Add doc for the new feature.

Author: liulanze

docs/imagecustomizer/api/configuration/injectFilesConfig.md

@@ -42,6 +42,12 @@ injectFiles:
   destination: /EFI/systemd/systemd-bootx64.efi
   source: ./systemd-bootx64.signed.efi
   unsignedSource: ./systemd-bootx64.efi
+- partition:
+    idType: part-uuid
+    id: 5c0a7f80-0f9f-48f6-8bb1-d622022aaf24
+  destination: /root.hash.sig
+  source: ./root.hash.sig
+  unsignedSource: ./root.hash
 previewFeatures:
 - inject-files
 ```

docs/imagecustomizer/api/configuration/output.md

@@ -39,6 +39,7 @@ output:
     - ukis
     - shim
     - systemd-boot
+    - verity-hash
     path: ./output
 previewFeatures:
 - output-artifacts

docs/imagecustomizer/api/configuration/outputArtifacts.md

@@ -10,9 +10,9 @@ You must enable this feature by specifying `output-artifacts` in the
 [previewFeatures](./config.md#previewfeatures-string) API.
 
 Specifies the configuration for the output directory containing the generated
-artifacts, including UKI PE images, shim and systemd-boot.
+artifacts, including UKI PE images, shim, systemd-boot, and Verity hash files.
 
-After Prism outputs the selected artifacts, it will also generate a helper
+After Image Customizer outputs the selected artifacts, it will also generate a helper
 configuration file named `inject-files.yaml` under the same directory of output
 artifacts. This file can later be used to inject signed artifacts back into an
 image. For more details, see the [`injectFilesConfig`](./injectFilesConfig.md)
@@ -27,6 +27,7 @@ output:
     - ukis
     - shim
     - systemd-boot
+    - verity-hash
     path: ./output
 previewFeatures:
 - output-artifacts
@@ -38,7 +39,7 @@ Added in v0.14.
 
 Required.
 
-Specifies the directory path where Prism will output the selected artifacts.
+Specifies the directory path where Image Customizer will output the selected artifacts.
 
 Added in v0.14.
 
@@ -53,6 +54,7 @@ Supported values:
 - `ukis` – UKI PE images (`vmlinuz-<version>.efi`).
 - `shim` – Bootloader shim executable (`boot<arch>.efi`).
 - `systemd-boot` – Systemd-boot executable (`systemd-boot<arch>.efi`).
+- `verity-hash` – Verity hash files associated with dm-verity protected partitions.
 
 The `output.artifacts` field must be used with the `output-artifacts` enabled in `previewFeatures`.
 
@@ -61,4 +63,10 @@ These artifacts are generated in an unsigned format and must be signed externall
 Supported architectures for shim and systemd-boot include x64 and arm64,
 reflected in the `<arch>` portion of the filenames.
 
+The `verity-hash` artifact will only be output if the corresponding Verity entry
+defines a `hashSignaturePath`. If the `hashSignaturePath` is not configured,
+Image Customizer will skip generating the hash file for that Verity device. For
+more details, see the [`verity`](./verity.md) documentation.
+
 Added in v0.14.
+`verity-hash` added in v0.16.

docs/imagecustomizer/api/configuration/verity.md

@@ -250,3 +250,30 @@ Supported values:
 Default value: `io-error`.
 
 Added in v0.7.
+
+## hashSignaturePath [string]
+
+Optional.
+
+Specifies the path where the signed verity hash file should be injected into the
+image. This path is typically used by the `systemd-veritysetup` module to verify
+the verity hash against a signature at boot time.
+
+- This path **must be located under the boot partition** for the current
+  version. For example, if the boot partition is mounted at `/boot`, then
+  `hashSignaturePath: /boot/root.hash.sig` will result in a destination of
+  `/root.hash.sig` relative to the boot partition during injection.
+
+- When this field is specified, Prism will output the corresponding unsigned
+  hash file (`verity-hash`) as an artifact if the
+  [`output.artifacts`](./outputArtifacts.md) API is configured.
+
+- The generated `inject-files.yaml` will include an entry to inject the signed
+  hash file to the specified path inside the boot partition.
+
+If `hashSignaturePath` is not configured for a given Verity entry, the verity
+hash file will not be output even if `verity-hash` is listed in the
+`output.artifacts.items`. Only Verity entries with `hashSignaturePath` defined
+will produce a `verity-hash` artifact.
+
+Added in v0.16.