diff --git a/docs/composefs.md b/docs/composefs.md
index 139d2d2629..513fdb2193 100644
--- a/docs/composefs.md
+++ b/docs/composefs.md
@@ -40,6 +40,13 @@ and specify an Ed25519 public key to validate the booted commit.
See the manpage for `ostree-prepare-root` for details of how to configure it.
+### Integrity of backing OSTree objects
+
+In `ostree/prepare-root.conf`, if `composefs.enabled` is set to `signed` or `verity`,
+before the content of a file in the mounted composefs is read,
+the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`.
+This can ensure the integrity of the "backing store".
+
### Injecting composefs digests
When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata`
diff --git a/man/ostree-prepare-root.xml b/man/ostree-prepare-root.xml
index 70371b7bc5..c135c522b0 100644
--- a/man/ostree-prepare-root.xml
+++ b/man/ostree-prepare-root.xml
@@ -138,10 +138,15 @@ License along with this library. If not, see .
composefs.enabled
This can be yes, no, maybe,
- or signed. The default is no. If set to yes or
- signed, then composefs is always used, and the boot fails if it is not
- available. Additionally if set to signed, boot will fail if the image cannot be
- validated by a public key. Setting this to maybe is currently equivalent to no.
+ signed, or verity. The default is no.
+ If set to yes, signed, or verity,
+ then composefs is always used, and the boot fails if it is not available.
+ If set to signed or verity,
+ before the content of a file is read,
+ the integrity of its backing OSTree object is validated by the digest stored in the image.
+ Additionally, if set to signed, boot will fail if the image cannot be
+ validated by a public key.
+ Setting this to maybe is currently equivalent to no.
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index 43f380f68c..45dc75a5bf 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -680,7 +680,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
g_auto (GVariantBuilder) cfs_checkout_opts_builder
= G_VARIANT_BUILDER_INIT (G_VARIANT_TYPE_VARDICT);
guint32 composefs_requested = 1;
- if (composefs_config->is_signed)
+ if (composefs_config->require_verity)
composefs_requested = 2;
g_variant_builder_add (&cfs_checkout_opts_builder, "{sv}", "verity",
g_variant_new_uint32 (composefs_requested));
diff --git a/src/libotcore/otcore-prepare-root.c b/src/libotcore/otcore-prepare-root.c
index e0a1641a8f..90b9905487 100644
--- a/src/libotcore/otcore-prepare-root.c
+++ b/src/libotcore/otcore-prepare-root.c
@@ -178,8 +178,15 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo
if (g_strcmp0 (enabled, "signed") == 0)
{
ret->enabled = OT_TRISTATE_YES;
+ ret->require_verity = true;
ret->is_signed = true;
}
+ else if (g_strcmp0 (enabled, "verity") == 0)
+ {
+ ret->enabled = OT_TRISTATE_YES;
+ ret->require_verity = true;
+ ret->is_signed = false;
+ }
else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY,
OTCORE_PREPARE_ROOT_ENABLED_KEY,
OT_TRISTATE_MAYBE, &ret->enabled, error))
@@ -227,6 +234,7 @@ otcore_load_composefs_config (const char *cmdline, GKeyFile *config, gboolean lo
{
ret->enabled = OT_TRISTATE_YES;
ret->is_signed = true;
+ ret->require_verity = true;
}
else
{
diff --git a/src/libotcore/otcore.h b/src/libotcore/otcore.h
index 6e1d510329..2d256c80ea 100644
--- a/src/libotcore/otcore.h
+++ b/src/libotcore/otcore.h
@@ -52,6 +52,7 @@ GKeyFile *otcore_load_config (int rootfs, const char *filename, GError **error);
typedef struct
{
OtTristate enabled;
+ gboolean require_verity;
gboolean is_signed;
char *signature_pubkey;
GPtrArray *pubkeys;
diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
index a002ad6e58..8e161be76b 100644
--- a/src/switchroot/ostree-prepare-root.c
+++ b/src/switchroot/ostree-prepare-root.c
@@ -452,10 +452,15 @@ main (int argc, char *argv[])
expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1);
ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v));
+ g_assert (composefs_config->require_verity);
cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
g_print ("composefs: Verifying digest: %s\n", expected_digest);
cfs_options.expected_fsverity_digest = expected_digest;
}
+ else if (composefs_config->require_verity)
+ {
+ cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
+ }
if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0)
{