shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-01-03 05:18:24 +03:00
Code Issues Projects Releases Wiki Activity

prepare-root: Add composefs.enabled=verity

Browse Source
This commit is contained in:
Misaki Kasumi 2024-12-16 19:41:21 +08:00 committed by Colin Walters
parent ec363ade9d
commit 881c88162a
5 changed files with 35 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/composefs.md
View File

@ -40,6 +40,18 @@ and specify an Ed25519 public key to validate the booted commit.
See the manpage for `ostree-prepare-root` for details of how to configure it. See the manpage for `ostree-prepare-root` for details of how to configure it.
### Integrity of backing OSTree objects
In `ostree/prepare-root.conf`, if `composefs.enabled` is set to `signed` or `verity`,
before the content of a file in the mounted composefs is read,
the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`.
This can ensure the integrity of the "backing store".
The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying.
It is necessary to ensure all OSTree objects referenced have digests stored in `.ostree.cfs`.
This can be achieved when [committing](#injecting-composefs-digests),
or you have to set `ex-integrity.fsverity` to `true` for the OSTree repo.
### Injecting composefs digests ### Injecting composefs digests
When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata` When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata`

13
man/ostree-prepare-root.xml
View File

@ -138,10 +138,15 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
<varlistentry> <varlistentry>
<term><varname>composefs.enabled</varname></term> <term><varname>composefs.enabled</varname></term>
<listitem><para>This can be <literal>yes</literal>, <literal>no</literal>, <literal>maybe</literal>, <listitem><para>This can be <literal>yes</literal>, <literal>no</literal>, <literal>maybe</literal>,
or <literal>signed</literal>. The default is <literal>no</literal>. If set to <literal>yes</literal> or <literal>signed</literal>, or <literal>verity</literal>. The default is <literal>no</literal>.
<literal>signed</literal>, then composefs is always used, and the boot fails if it is not If set to <literal>yes</literal>, <literal>signed</literal>, or <literal>verity</literal>,
available. Additionally if set to <literal>signed</literal>, boot will fail if the image cannot be then composefs is always used, and the boot fails if it is not available.
validated by a public key. Setting this to <literal>maybe</literal> is currently equivalent to <literal>no</literal>. If set to <literal>signed</literal> or <literal>verity</literal>,
before the content of a file is read,
the integrity of its backing OSTree object is validated by the digest stored in the image.
Additionally, if set to <literal>signed</literal>, boot will fail if the image cannot be
validated by a public key.
Setting this to <literal>maybe</literal> is currently equivalent to <literal>no</literal>.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

8
src/libotcore/otcore-prepare-root.c
View File

@ -178,8 +178,15 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo
if (g_strcmp0 (enabled, "signed") == 0) if (g_strcmp0 (enabled, "signed") == 0)
{ {
ret->enabled = OT_TRISTATE_YES; ret->enabled = OT_TRISTATE_YES;
ret->require_verity = true;
ret->is_signed = true; ret->is_signed = true;
} }
else if (g_strcmp0 (enabled, "verity") == 0)
{
ret->enabled = OT_TRISTATE_YES;
ret->require_verity = true;
ret->is_signed = false;
}
else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY, else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY,
OTCORE_PREPARE_ROOT_ENABLED_KEY, OTCORE_PREPARE_ROOT_ENABLED_KEY,
OT_TRISTATE_MAYBE, &ret->enabled, error)) OT_TRISTATE_MAYBE, &ret->enabled, error))
@ -227,6 +234,7 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo
{ {
ret->enabled = OT_TRISTATE_YES; ret->enabled = OT_TRISTATE_YES;
ret->is_signed = true; ret->is_signed = true;
ret->require_verity = true;
} }
else else
{ {

1
src/libotcore/otcore.h
View File

@ -52,6 +52,7 @@ GKeyFile *otcore_load_config (int rootfs, const char *filename, GError **error);
typedef struct typedef struct
{ {
OtTristate enabled; OtTristate enabled;
gboolean require_verity;
gboolean is_signed; gboolean is_signed;
char *signature_pubkey; char *signature_pubkey;
GPtrArray *pubkeys; GPtrArray *pubkeys;

5
src/switchroot/ostree-prepare-root.c
View File

@ -452,10 +452,15 @@ main (int argc, char *argv[])
expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1); expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1);
ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v)); ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v));
g_assert (composefs_config->require_verity);
cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
g_print ("composefs: Verifying digest: %s\n", expected_digest); g_print ("composefs: Verifying digest: %s\n", expected_digest);
cfs_options.expected_fsverity_digest = expected_digest; cfs_options.expected_fsverity_digest = expected_digest;
} }
else if (composefs_config->require_verity)
{
cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
}
if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0) if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0)
{ {