From 6ed1f83ab80b74cc20c8b48b94d1991cfbdbf569 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Wed, 30 Oct 2024 10:07:26 -0400
Subject: [PATCH] checkout: Only verify digest if repo requires fsverity
Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled.
Closes: https://github.com/ostreedev/ostree/issues/3330
Signed-off-by: Colin Walters
---
 src/libostree/ostree-repo-checkout.c | 11 ++++++++---
 tests/inst/src/composefs.rs | 2 +-
 tests/test-composefs.sh | 10 ++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
index 8696229b37..2e50c30ded 100644
--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
 if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
 return FALSE;
- /* If the commit specified a composefs digest, verify it */
- if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
- return FALSE;
+ /* If the commit specified a composefs digest and the target is known to have fsverity,
+ * then double check our ouptut.
+ */
+ if (verity == OT_TRISTATE_YES)
+ {
+ if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+ return FALSE;
+ }
 if (!glnx_fchmod (tmpf.fd, 0644, error))
 return FALSE;
diff --git a/tests/inst/src/composefs.rs b/tests/inst/src/composefs.rs
index eddccd1d6e..d4fadd759a 100644
--- a/tests/inst/src/composefs.rs
+++ b/tests/inst/src/composefs.rs
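Review bot: The reworded comment above `if (verity == OT_TRISTATE_YES)` no longer says what happens to a mismatching digest when fsverity is not required, and it carries a typo (`ouptut`). With the compare behind that condition, a commit whose `ostree.composefs.digest.v0` disagrees with the generated image is accepted without any trace in every other mode. Where `verity` is assigned is outside the hunk, so it cannot be judged from here whether an opportunistic setting (presumably `OT_TRISTATE_MAYBE`) can still end with fsverity enabled on the written file. I would state the decision explicitly, e.g. `/* Only enforce the commit's composefs digest when the repo requires fsverity; otherwise nothing verifies it at boot and a mismatch is deliberately ignored. */`, and consider a `g_debug ()` on the skipped path so a stale digest is still visible when a repo is later switched to signed mode.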
@@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
 return Ok(());
 }
 {
- let fstype = cmd!(sh, "stat -f / -c %T").read()?;
+ let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
 if fstype.trim() == "xfs" {
 println!("SKIP no xfs fsverity yet");
 return Ok(());
diff --git a/tests/test-composefs.sh b/tests/test-composefs.sh
index 12813cf2a9..72f81284ec 100755
--- a/tests/test-composefs.sh
+++ b/tests/test-composefs.sh
@@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"
+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+ '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+ fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end
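Review bot: The reason for probing `/sysroot` instead of `/` is not recorded next to the `stat` call, so the next person to touch the xfs skip will not know which mount matters. Presumably `/` is the composefs mount on a deployed system and only the physical root reports the filesystem that has to support fsverity. If that is the intent, a one-line comment above the `let fstype` line would capture it, for example `// fsverity depends on the physical root's filesystem, not on the composefs mount at /`. `itest_composefs` begins and ends outside the hunk.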
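Review bot: The new case covers only the rejecting side; nothing here checks that the same `test-composefs-bad-digest` commit still checks out when fsverity is not required, which is the regression this commit fixes. A follow-up line such as `$OSTREE checkout --composefs-noverity test-composefs-bad-digest test2-co-bad-noverity.cfs` with its own `tap_ok` would pin that behaviour. The output name is made up for the example, and any plan count declared outside the hunk would need to match. Without it, a later change that makes the compare unconditional again would still pass this script.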