
#1 2022-04-27 23:32:05

Registered: 2014-10-17
Posts: 42

Using verified squashfs as read-only root with overlayfs


I want to use a squashfs as root-filesystem with secure-boot.
My plan is to use sbupdate to sign the kernel, initramfs and cmdline. The hash of the squashfs root filesystem will be provided via the cmdline and verified during boot by an initcpio hook (this hook already exists, cmdline is manual).
On normal boot I want to use an ext4 partition as overlayfs, which includes the changes done during the last boots, but on fallback-initramfs the overlay should only be a clean tmpfs.
I don't think it is possible to achieve this with fstab, but I think the AUR package mkinitcpio-overlayfs can do it (not tested yet).
So the remaining problem is to create a new squashfs with the old changes after updates. (Which is not really a big problem).

My question: this seems to be a bit hacky. Are there cleaner solutions to these tasks?
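
The boot-time check described in the post above, sketched as an added example; it is not part of the original post and not the code of the existing initcpio hook. The parameter name `squashfs_sha256=` and both function names are hypothetical, and the script assumes a POSIX shell with `sha256sum` available in the initramfs.

```shell
#!/bin/sh
# Added example. The parameter name "squashfs_sha256" and the function
# names are hypothetical, not taken from any existing hook.

# Print the value of KEY from a kernel command line string.
# Returns 1 if KEY is missing or given more than once (ambiguous pin).
cmdline_get() {
    key=$1
    found=""
    count=0
    set -f                      # do not glob-expand words such as "foo=*"
    for word in $2; do
        case $word in
            "$key"=*) found=${word#"$key"=}; count=$((count + 1)) ;;
        esac
    done
    set +f
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Return 0 only if IMAGE hashes to the digest pinned on the signed cmdline.
# Every other outcome (no pin, malformed pin, unreadable image, mismatch)
# returns non-zero so the caller can refuse to mount the root filesystem.
verify_squashfs() {
    image=$1
    expected=$(cmdline_get squashfs_sha256 "$2") || return 1
    case $expected in
        *[!0-9a-f]*) return 1 ;;            # only lowercase hex allowed
    esac
    [ "${#expected}" -eq 64 ] || return 1   # SHA-256 is 64 hex characters
    [ -f "$image" ] || return 1
    actual=$(sha256sum "$image") || return 1
    actual=${actual%% *}                    # strip the file name column
    [ "$actual" = "$expected" ]
}

# Typical call from a hook (the image path here is a placeholder):
#   verify_squashfs /path/to/root.sfs "$(cat /proc/cmdline)" || exit 1
```

Because the cmdline is inside the signed boot image, the pinned digest inherits the Secure Boot signature, and the image is only trusted after it matches that digest.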

