Hi,
I want to use a squashfs as root-filesystem with secure-boot.
My plan is to use sbupdate to sign the kernel, initramfs and cmdline. The hash of the squashfs root filesystem will be provided via the cmdline and verified during boot by an initcpio hook (this hook already exists, cmdline is manual).
On normal boot I want to use an ext4 partition as overlayfs, which includes the changes done during the last boots, but on fallback-initramfs the overlay should only be a clean tmpfs.
I don't think it is possible to achieve this with fstab, but I think the AUR package mkinitcpio-overlayfs can do it (not tested yet).
So the remaining problem is to create a new squashfs with the old changes after updates. (Which is not really a big problem).
My question: this seems to be a bit hacky. Are there cleaner solutions to these tasks?
Last edited by Rommy (2022-07-09 17:41:30)
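Added example, not part of the original post and not the code of the existing hook or of verify-squash-root: a fail-closed check of the squashfs image against a hash carried on the kernel command line, which is trustworthy only because the cmdline is covered by the Secure Boot signature as the plan above describes. The parameter name `squash_root_hash`, the function names and the use of SHA-256 are assumptions.

```shell
#!/bin/sh
# Added example. "squash_root_hash" is a hypothetical parameter name.

# Print the value of NAME=value found in a command-line string.
# Runs in a subshell so "set -f" and "exit" do not affect the caller.
cmdline_param() (
    set -f                          # no glob expansion while word-splitting
    for word in $2; do
        case $word in
            "$1"=*) printf '%s\n' "${word#*=}"; exit 0 ;;
        esac
    done
    exit 1                          # parameter not present
)

# verify_root_image IMAGE CMDLINE
# Returns 0 only when IMAGE's SHA-256 equals the hash in CMDLINE.
#   1 = hash mismatch
#   2 = hash missing or malformed, or image unreadable
# Every non-zero result must stop the boot before the image is mounted.
verify_root_image() {
    image=$1
    expected=$(cmdline_param squash_root_hash "$2") || return 2

    # Accept exactly 64 lowercase hex digits; reject anything else.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256sum "$image" 2>/dev/null) || return 2
    actual=${actual%% *}            # keep only the digest column

    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Inside an initramfs hook the call would look like:
#   verify_root_image "$image" "$(cat /proc/cmdline)" || <refuse to mount>
```

The check reads the whole image once before mounting, so it covers the image as it was at that moment and nothing written to the underlying device afterwards.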
If someone is interested, I ended up using: https://github.com/brandsimon/verify-squash-root
I even have working A/B updates now
Last edited by Rommy (2022-07-09 17:41:55)