Open ericcurtin opened 1 year ago
So we have some initial support here to write the hash to initramfs:
https://github.com/containers/initoverlayfs/pull/74
The next step is to ensure systemd only mounts an erofs that matches this hash.
We also likely must enable dm-verity in the Automotive kernel in CentOS Stream.
We need to verify initoverlayfs on boot, to check its contents are correct. We must ensure whatever we use can work on an erofs file within a vfat, ext4, erofs boot partition.
dm-verity probably makes more sense to use the verity within the initoverlayfs, because if initoverlayfs is a file, the directory it's on may not have verity (for example if it's an initoverlayfs file on ESP vfat).
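An added sketch, not code from this issue or from initoverlayfs, of why verity data carried with the image file works on any containing filesystem: each block is checked against a hash tree stored beside the data, and only the root hash (here assumed to be the value written to the initramfs) has to be trusted. It is a simplified Merkle tree, not the dm-verity on-disk format; all function names and the sample image are constructed.

```python
import hashlib

BLOCK = 4096             # data/hash block size (constructed choice for this sketch)
PER_NODE = BLOCK // 32   # SHA-256 digests that fit in one hash block

def _h(data, salt):
    return hashlib.sha256(salt + data.ljust(BLOCK, b"\0")).digest()

def build_tree(image, salt=b""):
    """Return hash levels: levels[0] holds per-block digests, levels[-1] is [root]."""
    level = [_h(image[i:i + BLOCK], salt) for i in range(0, max(len(image), 1), BLOCK)]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + PER_NODE]), salt)
                 for i in range(0, len(level), PER_NODE)]
        levels.append(level)
    return levels

def root_hash(image, salt=b""):
    return build_tree(image, salt)[-1][0].hex()

def verify_block(image, index, levels, trusted_root, salt=b""):
    """Check one block on read. `levels` is untrusted (stored beside the data);
    only `trusted_root` (e.g. the value kept in the initramfs) is trusted."""
    digest = _h(image[index * BLOCK:(index + 1) * BLOCK], salt)
    for level in levels:
        if level[index] != digest:
            return False
        if len(level) == 1:
            break
        index //= PER_NODE
        digest = _h(b"".join(level[index * PER_NODE:(index + 1) * PER_NODE]), salt)
    return digest.hex() == trusted_root

def demo():
    # Constructed 300-block image standing in for the erofs file.
    image = b"".join(i.to_bytes(4, "big") * (BLOCK // 4) for i in range(300))
    levels, root = build_tree(image), root_hash(image)
    tampered = bytearray(image); tampered[200 * BLOCK + 7] ^= 1
    tampered = bytes(tampered)
    return {
        "clean_ok": all(verify_block(image, i, levels, root) for i in range(300)),
        "tampered_block": verify_block(tampered, 200, levels, root),
        "untouched_block": verify_block(tampered, 0, levels, root),
        "rebuilt_tree": verify_block(tampered, 200, build_tree(tampered), root),
    }

if __name__ == "__main__":
    print(demo())
```

The `rebuilt_tree` case is the one that matters for a file on ESP vfat: someone who can rewrite both the image and its hash tree still fails verification, because the root no longer matches the trusted value.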