This layer creates a dm-verity protected root filesystem for the Linux BSP on the i.MX9 series.
This describes the build steps with BSP 6.18 for the i.MX95 EVK board.
To fetch the BSP you need the repo tool installed:
```
$ mkdir ~/bin
$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo
$ PATH=${PATH}:~/bin
$ mkdir <bsp_dir>
$ cd <bsp_dir>
$ repo init -u ssh://bitbucket.sw.nxp.com/imx/imx-manifest -b linux-whinlatter-internal -m imx-verity.xml
$ repo sync
$ MACHINE=imx95evk DISTRO=fsl-imx-xwayland source imx-verity-setup-release.sh -b build
$ source ../sources/imx-build-bamboo/build/hook-in-internal-servers.sh
```
If you want to build in an existing build folder:
```
$ cd imx-linux-bsp
$ source setup-environment build
```
Also configure DM_VERITY_SEPARATE_HASH and WKS_FILES in conf/local.conf by selecting one row from the table below.
| DM_VERITY_SEPARATE_HASH | WKS_FILES |
|---|---|
| 0 | imx-imx-boot-bootpart-dmverity.wks.in |
| 0 | imx-imx-boot-bootpart-dmverity-overlay.wks.in |
| 1 | imx-imx-boot-bootpart-dmverity-hash.wks.in |
| 1 | imx-imx-boot-bootpart-dmverity-hash-overlay.wks.in |
By default, separate partitions with overlayfs are selected, i.e.
```
DM_VERITY_SEPARATE_HASH = "1"
WKS_FILES = "imx-imx-boot-bootpart-dmverity-hash-overlay.wks.in"
```
When WKS_FILES selects a wks file that enables overlayfs, the UUID of the overlay partition must also be set, as below.
```
OVERLAYFS_UUID = "94a69ec6-abb5-41e1-b0b1-bfd15e004d66"
```
To change to a single partition without overlayfs, edit conf/local.conf. For example, to select a single partition without overlayfs:
```
DM_VERITY_SEPARATE_HASH = "0"
WKS_FILES = "imx-imx-boot-bootpart-dmverity.wks.in"
```
Example to select separate partitions with overlayfs:
```
DM_VERITY_SEPARATE_HASH = "1"
WKS_FILES = "imx-imx-boot-bootpart-dmverity-hash-overlay.wks.in"
```
The image name to build must match DM_VERITY_IMAGE in local.conf, such as imx-image-core (the default), imx-image-multimedia, or another image.
```
$ bitbake imx-image-core -c cleansstate
$ bitbake imx-image-core
```
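A consistency check for the local.conf settings above, added here as an example and not part of this layer: it parses the simple `KEY = "value"` assignments, confirms that DM_VERITY_SEPARATE_HASH matches the row of the table that the chosen WKS_FILES belongs to, requires a well-formed OVERLAYFS_UUID whenever an overlay wks file is selected, and compares the bitbake target against DM_VERITY_IMAGE. The sample local.conf text is constructed for the demo; the helper names are my own.

```python
import re
import uuid

# The four valid rows of the README table: WKS_FILES -> required DM_VERITY_SEPARATE_HASH.
VALID_WKS = {
    "imx-imx-boot-bootpart-dmverity.wks.in": "0",
    "imx-imx-boot-bootpart-dmverity-overlay.wks.in": "0",
    "imx-imx-boot-bootpart-dmverity-hash.wks.in": "1",
    "imx-imx-boot-bootpart-dmverity-hash-overlay.wks.in": "1",
}

# Matches simple assignments such as  KEY = "value"  or  KEY ??= 'value'
ASSIGN_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*(?:\?\?=|\?=|:=|=)\s*(["\'])(.*)\2\s*$')


def parse_local_conf(text):
    """Collect plain string assignments; a later assignment overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def check_verity_conf(text, bitbake_target=None):
    """Return a list of problems; an empty list means the settings are consistent."""
    conf = parse_local_conf(text)
    problems = []
    wks = conf.get("WKS_FILES")
    sep = conf.get("DM_VERITY_SEPARATE_HASH")

    if wks not in VALID_WKS:
        problems.append(f"WKS_FILES={wks!r} is not one of the dm-verity wks files")
    elif sep != VALID_WKS[wks]:
        problems.append(f"DM_VERITY_SEPARATE_HASH={sep!r} does not match {wks} "
                        f"(expected {VALID_WKS[wks]!r})")

    # Overlay layouts need the partition UUID that is later passed as rootrw=UUID=...
    if wks and "-overlay" in wks:
        ovl = conf.get("OVERLAYFS_UUID")
        if not ovl:
            problems.append("OVERLAYFS_UUID must be set when an overlay wks file is selected")
        else:
            try:
                uuid.UUID(ovl)
            except ValueError:
                problems.append(f"OVERLAYFS_UUID={ovl!r} is not a valid UUID")

    # The README states imx-image-core is the default DM_VERITY_IMAGE.
    image = conf.get("DM_VERITY_IMAGE", "imx-image-core")
    if bitbake_target is not None and bitbake_target != image:
        problems.append(f"bitbake target {bitbake_target!r} differs from DM_VERITY_IMAGE={image!r}")
    return problems


# Constructed sample local.conf fragment using the README's default selection.
GOOD_CONF = '''\
MACHINE ??= 'imx95evk'
DM_VERITY_IMAGE = "imx-image-core"
DM_VERITY_SEPARATE_HASH = "1"
WKS_FILES = "imx-imx-boot-bootpart-dmverity-hash-overlay.wks.in"
OVERLAYFS_UUID = "94a69ec6-abb5-41e1-b0b1-bfd15e004d66"
'''

if __name__ == "__main__":
    for p in check_verity_conf(GOOD_CONF, "imx-image-core"):
        print("problem:", p)
```

Run it against the real conf/local.conf before `bitbake`; a mismatch between DM_VERITY_SEPARATE_HASH and the wks file, or a missing OVERLAYFS_UUID, otherwise only shows up as a failed wic step or an unbootable image.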
When the image is successfully built, program it to an SD card or eMMC on the target board.
For booting, an initramfs is required to perform the verity check:
```
mkimage -A arm -O linux -T ramdisk -d dm-verity-image-initramfs-${MACHINE}.cpio.gz uRamdisk
u-boot=> boot
```
When overlayfs is enabled, pass rootrw with the UUID of the overlayfs partition that was set in local.conf:
```
u-boot=> setenv mmcroot '/dev/mmcblkXp2 rootwait rw rootrw=UUID="94a69ec6-abb5-41e1-b0b1-bfd15e004d66"'
u-boot=> boot
```
Here, /dev/mmcblkXp2 is the rootfs partition on the SD card or eMMC (X depends on the target board).
When verity is active, the following message appears during boot:
```
[ 4.444788] device-mapper: verity: sha256 using implementation "sha256-caam"
```
- Without overlayfs, nothing on the rootfs can be written.
- With overlayfs, only /etc, /root ($HOME) and /var are writable in this example.
- If the SD card or eMMC is mounted on another system even once, it will fail to boot even on the original system, since dm-verity detects the resulting changes as corruption.
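Why mounting the card elsewhere breaks the boot, and why the root hash has to come from a trusted place, is easiest to see on a small model of the dm-verity hash tree. The block below is an added example, not code from this layer or from veritysetup: it follows dm-verity format version 1 (each block is hashed as sha256(salt || block), leaf hashes are packed into zero-padded hash blocks, and the tree is built upward until one block remains whose hash is the root hash), but uses a constructed 64-byte block size and salt instead of the real 4096-byte blocks so the tree has several levels on a tiny image. `verify_block` walks one data block's path to the root the way a verity read does; `tamper` simulates the kind of metadata write a foreign mount leaves behind.

```python
import hashlib

# Constructed demo parameters; real dm-verity uses 4096-byte blocks and a random
# salt recorded in the hash superblock by veritysetup.
BLOCK_SIZE = 64
HASH_LEN = 32                       # sha256 digest size
PER_BLOCK = BLOCK_SIZE // HASH_LEN  # hashes that fit in one hash block
SALT = b"constructed-demo-salt"


def block_hash(salt, data):
    """dm-verity format 1 hashes salt || block."""
    return hashlib.sha256(salt + data).digest()


def split_blocks(data):
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def pack_hashes(hashes):
    """Concatenate hashes into zero-padded hash blocks."""
    return [b"".join(hashes[i:i + PER_BLOCK]).ljust(BLOCK_SIZE, b"\0")
            for i in range(0, len(hashes), PER_BLOCK)]


def build_tree(image, salt=SALT):
    """Return (levels, root_hash): levels[0] holds the packed data-block hashes,
    levels[-1] the single top block, and root_hash is the hash of that top block."""
    level = pack_hashes([block_hash(salt, b) for b in split_blocks(image)])
    levels = [level]
    while len(level) > 1:
        level = pack_hashes([block_hash(salt, hb) for hb in level])
        levels.append(level)
    return levels, block_hash(salt, level[0])


def verify_block(image, levels, root_hash, idx, salt=SALT):
    """Check one data block like a verity read: compare its hash with the stored
    leaf, then each hash block with the hash stored one level up, ending at the root."""
    expected = block_hash(salt, split_blocks(image)[idx])
    pos = idx
    for level in levels:
        hash_block = level[pos // PER_BLOCK]
        slot = (pos % PER_BLOCK) * HASH_LEN
        if hash_block[slot:slot + HASH_LEN] != expected:
            return False
        expected = block_hash(salt, hash_block)
        pos //= PER_BLOCK
    return expected == root_hash


# Constructed "rootfs image": 12 data blocks of 64 bytes.
IMAGE = bytes(range(256)) * 3


def tamper(image, idx, offset=5):
    """Flip one byte inside data block idx, standing in for a journal or
    superblock update made while the card was mounted on another system."""
    b = bytearray(image)
    b[idx * BLOCK_SIZE + offset] ^= 0x01
    return bytes(b)


def demo():
    levels, root = build_tree(IMAGE)
    clean = all(verify_block(IMAGE, levels, root, i)
                for i in range(len(split_blocks(IMAGE))))
    modified = tamper(IMAGE, 3)
    bad_block = verify_block(modified, levels, root, 3)        # the touched block fails
    untouched = verify_block(modified, levels, root, 4)        # others still verify
    # Rebuilding the tree for the modified image yields a different root hash,
    # so a root hash that arrives via the signed boot chain still rejects it.
    _, forged_root = build_tree(modified)
    return clean, bad_block, untouched, forged_root != root


if __name__ == "__main__":
    print(demo())
```

The last line of `demo` is the reason the note below insists on Secure Boot: dm-verity only checks that the data matches the root hash it is handed, so the root hash (and the kernel command line carrying it) must itself be covered by the verified boot chain.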
Please note that Secure Boot is assumed to be enabled so that the boot flow cannot be interfered with, and that the eMMC or SD boot use cases are assumed to use a dm-verity protected drive. Also make sure that what is written through the overlayfs does not affect system security.