6607 Commits

Author SHA1 Message Date
Eric Curtin
1aed5d7cf9
Merge pull request #2954 from cgwalters/harden-gvariant-get-data
Harden gvariant get data
2023-07-27 15:41:24 +01:00
Colin Walters
5b37259607 checksum-utils: Add an assertion that buf != NULL
Another hardening against https://bugzilla.redhat.com/show_bug.cgi?id=2217401
2023-07-26 18:09:28 -04:00
Colin Walters
0392b54602 core, switchroot: Harden a bit against g_variant_get_data() == NULL
I'm not totally sure this is the cause of
https://bugzilla.redhat.com/show_bug.cgi?id=2217401
but analyzing the code a bit it seems the most likely.
2023-07-26 18:09:28 -04:00
Eric Curtin
d7d661218e
Merge pull request #2953 from samcday/patch-1
docs: update boot loader spec link
2023-07-26 15:10:27 +01:00
Eric Curtin
66e425534e
Merge pull request #2930 from cgwalters/prepare-root-config3
prepare-root: Introduce ostree/prepare-root.conf && sysroot.readonly improvements
2023-07-26 10:17:35 +01:00
samcday
b5397887e3
docs: update boot loader spec link
2023-07-25 21:42:41 +02:00
Eric Curtin
af52a88d5f
Merge pull request #2952 from cgwalters/silence-variant-lookup
tree-wide: Consistently `(void)g_variant_lookup()`
2023-07-25 17:36:12 +01:00
Colin Walters
13e7ae907d tree-wide: Consistently (void)g_variant_lookup()
Coverity warns when we're checking the return value in most-but-not-all
instances.  The code is correct in these instances; we're initializing
the values to defaults.  So add a `(void)` cast like we are doing
in many other places.
2023-07-25 11:28:23 -04:00
Colin Walters
3465626015 prepare-root: Don't parse target root when composefs enabled
We shouldn't load anything from the target root filesystem *before*
verifying its integrity if composefs is enabled.

In effect, we want to force composefs users to migrate to
`/usr/lib/ostree/prepare-root.conf` which lives in the initramfs.
(But because we enable sysroot.readonly=true if composefs is enabled
 too, they don't actually need to)
2023-07-25 09:15:11 -04:00
Colin Walters
83d37d6d3c prepare-root: Default sysroot.readonly=true if composefs
Not because it's logically required or anything, but because
it's just a good idea.
2023-07-25 09:15:11 -04:00
Colin Walters
22b8e4f953 prepare-root: Introduce ostree/prepare-root.conf
Using the repository configuration for configuration of this
program was always a bit hacky.

But actually with composefs, we really must validate
the target root *before* we parse anything in it.

Let's add a config file for `ostree-prepare-root` that can live
in the initramfs, which will already have been verified.

In the future we'll also add configuration for composefs here.

We expect OS builders to drop this in `/usr/lib/ostree/prepare-root.conf`,
but system local configuration can live in `/etc`.
2023-07-25 09:15:09 -04:00
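Taken together, the three prepare-root commits above describe one loading rule: read prepare-root.conf from the already verified initramfs (/usr/lib/ostree/prepare-root.conf, with a system-local copy under /etc able to override it), and when composefs is enabled, default sysroot.readonly to true and never parse the target root, whose integrity has not been checked yet. The C program below is an added illustration of that rule for this page, not ostree's code: the small keyfile reader stands in for GKeyFile, the `[composefs] enabled` key and the legacy fallback to the target root's repo config `[sysroot] readonly` are assumptions made for the example, and only the two file locations and the sysroot.readonly setting come from the commit messages.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Three-valued setting, in the spirit of the OtTristate the refactor commit mentions. */
enum tristate { TRI_UNSET = -1, TRI_NO = 0, TRI_YES = 1 };

struct prepare_root_cfg {
  enum tristate composefs_enabled;
  enum tristate sysroot_readonly;
  bool target_root_consulted;  /* true if anything was read from the unverified target root */
};

/* Minimal "[section]\nkey = value" reader over an in-memory keyfile (ostree uses GKeyFile;
 * this stand-in is an assumption of the example). Last occurrence wins. Returns
 * TRI_UNSET when the key is absent or its value is not a recognised boolean. */
static enum tristate keyfile_get_bool(const char *text, const char *section, const char *key)
{
  enum tristate result = TRI_UNSET;
  bool in_section = false;
  for (const char *p = text; p && *p; ) {
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    char line[256];
    if (len >= sizeof line) len = sizeof line - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    p = nl ? nl + 1 : NULL;
    char *s = line;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '[') {
      char *close = strchr(s, ']');
      if (close) { *close = '\0'; in_section = strcmp(s + 1, section) == 0; }
      continue;
    }
    char *eq = strchr(s, '=');
    if (!in_section || *s == '#' || !eq) continue;
    *eq = '\0';
    char *v = eq + 1;
    size_t kl = strlen(s);
    while (kl && (s[kl - 1] == ' ' || s[kl - 1] == '\t')) s[--kl] = '\0';
    while (*v == ' ' || *v == '\t') v++;
    if (strcmp(s, key) != 0) continue;
    if (!strcmp(v, "true") || !strcmp(v, "yes") || !strcmp(v, "1")) result = TRI_YES;
    else if (!strcmp(v, "false") || !strcmp(v, "no") || !strcmp(v, "0")) result = TRI_NO;
  }
  return result;
}

/* usr_conf and etc_conf are the contents of /usr/lib/ostree/prepare-root.conf and its
 * /etc override, both shipped in the already verified initramfs (NULL if absent).
 * repo_conf is the target root's repo config: unverified at this point, so it is only
 * read on the legacy non-composefs path. */
static struct prepare_root_cfg
resolve_prepare_root(const char *usr_conf, const char *etc_conf, const char *repo_conf)
{
  struct prepare_root_cfg cfg = { TRI_UNSET, TRI_UNSET, false };
  const char *initramfs_sources[2] = { usr_conf, etc_conf };  /* later entry overrides */
  for (int i = 0; i < 2; i++) {
    enum tristate t;
    if (!initramfs_sources[i]) continue;
    t = keyfile_get_bool(initramfs_sources[i], "composefs", "enabled");
    if (t != TRI_UNSET) cfg.composefs_enabled = t;
    t = keyfile_get_bool(initramfs_sources[i], "sysroot", "readonly");
    if (t != TRI_UNSET) cfg.sysroot_readonly = t;
  }
  if (cfg.composefs_enabled == TRI_YES) {
    /* Integrity of the target root has not been checked: never parse it, and default
     * to a read-only sysroot unless the initramfs config explicitly said otherwise. */
    if (cfg.sysroot_readonly == TRI_UNSET) cfg.sysroot_readonly = TRI_YES;
    return cfg;
  }
  if (cfg.sysroot_readonly == TRI_UNSET && repo_conf) {
    cfg.target_root_consulted = true;
    cfg.sysroot_readonly = keyfile_get_bool(repo_conf, "sysroot", "readonly");
  }
  if (cfg.sysroot_readonly == TRI_UNSET) cfg.sysroot_readonly = TRI_NO;
  return cfg;
}

int main(void)
{
  /* Constructed sample inputs: composefs turned on in the initramfs config, and a
   * target-root repo config that tries to switch readonly off. */
  const char *usr = "[composefs]\nenabled = true\n";
  const char *repo = "[sysroot]\nreadonly = false\n";
  struct prepare_root_cfg c = resolve_prepare_root(usr, NULL, repo);
  printf("composefs=%d readonly=%d target_root_consulted=%d\n",
         c.composefs_enabled, c.sysroot_readonly, c.target_root_consulted);
  return 0;
}
```

The point the sample run makes: with composefs on, the repo config inside the target root is never opened, so its readonly=false has no effect, while the same key placed in the initramfs /etc override is honoured.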
Eric Curtin
250c40a671
Merge pull request #2948 from cgwalters/composefs-more-cleanups
composefs: Use lowerdir in /run
2023-07-25 10:25:29 +01:00
Eric Curtin
3f594b04aa
Merge pull request #2951 from cgwalters/errprefix-sysroot
sysroot: Add a bit more error prefixing
2023-07-24 21:07:28 +01:00
Eric Curtin
5e2eedeec9
Merge pull request #2949 from cgwalters/kargs-cleanup
kernel-args: Move private functions out of public header
2023-07-24 21:06:59 +01:00
Colin Walters
cf525ee619 repo: Clarify when we fail to parse a remote
This would have directly pointed at the failing config file.
2023-07-24 08:54:29 -04:00
Colin Walters
70d790abea sysroot: Add a bit more error prefixing
While an error message I saw was pretty clear, this would
be even more explicit.
2023-07-24 08:48:51 -04:00
Eric Curtin
82da0e169b
Merge pull request #2950 from cgwalters/generator-cleanup
generator: Some cleanup
2023-07-24 10:52:41 +01:00
Colin Walters
d7fe9e54ed kernel-args: Move private functions out of public header
External users can't call `_` prefixed APIs, so move them
to a `-private.h`.
2023-07-23 13:22:14 -04:00
Colin Walters
303e7eb2e1 src/generator: Move all logic into libostree-1.so
This pushes down the code for parsing the `ostree=` cmdline
in the generator into code that's part of libostree-1.so.

This is prep for using logic shared in libotcore.la.

But in general it's just cleaner to also keep the binary
entrypoint to just be a trampoline into the C library.
2023-07-23 10:47:19 -04:00
Colin Walters
ec1109c7a9 generator: Stop creating /run/ostree-booted
This must have always been dead code.  We're trying to iterate
towards a place where it's only `ostree-prepare-root.c` which
parses the `ostree=` kernel argument, and canonically sets up
`/run/ostree-booted`.
2023-07-23 10:40:20 -04:00
Colin Walters
64afbcdeb0 composefs: Use lowerdir in /run
I just noticed that this was another constant string duplicated
between prepare-root.c and libostree-1.so, and I went to make
it a common `#define` in libotcore.la.

But then I thought "it's ugly to have this directory mixed into
the deployment namespace" because in some theoretical world
it could also be in the ostree commit, which would cause weird
behavior.

I think this is transient state that is better in `/run`, so move
it there.
2023-07-22 16:46:17 -04:00
Eric Curtin
4c0e5b1ef7
Merge pull request #2942 from ostreedev/android-bootloader-parsing
bootloader: fold all Android Bootloader specific logic into prepare-root
2023-07-20 21:58:11 +01:00
Colin Walters
a035c2e21c
Merge pull request #2946 from cgwalters/add-inode-fix-feature
Add an always-on `inode64` feature
2023-07-20 15:12:31 -04:00
Colin Walters
8ce7bbe199 Add an always-on inode64 feature
As I (and others) will be backporting the fix in
de6fddc6ad
pretty far, I want a way for sysadmins and OS builders to
be able to reliably see when their version of ostree has this fix
(Because comparing version numbers isn't portable).
2023-07-20 13:50:25 -04:00
Eric Curtin
c89baaed77 bootloader: fold all Android Bootloader specific logic into prepare-root
Now that we use androidboot.slot_suffix karg to determine whether we
boot into /ostree/root.a or /ostree/root.b, we can use ostree= karg
simply for parsing the stateroot, although we will still boot into
what's pointed to by /ostree/root.a or /ostree/root.b.
2023-07-20 12:31:01 +01:00
Joseph Marrero Corchado
559361655d
Merge pull request #2943 from cgwalters/mount-cleanup
prepare-root: Drop code mounting `/proc`
2023-07-19 10:35:27 -04:00
Joseph Marrero Corchado
253e7758d3
Merge pull request #2944 from cgwalters/prepare-root-more-cleanup
prepare-root: Drop more dead code
2023-07-19 10:34:46 -04:00
Colin Walters
e61226a8d7 prepare-root: Drop more dead code
Most of this was used for the old composefs signature model.  We
now reuse the core signature code and link to glib, so we don't
need reimplementations of hex strings and reading files.
2023-07-19 09:13:53 -04:00
Colin Walters
41cda3bd2a prepare-root: Drop code mounting /proc
This must be done by the init process here; it was always
dead code in the initramfs path.

We keep the copy of this code in the now-forked -static.c.
2023-07-19 09:12:10 -04:00
Eric Curtin
b258375f05
Merge pull request #2938 from cgwalters/dedup-ostree-parsing
generator: Deduplicate ostree= karg parsing
2023-07-18 14:35:45 +01:00
Eric Curtin
b548ff74a2
Merge pull request #2939 from cgwalters/ed25519-cleanups
sign-ed25519: Minor cleanups
2023-07-18 14:33:58 +01:00
Colin Walters
6966979c5e generator: Deduplicate ostree= karg parsing
Avoid having two copies of a regular expression for parsing
the `ostree=` kernel argument.  Because the `ostree-system-generator`
binary already has access to the internals because it's implemented
in the shared library, expose the sysroot version internally
and use that.

Motivated by an attempt to change one of these copies but not
the other.
2023-07-18 08:29:09 -04:00
Colin Walters
fc303da67d sign-ed25519: Don't set sk unless we've validated it
The semantics of this function now keep the key assigned
even if we fail to validate it, which is ugly.  Only assign
the key after verifying its length.
2023-07-18 08:25:36 -04:00
Colin Walters
3a18a5570d sign-ed25519: Add some comments for data structure
Like poor man's generics.
2023-07-18 07:55:14 -04:00
Colin Walters
fb40e55990 sign-ed25519: More verbose errors for invalid length
Add a helper to compare lengths which includes the found
and expected values.  Use it consistently.

The error message "Incorrect" is misleading; one might think
one had the *wrong* key.  "Ill-formed" makes it clearer that
we're not parsing it at all.
2023-07-18 07:55:14 -04:00
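The two sign-ed25519 commits above (assign the key only after its length is verified; report both the found and the expected length, and call the input "Ill-formed" rather than "Incorrect") amount to one small pattern. The C program below is an added example written for this page, not ostree's code: the struct, function names and the exact error wording are invented for illustration, and the 32-byte public key and 64-byte secret key sizes are the standard Ed25519 sizes rather than anything stated in the commits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard Ed25519 sizes: 32-byte public key, 64-byte secret key (seed || public). */
#define ED25519_PK_LEN 32
#define ED25519_SK_LEN 64

/* One struct for both key kinds, "poor man's generics" as the commit puts it. */
struct ot_key {
  const uint8_t *data;   /* caller-owned bytes, NULL until successfully set */
  size_t len;
  const char *kind;      /* "public key" / "secret key", for messages */
  size_t expected_len;
};

static struct ot_key make_key(const char *kind, size_t expected_len)
{
  struct ot_key k = { NULL, 0, kind, expected_len };
  return k;
}

/* Length-comparison helper: on mismatch it writes an "Ill-formed" message that
 * carries both the found and the expected value, so the user learns the input
 * was not parsed at all rather than that a wrong (but valid) key was supplied. */
static bool check_len(const char *what, size_t found, size_t expected, char *err, size_t errlen)
{
  if (found == expected) return true;
  snprintf(err, errlen, "Ill-formed %s: expected %zu bytes, found %zu", what, expected, found);
  return false;
}

/* Before: the key is stored first and checked afterwards, so a failed call
 * leaves the signer holding a pointer to the rejected data. */
static bool set_key_assign_then_check(struct ot_key *k, const uint8_t *buf, size_t len,
                                      char *err, size_t errlen)
{
  k->data = buf;
  k->len = len;
  return check_len(k->kind, len, k->expected_len, err, errlen);
}

/* After: nothing is assigned unless the length is exactly right. */
static bool set_key(struct ot_key *k, const uint8_t *buf, size_t len, char *err, size_t errlen)
{
  if (!check_len(k->kind, len, k->expected_len, err, errlen))
    return false;
  k->data = buf;
  k->len = len;
  return true;
}

int main(void)
{
  uint8_t short_pk[ED25519_PK_LEN - 1] = { 0 };  /* constructed input: one byte short */
  char err[128] = "";
  struct ot_key pk = make_key("public key", ED25519_PK_LEN);
  if (!set_key(&pk, short_pk, sizeof short_pk, err, sizeof err))
    printf("%s; key stored: %s\n", err, pk.data ? "yes" : "no");
  return 0;
}
```

A caller that ignores the return value of set_key_assign_then_check and goes on to sign ends up using whatever bytes were passed in; with set_key the signer's key stays NULL and a later use fails loudly instead.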
Colin Walters
1a2fac371b tests: Remove dead references to "SEED"
Nothing uses this.
2023-07-18 07:55:14 -04:00
Colin Walters
1c0fd7d458
Merge pull request #2937 from ericcurtin/ostree2androidboot.slot_suffix
android-boot: Remove dependency on ostree= karg, use androidboot.slot_suffix=
2023-07-17 09:46:02 -04:00
Eric Curtin
355cd72705 Remove steal_pointer and steal_pointer_impl as we link in glib now
These were necessary to keep initramfs small, but now we link in glib
anyway so these functions are now redundant.
2023-07-17 13:23:27 +01:00
Eric Curtin
a6f0a57134 android-boot: Remove dependency on ostree= karg, use androidboot.slot_suffix=
Given the kernel argument androidboot.slot_suffix= is required in
Android AB updates [1] there is no need to check for ostree= or ostree=aboot
at all in the aboot case. This also ensures if the dependency on ostree=
is removed, the android-boot technique will work regardless.

[1]: https://source.android.com/docs/core/ota/ab/ab_implement
2023-07-17 13:22:49 +01:00
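The androidboot.slot_suffix= commits above, together with the earlier "Deduplicate ostree= karg parsing" commit, describe the resulting boot-selection rule: when a slot suffix is present, the slot alone chooses /ostree/root.a or /ostree/root.b and ostree= is consulted only for the stateroot; otherwise ostree= must be present and well formed. The C program below is an added example for this page, not ostree's code (ostree parses ostree= with a regular expression inside libostree-1.so): the command-line tokenizer, the function names and the assumption that an ostree= value looks like /ostree/boot.N/<stateroot>/<checksum>/<serial> are the example's own; the _a/_b suffix values follow the Android A/B documentation linked in the commit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Look up key=value in a kernel command line. Honours double-quoted values and,
 * like the kernel, lets the last occurrence win. Returns false if key is absent. */
static bool karg_get(const char *cmdline, const char *key, char *out, size_t outlen)
{
  size_t klen = strlen(key);
  bool found = false;
  const char *p = cmdline;
  while (*p) {
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    if (!*p) break;
    const char *start = p;
    bool quoted = false;
    while (*p && (quoted || (*p != ' ' && *p != '\t' && *p != '\n'))) {
      if (*p == '"') quoted = !quoted;
      p++;
    }
    size_t alen = (size_t)(p - start);
    if (alen > klen && strncmp(start, key, klen) == 0 && start[klen] == '=') {
      const char *v = start + klen + 1;
      size_t vlen = alen - klen - 1;
      if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') { v++; vlen -= 2; }
      if (vlen >= outlen) vlen = outlen - 1;
      memcpy(out, v, vlen);
      out[vlen] = '\0';
      found = true;
    }
  }
  return found;
}

/* Pull the stateroot out of an ostree= value shaped like (assumed layout)
 * /ostree/boot.N/<stateroot>/<checksum>/<serial>; any other shape is rejected. */
static bool ostree_karg_stateroot(const char *value, char *out, size_t outlen)
{
  static const char prefix[] = "/ostree/boot.";
  if (strncmp(value, prefix, sizeof prefix - 1) != 0) return false;
  const char *p = strchr(value + sizeof prefix - 1, '/');
  if (!p) return false;
  p++;
  const char *end = strchr(p, '/');
  if (!end || end == p) return false;
  size_t len = (size_t)(end - p);
  if (len >= outlen) return false;
  memcpy(out, p, len);
  out[len] = '\0';
  return true;
}

/* Android A/B: androidboot.slot_suffix=_a selects /ostree/root.a and _b selects
 * /ostree/root.b; any other suffix is refused rather than guessed. */
static bool android_slot_root(const char *suffix, char *out, size_t outlen)
{
  if (strcmp(suffix, "_a") == 0) return snprintf(out, outlen, "/ostree/root.a") < (int)outlen;
  if (strcmp(suffix, "_b") == 0) return snprintf(out, outlen, "/ostree/root.b") < (int)outlen;
  return false;
}

struct boot_target { char root[128]; char stateroot[64]; };

/* Decide what prepare-root should boot into. With androidboot.slot_suffix= present the
 * slot alone picks the root and ostree= (even a legacy ostree=aboot) only contributes
 * the stateroot; otherwise ostree= is mandatory and its value is the boot link to follow. */
static bool resolve_boot_target(const char *cmdline, struct boot_target *t)
{
  char ostree[128], slot[16];
  bool have_ostree = karg_get(cmdline, "ostree", ostree, sizeof ostree);
  bool have_stateroot = have_ostree && ostree_karg_stateroot(ostree, t->stateroot, sizeof t->stateroot);
  if (!have_stateroot) t->stateroot[0] = '\0';
  if (karg_get(cmdline, "androidboot.slot_suffix", slot, sizeof slot))
    return android_slot_root(slot, t->root, sizeof t->root);
  if (!have_stateroot) return false;  /* a non-Android boot needs a well-formed ostree= */
  return snprintf(t->root, sizeof t->root, "%s", ostree) < (int)sizeof t->root;
}

int main(void)
{
  /* Constructed sample command lines. */
  const char *lines[] = {
    "console=ttyS0 ostree=/ostree/boot.1/fedora/0123abcd/0 quiet",
    "ostree=/ostree/boot.1/fedora/0123abcd/0 androidboot.slot_suffix=_b",
    "ostree=aboot androidboot.slot_suffix=_a",
    "ostree=/etc/passwd",
  };
  for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
    struct boot_target t;
    if (resolve_boot_target(lines[i], &t))
      printf("%s\n  -> root=%s stateroot=%s\n", lines[i], t.root, t.stateroot[0] ? t.stateroot : "(none)");
    else
      printf("%s\n  -> rejected\n", lines[i]);
  }
  return 0;
}
```

Keeping the tokenizer, the ostree= shape check and the slot mapping in separate functions is the practical reason behind the deduplication commit: a rule that lives in one place cannot drift between the generator and prepare-root.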
Eric Curtin
27a9fe30b3
Merge pull request #2936 from cgwalters/sign-from-file
commit: Add `--sign-from-file`
2023-07-16 22:22:20 +01:00
Eric Curtin
7bbe13cabb
Merge pull request #2931 from cgwalters/prepare-root-man
man: Add ostree-prepare-root
2023-07-16 21:59:32 +01:00
Eric Curtin
de81a7e71a
Merge pull request #2929 from cgwalters/prepare-root-drop-pivot
prepare-root: Drop dead `pivot_root` code
2023-07-15 17:33:56 +01:00
Eric Curtin
8302a8add0
Merge pull request #2927 from cgwalters/sysroot-errprefix-bootlinks
sysroot: Add some error prefixing for bootversion
2023-07-15 17:31:53 +01:00
Colin Walters
845d68d1d4
Merge pull request #2935 from cgwalters/prepare-root-config4
prepare-root: Refactor composefs config handling
2023-07-15 09:52:11 -04:00
Colin Walters
82d934916b commit: Add --sign-from-file
Passing the private key via a direct command line argument
is just a bad idea because it's highly likely to get logged
or appear in `ps`.
Spotted in review of work for composefs signatures.
2023-07-15 09:50:40 -04:00
Colin Walters
d4ca834b09 prepare-root: Refactor composefs config handling
- Convert the current enum into a struct, using `OtTristate` and
  two member variables (expected signature and digest)
- Factor out a helper function to parse this config
- Clean up the logging by consistently using `composefs:` as a prefix
- Add more assertions to more strictly verify our runtime state
  since this is security relevant
2023-07-14 14:37:03 -04:00
Eric Curtin
18d6f59793
Merge pull request #2934 from cgwalters/enable-composefs-default
build-sys: Enable composefs at *build time* by default
2023-07-14 16:40:42 +01:00
Colin Walters
592351d1b0 build-sys: Enable composefs at *build time* by default
There's no additional dependencies, and it's a small amount
of new code.

The riskiest thing is the changes to ostree-prepare-root, but
I believe that things are in a good state now there.

Again, this just enables it at *build time* - it's still
off at runtime by default.
2023-07-14 10:34:46 -04:00
Colin Walters
3d29f89c0e
Merge pull request #2928 from cgwalters/prepare-root-config
More prepare-root cleanups
2023-07-14 10:26:25 -04:00
Eric Curtin
c1ac6bc346
Merge pull request #2932 from cgwalters/aboot-fix-nullderef
mount: Fix gcc -fanalyzer warning for parsing androidboot.slot_suffix
2023-07-14 13:48:17 +01:00