1️⃣6️⃣ Here's the 16th post highlighting key new features of the recently published v260 release of systemd. #systemd260 #systemd

systemd puts a lot of focus on DDIs, i.e. Discoverable Disk Images: disk images with a GPT partition table, typically enveloping a triplet of an erofs file system, a dm-verity partition and a signature partition for the verity root hash.

While that is the usual setup, it's by no means the only one: the dissection logic that assembles a file system hierarchy from a disk image is quite powerful, and supports LUKS encryption, multiple separate partitions for distinct purposes, ESP stuff, boot counting, and a lot more.

This flexibility comes at a price: in secure setups it's typically essential to lock down which arrangements of DDIs are actually OK to mount and which aren't. For example, for the OS DDI itself it might be OK to mount an EFI System Partition (ESP) located on the disk and an encrypted /home, while for a container DDI the triplet of root fs, verity partition and verity signature partition is all that shall be allowed.

To address this, systemd added the concept of "image policies" in v254, which encode what shall be allowed when activating a DDI. Policies can be expressed as short strings, which is quite useful since they can be passed on the kernel command line this way (which makes sense: the rootfs is typically configured there, so it is natural to encode the policy for it there too).
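To make the "which arrangements are OK" decision concrete, here is an added example (not systemd's own code) that evaluates a policy string in the v254 syntax documented in systemd.image-policy(7) against a constructed partition inventory. The two policies and the two inventories below are made up to mirror the OS-DDI and container-DDI cases described above; the implicit `absent+unused` fallback for unmentioned partitions is my reading of the documentation and is marked as an assumption in the code. The v260 additions (file system choice, integrity-protected encryption) are not modelled, since their syntax is not given here.

```python
"""Evaluate a systemd image-policy string against a DDI partition inventory.

Added example, not systemd's own code. It models the v254 policy syntax
documented in systemd.image-policy(7): "designator=flag+flag:...:=default-flags",
plus the shorthands "*", "-" and "~". The partition inventory is constructed
here; real dissection would derive it from the GPT partition table.
"""

# Mountable partition designators modelled here. The verity and verity
# signature companion partitions are omitted: systemd ties them to the
# "verity"/"signed" flags of the data partition rather than policing them
# separately in the policy string.
DESIGNATORS = ("root", "usr", "home", "srv", "esp", "xbootldr", "tmp", "var", "swap")

# How a partition may be protected (exactly one of these is observed per partition).
PROTECTION = {"unprotected", "verity", "signed", "encrypted"}
# Flags that say what to do when the partition is missing or does not match.
PRESENCE = {"absent", "unused", "ignore"}
# Mount options that do not affect the accept/reject decision.
OPTIONS = {"read-only-on", "read-only-off", "growfs-on", "growfs-off"}
KNOWN_FLAGS = PROTECTION | PRESENCE | OPTIONS

# Shorthand policies as expanded by systemd.image-policy(7).
SHORTHAND = {
    "*": "=verity+signed+encrypted+unprotected+unused+absent",  # allow anything
    "-": "=unused+absent",                                      # use nothing
    "~": "=ignore",                                             # apply no policy
}

# Fallback for designators the policy does not mention when no "=default" is
# given. Assumption: this mirrors the documented absent+unused fallback.
IMPLICIT_DEFAULT = frozenset({"absent", "unused"})


def parse_policy(policy):
    """Split a policy string into (per-designator flag sets, default flag set)."""
    policy = SHORTHAND.get(policy, policy)
    per_designator, default = {}, IMPLICIT_DEFAULT
    for item in policy.split(":"):
        if not item:
            continue
        name, sep, flags = item.partition("=")
        if not sep:
            raise ValueError(f"policy item without '=': {item!r}")
        flagset = frozenset(f for f in flags.split("+") if f)
        unknown = flagset - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {item!r}")
        if name == "":
            default = flagset                 # "=flags" sets the default
        elif name in DESIGNATORS:
            per_designator[name] = flagset
        else:
            raise ValueError(f"unknown partition designator {name!r}")
    return per_designator, default


def evaluate(policy, inventory):
    """Decide which partitions of `inventory` may be used under `policy`.

    `inventory` maps designator -> observed protection; a missing key means the
    partition is not in the image. Returns (sorted designators to mount, sorted
    problem descriptions); an empty problem list means the image is acceptable.
    """
    per_designator, default = parse_policy(policy)
    mounted, problems = [], []
    for name in DESIGNATORS:
        allowed = per_designator.get(name, default)
        if "ignore" in allowed:
            continue                          # policy does not care about this one
        observed = inventory.get(name)
        if observed is None:
            if "absent" not in allowed:
                problems.append(f"{name}: required by policy but absent")
        elif observed in allowed:
            mounted.append(name)              # protection matches: use it
        elif "unused" not in allowed:
            problems.append(
                f"{name}: is {observed}, policy allows "
                f"{sorted(allowed & PROTECTION) or 'none'}")
        # else: present but "unused" permits leaving it alone
    return sorted(mounted), sorted(problems)


# Constructed inventories standing in for the two DDIs discussed in the thread.
OS_IMAGE = {"root": "signed", "esp": "unprotected", "home": "encrypted"}
CONTAINER_IMAGE = {"root": "signed"}

# OS policy: signed verity root, plain ESP, encrypted /home, nothing else.
OS_POLICY = "root=verity+signed:esp=unprotected+absent:home=encrypted+absent:=absent"
# Container policy: the signed root triplet is all that shall be allowed.
CONTAINER_POLICY = "root=verity+signed:=absent"

if __name__ == "__main__":
    for label, policy, image in [
        ("OS image / OS policy", OS_POLICY, OS_IMAGE),
        ("OS image / container policy", CONTAINER_POLICY, OS_IMAGE),
        ("container image / container policy", CONTAINER_POLICY, CONTAINER_IMAGE),
    ]:
        mounted, problems = evaluate(policy, image)
        print(f"{label}: mount={mounted} problems={problems}")
```

Running the script shows the OS image passing its own policy but being rejected under the container policy because of the extra ESP and /home partitions. systemd's own tooling can show how it parses a given string via `systemd-analyze image-policy`, and `systemd-dissect --validate --image-policy=...` applies one to a real image.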

With v260 the policy language is improved in two ways:

First of all, it now optionally encodes the choice of file system to accept. Previously, a curated, hardcoded list of modern Linux file systems was accepted (except for ESP/XBOOTLDR, where only VFAT was accepted). For various use cases this is not strict enough, hence now you can say: /usr/ *must* be erofs, or /home can be either ext4 or btrfs, or similar rules.

And secondly, there's now an explicit mechanism for requiring integrity-protected encryption (as opposed to regular LUKS encryption without integrity checks).