DM-Verity and Read-Only File System Support

The NVIDIA DRIVE® OS Linux Yocto cold-boot Initramfs (tegra-initramfs-boot) provides special support for DM-Verity when you want to flash and boot a Rootfs image whose integrity is verified at boot and preserved across system use. In the DM-Verity workflow, the file system image content is validated against the DM-Verity root hash and mounted read-only. The DM-Verity workflow does not allow the Rootfs to be mounted read/write, because any modification of the Rootfs partition changes its contents and breaks verification. The Initramfs therefore redirects Rootfs write operations to a scratch partition so that normal operations (such as logging) keep working. Both DM-Verity and the handling of Rootfs write operations are detailed below.

Mounting Rootfs with DM-Verity Enabled

  1. Without DM-Verity, the Rootfs ext4 image is flashed to the gos0-fs partition, which is mounted read/write unless the PCT configuration explicitly sets it read-only.
  2. With DM-Verity, the Rootfs ext4 image is processed by NVIDIA DRIVE OS Bootburn to produce a Rootfs image consisting of the ext4 image content with the verity metadata (header and hash tree) appended. This content is flashed to the gos0-fs partition.
  3. The Initramfs checks the kernel command line for the string verity=1. If the string is absent, or verity=0 is present, DM-Verity is disabled.
  4. If verity=1 is present, DM-Verity is enabled and the Initramfs reads the string starting at verityinfo and parses it to obtain the root hash, the root-hash offset, and the raw device containing the verity-enabled Rootfs image (by default, /dev/vblkdev0p1).
  5. The Initramfs runs the veritysetup command with these inputs (root hash, root-hash offset, and the raw device holding the verity-enabled Rootfs image, for example /dev/vblkdev0p1) to create the virtual, mountable device /dev/mapper/vroot. Every block read through /dev/mapper/vroot is checked against the hash tree, so a modified Rootfs block produces an I/O error instead of being returned.
  6. The Initramfs mounts /dev/mapper/vroot read-only and then prepares the scratch partition for Rootfs writes.

Note that the root hash is only as trustworthy as the kernel command line that carries it. The verification chain holds only if the command line (and the kernel and Initramfs that act on it) are themselves covered by the signed boot chain; otherwise, whoever can change the command line can also supply a hash that matches a modified image, or simply drop verity=1.

Using Scratch Partition for Rootfs Writes (Like Logging) When Rootfs Is Mounted Read-Only

The Rootfs can be mounted read-only regardless of the state of DM-Verity. If DM-Verity is enabled, the Rootfs must always be mounted read-only. In this case, the Initramfs takes the following steps to use the scratch partition to enable Rootfs writes. Keep in mind that the scratch partition is not covered by DM-Verity: files written into the overlay shadow the verified copies in /etc, /var, and /home and persist across reboots, so the integrity guarantee applies to the Rootfs image itself, not to the effective contents of those directories after the overlays are in place.

  1. The NVIDIA DRIVE OS PCT defines a writable 1 GB partition, gos-rw-overlay (by default, /dev/vblkdev4), and the read-only Rootfs contains the directory /rw_overlay.
  2. The device /dev/vblkdev4 is mounted on /rw_overlay, which provides the mount points for the further mounts: /rw_overlay/var, /rw_overlay/tmp, /rw_overlay/home, and /rw_overlay/etc/.
  3. Finally, to route Rootfs writes under /tmp, /etc/, /home, and /var to /rw_overlay, the Initramfs mounts as follows:
    1. Mount overlayfs from /rw_overlay/var to /var.
    2. Mount overlayfs from /rw_overlay/etc/ to /etc/.
    3. Mount overlayfs from /rw_overlay/home to /home.
      1. Overlayfs mounts 1 through 3 let the Rootfs see the existing files in the respective directory while routing write operations to /rw_overlay/*.
    4. Bind-mount the directory /rw_overlay/tmp on /tmp.
      1. In this case, /tmp in the Rootfs starts empty, and all reads and writes to /tmp go to /rw_overlay/tmp.
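The following script is an added example, not the tegra-initramfs-boot source, sketching the two procedures above in one place: parsing verity=1 and verityinfo from the kernel command line, opening the verity device with veritysetup, and then setting up the overlay and bind mounts on the scratch partition. It assumes a verityinfo field layout of verityinfo=<root-hash>:<hash-offset-bytes>[:<device>] (the real DRIVE OS layout is not given on this page), that the Initramfs mounts the Rootfs at /sysroot before switch_root, and that each overlay keeps its upper and work directories under /rw_overlay/<dir>/upper and /rw_overlay/<dir>/work. The veritysetup invocation uses the tool's documented open syntax with --hash-offset, since the hash tree is appended to the same device as the data.

```shell
#!/bin/sh
# Added example of the cold-boot initramfs logic described above.
# Assumptions (not from the page): verityinfo=<hash>:<offset>[:<device>],
# rootfs mounted at /sysroot, overlay upper/work dirs under /rw_overlay/<dir>/.
set -eu

ROOT_DEV=/dev/vblkdev0p1          # gos0-fs (page default)
SCRATCH_DEV=/dev/vblkdev4         # gos-rw-overlay (page default)
ROOT_MNT=/sysroot                 # assumed pre-switch_root mount point
SCRATCH_MNT=$ROOT_MNT/rw_overlay  # /rw_overlay inside the read-only rootfs
VROOT=/dev/mapper/vroot

# verity_enabled CMDLINE: succeed only if "verity=1" is a whole token.
verity_enabled() {
    for tok in $1; do
        [ "$tok" = "verity=1" ] && return 0
    done
    return 1
}

# parse_verityinfo CMDLINE: print "<hash> <offset> <device>", or fail.
# Device defaults to $ROOT_DEV when the third field is omitted.
parse_verityinfo() {
    for tok in $1; do
        case $tok in
            verityinfo=*)
                info=${tok#verityinfo=}
                hash=${info%%:*}
                rest=${info#*:}
                [ "$rest" != "$info" ] || return 1      # offset is mandatory
                offset=${rest%%:*}
                dev=${rest#*:}
                [ "$dev" != "$rest" ] || dev=""
                [ -n "$dev" ] || dev=$ROOT_DEV
                # Reject garbage early: hash must be hex, offset a byte count.
                case $hash in ''|*[!0-9a-fA-F]*) return 1;; esac
                case $offset in ''|*[!0-9]*) return 1;; esac
                printf '%s %s %s\n' "$hash" "$offset" "$dev"
                return 0;;
        esac
    done
    return 1
}

# overlay_opts DIR: mount options routing writes for $ROOT_MNT/DIR to scratch.
overlay_opts() {
    printf 'lowerdir=%s/%s,upperdir=%s/%s/upper,workdir=%s/%s/work\n' \
        "$ROOT_MNT" "$1" "$SCRATCH_MNT" "$1" "$SCRATCH_MNT" "$1"
}

setup_verity_root() {
    cmdline=$(cat /proc/cmdline)
    if verity_enabled "$cmdline"; then
        # Fail closed: verity=1 with a bad verityinfo must not silently fall
        # back to an unverified mount.
        info=$(parse_verityinfo "$cmdline") || {
            echo "verity=1 set but verityinfo is missing or malformed" >&2
            return 1
        }
        set -- $info
        # Data and hash tree share one device; --hash-offset points at the
        # appended verity superblock.
        veritysetup open "$3" vroot "$3" "$1" --hash-offset "$2"
        mount -o ro "$VROOT" "$ROOT_MNT"
    else
        mount "$ROOT_DEV" "$ROOT_MNT"      # read/write or read-only per PCT
    fi
}

setup_scratch() {
    mount "$SCRATCH_DEV" "$SCRATCH_MNT"
    for d in var etc home; do
        mkdir -p "$SCRATCH_MNT/$d/upper" "$SCRATCH_MNT/$d/work"
        mount -t overlay overlay -o "$(overlay_opts "$d")" "$ROOT_MNT/$d"
    done
    mkdir -p "$SCRATCH_MNT/tmp"
    mount --bind "$SCRATCH_MNT/tmp" "$ROOT_MNT/tmp"   # /tmp starts empty
}

# Only perform the real mounts when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    setup_verity_root
    setup_scratch
fi
```

The parsing functions are pure shell and can be exercised without any block devices, which is how the fail-closed behaviour (verity=1 present but verityinfo absent or malformed) should be checked before the script ever runs on a target.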