-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support fs-verity for mkfs.ext4 -d
#201
Comments
Actually, reading https://docs.kernel.org/filesystems/fsverity.html it looks like we could use |
I think I could write a patch for this, given confirmation that the idea is welcome and some guidance on the implementation approach. I'd probably add some code near the bottom of |
I'm certainly willing to look at patches, so long as they are maintainable. Do you know how you plan to calculate the merkle tree in userspace? I suspect this may add some external dependencies in terms shared libraries? I always worry about bloating mke2fs or adding mandatory package depenndencies which tend to make distributions' release engineers cranky. Solution to this might include having some separate binary to calculate the Merkle tree, since it might be something which is useful beyond just mke2fs -d (or maybe there is some external package which already has the Merkle tree calculation as a separate program) or using dlopen to dynamically load any shared libraries if they might happen to be necessary. We've done this before in e2fsprogs, but I suspect the first (having an external binary which mke2fs can run if mke2fs -d is requested to create a fsverity file system is the better one. The other thing to consider is you want to control which files need to be have a Merkle tree attached, and whether you need to digitally sign the Merkle tree --- and if so, using which private / public key pair, and where to get access to the private key pair. |
My reading of https://docs.kernel.org/filesystems/fsverity.html#fs-ioc-read-verity-metadata says that we can use the As for signing — I have no interest in this feature. I feel like it's probably not commonly used? Even the docs warn against it:
It's certainly not used for our usecase. |
When creating a filesystem with `mke2fs -O verity` and populating content via `-d`, check if that content is fs-verity enabled, and if it is, copy the fs-verity metadata from the host-native filesystem into the created filesystem. This currently doesn't work for reading from btrfs, which fails to implement the required ioctl(), but it will work between two ext4 filesystems. Closes: tytso#201 Signed-off-by: Allison Karlitskaya <[email protected]>
When creating a filesystem with `mke2fs -O verity` and populating content via `-d`, check if that content is fs-verity enabled, and if it is, copy the fs-verity metadata from the host-native filesystem into the created filesystem. This currently doesn't work for reading from btrfs, which fails to implement the required ioctl(), but it will work between two ext4 filesystems. Closes: tytso#201 Signed-off-by: Allison Karlitskaya <[email protected]>
When creating a new ext4 filesystem with
-O verity
enabled,-d
ought to check if the files in the given directory are verity-enabled and — if they are — flag them for verity also in the new filesystem. This would require computing the merkle tree in userspace (which is definitely annoying, but wouldn't be so difficult).This feature would be extremely helpful for creating OS images with fs-verity-enabled files inside of them, as we want to do in the composefs project.
The text was updated successfully, but these errors were encountered: