Is it possible to use overlayfs with tdxref-signed? #47

Open
thepinkmile opened this issue Aug 10, 2024 · 2 comments
@thepinkmile

Currently building a minimal reference image, adding this layer for secure boot and an encrypted partition.

I am wondering if there might be a possibility to implement an overlayfs such that I can use my encrypted partition as the writable layer of the fs?
Mainly due to the fact the rootfs will be read-only.

This would also enable me to have a temp solution to provide remote-offline-updates (albeit a hacky one). At least until we can re-evaluate the decision to not use torizon os.

@sergioprado
Collaborator

I have never tried combining dm-verity and overlayfs, but it seems to be possible: see https://docs.kernel.org/filesystems/overlayfs.html#fs-verity-support

Just be aware that this might have some security impacts, as this enables writes to the rootfs at runtime.

@thepinkmile
Author

Will have a look at that link tomorrow when I get to the rootfs testing again.

I believe the idea is to actually use a tmpfs as the writable layer. But to temporarily allow partial updates, we would “commit” these changes via an external mechanism.

However, this is only until we can move over to a better solution (ideally using TorizonOS).
