Re: [isar-cip-core][RFC 3/8] linux-cip-common: Add options necessary for dm-verity


Jan Kiszka
 

On 12.11.21 12:50, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>

CIP Kernel Config does not contain support for dm-verity
squashfs. Overlay_FS support is added for etc-overlay.

This should be quickly addressed by expanding the configs of all boards
we want to enable this way. Start with QEMU and the IPCs. Otherwise, we
risk ignoring this subsystem wrt CVEs.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-kernel/linux/files/verity.cfg | 5 +++++
recipes-kernel/linux/linux-cip-common.inc | 6 ++++++
2 files changed, 11 insertions(+)
create mode 100644 recipes-kernel/linux/files/verity.cfg

diff --git a/recipes-kernel/linux/files/verity.cfg b/recipes-kernel/linux/files/verity.cfg
new file mode 100644
index 0000000..35d8208
--- /dev/null
+++ b/recipes-kernel/linux/files/verity.cfg
@@ -0,0 +1,5 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_CRYPT=y
+CONFIG_SQUASHFS=y
+CONFIG_OVERLAY_FS=y
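
Review bot: CONFIG_DM_CRYPT=y in verity.cfg is not covered by the commit message, which names only dm-verity, squashfs and the overlay for etc-overlay. Either explain in the commit message why dm-crypt is needed for this series or move it to its own fragment, so that a fragment named for verity enables only what verified boot requires. The fragment also lists no hash algorithm option, so the hash used for the verity tree has to come from the base defconfig; it is worth confirming that it does for every board this is applied to.
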
diff --git a/recipes-kernel/linux/linux-cip-common.inc b/recipes-kernel/linux/linux-cip-common.inc
index 1afec88..0792371 100644
--- a/recipes-kernel/linux/linux-cip-common.inc
+++ b/recipes-kernel/linux/linux-cip-common.inc
@@ -28,3 +28,9 @@ SRC_URI_append_bbb = "file://${KERNEL_DEFCONFIG}"
SRCREV_cip-kernel-config ?= "cd5d43e99f4d5f20707d7ac1e721bb22d4c9e16e"

S = "${WORKDIR}/linux-cip-v${PV}"
+
+SRC_URI += "file://verity.cfg"
+
+do_prepare_build_prepend() {
+ cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}
+}
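
Review bot: The `cat ${WORKDIR}/verity.cfg >> ${WORKDIR}/${KERNEL_DEFCONFIG}` in do_prepare_build_prepend runs for every kernel build that includes linux-cip-common.inc and appends again each time the task is re-executed, so the defconfig accumulates duplicate entries. Gate both the `SRC_URI += "file://verity.cfg"` line and the prepend on whatever condition selects the verity-enabled image, and make the append idempotent (for example by checking whether the options are already present). Also, the context line adds `file://${KERNEL_DEFCONFIG}` to SRC_URI only for the bbb override, so please confirm that ${WORKDIR}/${KERNEL_DEFCONFIG} is the file actually used as the defconfig on the other machines; if it is not, the redirect will silently create a new file there instead of extending the real config.
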
This should be appended conditionally, when building a secure image, I
would say.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
