composefs: When using signatures, delay application until first boot
author Alexander Larsson <alexl@redhat.com>
Wed, 31 May 2023 16:35:44 +0000 (18:35 +0200)
committer Alexander Larsson <alexl@redhat.com>
Wed, 31 May 2023 16:35:44 +0000 (18:35 +0200)
commit 733380394922f441f743ee57d626ad631f418d5c
tree bed5d8f5797f36bbf2e0cb820e143861d6b7deec
parent 6d2dc959686e530dfd0b4e1ef8c4b480d9a01e1b
composefs: When using signatures, delay application until first boot

We can't safely apply the fs-verity with signature until we have
booted with the new initrd, because the public key that matches the
signature is loaded from it. So, instead we save the .sig file next
to the composefs, and on the first boot we detect that it is there, and
the composefs file isn't fs-verity, so we apply it.

Things get a bit more complex due to having to temporarily make
/sysroot read-write for the fsverity operation too.
src/libostree/ostree-sysroot-deploy.c
src/switchroot/ostree-mount-util.h
src/switchroot/ostree-prepare-root.c
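
The first-boot check described in the commit message, as an added example that is not code from this commit or from ostree: detect a saved signature next to an image that is not yet fs-verity, then enable fs-verity with that signature. The function names and the caller-supplied paths are hypothetical, and SHA-256 with 4096-byte blocks and a DER PKCS#7 `.sig` file are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <linux/fsverity.h>
#ifndef STATX_ATTR_VERITY
#define STATX_ATTR_VERITY 0x00100000
#endif

/* 1 if the kernel reports fs-verity on path, 0 if not, -1 on error. */
int has_fsverity(const char *path) {
  struct statx stx;
  if (statx(AT_FDCWD, path, 0, STATX_BASIC_STATS, &stx) < 0) return -1;
  return (stx.stx_attributes & STATX_ATTR_VERITY) ? 1 : 0;
}

/* First-boot check: a .sig beside an image that is not yet fs-verity means
 * the signed enable was deferred. 1 = apply now, 0 = nothing to do, -1 = error. */
int deferred_sig_pending(const char *image, const char *sig) {
  int v = has_fsverity(image);
  if (v < 0) return -1;
  return (v == 0 && access(sig, R_OK) == 0) ? 1 : 0;
}

/* Enable fs-verity with the saved signature (DER PKCS#7). The kernel checks it
 * against the ".fs-verity" keyring, so the public key must already be loaded. */
int enable_verity_signed(const char *image, const char *sig) {
  static unsigned char buf[16384];
  struct fsverity_enable_arg arg;
  int fd, r, sfd = open(sig, O_RDONLY | O_CLOEXEC);
  if (sfd < 0) return -1;
  ssize_t n = read(sfd, buf, sizeof buf);
  close(sfd);
  if (n <= 0 || (size_t)n == sizeof buf) return -1; /* empty or oversized */
  memset(&arg, 0, sizeof arg);
  arg.version = 1;
  arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256; /* assumed digest settings */
  arg.block_size = 4096;
  arg.sig_size = (uint32_t)n;
  arg.sig_ptr = (uint64_t)(uintptr_t)buf;
  if ((fd = open(image, O_RDONLY | O_CLOEXEC)) < 0) return -1;
  r = ioctl(fd, FS_IOC_ENABLE_VERITY, &arg); /* needs a read-write mount (EROFS otherwise) */
  close(fd);
  return r;
}
```

A caller would run `enable_verity_signed()` only when `deferred_sig_pending()` returns 1, after making the containing mount writable for the duration of the ioctl.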