m: enable dm-verity rootfs
This makes all the existing EFI unified kernel images boot from a
dm-verity rootfs.
Change-Id: Iac05942e40b81825252e84feb5c79c8ff215680a
Reviewed-on: https://review.monogon.dev/c/monogon/+/527
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index f37ed9a..722f05b 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel
@@ -1,5 +1,5 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
-load("//metropolis/node/build:def.bzl", "erofs_image")
+load("//metropolis/node/build:def.bzl", "erofs_image", "verity_image")
load("//metropolis/node/build:efi.bzl", "efi_unified_kernel_image")
load("@rules_pkg//:pkg.bzl", "pkg_zip")
@@ -92,11 +92,17 @@
},
)
+verity_image(
+ name = "verity_rootfs",
+ source = ":rootfs",
+)
+
efi_unified_kernel_image(
name = "kernel_efi",
- cmdline = "console=ttyS0,115200 console=tty0 quiet root=PARTLABEL=METROPOLIS-SYSTEM rootfstype=erofs init=/init",
+ cmdline = "console=ttyS0,115200 console=tty0 quiet rootfstype=erofs init=/init",
kernel = "//third_party/linux",
os_release = ":os-release-info",
+ verity = ":verity_rootfs",
)
# An intermediary "bundle" format until we finalize the actual bundle format. This is NOT stable until migrated
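Review bot: The new `cmdline` on `kernel_efi` drops `root=PARTLABEL=METROPOLIS-SYSTEM` without saying where the root device now comes from. Presumably `efi_unified_kernel_image` derives the dm-verity mapping and root hash from `verity = ":verity_rootfs"`, but efi.bzl is not part of this diff, so that cannot be confirmed here. A comment above the attribute would help the next reader, e.g. `# root= is intentionally absent: the verity attribute supplies the dm-verity root device and root hash`. The root hash is only as trustworthy as the unified kernel image that carries it, so the comment or commit message should also say whether that image is signed or measured at boot. It is also worth documenting the intended behaviour when verification fails (dm-verity's `restart_on_corruption` / `panic_on_corruption` versus the default I/O error), since nothing in this hunk shows which mode is selected.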
@@ -106,7 +112,7 @@
name = "node",
srcs = [
":kernel_efi",
- ":rootfs",
+ ":verity_rootfs",
],
visibility = ["//visibility:public"],
)
@@ -115,7 +121,7 @@
name = "image",
srcs = [
":kernel_efi",
- ":rootfs",
+ ":verity_rootfs",
],
outs = [
"node.img",
@@ -123,7 +129,7 @@
cmd = """
$(location //metropolis/node/build/mkimage) \
-efi $(location :kernel_efi) \
- -system $(location :rootfs) \
+ -system $(location :verity_rootfs) \
-out $@
""",
tools = [