[OE-core] Solving a circular dependency issue between the main image and initramfs

Ayoub Zaki ayoub.zaki at embexus.com
Tue Mar 10 22:54:53 UTC 2020


On 10.03.20 23:02, Bartosz Golaszewski wrote:
> Tue, 10 Mar 2020 at 22:33 Ayoub Zaki <ayoub.zaki at embexus.com> wrote:
>>> Do I implement do_install in image.bbclass so that initramfs can
>>> depend on core-image-full-cmdline:do_populate_sysroot and have the
>>> artifacts installed locally? But this would mean that the initramfs
>>> recipe deploys the main image artifact. Should we deploy the images
>>> earlier (before do_image_complete) for the initramfs recipe to fetch
>>> from DEPLOY_DIR_IMAGE? Any other ideas?
>>
>> I think that the best thing is to implement the dm-verity stuff as a wic
>> plugin, check this example:
>>
>>
>> https://github.com/intel/intel-iot-refkit/blob/master/meta-refkit-core/scripts/lib/wic/plugins/source/dm-verity.py
>>
> This doesn't look like a correct solution. For starters: not every
> platform uses wic. The platform I'm aiming this at uses fastboot and
> requires separate images for each partition.


My proposition was referring to your example:


https://github.com/brgl/meta-security/commit/83c8e8fba6988249c9d351aa2ad6e02a71b010df#diff-33f7c29b373860ec45379a5f2dc42a75


You are trying to include the dm-verity conversion output in your wic
wks using the following:


part / --source rawcopy --ondisk mmcblk --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_TYPE}"


In this case you will definitely get stuck in a circular dependency unless
using a Wic plugin.

>
> This plugin also seems to be unnecessarily complicated with additional
> signature for the verity hash tree. This is not needed as long as the
> root hash comes from a secure place - which it does in my case: the
> fitImage containing the initramfs is signed and the key is appended to
> u-boot's DTB. When do_image_wic starts, u-boot and initramfs assembly
> are long completed - another reason for not using a wic plugin.


I was referring to the plugin not the implementation which does not work 
anyway...


Mit freundlichen Grüßen / Kind regards

-- 
Ayoub Zaki
Embedded Systems Consultant

Vaihinger Straße 2/1
D-71634 Ludwigsburg


Mobile   : +4917662901545
Email    : ayoub.zaki at embexus.com
Homepage : https://embexus.com
VAT No.  : DE313902634
