From: Pintu Agarwal <pintu.ping@gmail.com>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>,
	open list <linux-kernel@vger.kernel.org>,
	Phillip Lougher <phillip@squashfs.org.uk>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-mtd <linux-mtd@lists.infradead.org>,
	dm-devel@redhat.com,
	Kernelnewbies <kernelnewbies@kernelnewbies.org>,
	agk@redhat.com, snitzer@redhat.com,
	Sami Tolvanen <samitolvanen@google.com>
Subject: Re: Kernel 4.14: Using dm-verity with squashfs rootfs - mounting issue
Date: Tue, 31 Aug 2021 18:49:28 +0530
Message-ID: <CAOuPNLgMd0AThhmSknbmKqp3_P8PFhBGr-jW0Mqjb6K6NchEMg@mail.gmail.com>
In-Reply-To: <20210830211224.76391708@windsurf>

Hi,

On Tue, 31 Aug 2021 at 00:42, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Mon, 30 Aug 2021 23:48:40 +0530
> Pintu Agarwal <pintu.ping@gmail.com> wrote:
>
> > ohh that means we already have a working reference.
> > If possible can you share the details, even 4.19 or higher will be
> > also a good reference.
> >
> > > > Or, another option is to use the new concept from 5.1 kernel that is:
> > > > dm-mod.create = ?
> > > How are you doing it today without dm-mod.create ?
> > I think in 4.14 we don't have dm-mod.create right ?
>
> No, but you can backport it easily. Back at
> http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025967.html
> I provided backports of this feature to OpenWrt, for the 4.14 and 4.19
> kernels.
>
Yes, I can backport it to our 4.14 Kernel.
Can you share the list of patches to be backported to make it work on 4.14 ?
If it's backported also I need to report to our internal kernel, but
it might be slightly easier.
Please share the details.

> > Here is our kernel command line:
> >
> > [    0.000000] Kernel command line: ro rootwait
> > console=ttyMSM0,115200,n8 ....  verity="95384 11923
> > 16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3 12026
> > " rootfstype=squashfs ubi.mtd=40,0,30 ubi.block=0,0 root=/dev/dm-0
> > .... init=/sbin/init root=/dev/dm-0 dm="rootfs none ro,0 95384 verity
> > 1 /dev/ubiblock0_0 /dev/mtdblock53 4096 4096 11923 8 sha256
> > 16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3
> > aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7 10
> > restart_on_corruption ignore_zero_blocks use_fec_from_device
> > /dev/mtdblock53 fec_roots 2 fec_blocks 12026 fec_start 12026" ...
>
> I don't see how this can work without the dm-mod.create feature. Are
> you sure the verity= and dm= kernel arguments exist?

Sorry, I am not a security guy and this was done by someone from the
security team.
But, I know that this is already working with ext4.
The moment we change to squashfs, it does not work.

The only differences with squashfs are:
=> verity metadata are kept on separate volume
=> The rootfstype and related stuff are different
=> verity command line related stuff are almost the same.

Also, you mentioned:
>>> Here, it definitely worked to append the hash tree to the squashfs
>>> image and store them in the same partition.
Can you share some details about it?
How can it be done, since squashfs is read-only?
Do we need to change some parameters during squashfs image generation?
{
  $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
- -nopad -noappend -root-owned \
+ -noappend -root-owned \
}
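
Review bot: the removed `-nopad` on the mksquashfs4 line only changes whether the image is padded to a 4K multiple, and the fragment ends on a trailing `\` directly before `}`, so the rest of the recipe is not visible. Please quote the full command, and show the step that generates and appends the hash tree next to it: padding lines the image end up with the 4096-byte data block size used in the dm= table, but nothing in this hunk produces the verity metadata itself.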

Also, for the above cmdline, is there any problem with the block size?
As @Mikulas said before, the block size could be the issue.

Also, for squashfs we are passing like this for root=. Is it fine ?
rootfstype=squashfs ubi.mtd=40,0,30 ubi.block=0,0 root=/dev/dm-0

I see that dm-0 is already passed elsewhere so do we really need it ?
I suspect it is not required as a block device.


Thanks,
Pintu
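
Added example, not part of the original message or of any project in the thread: a small Python check of the internal arithmetic of the verity table quoted above (table length in 512-byte sectors against data blocks and block size, root hash length, optional-argument count, and hash/data overlap when both live on one device). It assumes the text after the first comma of dm= is a device-mapper table line; the function names are hypothetical, and it says nothing about whether the running kernel accepts dm= at all.

```python
import re

# Constructed input: the dm= value quoted in the message above, joined onto one line.
DM_ARG = (
    "rootfs none ro,0 95384 verity 1 /dev/ubiblock0_0 /dev/mtdblock53 "
    "4096 4096 11923 8 sha256 "
    "16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3 "
    "aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7 10 "
    "restart_on_corruption ignore_zero_blocks use_fec_from_device "
    "/dev/mtdblock53 fec_roots 2 fec_blocks 12026 fec_start 12026"
)

DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}
SECTOR = 512  # device-mapper table lengths are in 512-byte sectors


def parse_verity_table(dm_arg):
    """Split '<name> <uuid> <mode>,<table>' and name the verity target fields."""
    _header, _, table = dm_arg.partition(",")
    f = table.split()
    if len(f) < 13 or f[2] != "verity":
        raise ValueError("not a verity table line")
    keys = ("version", "data_dev", "hash_dev", "data_bs", "hash_bs",
            "data_blocks", "hash_start", "alg", "root_hash", "salt")
    t = dict(zip(keys, f[3:13]))
    for k in ("data_bs", "hash_bs", "data_blocks", "hash_start"):
        t[k] = int(t[k])
    t["start"], t["sectors"] = int(f[0]), int(f[1])
    t["opt_count"] = int(f[13]) if len(f) > 13 else 0
    t["opts"] = f[14:]
    return t


def check_verity_table(t):
    """Return a list of inconsistencies; an empty list means the numbers agree."""
    problems = []
    for k in ("data_bs", "hash_bs"):
        bs = t[k]
        if bs < SECTOR or bs & (bs - 1):
            problems.append(f"{k}={bs} is not a power of two >= {SECTOR}")
    want = t["data_blocks"] * t["data_bs"] // SECTOR
    if t["sectors"] != want:
        problems.append(f"table length {t['sectors']} sectors, expected {want}")
    n = DIGEST_HEX_LEN.get(t["alg"])
    hash_ok = n is not None and re.fullmatch(r"[0-9a-f]{%d}" % n, t["root_hash"])
    if not hash_ok:
        problems.append("root hash does not match digest length for " + t["alg"])
    if t["opt_count"] != len(t["opts"]):
        problems.append(f"optional-arg count {t['opt_count']} != {len(t['opts'])} words")
    # With the hash tree appended to the image, hash_start must lie past the data.
    if (t["data_dev"] == t["hash_dev"]
            and t["hash_start"] * t["hash_bs"] < t["data_blocks"] * t["data_bs"]):
        problems.append("hash area overlaps data on the shared device")
    return problems


if __name__ == "__main__":
    print(check_verity_table(parse_verity_table(DM_ARG)) or "table is self-consistent")
```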
