mirror of
https://github.com/ostreedev/ostree.git
synced 2024-12-22 17:35:55 +03:00
Merge pull request #3331 from cgwalters/verity-no-verity
checkout: Only verify digest if repo requires fsverity
commit
5a262340e7
@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
|
||||
if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
/* If the commit specified a composefs digest, verify it */
|
||||
if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
|
||||
return FALSE;
|
||||
/* If the commit specified a composefs digest and the target is known to have fsverity,
|
||||
* then double check our ouptut.
|
||||
*/
|
||||
if (verity == OT_TRISTATE_YES)
|
||||
{
|
||||
if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (!glnx_fchmod (tmpf.fd, 0644, error))
|
||||
return FALSE;
|
||||
|
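Review bot: The comment above `if (verity == OT_TRISTATE_YES)` does not explain why the comparison is skipped in the other states, and it misspells "output" as `ouptut`. With this change, a commit whose metadata carries a composefs digest is checked out with no comparison unless `verity` is `OT_TRISTATE_YES`, so a mismatch in the remaining states goes unreported. If the reason is that the generated image digest is only expected to match when fsverity is in use (an assumption; the hunk does not show it), the comment should say so, for example `/* Without fsverity the image digest is not expected to match the commit's; only compare when the repo requires it. */`. A debug-level message when `metadata_composefs` is set but the comparison is skipped would also make the skipped check visible to operators. The body of `ostree_repo_checkout_composefs` starts and ends outside the hunk.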
@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
|
||||
return Ok(());
|
||||
}
|
||||
{
|
||||
let fstype = cmd!(sh, "stat -f / -c %T").read()?;
|
||||
let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
|
||||
if fstype.trim() == "xfs" {
|
||||
println!("SKIP no xfs fsverity yet");
|
||||
return Ok(());
|
||||
|
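Review bot: The `stat -f /sysroot -c %T` call needs a short comment saying why `/sysroot` is queried instead of `/`. Presumably `/` on a composefs deployment is not the backing filesystem, so the `xfs` skip would never trigger there; a line such as `// Query the physical root; "/" may be the composefs mount.` above the `cmd!` call would record that. This assumes the `/sysroot` line is the new side, since the rendered page has lost its `+`/`-` markers. `itest_composefs` starts and ends outside the hunk.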
@ -1,36 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -xeuo pipefail
|
||||
|
||||
. ${KOLA_EXT_DATA}/libinsttest.sh
|
||||
|
||||
require_writable_sysroot
|
||||
prepare_tmpdir
|
||||
|
||||
bootupd_state=/boot/bootupd-state.json
|
||||
mount -o remount,rw /boot
|
||||
if grep -qFe "\"static-configs\"" "${bootupd_state}"; then
|
||||
echo "Host is using static configs already, overriding this"
|
||||
jq --compact-output '.["static-configs"] = null' < "${bootupd_state}" > "${bootupd_state}".new
|
||||
mv "${bootupd_state}.new" "${bootupd_state}"
|
||||
fi
|
||||
|
||||
# Print the current value for reference, it's "none" on FCOS derivatives
|
||||
ostree config get sysroot.bootloader || true
|
||||
ostree config set sysroot.bootloader auto
|
||||
|
||||
ostree admin deploy --stage "${host_commit}"
|
||||
systemctl stop ostree-finalize-staged.service
|
||||
used_bootloader=$(journalctl -u ostree-finalize-staged -o json MESSAGE_ID=dd440e3e549083b63d0efc7dc15255f1 | tail -1 | jq -r .OSTREE_BOOTLOADER)
|
||||
# We're verifying the legacy default now
|
||||
assert_streq "${used_bootloader}" "grub2"
|
||||
ostree admin undeploy 0
|
||||
|
||||
# Now synthesize a bootupd config which uses static configs
|
||||
jq '. + {"static-configs": {}}' < "${bootupd_state}" > "${bootupd_state}".new
|
||||
mv "${bootupd_state}.new" "${bootupd_state}"
|
||||
ostree admin deploy --stage "${host_commit}"
|
||||
systemctl stop ostree-finalize-staged.service
|
||||
used_bootloader=$(journalctl -u ostree-finalize-staged -o json MESSAGE_ID=dd440e3e549083b63d0efc7dc15255f1 | tail -1 | jq -r .OSTREE_BOOTLOADER)
|
||||
assert_streq "${used_bootloader}" "none"
|
||||
|
||||
echo "ok bootupd static"
|
@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
|
||||
assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
|
||||
tap_ok "checkout composefs noverity"
|
||||
|
||||
# Test with a corrupted composefs digest
|
||||
$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
|
||||
'--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
|
||||
, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
|
||||
if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
|
||||
fatal "checked out composefs with mismatched digest"
|
||||
fi
|
||||
assert_file_has_content_literal err.txt "doesn't match expected digest"
|
||||
tap_ok "checkout composefs bad digest"
|
||||
|
||||
tap_end
|
||||
|
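Review bot: The bad-digest case only passes while the digest comparison actually runs, and the checkout change in this same commit now restricts that comparison to `verity == OT_TRISTATE_YES`. The hunk does not show how the test repo's fsverity setting is configured, so confirm that this case runs with fsverity required; otherwise the `checkout --composefs` would succeed and reach `fatal`. There is also no case for the newly permitted path, a mismatched `ostree.composefs.digest.v0` on a repo that does not require fsverity, which should now check out successfully. Adding that case, with its own `tap_ok`, would pin the relaxed behaviour and show if the check is ever loosened further by accident.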