toradex / meta-toradex-security

MIT License
4 stars 9 forks source link

Is it possible to use overlayfs with tdxref-signed? #47

Open thepinkmile opened 2 months ago

thepinkmile commented 2 months ago

Currently building minimal reference image adding this layer for secure boot and encrypted partition.

I am wondering if there might be a possibility to implement an overlayfs such that I can use my encrypted partition as the writable layer of the fs? Mainly due to the fact the rootfs will be read-only.

This would also enable me to have a temp solution to provide remote-offline-updates (albeit a hacky one). At least until we can re-evaluate the decision to not use torizon os.

sergioprado commented 2 months ago

I have never tried combining dm-verity and overlayfs, but it seems to be possible: see https://docs.kernel.org/filesystems/overlayfs.html#fs-verity-support

Just be aware that this might have some security impacts, as this enables writes to the rootfs at runtime.

thepinkmile commented 2 months ago

Will have a look at that link tomorrow when I get to the rootfs testing again.

I believe the idea is to actually use a tempfs as the writable layer. But to temporarily allow partial updates, we would “commit” these changes via an external mechanism.

However, this is only until we can move over to a better solution (ideally using TorizonOS).