microsoft · gmileka · Jan 8, 2025
@@ -20,6 +20,8 @@ const (
 
 	MountIdentifierTypeDeviceMapper MountIdentifierType = "device-mapper"
 
+	MountIdentifierTypeOverlay MountIdentifierType = "overlay"
+
 	// MountIdentifierTypeDefault uses the default type, which is PARTUUID.
 	MountIdentifierTypeDefault MountIdentifierType = ""
 )

@@ -115,6 +115,8 @@ func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash
 	partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo,
 	rootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string,
 ) error {
+	logger.Log.Debugf("---- debug ---- updateGrubConfigForVerity()")
+
 	var err error
 
 	newArgs, err := constructVerityKernelCmdlineArgs(rootfsVerity, rootHash, partIdToPartUuid, partitions,
@@ -123,6 +125,8 @@ func updateGrubConfigForVerity(rootfsVerity imagecustomizerapi.Verity, rootHash
 		return fmt.Errorf("failed to generate verity kernel arguments:\n%w", err)
 	}
 
+	logger.Log.Debugf("---- debug ---- updateGrubConfigForVerity() - newArgs=(%s)", newArgs)
+
 	grub2Config, err := file.Read(grubCfgFullPath)
 	if err != nil {
 		return fmt.Errorf("failed to read grub config:\n%w", err)
@@ -287,12 +291,16 @@ func updateUkiKernelArgsForVerity(rootfsVerity imagecustomizerapi.Verity, rootHa
 	partIdToPartUuid map[string]string, partitions []diskutils.PartitionInfo, buildDir string,
 	rootHashSignatureArgument string, requireRootHashSignatureArgument string, bootPartitionUuid string,
 ) error {
+	logger.Log.Debugf("---- debug ---- updateUkiKernelArgsForVerity()")
+
 	newArgs, err := constructVerityKernelCmdlineArgs(rootfsVerity, rootHash, partIdToPartUuid, partitions,
 		rootHashSignatureArgument, requireRootHashSignatureArgument, bootPartitionUuid)
 	if err != nil {
 		return fmt.Errorf("failed to generate verity kernel arguments:\n%w", err)
 	}
 
+	logger.Log.Debugf("---- debug ---- updateUkiKernelArgsForVerity() - newArgs=(%s)", newArgs)
+
 	// UKI is enabled, update ukify kernel cmdline args file instead of grub.cfg.
 	err = appendKernelArgsToUkiCmdlineFile(buildDir, newArgs)
 	if err != nil {
@@ -306,6 +314,7 @@ func generateSignedRootHashArtifacts(deviceId string, deviceRootHash string, out
 	requireSignedRootfsRootHash bool, requireSignedRootHashes bool,
 ) (rootHashSignatureArgument string, requireRootHashSignatureArgument string, err error) {
 
+	logger.Log.Debugf("---- debug ---- generateSignedRootHashArtifacts()")
 	if !outputVerityHashes {
 		return "", "", nil
 	}
@@ -325,9 +334,11 @@ func generateSignedRootHashArtifacts(deviceId string, deviceRootHash string, out
 
 	// ToDo: how do we handle multiple verity device?
 	if requireSignedRootfsRootHash {
+		logger.Log.Debugf("---- debug ---- generateSignedRootHashArtifacts() - adding systemd.verity_root_options=root-hash-signature")
 		rootHashSignatureArgument = "systemd.verity_root_options=root-hash-signature=" + rootHashSignedFileImagePath
 	}
 	if requireSignedRootHashes {
+		logger.Log.Debugf("---- debug ---- generateSignedRootHashArtifacts() - adding dm_verity.require_signatures=1")
 		requireRootHashSignatureArgument = "dm_verity.require_signatures=1"
 	}
 

@@ -921,6 +921,9 @@ func customizeVerityImageHelper(buildDir string, baseConfigPath string, config *
 		return err
 	}
 
+	logger.Log.Debugf("---- debug ---- rootHashSignatureArgument=(%s)", rootHashSignatureArgument)
+	logger.Log.Debugf("---- debug ---- requireRootHashSignatureArgument=(%s)", requireRootHashSignatureArgument)
+
 	if config.OS.Uki != nil {
 		// UKI is enabled, update kernel cmdline args file instead of grub.cfg.
 		err = updateUkiKernelArgsForVerity(rootfsVerity, rootHash, partIdToPartUuid, diskPartitions, buildDir,

@@ -245,7 +245,7 @@ func fstabEntriesToMountPoints(fstabEntries []diskutils.FstabEntry, diskPartitio
 			return nil, err
 		}
 
-		// ToDo: device mapper returns an empty string
+		// ToDo: device mapper and overlay return an empty string
 		if source == "" {
 			continue
 		}
@@ -312,7 +312,8 @@ func findSourcePartitionHelper(source string,
 	var partition diskutils.PartitionInfo
 	var partitionIndex int
 
-	if mountIdType != imagecustomizerapi.MountIdentifierTypeDeviceMapper {
+	if mountIdType != imagecustomizerapi.MountIdentifierTypeDeviceMapper &&
+		mountIdType != imagecustomizerapi.MountIdentifierTypeOverlay {
 		partition, partitionIndex, err = findPartition(mountIdType, mountId, partitions)
 		if err != nil {
 			return imagecustomizerapi.MountIdentifierTypeDefault, diskutils.PartitionInfo{}, 0, err
@@ -377,6 +378,10 @@ func parseSourcePartition(source string) (imagecustomizerapi.MountIdentifierType
 		return imagecustomizerapi.MountIdentifierTypeDeviceMapper, deviceMapperValue, nil
 	}
 
+	if source == "overlay" {
+		return imagecustomizerapi.MountIdentifierTypeOverlay, "", nil
+	}
+
 	err := fmt.Errorf("unknown fstab source type (%s)", source)
 	return imagecustomizerapi.MountIdentifierTypeDefault, "", err
 }