Verity hash signature I/O feature support. #270

Merged
merged 6 commits into from
Jun 18, 2025

@liulanze liulanze commented Jun 11, 2025

This PR adds support for Verity hash signature I/O in Image Customizer, prepares the appropriate kernel command line arguments (such as root-hash-signature=...), and integrates with the supporting dracut module for boot-time verification.

It also resolves two related bugs. First, it ensures that if hashSignaturePath is not specified for a Verity device, no signature artifacts are generated or emitted, even if verity-hash is included in .output.artifacts. Second, it fixes the parsing logic for systemd.verity_*_options kernel arguments to properly handle root-hash-signature=... in addition to corruption handling options, ensuring the signature path is correctly extracted and reapplied when rebuilding images.


Checklist

  • Tests added/updated
  • Documentation updated (if needed)
  • Code conforms to style guidelines
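
As an added illustration (not code from this PR or from Image Customizer), the sketch below parses the comma-separated value of a `systemd.verity_*_options=` kernel argument so that `root-hash-signature=...` is extracted alongside the corruption handling option. The `VerityOptions` type and `ParseVerityOptions` function are hypothetical names, and the example assumes the signature is given as an absolute file path that must already be in cleaned form.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// VerityOptions is a hypothetical result type for this example.
type VerityOptions struct {
	CorruptionOption  string // "" when no corruption option is given
	HashSignaturePath string // "" when root-hash-signature= is absent
}

var corruptionOptions = map[string]bool{
	"ignore-corruption": true, "restart-on-corruption": true, "panic-on-corruption": true,
}

// ParseVerityOptions parses a systemd.verity_*_options= value (hypothetical helper).
func ParseVerityOptions(value string) (VerityOptions, error) {
	var opts VerityOptions
	for _, opt := range strings.Split(value, ",") {
		opt = strings.TrimSpace(opt)
		key, val, hasVal := strings.Cut(opt, "=")
		switch {
		case opt == "":
			continue // tolerate empty items such as a trailing comma
		case corruptionOptions[key] && !hasVal:
			if opts.CorruptionOption != "" {
				return opts, fmt.Errorf("multiple corruption options in %q", value)
			}
			opts.CorruptionOption = key
		case key == "root-hash-signature" && hasVal:
			// Assumption: a file path, absolute and already in clean form.
			if !filepath.IsAbs(val) || filepath.Clean(val) != val {
				return opts, fmt.Errorf("invalid root-hash-signature path %q", val)
			}
			opts.HashSignaturePath = val
		default:
			return opts, fmt.Errorf("unsupported verity option %q", opt)
		}
	}
	return opts, nil
}

func main() {
	// Constructed sample value, not taken from the PR.
	fmt.Println(ParseVerityOptions("panic-on-corruption,root-hash-signature=/boot/root.hash.sig"))
}
```

An empty `HashSignaturePath` in the result is the signal that no signature artifact should be produced for that device.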

@liulanze liulanze requested a review from a team as a code owner June 11, 2025 22:47

if [[ -n "$bootPartitionUuid" ]]; then
mkdir -p /boot
mount -U $bootPartitionUuid /boot
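
Review bot: `$bootPartitionUuid` is expanded unquoted in `mount -U $bootPartitionUuid /boot`, although the `[[ -n "$bootPartitionUuid" ]]` test just above quotes it. Quote it here as well (`mount -U "$bootPartitionUuid" /boot`) so that a value containing whitespace or glob characters cannot split into extra `mount` arguments. The visible lines also do not check the exit status of `mkdir` or `mount`; unless the script handles that elsewhere, a failed mount would let boot continue without the signature file being reachable, so consider failing explicitly here.
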
Contributor

This code is only temporary, so it doesn't matter too much but you should really be using a .mount file instead of calling mount manually.

Contributor Author

Agreed that the .mount unit would be the approach in the long term. Due to time constraints and the temporary nature of this implementation, shall we go with the simpler mount approach for now? Marking as won’t fix for this iteration.

@liulanze liulanze force-pushed the user/lanzeliu/io-verityhash branch 2 times, most recently from 642b69d to 02c276c Compare June 18, 2025 06:30
@liulanze liulanze requested a review from cwize1 June 18, 2025 20:51
return fmt.Errorf("invalid hashSignaturePath:\n%w", err)
}

sigPath := filepath.Clean(v.HashSignaturePath)
Contributor

Would it make sense to report an error if filepath.Clean returns a string that is different than what was passed to it?

Contributor Author

Do you mean we don't like users giving a non-standard path? I've added it, please check.

@liulanze liulanze requested a review from cwize1 June 18, 2025 21:40
cwize1 previously approved these changes Jun 18, 2025
return nil
}

func InstallVerityMountBootPartitionDracutModule(installRoot string) error {
Contributor

nit: Make function private.

@liulanze liulanze force-pushed the user/lanzeliu/io-verityhash branch from d74117e to b102647 Compare June 18, 2025 22:17
@liulanze liulanze requested a review from cwize1 June 18, 2025 22:17
@liulanze liulanze merged commit dc9d77b into main Jun 18, 2025
8 checks passed
@liulanze liulanze deleted the user/lanzeliu/io-verityhash branch June 18, 2025 22:29