On 10/20/25 16:13, Lennart Poettering wrote:
> On Sa, 18.10.25 21:49, Demi Marie Obenour ([email protected]) wrote:
>
>> This isn't systemd-specific, but I know that at least some systemd
>> developers recommend using UEFI secure boot + dm-verity, which leads
>> to this problem. I also don't know a better place to ask for help
>> on this.
>>
>> How do OSs using dm-verity and UKIs find the user data partition?
>
> In systemd there's systemd-gpt-auto-generator, which looks at the GPT
> partition table of the disk you are booting from, and finds the root
> fs and a few related auxiliary partitions. You can specify an "image
> policy" to tell this logic what exactly to look for (i.e. /usr/ must
> have Verity, and rootfs must have LUKS, or similar). You can also
> specify an "image filter" that matches the GPT partition label
> strings, so that you can allow parallel installation of multiple OSes.
>
> This is all anchored on the drive the firmware first boots from:
> systemd-boot searches for UKI on that drive, and then invokes the UKI
> from that drive. The UKI stub code then passes a reference to the
> drive to userspace via the StubDevicePartUUID EFI
> var. systemd-gpt-auto-generator in the initrd then uses that to find
> the rootfs + /usr. systemd-gpt-auto-generator then runs again after the
> transition onto the rootfs, where some additional mounts are searched
> for (i.e. /home/ + /srv/ and so on). This time it will look on the
> disk the rootfs/usrfs is located on.
>
> Once userspace is reached the reference to the backing disk is
> stabilized via the block device diskseq, hence should be somewhat safe
> regarding hot swapping different disks. The transition between EFI mode
> and Linux doesn't have a similar concept, hence it's not strictly
> protected against hot swapping different disks, it's hence essential
> that the entrypoint disks (i.e. rootfs + usrfs) are reasonably
> protected by other means (i.e. verity root hash and TPM binding) so
> that they cannot be swapped out.

How does one bind the user data partition? A swapped-out device can
have an identical rootfs.

>> On some systems it is trivial, as the storage device it must be on
>> is known ahead of time. However, desktops and servers can have many
>> storage devices or even use RAID, making this very nontrivial.
>
> I am a strong believer that RAID should be used for user data, but
> *not* for the immutable OS itself. It's immutable after all, and
> guaranteed the same regardless where it's read from, as long as the
> root hash matches.

Makes sense, except for servers where one needs to be able to boot even
in the event of a disk failure.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
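The "image policy" mechanism Lennart describes, as an added example that is not systemd's own code: a small Python checker that parses a policy string in the style of systemd.image-policy(7) (entries separated by `:`, alternative acceptable states joined by `+`, and an entry with an empty identifier acting as the default for partitions the policy does not list) and reports which partitions found on a disk violate it. The set of partition identifiers and states is a simplified subset of what systemd accepts (the real parser also knows `open` and `ignore`, among others), the state of each partition is assumed to have already been determined by whatever dissected the disk, and the sample layouts are constructed for the test.

```python
"""Evaluate a systemd-style image policy against the partitions found on a disk.

Added illustration of the concept only; it is not the systemd implementation.
The policy grammar follows the shape documented in systemd.image-policy(7):
    root=encrypted:usr=verity+signed:=absent
meaning: root must be LUKS-encrypted, /usr may be verity-protected or
verity-protected with a signature, and every other partition must be absent.
"""

# Partition states mirrored from the flag names in systemd.image-policy(7).
# "absent" means no matching partition was found at all. (Simplified subset.)
KNOWN_STATES = {"verity", "signed", "encrypted", "unprotected", "unused", "absent"}

# Partition designators this toy checker understands. (Simplified subset.)
KNOWN_PARTS = {
    "root", "usr", "home", "srv", "esp", "xbootldr", "swap", "tmp", "var",
    "root-verity", "root-verity-sig", "usr-verity", "usr-verity-sig",
}


def parse_policy(policy: str) -> dict[str, set[str]]:
    """Turn a policy string into {designator: set(acceptable states)}.

    The entry whose designator is empty ("=absent") becomes the default,
    stored under the key "", for partitions the policy does not name.
    """
    rules: dict[str, set[str]] = {}
    for entry in filter(None, policy.split(":")):
        ident, sep, flags = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed policy entry {entry!r}")
        if ident and ident not in KNOWN_PARTS:
            raise ValueError(f"unknown partition designator {ident!r}")
        allowed = set(filter(None, flags.split("+")))
        unknown = allowed - KNOWN_STATES
        if unknown:
            raise ValueError(f"unknown state(s) {sorted(unknown)} in {entry!r}")
        rules[ident] = allowed
    return rules


def check_disk(policy: str, found: dict[str, str]) -> list[str]:
    """Return one violation string per partition that the policy rejects.

    `found` maps designator -> observed state for partitions present on the
    disk; designators the policy names but that are missing count as "absent".
    An empty list means the disk satisfies the policy.
    """
    rules = parse_policy(policy)
    default = rules.get("", set())  # no default entry: unlisted partitions never pass
    violations = []
    # Examine every designator the policy names plus every partition actually found.
    for part in sorted((set(rules) - {""}) | set(found)):
        state = found.get(part, "absent")
        allowed = rules.get(part, default)
        if state not in allowed:
            wanted = "+".join(sorted(allowed)) or "nothing"
            violations.append(f"{part}: found {state}, policy allows {wanted}")
    return violations


if __name__ == "__main__":
    # Constructed sample: the policy from the docstring against two disk layouts.
    POLICY = "root=encrypted:usr=verity+signed:=absent"
    good_disk = {"root": "encrypted", "usr": "verity"}
    # A swapped-in disk whose root is plain and which carries an extra /home.
    bad_disk = {"root": "unprotected", "usr": "signed", "home": "unprotected"}
    for name, disk in ("good", good_disk), ("bad", bad_disk):
        print(name, check_disk(POLICY, disk) or "OK")
```

The useful property to notice is that the policy is evaluated per designator, so the check the thread discusses ("rootfs must have LUKS, /usr must have Verity") becomes a pure function of the observed partition states: a disk presenting an identical, correctly verity-protected rootfs will pass the policy, which is exactly why the thread turns to the TPM binding of the root hash rather than the policy itself for protection against swapped disks.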
