Add support for reinitializing verity. (#231)

Add support for reading the existing verity settings from the base image
and then reapplying them after OS customization.

Author: cwize1

docs/imagecustomizer/api/cli.md

@@ -31,6 +31,21 @@ But it can also be an Azure Linux image that has been customized.
 
 Supported image file formats: vhd, vhdx, qcow2, and raw.
 
+If verity is enabled in the base image, then:
+
+- If the partitions are recustomized using the
+  [disks](../api/configuration/storage.md#disks-disk) API, then the existing verity
+  settings are thrown away.
+  New verity settings can be configured with the
+  [verity](../api/configuration/verity.md) API.
+
+- Otherwise, the existing verity settings are reapplied to the image after OS
+  customization.
+
+  This feature is in preview and may be subject to breaking changes.
+  You may enable this feature by adding `reinitialize-verity` to the
+  [previewfeatures](./configuration/config.md#previewfeatures-string) API.
+
 Added in v0.3.
 
 ## --output-image-file=FILE-PATH

docs/imagecustomizer/api/configuration/config.md

@@ -99,6 +99,12 @@ Supported options:
 
   Added in v0.14.
 
+- `reinitialize-verity`: Enables support for customizing an image that has verity
+  enabled (without needing to recustomize the partitions). The verity settings are read
+  from the image and reapplied after OS customization.
+
+  Added in v0.15.
+
 ## output [[output](./output.md)]
 
 Specifies the configuration for the output image and artifacts.

docs/imagecustomizer/api/configuration/inputImage.md

@@ -26,4 +26,19 @@ But it can also be an Azure Linux image that has been customized.
 
 Supported image file formats: vhd, vhdx, qcow2, and raw.
 
+If verity is enabled in the base image, then:
+
+- If the partitions are recustomized using the
+  [disks](storage.md#disks-disk) API, then the existing verity
+  settings are thrown away.
+  New verity settings can be configured with the
+  [verity](verity.md) API.
+
+- Otherwise, the existing verity settings are reapplied to the image after OS
+  customization.
+
+  This feature is in preview and may be subject to breaking changes.
+  You may enable this feature by adding `reinitialize-verity` to the
+  [previewfeatures](config.md#previewfeatures-string) API.
+
 Added in v0.13.0.

toolkit/tools/imagecustomizerapi/previewfeaturetype.go

@@ -16,6 +16,9 @@ const (
 
 	// PreviewFeatureInjectFiles enables files injection into target partitions.
 	PreviewFeatureInjectFiles PreviewFeature = "inject-files"
+
+	// PreviewFeatureReinitializeVerity will reinitialize verity on verity partitions in the base image.
+	PreviewFeatureReinitializeVerity = "reinitialize-verity"
 )
 
 func (pf PreviewFeature) IsValid() error {

toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go

@@ -16,7 +16,7 @@ import (
 func customizePartitionsUsingFileCopy(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
 	buildImageFile string, newBuildImageFile string,
 ) (map[string]string, error) {
-	existingImageConnection, _, err := connectToExistingImage(buildImageFile, buildDir, "imageroot", false)
+	existingImageConnection, _, _, err := connectToExistingImage(buildImageFile, buildDir, "imageroot", false)
 	if err != nil {
 		return nil, err
 	}

toolkit/tools/pkg/imagecustomizerlib/customizepartitionsuuids.go

@@ -124,6 +124,11 @@ func resetFileSystemUuid(partition diskutils.PartitionInfo) (string, error) {
 		newUuid = strings.ToUpper(newUuid)
 		newUuid = newUuid[:4] + "-" + newUuid[4:]
 
+	case "DM_verity_hash":
+		// Resetting partition IDs on a disk with verity would require updating the kernel command-line args.
+		// This is probably doable, just not implemented yet.
+		return "", fmt.Errorf("resetting partition IDs on a verity-enabled image is not implemented")
+
 	default:
 		return "", fmt.Errorf("unsupported filesystem type (%s)", partition.FileSystemType)
 	}
@@ -174,7 +179,7 @@ func fixPartitionUuidsInFstabFile(partitions []diskutils.PartitionInfo, newUuids
 		// Find the partition.
 		// Note: The 'partitions' list was collected before all the changes were made. So, the fstab entries will still
 		// match the values in the `partitions` list.
-		mountIdType, _, partitionIndex, err := findSourcePartition(fstabEntry.Source, partitions, buildDir)
+		mountIdType, _, partitionIndex, _, err := findSourcePartition(fstabEntry.Source, partitions, buildDir)
 		if err != nil {
 			return err
 		}

toolkit/tools/pkg/imagecustomizerlib/customizeverity.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"slices"
+	"strings"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
 	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
@@ -297,6 +298,32 @@ func SystemdFormatCorruptionOption(corruptionOption imagecustomizerapi.Corruptio
 	}
 }
 
+func parseSystemdVerityOptions(options string) (imagecustomizerapi.CorruptionOption, error) {
+	corruptionOption := imagecustomizerapi.CorruptionOptionIoError
+
+	optionValues := strings.Split(options, ",")
+	for _, option := range optionValues {
+		switch option {
+		case "":
+			// Ignore empty string.
+
+		case "ignore-corruption":
+			corruptionOption = imagecustomizerapi.CorruptionOptionIgnore
+
+		case "panic-on-corruption":
+			corruptionOption = imagecustomizerapi.CorruptionOptionPanic
+
+		case "restart-on-corruption":
+			corruptionOption = imagecustomizerapi.CorruptionOptionRestart
+
+		default:
+			return "", fmt.Errorf("unknown verity option (%s)", option)
+		}
+	}
+
+	return corruptionOption, nil
+}
+
 func validateVerityDependencies(imageChroot *safechroot.Chroot) error {
 	requiredRpms := []string{"lvm2"}
 

toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go

@@ -47,7 +47,7 @@ func testCustomizeImageVerityHelper(t *testing.T, testName string, imageType bas
 		return
 	}
 
-	verityRootVerity(t, imageType, imageVersion, buildDir, outImageFilePath)
+	verifyRootVerity(t, imageType, imageVersion, buildDir, outImageFilePath)
 
 	// Recustomize the image.
 	err = CustomizeImageWithConfigFile(buildDir, configFile, outImageFilePath, nil, outImageFilePath, "raw",
@@ -56,10 +56,10 @@ func testCustomizeImageVerityHelper(t *testing.T, testName string, imageType bas
 		return
 	}
 
-	verityRootVerity(t, imageType, imageVersion, buildDir, outImageFilePath)
+	verifyRootVerity(t, imageType, imageVersion, buildDir, outImageFilePath)
 }
 
-func verityRootVerity(t *testing.T, imageType baseImageType, imageVersion baseImageVersion, buildDir string,
+func verifyRootVerity(t *testing.T, imageType baseImageType, imageVersion baseImageVersion, buildDir string,
 	outImageFilePath string,
 ) {
 	// Connect to customized image.
@@ -449,3 +449,83 @@ func testCustomizeImageVerityUsr2StageHelper(t *testing.T, testName string, imag
 
 	verityUsrVerity(t, imageType, imageVersion, buildDir, stage2FilePath, "panic-on-corruption")
 }
+
+func TestCustomizeImageVerityReinitRoot(t *testing.T) {
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageVerityReinitRootHelper(t, "TestCustomizeImageVerityReinitRoot"+string(version),
+				baseImageTypeCoreEfi, version)
+		})
+	}
+}
+
+func testCustomizeImageVerityReinitRootHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
+
+	testTempDir := filepath.Join(tmpDir, testName)
+	buildDir := filepath.Join(testTempDir, "build")
+	stage1ConfigFile := filepath.Join(testDir, "verity-config.yaml")
+	stage2ConfigFile := filepath.Join(testDir, "verity-reinit.yaml")
+	stage1FilePath := filepath.Join(testTempDir, "image.raw")
+	stage2FilePath := filepath.Join(testTempDir, "image.raw")
+
+	// Stage 1: Initialize verity.
+	err := CustomizeImageWithConfigFile(buildDir, stage1ConfigFile, baseImage, nil, stage1FilePath, "raw",
+		"" /*outputPXEArtifactsDir*/, true /*useBaseImageRpmRepos*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	verifyRootVerity(t, imageType, imageVersion, buildDir, stage2FilePath)
+
+	// Stage 2: Reinitialize verity.
+	err = CustomizeImageWithConfigFile(buildDir, stage2ConfigFile, stage1FilePath, nil, stage2FilePath, "raw",
+		"" /*outputPXEArtifactsDir*/, true /*useBaseImageRpmRepos*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	verifyRootVerity(t, imageType, imageVersion, buildDir, stage2FilePath)
+}
+
+func TestCustomizeImageVerityReinitUsr(t *testing.T) {
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageVerityReinitUsrHelper(t, "TestCustomizeImageVerityReinitUsr"+string(version),
+				baseImageTypeCoreEfi, version)
+		})
+	}
+}
+
+func testCustomizeImageVerityReinitUsrHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
+
+	testTempDir := filepath.Join(tmpDir, testName)
+	buildDir := filepath.Join(testTempDir, "build")
+	stage1ConfigFile := filepath.Join(testDir, "verity-usr-config.yaml")
+	stage2ConfigFile := filepath.Join(testDir, "verity-reinit.yaml")
+	stage1FilePath := filepath.Join(testTempDir, "image.raw")
+	stage2FilePath := filepath.Join(testTempDir, "image.raw")
+
+	// Stage 1: Initialize verity.
+	err := CustomizeImageWithConfigFile(buildDir, stage1ConfigFile, baseImage, nil, stage1FilePath, "raw",
+		"" /*outputPXEArtifactsDir*/, true /*useBaseImageRpmRepos*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	verityUsrVerity(t, imageType, imageVersion, buildDir, stage1FilePath, "")
+
+	// Stage 2: Reinitialize verity.
+	err = CustomizeImageWithConfigFile(buildDir, stage2ConfigFile, stage1FilePath, nil, stage2FilePath, "raw",
+		"" /*outputPXEArtifactsDir*/, true /*useBaseImageRpmRepos*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	verityUsrVerity(t, imageType, imageVersion, buildDir, stage2FilePath, "")
+}