[systemd-devel] repart: How to use CopyBocks= with usr-verity?

[Daan De Meyer]

Hi Nils,

Pretty sure nobody ever tried this. The root hash might be changing
because we format the verity hash partition with different parameters
than it was originally formatted with in your case. I assume the
roothash will only stay the same if the verity format arguments are
exactly the same. We'd probably accept PRs to allow configuring more
verity arguments to support this use case.

Cheers,

Daan

On Fri, 29 Mar 2024 at 19:55, Nils Kattenbeck <nilskemail at gmail.com> wrote:
>
> Hello everyone,
>
> I am having trouble with getting CopyBlocks= to work with a verify enabled usr partition. The documentations says that it should automatically work automatically but it does not describe which properties have to be set for which partition, i.e. repart.d file.
> So far I have tried several variations of Verity=/VerityMatchKey=, settings it only on one partition, both etc., setting CopyBlocks= on only usr or usr and usr-verity. Setting CopyBlocks= on both does not work and systemd-repart fails with the message that it was unable to find the correct partition for usr-verity. The other approach was setting CopyBlocks= only on the usr partition but regardless of what I try with Verity= the root hash changes (and thus also the partition UUIDs). Or more specifically the usr partition retains the correct/original PARTUUID whereas the PARTUUID of the usr-verity partition changes.
>
> Maybe someone has an idea what might cause this or better yet already has a similar working solution which they could share.
>
> Kind regards,
> Nils
>