12daf84b2SAndrew Geisslerdm-verity and Yocto/OE
22daf84b2SAndrew Geissler----------------------
32daf84b2SAndrew GeisslerThe dm-verity feature provides a level of data integrity and resistance to
42daf84b2SAndrew Geisslerdata tampering.  It does this by creating a hash for each data block of
52daf84b2SAndrew Geisslerthe underlying device as the base of a hash tree.  There are many
6*03514f19SPatrick Williamsdocuments out there to further explain the implementation, such as the
72daf84b2SAndrew Geisslerin-kernel one itself:
82daf84b2SAndrew Geissler
92daf84b2SAndrew Geisslerhttps://docs.kernel.org/admin-guide/device-mapper/verity.html
102daf84b2SAndrew Geissler
112daf84b2SAndrew GeisslerThe goal of this document is not to reproduce that content, but instead to
122daf84b2SAndrew Geisslercapture the Yocto/OE specifics of the dm-verity infrastructure used here.
132daf84b2SAndrew Geissler
142daf84b2SAndrew GeisslerIdeally this should enable a person to build and deploy an image on one of
152daf84b2SAndrew Geisslerthe supported reference platforms, and then further adapt to their own
162daf84b2SAndrew Geisslerplatform and specific storage requirements.
172daf84b2SAndrew Geissler
182daf84b2SAndrew GeisslerBasic Settings
192daf84b2SAndrew Geissler--------------
202daf84b2SAndrew GeisslerLargely everything is driven off of a dm-verity image class; a typical
212daf84b2SAndrew Geisslerblock of non MACHINE specific settings are shown below:
222daf84b2SAndrew Geissler
232daf84b2SAndrew GeisslerINITRAMFS_IMAGE = "dm-verity-image-initramfs"
242daf84b2SAndrew GeisslerDM_VERITY_IMAGE = "core-image-minimal"
252daf84b2SAndrew GeisslerDM_VERITY_IMAGE_TYPE = "ext4"
262daf84b2SAndrew GeisslerIMAGE_CLASSES += "dm-verity-img"
272daf84b2SAndrew GeisslerINITRAMFS_IMAGE_BUNDLE = "1"
282daf84b2SAndrew Geissler
292daf84b2SAndrew GeisslerKernel Configuration
302daf84b2SAndrew Geissler--------------------
312daf84b2SAndrew GeisslerKernel configuration for dm-verity happens automatically via IMAGE_CLASSES
322daf84b2SAndrew Geisslerwhich will source features/device-mapper/dm-verity.scc when dm-verity-img
332daf84b2SAndrew Geissleris used. [See commit d9feafe991c]
34dc9d6147SAndrew GeisslerIMPORTANT: As per the top level README, you *must* put security in the
35dc9d6147SAndrew GeisslerDISTRO_FEATURES, or else you won't get the dm-verity kernel settings.
362daf84b2SAndrew Geissler
372daf84b2SAndrew GeisslerSupported Platforms
382daf84b2SAndrew Geissler-------------------
392daf84b2SAndrew GeisslerIn theory, you can use dm-verity anywhere - there is nothing arch/BSP
402daf84b2SAndrew Geisslerspecific in the core kernel support.  However, at the BSP level, one
412daf84b2SAndrew Geisslereventually has to decide what device(s) are to be hashed, and where the
422daf84b2SAndrew Geisslerhash tables are stored.
432daf84b2SAndrew Geissler
442daf84b2SAndrew GeisslerTo that end, the BSP storage specifics live in meta-security/wic dir and
452daf84b2SAndrew Geisslerrepresent the current set of example configurations that have been tested
462daf84b2SAndrew Geisslerand submitted at some point.
472daf84b2SAndrew Geissler
482daf84b2SAndrew GeisslerGetting Started
492daf84b2SAndrew Geissler---------------
502daf84b2SAndrew GeisslerThis document assumes you are starting from the basic auto-created
512daf84b2SAndrew Geisslerconf/local.conf and conf/bblayers.conf from the oe-init-build-env
522daf84b2SAndrew Geissler
532daf84b2SAndrew GeisslerFirstly, you need the meta-security layer to conf/bblayers.conf along with
542daf84b2SAndrew Geisslerthe dependencies it has -- see the top level meta-security README for that.
552daf84b2SAndrew Geissler
56dc9d6147SAndrew GeisslerNote that if you are using dm-verity for your rootfs, then it enforces a
57dc9d6147SAndrew Geisslerread-only mount right at the kernel level, so be prepared for issues such
58dc9d6147SAndrew Geissleras failed creation of temporary files and similar.
59dc9d6147SAndrew Geissler
60dc9d6147SAndrew GeisslerYocto does support additional checks and changes via setting:
612daf84b2SAndrew Geissler
622daf84b2SAndrew GeisslerEXTRA_IMAGE_FEATURES = "read-only-rootfs"
632daf84b2SAndrew Geissler
64dc9d6147SAndrew Geissler...but since read-only is enforced at the kernel level already, using
65dc9d6147SAndrew Geisslerthis feature isn't a hard requirement.  It may be best to delay/defer
66dc9d6147SAndrew Geisslermaking use of this until after you've established basic booting.
67dc9d6147SAndrew Geissler
682daf84b2SAndrew GeisslerFor more details, see the associated documentation:
692daf84b2SAndrew Geissler
702daf84b2SAndrew Geisslerhttps://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html
712daf84b2SAndrew Geissler
722daf84b2SAndrew GeisslerAlso add the basic block of dm-verity settings shown above, and select
732daf84b2SAndrew Geissleryour MACHINE from one of the supported platforms.
742daf84b2SAndrew Geissler
752daf84b2SAndrew GeisslerIf there is a dm-verity-<MACHINE>.txt file for your BSP, check that for
762daf84b2SAndrew Geisslerany additional platform specific recommended settings, such as the
772daf84b2SAndrew GeisslerWKS_FILES which can specify board specific storage layout discussed below.
782daf84b2SAndrew Geissler
792daf84b2SAndrew GeisslerThen you should be able to do a "bitbake core-image-minimal" just like any
802daf84b2SAndrew Geisslerother normal build.  What you will notice, is the content in
812daf84b2SAndrew Geisslertmp/deploy/images/<MACHINE>/ now have suffixes like "rootfs.ext4.verity"
822daf84b2SAndrew Geissler
832daf84b2SAndrew GeisslerWhile you can manually work with these images just like any other build,
842daf84b2SAndrew Geisslerthis is where the BSP specific recipes in meta-security/wic can simplify
852daf84b2SAndrew Geisslerthings and remove a bunch of manual steps that might be error prone.
862daf84b2SAndrew Geissler
872daf84b2SAndrew GeisslerConsider for example, the beaglebone black WIC file, which contains:
882daf84b2SAndrew Geissler
892daf84b2SAndrew Geisslerpart /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat
902daf84b2SAndrew Geissler--label boot --active --align 4 --fixed-size 32 --sourceparams="loader=u-boot" --use-uuid
912daf84b2SAndrew Geisslerpart / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
922daf84b2SAndrew Geisslerbootloader --append="console=ttyS0,115200"
932daf84b2SAndrew Geissler
942daf84b2SAndrew GeisslerAs can be seen, it maps out the partitions, including the bootloader, and
952daf84b2SAndrew Geisslersaves doing a whole bunch of manual partitioning and dd steps.
962daf84b2SAndrew Geissler
972daf84b2SAndrew GeisslerThis file is copied into tmp/deploy/images/<MACHINE>/ with bitbake
982daf84b2SAndrew Geisslervariables expanded with their corresponding values for wic to make use of.
992daf84b2SAndrew Geissler
1002daf84b2SAndrew GeisslerContinuing with the beaglebone example, we'll see output similar to:
1012daf84b2SAndrew Geissler
1022daf84b2SAndrew Geissler             ----------------------
1032daf84b2SAndrew Geissler$ wic create -e core-image-minimal beaglebone-yocto-verity
1042daf84b2SAndrew Geissler
1052daf84b2SAndrew Geissler[...]
1062daf84b2SAndrew Geissler
1072daf84b2SAndrew GeisslerINFO: Creating image(s)...
1082daf84b2SAndrew Geissler
1092daf84b2SAndrew GeisslerINFO: The new image(s) can be found here:
1102daf84b2SAndrew Geissler  ./beaglebone-yocto-verity.wks-202303070223-mmcblk0.direct
1112daf84b2SAndrew Geissler
1122daf84b2SAndrew GeisslerThe following build artifacts were used to create the image(s):
1132daf84b2SAndrew Geissler  BOOTIMG_DIR:       /home/paul/poky/build-bbb-verity/tmp/work/beaglebone_yocto-poky-linux-gnueabi/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
1142daf84b2SAndrew Geissler  KERNEL_DIR:        /home/paul/poky/build-bbb-verity/tmp/deploy/images/beaglebone-yocto
1152daf84b2SAndrew Geissler  NATIVE_SYSROOT:    /home/paul/poky/build-bbb-verity/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/wic-tools/1.0-r0/recipe-sysroot-native
1162daf84b2SAndrew Geissler
1172daf84b2SAndrew GeisslerINFO: The image(s) were created using OE kickstart file:
1182daf84b2SAndrew Geissler  /home/paul/poky/meta-security/wic/beaglebone-yocto-verity.wks.in
1192daf84b2SAndrew Geissler             ----------------------
1202daf84b2SAndrew Geissler
1212daf84b2SAndrew GeisslerThe "direct" image contains the partition table, bootloader, and dm-verity
1222daf84b2SAndrew Geisslerenabled ext4 image all in one -- ready to write to a raw device, such as a
1232daf84b2SAndrew Geissleru-SD card in the case of the beaglebone.
124