Add reinitializeVerity API. (#351)

Add API that controls how verity partitions in the base image are
handled. Specifically, whether or not the verity data partitions are set
to read-only or read-write during OS customization.

The primary scenario being targeted is recustomizing an image with a usr
verity partition + UKIs without changing/invalidating the /usr partition
or the UKIs. A functional test has been added for this scenario.

Author: cwize1

docs/imagecustomizer/api/configuration.md

@@ -155,6 +155,7 @@ os:
         - [options](./configuration/mountpoint.md#options-string)
         - [path](./configuration/mountpoint.md#path-string)
     - [resetPartitionsUuidsType](./configuration/storage.md#resetpartitionsuuidstype-string)
+    - [reinitializeVerity](./configuration/storage.md#reinitializeverity-string)
   - [iso](./configuration/config.md#iso-iso) ([iso type](./configuration/iso.md))
     - [additionalFiles](./configuration/iso.md#additionalfiles-additionalfile)
       - [additionalFile type](./configuration/additionalfile.md)

docs/imagecustomizer/api/configuration/storage.md

@@ -136,3 +136,21 @@ os:
 ```
 
 Added in v0.7.
+
+## reinitializeVerity [string]
+
+This is a preview feature.
+Its API and behavior is subject to change.
+You must enable this feature by specifying `reinitialize-verity` in the
+[previewFeatures](./config.md#previewfeatures-string) API.
+
+When the base image contains verity partitions, controls whether or not the verity
+partitions can be modified.
+
+Supported options:
+
+- `none`: During OS customization, all verity data partitions are mounted as read-only.
+  The verity hash partitions are left unchanged.
+
+- `all`: During OS customization, all verity data partitions are mounted as read-write.
+  The verity hash partitions will be regenerated.

toolkit/tools/imagecustomizerapi/config.go

@@ -118,6 +118,11 @@ func (c *Config) IsValid() (err error) {
 		}
 	}
 
+	if c.Storage.ReinitializeVerity != ReinitializeVerityTypeDefault &&
+		!sliceutils.ContainsValue(c.PreviewFeatures, PreviewFeatureReinitializeVerity) {
+		return fmt.Errorf("the 'reinitialize-verity' preview feature must be enabled to use 'storage.reinitializeVerity'")
+	}
+
 	return nil
 }
 

toolkit/tools/imagecustomizerapi/reinitializeveritytype.go

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerapi
+
+import (
+	"fmt"
+)
+
+type ReinitializeVerityType string
+
+const (
+	ReinitializeVerityTypeDefault ReinitializeVerityType = ""
+	ReinitializeVerityTypeNone    ReinitializeVerityType = "none"
+	ReinitializeVerityTypeAll     ReinitializeVerityType = "all"
+)
+
+func (t ReinitializeVerityType) IsValid() error {
+	switch t {
+	case ReinitializeVerityTypeDefault, ReinitializeVerityTypeNone, ReinitializeVerityTypeAll:
+		// All good.
+		return nil
+
+	default:
+		return fmt.Errorf("invalid value (%s)", t)
+	}
+}

toolkit/tools/imagecustomizerapi/schema.json

@@ -592,6 +592,9 @@
             "$ref": "#/$defs/Verity"
           },
           "type": "array"
+        },
+        "reinitializeVerity": {
+          "type": "string"
         }
       },
       "additionalProperties": false,

toolkit/tools/imagecustomizerapi/storage.go

@@ -26,6 +26,7 @@ type Storage struct {
 	Disks                    []Disk                   `yaml:"disks" json:"disks,omitempty"`
 	FileSystems              []FileSystem             `yaml:"filesystems" json:"filesystems,omitempty"`
 	Verity                   []Verity                 `yaml:"verity" json:"verity,omitempty"`
+	ReinitializeVerity       ReinitializeVerityType   `yaml:"reinitializeVerity" json:"reinitializeVerity,omitempty"`
 
 	// Filled in by Storage.IsValid().
 	VerityPartitionsType VerityPartitionsType `json:"-"`
@@ -96,6 +97,11 @@ func (s *Storage) IsValid() error {
 		}
 	}
 
+	err = s.ReinitializeVerity.IsValid()
+	if err != nil {
+		return fmt.Errorf("invalid 'reinitializeVerity' value:\n%w", err)
+	}
+
 	hasResetUuids := s.ResetPartitionsUuidsType != ResetPartitionsUuidsTypeDefault
 	hasBootType := s.BootType != BootTypeNone
 	hasDisks := len(s.Disks) > 0

toolkit/tools/internal/safechroot/safechroot.go

@@ -176,6 +176,11 @@ func (m *MountPoint) GetTarget() string {
 	return m.target
 }
 
+// GetFlags gets the flags of the mount.
+func (m *MountPoint) GetFlags() uintptr {
+	return m.flags
+}
+
 // NewChroot creates a new Chroot struct
 func NewChroot(rootDir string, isExistingDir bool) *Chroot {
 	// get chroot folder

toolkit/tools/pkg/imagecustomizerlib/artifactsinputoutput.go

@@ -364,8 +364,8 @@ func prepareImageConversionData(ctx context.Context, rawImageFile string, buildD
 ) (map[string]diskutils.FstabEntry, []verityDeviceMetadata, string,
 	[]OsPackage, [randomization.UuidSize]byte, string, *CosiBootloader, error,
 ) {
-	imageConnection, partUuidToFstabEntry, baseImageVerityMetadata, err := connectToExistingImage(ctx,
-		rawImageFile, buildDir, chrootDir, true, true)
+	imageConnection, partUuidToFstabEntry, baseImageVerityMetadata, _, err := connectToExistingImage(ctx,
+		rawImageFile, buildDir, chrootDir, true, true, false)
 	if err != nil {
 		return nil, nil, "", nil, [randomization.UuidSize]byte{}, "", nil, fmt.Errorf("failed to connect to image:\n%w", err)
 	}

toolkit/tools/pkg/imagecustomizerlib/customizeos.go

@@ -78,7 +78,7 @@ func doOsCustomizations(ctx context.Context, buildDir string, baseConfigPath str
 	}
 
 	if config.OS.ImageHistory != imagecustomizerapi.ImageHistoryNone {
-		err = addImageHistory(ctx, imageChroot.RootDir(), imageUuid, baseConfigPath, ToolVersion, buildTime, config)
+		err = addImageHistory(ctx, imageChroot, imageUuid, baseConfigPath, ToolVersion, buildTime, config)
 		if err != nil {
 			return err
 		}

toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go

@@ -17,7 +17,8 @@ import (
 func customizePartitionsUsingFileCopy(ctx context.Context, buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
 	buildImageFile string, newBuildImageFile string,
 ) (map[string]string, error) {
-	existingImageConnection, _, _, err := connectToExistingImage(ctx, buildImageFile, buildDir, "imageroot", false, false)
+	existingImageConnection, _, _, _, err := connectToExistingImage(ctx, buildImageFile, buildDir, "imageroot", false,
+		true, false)
 	if err != nil {
 		return nil, err
 	}