Clarify explanation of Verity= option
#3121
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DaanDeMeyer
reviewed
Oct 10, 2024
mkosi/resources/man/mkosi.1.md
Outdated
| key and certificate will be passed to systemd-repart if available, | ||
| the extension images produced by systemd-repart. If set to `auto` and | ||
| a verity key and certificate are present, mkosi will pass them to systemd-repart | ||
| and expect the generated disk image to contain verity partition, |
There was a problem hiding this comment.
Also "expects"
Suggested change
| and expect the generated disk image to contain verity partition, | |
| and expects the generated disk image to contain verity partitions, |
This clarifies that the "auto" value for the verity option only really makes sense for extension images.
DaanDeMeyer
approved these changes
Oct 10, 2024
|
Do you think my other idea still makes sense? |
Yeah makes sense happy to review a PR for that. You'd have to introduce a |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This clarifies that the "auto" value for the verity option only really makes sense for extension images.
Alternative solution: Implement
Verity=as an enum option which accepts off/no, hash, and signature (similar to the repart option - or off/verity/signed, similar to systemd.image-policy). If set to "off", no checking is performed and unsigned extension images are build. If set to "hash", mkosi asserts that the generated image contains a verity partition (and creates extension images with a verity partition? - not sure how useful). If set to "signature", mkosi asserts that key+certificate are present and checks that the resulting image contains a verity-sig partition.I actually like the alternative solution a bit more but won't have time until next week to work on it so I wanted to get this quick clarification out there for now.