Comments addressed.

Author: liulanze

docs/imagecustomizer/api/configuration/outputArtifacts.md

@@ -55,6 +55,7 @@ Supported values:
 - `shim` – Bootloader shim executable (`boot<arch>.efi`).
 - `systemd-boot` – Systemd-boot executable (`systemd-boot<arch>.efi`).
 - `verity-hash` – Verity hash files associated with dm-verity protected partitions.
+  *Added in v0.16.*
 
 The `output.artifacts` field must be used with the `output-artifacts` enabled in `previewFeatures`.
 
@@ -64,9 +65,9 @@ Supported architectures for shim and systemd-boot include x64 and arm64,
 reflected in the `<arch>` portion of the filenames.
 
 The `verity-hash` artifact will only be output if the corresponding Verity entry
-defines a `hashSignaturePath`. If the `hashSignaturePath` is not configured,
-Image Customizer will skip generating the hash file for that Verity device. For
-more details, see the [`verity`](./verity.md) documentation.
+defines a [`hashSignaturePath`](./verity.md#hashsignaturepath-string). If the
+`hashSignaturePath` is not configured, Image Customizer will skip generating the
+hash file for that Verity device. For more details, see the
+[`verity`](./verity.md) documentation.
 
 Added in v0.14.
-`verity-hash` added in v0.16.

docs/imagecustomizer/api/configuration/verity.md

@@ -259,21 +259,21 @@ Specifies the path where the signed verity hash file should be injected into the
 image. This path is typically used by the `systemd-veritysetup` module to verify
 the verity hash against a signature at boot time.
 
-- This path **must be located under the boot partition** for the current
-  version. For example, if the boot partition is mounted at `/boot`, then
-  `hashSignaturePath: /boot/root.hash.sig` will result in a destination of
-  `/root.hash.sig` relative to the boot partition during injection.
+This path **must be located under the boot partition**. (This restriction may be
+lessened in the future.) For example, if the boot partition is mounted at
+`/boot`, then `hashSignaturePath: /boot/root.hash.sig` will result in a
+destination of `/root.hash.sig` relative to the boot partition during injection.
 
-- When this field is specified, Prism will output the corresponding unsigned
-  hash file (`verity-hash`) as an artifact if the
-  [`output.artifacts`](./outputArtifacts.md) API is configured.
+When this field is specified, Image Customizer will output the corresponding unsigned hash
+file (`verity-hash`) as an artifact if the
+[`output.artifacts`](./outputArtifacts.md) API is configured.
 
-- The generated `inject-files.yaml` will include an entry to inject the signed
-  hash file to the specified path inside the boot partition.
+The generated `inject-files.yaml` will include an entry to inject the signed
+hash file to the specified path inside the boot partition.
 
 If `hashSignaturePath` is not configured for a given Verity entry, the verity
 hash file will not be output even if `verity-hash` is listed in the
-`output.artifacts.items`. Only Verity entries with `hashSignaturePath` defined
-will produce a `verity-hash` artifact.
+[`output.artifacts.items`](./outputArtifacts.md#items-string). Only Verity
+entries with `hashSignaturePath` defined will produce a `verity-hash` artifact.
 
 Added in v0.16.

toolkit/tools/imagecustomizerapi/verity.go

@@ -101,6 +101,13 @@ func (v *Verity) IsValid() error {
 		}
 
 		sigPath := filepath.Clean(v.HashSignaturePath)
+		if sigPath != v.HashSignaturePath {
+			return fmt.Errorf(
+				"verity.hashSignaturePath (%s) is not normalized (cleaned path: %s). Please provide a canonical path",
+				v.HashSignaturePath, sigPath,
+			)
+		}
+
 		if !strings.HasPrefix(sigPath, bootMountPoint+"/") {
 			return fmt.Errorf(
 				"verity.hashSignaturePath (%s) must be located under /boot mount point (%s)",

toolkit/tools/imagegen/installutils/installutils.go

@@ -105,13 +105,6 @@ const (
 
 	// Configuration files related to boot behavior. Users should be able to read these files, and root should have RW access.
 	bootUsrConfigFileMode = 0644
-
-	// Dracut module directory path for verity boot partition support.
-	VerityMountBootPartitionModuleDir = "/usr/lib/dracut/modules.d/90mountbootpartition"
-	// Standard permission mode for dracut module directories.
-	DracutModuleDirMode = 0755
-	// Standard permission mode for executable scripts in dracut modules.
-	DracutModuleScriptFileMode = 0755
 )
 
 // PackageList represents the list of packages to install into an image
@@ -2898,23 +2891,3 @@ func KernelPackages(config configuration.Config) []*pkgjson.PackageVer {
 	}
 	return packageList
 }
-
-func InstallVerityMountBootPartitionDracutModule(installRoot string) error {
-	targetDir := filepath.Join(installRoot, VerityMountBootPartitionModuleDir)
-
-	filesToInstall := map[string]string{
-		resources.VerityMountBootPartitionSetupFile:     filepath.Join(targetDir, "module-setup.sh"),
-		resources.VerityMountBootPartitionGeneratorFile: filepath.Join(targetDir, "mountbootpartition-generator.sh"),
-		resources.VerityMountBootPartitionGenRulesFile:  filepath.Join(targetDir, "mountbootpartition-genrules.sh"),
-		resources.VerityMountBootPartitionScriptFile:    filepath.Join(targetDir, "mountbootpartition.sh"),
-	}
-
-	for src, dst := range filesToInstall {
-		err := file.CopyResourceFile(resources.ResourcesFS, src, dst, DracutModuleDirMode, DracutModuleScriptFileMode)
-		if err != nil {
-			return fmt.Errorf("failed to install verity dracut file (%s): %w", dst, err)
-		}
-	}
-
-	return nil
-}

toolkit/tools/pkg/imagecustomizerlib/customizeverity.go

@@ -11,9 +11,9 @@ import (
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
 	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
-	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/installutils"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/resources"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils"
 )
@@ -22,6 +22,13 @@ const (
 	systemdVerityDracutModule = "systemd-veritysetup"
 	dmVerityDracutDriver      = "dm-verity"
 	mountBootPartModule       = "mountbootpartition"
+
+	// Dracut module directory path for verity boot partition support.
+	VerityMountBootPartitionModuleDir = "/usr/lib/dracut/modules.d/90mountbootpartition"
+	// Standard permission mode for dracut module directories.
+	DracutModuleDirMode = 0755
+	// Standard permission mode for executable scripts in dracut modules.
+	DracutModuleScriptFileMode = 0755
 )
 
 func enableVerityPartition(verity []imagecustomizerapi.Verity, imageChroot *safechroot.Chroot,
@@ -126,7 +133,7 @@ func supportVerityHashSignature(verityList []imagecustomizerapi.Verity, imageChr
 			return fmt.Errorf("failed to add dracut modules for verity hash signature support:\n%w", err)
 		}
 
-		err = installutils.InstallVerityMountBootPartitionDracutModule(imageChroot.RootDir())
+		err = InstallVerityMountBootPartitionDracutModule(imageChroot.RootDir())
 		if err != nil {
 			return fmt.Errorf("failed to install verity dracut scripts:\n%w", err)
 		}
@@ -137,6 +144,26 @@ func supportVerityHashSignature(verityList []imagecustomizerapi.Verity, imageChr
 	return nil
 }
 
+func InstallVerityMountBootPartitionDracutModule(installRoot string) error {
+	targetDir := filepath.Join(installRoot, VerityMountBootPartitionModuleDir)
+
+	filesToInstall := map[string]string{
+		resources.VerityMountBootPartitionSetupFile:     filepath.Join(targetDir, "module-setup.sh"),
+		resources.VerityMountBootPartitionGeneratorFile: filepath.Join(targetDir, "mountbootpartition-generator.sh"),
+		resources.VerityMountBootPartitionGenRulesFile:  filepath.Join(targetDir, "mountbootpartition-genrules.sh"),
+		resources.VerityMountBootPartitionScriptFile:    filepath.Join(targetDir, "mountbootpartition.sh"),
+	}
+
+	for src, dst := range filesToInstall {
+		err := file.CopyResourceFile(resources.ResourcesFS, src, dst, DracutModuleDirMode, DracutModuleScriptFileMode)
+		if err != nil {
+			return fmt.Errorf("failed to install verity dracut file (%s): %w", dst, err)
+		}
+	}
+
+	return nil
+}
+
 func updateGrubConfigForVerity(verityMetadata []verityDeviceMetadata, grubCfgFullPath string,
 	partitions []diskutils.PartitionInfo, buildDir string, bootUuid string,
 ) error {