Skip to content

Commit

Permalink
checkout: Only verify digest if repo requires fsverity
Browse files Browse the repository at this point in the history
Fixes a regression from the previous commit; in
the case where the target repo doesn't have composefs in
signed mode there's no reason to verify the digest
at checkout time because we aren't verifying it at
boot time either.

The regression is in cases that use rpm-ostree e.g.
where as of recently we unconditionally add the composefs
digest, but for e.g. FCOS we aren't deploying with fsverity
enabled.

Closes: ostreedev#3330

Signed-off-by: Colin Walters <[email protected]>
  • Loading branch information
cgwalters committed Oct 30, 2024
1 parent 841c8a6 commit 7f9da52
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 3 deletions.
11 changes: 8 additions & 3 deletions src/libostree/ostree-repo-checkout.c
Original file line number Diff line number Diff line change
Expand Up @@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
return FALSE;

/* If the commit specified a composefs digest, verify it */
if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
return FALSE;
/* If the commit specified a composefs digest and the target is known to have fsverity,
* then double check our ouptut.
*/
if (verity == OT_TRISTATE_YES)
{
if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
return FALSE;
}

if (!glnx_fchmod (tmpf.fd, 0644, error))
return FALSE;
Expand Down
10 changes: 10 additions & 0 deletions tests/test-composefs.sh
Original file line number Diff line number Diff line change
Expand Up @@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
tap_ok "checkout composefs noverity"

# Test with a corrupted composefs digest
$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
'--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
fatal "checked out composefs with mismatched digest"
fi
assert_file_has_content_literal err.txt "doesn't match expected digest"
tap_ok "checkout composefs bad digest"

tap_end

0 comments on commit 7f9da52

Please sign in to comment.