diff options
Diffstat (limited to 'external/meta-security/recipes-core')
5 files changed, 89 insertions, 3 deletions
diff --git a/external/meta-security/recipes-core/busybox/busybox_%.bbappend b/external/meta-security/recipes-core/busybox/busybox_%.bbappend index 8bb0706e..27a24824 100644 --- a/external/meta-security/recipes-core/busybox/busybox_%.bbappend +++ b/external/meta-security/recipes-core/busybox/busybox_%.bbappend @@ -1,3 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://head.cfg" +require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/external/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/external/meta-security/recipes-core/busybox/busybox_libsecomp.inc new file mode 100644 index 00000000..4af22ce3 --- /dev/null +++ b/external/meta-security/recipes-core/busybox/busybox_libsecomp.inc @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" + +SRC_URI_append = " file://head.cfg" diff --git a/external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb new file mode 100644 index 00000000..f9ea3762 --- /dev/null +++ b/external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb @@ -0,0 +1,26 @@ +DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." + +# We want a clean, minimal image. +IMAGE_FEATURES = "" + +PACKAGE_INSTALL = " \ + initramfs-dm-verity \ + base-files \ + busybox \ + util-linux-mount \ + udev \ + cryptsetup \ + lvm2-udevrules \ +" + +# Can we somehow inspect reverse dependencies to avoid these variables? +do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" + +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" + +inherit core-image + +deploy_verity_hash() { + install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env +} +ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb new file mode 100644 index 00000000..b6149565 --- /dev/null +++ b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb @@ -0,0 +1,13 @@ +SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +SRC_URI = "file://init-dm-verity.sh" + +do_install() { + install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init + install -d ${D}/dev + mknod -m 622 ${D}/dev/console c 5 1 +} + +FILES_${PN} = "/init /dev/console" diff --git a/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh new file mode 100644 index 00000000..307d2c74 --- /dev/null +++ b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh @@ -0,0 +1,46 @@ +#!/bin/sh + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +RDEV="" +ROOT_DIR="/new_root" + +mkdir -p /proc +mkdir -p /sys +mkdir -p /run +mkdir -p /tmp +mount -t proc proc /proc +mount -t sysfs sysfs /sys +mount -t devtmpfs none /dev + +udevd --daemon +udevadm trigger --type=subsystems --action=add +udevadm trigger --type=devices --action=add +udevadm settle --timeout=10 + +for PARAM in $(cat /proc/cmdline); do + case $PARAM in + root=*) + RDEV=${PARAM#root=} + ;; + esac +done + +if ! [ -b $RDEV ]; then + echo "Missing root command line argument!" + exit 1 +fi + +case $RDEV in + UUID=*) + RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=}) + ;; +esac + +. /usr/share/dm-verity.env + +echo "Mounting $RDEV over dm-verity as the root filesystem" + +veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH +mkdir -p $ROOT_DIR +mount -o ro /dev/mapper/rootfs $ROOT_DIR +exec switch_root $ROOT_DIR /sbin/init |