# VerityInfo is emitted by verity_image, and contains a file enclosing a
# singular dm-verity target table.
#
# Consumers that need to set up the device-mapper target read the table from
# VerityInfo.table; the rule's default outputs carry only the image itself
# (see _verity_image_impl), so the table is not reachable any other way.
VerityInfo = provider(
    "Information necessary to mount a single dm-verity target.",
    fields = {
        # Written by mkverity next to the image. Its exact contents are defined
        # by mkverity, not by this file.
        "table": "A file containing the dm-verity target table. See: https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html",
    },
)

def _verity_image_impl(ctx):
    """Implementation of the verity_image rule.

    Invokes mkverity on the source image and declares two outputs: an image
    file that carries the original data with the Verity metadata appended,
    and a separate file holding the matching dm-verity target table. The image
    is exposed as the default output; the table is only exposed via VerityInfo.

    Args:
      ctx: rule context; reads attrs source, salt (optional), rootfs_partlabel
        and the private _mkverity tool.

    Returns:
      [DefaultInfo, VerityInfo]
    """
    target_name = ctx.attr.name
    verity_img = ctx.actions.declare_file("{}.img".format(target_name))
    target_table = ctx.actions.declare_file("{}.dmt".format(target_name))

    # The salt attribute is optional. When it is set, pass it through and make
    # the action depend on it so a changed salt file re-runs mkverity. When it
    # is unset no -salt flag is emitted at all; what mkverity then uses as the
    # salt is decided by mkverity, not here.
    salt_file = ctx.file.salt
    action_inputs = [ctx.file.source] + ([salt_file] if salt_file else [])

    mkverity_args = ctx.actions.args()
    mkverity_args.add("-input", ctx.file.source)
    mkverity_args.add("-output", verity_img)
    if salt_file:
        mkverity_args.add("-salt", salt_file)
    mkverity_args.add("-table", target_table)

    # Data and hash tree share a single device: the metadata is appended to the
    # image, so both aliases name the same rootfs partition.
    partlabel = ctx.attr.rootfs_partlabel
    mkverity_args.add("-data_alias", partlabel)
    mkverity_args.add("-hash_alias", partlabel)

    ctx.actions.run(
        mnemonic = "GenVerityImage",
        progress_message = "Generating a dm-verity image: {}".format(verity_img.short_path),
        inputs = action_inputs,
        outputs = [verity_img, target_table],
        executable = ctx.file._mkverity,
        arguments = [mkverity_args],
    )

    # Only the image is a default output / runfile; the table travels solely
    # through VerityInfo.
    default_info = DefaultInfo(
        files = depset([verity_img]),
        runfiles = ctx.runfiles(files = [verity_img]),
    )
    return [default_info, VerityInfo(table = target_table)]

verity_image = rule(
    implementation = _verity_image_impl,
    doc = """
    Build a dm-verity target image by appending Verity metadata to the source
    image. A corresponding dm-verity target table will be made available
    through VerityInfo provider.
    """,
    attrs = {
        # The data that gets hashed. Mandatory, so a target without a source
        # fails at analysis time instead of inside mkverity.
        "source": attr.label(
            doc = "A source image.",
            allow_single_file = True,
            mandatory = True,
        ),
        # Optional. When unset, _verity_image_impl emits no -salt flag and the
        # salt falls back to whatever mkverity does on its own -- TODO confirm
        # that default in mkverity. The salt is an input to the hash tree, not a
        # secret: per the doc below it is derived by hashing this file, so a
        # change to the file's contents is expected to change the root hash.
        "salt": attr.label(
            doc = """
            A file which will be hashed to generate the salt.
            This should be a small file which is different for each
            released image, but which only changes when the source also
            changes. The product info file is a good choice for this.
            """,
            allow_single_file = True,
        ),
        # Passed to mkverity as both -data_alias and -hash_alias (see
        # _verity_image_impl): data and hash tree are expected to live on the
        # same partition, since the metadata is appended to the image.
        "rootfs_partlabel": attr.string(
            doc = "GPT partition label of the rootfs to be used with dm-mod.create.",
            default = "PARTLABEL=METROPOLIS-SYSTEM-X",
        ),
        # Private tool attribute (leading underscore): not settable from BUILD
        # files, and built for the execution platform (cfg = "exec") because it
        # runs as part of the build rather than on the target.
        "_mkverity": attr.label(
            doc = "The mkverity executable needed to generate the image.",
            default = "//osbase/build/mkverity",
            allow_single_file = True,
            executable = True,
            cfg = "exec",
        ),
    },
)