microsoft / hcsshim

Windows - Host Compute Service Shim
MIT License

verity-boot: append hash device to rootfs #2142

Closed anmaxvl closed 5 months ago

anmaxvl commented 5 months ago

Turned out that dev nodes for SCSI devices may not be deterministic, where the hash device and rootfs may end up appearing under /dev/sda and /dev/sdb respectively.

Instead of mounting a separate hash device, append the verity Merkle tree to the rootfs ext4 filesystem, similarly to how it's done for layer VHDs, and mount a single VHD. Remove redundant hash device code.

The default GuestStateFile filename was changed to kernel.vmgs.

Update the IVGM kernel init to reflect the changes.

The kernel command looks something like this:

 8250_core.nr_uarts=0 panic=-1 debug loglevel=7 root=/dev/dm-0 \
     dm-mod.create="dmverity,,,ro,0 173768 verity \
         1 /dev/sda /dev/sda 4096 4096 21721 21721 sha256 \
         42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62 \
         a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905" \
     init=/startup.sh

To break this down a little further:

  dm-mod.create="<name>,<uuid>,<minor>,<flags>,[table {verity_params}]"
  table="<start_sector> <num_sectors> <target_type> verity_params"
  verity_params="<version> <data_device> <hash_device> <data_block_size> \
                 <hash_block_size> <num_data_blocks> <hash_start_block> \
                 <algorithm> <root_digest> <salt> [<opt_params>]"

With the example above we get:

  name: "dmverity"
  uuid: ""
  minor: ""
  flags: "ro"
  table: 0 173768 verity <verity_params>
  verity_params:
    version: 1
    data_device: /dev/sda
    hash_device: /dev/sda
    data_block_size: 4096
    hash_block_size: 4096
    num_data_blocks: 21721
    hash_start_block: 21721
    algorithm: "sha256"
    root_digest: "42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62"
    salt: "a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905"

The support for booting non-SNP UVMs with dm-verity has also been added as part of this PR. A new annotation can be used to pass the dm-mod.create parameters to the kernel. The assumption that the rootfs VHD will also have the Merkle tree appended after the ext4 filesystem still holds. The new annotation is "io.microsoft.virtualmachine.lcow.dmverity-create-args" and must be used in conjunction with the existing "io.microsoft.virtualmachine.lcow.dmverity-mode" annotation.

Add an internal "io.microsoft.virtualmachine.console.pipe" annotation, which can be used to set the serial for the UVM for debugging purposes.

Note that dm-verity boot has a dependency on CONFIG_DM_INIT kernel config.

Signed-off-by: Maksim An maksiman@microsoft.com
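The PR description breaks the dm-mod.create= string down by hand. The following Go program (an added example, not hcsshim's own code, written in the project's language) does the same mechanically: it parses the value into its header and verity-table fields, renders it back out, and checks the invariants the single-VHD layout depends on, namely that the hash device is the data device, that the table covers exactly the ext4 data area (num_sectors == num_data_blocks * data_block_size / 512), and that the hash tree starts at or after the end of the data so the Merkle tree cannot overlap the blocks it protects. The constant `ExampleArgs` is the command-line fragment from the description with its line continuations joined; the type and function names are this example's own.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// VerityTarget is one dm-verity target as carried in the kernel's
// dm-mod.create= parameter (requires CONFIG_DM_INIT).
type VerityTarget struct {
	Name, UUID, Minor, Flags string // dm-mod.create header fields
	StartSector, NumSectors  uint64 // table extent, in 512-byte sectors
	Version                  uint64 // verity on-disk format version (1)
	DataDevice, HashDevice   string
	DataBlockSize            uint64
	HashBlockSize            uint64
	NumDataBlocks            uint64
	HashStartBlock           uint64 // in hash_block_size units, on HashDevice
	Algorithm                string
	RootDigest, Salt         string // hex encoded
}

// ParseDMCreate parses the value of dm-mod.create= for a single verity target:
// "<name>,<uuid>,<minor>,<flags>,<start_sector> <num_sectors> verity <verity_params>".
func ParseDMCreate(s string) (*VerityTarget, error) {
	head := strings.SplitN(s, ",", 5)
	if len(head) != 5 {
		return nil, fmt.Errorf("want <name>,<uuid>,<minor>,<flags>,<table>; got %q", s)
	}
	f := strings.Fields(head[4])
	if len(f) < 13 { // 3 table fields + 10 mandatory verity params
		return nil, fmt.Errorf("verity table has %d fields, want at least 13", len(f))
	}
	if f[2] != "verity" {
		return nil, fmt.Errorf("target type is %q, want verity", f[2])
	}
	t := &VerityTarget{Name: head[0], UUID: head[1], Minor: head[2], Flags: head[3],
		DataDevice: f[4], HashDevice: f[5], Algorithm: f[10], RootDigest: f[11], Salt: f[12]}
	var firstErr error
	num := func(field string) uint64 {
		v, err := strconv.ParseUint(field, 10, 64)
		if err != nil && firstErr == nil {
			firstErr = fmt.Errorf("bad numeric field %q: %w", field, err)
		}
		return v
	}
	t.StartSector, t.NumSectors, t.Version = num(f[0]), num(f[1]), num(f[3])
	t.DataBlockSize, t.HashBlockSize = num(f[6]), num(f[7])
	t.NumDataBlocks, t.HashStartBlock = num(f[8]), num(f[9])
	if firstErr != nil {
		return nil, firstErr
	}
	return t, nil
}

// ValidateAppended checks the invariants of the layout this PR relies on: the
// Merkle tree lives on the same device as the ext4 data, starts after it, and
// the table maps exactly the data area, read-only, under a sha256 tree.
func (t *VerityTarget) ValidateAppended() error {
	dataBytes := t.NumDataBlocks * t.DataBlockSize
	switch {
	case t.Version != 1:
		return fmt.Errorf("unsupported verity version %d", t.Version)
	case t.Flags != "ro":
		return fmt.Errorf("rootfs must be mapped read-only, flags are %q", t.Flags)
	case t.HashDevice != t.DataDevice:
		return fmt.Errorf("hash device %s is not the data device %s", t.HashDevice, t.DataDevice)
	case t.DataBlockSize == 0 || t.HashBlockSize == 0 || t.DataBlockSize%512 != 0 || t.HashBlockSize%512 != 0:
		return fmt.Errorf("block sizes must be non-zero multiples of 512, got %d/%d", t.DataBlockSize, t.HashBlockSize)
	case t.StartSector != 0:
		return fmt.Errorf("table must start at sector 0, got %d", t.StartSector)
	case t.NumSectors != dataBytes/512:
		return fmt.Errorf("table length %d sectors does not cover %d bytes of data", t.NumSectors, dataBytes)
	case t.HashStartBlock < dataBytes/t.HashBlockSize:
		return fmt.Errorf("hash tree at block %d overlaps the data area", t.HashStartBlock)
	case t.Algorithm != "sha256":
		return fmt.Errorf("unexpected hash algorithm %q", t.Algorithm)
	}
	if d, err := hex.DecodeString(t.RootDigest); err != nil || len(d) != 32 {
		return fmt.Errorf("root digest is not a 32-byte hex sha256 value")
	}
	if _, err := hex.DecodeString(t.Salt); err != nil {
		return fmt.Errorf("salt is not hex: %w", err)
	}
	return nil
}

// String renders the target back into dm-mod.create syntax.
func (t *VerityTarget) String() string {
	return fmt.Sprintf("%s,%s,%s,%s,%d %d verity %d %s %s %d %d %d %d %s %s %s",
		t.Name, t.UUID, t.Minor, t.Flags, t.StartSector, t.NumSectors, t.Version,
		t.DataDevice, t.HashDevice, t.DataBlockSize, t.HashBlockSize,
		t.NumDataBlocks, t.HashStartBlock, t.Algorithm, t.RootDigest, t.Salt)
}

// ExampleArgs is the dm-mod.create value from the PR description, joined onto one line.
const ExampleArgs = "dmverity,,,ro,0 173768 verity 1 /dev/sda /dev/sda 4096 4096 21721 21721 sha256 " +
	"42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62 " +
	"a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905"

func main() {
	t, err := ParseDMCreate(ExampleArgs)
	if err != nil {
		panic(err)
	}
	if err := t.ValidateAppended(); err != nil {
		panic(err)
	}
	fmt.Printf("ext4 data: %d bytes, hash tree starts at byte %d\n",
		t.NumDataBlocks*t.DataBlockSize, t.HashStartBlock*t.HashBlockSize)
	fmt.Println(t)
}
```

For the example on the page the check passes: 21721 blocks of 4096 bytes are exactly 173768 sectors, and the tree begins at block 21721, immediately after the data. A check like this is worth running on the string before it is baked into the IGVM or passed through the dmverity-create-args annotation, because the root digest on the command line is the only thing standing between the guest and a modified VHD; note that for a non-SNP UVM the command line itself is not hardware-measured, so the annotation path gives integrity against a corrupted or swapped image, not an attestable root of trust.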

anmaxvl commented 5 months ago

Clearly fabulous. Minor changes to some comments to clarify some things.

Most of it was already in place, thanks to you/your team 😄