From aa879ddcce467d2fdd2782fc7afd8036c929c0f4 Mon Sep 17 00:00:00 2001
From: George Tankersley <george.tankersley@coreos.com>
Date: Thu, 18 Jun 2015 13:02:08 -0700
Subject: [PATCH 1/2] grub_install: add support for verity and non-verity
 grub.cfg

---
 build_library/grub.cfg        | 12 ++++++------
 build_library/grub_install.sh | 23 ++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index c315654e08..e9120b718a 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@@ -62,19 +62,19 @@ menuentry "CoreOS default" --id=coreos {
     gptprio.next -d usr -u usr_uuid
     if [ "$usr_uuid" = "7130c94a-213a-4e5a-8e26-6cce9662f132" ]; then
        linux$suf /coreos/vmlinuz-a $linux_console $linux_root \
-            mount.usr=PARTUUID=$usr_uuid $linux_append
+            @@MOUNTUSR@@=PARTUUID=$usr_uuid $linux_append
     else
        linux$suf /coreos/vmlinuz-b $linux_console $linux_root \
-            mount.usr=PARTUUID=$usr_uuid $linux_append
+            @@MOUNTUSR@@=PARTUUID=$usr_uuid $linux_append
     fi
 }
 
 menuentry "CoreOS USR-A" --id=coreos-a {
-    linux$suf /coreos/vmlinuz-a $linux_console $linux_root \
-         mount.usr=PARTLABEL=USR-A $linux_append
+   linux$suf /coreos/vmlinuz-a $linux_console $linux_root \
+        @@MOUNTUSR@@=PARTLABEL=USR-A $linux_append
 }
 
 menuentry "CoreOS USR-B" --id=coreos-b {
-    linux$suf /coreos/vmlinuz-b $linux_console $linux_root \
-         mount.usr=PARTLABEL=USR-B $linux_append
+   linux$suf /coreos/vmlinuz-b $linux_console $linux_root \
+        @@MOUNTUSR@@=PARTLABEL=USR-B $linux_append
 }
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 0179bd62a0..dd50e9113f 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -20,6 +20,8 @@ DEFINE_string esp_dir "" \
   "Path to EFI System partition mount point."
 DEFINE_string disk_image "" \
   "The disk image containing the EFI System partition."
+DEFINE_boolean verity ${FLAGS_FALSE} \
+  "Indicates that boot commands should enable dm-verity."
 
 # Parse flags
 FLAGS "$@" || exit 1
@@ -71,6 +73,9 @@ cleanup() {
     if [[ -b "${LOOP_DEV}" ]]; then
         sudo losetup --detach "${LOOP_DEV}"
     fi
+    if [[ -n "${GRUB_TEMP_DIR}" && -e "${GRUB_TEMP_DIR}" ]]; then
+      rm -r "${GRUB_TEMP_DIR}"
+    fi
 }
 trap cleanup EXIT
 
@@ -116,10 +121,26 @@ set prefix=(memdisk)
 set
 EOF
 
+# Generate a memdisk containing the appropriately generated grub.cfg. Doing
+# this because we need conflicting default behaviors between verity and
+# non-verity images.
+GRUB_TEMP_DIR=$(mktemp -d)
 if [[ ! -f "${ESP_DIR}/coreos/grub/grub.cfg.tar" ]]; then
     info "Generating grub.cfg memdisk"
+
+    if [[ ${FLAGS_verity} -eq ${FLAGS_TRUE} ]]; then
+      # use dm-verity for /usr
+      cat "${BUILD_LIBRARY_DIR}/grub.cfg" | \
+        sed 's/@@MOUNTUSR@@/mount.usr=\/dev\/mapper\/usr verity.usr/' > \
+        "${GRUB_TEMP_DIR}/grub.cfg"
+    else
+      # uses standard systemd /usr mount
+      cat "${BUILD_LIBRARY_DIR}/grub.cfg" | \
+        sed 's/@@MOUNTUSR@@/mount.usr/' > "${GRUB_TEMP_DIR}/grub.cfg"
+    fi
+
     sudo tar cf "${ESP_DIR}/coreos/grub/grub.cfg.tar" \
-	 -C "${BUILD_LIBRARY_DIR}" "grub.cfg"
+	 -C "${GRUB_TEMP_DIR}" "grub.cfg"
 fi
 
 info "Generating ${GRUB_DIR}/${CORE_NAME}"

From 283452e8835d7220aedaaea81928c696702a7401 Mon Sep 17 00:00:00 2001
From: George Tankersley <george.tankersley@coreos.com>
Date: Thu, 18 Jun 2015 13:01:06 -0700
Subject: [PATCH 2/2] verity: add verity plumbing and hash injection to build
 scripts

---
 build_image                       |  2 ++
 build_library/build_image_util.sh | 42 +++++++++++++++++++++++--------
 build_library/prod_image_util.sh  | 13 ----------
 3 files changed, 34 insertions(+), 23 deletions(-)

diff --git a/build_image b/build_image
index 91a2fc8b6b..ccbea76496 100755
--- a/build_image
+++ b/build_image
@@ -24,6 +24,8 @@ DEFINE_string board "${DEFAULT_BOARD}" \
   "The board to build an image for."
 DEFINE_boolean enable_rootfs_verification ${FLAGS_TRUE} \
   "Default all bootloaders to use kernel-based root fs integrity checking."
+DEFINE_boolean enable_verity ${FLAGS_FALSE} \
+  "Default GRUB to use dm-verity-enabled boot arguments"
 DEFINE_string base_pkg "coreos-base/coreos" \
   "The base portage package to base the build off of (only applies to prod images)"
 DEFINE_string base_dev_pkg "coreos-base/coreos-dev" \
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index c277c59519..847f81e491 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -258,11 +258,11 @@ finish_image() {
 
   local disk_img="${BUILD_DIR}/${image_name}"
 
+  # Copy kernel to support dm-verity boots
   sudo mkdir -p "${root_fs_dir}/boot/coreos"
   sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
        "${root_fs_dir}/boot/coreos/vmlinuz-a"
-  sudo cp "${root_fs_dir}/usr/boot/vmlinuz" \
-       "${root_fs_dir}/boot/coreos/vmlinuz-b"
+
   # Record directories installed to the state partition.
   # Explicitly ignore entries covered by existing configs.
   local tmp_ignore=$(awk '/^[dDfFL]/ {print "--ignore=" $2}' \
@@ -303,19 +303,36 @@ finish_image() {
       sudo chroot ${root_fs_dir} bash -c "cd /usr/share/selinux/mcs; semodule -i *.pp"
   fi
 
-  # Sign the kernels after /usr is in a consistent state
+  # We only need to disable rw and apply dm-verity in prod with a /usr partition
+  if [ "${PROD_IMAGE}" -eq 1 ] && mountpoint -q "${root_fs_dir}/usr"; then
+    local disable_read_write=${FLAGS_enable_rootfs_verification}
+
+    # Unmount /usr partition
+    sudo umount --recursive "${root_fs_dir}/usr" || exit 1
+
+    # Make the filesystem un-mountable as read-write and setup verity.
+    if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
+      "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" verity \
+        --root_hash="${BUILD_DIR}/${image_name%.bin}_verity.txt" \
+        "${BUILD_DIR}/${image_name}"
+
+      # Magic alert! Root hash injection works by replacing a seldom-used rdev
+      # error message in the uncompressed section of the kernel that happens to
+      # be exactly SHA256-sized. Our modified GRUB extracts it to the cmdline.
+      printf %s "$(cat ${BUILD_DIR}/${image_name%.bin}_verity.txt)" | \
+        sudo dd of="${root_fs_dir}/boot/coreos/vmlinuz-a" conv=notrunc seek=64 count=64 bs=1
+    fi
+  fi
+
+  # Sign the kernel after /usr is in a consistent state and verity is calculated
   if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
       sudo sbsign --key /usr/share/sb_keys/DB.key \
 	   --cert /usr/share/sb_keys/DB.crt \
 	   "${root_fs_dir}/boot/coreos/vmlinuz-a"
       sudo mv "${root_fs_dir}/boot/coreos/vmlinuz-a.signed" \
 	   "${root_fs_dir}/boot/coreos/vmlinuz-a"
-      sudo sbsign --key /usr/share/sb_keys/DB.key \
-	   --cert /usr/share/sb_keys/DB.crt \
-	   "${root_fs_dir}/boot/coreos/vmlinuz-b"
-      sudo mv "${root_fs_dir}/boot/coreos/vmlinuz-b.signed" \
-	   "${root_fs_dir}/boot/coreos/vmlinuz-b"
   fi
+
   rm -rf "${BUILD_DIR}"/configroot
   cleanup_mounts "${root_fs_dir}"
   trap - EXIT
@@ -324,8 +341,13 @@ finish_image() {
   if [[ "${install_grub}" -eq 1 ]]; then
     local target
     for target in i386-pc x86_64-efi x86_64-xen; do
-      ${BUILD_LIBRARY_DIR}/grub_install.sh \
-          --target="${target}" --disk_image="${disk_img}"
+      if [[ "${PROD_IMAGE}" -eq 1 && ${FLAGS_enable_verity} -eq ${FLAGS_TRUE} ]]; then
+        ${BUILD_LIBRARY_DIR}/grub_install.sh \
+            --target="${target}" --disk_image="${disk_img}" --verity
+      else
+        ${BUILD_LIBRARY_DIR}/grub_install.sh \
+            --target="${target}" --disk_image="${disk_img}" --noverity
+      fi
     done
   fi
 }
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index f4cb1878f6..c7d68a26c3 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -76,21 +76,8 @@ create_prod_image() {
 L+  /etc/ld.so.conf     -   -   -   -   ../usr/lib/ld.so.conf
 EOF
 
-  # Only try to disable rw on /usr if there is a /usr partition 
-  local disable_read_write=${FLAGS_enable_rootfs_verification}
-  if ! mountpoint -q "${root_fs_dir}/usr"; then
-    disable_read_write=${FLAGS_FALSE}
-  fi
-
   finish_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${image_contents}"
 
-  # Make the filesystem un-mountable as read-write and setup verity.
-  if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
-    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" verity \
-      --root_hash="${BUILD_DIR}/${image_name%.bin}_verity.txt" \
-      "${BUILD_DIR}/${image_name}"
-  fi
-
   upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \
       "${BUILD_DIR}/${image_contents}" \
       "${BUILD_DIR}/${image_packages}" \