dm-verity and x86-64 and systemd -------------------------------- In this example, we'll target combining qemux86-64 with dm-verity and also systemd - systemd has dm-verity bindings and is more likely to be used on x86. While dm-verity in a qemu environment doesn't make practial sense as a deployment - it can be a useful stepping stone for testing and getting to a final physical deployment. Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet. It should be the default if unspecified, but check to be sure. As of this writing (kernel v6.1) the resulting qemux86-64 build can also be booted successfully on physical hardware, but if you don't intend to use qemu, you might instead want to choose "genericx86-64" This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it contains a dependency on the meta-intel layer for microcode, so you'll need to fetch and add that layer in addition to the meta-security related layers. In addition to the basic dm-verity settings, choose systemd in local.conf: DISTRO_FEATURES:append = " security systemd" VIRTUAL-RUNTIME_init_manager = "systemd" EFI_PROVIDER = "systemd-boot" PACKAGECONFIG:append:pn-systemd = " cryptsetup" Note the last line - you won't typically see that in on-line instructions for enabling systemd. It is important for dm-verity, since it triggers the build and installation of components like this onto the rootfs: /lib/systemd/system-generators/systemd-veritysetup-generator /lib/systemd/systemd-veritysetup Now build the components for the wic image: bitbake intel-microcode bitbake core-image-minimal Assemble the image: ------------------------------ build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal INFO: Building wic-tools... [...] INFO: Creating image(s)... INFO: The new image(s) can be found here: ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct The following build artifacts were used to create the image(s): BOOTIMG_DIR: /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share KERNEL_DIR: /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64 NATIVE_SYSROOT: /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native INFO: The image(s) were created using OE kickstart file: /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in build-qemu-x86_64$ ------------------------------ The "runqemu" script defaults were acceptable for testing with only the verity image needing to be specified, i.e. runqemu \ nographic \ qemux86-64 \ tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity You will see the above "direct" image file and also similarly named individual partition images. To boot on UEFI enabled physical hardware, you need to simply write the "direct" image file to a USB stick with dd and the partition images can largely be ignored. Further information on interacting with the systemd UEFI loader is here: https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/