-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathcustomizeverity.go
290 lines (236 loc) · 9.51 KB
/
customizeverity.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
package imagecustomizerlib
import (
"fmt"
"path/filepath"
"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
)
func enableVerityPartition(verity []imagecustomizerapi.Verity, imageChroot *safechroot.Chroot,
) (bool, error) {
var err error
if len(verity) <= 0 {
return false, nil
}
logger.Log.Infof("Enable verity")
err = validateVerityDependencies(imageChroot)
if err != nil {
return false, fmt.Errorf("failed to validate package dependencies for verity:\n%w", err)
}
// Integrate systemd veritysetup dracut module into initramfs img.
systemdVerityDracutModule := "systemd-veritysetup"
dmVerityDracutDriver := "dm-verity"
err = addDracutModuleAndDriver(systemdVerityDracutModule, dmVerityDracutDriver, imageChroot)
if err != nil {
return false, fmt.Errorf("failed to add dracut modules for verity:\n%w", err)
}
err = updateFstabForVerity(verity, imageChroot)
if err != nil {
return false, fmt.Errorf("failed to update fstab file for verity:\n%w", err)
}
err = prepareGrubConfigForVerity(imageChroot)
if err != nil {
return false, fmt.Errorf("failed to prepare grub config files for verity:\n%w", err)
}
return true, nil
}
func updateFstabForVerity(verityList []imagecustomizerapi.Verity, imageChroot *safechroot.Chroot) error {
var err error
fstabFile := filepath.Join(imageChroot.RootDir(), "etc", "fstab")
fstabEntries, err := diskutils.ReadFstabFile(fstabFile)
if err != nil {
return fmt.Errorf("failed to read fstab file: %v", err)
}
// Update fstab entries so that verity mounts point to verity device paths.
for _, verity := range verityList {
if verity.FileSystem == nil || verity.FileSystem.MountPoint == nil {
// No mount point assigned to verity device.
continue
}
mountPath := verity.FileSystem.MountPoint.Path
for j := range fstabEntries {
entry := &fstabEntries[j]
if entry.Target == mountPath {
// Replace mount's source with verity device.
entry.Source = verityDevicePath(verity)
}
}
}
// Write the updated fstab entries back to the fstab file
err = diskutils.WriteFstabFile(fstabEntries, fstabFile)
if err != nil {
return err
}
return nil
}
func prepareGrubConfigForVerity(imageChroot *safechroot.Chroot) error {
bootCustomizer, err := NewBootCustomizer(imageChroot)
if err != nil {
return err
}
err = bootCustomizer.PrepareForVerity()
if err != nil {
return err
}
err = bootCustomizer.WriteToFile(imageChroot)
if err != nil {
return err
}
return nil
}
func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash string, grubCfgFullPath string,
partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, buildDir string,
) error {
var err error
newArgs, err := constructVerityKernelCmdlineArgs(rootfsVerity, rootHash, partIdToPartUuid, partitions, buildDir)
if err != nil {
return fmt.Errorf("failed to generate verity kernel arguments:\n%w", err)
}
grub2Config, err := file.Read(grubCfgFullPath)
if err != nil {
return fmt.Errorf("failed to read grub config:\n%w", err)
}
// Note: If grub-mkconfig is being used, then we can't add the verity command-line args to /etc/default/grub and
// call grub-mkconfig, since this would create a catch-22 with the verity root partition hash.
// So, instead we just modify the /boot/grub2/grub.cfg file directly.
grubMkconfigEnabled := isGrubMkconfigConfig(grub2Config)
grub2Config, err = updateKernelCommandLineArgs(grub2Config, []string{"rd.systemd.verity", "roothash",
"systemd.verity_root_data", "systemd.verity_root_hash", "systemd.verity_root_options"}, newArgs)
if err != nil {
return fmt.Errorf("failed to set verity kernel command line args:\n%w", err)
}
rootDevicePath := verityDevicePath(rootfsVerity)
if grubMkconfigEnabled {
grub2Config, err = updateKernelCommandLineArgs(grub2Config, []string{"root"},
[]string{"root=" + rootDevicePath})
if err != nil {
return fmt.Errorf("failed to set verity root command-line arg:\n%w", err)
}
} else {
grub2Config, err = replaceSetCommandValue(grub2Config, "rootdevice", rootDevicePath)
if err != nil {
return fmt.Errorf("failed to set verity root device:\n%w", err)
}
}
err = file.Write(grub2Config, grubCfgFullPath)
if err != nil {
return fmt.Errorf("failed to write updated grub config:\n%w", err)
}
return nil
}
func constructVerityKernelCmdlineArgs(rootfsVerity imagecustomizerapi.Verity, rootHash string,
partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, buildDir string,
) ([]string, error) {
// Format the dataPartitionId and hashPartitionId using the helper function.
formattedDataPartition, err := systemdFormatPartitionId(rootfsVerity.DataDeviceId,
rootfsVerity.DataDeviceMountIdType, partIdToPartUuid, partitions, buildDir)
if err != nil {
return nil, err
}
formattedHashPartition, err := systemdFormatPartitionId(rootfsVerity.HashDeviceId,
rootfsVerity.HashDeviceMountIdType, partIdToPartUuid, partitions, buildDir)
if err != nil {
return nil, err
}
formattedCorruptionOption, err := systemdFormatCorruptionOption(rootfsVerity.CorruptionOption)
if err != nil {
return nil, err
}
// Construct the verity-related kernel arguments.
newArgs := []string{
"rd.systemd.verity=1",
fmt.Sprintf("roothash=%s", rootHash),
fmt.Sprintf("systemd.verity_root_data=%s", formattedDataPartition),
fmt.Sprintf("systemd.verity_root_hash=%s", formattedHashPartition),
fmt.Sprintf("systemd.verity_root_options=%s", formattedCorruptionOption),
}
return newArgs, nil
}
func verityDevicePath(verity imagecustomizerapi.Verity) string {
return verityDevicePathFromName(verity.Name)
}
func verityDevicePathFromName(name string) string {
return imagecustomizerapi.DeviceMapperPath + "/" + name
}
// idToPartitionBlockDevicePath returns the block device path for a given idType and id.
func idToPartitionBlockDevicePath(configDeviceId string,
diskPartitions []diskutils.PartitionInfo, partIdToPartUuid map[string]string,
) (string, error) {
// Iterate over each partition to find the matching id.
for _, partition := range diskPartitions {
if partitionMatchesDeviceId(configDeviceId, partition, partIdToPartUuid) {
return partition.Path, nil
}
}
// If no partition is found with the given id.
return "", fmt.Errorf("no partition found with id (%s)", configDeviceId)
}
func partitionMatchesDeviceId(configDeviceId string, partition diskutils.PartitionInfo,
partIdToPartUuid map[string]string,
) bool {
partUuid := partIdToPartUuid[configDeviceId]
return partition.PartUuid == partUuid
}
// systemdFormatPartitionId formats the partition ID based on the ID type following systemd dm-verity style.
func systemdFormatPartitionId(configDeviceId string, mountIdType imagecustomizerapi.MountIdentifierType,
partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, buildDir string,
) (string, error) {
partUuid := partIdToPartUuid[configDeviceId]
partition, _, err := findPartition(imagecustomizerapi.MountIdentifierTypePartUuid, partUuid, partitions, buildDir)
if err != nil {
return "", err
}
switch mountIdType {
case imagecustomizerapi.MountIdentifierTypePartLabel:
return fmt.Sprintf("%s=%s", "PARTLABEL", partition.PartLabel), nil
case imagecustomizerapi.MountIdentifierTypeUuid:
return fmt.Sprintf("%s=%s", "UUID", partition.Uuid), nil
case imagecustomizerapi.MountIdentifierTypePartUuid, imagecustomizerapi.MountIdentifierTypeDefault:
return fmt.Sprintf("%s=%s", "PARTUUID", partition.PartUuid), nil
default:
return "", fmt.Errorf("invalid idType provided (%s)", string(mountIdType))
}
}
func systemdFormatCorruptionOption(corruptionOption imagecustomizerapi.CorruptionOption) (string, error) {
switch corruptionOption {
case imagecustomizerapi.CorruptionOptionDefault, imagecustomizerapi.CorruptionOptionIoError:
return "", nil
case imagecustomizerapi.CorruptionOptionIgnore:
return "ignore-corruption", nil
case imagecustomizerapi.CorruptionOptionPanic:
return "panic-on-corruption", nil
case imagecustomizerapi.CorruptionOptionRestart:
return "restart-on-corruption", nil
default:
return "", fmt.Errorf("invalid corruptionOption provided (%s)", string(corruptionOption))
}
}
func validateVerityDependencies(imageChroot *safechroot.Chroot) error {
requiredRpms := []string{"lvm2"}
// Iterate over each required package and check if it's installed.
for _, pkg := range requiredRpms {
logger.Log.Debugf("Checking if package (%s) is installed", pkg)
if !isPackageInstalled(imageChroot, pkg) {
return fmt.Errorf("package (%s) is not installed:\nthe following packages must be installed to use Verity: %v", pkg, requiredRpms)
}
}
return nil
}
func updateUkiKernelArgsForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash string,
partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, buildDir string,
) error {
newArgs, err := constructVerityKernelCmdlineArgs(rootfsVerity, rootHash, partIdToPartUuid, partitions, buildDir)
if err != nil {
return fmt.Errorf("failed to generate verity kernel arguments:\n%w", err)
}
// UKI is enabled, update ukify kernel cmdline args file instead of grub.cfg.
err = appendKernelArgsToUkiCmdlineFile(buildDir, newArgs)
if err != nil {
return fmt.Errorf("failed to append verity kernel arguments to UKI cmdline file:\n%w", err)
}
return nil
}