dm-verity

Open ericcurtin opened this issue 2 years ago • 1 comments

We need to verify initoverlayfs on boot, to check it's contents are correct, we must ensure whatever we use can work on a erofs file within a vfat, ext4, erofs boot partition.

dm-verity probably makes more sense to use the verity within the initoverlayfs, because if initoverlayfs is a file, the directory it's on may not have verity (for example if it's an initoverlayfs file on ESP vfat).

Oct 25 '23 13:10 ericcurtin

So we have some initial support here to write the hash to initramfs:

https://github.com/containers/initoverlayfs/pull/74

the next step is to ensure systemd only mounts an erofs that matches this hash.

We also likely must enable dm-verity in the Automotive kernel in CentOS Stream.

Mar 07 '24 12:03 ericcurtin