[Buildroot] [PATCH 2/2] fs/squashfs: enable squashfs to generate a verity hashtable
Peter Korsgaard
peter at korsgaard.com
Thu Mar 22 22:32:48 UTC 2018
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
> Ben, All,
> On 2018-03-22 21:06 +0000, Ben Whitten spake thusly:
>> For those times that you want to verify that your readonly filesystem
>> hasn't been tampered with, we can generate a dm-verity hash table.
>> The root hash is enclosed in the .table file and must be secured elsewhere.
Strange, I don't seem to have received the original patch?
> I don't think this should belong to the squashfs filesystem.
> From what I understand, veritysetup is filesystem-agnostic, and can do
> the hash checksums on any image (even a r/w filesystem as long as it is
> mounted r/o for example).
> My position is that this should be done in a post-image script.
I agree! It is quite simple to enable the host-cryptsetup package and
call veritysetup format in a post-image script, but there is quite some
flexibility in how to use dm-verity (data/hash block size, hashes
appended to image or in a separate partition, where to store top-level
hash and offset, ...) which makes it hard to integrate as kconfig
options.
--
Bye, Peter Korsgaard
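
The post-image approach discussed in the message above, as an added example that is not part of the original post or of Buildroot itself. It assumes host-cryptsetup is enabled so that veritysetup is on PATH, that the image is named rootfs.squashfs, and that the hash tree goes in a separate file; the output file names and both function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: Buildroot post-image script that builds a dm-verity hash tree.
# Assumptions: host-cryptsetup is enabled so veritysetup is on PATH, the image
# is rootfs.squashfs, and the output names rootfs.verity/rootfs.roothash are ours.
set -eu

# Read `veritysetup format` output on stdin and print the root hash.
# Fails unless exactly one "Root hash:" line with a hex value is present.
parse_root_hash() {
    awk '/^Root hash:/ { n++; h = $3 }
         END { if (n != 1 || h !~ /^[0-9a-fA-F]+$/) exit 1; print h }'
}

# generate_verity IMAGE HASH_FILE ROOT_HASH_FILE
# Hashes go in a separate file; block sizes are given explicitly because they
# are among the choices the message lists (4096 is this sketch's pick).
generate_verity() {
    image=$1 hash_file=$2 root_file=$3
    log=$(veritysetup format --data-block-size=4096 --hash-block-size=4096 \
          "$image" "$hash_file") || return 1
    root=$(printf '%s\n' "$log" | parse_root_hash) || return 1
    printf '%s\n' "$root" > "$root_file"
}

# Buildroot exports BINARIES_DIR to post-image scripts; do nothing without it.
if [ -n "${BINARIES_DIR:-}" ] && [ -f "$BINARIES_DIR/rootfs.squashfs" ]; then
    generate_verity "$BINARIES_DIR/rootfs.squashfs" \
        "$BINARIES_DIR/rootfs.verity" "$BINARIES_DIR/rootfs.roothash"
    # As the patch description says, the root hash must be secured elsewhere,
    # outside the image it protects.
fi
```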