How to Use dm-verity on Linux: A Complete and Practical Guide

  • dm-verity verifies blocks on the fly against a signed hash-tree root, anchoring the boot chain of trust.
  • Modern deployments combine veritysetup, systemd-veritysetup, Secure Boot, and UKIs to protect the kernel, initramfs, and cmdline.
  • Android uses system-as-root and AVB to pass the dm-verity parameters; FEC and corruption-response policies add robustness.
  • An immutable root requires separating writable data (/var, /home) and planned updates using images or A/B schemes.

If you care about the integrity of your system, dm-verity is one of the key pieces of the Linux ecosystem for booting securely and detecting storage corruption. It originated as part of the kernel's device mapper and is now the basis of verified boot on Android, OpenWrt, and distributions that want additional security.

Far from being an abstract concept, dm-verity is configured and used with real tools such as veritysetup and systemd-veritysetup. It verifies blocks on the fly using hash trees and can react to corruption with policies ranging from logging the event to rebooting or panicking the system. Let's take a closer look, without leaving any loose ends.

What dm-verity is and why you should care

dm-verity is a device-mapper target in the kernel that verifies the integrity of a block device as data is read. It works by computing and checking the hash of each block (typically 4K) against a precomputed hash tree, usually using SHA-256.

This design ensures files cannot be silently modified between reboots or at runtime. It is key to extending the chain of trust into the operating system, limiting malware persistence, strengthening security policies, and making sure encryption and MAC mechanisms are enforced during boot.

On Android (since 4.4) and Linux in general, trust is anchored in the root hash of the tree, which is signed and verified with a public key stored in a protected location (for example, in the boot partition or in a Secure Boot-signed UKI). Tampering with any block would require breaking the cryptographic hash.

Verification is done per block and on demand: the added latency is small compared with the cost of the I/O. If a check fails, the kernel returns an I/O error and the file system appears corrupted, which is expected when the data is untrustworthy. Applications can decide whether or not to continue based on their fault tolerance.

How the verification tree works internally

The verification tree is built in layers. Layer 0 is the raw data from the device, split into 4K blocks; a (salted) SHA-256 hash is computed for each block. Those hashes are then concatenated to form layer 1. Layer 1 is grouped into blocks and hashed again to form layer 2, and so on until everything fits in a single block: that block, when hashed, yields the root hash.

If any layer does not exactly fill a block, it is padded with zeros up to 4K to avoid ambiguity. The total size of the tree depends on the size of the partition being verified; in practice it is usually less than 30 MB for a typical system partition.

The general procedure is: choose a random salt, split the data into 4K blocks, compute the salted SHA-256 of each block, concatenate the hashes to form levels, pad to the block boundary with zeros, and repeat until a single root hash remains. That root hash, together with the salt used, feeds the dm-verity table and its signature.

On-disk format versions and algorithm

The on-disk format of the hash blocks is versioned. Version 0 was the original version used in Chromium OS: the salt is appended at the end of the hashing process, digests are stored contiguously, and the rest of the block is padded with zeros.

Version 1 is recommended for new devices: the salt is prepended to the hash input, and each digest is padded with zeros to a power of two, improving alignment and robustness. The dm-verity table also specifies the algorithm (for example, sha1 or sha256), although for current security sha256 is used.
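
The tree construction and the per-block check described in the last two sections, as an added example (not code from veritysetup or the kernel). It models only the hashing and level layout for SHA-256 with 4K blocks; the function names and the sample data are assumptions, and no on-disk superblock is produced.

```python
import hashlib

BLOCK = 4096                   # data and hash block size (the page's 4K)
DIGEST = 32                    # SHA-256 digest length in bytes
PER_BLOCK = BLOCK // DIGEST    # 128 digests fit in one hash block


def block_hash(salt, block, version=1):
    # Format version 1 prepends the salt, version 0 appends it.
    data = salt + block if version == 1 else block + salt
    return hashlib.sha256(data).digest()


def to_blocks(buf):
    # Zero-pad the tail so every level ends on a block boundary.
    buf += b"\0" * (-len(buf) % BLOCK)
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]


def build_tree(data, salt, version=1):
    """Return (levels, root); levels[0] is the page's layer 1."""
    if not data:
        raise ValueError("empty device")
    digests = [block_hash(salt, b, version) for b in to_blocks(data)]
    levels = []
    while len(digests) > 1:
        hash_blocks = to_blocks(b"".join(digests))
        levels.append(hash_blocks)
        digests = [block_hash(salt, b, version) for b in hash_blocks]
    return levels, digests[0]


def verify_block(block, index, levels, root, salt, version=1):
    """Check one data block on read by walking its path up to the root.

    The hash blocks in `levels` are untrusted storage; only `root` is trusted.
    """
    digest = block_hash(salt, block, version)
    for hash_blocks in levels:
        parent = hash_blocks[index // PER_BLOCK]
        offset = (index % PER_BLOCK) * DIGEST
        if parent[offset:offset + DIGEST] != digest:
            return False          # stored hash differs: the read would fail
        digest = block_hash(salt, parent, version)
        index //= PER_BLOCK
    return digest == root


def demo():
    # Constructed sample: 300 data blocks -> 3 hash blocks -> 1 hash block.
    salt = bytes.fromhex("a5" * 32)
    data = b"".join(bytes([i % 251]) * BLOCK for i in range(300))
    levels, root = build_tree(data, salt)
    blocks = to_blocks(data)
    tampered = bytes([blocks[200][0] ^ 1]) + blocks[200][1:]
    return (verify_block(blocks[200], 200, levels, root, salt),
            verify_block(tampered, 200, levels, root, salt))


if __name__ == "__main__":
    print(demo())
```

Only the blocks on one path are hashed per read, which is why the cost stays small next to the I/O itself.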

The dm-verity table and essential parameters

The dm-verity target table describes where the data is, where the hash tree is, and how to verify it. Typical table fields:

  • dev: the device with the data to verify (a path such as /dev/sdXN, or major:minor).
  • hash_dev: the device with the hash tree (may be the same one; if so, hash_start must lie outside the verified range).
  • data_block_size: size of a data block in bytes (for example 4096).
  • hash_block_size: size of a hash block in bytes.
  • num_data_blocks: number of data blocks that are verified.
  • hash_start_block: offset (in hash_block_size blocks) to the root block of the tree.
  • algorithm: hash algorithm (for example, sha256).
  • digest: hexadecimal encoding of the hash of the root block (including the salt according to the format version); this value is the one to be trusted.
  • salt: salt in hexadecimal.

In addition, there are optional parameters that are very useful for tuning behaviour:

  • ignore_corruption: logs corrupted blocks but lets reads continue.
  • restart_on_corruption: reboots when corruption is detected (incompatible with ignore_corruption and requires user-space support to avoid loops).
  • panic_on_corruption: triggers a panic when corruption is detected (incompatible with the previous ones).
  • restart_on_error and panic_on_error: equivalent responses, but for I/O errors.
  • ignore_zero_blocks: does not verify blocks expected to be zeros and returns zeros.
  • use_fec_from_device + fec_roots + fec_blocks + fec_start: enable Reed-Solomon (FEC) to recover data when verification fails; the data, hash, and FEC areas must not overlap, and block sizes must match.
  • check_at_most_once: verifies each data block only the first time it is read (reduces overhead at the cost of protection against live attacks).
  • root_hash_sig_key_desc: reference to a key in the keyring used to verify a PKCS7 signature of the root hash when the mapping is created (requires suitable kernel configuration and trusted keys).
  • try_verify_in_tasklet: if hashes are cached and the I/O size permits, verify in the bottom half to reduce latency; tuned with /sys/module/dm_verity/parameters/use_bh_bytes per I/O class.
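
A table audit built on the fields and options above, as an added example (not part of any dm-verity tool). The finding codes and sample lines are constructed; the leading version field and the `<count> <options>` tail follow the kernel's documented table layout, which the field list above omits.

```python
FIELDS = ("version", "dev", "hash_dev", "data_block_size", "hash_block_size",
          "num_data_blocks", "hash_start_block", "algorithm", "digest", "salt")
INT_FIELDS = ("version", "data_block_size", "hash_block_size",
              "num_data_blocks", "hash_start_block")
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}


def parse_verity_table(line):
    tok = line.split()
    # `dmsetup table` output starts with "[name:] <start> <length> verity".
    if "verity" in tok[:4]:
        tok = tok[tok.index("verity") + 1:]
    if len(tok) < len(FIELDS):
        raise ValueError("truncated verity table")
    table = dict(zip(FIELDS, tok))
    for key in INT_FIELDS:
        table[key] = int(table[key])
    rest = tok[len(FIELDS):]
    if rest and int(rest[0]) != len(rest) - 1:
        raise ValueError("optional parameter count mismatch")
    table["opts"] = rest[1:]   # option arguments stay in the list as tokens
    return table


def audit(table):
    """Return sorted finding codes for one parsed table (empty list = clean)."""
    opts, found = set(table["opts"]), set()
    if table["version"] == 0:
        found.add("legacy-format-version")      # version 1 is recommended
    if table["algorithm"] == "sha1":
        found.add("weak-algorithm")
    want = DIGEST_HEX_LEN.get(table["algorithm"])
    if want and len(table["digest"]) != want:
        found.add("digest-length-mismatch")
    if "ignore_corruption" in opts:
        found.add("corruption-ignored")         # logged only, reads continue
        if "restart_on_corruption" in opts:
            found.add("conflicting-corruption-policy")
    if "check_at_most_once" in opts:
        found.add("verify-once-only")           # weaker against live tampering
    data_end = table["num_data_blocks"] * table["data_block_size"]
    hash_start = table["hash_start_block"] * table["hash_block_size"]
    if table["dev"] == table["hash_dev"] and hash_start < data_end:
        found.add("hash-tree-overlaps-data")
    return sorted(found)


# Constructed sample lines (digest and salt are placeholders, not real hashes).
GOOD = ("0 2097152 verity 1 /dev/sda2 /dev/sda3 4096 4096 262144 1 sha256 "
        + "ab" * 32 + " " + "cd" * 32 + " 1 restart_on_corruption")
BAD = ("0 /dev/sda2 /dev/sda2 4096 4096 262144 1 sha1 " + "ab" * 32 + " "
       + "cd" * 32
       + " 3 ignore_corruption restart_on_corruption check_at_most_once")

if __name__ == "__main__":
    for line in (GOOD, BAD):
        print(audit(parse_verity_table(line)))
```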

Signing, metadata, and trust anchoring

For dm-verity to be trustworthy, the root hash must be trusted, and it is usually signed. On classic Android, a public key is included in the boot partition, which is verified externally by the manufacturer; it verifies the signature of the root hash and ensures the system partition has not been altered.

Verity metadata adds structure and version control. The metadata block contains the magic number 0xb001b001 (bytes b0 01 b0 01), a version (currently 0), the signature of the table in PKCS1.5 (typically 256 bytes for RSA-2048), the table length, the table itself, and zero padding up to 32K.

In Android implementations, verification relies on fs_mgr and the fstab: add the verify flag to the relevant entry and place the key at /boot/verity_key. If the magic number is not where it should be, verification stops, to avoid verifying the wrong thing.

The verified boot flow

Security rests on the kernel: if it is compromised before the kernel boots, the attacker retains control. That is why manufacturers typically verify each stage strictly: a key burned into the device verifies the first-stage bootloader, which verifies the next one, the application bootloader and, finally, the kernel.

With the kernel verified, dm-verity is enabled when the verified block device is mounted. Instead of hashing the entire device (which would be slow and waste power), it is verified block by block as it is accessed. A failure causes an I/O error, and services and apps react according to their tolerance: either they continue without that data or they fail completely.

Forward Error Correction (FEC)

Since Android 7.0, FEC (Reed-Solomon) has been included with interleaving techniques to reduce space and increase the ability to recover corrupted blocks. It works together with dm-verity: if a check fails, the subsystem can try to correct the block before declaring it unrecoverable.

Performance and optimization

To reduce the impact: enable SHA-2 acceleration with NEON on ARMv7 and the SHA-2 extensions on ARMv8 in the kernel. Tune the read-ahead and prefetch_cluster parameters for your hardware; per-block verification adds little to the cost of I/O, but these settings make a difference.

Deployment on Linux (systemd, veritysetup) and Android

On modern Linux with systemd, dm-verity enables a verified read-only root using veritysetup (part of cryptsetup), systemd-veritysetup.generator, and systemd-veritysetup@.service. Including Secure Boot and a signed UKI (unified kernel image) is recommended, although not strictly required.

Preparation and recommended partitioning

Start from a working, tuned system. Reserve a volume for the hash tree (8-10% of the root size is usually enough) and consider separating /home and /var if you need to write to them. A typical scheme includes: ESP (for the bootloader), XBOOTLDR (for UKIs), root (with or without encryption), a VERITY partition, and optionally /home and /var.

For the root, EROFS is a very interesting alternative to ext4 or squashfs: it is read-only by design, performs very well on flash/SSD, uses lz4 compression by default, and is widely used on Android phones with dm-verity.

Files that must be writable

With a read-only root, some programs expect to write to /etc or to write during boot. You can move it to /var/etc and symlink whatever needs to change (for example, NetworkManager connections in /etc/NetworkManager/system-connections). Note that systemd-journald requires /etc/machine-id to exist on the root file system (not as a symlink) to avoid breaking early boot.

To find out which paths change at runtime, use dracut-overlayroot: it overlays a tmpfs on top of the root, and everything written shows up in /run/overlayroot/u. Add the module to /usr/lib/dracut/modules.d/, include overlayroot in dracut, and set overlayroot=1 on the kernel command line; this way you will see what you need to migrate to /var.

Practical examples: pacman and NetworkManager

On Arch, it is a good idea to move the Pacman database to /usr/lib/pacman so that the rootfs always reflects the installed packages. Then redirect the cache to /var/lib/pacman and link it. To change the mirror list without touching the root, move it to /var/etc and link it.

For NetworkManager, move system-connections to /var/etc/NetworkManager and link it from /etc/NetworkManager/system-connections. This keeps the root immutable, and the configuration lives where it should be writable.

Building the verity data and testing

From a live system, with everything finished and mounted read-only, create the tree and the root hash with veritysetup format. When run, it prints a Root Hash line, which you can save in roothash.txt. Test it with veritysetup open root-device root verity-device $(cat roothash.txt) and mount /dev/mapper/root.

If you prefer, first generate the tree in a file (verity.bin) and then write it to the VERITY partition. The resulting set is: the root image, the verity tree, and the root hash that you will pin at boot.

Configure the kernel command line

Add these parameters: systemd.verity=1, roothash=contents_of_roothash.txt, systemd.verity_root_data=ROOT-PATH (e.g. LABEL=OS), and systemd.verity_root_hash=VERITY-PATH (e.g. LABEL=VERITY). Set systemd.verity_root_options to restart-on-corruption or panic-on-corruption for strict policies.

Other recommended options: ro (if you are not using EROFS/squashfs), rd.emergency=reboot and rd.shell=0 (they prevent unauthorized shells if boot fails), and lockdown=confidentiality to protect kernel memory from access.

Additional verity partitions

Not just the root: you can define other mappings in /etc/veritytab, and systemd-veritysetup@.service will assemble them at boot. Remember: it is easier to remount a non-root partition read-write, and the root user can disable verity on those partitions, so the security value is lower.

Security: Secure Boot, UKI, and signed modules

dm-verity is not a silver bullet. Sign the UKI and enable Secure Boot with your own keys to prevent anyone from replacing the kernel/initramfs/cmdline (which includes the root hash). Tools such as sbupdate-git or sbctl help keep images signed and the boot chain intact.

If you enable kernel lockdown or module signature verification, DKMS or out-of-tree modules must be signed or they will not load. Consider a custom kernel with signing support for your pipeline (see signed kernel modules).

Encryption, TPM, and measurement

dm-verity protects integrity, not confidentiality. You can leave the root unencrypted if it contains no secrets and the boot chain is protected. If you use key files from the root to unlock other volumes, then encrypting it is a good idea.

With TPM 2.0, systemd-cryptenroll lets you bind keys to PCRs 0,1,5,7 (firmware, options, GPT, secure boot state). Add rd.luks.options=LUKS_UUID=tpm2-device=auto and make sure to include TPM2 support in the initramfs. systemd-boot measures kernel.efi into PCR4, which is useful for invalidating keys if the UKI or its cmdline changes.

Updates and deployment models

A verified read-only root is not updated with the package manager in the traditional way. Ideally, build new images with tools such as the Yocto Project and publish them. systemd has systemd-sysupdate and systemd-repart for robust image download and flashing.

Another strategy is the A/B scheme: you keep two roots and two verity partitions. Copy the active root to the inactive root, apply the changes, and regenerate the verity data. Switch back on the next boot. If you use a UKI, remember to update the root hash in the cmdline or rebuild the signed UKI.

For optional persistence, use OverlayFS on the verified root with an upper layer on tmpfs or on disk. You can also pass systemd.volatile=overlay for temporary persistence. Flatpak makes it easy to install apps in /var and /home without touching /.

There are automated packages (for example, verity-squash-root in the AUR) that build a squashfs root and sign the roothash together with the kernel and initramfs, letting you choose between persistent or ephemeral mode and keeping the latest rootfs as a backup. Note: adding persistence to a verified root has narrow use cases; try to persist app data on separate partitions.

Android: system-as-root, AVB, and vendor overlays

Since Android 10, the RootFS no longer runs from a RAM disk and is merged with system.img (system-as-root). Devices launching with Android 10 always use this scheme and require a ramdisk for dm-linear. BOARD_BUILD_SYSTEM_ROOT_IMAGE is set to false in this build to distinguish between using a ramdisk and activating system.img directly.

Android 10 incorporates dynamic partitions and a first-stage init that activates the logical system partition; the kernel no longer mounts it directly. System-only OTAs require a system-as-root layout, which is mandatory on Android 10 devices.

On non-A/B devices, keep recovery separate from boot. Unlike A/B, there is no boot_a/boot_b backup, so removing recovery on non-A/B can leave you without a recovery mode if a boot update fails.

The kernel mounts system.img at / through dm-verity in one of two ways: vboot 1.0 (kernel patches parse the Android metadata on /system and obtain the dm-verity parameters; the cmdline includes root=/dev/dm-0, skip_initramfs, and init=/init with dm=…) or vboot 2.0/AVB, where the bootloader integrates libavb, reads the hashtree descriptor (in vbmeta or system), builds the parameters, and passes them to the kernel on the cmdline, with FEC support and flags such as restart_on_corruption.

With system-as-root, do not use BOARD_ROOT_EXTRA_FOLDERS for device-specific root folders: they will disappear when a GSI is flashed. Define specific mounts under /mnt/vendor/ , which fs_mgr creates automatically, and reference them in the device tree's fstab.

Android allows a vendor overlay from /product/vendor_overlay/: init will mount onto /vendor the subdirectories that meet the SELinux context requirements and the existence of /vendor/ . It requires CONFIG_OVERLAY_FS=y and, on older kernels, the override_creds=off patch.

Typical implementation: install the prebuilt files in device/ / /vendor_overlay/, add them to PRODUCT_COPY_FILES with find-copy-subdir-files to $(TARGET_COPY_OUT_PRODUCT)/vendor_overlay, define contexts in file_contexts for etc and app (for example vendor_configs_file and vendor_app_file), and allow mounton for those contexts in init. Test with atest -v fs_mgr_vendor_overlay_test on userdebug.

Troubleshooting: the dm-verity corruption message on Android

On devices with A/B slots, switching slots or flashing vbmeta/boot without a matching roothash can trigger the warning: dm-verity corruption, your device is untrusted. Commands such as fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img disable verification, but leave the system without integrity guarantees.

Some bootloaders support fastboot oem disable_dm_verity and its counterpart, enable_dm_verity. It works on some models but not on others, and it may require a kernel/magisk with adjusted flags. Use at your own risk: the prudent course of action is to align boot, vbmeta, and system, sign or regenerate the tree, and confirm that the expected root hash matches the configuration.

If after the warning you can continue by pressing the power button, the system boots, but you no longer have a chain of trust. To remove the message without sacrificing security, restore the original signed images or rebuild/verify vbmeta with the correct hashtree, instead of disabling verification.

i.MX and OpenWrt platforms

On i.MX6 (e.g. sabresd), configure the kernel with DM_VERITY and FEC support, generate the tree with veritysetup, store the root hash securely, and pass the appropriate parameters on the cmdline or integrate via an initramfs with systemd-veritysetup. If you are not using dm-crypt, you do not need CAAM for verity; the focus is on integrity.

On OpenWrt and in embedded Linux systems built with OpenEmbedded, there are efforts to integrate dm-verity and SELinux (Bootlin's work has been revised with the aim of including support). It is a natural fit: routers and network equipment benefit from an immutable, verified root with MAC.

Manual tree and metadata construction (detailed view)

cryptsetup can generate the tree for you, but if you prefer to understand the format, the definition of the compact table line includes: mapping name, data device, data block and hash block sizes, image size in blocks, hash_start position (image blocks + 8 if concatenated), root hash, and salt. After generating the concatenated layers (from top to bottom, excluding layer 0), you write the tree to disk.

To package everything, compose the dm-verity table, sign it (typically RSA-2048), and bundle signature+table into the metadata with a versioned header and the magic number. Then concatenate the system image, the verity metadata, and the hash tree. In the fstab, mark the entry with the fs_mgr verify flag and install the public key at /boot/verity_key to validate the signature.

Optimize with SHA-2 acceleration for your CPU and tune read-ahead/prefetch_cluster. On ARM hardware, NEON SHA-2 (ARMv7) and the SHA-2 extensions (ARMv8) significantly reduce verification overhead.

In any deployment, remember that the root hash value must be protected: whether embedded in a signed UKI, in a signed boot partition, or verified by the bootloader using AVB. Everything after that point inherits that trust.

With all of the above in place, dm-verity becomes a solid foundation for immutable, mobile, and embedded systems, supporting transactional updates, configuration overlays, and a modern security model that reduces the attack surface and prevents persistence without sacrificing performance.
