Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verity-boot: append hash device to rootfs #2142

Merged
merged 2 commits into from
May 28, 2024
Merged

verity-boot: append hash device to rootfs #2142

merged 2 commits into from
May 28, 2024

Conversation

anmaxvl
Copy link
Contributor

@anmaxvl anmaxvl commented May 14, 2024
edited

Turned out that dev nodes for SCSI devices may not be
determenistic, where the hash device and rootfs may end
up appearing under /dev/sda and /dev/sdb respectively.

Instead of mounting a separate hash device, append the
verity Merkle tree to rootfs ext4 filesystem, similarly
to how it's done for layer VHDs and mount single VHD.
Remove redundant hash device code.

The default GuestStateFile filename was changed to kernel.vmgs.

Update the IVGM kernel init to reflect the changes.

The kernel command looks something like this:

 8250_core.nr_uarts=0 panic=-1 debug loglevel=7 root=/dev/dm-0 \
     dm-mod.create="dmverity,,,ro,0 173768 verity \
         1 /dev/sda /dev/sda 4096 4096 21721 21721 sha256 \
         42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62 \
         a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905" \
     init=/startup.sh

To break this down a little further:

  dm-mod.create="<name>,<uuid>,<minor>,<flags>,[table {verity_params}]"
  table="<start_sector> <num_sectors> <target_type> verity_params"
  verity_params="<version> <data_device> <hash_device> <data_block_size> \
                 <hash_block_size> <num_data_blocks> <hash_start_block> \
                 <algorithm> <root_digest> <salt> [<opt_params>]"

With the example above we get:

  name: "dmverity"
  uuid: ""
  minor: ""
  flags: "ro"
  table: 0 0 173768 verity <verity_params>
  verity_params:
    version: 1
    data_device: /dev/sda
    hash_device: /dev/sda
    data_block_size: 4096
    hash_block_size: 4096
    num_data_blocks: 21721
    hash_start_block: 21721
    algorithm: "sha256"
    root_digest: "42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62"
    salt: "a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905"

The support for booting non-SNP UVMs with dm-verity has also been added
as part of this PR. A new annotation can be used to pass the dm-mod.create
parameters to kernel. The assumption that the rootfs VHD will also have Merkle
tree appended after ext4 filesystem still holds. The new annotation is
"io.microsoft.virtualmachine.lcow.dmverity-create-args" and must be used
in conjunction with an existing "io.microsoft.virtualmachine.lcow.dmverity-mode"
annotation.

Add an internal "io.microsoft.virtualmachine.console.pipe" annotation, which
can be used to set the serial for the UVM for debugging purposes.

Note that dm-verity boot has a dependency on CONFIG_DM_INIT kernel config.

Signed-off-by: Maksim An maksiman@microsoft.com

@anmaxvl anmaxvl force-pushed the verity-boot-single-vhd branch 3 times, most recently from e7226bc to a2a84d7 Compare May 20, 2024 21:55
@anmaxvl anmaxvl marked this pull request as ready for review May 20, 2024 21:55
@anmaxvl anmaxvl requested a review from a team as a code owner May 20, 2024 21:55
@anmaxvl
verity-boot: append hash device to rootfs
03e06cd 
Turned out that dev nodes for SCSI devices may not be
determenistic, where the hash device and rootfs may end
up appearing under /dev/sda and /dev/sdb respectively.

Instead of mounting a separate hash device, append the
verity Merkle tree to rootfs ext4 filesystem, similarly
to how it's done for layer VHDs and mount single VHD.
Remove redundant hash device code.

The default `GuestStateFile` filename was changed to `kernel.vmgs`.

Update the IVGM kernel init to reflect the changes.

The kernel command looks something like this:

 8250_core.nr_uarts=0 panic=-1 debug loglevel=7 root=/dev/dm-0 \
     dm-mod.create="dmverity,,,ro,0 173768 verity \
         1 /dev/sda /dev/sda 4096 4096 21721 21721 sha256 \
         42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62 \
         a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905" \
     init=/startup.sh

To break this down a little further:

  dm-mod.create="<name>,<uuid>,<minor>,<flags>,[table {verity_params}]"
  table="<start_sector> <num_sectors> <target_type> verity_params"
  verity_params="<version> <data_device> <hash_device> <data_block_size> \
                 <hash_block_size> <num_data_blocks> <hash_start_block> \
                 <algorithm> <root_digest> <salt> [<opt_params>]"

With the example above we get:

  name: "dmverity"
  uuid: ""
  minor: ""
  flags: "ro"
  table: 0 0 173768 verity <verity_params>
  verity_params:
    version: 1
    data_device: /dev/sda
    hash_device: /dev/sda
    data_block_size: 4096
    hash_block_size: 4096
    num_data_blocks: 21721
    hash_start_block: 21721
    algorithm: "sha256"
    root_digest: "42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62"
    salt: "a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905"

The support for booting non-SNP UVMs with dm-verity has also been added
as part of this PR. A new annotation can be used to pass the `dm-mod.create`
parameters to kernel. The assumption that the rootfs VHD will also have Merkle
tree appended after ext4 filesystem still holds. The new annotation is
"io.microsoft.virtualmachine.lcow.dmverity-create-args" and must be used
in conjunction with an existing "io.microsoft.virtualmachine.lcow.dmverity-mode"
annotation.

Add an internal "io.microsoft.virtualmachine.console.pipe" annotation, which
can be used to set the serial for the UVM for debugging purposes.

Note that dm-verity boot has a dependency on `CONFIG_DM_INIT` kernel config.

Signed-off-by: Maksim An <maksiman@microsoft.com>
@KenGordon KenGordon self-assigned this May 21, 2024
KenGordon
KenGordon reviewed May 21, 2024
View reviewed changes
Makefile.bootfiles Outdated Show resolved Hide resolved
KenGordon
KenGordon approved these changes May 21, 2024
View reviewed changes
Copy link
Collaborator

@KenGordon KenGordon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clearly fabulous. Minor changes to some comments to clarify some things.

@anmaxvl
Copy link
Contributor Author

anmaxvl commented May 21, 2024

Clearly fabulous. Minor changes to some comments to clarify some things.

most of it was already in place, thanks to you/your team 😄

@anmaxvl
pr feedback
67d0ff7 
Signed-off-by: Maksim An <maksiman@microsoft.com>
KenGordon
KenGordon reviewed May 22, 2024
View reviewed changes
Makefile.bootfiles
@@ -20,6 +20,9 @@ IGVM_TOOL:=
KERNEL_PATH:=
TAR2EXT4_TOOL:=bin/cmd/tar2ext4

ROOTFS_DEVICE:=/dev/sda
HASH_DEVICE:=/dev/sdb
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a subsequent PR (maybe I will do it) we need to make the v2056.vmgs scheme the same as the kernel.vmgs sceme and completely get rid of all the two vhd based configurations. Once that is done I'd like to find a way to provide v2056.vmgs and uvmtester in a testing package so we can do automated soak testing of the UVM startup part.

@anmaxvl anmaxvl merged commit 63adf6a into microsoft:main May 28, 2024
19 checks passed
@anmaxvl anmaxvl deleted the verity-boot-single-vhd branch May 28, 2024 21:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KenGordon KenGordon KenGordon approved these changes

@helsaawy helsaawy helsaawy approved these changes

Assignees

@KenGordon KenGordon

@helsaawy helsaawy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@anmaxvl @KenGordon @helsaawy