Closed rborn-tx closed 1 month ago
jsrc27
commented
1 month ago Okay not going to lie it's a big diff so I skimmed through the changes. But just to check this is basically equivalent to the work you have done in Kirkstone yes? Plus some adaptations for the newer kernel/versions of other things correct?
jsrc27
commented
1 month ago Different topic, I don't think we're building these security options/features with our CI on master are we? Not sure if this was already discussed or not. But it would be helpful to make sure your changes here continue to at least build successfully as master/scarthgap will be more worked on in the near future.
rborn-tx
commented
1 month ago @jsrc27
Okay not going to lie it's a big diff so I skimmed through the changes. But just to check this is basically equivalent to the work you have done in Kirkstone yes? Plus some adaptations for the newer kernel/versions of other things correct?
That's right.
Different topic, I don't think we're building these security options/features with our CI on master are we? Not sure if this was already discussed or not. But it would be helpful to make sure your changes here continue to at least build successfully as master/scarthgap will be more worked on in the near future.
Absolutely. Since master can break easily due to upstream changes, I don't think building secboot images there is strictly needed. But once we branch out to scarthgap I think we should build and test secboot images on that branch.
By the way, currently on kirkstone we build and test "signed" images which use the tdx-signed class but now we have the torizon-signed class that covers the rootfs besides what's covered by tdx-signed. So, on scarthgap we could also switch to the new class.
Besides porting the various commits from kirkstone, resume the work on the rootfs protection by enabling the required kernel features to support composefs (i.e. erofs, fs-verity, etc.).