Merge pull request #2988 from cgwalters/prepare-root-binding-key

prepare-root: Minor clarifications
This commit is contained in:
Eric Curtin 2023-08-16 23:20:15 +01:00 committed by GitHub
commit 55121cc4df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 3 deletions


@ -60,7 +60,7 @@ The exact usage of the signature is up to the user, but a common way
to use it with transient keys. This is done like this:
* Generate a new keypair before each build
* Embed the public key in the initrd that is part of the commit.
* Ensure the initrd has a `prepare-root.conf` with `keyfile=/path/to/key`
* Ensure the initrd has a `prepare-root.conf` with `[composefs] enabled=signed`, and either use `keypath` or inject `/etc/ostree/initramfs-root-binding.key`; for more see `man ostree-prepare-root`
* After committing, run `ostree --sign` with the private key.
* Throw away the private key.


@ -80,7 +80,11 @@
const char *config_roots[] = { "/usr/lib", "/etc" };
#define PREPARE_ROOT_CONFIG_PATH "ostree/prepare-root.conf"
#define DEFAULT_KEYPATH "/etc/ostree/initramfs-root-binding.key"
// This key is used by default if present in the initramfs to verify
// the signature on the target commit object. When composefs is
// in use, the ostree commit metadata will contain the composefs image digest,
// which can be used to fully verify the target filesystem tree.
#define BINDING_KEYPATH "/etc/ostree/initramfs-root-binding.key"
#define SYSROOT_KEY "sysroot"
#define READONLY_KEY "readonly"
@ -300,6 +304,7 @@ free_composefs_config (ComposefsConfig *config)
G_DEFINE_AUTOPTR_CLEANUP_FUNC (ComposefsConfig, free_composefs_config)
// Parse the [composefs] section of the prepare-root.conf.
static ComposefsConfig *
load_composefs_config (GKeyFile *config, GError **error)
{
@ -317,7 +322,8 @@ load_composefs_config (GKeyFile *config, GError **error)
OT_TRISTATE_MAYBE, &ret->enabled, error))
return NULL;
if (!ot_keyfile_get_value_with_default (config, COMPOSEFS_KEY, KEYPATH_KEY, DEFAULT_KEYPATH,
// Look for a key - we default to the initramfs binding path.
if (!ot_keyfile_get_value_with_default (config, COMPOSEFS_KEY, KEYPATH_KEY, BINDING_KEYPATH,
&ret->signature_pubkey, error))
return NULL;
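Review bot: After the call with `BINDING_KEYPATH` as the default, `ret->signature_pubkey` is non-NULL in every configuration, including when `[composefs] enabled` is not `signed`, so a set key path no longer tells later code that the user asked for signature verification; whatever consumes `signature_pubkey` has to gate on `ret->enabled` instead, and that consumer is outside this hunk (load_composefs_config continues past it), so I can only flag this rather than confirm a bug. I would extend the new comment to say so: `// Look for a key - we default to the initramfs binding path. This is set even when signing is not enabled; consumers must check ret->enabled.` The `BINDING_KEYPATH` comment in the first hunk explains what the key verifies but not where its own trust comes from; a sentence noting that the key is only as trustworthy as the initramfs carrying it (which is presumably verified by an earlier boot stage such as Secure Boot — confirm) would make the trust chain explicit for readers, since an attacker able to alter the initramfs could otherwise substitute the key.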