From: Daan De Meyer
Date: Sat, 21 Sep 2024 20:23:32 +0000 (+0200)
Subject: docs: Fix partition order for root verity docs
X-Git-Tag: v25~271
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb93facaf0a74aaae0880e054046ea71b24d9110;p=thirdparty%2Fmkosi.git

docs: Fix partition order for root verity docs

The generated root partition needs to be resized on first boot for the A/B update setup so we have to make sure it's the last one and give it the same size requirements as the B partition in the image so it's grown to the same size.

Similarly, we make sure to leave sufficient space for verity hash data updates. Because this is not the last partition, we can't grow it on first boot so we leave sufficient room inside the image itself when building it.

While we're at it, we also reorder the settings a bit so things are more consistent.
---
diff --git a/docs/root-verity.md b/docs/root-verity.md
index 17fad3384..3b2917328 100644
--- a/docs/root-verity.md
+++ b/docs/root-verity.md
@@ -6,40 +6,42 @@ partition, put the following in mkosi.repart: ```conf # mkosi.repart/00-esp.conf [Partition] +Type=esp +Format=vfat CopyFiles=/efi:/ CopyFiles=/boot:/ -Format=vfat -SizeMinBytes=1024M -Type=esp +SizeMinBytes=1G +SizeMaxBytes=1G -# mkosi.repart/10-root.conf +# mkosi.repart/10-root-verity-sig.conf [Partition] -CopyFiles=/ -ExcludeFilesTarget=/var/ -Format=erofs -Label=%M_%A_root -Minimize=yes -SplitName=%t.%U -Type=root -Verity=data +Type=root-verity-sig +Label=%M_%A_verity_sig +Verity=signature VerityMatchKey=root +SplitName=%t.%U # mkosi.repart/11-root-verity.conf [Partition] -Label=%M_%A_verity -Minimize=yes -SplitName=%t.%U Type=root-verity +Label=%M_%A_verity Verity=hash VerityMatchKey=root +SizeMinBytes=300M +SizeMaxBytes=300M +SplitName=%t.%U -# mkosi.repart/12-root-verity-sig.conf +# mkosi.repart/12-root.conf [Partition] -Label=%M_%A_verity_sig -SplitName=%t.%U -Type=root-verity-sig -Verity=signature +Type=root +Format=erofs +Label=%M_%A_root +Verity=data VerityMatchKey=root +CopyFiles=/ +ExcludeFilesTarget=/var/ +Minimize=yes +SplitName=%t.%U ``` Then, you'll need a dropin for systemd-repart in the initrd to make sure 
@@ -68,43 +70,47 @@ existing partitions: [Partition] Type=esp -# mkosi.extra/usr/lib/repart.d/10-root.conf +# mkosi.extra/usr/lib/repart.d/10-root-verity-sig.conf [Partition] -Label=%M_%A -Type=root +Type=root-verity-sig +Label=%M_%A_verity_sig # mkosi.extra/usr/lib/repart.d/11-root-verity.conf [Partition] -Label=%M_%A_verity Type=root-verity +Label=%M_%A_verity -# mkosi.extra/usr/lib/repart.d/12-root-verity-sig.conf +# mkosi.extra/usr/lib/repart.d/12-root.conf [Partition] -Label=%M_%A_verity_sig -Type=root-verity-sig +Type=root +Label=%M_%A +SizeMinBytes=2G +SizeMaxBytes=2G -# mkosi.extra/usr/lib/repart.d/20-root.conf +# mkosi.extra/usr/lib/repart.d/20-root-verity-sig.conf [Partition] +Type=root-verity-sig Label=_empty -SizeMaxBytes=2048M -SizeMinBytes=2048M -Type=root # mkosi.extra/usr/lib/repart.d/21-root-verity.conf [Partition] +Type=root-verity Label=_empty -SizeMaxBytes=300M SizeMinBytes=300M -Type=root-verity +SizeMaxBytes=300M -# mkosi.extra/usr/lib/repart.d/22-root-verity-sig.conf +# mkosi.extra/usr/lib/repart.d/22-root.conf [Partition] +Type=root Label=_empty -Type=root-verity-sig +SizeMinBytes=2G +SizeMaxBytes=2G # mkosi.extra/usr/lib/repart.d/30-swap.conf [Partition] Type=swap +Format=swap +Encrypt=tpm2 SizeMinBytes=4G SizeMaxBytes=4G @@ -130,20 +136,19 @@ example definitions here. These are all missing a `[Source]` section whose contents will depend on how updates are deployed: ```conf -# /usr/lib/sysupdate.d/10-root.conf - +# /usr/lib/sysupdate.d/10-root-verity-sig.conf [Transfer] ProtectVersion=%A [Target] Type=partition Path=auto -MatchPattern=ParticleOS_@v -MatchPartitionType=root +MatchPattern=%M_@v_verity_sig +MatchPartitionType=root-verity-sig PartitionFlags=0 ReadOnly=1 -# /usr/lib/sysupdate.d/10-root-verity.conf +# /usr/lib/sysupdate.d/11-root-verity.conf [Transfer] ProtectVersion=%A 
@@ -155,15 +160,15 @@ MatchPartitionType=root-verity PartitionFlags=0 ReadOnly=1 -# /usr/lib/sysupdate.d/12-root-verity-sig.conf +# /usr/lib/sysupdate.d/12-root.conf [Transfer] ProtectVersion=%A [Target] Type=partition Path=auto -MatchPattern=%M_@v_verity_sig -MatchPartitionType=root-verity-sig +MatchPattern=ParticleOS_@v +MatchPartitionType=root PartitionFlags=0 ReadOnly=1
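Review bot: in the first hunk (the `mkosi.repart` snippet), the reason `Minimize=yes` is dropped from `11-root-verity.conf` in favour of a fixed `SizeMinBytes=300M`/`SizeMaxBytes=300M`, and why `12-root.conf` is now the last partition, is stated only in the commit message; a reader of the docs sees a hard-coded 300M with no explanation. Suggest a short comment in the snippet, e.g. `# Fixed size: the hash data of later updates must fit here, since a non-last partition cannot be grown on first boot`, plus one sentence in the surrounding text saying the root partition is placed last so systemd-repart can grow it on first boot to the same size as the B slot.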
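Review bot: in the `/usr/lib/repart.d` hunk, `Format=swap` and `Encrypt=tpm2` are added to `30-swap.conf` but neither the commit message nor the surrounding docs text mentions them, and they are unrelated to the partition reorder the commit describes. `Encrypt=tpm2` also makes first-boot creation of the swap partition depend on a TPM2 device being available to systemd-repart in the initrd, which is worth stating next to the snippet. Consider moving these two lines to their own commit, or at least calling them out in the message.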
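Review bot: in the last hunk, `12-root.conf` keeps `MatchPattern=ParticleOS_@v` while the neighbouring `10-root-verity-sig.conf` uses `MatchPattern=%M_@v_verity_sig`, the image's root partition is labelled `%M_%A_root` in the first hunk, and `/usr/lib/repart.d/12-root.conf` in the second hunk uses a third form, `Label=%M_%A`. A label of the form `<image>_<version>_root` would not be matched by `ParticleOS_@v`, and the hard-coded image name defeats the `%M` specifier used everywhere else. Suggest `MatchPattern=%M_@v_root` here and `Label=%M_%A_root` in repart.d so the three places agree, given that consistency is the stated goal of the commit.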