Maitiro ekushandisa dm-verity paLinux: Yakazara uye Inoshanda Gwaro

  • dm-verity inosimbisa zvivharo panhunzi nemudzi wakasainwa wehashi muti, inomisa bhutsu cheni yekuvimba.
  • Kutumirwa kwayo kwemazuva ano kunobatanidza veritysetup, systemd-veritysetup, Chengetedza Boot, uye UKI kuchengetedza kernel, initramfs, uye cmdline.
  • Android inoshandisa system-se-root uye AVB kupfuudza dm-verity paramita; FEC uye maitiro ekugadzirisa anowedzera kusimba.
  • Midzi isingachinjiki inoda kupatsanura data inonyorwa (/ var, / kumba) uye kuronga zvigadziriso uchishandisa mifananidzo kana A/B zvirongwa.
Isaac

15 maminitsi

dm-verity paLinux

Kana iwe uine hanya nezve kutendeseka kwehurongwa hwako, dm-verity ndechimwe chezvimedu zvakakosha zveLinux ecosystem kubhutsu zvakachengeteka uye kuona kukanganiswa kwekuchengetedza. Yakatangira sechikamu cheiyo kernel's mudziyo mepu uye ikozvino ndiyo hwaro hweyakasimbiswa booting mu Android, OpenWrt, uye kugovera kuri kutsvaga kuchengetedzwa kwakawedzerwa.

Kure nekuve abstract concept, dm-verity inogadziriswa uye inoshandiswa nemidziyo chaiyo senge veritysetup uye systemd-veritysetup.Inosimbisa zvidhinha panhunzi ichishandisa miti yehashi uye inogona kuita huwori nematongerwo kubva pakutema chiitiko kusvika pakutangazve kana kukanganisa sisitimu. Ngatitarisei zvakanyanya, pasina kusiya chero magumo asina kusimba.

Chii chinonzi dm-verity uye nei iwe ungave nehanya

Kutendeseka verification ne dm-verity

dm-verity ndeye mudziyo-mapper chinangwa mu kernel iyo inosimbisa kutendeseka kwechivharo mudziyo sezvo data richiverengwaInoshanda nekuverenga nekusimbisa maheshi evhavha yega yega (kazhinji 4K) pakatarisana ne pre-computed hashi muti, kazhinji uchishandisa SHA-256.

Iyi dhizaini inobvumira Mafaira haagone kugadziridzwa chinyararire pakati reboots kana panguva yekuurayaIcho kiyi yekuwedzera iyo boot cheni yekuvimba kune inoshanda sisitimu, kudzikisira malware kushingirira, kusimbisa chengetedzo marongero, uye nekuona encryption uye MAC maitiro panguva yebhutsu.

Pa Android (kubvira 4.4) uye Linux zvachose, Kuvimbika kwakadzikwa mumudzi wehashi yemuti, iyo yakasainwa uye yakasimbiswa nekiyi yeruzhinji inowanikwa munzvimbo yakachengetedzwa (semuenzaniso, pachikamu chebhutsu kana mune Yakachengeteka Boot-yakasainwa UKI). Kutyora chero block kunoda kutyora iri pasi pe cryptographic hash.

Verification inoitwa ne block uye painoda: Iyo yakawedzerwa latency ishoma kana ichienzaniswa neiyo I / O mutengoKana cheki ikakundikana, kernel inodzorera I / O kukanganisa uye iyo faira system inoratidzika yakaora, iyo inotarisirwa kana data isingavimbike. Mapurogiramu anogona kusarudza kuti oenderera mberi here kana kuti orega zvichibva pakushivirira kwavo kukanganisa.

Mashandisiro anoita muti wekusimbisa mukati

Muti wekusimbisa unovakwa muzvikamu. Layer 0 ndiyo data yakasvibirira kubva pachigadzirwa, yakakamurwa kuita 4K zvidhinha; iyo SHA-256 (yakaiswa munyu) hashi inoverengerwa kune yega yega block. Maheshi aya anobva abatanidzwa kuti aite layer 1. Layer 1 inozounganidzwa kuita mabhuroko uye inodzokororwa kuita layer 2, zvichingodaro kusvika zvese zvakwana mubhuroko rimwechete: bhuroko iroro, kana rakamhanyiswa, rinoburitsa hashi yemidzi.

Kana chero layer ikasanyatso zadzisa block, Yakaputirwa ne zero kusvika yasvika 4K kudzivisa kusanzwisisika. Huwandu hwese hwemuti hunoenderana nehukuru hwekuparadzanisa kuri kuongororwa; mukuita, kazhinji isingasviki 30 MB kune akajairwa system partitions.

Iyo general process ndeye: sarudza munyu usina kurongeka, hashi ku4K, verenga SHA-256 ne-per-block munyu, inopindirana kuita mazinga, inobvisa muganho webhuroko ne zero, uye inodzokorora nedanho rekare kusvika hashi imwe chete yasara. Iwo mudzi hashi, pamwe nemunyu unoshandiswa, unodyisa tafura yedm-verity uye siginicha.

Disk format shanduro uye algorithm

Iyo fomati yehash blocks pa diski ine shanduro. Vhezheni 0 ndiyo yaive yekutanga vhezheni yakashandiswa muChromium OS: Munyu unowedzerwa pakupera kwehashing process, digests inochengetwa nguva dzose, uye iyo yese ye block inoputirwa ne zero.

La Shanduro 1 inokurudzirwa kumidziyo mitsva: Munyu unogadzirirwa kune hashi, uye digest yega yega inoputirwa ne zero kusvika kune masimba maviri, inovandudza kurongeka uye kusimba. Iyo dm-verity tafura inotsanangurawo algorithm (somuenzaniso, sha1 kana sha256), kunyange nokuda kwekuchengeteka kwemazuva ano, sha256 inoshandiswa.

dm-verity tafura uye yakakosha paramita

Tafura yakanangwa dm-verity inotsanangura pane iyo data, pane hashi muti, uye maitiro ekuonaNzvimbo dzematafura:

  • hombororo: mudziyo une data rinofanira kusimbiswa (nzira yerudzi /dev/sdXN kana yakakura: shoma).
  • hash_dev: mudziyo une muti wehashi (unogona kufanana; kana zvakadaro, hash_start inofanira kunge iri kunze kwenzvimbo yakatariswa).
  • data_block_size: saizi yeblock data mumabhayithi (semuenzaniso 4096).
  • hash_block_size: hash block saizi mumabhaiti.
  • num_data_blocks: nhamba yezvivharo zve data zvinogoneka.
  • hash_start_block: offset (mune hash_block_size blocks) kune mudzi wemuti.
  • Algorithm: hash algorithm (semuenzaniso sha256).
  • gaya: hexadecimal encoding yemudzi block hashi (kusanganisira munyu zvinoenderana nefomati vhezheni); kukosha uku ndiko kuvimba.
  • munyu: hexadecimal munyu.

Mukuwedzera, kune Optional parameters inobatsira zvikuru kugadzirisa maitiro:

  • ignore_corruption: Inorekodha mabhuroko ane huori, asi inobvumira kuverenga kuenderere mberi.
  • restart_on_corruption: tangazve pakuonekwa kwehuori (haienderane ne ignore_corruption uye inoda mushandisi-nzvimbo rutsigiro kudzivirira zvishwe).
  • panic_on_corruption: : inokonzeresa kuvhunduka kana uchiona huwori (hauenderane neshanduro dzakapfuura).
  • restart_on_error y panic_on_error: maitiro akafanana asi kune I/O zvikanganiso.
  • ignore_zero_blocks: haitarise mabhuroko anotarisirwa semazero uye anodzosera mazero.
  • use_fec_from_device + fec_roots + fec_blocks + fec_start: Gonesa Reed-Solomon (FEC) kudzoreredza data kana ongororo yatadza; iyo data, hashi, uye nzvimbo dzeFEC hadzifanirwe kupindirana, uye saizi yebhuroka inofanira kufanana.
  • check_at_most_kamwechete: Inotarisa imwe neimwe block yedata chete kekutanga painoverengwa (inoderedza kumusoro pamutengo wekuchengetedza mukurwiswa kwehupenyu).
  • root_hash_sig_key_desc: Reference kune kiyi mukiyi yekusimbisa PKCS7 siginecha yemudzi hashi paunenge uchigadzira mepu (inoda kwakakodzera kernel kumisikidzwa uye akavimbika makiyi).
  • try_verify_in_tasklet: Kana hashes yakachengetwa uye I / O saizi inobvumira, inotarisa pasi-hafu kuderedza latency; yakagadziridzwa ne /sys/module/dm_verity/parameters/use_bh_bytes paI/O kirasi.

Siginecha, metadata uye kuvimba anchoring

Kuti dm-verity ive yakavimbika, Mudzi hashi unofanirwa kuvimbwa uye kazhinji kusainwaMuchinyakare Android, kiyi yeruzhinji inosanganisirwa muchikamu chebhoti, icho chinosimbiswa nekunze nemugadziri; inosimbisa iyo root hashi siginecha uye inova nechokwadi chekuti system partition haina kuchinjwa.

Verity metadata inowedzera chimiro uye shanduro kutonga. Iyo metadata block inosanganisira nhamba yemashiripiti 0xb001b001 (mabhayiti b0 01 b0 01), shanduro (ikozvino 0), siginicha yetafura muPKCS1.5 (kazhinji 256 bytes yeRSA-2048), kureba kwetafura, tafura pachayo uye zero padding kusvika ku32K.

Mumashandisirwo eAroid, kuoneswa kunotsamira pa fs_mgr uye fstab: Kuwedzera cheki mucherechedzo kune inopindirana yekupinda uye nekuisa kiyi mukati /boot/verity_key. Kana iyo nhamba yemashiripiti isiri payaifanirwa kunge iri, kuongororwa kunomira kudzivirira kutarisa zvisirizvo.

Kutanga kushanda kwakasimbiswa

Kudzivirirwa kunogara mu kernel: Kana ikakanganiswa pamberi pe kernel bhutsu, anorwisa anochengeta kutongaNdosaka vagadziri vachiwanzo simbisa nhanho yega yega: kiyi yakapiswa mumudziyo inosimbisa yekutanga bootloader, iyo inosimbisa inotevera, iyo app bootloader, uye pakupedzisira, iyo kernel.

Ne kernel yakasimbiswa, dm-verity inogoneswa kana uchiisa yakasimbiswa block mudziyoPanzvimbo pekumhanyisa mudziyo wese (uyo unononoka uye kutambisa simba), inosimbiswa bhuroka nebhuroka sezvairi kuwanikwa. Kukundikana kunokonzeresa kukanganisa kweI / O, uye masevhisi uye maapplication anoita zvinoenderana nekushivirira kwavo: kungave kuenderera pasina iyo data kana kuparara zvachose.

Forward Error Correction (FEC)

Kubva Android 7.0, FEC (Reed-Solomon) inosanganisirwa nematekinoroji ekubatanidza kuderedza nzvimbo uye kuwedzera kugona kudzoreredza mabhuraki akakuvadzwa. Izvi zvinoshanda pamwe chete ne dm-verity: kana cheki ikatadza, subsystem inogona kuedza kuigadzirisa isati yazivisa kuti haigoneke.

Kuita uye optimization

Kuderedza kukanganisa: Gonesa SHA-2 kukwidziridzwa neNEON paARMv7 uye SHA-2 mawedzero paARMv8. kubva ku kernel. Rongedza kuverenga-mberi uye prefetch_cluster paramita yehardware yako; per-block verification inowanzowedzera zvishoma kumutengo weI/O, asi zvigadziriso izvi zvinoita mutsauko.

Kutanga paLinux (systemd, veritysetup) uye Android

Kugadzirisa dm-verity paLinux uye Android

Pane Linux yemazuva ano ine systemd, dm-verity inobvumira yakasimbiswa yekuverenga-chete mudzi uchishandisa veritysetup (chikamu checryptsetup), systemd-veritysetup.generator, uye systemd-veritysetup@.service. Zvinokurudzirwa kuti ubatanidze Yakachengeteka Boot uye yakasainwa UKI (yakabatana kernel mufananidzo), kunyangwe ivo vasinganyatso kudiwa.

Kugadzirira uye yakakurudzirwa partitioning

Chikamu chegadziriro inoshanda uye yakagadziridzwa. Chengetedza vhoriyamu yemuti wehashi (8-10% yehukuru hwemidzi inowanzokwana) uye funga kuparadzanisa / imba uye / var kana iwe uchida kunyora. Iyo yakajairika hurongwa inosanganisira: ESP (yeiyo bootloader), XBOOTLDR (yeUKIs), mudzi (ine kana isina encryption), VERITY chikamu, uye sarudzo / imba uye / var.

Semudzi, EROFS inzira inonakidza kune ext4 kana squashfs: Inoverengwa-chete nedhizaini, ine kuita kwakanaka kwazvo paflash/SSD, lz4 kudzvanya nekukasira, uye inoshandiswa zvakanyanya pamafoni eAndroid ane dm-verity.

Mafaira anofanira kunyorwa

Nemidzi ro, mamwe mapurogiramu anotarisira kunyora kune /etc kana panguva yekutangaUnogona kuifambisa ku / var/etc uye symlink chero chinhu chinoda kuchinja (semuenzaniso, NetworkManager yekubatanidza mu/etc/NetworkManager/system-connections). Ziva kuti systemd-journald inoda /etc/muchina-id kuti ivepo mumudziyo dhairekitori (kwete symlink) kudzivirira kutyora kwekutanga kutanga.

Kuti uone kuti chii chinochinja mukuitwa, shandisa dracut-overlayroot: inofukidza tmpfs pamusoro pemudzi, uye zvese zvakanyorwa zvinoonekwa mukati /run/overlayroot/u. Wedzera iyo module ku /usr/lib/dracut/modules.d/, sanganisira overlayroot mu dracut, uye isa overlayroot = 1 pamutsetse wekernel; nenzira iyi iwe uchaona zvekutamira ku / var.

Mienzaniso inobatsira: pacman uye NetworkManager

MuArch, zviri nyore Fambisa iyo Pacman dhatabhesi ku /usr/lib/pacman kuitira kuti rootfs nguva dzose magirazi akaiswa mapakeji. Wobva watungamira cache ku /var/lib/pacman uye link. Kuti uchinje girazi pasina kubata mudzi, fambisa ku /var/etc uye uibatanidza zvakadaro.

Ne NetworkManager, fambisa system-makonesheni kuenda ku/var/etc/NetworkManager uye chinongedzo kubva ku/etc/NetworkManager/system-connections. Izvi zvinoita kuti mudzi usachinjike uye gadziriso inogara painofanirwa kunyorwa.

Kuvakwa kwechokwadi uye kuongororwa

Kubva kuhupenyu uye nezvose zvakakwana uye zvakaiswa mu ro, gadzira muti uye roothash nazvo veritysetup format: Kana ichimhanya, inodhinda mutsara weRoot Hash, waunogona kuchengetedza ku roothash.txt. Imhanye kuti uedze neveritysetup yakavhurika mudzi-mudzi mudziyo verity-mudziyo $(katsi roothash.txt) woisa /dev/mapper/root.

Kana uchida, kutanga kuburitsa muti kune faira (verity.bin) wobva wanyora kuVERITY partition. Iyo inokonzeresa seti ndeiyi: mudzi mufananidzo, verity muti, uye mudzi hashi iwe unopinza paboot.

Gadzirisa mutsara wekernel

Wedzera izvi parameters: systemd.verity=1, roothash=contents_of_roothash.txt, systemd.verity_root_data=ROOT-PATH (e.g. LABEL=OS), uye systemd.verity_root_hash=VERITY-PATH (e.g. LABEL=VERITY). Set systemd.verity_root_options kuti utangezve-pa-huori kana kuvhunduka-pa-huwori kune dzakasimba mitemo.

Dzimwe sarudzo dzinokurudzirwa: ro (kana usingashandisi EROFS/squashfs), rd.emergency=reboot y rd.shell=0 (dzivirira mabhomba asina kubvumidzwa kana bhutsu ikatadza), uye lockdown=kuvanzika kuchengetedza kernel memory kubva pakuwana.

Zvimwe zvikamu zvine chokwadi

Kwete mudzi chete: Iwe unogona kutsanangura mamwe mappings mukati /etc/veritytab uye systemd-veritysetup@.service ichavaunganidza pa boot. Rangarira: zviri nyore kuRW kumisa isina-midzi partition, uye mudzi mushandisi anogona kudzima Verity pane izvo zvikamu, saka kukosha kwekuchengetedza ikoko kwakadzikira.

Chengetedzo: Chengetedza Boot, UKI uye akasaina modules

dm-verity haisi bara resirivha. Saina iyo UKI uye gonesa Chengetedza Boot nemakiyi ako kudzivirira chero munhu kubva pakupfuura kernel/initramfs/cmdline (inosanganisira mudzi hashi). Zvishandiso zvakaita se sbupdate-git kana sbctl zvinobatsira kuchengetedza mifananidzo yakasainwa uye cheni yebhutsu yakasimba.

Kana iwe ukagonesa kernel kukiya kana module siginecha verification, DKMS kana mamodule ekunze kwemuti anofanira kusainwa kana kuti havazoregi. Funga nezve tsika kernel ine kusaina tsigiro yepombi yako (ona akasainwa kernel modules).

Encryption, TPM uye metering

dm-verity inodzivirira kuvimbika, kusava zvakavanzikaUnogona kusiya midzi isina kunyorwa kana isina zvakavanzika uye bhoti cheni yakachengetedzwa. Kana iwe ukashandisa makiyi mafaera kubva mudzi kuvhura mamwe mavhoriyamu, saka ipfungwa yakanaka kuinyorera.

Ne TPM 2.0, systemd-cryptenroll inobvumira kusunga makiyi kuPCRs 0,1,5,7 (firmware, sarudzo, GPT, chengetedza bhutsu mamiriro). Wedzera rd.luks.options=LUKS_UUID=tpm2-device=auto uye ita shuwa kuti wasanganisira TPM2 rutsigiro muinitramfs. systemd-boot inoyera kernel.efi muPCR4, inobatsira kumisa makiyi kana UKI kana cmdline yayo ikachinja.

Updates uye deployment models

Mudzi wekuverenga chete wakasimbiswa Iyo haina kuvandudzwa neyepakeji maneja nenzira yechinyakare. Iyo yakanaka ndeyekuvaka mifananidzo mitsva ine zvishandiso senge chirongwa cheYocto uye muzvishambadzire. systemd ine systemd-sysupdate uye systemd-repart yekurodha mufananidzo wakasimba uye kupenya.

Imwe nzira ndeye A/B chirongwa: Unochengeta midzi miviri uye mbiri mbiri. Kopa mudzi unoshanda kumudzi usingashande, shandisa shanduko, uye dzokorora chokwadi. Dzokera pabhutsu inotevera. Kana uri kushandisa UKI, yeuka kugadzirisa mudzi hashi mumutsara wecmd kana kuvakazve iyo yakasainwa UKI.

Nokuda kwekutsungirira, shandisa OverlayFS pamudzi wakasimbiswa nepamusoro mune tmpfs kana dhisiki. Unogonawo kupfuura systemd.volatile=overlay yekushingirira kwenguva. Flatpak inoita kuti zvive nyore kuisa mapurogiramu mukati / var uye / kumba pasina kubata /.

Kune otomatiki mapakeji (e.g. verity-squash-midzi muAUR) inovaka squashfs mudzi uye saina iyo roothash ne kernel uye initramfs, zvichikubvumidza kuti usarudze pakati pekuramba kana ephemeral modhi uye kuchengetedza ichangoburwa rootfs se backup. Ongorora: kuwedzera kushingirira kune yakasimbiswa mudzi ine nhete dzekushandisa kesi; edza kuramba data yeapp pane zvikamu zvakasiyana.

Android: system-se-midzi, AVB uye mutengesi akafukidzira

Kubva Android 10, RootFS inomira kushanda pa RAM disk uye inobatanidza ne system.img. (system-as-root). Midziyo inotanga ne Android 10 inogara ichishandisa chirongwa ichi uye inoda ramdisk ye dm-mutsara. BOARD_BUILD_SYSTEM_ROOT_IMAGE yakaiswa kuita nhema mukuvaka uku kusiyanisa pakati pekushandisa ramdisk uye zvakananga activating system.img.

Android 10 inobatanidza dynamic partitions uye yekutanga-nhanho init iyo inomutsa iyo inonzwisisika system partition; kernel haichaikwidzi zvakananga. System-chete OTA inoda sisitimu-se-midzi dhizaini, inosungirwa pamidziyo yeAndroid 10.

Mune nhamba A/B, chengetedza kupora kwakasiyana kubva kubhutsuKusiyana neA/B, hapana boot_a/boot_b backup, saka kubvisa kudzoreredza mune isiri-A/B kunogona kukusiya usina kudzoreredza modhi kana bhutsu yekuvandudza ikatadza.

Iyo kernel inokwidza system.img ku / kutendeuka nenzira mbiri: Vboot 1.0 (zvigamba zve kernel kuti iparadze Android metadata mu/system uye inotora dm-verity paramita; iyo cmdline inosanganisira mudzi =/dev/dm-0, skip_initramfs uye init=/init ine dm=…) vboot 2.0/AVB, apo iyo bootloader inobatanidza libavb, inoverenga hashtree descriptor (mu vbmeta kana system), inovaka zvigadziridzo uye inopfuudza kune kernel mu cmdline, nerutsigiro rweFEC uye mireza serestart_on_corruption.

Ne system-as-root, usashandise BOARD_ROOT_EXTRA_FOLDERS kune mudziyo-chaiwo midzi mafolda: izvi zvichanyangarika kana uchipenya GSI. Rondedzera ma mounts chaiwo pasi pe/mnt/vendor/ , iyo fs_mgr inogadzira otomatiki, uye ivarevera mune fstab yemuti mudziyo.

Android inobvumira a mutengesi akafukidza kubva / chigadzirwa / mutengesi_overlay/: init ichakwira mukati / mutengesi iyo subdirectories inosangana neSELinux mamiriro ezvinhu uye kuvapo kwe / mutengesi/ . Inoda CONFIG_OVERLAY_FS=yy, pamakerners ekare, iyo override_creds=off patch.

Yakajairika kuita: inoisa mafaera akafanorongwa mumudziyo/ / /mutengesi_overlay/, vawedzere kuPRODUCT_COPY_FILES ine find-copy-subdir-files ku$(TARGET_COPY_OUT_PRODUCT)/vendor_overlay, tsanangura mamiriro ezvinhu mufaira_contexts nezvimwe uye app (semuenzaniso vendor_configs_file uye vendor_app_file) uye bvumira mounton pane izvo zviri mukati. Edzai ne test vfs_mgr_vendor_overlay_test muuserdebug.

Troubleshooting: dm-verity huwori meseji pa Android

Pamidziyo ine A/B slots, shandura slots kana Kupenya vbmeta/boot pasina roothash kuwirirana Izvi zvinogona kukonzeresa yambiro: dm-verity huwori, mudziyo wako hauna kuvimbika. Mirairo senge fastboot flash -disable-verity -disable-verification vbmeta vbmeta.img bvisa verification, asi siyai sisitimu pasina chero vimbiso yekuvimbika.

Mamwe ma bootloaders anotsigira fastboot OEM disable_dm_verity uye zvakapesana nazvo, enable_dm_verity. Inoshanda pane mamwe mamodheru, asi kwete pane mamwe; uye zvingada kernel/magisk ine mireza yakagadziridzwa. Shandisa panjodzi yako wega: nzira yehungwaru yekuita ndeye align boot, vbmeta, uye system, saina kana gadzira patsva muti uye simbisa kuti inotarisirwa mudzi hashi inofanana neyakagadzirirwa.

Kana mushure meyambiro iwe unogona kuramba uchidzvanya simba, iyo system inotanga, asi hausisina cheni yakasimba yekuvimbaKuti ubvise meseji pasina kupira chengetedzo, dzosera iyo yekutanga yakasaina mifananidzo kana kuvakazve / simbisa vbmeta neiyo hashtree chaiyo, pane kudzima chokwadi.

i.MX uye OpenWrt mapuratifomu

Pa i.MX6 (e.g. sabresd), gadzirisa kernel neDM_VERITY uye FEC rutsigiro, gadzira muti neveritysetup, chengetedza mudzi hashi zvakachengeteka, uye pfuudza ma paramita akakodzera mumutsara wecmd kana kubatanidza kuburikidza neinitramfs ine systemd-veritysetup. Kana iwe usingashandisi dm-crypt, haudi CAAM yechokwadi; chinangwa chiri pakuvimbika.

MuOpenWrt uye mukati yakadzamirirwa Linux masisitimu ane OpenEmbedded, Pane kuedza kubatanidza dm-verity uye SELinux (Bootlin mabasa akagadziridzwa nechinangwa chekubatanidza rutsigiro). Iyo yakasikwa yakakodzera: marouters uye network zvishandiso zvinobatsira kubva kune isingachinjiki, yakasimbiswa, uye MAC-yakaomeswa mudzi.

Manual muti uye metadata kuvaka (yakadzama maonero)

cryptsetup inogona kukuitira muti wacho, asi kana uchida kunzwisisa fomati, iyo compact tafura mutsara tsananguro inosanganisira: zita remepu, mudziyo wedata, data block uye saizi hashi, saizi yemufananidzo mumabhuraki, hash_start chinzvimbo (block image + 8 kana yakabatana), hashi yemidzi, uye munyu. Mushure mekugadzira iyo concatenated layers (kubva kumusoro kusvika pasi, kusasanganisa layer 0), unonyora muti kune disk.

Kurongedza zvese, nyora iyo dm-verity tafura, isaine (yakajairika RSA-2048) uye siginecha yeboka + tafura mune metadata ine musoro wakashandurwa uye nhamba yemashiripiti. Zvadaro, inobatanidza iyo system image, verity metadata, uye hashi muti. Mune fstab, inotaridza fs_mgr sekusimbisa uye inoisa kiyi yeruzhinji mukati /boot/verity_key kusimbisa siginecha.

Optimize ne SHA-2 inomhanyisa CPU yako uye gadzirisa kuverenga-mberi/prefetch_cluster. PaArM Hardware, NEON SHA-2 (ARMv7) uye SHA-2 edzedzero (ARMv8) inoderedza zvakanyanya iyo yekusimbisa pamusoro.

Mune chero kutumirwa, rangarira izvozvo iyo mudzi hashi kukosha inofanira kuchengetedzwa: ingave yakabatanidzwa muUK yakasainwa, mune yakasainwa boot partition, kana yakasimbiswa nebootloader uchishandisa AVB. Zvose mushure menguva iyoyo zvinogara nhaka kuvimba ikoko.

Nezvose zviri pamusoro panzvimbo, dm-verity inova hwaro hwakasimba hwekusachinjika, nharembozha uye yakamisikidzwa masisitimu, inotsigira transactional updates, magadzirirwo akafukidzwa, uye yemazuva ano yekuchengetedza modhi iyo inoderedza nzvimbo yekurwisa uye inodzivirira kutsungirira pasina kupira kuita.

Chii chinonzi Yocto project?
Nyaya inoenderana:
Chii chinonzi Yocto Project: Yakazara Embedded Guide