Hi,

On Tue, 31 Aug 2021 at 00:42, Thomas Petazzoni <thomas.petazzoni@xxxxxxxxxxx> wrote:
>
> Hello,
>
> On Mon, 30 Aug 2021 23:48:40 +0530
> Pintu Agarwal <pintu.ping@xxxxxxxxx> wrote:
>
> > ohh that means we already have a working reference.
> > If possible can you share the details, even 4.19 or higher will be
> > also a good reference.
> >
> > > > Or, another option is to use the new concept from 5.1 kernel that is:
> > > > dm-mod.create = ?
> > > How are you doing it today without dm-mod.create ?
> > I think in 4.14 we don't have dm-mod.create right ?
>
> No, but you can backport it easily. Back at
> http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025967.html
> I provided backports of this feature to OpenWrt, for the 4.14 and 4.19
> kernels.
>

Yes, I can backport it to our 4.14 Kernel.
Can you share the list of patches to be backported to make it work on 4.14 ?
If it's backported also I need to report to our internal kernel, but it might be slightly easier.
Please share the details.

> > Here is our kernel command line:
> >
> > [ 0.000000] Kernel command line: ro rootwait
> > console=ttyMSM0,115200,n8 .... verity="95384 11923
> > 16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3 12026
> > " rootfstype=squashfs ubi.mtd=40,0,30 ubi.block=0,0 root=/dev/dm-0
> > .... init=/sbin/init root=/dev/dm-0 dm="rootfs none ro,0 95384 verity
> > 1 /dev/ubiblock0_0 /dev/mtdblock53 4096 4096 11923 8 sha256
> > 16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3
> > aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7 10
> > restart_on_corruption ignore_zero_blocks use_fec_from_device
> > /dev/mtdblock53 fec_roots 2 fec_blocks 12026 fec_start 12026" ...
>
> I don't see how this can work without the dm-mod.create feature. Are
> you sure the verity= and dm= kernel arguments exist?

Sorry, I am not a security guy and this was done by someone from the security team.
But, I know that this is already working with ext4.
The moment we change to squashfs, it does not work.
The only difference with squashfs are:
=> verity metadata are kept on separate volume
=> The rootfstype and related stuff are different
=> verity command line related stuff are almost the same.

Also, you mentioned:
>>> Here, it definitely worked to append the hash tree to the squashfs
>>> image and store them in the same partition.

Can you share some details about it ?
How it can be done since squashfs is readonly.
Do, we need to change some parameters during squashfs image generation ?

{ $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \ - -nopad -noappend -root-owned \ + -noappend -root-owned \ }

Also, for the above cmdline, is there any problem with the block size ?
As @Mikulas said before that the block size could be the issue

Also, for squashfs we are passing like this for root=. Is it fine ?
rootfstype=squashfs ubi.mtd=40,0,30 ubi.block=0,0 root=/dev/dm-0

I see that dm-0 is already passed elsewhere so do we really need it ?
I suspect it is not required as a block device.

Thanks,
Pintu
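
Review bot: in the mksquashfs4 hunk, `-nopad` is dropped with no comment saying why. mksquashfs pads the image to a 4 KiB multiple unless `-nopad` is given, so removing the flag changes the size of the generated image. A short comment next to the call stating that the padding is wanted (for example so that a hash tree appended after the image starts on a 4096-byte boundary, the block size used in the verity table quoted above) would keep the flag from being re-added later.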
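
As an added example (not part of this thread and not the posters' code), the verity target inside the quoted `dm=` argument can be checked for internal consistency, which bears on the block-size question. It assumes the field order of the kernel's dm-verity table format and skips the `rootfs none ro,` prefix; `parse_verity_table` and `check_verity_table` are hypothetical names, and the 512-byte minimum is only a necessary condition because the device's logical block size is not known here.

```python
# Added example (not from the thread). TABLE is the verity target from the dm=
# argument quoted above, without the "rootfs none ro," prefix.
TABLE = (
    "0 95384 verity 1 /dev/ubiblock0_0 /dev/mtdblock53 4096 4096 11923 8 sha256 "
    "16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3 "
    "aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7 10 "
    "restart_on_corruption ignore_zero_blocks use_fec_from_device "
    "/dev/mtdblock53 fec_roots 2 fec_blocks 12026 fec_start 12026"
)
DIGEST_HEX = {"sha1": 40, "sha256": 64, "sha512": 128}  # hex chars per digest


def parse_verity_table(table):
    """Split '<start> <sectors> verity <version> <data_dev> <hash_dev> ...'."""
    f = table.split()
    if len(f) < 13 or f[2] != "verity":
        raise ValueError("not a dm-verity target line")
    return {"sectors": int(f[1]), "data_dev": f[4], "hash_dev": f[5],
            "data_bs": int(f[6]), "hash_bs": int(f[7]), "data_blocks": int(f[8]),
            "hash_start": int(f[9]), "alg": f[10], "digest": f[11],
            "opt_count": int(f[13]) if len(f) > 13 else 0, "opts": f[14:]}


def check_verity_table(t):
    """Return a list of inconsistencies; an empty list means none were found."""
    problems = []
    for name in ("data_bs", "hash_bs"):
        if t[name] < 512 or t[name] & (t[name] - 1):
            problems.append(f"{name}={t[name]} is not a power of two >= 512")
    # The target length is given in 512-byte sectors, the data area in blocks.
    expected = t["data_blocks"] * t["data_bs"] // 512
    if t["sectors"] != expected:
        problems.append(f"length is {t['sectors']} sectors, data area needs {expected}")
    want = DIGEST_HEX.get(t["alg"])
    if want and len(t["digest"]) != want:
        problems.append(f"root hash is {len(t['digest'])} hex chars, {t['alg']} needs {want}")
    if t["opt_count"] != len(t["opts"]):
        problems.append(f"optional-argument count {t['opt_count']} != {len(t['opts'])} given")
    # A hash tree appended to the image on the same device must start past the data.
    if (t["data_dev"] == t["hash_dev"]
            and t["hash_start"] * t["hash_bs"] < t["data_blocks"] * t["data_bs"]):
        problems.append("hash area overlaps the data area on the shared device")
    return problems


if __name__ == "__main__":
    for line in check_verity_table(parse_verity_table(TABLE)) or ["table is consistent"]:
        print(line)
```

The last check only applies to the appended-hash-tree layout mentioned in the thread, where data and hash device are the same.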