checkout: Only verify digest if repo requires fsverity

Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled. Closes: https://github.com/ostreedev/ostree/issues/3330 Signed-off-by: Colin Walters <walters@verbum.org>
2025-03-10 16:58:43 +03:00 · 2024-10-30 10:07:26 -04:00 · 2024-10-30 10:07:26 -04:00 · 6ed1f83ab8
commit 6ed1f83ab8
parent ab8a7f7855
3 changed files with 19 additions and 4 deletions
--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
  if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
    return FALSE;

-  /* If the commit specified a composefs digest, verify it */
-  if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
-    return FALSE;
+  /* If the commit specified a composefs digest and the target is known to have fsverity,
+   * then double check our ouptut.
+   */
+  if (verity == OT_TRISTATE_YES)
+    {
+      if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+        return FALSE;
+    }

  if (!glnx_fchmod (tmpf.fd, 0644, error))
    return FALSE;
--- a/tests/inst/src/composefs.rs
+++ b/tests/inst/src/composefs.rs
@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
                return Ok(());
            }
            {
-                let fstype = cmd!(sh, "stat -f / -c %T").read()?;
+                let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
                if fstype.trim() == "xfs" {
                    println!("SKIP no xfs fsverity yet");
                    return Ok(());
--- a/tests/test-composefs.sh
+++ b/tests/test-composefs.sh
@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"

+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+    '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+    fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end