
prepare-root: Add composefs.enabled=verity
ruihe774 committed Dec 16, 2024
1 parent 74efebd commit 74e0dda
Showing 3 changed files with 19 additions and 4 deletions.
7 changes: 7 additions & 0 deletions src/libotcore/otcore-prepare-root.c
Expand Up @@ -178,8 +178,15 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo
if (g_strcmp0 (enabled, "signed") == 0)
{
ret->enabled = OT_TRISTATE_YES;
ret->require_verity = true;
ret->is_signed = true;
}
else if (g_strcmp0 (enabled, "verity") == 0)
{
ret->enabled = OT_TRISTATE_YES;
ret->require_verity = true;
ret->is_signed = false;
}
else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY,
OTCORE_PREPARE_ROOT_ENABLED_KEY,
OT_TRISTATE_MAYBE, &ret->enabled, error))
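Review bot: The new `verity` branch sets `ret->require_verity` only when the value arrives through the cmdline string `enabled`; the following `ot_keyfile_get_tristate_with_default` branch reads a tristate and, as far as this hunk shows, never touches `require_verity`, so a config-file setting cannot select verity-only mode and the field keeps whatever initial value `ret` was given (the allocation of `ret` and the rest of otcore_load_composefs_config lie outside the hunk). If that is intended, a comment on the `verity` branch such as `/* verity-only mode is selectable from the cmdline only; the keyfile value is a plain tristate */` would spare the next reader the search; if it is not, the keyfile path needs a matching string value. The `verity` and `signed` branches also differ only in `is_signed`, which would read more clearly as one assignment block with `ret->is_signed = (g_strcmp0 (enabled, "signed") == 0);`.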
1 change: 1 addition & 0 deletions src/libotcore/otcore.h
Expand Up @@ -52,6 +52,7 @@ GKeyFile *otcore_load_config (int rootfs, const char *filename, GError **error);
typedef struct
{
OtTristate enabled;
gboolean require_verity;
gboolean is_signed;
char *signature_pubkey;
GPtrArray *pubkeys;
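Review bot: The new `require_verity` field lands next to `is_signed` with no comment distinguishing the two, and the distinction is security-relevant: in the companion hunks `require_verity` is set for both the `signed` and `verity` values and is what requests LCFS_MOUNT_FLAGS_REQUIRE_VERITY, while `is_signed` appears to be what ties the expected digest to the signed commit (that outer branch starts outside the hunk). I would document it inline: `gboolean require_verity; /* Refuse to mount unless the composefs image has fs-verity enabled; true for both "signed" and "verity" */` and `gboolean is_signed; /* Additionally require the image digest to match the signed commit */`. The struct's typedef name is outside the hunk.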
15 changes: 11 additions & 4 deletions src/switchroot/ostree-prepare-root.c
Expand Up @@ -449,12 +449,19 @@ main (int argc, char *argv[])
if (!cfs_digest_buf)
errx (EXIT_FAILURE, "Failed to query digest: %s", error->message);

expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1);
ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v));
if (composefs_config->require_verity)
{
expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1);
ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v));

cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
g_print ("composefs: Verifying digest: %s\n", expected_digest);
cfs_options.expected_fsverity_digest = expected_digest;
}
}
else if (composefs_config->require_verity)
{
cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
g_print ("composefs: Verifying digest: %s\n", expected_digest);
cfs_options.expected_fsverity_digest = expected_digest;
}

if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0)
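Review bot: In the new `else if (composefs_config->require_verity)` branch, `expected_digest` is printed and stored in `cfs_options.expected_fsverity_digest` although no line on this path assigns it; the start of main is outside the hunk, so I cannot see whether anything sets it for the unsigned case, but if it is still NULL there the branch enforces only LCFS_MOUNT_FLAGS_REQUIRE_VERITY (the image must have fs-verity enabled) without binding the mount to any particular digest, and `%s` with a NULL argument is undefined in C (glibc happens to print "(null)"). The log line then claims a digest is being verified when none is, which matters to anyone auditing what `composefs.enabled=verity` actually guarantees. I would make the branch say what it does: `g_print ("composefs: Requiring fs-verity on image (no expected digest)\n");` and assign `expected_fsverity_digest` only under `if (expected_digest)`. The three identical lines in both branches could also be hoisted into a single `if (composefs_config->require_verity)` after the signed block, with the digest print and assignment guarded the same way.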
