definitions = [defaults]
+ if context.config.verity == Verity.defer:
+ skip = [
+ *skip,
+ f"root-{context.config.architecture}-verity-sig",
+ f"usr-{context.config.architecture}-verity-sig",
+ ]
+
return make_image(
context,
msg=msg,
]
if context.config.verity == Verity.hash:
cmdline += [f"--exclude-partitions={','.join(verity)}"]
+ elif context.config.verity == Verity.defer:
+ cmdline += [f"--defer-partitions={','.join(verity)}"]
with complete_step(f"Building {context.config.output_format} extension image"):
j = json.loads(
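Review bot: The new `Verity.defer` branch passes `--defer-partitions=` without recording that the extension image it produces carries an allocated but empty verity signature partition, which is the security-relevant consequence of this mode; a comment above the `elif` should say so, e.g. `# defer: allocate the verity-sig partition but leave it unpopulated; the image is unsigned until an out-of-band signing step fills it in`. The same caveat applies to the `skip` entries added for `root-{arch}-verity-sig` / `usr-{arch}-verity-sig` in the earlier hunk. `--defer-partitions=` is only understood by systemd-repart builds that provide that option; if mkosi already enforces a minimum systemd version elsewhere this is covered, otherwise an older repart will reject the option rather than silently produce an unsigned image, which is an acceptable failure mode but worth noting next to the `Verity.hash` / `--exclude-partitions=` branch. The enclosing function starts and ends outside this hunk.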
`Verity=`, `--verity=`
: Whether to enforce or disable verity for extension images. Takes one of
- `signed`, `hash`, `auto` or a boolean value. If set to `signed`,
+ `signed`, `hash`, `defer`, `auto` or a boolean value. If set to `signed`,
a verity key and certificate must be present and the build will fail if
we don't detect any verity partitions in the disk image produced by
**systemd-repart**. If disabled, verity partitions will be excluded
from the extension images produced by **systemd-repart**. If set to
`hash`, **mkosi** configures **systemd-repart** to create a verity hash
- partition, but no signature partition. If set to `auto` and a verity key
- and certificate are present, **mkosi** will pass them to **systemd-repart** and
- expects the generated disk image to contain verity partitions, but the build
- won't fail if no verity partitions are found in the disk image produced by
- **systemd-repart**.
+ partition, but no signature partition. If set to `defer`, space for the verity
+ sig partition will be allocated but it will not be populated yet. If set to
+ `auto` and a verity key and certificate are present, **mkosi** will pass them
+ to **systemd-repart** and expects the generated disk image to contain verity
+ partitions, but the build won't fail if no verity partitions are found in the
+ disk image produced by **systemd-repart**.
Note that explicitly disabling verity signature and/or hash is not yet
implemented for the `disk` output and only works for extension images at the
- Teach `--verity` a new `hash` value, which skips the verity signature
partition for extension / portable images. To align the possible values,
`yes` is renamed to `signed`.
+- Teach `--verity` a new `defer` value, which defers creation of the
+ verity signature partition for disk, extension and portable images (but
+ still allocates space for it). This is useful to implement offline
+ signing of the verity roothash.
## v25