From 863890804bcef67f7037c476389a9291e702d9e3 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Sat, 1 Feb 2025 10:23:29 -0500 Subject: [PATCH] prepare-root: Log when we're mounting with verity required On general principle, but specifically as I wanted to cross-check this when debugging something else. --- src/libotcore/otcore.h | 2 ++ src/switchroot/ostree-prepare-root.c | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/libotcore/otcore.h b/src/libotcore/otcore.h index 2d256c80..1213880f 100644 --- a/src/libotcore/otcore.h +++ b/src/libotcore/otcore.h @@ -96,6 +96,8 @@ ComposefsConfig *otcore_load_composefs_config (const char *cmdline, GKeyFile *co #define OTCORE_RUN_BOOTED "/run/ostree-booted" // This key will be present if composefs was successfully used. #define OTCORE_RUN_BOOTED_KEY_COMPOSEFS "composefs" +// True if fsverity was required for composefs. +#define OTCORE_RUN_BOOTED_KEY_COMPOSEFS_VERITY "composefs.verity" // This key if present contains the public key successfully used // to verify the signature. #define OTCORE_RUN_BOOTED_KEY_COMPOSEFS_SIGNATURE "composefs.signed" diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c index 8e161be7..4bf180c3 100644 --- a/src/switchroot/ostree-prepare-root.c +++ b/src/switchroot/ostree-prepare-root.c @@ -465,9 +465,13 @@ main (int argc, char *argv[]) if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0) { using_composefs = true; + bool using_verity = (cfs_options.flags & LCFS_MOUNT_FLAGS_REQUIRE_VERITY) > 0; g_variant_builder_add (&metadata_builder, "{sv}", OTCORE_RUN_BOOTED_KEY_COMPOSEFS, g_variant_new_boolean (true)); - g_print ("composefs: mounted successfully\n"); + g_variant_builder_add (&metadata_builder, "{sv}", OTCORE_RUN_BOOTED_KEY_COMPOSEFS_VERITY, + g_variant_new_boolean (using_verity)); + g_print ("composefs: mounted successfully (verity=%s)\n", + using_verity ? "true" : "false"); } else { -- 2.30.2