From ee76fd3a56e0a4801a428232a29cfbafefd47300 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 25 Oct 2019 22:06:51 +0000
Subject: [PATCH] WIP: Add support for 'rootfs: verity'

I'd like to experiment with fs-verity.
---
 src/cmd-buildextend-metal | 9 +++++++--
 src/create_disk.sh | 27 ++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal
index 828593139e..42fa75f3b9 100755
--- a/src/cmd-buildextend-metal
+++ b/src/cmd-buildextend-metal
@@ -165,7 +165,11 @@ kargs="$kargs $tty ignition.platform.id=$ignition_platform_id"
 ostree_remote="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("ostree-remote", "NONE"))' < "$configdir/image.yaml")"
 save_var_subdirs="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("save-var-subdirs-for-selabel-workaround", "NONE"))' < "$configdir/image.yaml")"
-luks_flag="$(python3 -c 'import sys, yaml; lf=yaml.safe_load(sys.stdin).get("luks_rootfs", ""); print("--luks-rootfs" if lf.lower() in ("yes", "true") else "")' < "$configdir/image.yaml")"
+# First parse the old luks_rootfs flag
+rootfs_type="$(python3 -c 'import sys, yaml; lf=yaml.safe_load(sys.stdin).get("luks_rootfs", ""); print("luks" if lf.lower() in ("yes", "true") else "")' < "$configdir/image.yaml")"
+if [ -z "${rootfs_type}" ]; then
+ rootfs_type="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("rootfs", "xfs"))' < "$configdir/image.yaml")"
+fi
 qemu-img create -f ${image_format} "${path}.tmp" "$size"
 # We support deploying a commit directly instead of a ref
@@ -179,6 +183,7 @@ if [[ $image_format == raw && $image_type == dasd ]]; then
 # we need 4096 block size for ECKD DASD
 "-device" "virtio-blk-ccw,drive=target,physical_block_size=4096,logical_block_size=4096,scsi=off")
 fi
+# shellcheck disable=SC2086
 runvm "${target_drive[@]}" -- \
 /usr/lib/coreos-assembler/create_disk.sh \
 --disk /dev/vda \
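Review bot: When image.yaml sets both the legacy `luks_rootfs: true` and the new `rootfs: verity`, the added `if [ -z "${rootfs_type}" ]` fallback makes luks win and the verity request is dropped without any message, which is the kind of silent downgrade a security-relevant option should not have. Reading the `rootfs` key unconditionally and refusing contradictory settings costs one extra python3 call and makes the precedence explicit. The `lf.lower()` call is carried over from the removed line and will still raise `AttributeError` if YAML parses `luks_rootfs: true` as a bool rather than a string; worth a `str(...)` while the line is being touched, though that defect predates this change.
```shell
# First parse the old luks_rootfs flag
rootfs_type="$(python3 -c 'import sys, yaml; lf=str(yaml.safe_load(sys.stdin).get("luks_rootfs", "")); print("luks" if lf.lower() in ("yes", "true") else "")' < "$configdir/image.yaml")"
rootfs_yaml="$(python3 -c 'import sys, yaml; print(yaml.safe_load(sys.stdin).get("rootfs", ""))' < "$configdir/image.yaml")"
# Refuse contradictory configs instead of letting the legacy key win silently
if [ -n "${rootfs_type}" ] && [ -n "${rootfs_yaml}" ] && [ "${rootfs_yaml}" != luks ]; then
    echo "image.yaml sets both luks_rootfs and rootfs: ${rootfs_yaml}" 1>&2; exit 1
fi
rootfs_type="${rootfs_type:-${rootfs_yaml:-xfs}}"
# … unchanged: qemu-img create …
```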
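Review bot: The added `# shellcheck disable=SC2086` above `runvm` has no visible justification: every expansion of the invocation shown in this hunk and the following one is quoted (`"${target_drive[@]}"`, `"${ostree_remote}"`, `--rootfs "${rootfs_type}"`), and the new `--rootfs` argument replaces the one place where an empty unquoted flag might have been wanted. A blanket disable over a multi-line command also masks any future unquoted expansion in that call. Unless a line of the runvm invocation outside this hunk relies on word splitting, drop the directive; if it does, name the reason on the same line, e.g. `# shellcheck disable=SC2086 # <which argument must word-split, and why>`. The runvm invocation continues past the end of this hunk.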
@@ -191,7 +196,7 @@ runvm "${target_drive[@]}" -- \
 --ostree-remote "${ostree_remote}" \
 --ostree-repo "${ostree_repo}" \
 --save-var-subdirs "${save_var_subdirs}" \
- "${luks_flag}"
+ --rootfs "${rootfs_type}"
 mv "${path}.tmp" "$path"
 echo "{}" > tmp/vm-iso-checksum.json
diff --git a/src/create_disk.sh b/src/create_disk.sh
index b1336f6145..726c3f967b 100755
--- a/src/create_disk.sh
+++ b/src/create_disk.sh
@@ -52,7 +52,7 @@ do
 --ostree-remote) remote_name="${1}"; shift;;
 --ostree-repo) ostree="${1}"; shift;;
 --save-var-subdirs) save_var_subdirs="${1}"; shift;;
- --luks-rootfs) luks_rootfs=1;;
+ --rootfs) rootfs="${1}" shift;;
 *) echo "${flag} is not understood."; usage; exit 10;;
 --) break;
 esac;
@@ -75,6 +75,11 @@ grub_script="${grub_script:?--grub-script must be defined}"
 os_name="${os_name:?--os_name must be defined}"
 save_var_subdirs="${save_var_subdirs:?--save_var_subdirs must be defined}"
+case "${rootfs}" in
+ xfs|verity|luks) ;;
+ *) echo "Invalid rootfs type: ${rootfs}" 1>&2; exit 1;;
+esac
+
 set -x
 # Partition and create fs's. The 0...4...a...1 uuid is a sentinal used by coreos-gpt-setup
@@ -126,7 +131,7 @@ esac
 udevtrig
 root_dev="${disk}${ROOTPN}"
-if [ -n "${luks_rootfs}" ]; then
+if [ "${rootfs}" = "luks" ]; then
 root_dev=/dev/mapper/crypt_root
 sgdisk -c ${ROOTPN}:luks_root "${disk}"
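Review bot: The new case arm `--rootfs) rootfs="${1}" shift;;` is missing the `;` between the assignment and `shift`, so `rootfs="${1}"` becomes a temporary environment assignment on the `shift` builtin; in bash's default (non-POSIX) mode such assignments do not persist, so `rootfs` is never set and the option value is thrown away. The `case "${rootfs}"` validation added later in this file then rejects every build with `Invalid rootfs type:` (or aborts on an unbound variable if the script runs under `set -u`, which is outside this hunk), so no image can currently be produced with this patch applied. It should read `--rootfs) rootfs="${1}"; shift;;`, matching the neighbouring arms. The enclosing `while`/`case` option loop begins and ends outside the hunk.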
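Review bot: The new `case "${rootfs}"` validation is good, but it is the only required option in this block not guarded with the `${var:?--flag must be defined}` idiom used by `os_name` and `save_var_subdirs` directly above it, so an invocation that omits `--rootfs` reports the misleading `Invalid rootfs type: ` (or an unbound-variable error under `set -u`) instead of naming the missing flag. Adding `rootfs="${rootfs:?--rootfs must be defined}"` before the `case` keeps the block consistent and leaves the `case` to catch only genuinely unknown values. The run of `:?` guards starts before this hunk.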
@@ -175,7 +180,20 @@ if [ ${EFIPN:+x} ]; then
 # partition $BIOPN has no FS, its for bios grub
 # partition $PREPPN has no FS, its for PowerPC PReP Boot
 fi
-mkfs.xfs "${root_dev}" -L root -m reflink=1
+if [ "${rootfs}" = "verity" ]; then
+ # As of today, xfs doesn't support verity, so we have a choice of fs-verity or reflinks.
+ # Now, fs-verity doesn't in practice gain us a huge amount of security because
+ # there are other "persistence vectors". See
+ # https://blog.verbum.org/2017/06/12/on-dm-verity-and-operating-systems/
+ # https://github.com/coreos/rpm-ostree/issues/702
+ # And reflinks are *very* useful for the container stack with overlayfs (and in general).
+ # So basically, we're choosing performance over half-implemented security.
+ # Eventually, we'd like both - once XFS gains verity (probably not too hard),
+ # we could unconditionally enable it there.
+ mkfs.ext4 -O verity -L root "${root_dev}"
+else
+ mkfs.xfs "${root_dev}" -L root -m reflink=1
+fi
 # mount the partitions
 rm -rf rootfs
@@ -201,6 +219,9 @@ mkdir -p rootfs/ostree
 chcon $(matchpathcon -n /ostree) rootfs/ostree
 mkdir -p rootfs/ostree/{repo,deploy}
 ostree --repo=rootfs/ostree/repo init --mode=bare
+if [ "${rootfs}" = "verity" ]; then
+ ostree config --repo=rootfs/ostree/repo set fsverity.required 'true'
+fi
 remote_arg=
 deploy_ref="${ref}"
 if [ "${remote_name}" != NONE ]; then
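Review bot: `mkfs.ext4 -O verity -L root "${root_dev}"` relies on the default 4 KiB block size, but ext4 fs-verity in kernels contemporary with this change requires the filesystem block size to equal the kernel page size, so enabling verity on the deployed objects would fail on 64 KiB-page builds (ppc64le, some aarch64 configurations) while passing on x86_64 — and it would fail later, when ostree tries to enable verity, not here at mkfs time. If the build VM runs with the target architecture's page size, `mkfs.ext4 -O verity -b "$(getconf PAGESIZE)" -L root "${root_dev}"` makes the constraint explicit; otherwise a one-line comment stating the block-size/page-size requirement is the minimum so the next failure is diagnosable. The long justification comment is also worth trimming to the two sentences about why reflinks are preferred and pointing at the linked issues for the rest; the security caveat it states (fs-verity alone measures files but authenticates nothing without a signed commit or signed digests) is the part to keep.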
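Review bot: `ostree config --repo=rootfs/ostree/repo set fsverity.required 'true'` writes an arbitrary key into the repo config without validating that the installed ostree knows it, so a misspelt or renamed option is accepted silently and the image ships with `rootfs: verity` requested but nothing enforced. ostree's initial fs-verity support was documented under the experimental `ex-fsverity` group (`ex-fsverity.required`); please confirm the key name against the ostree.repo-config man page of the version pinned in the build container before relying on this. A cheap guard is to verify the effect after the deploy step later in this file, e.g. `fsverity measure` on one object under `rootfs/ostree/repo/objects`, failing the build if verity is not actually enabled. Note that with `required` set, the deploy will also hard-fail if the build VM kernel lacks fs-verity support on ext4, which is the desired behaviour but should be stated in the comment.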