OpenBMC Image Management

Patrick Williams patrick at stwcx.xyz
Wed Feb 1 05:16:41 AEDT 2017


On Mon, Jan 30, 2017 at 04:47:13PM +1100, Stewart Smith wrote:
> dm-verity (a device-mapper target taht cryptographically verifies each
> filesystem block) could be a way to very easily get most of what's
> needed here.
> 
> https://lwn.net/Articles/459420/
> 
> https://source.android.com/security/verifiedboot/
> 

Any ideas on how nicely that plays with mtd/ubi?  I don't see anything
about it.  I do see some dm-verity presentations claiming that IMA is
slow and dm-verity is much faster.

We should have all code in a SquashFS image anyhow.  Signing / verifying
that whole image might be reasonable as well.

-- 
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20170131/4f390cc8/attachment.sig>


More information about the openbmc mailing list