Skip to content

Verity hash output support. #209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 8 commits into from
Closed

Verity hash output support. #209

wants to merge 8 commits into from

Conversation

liulanze
Copy link
Contributor

Checklist

  • Tests added/updated
  • Documentation updated (if needed)
  • Code conforms to style guidelines

@liulanze liulanze requested a review from a team as a code owner April 22, 2025 20:51
@liulanze liulanze requested a review from cwize1 April 22, 2025 20:57
liulanze
liulanze commented Apr 23, 2025
View reviewed changes
@liulanze liulanze requested review from gmileka, jiria and romoh April 23, 2025 22:02
cwize1
cwize1 requested changes Apr 23, 2025
View reviewed changes
@liulanze liulanze marked this pull request as draft April 24, 2025 22:09
cwize1
cwize1 requested changes Apr 24, 2025
View reviewed changes
toolkit/resources/dracutmodules/90mountesppartition/mountesppartition-generator.sh Outdated

cat <<EOF > $verityConfiguration
[Unit]
After=espmountmonitor.service
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use Before and RequiredBy / WantedBy instead of After and Requires to specify the same dependencies but from the opposite service/mount file.

toolkit/resources/dracutmodules/90mountesppartition/mountesppartition-generator.sh Outdated

function updateVeritySetupUnit () {
systemdDropInDir=/etc/systemd/system
verityDropInDir=$systemdDropInDir/systemd-veritysetup@root.service.d
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't hardcode this to root verity. Use veritysetup-pre.target instead of systemd-veritysetup@root.service.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've refactored the 90mountesppartition dracut module to follow systemd-native mounting workflows.

  • Removed the previous manual polling script and service (espmountmonitor).
  • Dropped the dependency on modifying systemd-veritysetup@root.service directly.
  • Added a generator (mountesppartition-generator.sh) to dynamically create a boot-efi.mount unit at initramfs boot time.
  • The boot-efi.mount is generated based on the kernel cmdline argument pre.verity.mount=UUID, mounts the ESP to /boot/efi, and ensures it is ready before veritysetup-pre.target.
  • Switched from using After/Requires to Before/WantedBy for clean dependency declaration.

Please have a review, thanks!

toolkit/resources/dracutmodules/90mountesppartition/mountesppartition-generator.sh Outdated
espMountMonitorDir=$systemdDropInDir
espMountMonitorUnitFile=$espMountMonitorDir/$espMountMonitorName

cat <<EOF > $espMountMonitorUnitFile
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Create a .mount file instead of creating a .service file that calls mount.

cwize1
cwize1 reviewed Apr 24, 2025
View reviewed changes
toolkit/resources/dracutmodules/90mountesppartition/10-mountesppartition.conf Outdated
@@ -0,0 +1 @@
add_dracutmodules+=" mountesppartition "
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is also the toolkit/tools/internal/resources directory, which embeds the files into the binary.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO - add doc guiding user.

@liulanze liulanze force-pushed the user/lanzeliu/verity-sig-output branch from 8435e49 to 4d4156d Compare April 27, 2025 22:54
@liulanze liulanze requested a review from cwize1 April 27, 2025 22:54
@liulanze liulanze marked this pull request as ready for review April 27, 2025 23:17
@liulanze liulanze marked this pull request as draft April 30, 2025 04:50
@romoh
Copy link
Contributor

romoh commented Jun 3, 2025

Preview API is merged in a separate PR and other changes are in devdrop

@romoh romoh closed this Jun 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gmileka gmileka

@jiria jiria

@romoh romoh

@cwize1 cwize1

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@liulanze @romoh @cwize1