DM-verity: Difference between revisions
(Creating DM-Verity Wiki Page) |
mNo edit summary |
||
Line 15: | Line 15: | ||
=== Installing === | === Installing === | ||
{{note| This wiki will be using Alpine Linux Edge Version.}} | {{note| This wiki will be using Alpine Linux Edge Version. (Alpine Linux Non-Edge Versions may not contain these packages in the this wiki page) (Use Alpine Linux Edge Testing as well)}} | ||
First, some considerations, you may use a strictly READ-ONLY file system, such as SquashFS or EROFS, this wiki will be using EROFS (if you use a custom kernel, make sure it supports a file system such as ERO-FS, the default linux-lts does) | First, some considerations, you may use a strictly READ-ONLY file system, such as SquashFS or EROFS, this wiki will be using EROFS (if you use a custom kernel, make sure it supports a file system such as ERO-FS, the default linux-lts does). [[https://github.com/erofs/erofs-utils ERO-FS Github]] [3] contains some information about how to compress and make your own read-only root image. | ||
{{cmd| $ apk install dracut erofs-utils}} | {{cmd| $ apk install dracut erofs-utils}} | ||
{{cmd| $ mkdir image && cd image }} | |||
{{cmd| $ wget https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/x86_64/alpine-minirootfs-3.21.0-x86_64.tar.gz}} | |||
{{cmd| $ tar -xvf alpine-minirootfs-3.21.0-x86_64.tar.gz}} | |||
{{cmd| $ cd .. && mkfs.erofs erofs.img ./image}} | |||
== External Links == | == External Links == | ||
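Review bot: The added commands download the tarball into ./image and never remove it, so `mkfs.erofs erofs.img ./image` packs alpine-minirootfs-3.21.0-x86_64.tar.gz into the root image alongside the extracted files; download it outside the directory (or delete it after extraction) before building the image. The tarball is also extracted without any integrity check, which sits oddly on a page about extending a root of trust; add a step that verifies it against the checksum or signature Alpine publishes next to the release file. The unchanged context line `$ apk install dracut erofs-utils` will fail because apk installs packages with `apk add`, and it is worth fixing while this block is being touched. Smaller points: the new link is written `[[https://github.com/erofs/erofs-utils ERO-FS Github]]`, but external links take single brackets in MediaWiki, and the note contains the typo "in the this wiki page".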
Line 27: | Line 30: | ||
==== DM-Verity (Arch Wiki): ==== | ==== DM-Verity (Arch Wiki): ==== | ||
* [https://wiki.archlinux.org/title/Dm-verity https://wiki.archlinux.org/title/Dm-verity] [2] | * [https://wiki.archlinux.org/title/Dm-verity https://wiki.archlinux.org/title/Dm-verity] [2] | ||
==== ERO-FS Github ==== | |||
* [https://github.com/erofs/erofs-utils https://github.com/erofs/erofs-utils] [3] | |||
[[Category:Security]] [[Category:InitRAMFS]] | [[Category:Security]] [[Category:InitRAMFS]] |
Revision as of 22:45, 8 December 2024
This material is work-in-progress ... Do not follow instructions here until this notice is removed.
Why DM-Verity?
You may want to extend the RoT (Root of Trust) from the hardware, through secure boot, to a dm-verity rootfs. Perhaps you already use TPMs to ensure only the hardware can unlock the disk encryption, and now you also want to ensure your root image/root partition has not been tampered with.
What's the difference between just setting the root partition as read-only (or using Fedora's Immutable Root Partition) and this?
DM-Verity disallows tampering with the read-only partition, so with this in mind you may use ERO-FS or SquashFS to generate read-only root partition images. If you set your EXT4 file system to writable and DM-Verity were to use it, it would be seen as "corrupted" and would no longer boot, because even ONE tiny data change to the root image/partition renders it "corrupted". This is the same technology used in Android and Chrome OS devices.
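Why a single changed byte makes the image "corrupted", shown as an added example that is not part of the original wiki page or of dm-verity's own code: a simplified hash tree checked against one trusted root hash. The 4096-byte block size, the salted SHA-256, the sample image and every function name are assumptions, and the real on-disk hash format differs.

```python
import hashlib

BLOCK = 4096                # assumed data and hash block size
FANOUT = BLOCK // 32        # 128 SHA-256 digests fit in one hash block
SALT = b"constructed-salt"  # constructed sample value

def _h(data: bytes) -> bytes:
    return hashlib.sha256(SALT + data).digest()

def _pack(digests):
    """Concatenate up to FANOUT digests into one zero-padded hash block."""
    return b"".join(digests).ljust(BLOCK, b"\0")

def build_levels(image: bytes):
    """levels[0] holds one digest per data block; levels[-1] is [root hash]."""
    levels = [[_h(image[i:i + BLOCK].ljust(BLOCK, b"\0"))
               for i in range(0, len(image), BLOCK)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([_h(_pack(prev[i:i + FANOUT]))
                       for i in range(0, len(prev), FANOUT)])
    return levels

def read_block(image: bytes, index: int, levels, trusted_root: bytes) -> bytes:
    """Return data block `index` only if it hashes up to trusted_root."""
    block = image[index * BLOCK:(index + 1) * BLOCK].ljust(BLOCK, b"\0")
    digest, pos = _h(block), index
    for level in levels[:-1]:
        if level[pos] != digest:
            raise OSError(f"block {index}: hash mismatch, reported as corrupted")
        start = pos - pos % FANOUT
        digest, pos = _h(_pack(level[start:start + FANOUT])), pos // FANOUT
    if digest != trusted_root:
        raise OSError(f"block {index}: hash tree does not match trusted root")
    return block

def is_intact(image, index, levels, trusted_root) -> bool:
    try:
        read_block(image, index, levels, trusted_root)
        return True
    except OSError:
        return False

# Constructed 300-block image (3 tree levels: 300 digests -> 3 -> 1 root).
IMAGE = b"".join(i.to_bytes(4, "big") * (BLOCK // 4) for i in range(300))
LEVELS = build_levels(IMAGE)
ROOT = LEVELS[-1][0]        # the one value that must stay trusted
P = 200 * BLOCK + 5         # flip a single bit inside block 200
TAMPERED = IMAGE[:P] + bytes([IMAGE[P] ^ 0x01]) + IMAGE[P + 1:]
```

Rebuilding the whole tree over the tampered image does not help either: every intermediate hash then matches, but the recomputed root no longer equals the trusted one, which is why the root hash has to be anchored in the boot chain.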
What is ERO-FS?
[Google thought about implementing it for DM-Verity] [1]. But even if Google didn't use it for some reason, ERO-FS is still an excellent and fast compressed read-only filesystem.
Here is an excerpt about mkfs.erofs on [Arch Linux Wiki] [2]:
mkfs.erofs(1) offers an attractive alternative to ext4 or squashfs on the root partition. EROFS, like squashfs, does not allow writes by design and has better performance in many cases than comparable filesystems on flash and solid-state media. It uses lz4 compression by default and was designed for Android phones by Huawei, which make extensive use of dm-verity.
Installing
First, some considerations: you may use a strictly READ-ONLY file system, such as SquashFS or EROFS. This wiki will be using EROFS (if you use a custom kernel, make sure it supports a file system such as ERO-FS; the default linux-lts does). [ERO-FS Github] [3] contains some information about how to compress and make your own read-only root image.
$ apk add dracut erofs-utils
$ mkdir image && cd image
$ wget https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/x86_64/alpine-minirootfs-3.21.0-x86_64.tar.gz
$ tar -xvf alpine-minirootfs-3.21.0-x86_64.tar.gz
$ rm alpine-minirootfs-3.21.0-x86_64.tar.gz
$ cd .. && mkfs.erofs erofs.img ./image