diff --git a/.github/workflows/validate-cg-manifest.sh b/.github/workflows/validate-cg-manifest.sh
index 9db35a3c946..e827be8cf75 100755
--- a/.github/workflows/validate-cg-manifest.sh
+++ b/.github/workflows/validate-cg-manifest.sh
@@ -52,7 +52,6 @@ ignore_no_source_tarball=" \
python-rpm-generators \
qt-rpm-macros \
sgx-backwards-compatibility \
- verity-read-only-root \
web-assets \
"
diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
index 848eb7120d1..90f4c437f97 100644
--- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
+++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
@@ -9,7 +9,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic
| Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq |
| Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib |
| Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka |
-| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
verity-read-only-root
vnstat
zstd |
+| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
zstd |
| Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan |
| Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad |
| NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | libnvidia-container
mlnx-tools
mlx-bootctl
nvidia-container-toolkit
ofed-scripts
perftest |
diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
index 063158becdc..e2b190613dc 100644
--- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json
+++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
@@ -2434,7 +2434,6 @@
"usrsctp",
"vala",
"valkey",
- "verity-read-only-root",
"vnstat",
"zstd"
]
diff --git a/SPECS/initramfs/initramfs.spec b/SPECS/initramfs/initramfs.spec
index ed249ab2791..7ad9e34f811 100644
--- a/SPECS/initramfs/initramfs.spec
+++ b/SPECS/initramfs/initramfs.spec
@@ -1,7 +1,7 @@
Summary: initramfs
Name: initramfs
Version: 3.0
-Release: 4%{?dist}
+Release: 5%{?dist}
License: Apache License
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -19,7 +19,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/dracut.conf.d
install -D -m644 %{SOURCE0} %{buildroot}%{_sysconfdir}/dracut.conf.d/
%define watched_path %{_sbindir} %{_libdir}/udev/rules.d %{_libdir}/systemd/system /lib/modules %{_sysconfdir}/dracut.conf.d
-%define watched_pkgs e2fsprogs, systemd, kpartx, device-mapper-multipath, verity-read-only-root, dracut-fips, dracut-megaraid, dracut-hostonly, dracut-hyperv, dracut-overlayfs, dracut-virtio, dracut-vrf, dracut-xen
+%define watched_pkgs e2fsprogs, systemd, kpartx, device-mapper-multipath, dracut-fips, dracut-megaraid, dracut-hostonly, dracut-hyperv, dracut-overlayfs, dracut-virtio, dracut-vrf, dracut-xen
%define removal_action() rm -rf %{_localstatedir}/lib/rpm-state/initramfs
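Review bot: The new `watched_pkgs` line drops `verity-read-only-root` with no record in the spec of why, and nothing visible here handles hosts that still have that package installed from an earlier release. If the triggers built from `watched_pkgs` (defined outside this hunk) are what regenerate the initramfs, removing the leftover package later will no longer rebuild the image. A host whose kernel command line still uses `root=verityroot:` would presumably also lose the `verity-parse.sh` and `verity-mount.sh` hooks, which this commit deletes, at the next regeneration. I would add a comment above the define, `# verity-read-only-root is intentionally not watched: the package was removed in 3.0-5`, and confirm whether an `Obsoletes:` entry or a release note is needed so that verity-protected roots are migrated deliberately instead of being found at boot time.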
@@ -112,6 +112,9 @@ echo "initramfs" %{version}-%{release} "postun" >&2
%{_sysconfdir}/dracut.conf.d/fscks.conf
%changelog
+* Tue Jul 02 2024 Daniel McIlvaney - 3.0-5
+- Remove old dm-verity boot support
+
* Thu Mar 23 2024 Cameron Baird - 3.0-4
- Flag all dracut driver list configs as watched pkgs for initramfs regen
@@ -130,11 +133,11 @@ echo "initramfs" %{version}-%{release} "postun" >&2
* Fri Oct 06 2023 Cameron Baird - 2.0-14
- Ensure grub2-mkconfig is called after the initramfs generation
-- Deprecate old linuxloader; no longer copy initrd image to efi partition
+- Deprecate old linuxloader; no longer copy initrd image to efi partition
* Wed Jun 28 2023 Cameron Baird - 2.0-13
- Copy the initrd image to /boot/efi to maintain backwards compatibility
- with the old linuxloader. Let the initrd remain in /boot as well.
+ with the old linuxloader. Let the initrd remain in /boot as well.
* Fri Apr 07 2023 Andy Zaugg - 2.0-12
- Added fsck.xfs into initrd
diff --git a/SPECS/verity-read-only-root/20verity-mount/module-setup.sh b/SPECS/verity-read-only-root/20verity-mount/module-setup.sh
deleted file mode 100755
index afb86017bb3..00000000000
--- a/SPECS/verity-read-only-root/20verity-mount/module-setup.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# Portions Copyright (c) 2020 Microsoft Corporation
-
-# See verity-parse.sh for documentation.
-
-check() {
- # Only include if requested by the dracut configuration files
- require_binaries veritysetup || return 1
- return 255
-}
-
-depends() {
- echo systemd dm
-}
-
-# Omit cmdline() since it does not make sense to auto populate the cmdline.
-# The initramfs needs to be modified out of band after the fact anyways
-# with updated hashes.
-
-install() {
- inst "veritysetup"
- inst "grep"
- inst_hook cmdline 20 "$moddir/verity-parse.sh"
- inst_hook pre-mount 10 "$moddir/verity-mount.sh"
- dracut_need_initqueue
-}
\ No newline at end of file
diff --git a/SPECS/verity-read-only-root/20verity-mount/verity-mount.sh b/SPECS/verity-read-only-root/20verity-mount/verity-mount.sh
deleted file mode 100755
index 8cceff59c08..00000000000
--- a/SPECS/verity-read-only-root/20verity-mount/verity-mount.sh
+++ /dev/null
@@ -1,201 +0,0 @@
-#!/bin/sh
-# Portions Copyright (c) 2020 Microsoft Corporation
-
-# See verity-parse.sh for documentation.
-
-# Make sure we have dracut-lib and loaded
-type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-
-VERITY_MOUNT="/verity_root/verity_mnt"
-OVERLAY_TMPFS="/verity_root/overlays"
-OVERLAY_MNT_OPTS="rw,nodev,nosuid,nouser,noexec"
-
-# Get verity root. This should already be set by the dracut cmdline module
-[ -n "$root" ] || root=$(getarg root=)
-# Bail early if no 'verityroot' root is found
-[ "${root%%:*}" = "verityroot" ] || exit 0
-verityroot="$root"
-
-# Double check we have all other parameters
-[ -z "${veritydevicename}" ] && veritydevicename=$(getarg rd.verityroot.devicename=)
-[ -n "${veritydevicename}" ] || veritydevicename="verity_root"
-[ -z "${verityhashtree}" ] && verityhashtree=$(getarg rd.verityroot.hashtree=)
-[ -z "${verityroothash}" ] && verityroothash=$(getarg rd.verityroot.roothash=)
-[ -z "${verityroothashfile}" ] && verityroothashfile=$(getarg rd.verityroot.roothashfile=)
-
-# Get the optional parameters
-[ -z "${verityroothashsig}" ] && verityroothashsig=$(getarg rd.verityroot.roothashsig=)
-[ -z "${verityerrorhandling}" ] && verityerrorhandling=$(getarg rd.verityroot.verityerrorhandling=)
-[ -z "${validateonboot}" ] && validateonboot=$(getarg rd.verityroot.validateonboot=)
-[ -z "${verityfecdata}" ] && verityfecdata=$(getarg rd.verityroot.fecdata=)
-[ -z "${verityfecroots}" ] && verityfecroots=$(getarg rd.verityroot.fecroots=)
-[ -z "${verityoverlays}" ] && verityoverlays=$(getarg rd.verityroot.overlays=)
-[ -z "${verityoverlaysize}" ] && verityoverlaysize=$(getarg rd.verityroot.overlaysize=)
-[ -z "${overlaysdebugmount}" ] && overlaysdebugmount=$(getarg rd.verityroot.overlays_debug_mount=)
-
-# Check the required parameters are pressent
-[ -n "${veritydevicename}" ] || die "verityroot requires rd.verityroot.devicename="
-[ -n "${verityhashtree}" ] || die "verityroot requires rd.verityroot.hashtree="
-[ -n "${verityroothash}" ] || [ -n "${verityroothashfile}" ] || die "verityroot requires rd.verityroot.roothash= or rd.verityroot.roothashfile="
-[ -n "${verityroothash}" -a -n "${verityroothashfile}" ] && die "verityroot does not support using both rd.verityroot.roothash= and rd.verityroot.roothashfile= at the same time"
-
-# Validate the optional paramters
-# Make sure we have either both or neither FEC arguments (xor)
-[ -n "${verityfecdata}" -a -z "${verityfecroots}" ] && die "verityroot FEC requires both rd.verityroot.fecdata= and rd.verityroot.fecroots="
-[ -z "${verityfecdata}" -a -n "${verityfecroots}" ] && die "verityroot FEC requires both rd.verityroot.fecdata= and rd.verityroot.fecroots="
-
-# Make sure we have set an overlay size if we are using overlays
-if [ -n "${verityoverlays}" ]; then
- [ -z "${verityoverlaysize}" ] && die "verityroot rd.verityroot.overlaysize= must be set if using rd.verityroot.overlays="
-fi
-
-# Check we have a valid error handling option
-if [ -n "${verityerrorhandling}" ]; then
- [ "${verityerrorhandling}" == "ignore" -o \
- "${verityerrorhandling}" == "restart" -o \
- "${verityerrorhandling}" == "panic" ] || die "verityroot rd.verityroot.verityerrorhandling= must be one of [ignore,restart,panic]"
-fi
-# Same for full validation during boot option
-if [ -n "${validateonboot}" ]; then
- [ "${validateonboot}" == "true" -o \
- "${validateonboot}" == "false" ] || die "verityroot rd.verityroot.validateonboot= must be one of [true,false]"
-fi
-
-# create_overlay
-#
-# Create a writable overlay for a folder inside the verity disk.
-# The path must already exist in the verity disk for an overlay to be added.
-# $1: Path relative to the rootfs (ie '/var')
-create_overlay() {
- local _folder=$1
- local _mounted_folder="${VERITY_MOUNT}/${_folder}"
- local _overlay_name="$(str_replace ${_mounted_folder} '/' '_')"
- local _overlay_folder="$(mkuniqdir ${OVERLAY_TMPFS} ${_overlay_name})"
- local _working="${_overlay_folder}/working"
- local _upper="${_overlay_folder}/upper"
-
- [ -d "${_overlay_folder}" ] || die "Failed to create overlay base folder '${_overlay_folder}'"
-
- info "Creating a R/W overlay for $_folder"
- [ -d "$_mounted_folder" ] || die "$_folder does not exist, cannot create overlay"
-
- [ ! -d "${_working}" ] || die "Name collision with ${_working}"
- [ ! -d "${_upper}" ] || die "Name collision with ${_upper}"
-
- mkdir -p "${_working}" && \
- mkdir -p "${_upper}" && \
- mount -t overlay overlay -o ${OVERLAY_MNT_OPTS},lowerdir="${_mounted_folder}",upperdir="${_upper}",workdir="${_working}" "${_mounted_folder}" || \
- die "Failed to mount overlay in ${_mounted_folder}"
-}
-
-# Mount the verity disk to $NEWROOT, create a dummy device at /dev/root to
-# satisfy wait_for_dev
-mount_root() {
- info "Mounting verity root"
- mkdir -p "${VERITY_MOUNT}"
-
- # Convert error handling options into argument
- if [ "${verityerrorhandling}" == "restart" ]; then
- errorarg="--restart-on-corruption"
- elif [ "${verityerrorhandling}" == "panic" ]; then
- errorarg="--panic-on-corruption"
- elif [ "${verityerrorhandling}" == "ignore" ]; then
- errorarg="--ignore-corruption"
- fi
-
- # Convert FEC options to argument
- if [ -n "${verityfecdata}" -a -n "${verityfecroots}" ]; then
- fecargs="--fec-device=${verityfecdata} --fec-roots=${verityfecroots}"
- fi
-
- # Convert root hash signature to argument
- if [ -n "${verityroothashsig}" ]; then
- roothashsigargs="--root-hash-signature=${verityroothashsig}"
- fi
-
- # Get the root hash itself
- if [ -n "${verityroothash}" ]; then
- roothashval="${verityroothash}"
- else
- roothashval=$(cat "${verityroothashfile}")
- fi
-
- if [ "${validateonboot}" == "true" ]; then
- # verify does not support error handling args, ommit
- info "rd.verityroot.validateonboot is set, validating full read-only root device"
- info "This could take several minutes if forward error correction is being used to rebuild corrupted blocks"
- veritysetup --debug --verbose ${roothashsigargs} ${fecargs} verify ${veritydisk} ${verityhashtree} ${roothashval} > verity.log 2>&1 || \
- { warn "Failed to validate verity disk" ; cat verity.log | vwarn ; }
-
- # Report any FEC activity, this indicates possible disk failure
- if grep "# Verification failed, trying to repair with FEC device." verity.log; then
- warn "Verity disk is corrupted, proceding while using forward error correction"
- grep "Found [0-9]* repairable errors with FEC device" verity.log | vwarn
- fi
- fi
-
- info "Creating dm-verity read-only root"
- veritysetup --debug --verbose ${roothashsigargs} ${errorarg} ${fecargs} open ${veritydisk} ${veritydevicename} ${verityhashtree} ${roothashval} > verity.log 2>&1 || \
- { cat verity.log | vwarn ; die "Failed to create verity root" ; }
-
- mount -o ro,defaults "/dev/mapper/${veritydevicename}" "${VERITY_MOUNT}" || \
- die "Failed to mount verity root"
-
- if [ -n "${verityoverlays}" ]; then
- # Create working directories for overlays
- mkdir -p "${OVERLAY_TMPFS}"
- mount -t tmpfs tmpfs -o ${OVERLAY_MNT_OPTS},size=${verityoverlaysize} "${OVERLAY_TMPFS}" || \
- die "Failed to create overlay tmpfs at ${OVERLAY_TMPFS}"
-
- for _folder in ${verityoverlays}; do
- create_overlay "${_folder}"
- done
-
- if [ -n "${overlaysdebugmount}" ]; then
- info "Adding overlay debug mount to ${overlaysdebugmount}"
- mount -o ro --bind "${OVERLAY_TMPFS}" "${VERITY_MOUNT}/${overlaysdebugmount}" || warn "Couldn't mount overlay debug (Does '${overlaysdebugmount}' exist?)"
- fi
- else
- info "No verity RW overlays set, mounting fully read-only"
- fi
-
- # Remount the verity disk and any overlays into the destination root
- mount --rbind "${VERITY_MOUNT}" "${NEWROOT}"
-
- # Signal completion
- ln -s /dev/null /dev/root
-}
-
-# dracut-functions.sh is only available during initramfs creation,
-# keep a copy of this function here.
-expand_persistent_dev() {
- local _dev=$1
-
- case "$_dev" in
- LABEL=*)
- _dev="/dev/disk/by-label/${_dev#LABEL=}"
- ;;
- UUID=*)
- _dev="${_dev#UUID=}"
- _dev="${_dev,,}"
- _dev="/dev/disk/by-uuid/${_dev}"
- ;;
- PARTUUID=*)
- _dev="${_dev#PARTUUID=}"
- _dev="${_dev,,}"
- _dev="/dev/disk/by-partuuid/${_dev}"
- ;;
- PARTLABEL=*)
- _dev="/dev/disk/by-partlabel/${_dev#PARTLABEL=}"
- ;;
- esac
- printf "%s" "$_dev"
-}
-
-if [ -n "$verityroot" -a -z "${verityroot%%verityroot:*}" ]; then
- veritydisk=$(expand_persistent_dev "${verityroot#verityroot:}")
- verityhashtree=$(expand_persistent_dev "${verityhashtree}")
- verityroothashfile=$(expand_persistent_dev "${verityroothashfile}")
- verityfecdata=$(expand_persistent_dev "${verityfecdata}")
- mount_root
-fi
diff --git a/SPECS/verity-read-only-root/20verity-mount/verity-parse.sh b/SPECS/verity-read-only-root/20verity-mount/verity-parse.sh
deleted file mode 100755
index f7069f81666..00000000000
--- a/SPECS/verity-read-only-root/20verity-mount/verity-parse.sh
+++ /dev/null
@@ -1,151 +0,0 @@
-#!/bin/sh
-# Portions Copyright (c) 2020 Microsoft Corporation
-
-# Overview:
-# The verity-mount module is responsible for mounting a dm-verity protected read-only
-# root file system. (see https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity)
-# To load a dm-verity disk both a hash tree and root hash must be available. The
-# verity-mount module may load the hash tree from a device or as a file inside the
-# initramfs. The root hash is expected as a file in the initramfs.
-#
-# Error Correction:
-# Optionally forward error correction (FEC) may also be used. dm-verity will use the
-# FEC to patch any corrupted data at run time (but will not repair the underlying data).
-# Error correction normally happens only as required (when blocks are read). The
-# rd.verityroot.validateonboot argument will force a full validation of all blocks
-# at boot and print any issues as dracut warnings (This can take several minutes if
-# the disk is degraded)
-#
-# Signing:
-# The expectation is that the initramfs (and its enclosed root hash) will be signed.
-# The root hash can then be trusted because the initramfs was validated during boot.
-# dm-verity also supports cryptographically signing the root hash, the signature file is
-# expected to be part of the initramfs and will be validated against the kernel key-ring.
-#
-# Overlays:
-# Many packages expect to be able to write files to disk during day-to-day operations. To
-# accomodate these programs the verity-mount module can create tmpfs overlays in targeted
-# locations. These overlays are not persistant and will be created fresh on every boot.
-#
-# Debugging:
-# The verity-mount module will mount a read-only view of the tmpfs overlays into
-# rd.verityroot.overlays_debug_mount=/path/to/mount if set. This is an easy way to see
-# what files are being modified during runtime.
-
-# Parameters:
-# Required:
-# rd.verityroot.devicename=desired_device_mapper_name
-# rd.verityroot.hashtree=/path/to/hashtree | =
-# rd.verityroot.roothash=
-# or
-# rd.verityroot.roothashfile=/path/to/roothash
-
-# Optional
-# rd.verityroot.roothashsig=/path/to/file
-# rd.verityroot.verityerrorhandling=ignore|restart|panic
-# rd.verityroot.validateonboot=true/false
-# rd.verityroot.fecdata=/path/to/fecdata | =
-# rd.verityroot.fecroots=#
-# rd.verityroot.overlays="/path/to/overlay/directory /other/path"
-# rd.verityroot.overlays_debug_mount=/path/to/mount/debug/info
-
-# Make sure we have dracut-lib and loaded
-type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
-
-# Look for a root device parameter of the form: root=verityroot:=
-[ -z "$root" ] && root=$(getarg root=)
-if [ "${root%%:*}" = "verityroot" ] ; then
- verityroot=$root
-fi
-
-# Bail early if no 'verityroot' root is found
-[ "${verityroot%%:*}" = "verityroot" ] || exit 0
-
-# Get all other required parameters
-[ -z "${veritydevicename}" ] && veritydevicename=$(getarg rd.verityroot.devicename=)
-[ -n "${veritydevicename}" ] || veritydevicename="verity_root"
-[ -z "${verityhashtree}" ] && verityhashtree=$(getarg rd.verityroot.hashtree=)
-[ -z "${verityroothash}" ] && verityroothash=$(getarg rd.verityroot.roothash=)
-[ -z "${verityroothashfile}" ] && verityroothashfile=$(getarg rd.verityroot.roothashfile=)
-
-# Get the optional parameters
-[ -z "${verityroothashsig}" ] && verityroothashsig=$(getarg rd.verityroot.roothashsig=)
-[ -z "${verityerrorhandling}" ] && verityerrorhandling=$(getarg rd.verityroot.verityerrorhandling=)
-[ -z "${validateonboot}" ] && validateonboot=$(getarg rd.verityroot.validateonboot=)
-[ -z "${verityfecdata}" ] && verityfecdata=$(getarg rd.verityroot.fecdata=)
-[ -z "${verityfecroots}" ] && verityfecroots=$(getarg rd.verityroot.fecroots=)
-[ -z "${verityoverlays}" ] && overlays=$(getarg rd.verityroot.overlays=)
-[ -z "${verityoverlaysize}" ] && overlaysize=$(getarg rd.verityroot.overlaysize=)
-[ -z "${overlays_debug_mount}" ] && overlays_debug_mount=$(getarg rd.verityroot.overlays_debug_mount=)
-
-# Check the required parameters are pressent
-[ -n "${veritydevicename}" ] || die "verityroot requires rd.verityroot.devicename="
-[ -n "${verityhashtree}" ] || die "verityroot requires rd.verityroot.hashtree="
-[ -n "${verityroothash}" ] || [ -n "${verityroothashfile}" ] || die "verityroot requires rd.verityroot.roothash= or rd.verityroot.roothashfile="
-[ -n "${verityroothash}" -a -n "${verityroothashfile}" ] && die "verityroot does not support using both rd.verityroot.roothash= and rd.verityroot.roothashfile= at the same time"
-
-# Validate the optional paramters
-# Make sure we have either both or neither FEC arguments (xor)
-[ -n "${verityfecdata}" -a -z "${verityfecroots}" ] && die "verityroot FEC requires both rd.verityroot.fecdata= and rd.verityroot.fecroots="
-[ -z "${verityfecdata}" -a -n "${verityfecroots}" ] && die "verityroot FEC requires both rd.verityroot.fecdata= and rd.verityroot.fecroots="
-
-# Make sure we have set an overlay size if we are using overlays
-if [ -n "${verityoverlays}" ]; then
- [ -z "${verityoverlaysize}" ] && die "verityroot rd.verityroot.overlaysize= must be set if using rd.verityroot.overlays="
-fi
-
-# Check we have a valid error handling option
-if [ -n "${verityerrorhandling}" ]; then
- [ "${verityerrorhandling}" == "ignore" -o \
- "${verityerrorhandling}" == "restart" -o \
- "${verityerrorhandling}" == "panic" ] || die "verityroot rd.verityroot.verityerrorhandling= must be one of [ignore,restart,panic]"
-fi
-# Same for full validation during boot option
-if [ -n "${validateonboot}" ]; then
- [ "${validateonboot}" == "true" -o \
- "${validateonboot}" == "false" ] || die "verityroot rd.verityroot.validateonboot= must be one of [true,false]"
-fi
-
-# dracut-functions.sh is only available during initramfs creation,
-# keep a copy of this function here.
-expand_persistent_dev() {
- local _dev=$1
-
- case "$_dev" in
- LABEL=*)
- _dev="/dev/disk/by-label/${_dev#LABEL=}"
- ;;
- UUID=*)
- _dev="${_dev#UUID=}"
- _dev="${_dev,,}"
- _dev="/dev/disk/by-uuid/${_dev}"
- ;;
- PARTUUID=*)
- _dev="${_dev#PARTUUID=}"
- _dev="${_dev,,}"
- _dev="/dev/disk/by-partuuid/${_dev}"
- ;;
- PARTLABEL=*)
- _dev="/dev/disk/by-partlabel/${_dev#PARTLABEL=}"
- ;;
- esac
- printf "%s" "$_dev"
-}
-
-# Get paths to the various devices/files we might need to wait for.
-veritydisk=$(expand_persistent_dev "${verityroot#verityroot:}")
-verityhashtree=$(expand_persistent_dev "${verityhashtree}")
-verityroothashfile=$(expand_persistent_dev "${verityroothashfile}")
-verityfecdata=$(expand_persistent_dev "${verityfecdata}")
-
-info "Going to try to mount '$verityroot' with '$verityhashtree' and '$verityroothash$verityroothashfile'"
-rootok=1
-unset root
-root="${verityroot}"
-
-# Queue up a wait for each device/file
-if [ "${root%%:*}" = "verityroot" ]; then
- for _dev in ${veritydisk} ${verityhashtree} ${verityroothashfile} ${verityfecdata}; do
- wait_for_dev "${_dev}"
- done
-fi
diff --git a/SPECS/verity-read-only-root/COPYING b/SPECS/verity-read-only-root/COPYING
deleted file mode 100644
index d159169d105..00000000000
--- a/SPECS/verity-read-only-root/COPYING
+++ /dev/null
@@ -1,339 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-
- Copyright (C)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) year name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- , 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
diff --git a/SPECS/verity-read-only-root/create_linear_debug_mount.sh b/SPECS/verity-read-only-root/create_linear_debug_mount.sh
deleted file mode 100755
index 8304e5f2a63..00000000000
--- a/SPECS/verity-read-only-root/create_linear_debug_mount.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# Portions Copyright (c) 2020 Microsoft Corporation
-
-# Tool which attempts to mount the dm-verity overlays into an accessible
-# location.
-
-set -e
-
-VERITY_NAME=$(cd /dev/mapper/ && ls verity-*)
-SIZE=$(blockdev --getsz /dev/mapper/$VERITY_NAME)
-
-# Get the device verity is pulling data from
-DATA_DEV=$(dmsetup table $VERITY_NAME | cut -d " " -f 5)
-
-# Freeze verity
-echo "Root FS from /dev/mapper/$VERITY_NAME is being suspended"
-dmsetup suspend $VERITY_NAME
-
-# Create a writable mapping
-dmsetup create $VERITY_NAME-RW --table "0 $SIZE linear $DATA_DEV 0"
-
-# Mount it
-mount /dev/mapper/$VERITY_NAME-RW /mnt/verity_writable_debug
-echo "Writable root is now avialable at /mnt/verity_writable_debug"
-echo "WARNING: /dev/mapper/$VERITY_NAME is still frozen, system may hang unexpectedly until it is resumed"
-echo " run 'dmsetup resume $VERITY_NAME' to unfreeze"
\ No newline at end of file
diff --git a/SPECS/verity-read-only-root/verity-read-only-root.signatures.json b/SPECS/verity-read-only-root/verity-read-only-root.signatures.json
deleted file mode 100644
index e59cc4b4927..00000000000
--- a/SPECS/verity-read-only-root/verity-read-only-root.signatures.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Signatures": {
- "COPYING": "8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643",
- "create_linear_debug_mount.sh": "8f4684b35ac1341b846bb395aa1c41a0e53ab9e23657663653156f2b094b20ea",
- "module-setup.sh": "c3093b6664963b5588b90508021ff5f6190f64acaec1f010720e1aad6df14929",
- "verity-mount.sh": "bb1dca3ee3f72974d237856393b67e69f8713615548730ea851a7edfc575bf71",
- "verity-parse.sh": "b9c9989503826ac2b4d2360493d3b624e1ea573b49303dfab0e79c181887f333",
- "verity.conf": "f1cbec8e6eabc545a67ac60232f625830432e47a44f903422fcaeb1f6e65e353"
- }
-}
diff --git a/SPECS/verity-read-only-root/verity-read-only-root.spec b/SPECS/verity-read-only-root/verity-read-only-root.spec
deleted file mode 100644
index 5852d59b3fe..00000000000
--- a/SPECS/verity-read-only-root/verity-read-only-root.spec
+++ /dev/null
@@ -1,81 +0,0 @@
-Summary: Dracut module to enable dm-verity read-only roots
-Name: verity-read-only-root
-Version: 1.0
-Release: 2%{?dist}
-License: GPLv2+
-Vendor: Microsoft Corporation
-Distribution: Azure Linux
-Group: System Environment/Base
-URL: https://dracut.wiki.kernel.org/
-Source0: verity.conf
-Source1: 20verity-mount/module-setup.sh
-Source2: 20verity-mount/verity-parse.sh
-Source3: 20verity-mount/verity-mount.sh
-Source4: COPYING
-Source5: create_linear_debug_mount.sh
-Requires: device-mapper
-Requires: dracut
-Requires: grep
-Requires: initramfs
-Requires: kpartx
-Requires: veritysetup
-
-%description
-Dracut module capable of loading a dm-verity read-only root filesystem.
-The module will mount a root FS read-only, and will place tmpfs overlays
-on top of the read-only filesystem automatically. See verity-mount.sh for
-details.
-
-Reminder: Carefully consider the implications for GPLv3 licenced packages
-when using a read-only root file system in conjunction with verified boot
-flows.
-
-%package debug-tools
-Summary: Adds tools to help debug read-only verity root issues
-Group: System Environment/Base
-Requires: %{name} = %{version}-%{release}
-
-%description debug-tools
-Creates a mount point at /mnt/verity_overlay_debug_tmpfs. If
-rd.verityroot.overlays_debug_mount=/mnt/verity_overlay_debug_tmpfs is passed
-to the kernel it will make the writable tmpfs overlays' upper and working
-directories available here (read-only). Useful optimizing what directories
-need writable tmpfs overlays.
-
-Also creates a mount point at /mnt/verity_writable_debug, along with a script
-/mnt/mount_verity_writable.sh which will suspend the verity device and mount
-the underlying verity disk as a writable linear device.
-
-%install
-mkdir -p %{buildroot}%{_sysconfdir}/dracut.conf.d
-install -D -m 0644 %{SOURCE0} %{buildroot}%{_sysconfdir}/dracut.conf.d/
-
-mkdir -p %{buildroot}%{_libdir}/dracut/modules.d/20verity-mount/
-install -p -m 0755 %{SOURCE1} %{buildroot}%{_libdir}/dracut/modules.d/20verity-mount/
-install -p -m 0755 %{SOURCE2} %{buildroot}%{_libdir}/dracut/modules.d/20verity-mount/
-install -p -m 0755 %{SOURCE3} %{buildroot}%{_libdir}/dracut/modules.d/20verity-mount/
-
-cp %{SOURCE4} COPYING
-
-mkdir -p %{buildroot}/mnt/verity_overlay_debug_tmpfs
-mkdir -p %{buildroot}/mnt/verity_writable_debug
-install -p -m 0755 %{SOURCE5} %{buildroot}/mnt/create_linear_mount.sh
-
-%files
-%{_sysconfdir}/dracut.conf.d/verity.conf
-%dir %{_libdir}/dracut/modules.d/20verity-mount
-%{_libdir}/dracut/modules.d/20verity-mount/*
-%license COPYING
-
-%files debug-tools
-%dir /mnt/verity_overlay_debug_tmpfs
-%dir /mnt/verity_writable_debug
-/mnt/create_linear_mount.sh
-
-%changelog
-* Wed Oct 13 2021 Daniel McIlvaney - 1.0-2
-- Add required whitespace before and after module list in verity.conf
-- License verified.
-
-* Fri Dec 11 2020 Daniel McIlvaney - 1.0-1
-- Original version for CBL-Mariner.
diff --git a/SPECS/verity-read-only-root/verity.conf b/SPECS/verity-read-only-root/verity.conf
deleted file mode 100644
index 3cae0aac24b..00000000000
--- a/SPECS/verity-read-only-root/verity.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-add_dracutmodules+=" dm verity-mount "
-add_drivers+=" dm-verity vfat overlay "