dm-verity: How to exactly use the dm-mod.create with verity-metadata append
wad at chromium.org
Tue Nov 23 11:43:15 EST 2021
On Tue, Nov 23, 2021 at 4:36 AM Pintu Agarwal <pintu.ping at gmail.com> wrote:
> For rootfs dm-verity I am trying to pass dm-mod.create from our
> bootloader but it does not seem to be working for me.
> So, I need some guidance on the parameters that we pass here.
> The documentation also does not seem to help much.
> Kernel: 4.14 (with dm-init patch backported)
> Target: Arm-32 / NAND / Simple Busybox / Bootloader (edk2)
> Build: Ubuntu-18.04 / Yocto 2.6
> Steps I followed:
> 1) First I am trying to generate the root hash for our rootfs using
> the veritysetup command:
> $ ls -l system.img
> 64172032 ==> IMAGE_SIZE
> $ veritysetup format system.img dm-init-verity.img
> UUID: eca62b73-b66a-4249-834b-471e83fc382c
> Hash type: 1
> Data blocks: 15667
> Data block size: 4096
> Hash block size: 4096
> Hash algorithm: sha256
> Root hash:
> 2) Then I am trying to append the verity with the system image itself:
> $ cat dm-init-verity.img >> system.img
> 3) After that I am trying to pass dm-mod.create parameter like this:
> dm-mod.create=\"system,,,ro, 0 IMAGE_SIZE/512 verity 1
> /dev/ubiblock0_0 /dev/ubiblock0_0 4096 4096 DATA_BLOCKS 1 sha256
> 4) The Kernel command line seems to be updated properly:
> [ 0.000000] Kernel command line:.. rootfstype=squashfs
> ubi.mtd=40,0,30 ubi.block=0,0 root=/dev/ubiblock0_0
> dm-mod.create="system,,,ro, 0 125336 verity 1 /dev/ubiblock0_0
> /dev/ubiblock0_0 4096 4096 15667 1 sha256
> 8b66f42c07f576429109cf4e5d12ec072b23d242a9e653ac3423e49647339f5b" ....
> But it does not seem to work as expected.
> It gives below errors:
> [ 4.747708] block ubiblock0_0: created from ubi0:0(system)
> [ 4.752313] device-mapper: init: waiting for all devices to be
> available before creating mapped devices
> [ 4.752313]
> [ 4.766061] device-mapper: verity: sha256 using implementation
> [ 4.776178] device-mapper: ioctl: dm-0 (system) is ready
> [ 4.848886] md: Skipping autodetection of RAID arrays.
> (raid=autodetect will force)
> [ 4.849288] VFS: Cannot open root device "ubiblock0_0" or
> unknown-block(252,0): error -16

I'd start with changing your root device to point to the device mapper
one you've just created. E.g., root=/dev/dm-0. Then see how it goes.

> I followed almost the same example from dm-init document:
> 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
> But this seems to only refer to system and verity on different blocks.
> I am not sure what parameter should be changed if my verity metadata
> is part of system image itself.
> Also, I don't know how 1638400;204800;1 is calculated here based on image size?

It's the range of sectors covered by the device 0 to size_in_sectors:
(data_blocks * block_size)/sector_size
(15667 * 4096)/512
which you have in your entry already.

> So, people who have made this working successfully, please share the
> correct parameter to be used for the same block device.
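
Added example (not part of the original thread and not written by either poster): a Python sketch that derives the verity table fields from the `veritysetup format` output quoted above, for the case where the hash image is appended to the data image on the same device. It assumes the field order given in the kernel's dm-verity documentation (version, data dev, hash dev, data block size, hash block size, data blocks, hash start block, algorithm, root digest, salt) and that the first block of the appended hash image is the veritysetup superblock; the function names and the salt placeholder are hypothetical.

```python
import re

SECTOR_SIZE = 512  # device-mapper table offsets and lengths are in 512-byte sectors

# Constructed sample: veritysetup output as posted, root hash taken from the
# posted kernel command line, salt replaced by a labelled placeholder.
SAMPLE = """\
UUID: eca62b73-b66a-4249-834b-471e83fc382c
Hash type: 1
Data blocks: 15667
Data block size: 4096
Hash block size: 4096
Hash algorithm: sha256
Salt: SALT_HEX_PLACEHOLDER
Root hash: 8b66f42c07f576429109cf4e5d12ec072b23d242a9e653ac3423e49647339f5b
"""

def parse_format_output(text):
    """Collect the 'Key: value' lines printed by `veritysetup format`."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def build_dm_create(fields, dev, image_size, name="system"):
    """Return a dm-mod.create argument for data and hash tree on one device."""
    blocks = int(fields["data blocks"])
    data_bs = int(fields["data block size"])
    hash_bs = int(fields["hash block size"])
    data_bytes = blocks * data_bs
    if image_size != data_bytes or data_bytes % hash_bs:
        raise ValueError("image must end exactly on a block boundary")
    if not fields.get("root hash"):
        raise ValueError("root hash missing from veritysetup output")
    sectors = data_bytes // SECTOR_SIZE       # (data_blocks * block_size) / 512
    # Assumption: the hash image was appended right after the data, and its
    # first hash block is the veritysetup superblock, so the tree starts at +1.
    hash_start = data_bytes // hash_bs + 1
    table = " ".join([fields["hash type"], dev, dev, str(data_bs), str(hash_bs),
                      str(blocks), str(hash_start), fields["hash algorithm"],
                      fields["root hash"], fields.get("salt") or "-"])
    return f'dm-mod.create="{name},,,ro, 0 {sectors} verity {table}"'

if __name__ == "__main__":
    print(build_dm_create(parse_format_output(SAMPLE), "/dev/ubiblock0_0", 64172032))
```

The size check catches an image whose length differs from the data-block count before the hash image is appended, since that would shift the hash start block.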