WIP: Add support for 'rootfs: verity'

I'd like to experiment with fs-verity.
coreos · Oct 27, 2019 · ee76fd3 · ee76fd3
1 parent 6bedd01
commit ee76fd3
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal
@@ -165,7 +165,11 @@ kargs="$kargs $tty ignition.platform.id=$ignition_platform_id"
 
 ostree_remote="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("ostree-remote", "NONE"))' < "$configdir/image.yaml")"
 save_var_subdirs="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("save-var-subdirs-for-selabel-workaround", "NONE"))' < "$configdir/image.yaml")"
-luks_flag="$(python3 -c 'import sys, yaml; lf=yaml.safe_load(sys.stdin).get("luks_rootfs", ""); print("--luks-rootfs" if lf.lower() in ("yes", "true") else "")' < "$configdir/image.yaml")"
+# First parse the old luks_rootfs flag
+rootfs_type="$(python3 -c 'import sys, yaml; lf=yaml.safe_load(sys.stdin).get("luks_rootfs", ""); print("luks" if lf.lower() in ("yes", "true") else "")' < "$configdir/image.yaml")"
+if [ -z "${rootfs_type}" ]; then
+    rootfs_type="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("rootfs", "xfs"))' < "$configdir/image.yaml")"
+fi
 
 qemu-img create -f ${image_format} "${path}.tmp" "$size"
 # We support deploying a commit directly instead of a ref
@@ -179,6 +183,7 @@ if [[ $image_format == raw && $image_type == dasd ]]; then
                     # we need 4096 block size for ECKD DASD
                     "-device" "virtio-blk-ccw,drive=target,physical_block_size=4096,logical_block_size=4096,scsi=off")
 fi
+# shellcheck disable=SC2086
 runvm "${target_drive[@]}" -- \
         /usr/lib/coreos-assembler/create_disk.sh \
             --disk /dev/vda \
@@ -191,7 +196,7 @@ runvm "${target_drive[@]}" -- \
             --ostree-remote "${ostree_remote}" \
             --ostree-repo "${ostree_repo}" \
             --save-var-subdirs "${save_var_subdirs}" \
-            "${luks_flag}"
+            --rootfs "${rootfs_type}"
 mv "${path}.tmp" "$path"
 echo "{}" > tmp/vm-iso-checksum.json
 

diff --git a/src/create_disk.sh b/src/create_disk.sh
@@ -52,7 +52,7 @@ do
         --ostree-remote)    remote_name="${1}"; shift;;
         --ostree-repo)      ostree="${1}"; shift;;
         --save-var-subdirs) save_var_subdirs="${1}"; shift;;
-        --luks-rootfs)      luks_rootfs=1;;
+        --rootfs)           rootfs="${1}" shift;;
          *) echo "${flag} is not understood."; usage; exit 10;;
          --) break;
      esac;
@@ -75,6 +75,11 @@ grub_script="${grub_script:?--grub-script must be defined}"
 os_name="${os_name:?--os_name must be defined}"
 save_var_subdirs="${save_var_subdirs:?--save_var_subdirs must be defined}"
 
+case "${rootfs}" in 
+    xfs|verity|luks) ;;
+    *) echo "Invalid rootfs type: ${rootfs}" 1>&2; exit 1;;
+esac
+
 set -x
 
 # Partition and create fs's. The 0...4...a...1 uuid is a sentinal used by coreos-gpt-setup
@@ -126,7 +131,7 @@ esac
 udevtrig
 
 root_dev="${disk}${ROOTPN}"
-if [ -n "${luks_rootfs}"  ]; then
+if [ "${rootfs}" = "luks" ]; then
     root_dev=/dev/mapper/crypt_root
     sgdisk -c ${ROOTPN}:luks_root "${disk}"
 
@@ -175,7 +180,20 @@ if [ ${EFIPN:+x} ]; then
        # partition $BIOPN has no FS, its for bios grub
        # partition $PREPPN has no FS, its for PowerPC PReP Boot
 fi
-mkfs.xfs "${root_dev}" -L root -m reflink=1
+if [ "${rootfs}" = "verity" ]; then
+    # As of today, xfs doesn't support verity, so we have a choice of fs-verity or reflinks.
+    # Now, fs-verity doesn't in practice gain us a huge amount of security because
+    # there are other "persistence vectors".  See
+    # https://blog.verbum.org/2017/06/12/on-dm-verity-and-operating-systems/
+    # https://github.com/coreos/rpm-ostree/issues/702
+    # And reflinks are *very* useful for the container stack with overlayfs (and in general).
+    # So basically, we're choosing performance over half-implemented security.
+    # Eventually, we'd like both - once XFS gains verity (probably not too hard),
+    # we could unconditionally enable it there.
+    mkfs.ext4 -O verity -L root "${root_dev}"
+else
+    mkfs.xfs "${root_dev}" -L root -m reflink=1
+fi
 
 # mount the partitions
 rm -rf rootfs
@@ -201,6 +219,9 @@ mkdir -p rootfs/ostree
 chcon $(matchpathcon -n /ostree) rootfs/ostree
 mkdir -p rootfs/ostree/{repo,deploy}
 ostree --repo=rootfs/ostree/repo init --mode=bare
+if [ "${rootfs}" = "verity" ]; then
+    ostree config --repo=rootfs/ostree/repo set fsverity.required 'true'
+fi
 remote_arg=
 deploy_ref="${ref}"
 if [ "${remote_name}" != NONE ]; then