Hello,
I would like to ask whether dm-verity is still helpful to have for verified boot. There is a guide on how to do it on Alpine Linux, but it can also be used for Debian, because dracut is available on multiple distros.
Also, is it already implemented in Whonix? I see it being discussed, but it was thought of years ago, and I also see it on the Kicksecure verified boot page.
For dm-verity at boot you need to use dracut, because dracut is one of the few initramfs generators that lets you import your own modules and files (here: the veritysetup binary and the root hash) into its initramfs.
Also remember to mount your ROOT_PARTITION read-only: dm-verity checks every block against the hash tree, so any write to the root filesystem (even a journal replay or a superblock update from a read-write mount) will make dm-verity report it as "corrupt".
[ This guide was done with FULL disk encryption, so it might not work perfectly on a non-encrypted disk setup. It was also done on UEFI using the gummiboot (now called systemd-boot) EFI stub and generating a UKI ]
Install basic stuff:
apk add dracut dracut-core cryptsetup gummiboot gummiboot-efistub
Create a new partition for your DM-verity:
TODO: add command for new verity partition with fdisk (should require 8-10% the size of Root partition)
Edit "/usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh" and add these lines right BEFORE "exit 0" (fill in your ROOT_PARTITION, VERITY_PARTITION and keyfile paths):
### DM-Verity
# mount the decrypted root read-only, only long enough to read the keyfile
mount -o ro /dev/mapper/[ROOT_PARTITION] /var/tmp
cryptsetup open --key-file /var/tmp/[Keyfile_dir] /dev/[VERITY_PARTITION] [verity dm name]
umount /var/tmp
# veritysetup open takes: <data device> <dm name> <hash device> <root hash>
# the hash device must be the same device that "veritysetup format" wrote to
# (the opened /dev/mapper/[verity dm name] if the verity partition is encrypted)
veritysetup open /dev/[ROOT_PARTITION] verity-root /dev/mapper/[verity dm name] "$(cat /usr/lib/dracut/roothash.txt)"
###
To set up dm-verity (borrowed from the Arch Linux wiki; this writes the hash tree to VERITY_PARTITION and stores the root hash so it gets built into the UKI; use ">" rather than ">>" so a second run does not leave two hashes in the file):
veritysetup format /dev/[ROOT_PARTITION] /dev/[VERITY_PARTITION] | grep Root | cut -f2 > /usr/lib/dracut/roothash.txt
/etc/dracut.conf (put whatever your boot parameters are in "kernel_cmdline"; the option that pulls in dracut modules is add_dracutmodules, not add_dracutdrivers):
kernel_cmdline=""
add_dracutmodules+=" busybox crypt crypt-gpg dm rootfs-block kernel-modules kernel-modules-extra "
/etc/dracut.conf.d/secureboot.conf (do this if you have your own secureboot keys, or want to use secureboot):
uefi_secureboot_cert="/[secureboot-keys-directory]/db.crt"
uefi_secureboot_key="/[secureboot-keys-directory]/db.key"
/etc/dracut.conf.d/files.conf (this is what imports the veritysetup binary into the dracut initramfs):
install_items+=" /sbin/veritysetup "
Finally, generate the UKI using dracut (replace 6.X.X-X-lts with your kernel version, and replace /boot/efi/EFI/Linux/alpine-linux.efi with the path under your mounted EFI partition; the output image is given once, as the last argument):
export DRACUT_KMODDIR_OVERRIDE=1
dracut --include /usr/lib/dracut/roothash.txt /usr/lib/dracut/roothash.txt --host-only --kernel-image /boot/vmlinuz-lts --kmoddir /lib/modules/6.X.X-X-lts --kver 6.X.X-X-lts --uefi --uefi-stub /usr/lib/gummiboot/linuxx64.efi.stub --force --compress lz4 /boot/efi/EFI/Linux/alpine-linux.efi
# list the current boot entries, then add one for the UKI
efibootmgr
efibootmgr --create --disk /dev/[efi_partition] --part 1 --label alpine-linux --loader EFI/Linux/alpine-linux.efi
Unfortunately, using the default Alpine Linux kernel didn't work, so download another distribution's root filesystem (like Debian's or Devuan's) and replace 6.X.X-X-lts and vmlinuz-lts with the other distribution's kernel modules and kernel image.
If you want to test that dm-verity fully works, change the ROOT_PARTITION's files: it should report the device as "corrupt" and not continue the boot process.
Also, this should work for other Linux distributions, since dracut is available on multiple distros.
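As an added example (not part of the original post), here is a small POSIX shell helper covering the two fragile steps above: extracting the root hash from the "veritysetup format" output so that it lands in roothash.txt as exactly one 64-character hex string, and assembling the "veritysetup open" command in the argument order the tool expects (data device, dm name, hash device, root hash). The "veritysetup format" output below is a constructed sample with made-up UUID, salt and hash values, and the device paths /dev/mapper/root, /dev/mapper/verity and the dm name verity-root are assumed placeholders.

```shell
#!/bin/sh
# Added example; not from the original post. Constructed sample of what
# `veritysetup format` prints (UUID, salt and root hash are made up).
SAMPLE_FORMAT_OUTPUT='VERITY header information for /dev/mapper/root
UUID:            	00000000-1111-2222-3333-444444444444
Hash type:       	1
Data blocks:     	262144
Data block size: 	4096
Hash block size: 	4096
Hash algorithm:  	sha256
Salt:            	0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Root hash:      	5f2b1a0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a'

# Print only the root hash from `veritysetup format` output read on stdin.
# The post's "grep Root | cut -f2" depends on a tab between label and value;
# matching the label and taking the last field works with tabs or spaces.
extract_root_hash() {
    awk '/^Root hash:/ { print $NF }'
}

# Return 0 if the argument is a plausible sha256 root hash (64 lowercase hex chars).
# Catches an empty roothash.txt or one that accumulated two hashes from ">>".
is_valid_root_hash() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Print the `veritysetup open` command line in the order the tool expects:
#   veritysetup open <data device> <dm name> <hash device> <root hash>
# Refuses to build the command if the hash does not look right, so a broken
# roothash.txt fails loudly at build time instead of at boot.
verity_open_cmd() {
    data_dev=$1; dm_name=$2; hash_dev=$3; root_hash=$4
    is_valid_root_hash "$root_hash" || { echo "invalid root hash: '$root_hash'" >&2; return 1; }
    printf 'veritysetup open %s %s %s %s\n' "$data_dev" "$dm_name" "$hash_dev" "$root_hash"
}

# Simulates the guide's flow with the constructed sample. On a real machine:
#   veritysetup format /dev/mapper/root /dev/mapper/verity | extract_root_hash > /usr/lib/dracut/roothash.txt
#   verity_open_cmd /dev/mapper/root verity-root /dev/mapper/verity "$(cat /usr/lib/dracut/roothash.txt)"
demo() {
    h=$(printf '%s\n' "$SAMPLE_FORMAT_OUTPUT" | extract_root_hash)
    verity_open_cmd /dev/mapper/root verity-root /dev/mapper/verity "$h"
}
```

Running "demo" prints a single "veritysetup open" line with the sample hash; feeding it a file that holds two hashes (the ">>" mistake) or an empty file makes verity_open_cmd return 1 instead of producing a command that would fail in the initramfs.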