Extension repart definitions #3437
Conversation
I wanted to benefit from the extension release file generated by Another option would be a way to add And while we're at it: Why not use |
hundeboll
force-pushed
the
extension-repart-definitions
branch
from
05c3c90 to
2d0efc5
Compare
Okay, pushed a proposal using the |
hundeboll
force-pushed
the
extension-repart-definitions
branch
from
2d0efc5 to
610cfba
Compare
|
@hundeboll This is much worse, now the repart definitions have to be installed in the root filesystem or tools tree. That's exactly why we don't use --make-ddi= in the first place. |
I see. I'll revert that part. How about the other part - always using the signed repart definitions, and just exclude the signature partition when verity is off? Or would it be better with a |
|
@hundeboll Adding |
hundeboll
force-pushed
the
extension-repart-definitions
branch
4 times, most recently
from
bd68892 to
64d0b7b
Compare
|
I added the Thanks for the hint on |
mkosi/config.py
Outdated
| @@ -363,6 +363,13 @@ def __bool__(self) -> bool: | |||
| return self != BuildSourcesEphemeral.no | |||
|
|
|||
|
|
|||
| class Verity(StrEnum): | |||
| yes = enum.auto() | |||
There was a problem hiding this comment.
Let's name this signed
There was a problem hiding this comment.
It's okay to break existing users of --verity=yes ?
There was a problem hiding this comment.
parse_boolean() will take care of the boolean values
mkosi/resources/man/mkosi.1.md
Outdated
| partition. If set to `auto` and a verity key and certificate are present, | ||
| **mkosi** will pass them to systemd-repart and expects the generated disk | ||
| image to contain verity partitions, but the build won't fail if no verity | ||
| partitions are found in the disk image produced by **systemd-repart**. | ||
|
|
||
| Note that explicitly disabling signed verity is not yet implemented |
There was a problem hiding this comment.
This also needs to mention that Verity=hash is not supported for the disk output yet.
|
Setting don't-merge until we get another stable release out |
Building an unsigned extension image with verity hashes provides data integrity without needing a certificate on the target machine. Note that systemd-dissect and systemd-sysext doesn't automatically use the verity data has partition for validation. Both tools enables validation if the user.verity.roothash xattr is set for the image. For systemd-dissect, one can use the --root-hash option to enable the validation. The root hash can be obtained by concatenating the partition uuid's for the root and the root-verity partitions.
hundeboll
force-pushed
the
extension-repart-definitions
branch
from
64d0b7b to
f88f826
Compare
There was a problem hiding this comment.
Thanks for working on this and implementing my proposal from #3121. However for consistency we should either reuse the nomenclature from either sd-repart or sd.image-policy. Those are off/hash/signature and off/verity/signed respectively
No description provided.