Keyring is an encrypted file to store secrets. The encryption key is
derived from the disk decryption passphrase so that the file can be
automatically decrypted and processed during boot.
The keys contained in the keyring file are loaded into the kernel key
store so that they can later be retrieved by other components.
Currently during installation a signing key is generated and stored in
the keyring so that the system can transparently sign RealmFS images
when the user modifies or updates them.

citadel-tool is now installed with a hardlink for each binary tool and
dispatches on the exe path to the tool implementation. This makes
the build faster, uses less disk space, and makes it easier to
create new small tools.

This makes it possible to calculate sha256sum in place on an image file
which has both a header and an appended dm-verity tree. Before, this
required a messy process of extracting the body into a temporary file.

Option takes a string argument which identifies the channel which should
be expected when mounting images. The channel name can optionally be
followed by a colon and a hex encoded public key for the channel.
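
One strict way to parse the option value described in the commit message above, as an added example that is not the project's own code; `ChannelSpec` and `parse_channel_spec` are hypothetical names and the sample values are constructed. A colon followed by a missing or malformed key is rejected instead of being treated as "no key given".

```rust
// Added example (hypothetical names): strict parser for "channel[:hexkey]".
#[derive(Debug, PartialEq)]
pub struct ChannelSpec {
    pub name: String,
    pub pubkey: Option<Vec<u8>>, // decoded key bytes, if a key was given
}

fn hex_val(c: u8) -> Option<u8> {
    match c {
        b'0'..=b'9' => Some(c - b'0'),
        b'a'..=b'f' => Some(c - b'a' + 10),
        b'A'..=b'F' => Some(c - b'A' + 10),
        _ => None,
    }
}

fn decode_hex(s: &str) -> Result<Vec<u8>, String> {
    let b = s.as_bytes();
    if b.is_empty() || b.len() % 2 != 0 {
        return Err(format!("key must be non-empty, even-length hex ({} chars)", b.len()));
    }
    b.chunks(2)
        .map(|p| match (hex_val(p[0]), hex_val(p[1])) {
            (Some(h), Some(l)) => Ok(h << 4 | l),
            _ => Err("key contains a non-hex character".to_string()),
        })
        .collect()
}

pub fn parse_channel_spec(arg: &str) -> Result<ChannelSpec, String> {
    // Split on the first colon only; everything after it must be the key.
    let (name, key) = match arg.split_once(':') {
        Some((n, k)) => (n, Some(k)),
        None => (arg, None),
    };
    if name.is_empty() {
        return Err("channel name is empty".to_string());
    }
    // A present-but-malformed key is an error, never a silent "no key".
    let pubkey = key.map(decode_hex).transpose()?;
    Ok(ChannelSpec { name: name.to_string(), pubkey })
}

fn main() {
    // Constructed sample values.
    for arg in ["dev", "dev:0aff10", "dev:", "dev:xyz1"].iter() {
        println!("{:?} -> {:?}", arg, parse_channel_spec(arg));
    }
}
```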

The initial hashtree is generated during the Yocto build, so we
want to use veritysetup from the path (to use cryptsetup-native)
rather than try to find veritysetup on the build host.