[yocto] How to include the checksum of the (read-only) rootfs in an initramfs

Patrick Doyle wpdster at gmail.com
Fri Aug 23 09:04:30 PDT 2019


Is this a solved problem?  If so, what is the correct solution?

Here are some more details of the problem statement...
I want to verify that my read-only rootfs has not been modified when I
boot.  So I bundle the checksum of the rootfs in /etc/rootfs.hash
in my initramfs using something a lot like:

do_install() {
    install -d -m 0755 ${D}/etc
    # record the SHA-256 of the deployed squashfs image (64 hex chars, no filename)
    sha256sum -b ${DEPLOY_DIR_IMAGE}/base-image-${MACHINE}.squashfs-xz \
        | cut -c-64 > ${D}/etc/rootfs.hash
    install -d -m 0755 ${D}/init.d
    # boot-time hook that checks the rootfs against /etc/rootfs.hash
    install -m 0755 ${WORKDIR}/rootfs ${D}/init.d/90-rootfs
}

This is part of my "validate-rootfs.bb" recipe which is part of my
initramfs image.

The problem is, I need to ensure that
${DEPLOY_DIR_IMAGE}/base-image-${MACHINE}.squashfs-xz is up to date
prior to the execution of my do_install() task.  So I added:

do_install[depends] += "base-image:do_image_complete"

to my recipe.  That has worked great... until I noticed that if I do:

$ bitbake base-image -ccleansstate
$ bitbake base-image

I generate a new rootfs, with new timestamps, which means that it will
have a new checksum.

The problem is, since none of the inputs to base-image.bb have
changed, none of the checksums have changed, so bitbake doesn't think
it needs to run my validate-rootfs.bb recipe, so I don't get a new
checksum embedded in my initramfs.

So, I feel like I am doing something wrong here.  I _could_ generate
rootfs.hash as part of generating
${DEPLOY_DIR_IMAGE}/base-image-${MACHINE}.squashfs-xz, but I think I
would still have the problem of making validate-rootfs.bb notice that
a file in ${DEPLOY_DIR_IMAGE} has changed and therefore it should run
again.

Digging through the output of

$ bitbake-dumpsig -t validate-rootfs do_install

I noticed a line that read:

This task depends on the checksums of files: []

which looked promising.  Digging through the source code, I intuited
that I could add something like:

do_install[file-checksums] += "${DEPLOY_DIR_IMAGE}/base-image-${MACHINE}.squashfs-xz:False"

to my recipe.  This appeared to work at first, but also appears to be
totally undocumented, and even as I write this, I am seeing situations
where the checksum doesn't get recalculated.

So I wonder if other folks have tried to solve this problem, and how
they have done so.

--wpd
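The boot-time side of the scheme described in the post, the check that the /init.d/90-rootfs hook would perform against /etc/rootfs.hash, as an added shell example that is not from the post or from any Yocto layer. The device path, the mount point and the script name test are assumptions; the digest is computed exactly as the recipe stores it (sha256sum -b | cut -c-64) so the two values are comparable.

```shell
#!/bin/sh
# Added example: verify the read-only rootfs image before mounting it.
ROOTFS_IMAGE="${ROOTFS_IMAGE:-/dev/mmcblk0p2}"   # assumed squashfs device
ROOTFS_HASH="${ROOTFS_HASH:-/etc/rootfs.hash}"   # written by the recipe above

# Digest an image the same way the recipe did, so values are comparable.
image_sha256() {
    sha256sum -b "$1" | cut -c-64
}

# verify_rootfs IMAGE HASHFILE
# Returns 0 when the image digest matches the expected one, 1 otherwise.
# An empty, missing or malformed expected hash is a failure, so a lost
# /etc/rootfs.hash cannot silently turn the check into a no-op.
verify_rootfs() {
    image="$1"
    hashfile="$2"
    [ -r "$image" ] || { echo "rootfs image $image not readable" >&2; return 1; }
    expected=$(tr -d '[:space:]' < "$hashfile" 2>/dev/null)
    case "$expected" in
        ""|*[!0-9a-f]*) echo "no valid expected hash in $hashfile" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "expected hash has wrong length" >&2; return 1; }
    actual=$(image_sha256 "$image")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "rootfs hash mismatch: expected $expected got $actual" >&2
    return 1
}

# Only act when run as the init hook itself (assumed name 90-rootfs),
# so the functions can also be sourced and tested on a build host.
if [ "${0##*/}" = "90-rootfs" ]; then
    if verify_rootfs "$ROOTFS_IMAGE" "$ROOTFS_HASH"; then
        mount -t squashfs -o ro "$ROOTFS_IMAGE" /rootfs
    else
        echo "refusing to mount unverified rootfs" >&2
        exit 1
    fi
fi
```

Because the image is hashed as a whole, any change to the deployed squashfs (including the timestamp-only rebuild the post describes) changes the digest, which is exactly why the hash embedded in the initramfs must be regenerated whenever the image is.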