This pushes down the code for parsing the `ostree=` cmdline
in the generator into code that's part of libostree-1.so.
This is prep for using logic shared in libotcore.la.
But in general it's just cleaner to also keep the binary
entrypoint to just be a trampoline into the C library.

This must have always been dead code. We're trying to iterate
towards a place where it's only `ostree-prepare-root.c` which
parses the `ostree=` kernel argument, and canonically sets up
`/run/ostree-booted`.

I just noticed that this was another constant string duplicated
between prepare-root.c and libostree-1.so, and I went to make
it a common `#define` in libotcore.la.
But then I thought "it's ugly to have this directory mixed into
the deployment namespace" because in some theoretical world
it could also be in the ostree commit, which would cause weird
behavior.
I think this is transient state that is better in `/run`, so move
it there.

As I (and others) will be backporting the fix in
de6fddc6ad
pretty far, I want a way for sysadmins and OS builders to
be able to reliably see when their version of ostree has this fix
(because comparing version numbers isn't portable).

Now that we use the androidboot.slot_suffix karg to determine whether we
boot into /ostree/root.a or /ostree/root.b, we can use the ostree= karg
simply for parsing the stateroot, although we will still boot into
what's pointed to by /ostree/root.a or /ostree/root.b.

Most of this was used for the old composefs signature model. We
now reuse the core signature code and link to glib, so we don't
need reimplementations of hex strings and reading files.

Avoid having two copies of a regular expression for parsing
the `ostree=` kernel argument. Because the `ostree-system-generator`
binary already has access to the internals because it's implemented
in the shared library, expose the sysroot version internally
and use that.
Motivated by an attempt to change one of these copies but not
the other.

The semantics of this function now keep the key assigned
even if we fail to validate it, which is ugly. Only assign
the key after verifying its length.

Add a helper to compare lengths which includes the found
and expected values. Use it consistently.

The error message "Incorrect" is misleading; one might think
one had the *wrong* key. "Ill-formed" makes it clearer that
we're not parsing it at all.

Given the kernel argument androidboot.slot_suffix= is required in
Android AB updates [1], there is no need to check for ostree= or ostree=aboot
at all in the aboot case. This also ensures that if the dependency on ostree=
is removed, the android-boot technique will work regardless.

[1]: https://source.android.com/docs/core/ota/ab/ab_implement

Passing the private key via a direct command line argument
is just a bad idea because it's highly likely to get logged
or appear in `ps`.
Spotted in review of work for composefs signatures.

- Convert the current enum into a struct, using `OtTristate` and
  two member variables (expected signature and digest)
- Factor out a helper function to parse this config
- Clean up the logging by consistently using `composefs:` as a prefix
- Add more assertions to more strictly verify our runtime state
  since this is security relevant

There are no additional dependencies, and it's a small amount
of new code.
The riskiest thing is the changes to ostree-prepare-root, but
I believe that things are in a good state now there.
Again, this just enables it at *build time* - it's still
off at runtime by default.

I think this was only ever used in the "static pid1" path which
is now split out into a separate file.
We always expect that e.g. systemd does the switchroot in
the initramfs, so drop this dead code.

Since we now have a generalized, more structured way of serializing
state in the initramfs instead of "stamp files", use it for
passing the composefs state.
Particularly for the signature case, having this metadata
acts as a reliable "proof of execution" of the signature verification
code (as opposed to parsing a log file or so).
Besides that, this is also just a stronger check for "we're using
composefs" instead of checking for "overlayfs on /".