Initial fs-verity support

Using fs-verity is natural for OSTree because it's file-based, as opposed to block based (like dm-verity). This only covers files - not symlinks or directories. And we clearly need to have integrity for the deployment directories at least. Also, what we likely need is an API that supports signing files as they're committed. So making this truly secure would need a lot more work. Nevertheless, I think it's time to start experimenting with it. Among other things, it does *finally* add an API that makes files immutable, which will help against some accidental damage. This is basic enablement work that is being driven by Fedora CoreOS; see also coreos/coreos-assembler#876
endlessm · Mar 2, 2020 · 31cd865 · 31cd865
1 parent 8125fd5
commit 31cd865
Show file tree

Hide file tree

Showing 5 changed files with 253 additions and 30 deletions.
diff --git a/configure.ac b/configure.ac
@@ -244,6 +244,10 @@ LIBARCHIVE_DEPENDENCY="libarchive >= 2.8.0"
 # What's in RHEL7.2.
 FUSE_DEPENDENCY="fuse >= 2.9.2"
 
+AC_CHECK_HEADERS([linux/fsverity.h])
+AS_IF([test x$ac_cv_header_linux_fsverity_h = xyes ],
+  [OSTREE_FEATURES="$OSTREE_FEATURES ex-fsverity"])
+
 # check for gtk-doc
 m4_ifdef([GTK_DOC_CHECK], [
 GTK_DOC_CHECK([1.15], [--flavour no-tmpl])
@@ -617,6 +621,7 @@ echo "
     HTTP backend:                                 $fetcher_backend
     \"ostree trivial-httpd\":                       $enable_trivial_httpd_cmdline
     SELinux:                                      $with_selinux
+    fs-verity:                                    $ac_cv_header_linux_fsverity_h
     cryptographic checksums:                      $with_crypto
     systemd:                                      $have_libsystemd
     libmount:                                     $with_libmount

diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
@@ -32,6 +32,10 @@
 #include <glib/gprintf.h>
 #include <sys/ioctl.h>
 #include <linux/fs.h>
+#include <ext2fs/ext2_fs.h>
+#ifdef HAVE_LINUX_FSVERITY_H
+#include <linux/fsverity.h>
+#endif
 
 #include "otutil.h"
 #include "ostree.h"
@@ -168,6 +172,113 @@ ot_security_smack_reset_fd (int fd)
 #endif
 }
 
+/* Wrapper around the fsverity ioctl, compressing the result to
+ * "success, unsupported or error".  This is used for /boot where
+ * we enable verity if supported.
+ * */
+gboolean
+_ostree_tmpf_fsverity_core (GLnxTmpfile *tmpf,
+                            _OstreeFeatureSupport fsverity_requested,
+                            gboolean    *supported,
+                            GError     **error)
+{
+  /* Set this by default to simplify the code below */
+  if (supported)
+    *supported = FALSE;
+
+  if (fsverity_requested == _OSTREE_FEATURE_NO)
+    return TRUE;
+
+#ifdef HAVE_LINUX_FSVERITY_H
+  GLNX_AUTO_PREFIX_ERROR ("fsverity", error);
+
+  /* fs-verity requires a read-only file descriptor */
+  if (!glnx_tmpfile_reopen_rdonly (tmpf, error))
+    return FALSE;
+
+  struct fsverity_enable_arg arg = { 0, };
+  arg.version = 1;
+  arg.hash_algorithm =  FS_VERITY_HASH_ALG_SHA256;  /* TODO configurable? */
+  arg.block_size = 4096; /* FIXME query */
+  arg.salt_size = 0; /* TODO store salt in ostree repo config */
+  arg.salt_ptr = 0;
+  arg.sig_size = 0; /* We don't currently expect use of in-kernel signature verification */
+  arg.sig_ptr = 0;
+
+  if (ioctl (tmpf->fd, FS_IOC_ENABLE_VERITY, &arg) < 0)
+    {
+      switch (errno)
+        {
+          case ENOTTY:
+          case EOPNOTSUPP:
+            return TRUE;
+          default:
+            return glnx_throw_errno_prefix (error, "ioctl(FS_IOC_ENABLE_VERITY)");
+        }
+    }
+
+  if (supported)
+    *supported = TRUE;
+#endif
+  return TRUE;
+}
+
+/* Enable verity on a file, respecting the "wanted" and "supported" states.
+ * The main idea here is to optimize out pointlessly calling the ioctl()
+ * over and over in cases where it's not supported for the repo's filesystem,
+ * as well as to support "opportunistic" use (requested and if filesystem supports).
+ * */
+gboolean
+_ostree_tmpf_fsverity (OstreeRepo  *self,
+                       GLnxTmpfile *tmpf,
+                       GError    **error)
+{
+#ifdef HAVE_LINUX_FSVERITY_H
+  g_mutex_lock (&self->txn_lock);
+  _OstreeFeatureSupport fsverity_wanted = self->fs_verity_wanted;
+  _OstreeFeatureSupport fsverity_supported = self->fs_verity_supported;
+  g_mutex_unlock (&self->txn_lock);
+
+  switch (fsverity_wanted)
+    {
+      case _OSTREE_FEATURE_YES:
+        {
+          if (fsverity_supported == _OSTREE_FEATURE_NO)
+            return glnx_throw (error, "fsverity required but filesystem does not support it");
+        }
+        break;
+      case _OSTREE_FEATURE_MAYBE:
+        break;
+      case _OSTREE_FEATURE_NO:
+        return TRUE;
+    }
+
+  gboolean supported = FALSE;
+  if (!_ostree_tmpf_fsverity_core (tmpf, fsverity_wanted, &supported, error))
+    return FALSE;
+
+  if (!supported)
+    {
+      if (G_UNLIKELY (fsverity_wanted == _OSTREE_FEATURE_YES))
+        return glnx_throw (error, "fsverity required but filesystem does not support it");
+
+      /* If we got here, we must be trying "opportunistic" use of fs-verity */
+      g_assert_cmpint (fsverity_wanted, ==, _OSTREE_FEATURE_MAYBE);
+      g_mutex_lock (&self->txn_lock);
+      self->fs_verity_supported = _OSTREE_FEATURE_NO;
+      g_mutex_unlock (&self->txn_lock);
+      return TRUE;
+    }
+
+  g_mutex_lock (&self->txn_lock);
+  self->fs_verity_supported = _OSTREE_FEATURE_YES;
+  g_mutex_unlock (&self->txn_lock);
+#else
+  g_assert_cmpint (self->fs_verity_wanted, !=, _OSTREE_FEATURE_YES);
+#endif
+  return TRUE;
+}
+
 /* Given an O_TMPFILE regular file, link it into place. */
 gboolean
 _ostree_repo_commit_tmpf_final (OstreeRepo        *self,
@@ -185,6 +296,9 @@ _ostree_repo_commit_tmpf_final (OstreeRepo        *self,
                                             cancellable, error))
     return FALSE;
 
+  if (!_ostree_tmpf_fsverity (self, tmpf, error))
+    return FALSE;
+
   if (!glnx_link_tmpfile_at (tmpf, GLNX_LINK_TMPFILE_NOREPLACE_IGNORE_EXIST,
                              dest_dfd, tmpbuf, error))
     return FALSE;

diff --git a/src/libostree/ostree-repo-private.h b/src/libostree/ostree-repo-private.h
@@ -22,6 +22,7 @@
 #pragma once
 
 #include <sys/statvfs.h>
+#include "config.h"
 #include "otutil.h"
 #include "ostree-ref.h"
 #include "ostree-repo.h"
@@ -95,6 +96,12 @@ typedef struct {
   fsblkcnt_t max_blocks;
 } OstreeRepoTxn;
 
+typedef enum {
+  _OSTREE_FEATURE_NO,
+  _OSTREE_FEATURE_MAYBE,
+  _OSTREE_FEATURE_YES,
+} _OstreeFeatureSupport;
+
 /**
  * OstreeRepo:
  *
@@ -125,6 +132,8 @@ struct OstreeRepo {
   GMutex txn_lock;
   OstreeRepoTxn txn;
   gboolean txn_locked;
+  _OstreeFeatureSupport fs_verity_wanted;
+  _OstreeFeatureSupport fs_verity_supported;
 
   GMutex cache_lock;
   guint dirmeta_cache_refcount;
@@ -469,4 +478,15 @@ OstreeRepoAutoLock * _ostree_repo_auto_lock_push (OstreeRepo          *self,
 void          _ostree_repo_auto_lock_cleanup (OstreeRepoAutoLock *lock);
 G_DEFINE_AUTOPTR_CLEANUP_FUNC (OstreeRepoAutoLock, _ostree_repo_auto_lock_cleanup)
 
+gboolean
+_ostree_tmpf_fsverity_core (GLnxTmpfile *tmpf,
+                            _OstreeFeatureSupport fsverity_requested,
+                            gboolean    *supported,
+                            GError     **error);
+
+gboolean
+_ostree_tmpf_fsverity (OstreeRepo *self,
+                       GLnxTmpfile *tmpf,
+                       GError    **error);
+
 G_END_DECLS
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
@@ -31,6 +31,7 @@
 #include "libglnx.h"
 #include "otutil.h"
 #include <glnx-console.h>
+#include <linux/magic.h>
 
 #include "ostree-core-private.h"
 #include "ostree-sysroot-private.h"
@@ -47,6 +48,7 @@
 #include <glib/gstdio.h>
 #include <sys/file.h>
 #include <sys/statvfs.h>
+#include <sys/statfs.h>
 
 #define REPO_LOCK_DISABLED (-2)
 #define REPO_LOCK_BLOCKING (-1)
@@ -3029,6 +3031,34 @@ reload_core_config (OstreeRepo          *self,
       }
   }
 
+  /* Currently experimental */
+  static const char fsverity_key[] = "ex-fsverity";
+  self->fs_verity_wanted = _OSTREE_FEATURE_NO;
+#ifdef HAVE_LINUX_FSVERITY_H
+  self->fs_verity_supported = _OSTREE_FEATURE_MAYBE;
+#else
+  self->fs_verity_supported = _OSTREE_FEATURE_NO;
+#endif
+  gboolean fsverity_required = FALSE;
+  if (!ot_keyfile_get_boolean_with_default (self->config, fsverity_key, "required",
+                                            FALSE, &fsverity_required, error))
+    return FALSE;
+  if (fsverity_required)
+    {
+      self->fs_verity_wanted = _OSTREE_FEATURE_YES;
+      if (self->fs_verity_supported == _OSTREE_FEATURE_NO)
+        return glnx_throw (error, "fsverity required, but libostree compiled without support");
+    }
+  else
+    {  
+      gboolean fsverity_opportunistic = FALSE;
+      if (!ot_keyfile_get_boolean_with_default (self->config, fsverity_key, "opportunistic",
+                                                FALSE, &fsverity_opportunistic, error))
+        return FALSE;
+      if (fsverity_opportunistic)
+        self->fs_verity_wanted = _OSTREE_FEATURE_MAYBE;
+    }
+
   {
     g_clear_pointer (&self->collection_id, g_free);
     if (!ot_keyfile_get_value_with_default (self->config, "core", "collection-id",