mount.composefs: Drop fs-verity signature verification
We will encourage use of userspace verification.  Basically higher
level tools should have metadata that contains the composefs digest
covered by a signature, then pass that expected digest to
`mount.composefs`.

Closes: #151
Signed-off-by: Colin Walters <[email protected]>
cgwalters committed Jul 14, 2023
1 parent 1704f82 commit 089ad0b
Showing 3 changed files with 0 additions and 40 deletions.
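--- a/libcomposefs/lcfs-mount.c
+++ b/libcomposefs/lcfs-mount.c
@@ -250,41 +250,6 @@ static int lcfs_validate_verity_fd(struct lcfs_mount_state_s *state)
 char buf[MAX_DIGEST_SIZE];
 } buf;
 int res;
-bool require_signature;
-char sig_data[1];
-struct fsverity_read_metadata_arg read_metadata = { 0 };
-
-require_signature = (state->options->flags &
-LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE) != 0;
-if (require_signature) {
-/* First ensure fs-verity is enabled for the image,
-* the actual digest doesn't matter at this point. */
-buf.fsv.digest_size = MAX_DIGEST_SIZE;
-res = ioctl(state->fd, FS_IOC_MEASURE_VERITY, &buf.fsv);
-if (res == -1) {
-if (errno == ENODATA || errno == EOPNOTSUPP || errno == ENOTTY)
-return -ENOVERITY;
-return -errno;
-}
-
-/* If the file has verity enabled, has a signature and
-* we were able to open it, then the kernel will have
-* verified it against the kernel keyring, making it
-* valid. So, we read just one byte of the signature,
-* to validate that a signature exist in the file */
-
-read_metadata.metadata_type = FS_VERITY_METADATA_TYPE_SIGNATURE;
-read_metadata.offset = 0;
-read_metadata.length = sizeof(sig_data);
-read_metadata.buf_ptr = (size_t)&sig_data;
-
-res = ioctl(state->fd, FS_IOC_READ_VERITY_METADATA, &read_metadata);
-if (res == -1) {
-if (errno == ENODATA)
-return -ENOSIGNATURE;
-return -errno;
-}
-}
 
 if (state->expected_digest_len != 0) {
 buf.fsv.digest_size = MAX_DIGEST_SIZE;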
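--- a/libcomposefs/lcfs-mount.h
+++ b/libcomposefs/lcfs-mount.h
@@ -35,7 +35,6 @@ enum lcfs_mount_flags_t {
 LCFS_MOUNT_FLAGS_NONE = 0,
 LCFS_MOUNT_FLAGS_REQUIRE_VERITY = (1 << 0),
 LCFS_MOUNT_FLAGS_READONLY = (1 << 1),
-LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE = (1 << 2),
 LCFS_MOUNT_FLAGS_IDMAP = (1 << 3),
 LCFS_MOUNT_FLAGS_DISABLE_VERITY = (1 << 4),
 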
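--- a/tools/mountcomposefs.c
+++ b/tools/mountcomposefs.c
@@ -172,8 +172,6 @@ int main(int argc, char **argv)
 opt_verity = true;
 } else if (strcmp("noverity", key) == 0) {
 opt_noverity = true;
-} else if (strcmp("signed", key) == 0) {
-opt_signed = true;
 } else if (strcmp("upperdir", key) == 0) {
 if (value == NULL)
 printexit("No value specified for upperdir option\n");
@@ -239,8 +237,6 @@ int main(int argc, char **argv)
 options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
 if (opt_noverity)
 options.flags |= LCFS_MOUNT_FLAGS_DISABLE_VERITY;
-if (opt_signed)
-options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE;
 if (opt_ro)
 options.flags |= LCFS_MOUNT_FLAGS_READONLY;
 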
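Review bot: With the `signed` branch gone from the option chain in the first hunk, an existing `-o signed` mount now depends on the chain's final `else`, which lies outside the hunk. If unknown keys are ignored rather than rejected, callers that relied on kernel signature enforcement would mount without it and see no error. Keeping the key and failing closed would make the removal explicit, e.g. `} else if (strcmp("signed", key) == 0) {` followed by `printexit("The signed option is no longer supported; pass the expected digest instead\n");`. The same question applies to library callers that still set bit `(1 << 2)` in `options.flags`: nothing visible on this page rejects an unassigned bit, so it is presumably ignored now. The declaration of `opt_signed` is not among the four deleted lines, so it appears to be left behind unused in `main`, whose body extends beyond both hunks.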
