Verity signatures working.

microsoft · Jan 3, 2025 · 72410e1 · 72410e1
1 parent bba473c
commit 72410e1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 12 deletions.
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go
@@ -113,12 +113,12 @@ func prepareGrubConfigForVerity(imageChroot *safechroot.Chroot) error {
 
 func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash string, grubCfgFullPath string,
 	partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo,
-	provideRootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string,
+	rootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string,
 ) error {
 	var err error
 
 	newArgs, err := constructVerityKernelCmdlineArgs(rootfsVerity, rootHash, partIdToPartUuid, partitions,
-		provideRootHashSignatureArgument, requireRootHashSignatureArgument, bootPartitionUuid)
+		rootHashSignatureArgument, requireRootHashSignatureArgument, bootPartitionUuid)
 	if err != nil {
 		return fmt.Errorf("failed to generate verity kernel arguments:\n%w", err)
 	}
@@ -164,7 +164,7 @@ func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash
 
 func constructVerityKernelCmdlineArgs(rootfsVerity imagecustomizerapi.Verity, rootHash string,
 	partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo,
-	provideRootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string) ([]string, error) {
+	rootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string) ([]string, error) {
 	// Format the dataPartitionId and hashPartitionId using the helper function.
 	formattedDataPartition, err := systemdFormatPartitionId(rootfsVerity.DataDeviceId,
 		rootfsVerity.DataDeviceMountIdType, partIdToPartUuid, partitions)
@@ -190,7 +190,7 @@ func constructVerityKernelCmdlineArgs(rootfsVerity imagecustomizerapi.Verity, ro
 		fmt.Sprintf("systemd.verity_root_data=%s", formattedDataPartition),
 		fmt.Sprintf("systemd.verity_root_hash=%s", formattedHashPartition),
 		fmt.Sprintf("systemd.verity_root_options=%s", formattedCorruptionOption),
-		fmt.Sprintf("%s", provideRootHashSignatureArgument),
+		fmt.Sprintf("%s", rootHashSignatureArgument),
 		fmt.Sprintf("%s", requireRootHashSignatureArgument),
 		fmt.Sprintf("pre.verity.mount=%s", bootPartitionUuid),
 	}
@@ -285,9 +285,10 @@ func validateVerityDependencies(imageChroot *safechroot.Chroot) error {
 
 func updateUkiKernelArgsForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash string,
 	partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, buildDir string,
+	rootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string,
 ) error {
 	newArgs, err := constructVerityKernelCmdlineArgs(rootfsVerity, rootHash, partIdToPartUuid, partitions,
-		"" /*provideRootHashSignatureArgument*/, "" /*requireRootHashSignatureArgument*/, "" /*bootPartitionUuid*/)
+		rootHashSignatureArgument, requireRootHashSignatureArgument, bootPartitionUuid)
 	if err != nil {
 		return fmt.Errorf("failed to generate verity kernel arguments:\n%w", err)
 	}
@@ -303,7 +304,7 @@ func updateUkiKernelArgsForVerity(rootfsVerity imagecustomizerapi.Verity, rootHa
 
 func generateSignedRootHashArtifacts(deviceId string, deviceRootHash string, outputVerityHashes bool, outputVerityHashesDir string,
 	requireSignedRootfsRootHash bool, requireSignedRootHashes bool,
-) (provideRootHashSignatureArgument string, requireRootHashSignatureArgument string, err error) {
+) (rootHashSignatureArgument string, requireRootHashSignatureArgument string, err error) {
 
 	if !outputVerityHashes {
 		return "", "", nil
@@ -324,17 +325,17 @@ func generateSignedRootHashArtifacts(deviceId string, deviceRootHash string, out
 
 	// ToDo: how do we handle multiple verity device?
 	if requireSignedRootfsRootHash {
-		provideRootHashSignatureArgument = "systemd.verity_root_options=root-hash-signature=" + rootHashSignedFileImagePath
+		rootHashSignatureArgument = "systemd.verity_root_options=root-hash-signature=" + rootHashSignedFileImagePath
 	}
 	if requireSignedRootHashes {
 		requireRootHashSignatureArgument = "dm_verity.require_signatures=1"
 	}
 
 	logger.Log.Debugf("---- debug ---- rootHashSignedFileImagePath=(%s)", rootHashSignedFileImagePath)
-	logger.Log.Debugf("---- debug ---- provideRootHashSignatureArgument      =(%s)", provideRootHashSignatureArgument)
+	logger.Log.Debugf("---- debug ---- rootHashSignatureArgument      =(%s)", rootHashSignatureArgument)
 	logger.Log.Debugf("---- debug ---- requireRootHashSignatureArgument      =(%s)", requireRootHashSignatureArgument)
 
-	return provideRootHashSignatureArgument, requireRootHashSignatureArgument, err
+	return rootHashSignatureArgument, requireRootHashSignatureArgument, err
 }
 
 func generateSignedRootHashConfiguration(signedRootHashFiles []string) (imagecustomizerapi.AdditionalFileList, error) {

diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go
@@ -925,22 +925,23 @@ func customizeVerityImageHelper(buildDir string, baseConfigPath string, config *
 		return fmt.Errorf("failed to stat file (%s):\n%w", grubCfgFullPath, err)
 	}
 
-	provideRootHashSignatureArgument, requireRootHashSignatureArgument, err := generateSignedRootHashArtifacts(rootfsVerity.DataDeviceId, rootHash, outputVerityHashes,
+	rootHashSignatureArgument, requireRootHashSignatureArgument, err := generateSignedRootHashArtifacts(rootfsVerity.DataDeviceId, rootHash, outputVerityHashes,
 		outputVerityHashesDir, requireSignedRootfsRootHash, requireSignedRootHashes)
 	if err != nil {
 		return err
 	}
 
 	if config.OS.Uki != nil {
 		// UKI is enabled, update kernel cmdline args file instead of grub.cfg.
-		err = updateUkiKernelArgsForVerity(rootfsVerity, rootHash, partIdToPartUuid, diskPartitions, buildDir)
+		err = updateUkiKernelArgsForVerity(rootfsVerity, rootHash, partIdToPartUuid, diskPartitions, buildDir,
+			rootHashSignatureArgument, requireRootHashSignatureArgument, bootPartition.Uuid)
 		if err != nil {
 			return fmt.Errorf("failed to update kernel cmdline arguments for verity:\n%w", err)
 		}
 	} else {
 		// UKI is not enabled, update grub.cfg as usual.
 		err = updateGrubConfigForVerity(rootfsVerity, rootHash, grubCfgFullPath, partIdToPartUuid, diskPartitions,
-			provideRootHashSignatureArgument, requireRootHashSignatureArgument, bootPartition.Uuid)
+			rootHashSignatureArgument, requireRootHashSignatureArgument, bootPartition.Uuid)
 		if err != nil {
 			return fmt.Errorf("failed to update grub config for verity:\n%w", err)
 		}