On Sa, 18.10.25 21:49, Demi Marie Obenour ([email protected]) wrote:

> This isn't systemd-specific, but I know that at least some systemd
> developers recommend using UEFI secure boot + dm-verity, which leads
> to this problem. I also don't know a better place to ask for help
> on this.
>
> How do OSs using dm-verity and UKIs find the user data partition?

In systemd there's systemd-gpt-auto-generator, which looks at the GPT
partition table of the disk you are booting from, and finds the root fs
and a few related auxiliary partitions. You can specify an "image
policy" to tell this logic what exactly to look for (i.e. /usr/ must
have Verity, and rootfs must have LUKS, or similar). You can also
specify an "image filter" that matches the GPT partition label strings,
so that you can allow parallel installation of multiple OSes.

This is all anchored on the drive the firmware first boots from:
systemd-boot searches for UKI on that drive, and then invokes the UKI
from that drive. The UKI stub code then passes a reference to the drive
to userspace via the StubDevicePartUUID EFI var.
systemd-gpt-auto-generator in the initrd then uses that to find the
rootfs + /usr.

systemd-gpt-auto-generator then runs again after the transition onto
the rootfs, where some additional mounts are searched for (i.e. /home/
+ /srv/ and so on). This time it will look on the disk the rootfs/usrfs
is located on.

Once userspace is reached the reference to the backing disk is
stabilized via the block device diskseq, hence should be somewhat safe
regarding hot swapping different disks. The transition between EFI mode
and Linux doesn't have a similar concept, hence it's not strictly
protected against hot swapping different disks, it's hence essential
that the entrypoint disks (i.e. rootfs + usrfs) are reasonably
protected by other means (i.e. verity root hash and TPM binding) so
that they cannot be swapped out.

> On some systems it is trivial, as the storage device it must be on
> is known ahead of time. However, desktops and servers can have many
> storage devices or even use RAID, making this very nontrivial.

I am a strong believer that RAID should be used for user data, but
*not* for the immutable OS itself. It's immutable after all, and
guaranteed the same regardless where it's read from, as long as the
root hash matches.

Lennart

--
Lennart Poettering, Berlin
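As an added illustration of the "image policy" mechanism Lennart refers to (this is not systemd's own code, it just models the policy string format), here is a small evaluator that checks which discovered partitions a policy would use, ignore or refuse. The colon-separated `designator=flag+flag` grammar, the designator names and the flag set are assumed from systemd.image-policy(7); the sample disks are constructed.

```python
# Added example, not systemd code: evaluate an image policy string of the
# kind systemd-gpt-auto-generator accepts against partitions found on a disk.
# Grammar assumed from systemd.image-policy(7):
#   "usr=verity:root=encrypted:=unused+absent"
# i.e. colon-separated "<designator>=<flag>+<flag>" rules; a rule with an
# empty designator gives the default for every designator not listed.

FLAGS = {"verity", "signed", "encrypted", "unprotected", "unused", "absent"}

def parse_policy(policy):
    """Return ({designator: allowed flags}, default flags for unlisted ones)."""
    rules, default = {}, set()
    for rule in filter(None, policy.split(":")):
        designator, _, flags = rule.partition("=")
        allowed = set(filter(None, flags.split("+")))
        unknown = allowed - FLAGS
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {rule!r}")
        if designator:
            rules[designator] = allowed
        else:
            default = allowed
    return rules, default

def decide(allowed, found):
    """found: the protection the partition actually has, or 'absent'."""
    if found == "absent":
        return "ok" if "absent" in allowed else "refuse"  # missing but required
    if found in allowed:
        return "use"                                      # mount it
    if "unused" in allowed:
        return "ignore"                                   # present, left alone
    return "refuse"                                       # weaker than demanded

def evaluate(policy, disk):
    """disk maps designator -> protection found ('verity', 'encrypted', ...)."""
    rules, default = parse_policy(policy)
    return {d: decide(rules.get(d, default), disk.get(d, "absent"))
            for d in sorted(set(rules) | set(disk))}

def accepted(policy, disk):
    """True if no partition the policy cares about violates it."""
    return "refuse" not in evaluate(policy, disk).values()

if __name__ == "__main__":
    # Constructed sample: the policy sketched above (/usr Verity, rootfs LUKS).
    policy = "usr=verity:root=encrypted:=unused+absent"
    good = {"usr": "verity", "root": "encrypted", "home": "unprotected"}
    weak = {"usr": "unprotected", "root": "encrypted"}
    print(evaluate(policy, good), accepted(policy, good))
    print(evaluate(policy, weak), accepted(policy, weak))
```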
