| Lorenz Brun | 163525e | 2025-05-22 15:30:14 +0200 | [diff] [blame] | 1 | load("//osbase/build:def.bzl", "build_static_transition") |
| 2 | |
| Tim Windelschmidt | bed76d9 | 2025-02-18 03:04:14 +0100 | [diff] [blame] | 3 | # VerityInfo is emitted by verity_image, and contains a file enclosing a |
| 4 | # singular dm-verity target table. |
| 5 | VerityInfo = provider( |
| 6 | "Information necessary to mount a single dm-verity target.", |
| 7 | fields = { |
| 8 | "table": "A file containing the dm-verity target table. See: https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html", |
| 9 | }, |
| 10 | ) |
| 11 | |
| 12 | def _verity_image_impl(ctx): |
| 13 | """ |
| 14 | Create a new file containing the source image data together with the Verity |
| 15 | metadata appended to it, and provide an associated DeviceMapper Verity target |
| 16 | table in a separate file, through VerityInfo provider. |
| 17 | """ |
| 18 | |
| 19 | # Run mkverity. |
| 20 | image = ctx.actions.declare_file(ctx.attr.name + ".img") |
| 21 | table = ctx.actions.declare_file(ctx.attr.name + ".dmt") |
| 22 | ctx.actions.run( |
| 23 | mnemonic = "GenVerityImage", |
| 24 | progress_message = "Generating a dm-verity image: {}".format(image.short_path), |
| 25 | inputs = [ctx.file.source], |
| 26 | outputs = [ |
| 27 | image, |
| 28 | table, |
| 29 | ], |
| 30 | executable = ctx.file._mkverity, |
| 31 | arguments = [ |
| 32 | "-input=" + ctx.file.source.path, |
| 33 | "-output=" + image.path, |
| 34 | "-table=" + table.path, |
| 35 | "-data_alias=" + ctx.attr.rootfs_partlabel, |
| 36 | "-hash_alias=" + ctx.attr.rootfs_partlabel, |
| 37 | ], |
| 38 | ) |
| 39 | |
| 40 | return [ |
| 41 | DefaultInfo( |
| 42 | files = depset([image]), |
| 43 | runfiles = ctx.runfiles(files = [image]), |
| 44 | ), |
| 45 | VerityInfo( |
| 46 | table = table, |
| 47 | ), |
| 48 | ] |
| 49 | |
| 50 | verity_image = rule( |
| Lorenz Brun | 163525e | 2025-05-22 15:30:14 +0200 | [diff] [blame] | 51 | cfg = build_static_transition, |
| Tim Windelschmidt | bed76d9 | 2025-02-18 03:04:14 +0100 | [diff] [blame] | 52 | implementation = _verity_image_impl, |
| 53 | doc = """ |
| 54 | Build a dm-verity target image by appending Verity metadata to the source |
| 55 | image. A corresponding dm-verity target table will be made available |
| 56 | through VerityInfo provider. |
| 57 | """, |
| 58 | attrs = { |
| 59 | "source": attr.label( |
| 60 | doc = "A source image.", |
| 61 | allow_single_file = True, |
| 62 | ), |
| 63 | "rootfs_partlabel": attr.string( |
| 64 | doc = "GPT partition label of the rootfs to be used with dm-mod.create.", |
| 65 | default = "PARTLABEL=METROPOLIS-SYSTEM-X", |
| 66 | ), |
| 67 | "_mkverity": attr.label( |
| 68 | doc = "The mkverity executable needed to generate the image.", |
| 69 | default = "//osbase/build/mkverity", |
| 70 | allow_single_file = True, |
| 71 | executable = True, |
| 72 | cfg = "exec", |
| 73 | ), |
| 74 | }, |
| 75 | ) |