diff --git a/docs/composefs.md b/docs/composefs.md index 139d2d2629..513fdb2193 100644 --- a/docs/composefs.md +++ b/docs/composefs.md @@ -40,6 +40,13 @@ and specify an Ed25519 public key to validate the booted commit. See the manpage for `ostree-prepare-root` for details of how to configure it. +### Integrity of backing OSTree objects + +In `ostree/prepare-root.conf`, if `composefs.enabled` is set to `signed` or `verity`, +before the content of a file in the mounted composefs is read, +the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`. +This can ensure the integrity of the "backing store". + ### Injecting composefs digests When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata` diff --git a/man/ostree-prepare-root.xml b/man/ostree-prepare-root.xml index 70371b7bc5..c135c522b0 100644 --- a/man/ostree-prepare-root.xml +++ b/man/ostree-prepare-root.xml @@ -138,10 +138,15 @@ License along with this library. If not, see . composefs.enabled This can be yes, no, maybe, - or signed. The default is no. If set to yes or - signed, then composefs is always used, and the boot fails if it is not - available. Additionally if set to signed, boot will fail if the image cannot be - validated by a public key. Setting this to maybe is currently equivalent to no. + signed, or verity. The default is no. + If set to yes, signed, or verity, + then composefs is always used, and the boot fails if it is not available. + If set to signed or verity, + before the content of a file is read, + the integrity of its backing OSTree object is validated by the digest stored in the image. + Additionally, if set to signed, boot will fail if the image cannot be + validated by a public key. + Setting this to maybe is currently equivalent to no. diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index 43f380f68c..45dc75a5bf 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -680,7 +680,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy g_auto (GVariantBuilder) cfs_checkout_opts_builder = G_VARIANT_BUILDER_INIT (G_VARIANT_TYPE_VARDICT); guint32 composefs_requested = 1; - if (composefs_config->is_signed) + if (composefs_config->require_verity) composefs_requested = 2; g_variant_builder_add (&cfs_checkout_opts_builder, "{sv}", "verity", g_variant_new_uint32 (composefs_requested)); diff --git a/src/libotcore/otcore-prepare-root.c b/src/libotcore/otcore-prepare-root.c index e0a1641a8f..90b9905487 100644 --- a/src/libotcore/otcore-prepare-root.c +++ b/src/libotcore/otcore-prepare-root.c @@ -178,8 +178,15 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo if (g_strcmp0 (enabled, "signed") == 0) { ret->enabled = OT_TRISTATE_YES; + ret->require_verity = true; ret->is_signed = true; } + else if (g_strcmp0 (enabled, "verity") == 0) + { + ret->enabled = OT_TRISTATE_YES; + ret->require_verity = true; + ret->is_signed = false; + } else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY, OTCORE_PREPARE_ROOT_ENABLED_KEY, OT_TRISTATE_MAYBE, &ret->enabled, error)) @@ -227,6 +234,7 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo { ret->enabled = OT_TRISTATE_YES; ret->is_signed = true; + ret->require_verity = true; } else { diff --git a/src/libotcore/otcore.h b/src/libotcore/otcore.h index 6e1d510329..2d256c80ea 100644 --- a/src/libotcore/otcore.h +++ b/src/libotcore/otcore.h @@ -52,6 +52,7 @@ GKeyFile *otcore_load_config (int rootfs, const char *filename, GError **error); typedef struct { OtTristate enabled; + gboolean require_verity; gboolean is_signed; char *signature_pubkey; GPtrArray *pubkeys; diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c index a002ad6e58..8e161be76b 100644 --- a/src/switchroot/ostree-prepare-root.c +++ b/src/switchroot/ostree-prepare-root.c @@ -452,10 +452,15 @@ main (int argc, char *argv[]) expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1); ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v)); + g_assert (composefs_config->require_verity); cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; g_print ("composefs: Verifying digest: %s\n", expected_digest); cfs_options.expected_fsverity_digest = expected_digest; } + else if (composefs_config->require_verity) + { + cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; + } if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0) {