Once fs-verity is available via composefs which requires changes to kernel-space (TOR-3378), we need to do the user-space implementations to integrate it. The final goal is to make the necessary changes so that fs-verity is enabled upon rootfs mounting.
The work would include:
Generating key pairs or allowing users to set them during build.
Signing the required artifacts upon build.
Loading the keys at boot-time into the kernel keyring.
Passing appropriate parameters to the kernel and/or initial ramdisk to ensure verity is enforced on the composefs image.
Once
fs-verity
is available viacomposefs
which requires changes to kernel-space (TOR-3378), we need to do the user-space implementations to integrate it. The final goal is to make the necessary changes so thatfs-verity
is enabled upon rootfs mounting.The work would include: