Commit
sysroot-deploy: Require fsverity when composefs.enabled=verity
ruihe774 authored and cgwalters committed Dec 17, 2024
1 parent 881c881 commit 5831fb5
Showing 2 changed files with 1 addition and 6 deletions.
5 changes: 0 additions & 5 deletions docs/composefs.md
Expand Up @@ -47,11 +47,6 @@ before the content of a file in the mounted composefs is read,
the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`.
This can ensure the integrity of the "backing store".

The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying.
It is necessary to ensure all OSTree objects referenced have digests stored in `.ostree.cfs`.
This can be achieved when [committing](#injecting-composefs-digests),
or you have to set `ex-integrity.fsverity` to `true` for the OSTree repo.

### Injecting composefs digests

When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata`
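Review bot: Deleting this paragraph outright removes the only documentation of where the `.ostree.cfs` digests come from (the fsverity digests of the OSTree objects at deploy time) and of what an operator must do so that every referenced object has one (inject them when committing, or set `ex-integrity.fsverity` to `true` on the repo). Since the commit title makes fsverity mandatory when `composefs.enabled=verity`, the docs should state that requirement in place of the removed text rather than leave the reader with no guidance; keeping the sentence "The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying." and adding one line that the `verity` setting refuses to deploy without them would cover it.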
2 changes: 1 addition & 1 deletion src/libostree/ostree-sysroot-deploy.c
Expand Up @@ -680,7 +680,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
g_auto (GVariantBuilder) cfs_checkout_opts_builder
= G_VARIANT_BUILDER_INIT (G_VARIANT_TYPE_VARDICT);
guint32 composefs_requested = 1;
if (composefs_config->is_signed)
if (composefs_config->require_verity)
composefs_requested = 2;
g_variant_builder_add (&cfs_checkout_opts_builder, "{sv}", "verity",
g_variant_new_uint32 (composefs_requested));
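Review bot: Switching the condition from `composefs_config->is_signed` to `composefs_config->require_verity` changes which configurations get `composefs_requested = 2`; this is only safe if `require_verity` is guaranteed to be set whenever `is_signed` is, otherwise a signed deployment that previously requested level 2 silently drops back to 1. Please confirm that invariant where the config is parsed (it is not visible in this hunk), and consider a short comment or named constants for the literal levels 1 and 2, since the hunk gives no indication that 2 means "required" beyond the commit title.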