[OE-core] Solving a circular dependency issue between the main image and initramfs
Ayoub Zaki
ayoub.zaki at embexus.com
Tue Mar 10 22:54:53 UTC 2020
On 10.03.20 23:02, Bartosz Golaszewski wrote:
> Tue, 10 Mar 2020 at 22:33 Ayoub Zaki <ayoub.zaki at embexus.com> wrote:
>>> Do I implement do_install in image.bbclass so that initramfs can
>>> depend on core-image-full-cmdline:do_populate_sysroot and have the
>>> artifacts installed locally? But this would mean that the initramfs
>>> recipe deploys the main image artifact. Should we deploy the images
>>> earlier (before do_image_complete) for the initramfs recipe to fetch
>>> from DEPLOY_DIR_IMAGE? Any other ideas?
>>
>> I think that the best thing is to implement the dm-verity stuff as a wic
>> plugin, check this example:
>>
>>
>> https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/scripts/lib/wic/plugins/source/dm-verity.py
>>
> This doesn't look like a correct solution. For starters: not every
> platform uses wic. The platform I'm aiming this at uses fastboot and
> requires separate images for each partition.
My proposition was referring to your example:
https://github.com/brgl/meta-security/commit/83c8e8fba6988249c9d351aa2ad6e02a71b010df#diff-33f7c29b373860ec45379a5f2dc42a75
You are trying to include the dm-verity conversion output in your wic
wks using the following:
part / --source rawcopy --ondisk mmcblk --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_TYPE}"
In this case you will definitely get stuck in a circular dependency unless
using a Wic plugin.
>
> This plugin also seems to be unnecessarily complicated with additional
> signature for the verity hash tree. This is not needed as long as the
> root hash comes from a secure place - which it does in my case: the
> fitImage containing the initramfs is signed and the key is appended to
> u-boot's DTB. When do_image_wic starts, u-boot and initramfs assembly
> are long completed - another reason for not using a wic plugin.
I was referring to the plugin not the implementation which does not work
anyway...
Kind regards
--
Ayoub Zaki
Embedded Systems Consultant
Vaihinger Straße 2/1
D-71634 Ludwigsburg
Mobile : +4917662901545
Email : ayoub.zaki at embexus.com
Homepage : https://embexus.com
VAT No. : DE313902634
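
The root-hash argument in the quoted reply, as an added illustration (not code from this thread or from meta-security): a simplified Merkle tree in Python showing that an attacker who rewrites a data block and regenerates the unsigned hash tree still fails verification against a root hash held in a trusted place. The block size, salt and sample image are constructed assumptions, and the layout is not byte-compatible with veritysetup's on-disk format.

```python
import hashlib

BLOCK = 4096               # data/hash block size (assumed)
FANOUT = BLOCK // 32       # SHA-256 digests per hash block


def digest(salt, block):
    return hashlib.sha256(salt + block).digest()


def hash_block(level, group):
    """Zero-padded hash block holding the digests of one group of children."""
    return b"".join(level[group * FANOUT:(group + 1) * FANOUT]).ljust(BLOCK, b"\0")


def build_tree(image, salt):
    """Return (root_hash, levels); levels[0] holds the data-block digests."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of BLOCK bytes")
    level = [digest(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while True:
        groups = (len(level) + FANOUT - 1) // FANOUT
        level = [digest(salt, hash_block(level, g)) for g in range(groups)]
        levels.append(level)
        if len(level) == 1:
            return level[0], levels


def verify_block(idx, block, levels, trusted_root, salt):
    """Check one data block using an untrusted tree and a trusted root hash."""
    if digest(salt, block) != levels[0][idx]:
        return False
    for k in range(len(levels) - 1):
        group = idx // FANOUT
        is_top = k + 1 == len(levels) - 1
        parent = trusted_root if is_top else levels[k + 1][group]
        if digest(salt, hash_block(levels[k], group)) != parent:
            return False
        idx = group
    return True


def demo():
    salt = bytes(32)                                              # constructed
    image = b"".join(bytes([i % 251]) * BLOCK for i in range(300))  # constructed
    root, levels = build_tree(image, salt)   # root would live in the signed fitImage
    good = verify_block(200, image[200 * BLOCK:201 * BLOCK], levels, root, salt)
    # Attacker replaces block 200 and regenerates the whole unsigned tree.
    evil = image[:200 * BLOCK] + b"\xff" * BLOCK + image[201 * BLOCK:]
    evil_root, evil_levels = build_tree(evil, salt)
    forged = verify_block(200, b"\xff" * BLOCK, evil_levels, root, salt)
    return good, forged, root != evil_root
```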