From 74e0dda30dddd7665c64037c8bea3c98bc4847dd Mon Sep 17 00:00:00 2001 From: Misaki Kasumi Date: Mon, 16 Dec 2024 19:41:21 +0800 Subject: [PATCH] prepare-root: Add composefs.enabled=verity --- src/libotcore/otcore-prepare-root.c | 7 +++++++ src/libotcore/otcore.h | 1 + src/switchroot/ostree-prepare-root.c | 15 +++++++++++---- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/src/libotcore/otcore-prepare-root.c b/src/libotcore/otcore-prepare-root.c index e0a1641a8f..8def8ec133 100644 --- a/src/libotcore/otcore-prepare-root.c +++ b/src/libotcore/otcore-prepare-root.c @@ -178,8 +178,15 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo if (g_strcmp0 (enabled, "signed") == 0) { ret->enabled = OT_TRISTATE_YES; + ret->require_verity = true; ret->is_signed = true; } + else if (g_strcmp0 (enabled, "verity") == 0) + { + ret->enabled = OT_TRISTATE_YES; + ret->require_verity = true; + ret->is_signed = false; + } else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY, OTCORE_PREPARE_ROOT_ENABLED_KEY, OT_TRISTATE_MAYBE, &ret->enabled, error)) diff --git a/src/libotcore/otcore.h b/src/libotcore/otcore.h index 6e1d510329..2d256c80ea 100644 --- a/src/libotcore/otcore.h +++ b/src/libotcore/otcore.h @@ -52,6 +52,7 @@ GKeyFile *otcore_load_config (int rootfs, const char *filename, GError **error); typedef struct { OtTristate enabled; + gboolean require_verity; gboolean is_signed; char *signature_pubkey; GPtrArray *pubkeys; diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c index a002ad6e58..62e8101a5c 100644 --- a/src/switchroot/ostree-prepare-root.c +++ b/src/switchroot/ostree-prepare-root.c @@ -449,12 +449,19 @@ main (int argc, char *argv[]) if (!cfs_digest_buf) errx (EXIT_FAILURE, "Failed to query digest: %s", error->message); - expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1); - ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v)); + if (composefs_config->require_verity) + { + expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1); + ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v)); + cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; + g_print ("composefs: Verifying digest: %s\n", expected_digest); + cfs_options.expected_fsverity_digest = expected_digest; + } + } + else if (composefs_config->require_verity) + { cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; - g_print ("composefs: Verifying digest: %s\n", expected_digest); - cfs_options.expected_fsverity_digest = expected_digest; } if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0)