From bae950cdd1eee95ce5ed8143f7e1eec59dc477f6 Mon Sep 17 00:00:00 2001 From: Misaki Kasumi Date: Tue, 17 Dec 2024 04:48:50 +0800 Subject: [PATCH] sysroot-deploy: Require fsverity when composefs.enabled=verity --- docs/composefs.md | 5 ----- src/libostree/ostree-sysroot-deploy.c | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/docs/composefs.md b/docs/composefs.md index 8ae570effe..513fdb2193 100644 --- a/docs/composefs.md +++ b/docs/composefs.md @@ -47,11 +47,6 @@ before the content of a file in the mounted composefs is read, the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`. This can ensure the integrity of the "backing store". -The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying. -It is necessary to ensure all OSTree objects referenced have digests stored in `.ostree.cfs`. -This can be achieved when [committing](#injecting-composefs-digests), -or you have to set `ex-integrity.fsverity` to `true` for the OSTree repo. - ### Injecting composefs digests When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata` diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index 43f380f68c..45dc75a5bf 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -680,7 +680,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy g_auto (GVariantBuilder) cfs_checkout_opts_builder = G_VARIANT_BUILDER_INIT (G_VARIANT_TYPE_VARDICT); guint32 composefs_requested = 1; - if (composefs_config->is_signed) + if (composefs_config->require_verity) composefs_requested = 2; g_variant_builder_add (&cfs_checkout_opts_builder, "{sv}", "verity", g_variant_new_uint32 (composefs_requested));
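Review bot: Swapping the `is_signed` test for `require_verity` in the `composefs_requested = 2` branch keeps signed deployments at the strict level only if every configuration that sets `is_signed` also sets `require_verity`, and the code that populates those two flags is not visible in this hunk. If that invariant is not enforced where the config is loaded, a signed configuration would silently be checked out with the `verity` option at 1 instead of 2; `if (composefs_config->require_verity || composefs_config->is_signed)` makes the intent explicit and cannot weaken the existing signed path. The bare literals 1 and 2 also deserve a comment next to `composefs_requested`, for example `/* 1 = use fsverity digests when available, 2 = fail if they are missing */`, assuming that is what the checkout option means. checkout_deployment_tree starts and ends outside the hunk.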