Re: [isar-cip-core][RFC v2 4/9] Create a initrd with support for dm-verity


Quirin Gylstorff
 

On 11/19/21 2:29 PM, Christian Storm via lists.cip-project.org wrote:
diff --git a/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
new file mode 100644
index 0000000..c4f3dc4
--- /dev/null
+++ b/recipes-initramfs/initramfs-verity-hook/files/verity.script.tmpl
@@ -0,0 +1,68 @@
+#!/bin/sh
+prereqs()
+{
+ # Make sure that this script is run last in local-top
+ local req
+ for req in "${0%/*}"/*; do
+ script="${req##*/}"
+ if [ "$script" != "${0##*/}" ] && [ "$script" != "cryptroot" ]; then
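Review bot: the comment at the top of prereqs() says this script runs last in local-top, but the condition on the `if` line skips "cryptroot", so cryptroot is never listed as a prerequisite and can be ordered after this script. Reword the comment to say that the script runs after every other local-top script except cryptroot, and state why cryptroot is left out. In the same loop, `req` is declared with `local` while `script` is assigned without it; declare both so the function does not leak `script` into the caller's scope.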
Hm, so you explicitly enumerate all scripts except for cryptroot so that
you run (hopefully right?) thereafter.
Isn't it sufficient to make cryptroot dependent on this?
Looks too verbose and complicated...
It is the same scripting as cryptroot uses in Debian 11 which inspired this
script. See [1].
[1]: https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/latest/debian/initramfs/scripts/local-top/cryptroot
Anyway, this doesn't answer the questions?
Kind regards,
Christian

The `verity.script` should be executed as the last script in the local-top init phase. If the cryptroot script exists, `verity.script` is the second last script.

If the package `cryptsetup-initramfs` is always installed, an entry in the cryptroot script would be enough. We currently have no dependency on `cryptsetup-initramfs`.

If we want to change the cryptroot dependency, we need to patch the necessary scripts/packages. Patching other packages is something I would like to avoid for this feature.


Quirin
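
The ordering described in this reply, as an added example that is not part of the thread or of isar-cip-core: a constructed model in which each local-top script prints its prerequisites and the resulting "prerequisite script" pairs are sorted with `tsort`. The script names `lvm2` and `mdadm`, the loop body written into the fake scripts, and the helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed model (not initramfs-tools code): every local-top script prints
# its prerequisites, and "prereq script" pairs are ordered with tsort.

# Write a script that lists every sibling except itself and $3 as a
# prerequisite. The loop body is an assumption; the quoted hunk is cut off.
make_enumerating_script() {
    cat > "$1/$2" <<EOF
for req in "\${0%/*}"/*; do
    script="\${req##*/}"
    if [ "\$script" != "\${0##*/}" ] && [ "\$script" != "$3" ]; then
        echo "\$script"
    fi
done
EOF
}

# Print the execution order of the scripts in directory $1, one per line.
local_top_order() {
    for s in "$1"/*; do
        name=${s##*/}
        echo "$name $name"              # identical pair: node without an edge
        for p in $(sh "$s" prereqs); do
            echo "$p $name"             # p has to run before name
        done
    done | tsort
}

# $1 = with|without cryptroot; prints the resulting order on one line.
simulate() {
    dir=$(mktemp -d)
    : > "$dir/lvm2"                     # hypothetical scripts, no prerequisites
    : > "$dir/mdadm"
    make_enumerating_script "$dir" verity cryptroot
    if [ "$1" = with ]; then
        make_enumerating_script "$dir" cryptroot ""   # excludes only itself
    fi
    local_top_order "$dir" | tr '\n' ' '
    rm -rf "$dir"
}

simulate with; echo       # verity is second to last, cryptroot last
simulate without; echo    # verity is last
```

If the verity script listed cryptroot as a prerequisite as well, the two scripts would depend on each other and `tsort` would report a loop instead of a usable order.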
