From 6ed1f83ab80b74cc20c8b48b94d1991cfbdbf569 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Wed, 30 Oct 2024 10:07:26 -0400
Subject: [PATCH 1/2] checkout: Only verify digest if repo requires fsverity Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled.
Closes: https://github.com/ostreedev/ostree/issues/3330
Signed-off-by: Colin Walters
---
 src/libostree/ostree-repo-checkout.c | 11 ++++++++---
 tests/inst/src/composefs.rs | 2 +-
 tests/test-composefs.sh | 10 ++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
index 8696229b37..2e50c30ded 100644
--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
 if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
 return FALSE;
- /* If the commit specified a composefs digest, verify it */
- if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
- return FALSE;
+ /* If the commit specified a composefs digest and the target is known to have fsverity,
+ * then double check our ouptut.
+ */
+ if (verity == OT_TRISTATE_YES)
+ {
+ if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+ return FALSE;
+ }
 if (!glnx_fchmod (tmpf.fd, 0644, error))
 return FALSE;
diff --git a/tests/inst/src/composefs.rs b/tests/inst/src/composefs.rs
index eddccd1d6e..d4fadd759a 100644
--- a/tests/inst/src/composefs.rs
+++ b/tests/inst/src/composefs.rs
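Review bot: A digest mismatch is now skipped silently whenever `verity` is anything other than `OT_TRISTATE_YES` in the `ostree_repo_checkout_composefs` hunk of src/libostree/ostree-repo-checkout.c, so a commit whose `metadata_composefs` digest disagrees with the generated image checks out with no trace at all. If skipping is intended, an `else` branch that records it, for example `g_debug ("composefs digest present but not verified: fsverity not required");`, keeps such a mismatch discoverable during triage. The new comment says the target is "known to have fsverity" while the condition tests `verity`, whose declaration is outside this hunk; if it holds the requested mode rather than a probed capability, `/* Verify the commit's composefs digest only when fsverity is required */` would be more accurate, and "ouptut" should read "output". The function body starts and ends outside the hunk.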
@@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
 return Ok(());
 }
 {
- let fstype = cmd!(sh, "stat -f / -c %T").read()?;
+ let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
 if fstype.trim() == "xfs" {
 println!("SKIP no xfs fsverity yet");
 return Ok(());
diff --git a/tests/test-composefs.sh b/tests/test-composefs.sh
index 12813cf2a9..72f81284ec 100755
--- a/tests/test-composefs.sh
+++ b/tests/test-composefs.sh
@@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"
+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+ '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+ fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end
From 9e0d778df3fe13664e8a7dcff4e4792923d90e60 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Mon, 4 Nov 2024 14:28:13 -0500
Subject: [PATCH 2/2] bootupd-static: Drop this test It breaks due to https://bugzilla.redhat.com/show_bug.cgi?id=2308594
---
 tests/kolainst/destructive/bootupd-static.sh | 36 --------------------
 1 file changed, 36 deletions(-)
 delete mode 100755 tests/kolainst/destructive/bootupd-static.sh
diff --git a/tests/kolainst/destructive/bootupd-static.sh b/tests/kolainst/destructive/bootupd-static.sh
deleted file mode 100755
index 670178e47d..0000000000
--- a/tests/kolainst/destructive/bootupd-static.sh
+++ /dev/null
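Review bot: Nothing in the `itest_composefs` hunk of tests/inst/src/composefs.rs explains why the filesystem type is now read from `/sysroot` instead of `/`, so the path could easily be reverted as a cleanup. Presumably `/` is the composefs-backed root on these hosts and no longer reports the physical filesystem; if that is the reason, a line such as `// Check the physical root: with composefs, / is not the backing filesystem` above the `stat` call would record it. The function continues outside the hunk.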
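Review bot: The regression path this patch fixes is left untested in the tests/test-composefs.sh hunk: the added case only asserts that a mismatched `ostree.composefs.digest.v0` is rejected, while the fix is about a checkout that does not require fsverity succeeding even though the commit carries a digest. A companion case that checks out `test-composefs-bad-digest` the same way the preceding "checkout composefs noverity" test does and expects success would pin the C change, unless that is already covered outside the hunk. Separately, the byte array literal is split by a raw newline inside the single quotes (after `0xc5`); keeping it on one line, or adding `# newline inside the quoted GVariant text is intentional`, avoids it being read as a paste error.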
@@ -1,36 +0,0 @@
-#!/bin/bash
-set -xeuo pipefail
-
-. ${KOLA_EXT_DATA}/libinsttest.sh
-
-require_writable_sysroot
-prepare_tmpdir
-
-bootupd_state=/boot/bootupd-state.json
-mount -o remount,rw /boot
-if grep -qFe "\"static-configs\"" "${bootupd_state}"; then
- echo "Host is using static configs already, overriding this"
- jq --compact-output '.["static-configs"] = null' < "${bootupd_state}" > "${bootupd_state}".new
- mv "${bootupd_state}.new" "${bootupd_state}"
-fi
-
-# Print the current value for reference, it's "none" on FCOS derivatives
-ostree config get sysroot.bootloader || true
-ostree config set sysroot.bootloader auto
-
-ostree admin deploy --stage "${host_commit}"
-systemctl stop ostree-finalize-staged.service
-used_bootloader=$(journalctl -u ostree-finalize-staged -o json MESSAGE_ID=dd440e3e549083b63d0efc7dc15255f1 | tail -1 | jq -r .OSTREE_BOOTLOADER)
-# We're verifying the legacy default now
-assert_streq "${used_bootloader}" "grub2"
-ostree admin undeploy 0
-
-# Now synthesize a bootupd config which uses static configs
-jq '. + {"static-configs": {}}' < "${bootupd_state}" > "${bootupd_state}".new
-mv "${bootupd_state}.new" "${bootupd_state}"
-ostree admin deploy --stage "${host_commit}"
-systemctl stop ostree-finalize-staged.service
-used_bootloader=$(journalctl -u ostree-finalize-staged -o json MESSAGE_ID=dd440e3e549083b63d0efc7dc15255f1 | tail -1 | jq -r .OSTREE_BOOTLOADER)
-assert_streq "${used_bootloader}" "none"
-
-echo "ok bootupd static"