Re: Kernel 4.14: Using dm-verity with squashfs rootfs - mounting issue

From: Pintu Agarwal
Date: Mon Aug 30 2021 - 12:25:38 EST


On Wed, 21 Jul 2021 at 22:59, Pintu Agarwal <pintu.ping@xxxxxxxxx> wrote:
>
> On Wed, 21 Jul 2021 at 22:40, Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:
>
> > > >
> > > > Try to set up dm-verity with block size 512 bytes.
> > > >
> > > > I don't know what block size squashfs uses, but if the filesystem
> > > > block size is smaller than dm-verity block size, it doesn't work.
> > > >
> > > Okay thank you so much for this clue,
> > > It seems we are using 65536 as the squashfs block size:
> >
> > 65536 is the compression block size - it is unrelated to I/O block size.
> >
> > There's a config option SQUASHFS_4K_DEVBLK_SIZE. The documentation says
> > that it uses by default 1K block size and if you enable this option, it
> > uses 4K block size.
> >
> Okay it seems this config is set in our case:
> CONFIG_SQUASHFS_4K_DEVBLK_SIZE=y
> So, with this the squashfs and dm-verity block sizes match exactly (4K).
>
> > So, try to set it. Or try to reduce dm-verity block size down to 1K.
> >
Hi,

Sorry for coming back to this again.
Unfortunately, none of the options is working for us with squashfs
(bootloader, initramfs).
initramfs has different kinds of challenges because of the partition
size issue.
So, our preferred option is still the bootloader command line approach.

Is there a proven and working solution for dm-verity with squashfs?
If yes, please share some references.

The current problem with squashfs is that we could not append the
verity-metadata to squashfs, so we store it on a separate volume and
access it by specifying it like: /dev/mtdblock53

Then we get the error like this:
{
[ 4.950276] device-mapper: init: attempting early device configuration.
[ 4.957577] device-mapper: init: adding target '0 95384 verity 1
/dev/ubiblock0_0 /dev/mtdblock53 4096 4096 11923 8 sha256
16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3
aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7 10
restart_on_corruption ignore_zero_blocks use_fec_from_device
/dev/mtdblock53 fec_roots 2 fec_blocks 12026 fec_start 12026'
[ 4.975283] device-mapper: verity: sha256 using implementation
"sha256-generic"
[ 4.998728] device-mapper: init: dm-0 is ready

[ 5.614498] 1f35 1736 mtdblock53
[ 5.614502] (driver?)
[ 5.621098] fc00 61504 ubiblock0_0
[ 5.621102] (driver?)
[ 5.627661] fd00 47692 dm-0
[ 5.627665] (driver?)
[ 5.633663] No filesystem could mount root, tried:
[ 5.633667] squashfs
[ 5.636009]
[ 5.643215] Kernel panic - not syncing: VFS: Unable to mount root
fs on unknown-block(253,0)
}

Do you see any other problem here with the dm-verity cmdline or with squashfs?

Has squashfs ever been proven to work with dm-verity on a higher kernel version?
Currently our kernel version is 4.14.

Or, another option is to use the new concept from 5.1 kernel that is:
dm-mod.create = ?
But, currently I don't know how to use it with squashfs either.
Any reference example will be helpful.

Thanks,
Pintu
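
Added example, not part of the original message or of the kernel sources: a Python consistency check for the verity target line from the boot log above, using the field order given in the kernel's dm-verity table documentation. The function names and the fs_block_size parameter are assumptions of this example; the block-size rule it applies is the one Mikulas states earlier in the thread.

```python
SECTOR = 512
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}

# Target line from the boot log in the message above, e-mail wrapping undone.
TABLE = ("0 95384 verity 1 /dev/ubiblock0_0 /dev/mtdblock53 4096 4096 11923 8 sha256 "
         "16da5e4bbc706e5d90511d2a3dae373b5d878f9aebd522cd614a4faaace6baa3 "
         "aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7 10 "
         "restart_on_corruption ignore_zero_blocks use_fec_from_device "
         "/dev/mtdblock53 fec_roots 2 fec_blocks 12026 fec_start 12026")

def parse_verity_table(line):
    """Split '<start> <len> verity <version> <dev> <hash_dev> ...' into named fields."""
    f = line.split()
    if len(f) < 13 or f[2] != "verity":
        raise ValueError("not a verity target line")
    t = {"start": int(f[0]), "sectors": int(f[1]), "version": int(f[3]),
         "data_dev": f[4], "hash_dev": f[5],
         "data_block_size": int(f[6]), "hash_block_size": int(f[7]),
         "num_data_blocks": int(f[8]), "hash_start_block": int(f[9]),
         "algorithm": f[10], "digest": f[11], "salt": f[12], "opt": f[14:]}
    # <#opt_params> must equal the number of tokens that follow it.
    if len(f) > 13 and int(f[13]) != len(t["opt"]):
        raise ValueError(f"opt_params count {f[13]} but {len(t['opt'])} tokens given")
    return t

def check_verity_table(t, fs_block_size=None):
    """Return a list of inconsistencies; an empty list means none were found."""
    problems = []
    # The mapped length (512-byte sectors) must cover exactly the hashed data blocks.
    covered = t["num_data_blocks"] * t["data_block_size"] // SECTOR
    if t["sectors"] != covered:
        problems.append(f"length is {t['sectors']} sectors, data blocks cover {covered}")
    for key in ("data_block_size", "hash_block_size"):
        size = t[key]
        if size < SECTOR or size & (size - 1):
            problems.append(f"{key}={size} is not a power of two >= {SECTOR}")
    want = DIGEST_HEX_LEN.get(t["algorithm"])
    if want is not None and len(t["digest"]) != want:
        problems.append(f"root digest has {len(t['digest'])} hex chars, expected {want}")
    # Rule from the thread: filesystem I/O block size below the verity block size fails.
    if fs_block_size is not None and fs_block_size < t["data_block_size"]:
        problems.append(f"filesystem block size {fs_block_size} < verity "
                        f"data block size {t['data_block_size']}")
    return problems

if __name__ == "__main__":
    print(check_verity_table(parse_verity_table(TABLE), fs_block_size=4096) or "consistent")
```

An empty result only means the target line is self-consistent; it says nothing about whether the hash tree stored on the hash device matches the data device.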