See the manpage for `ostree-prepare-root` for details of how to configure it.
+### Integrity of backing OSTree objects
+
+In `ostree/prepare-root.conf`, if `composefs.enabled` is set to `signed` or `verity`,
+before the content of a file in the mounted composefs is read,
+the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`.
+This can ensure the integrity of the "backing store".
+
+The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying.
+It is necessary to ensure all OSTree objects referenced have digests stored in `.ostree.cfs`.
+This can be achieved when [committing](#injecting-composefs-digests),
+or you have to set `ex-integrity.fsverity` to `true` for the OSTree repo.
+
### Injecting composefs digests
When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata`
<varlistentry>
<term><varname>composefs.enabled</varname></term>
<listitem><para>This can be <literal>yes</literal>, <literal>no</literal>, <literal>maybe</literal>,
- or <literal>signed</literal>. The default is <literal>no</literal>. If set to <literal>yes</literal> or
- <literal>signed</literal>, then composefs is always used, and the boot fails if it is not
- available. Additionally if set to <literal>signed</literal>, boot will fail if the image cannot be
- validated by a public key. Setting this to <literal>maybe</literal> is currently equivalent to <literal>no</literal>.
+ <literal>signed</literal>, or <literal>verity</literal>. The default is <literal>no</literal>.
+ If set to <literal>yes</literal>, <literal>signed</literal>, or <literal>verity</literal>,
+ then composefs is always used, and the boot fails if it is not available.
+ If set to <literal>signed</literal> or <literal>verity</literal>,
+ before the content of a file is read,
+ the integrity of its backing OSTree object is validated by the digest stored in the image.
+ Additionally, if set to <literal>signed</literal>, boot will fail if the image cannot be
+ validated by a public key.
+ Setting this to <literal>maybe</literal> is currently equivalent to <literal>no</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
if (g_strcmp0 (enabled, "signed") == 0)
{
ret->enabled = OT_TRISTATE_YES;
+ ret->require_verity = true;
ret->is_signed = true;
}
+ else if (g_strcmp0 (enabled, "verity") == 0)
+ {
+ ret->enabled = OT_TRISTATE_YES;
+ ret->require_verity = true;
+ ret->is_signed = false;
+ }
else if (!ot_keyfile_get_tristate_with_default (config, OTCORE_PREPARE_ROOT_COMPOSEFS_KEY,
OTCORE_PREPARE_ROOT_ENABLED_KEY,
OT_TRISTATE_MAYBE, &ret->enabled, error))
{
ret->enabled = OT_TRISTATE_YES;
ret->is_signed = true;
+ ret->require_verity = true;
}
else
{
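Review bot: The `"signed"` and `"verity"` branches at the top of the hunk differ only in the value assigned to `is_signed`, so the duplicated `ret->enabled = OT_TRISTATE_YES; ret->require_verity = true;` pairs could collapse into one branch keyed on either string, with `ret->is_signed = g_strcmp0 (enabled, "signed") == 0;` as the single differing line. A plain `yes` is left to the tristate parser and never touches `require_verity`, which presumably relies on `ret` being zero-allocated — a one-line comment on the `"verity"` branch such as `/* verity: require fsverity on backing objects, but do not require a signed image */` would also record the intended difference from `signed`, which the docbook text in this commit spells out but the parser does not. The later branch that sets both `is_signed` and `require_verity` has its condition outside the hunk, so I cannot confirm it is the only remaining path that sets `is_signed`; if it is, the pairing with the mount-side assert holds. The enclosing function starts and ends outside the hunk.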
typedef struct
{
OtTristate enabled;
+ gboolean require_verity;
gboolean is_signed;
char *signature_pubkey;
GPtrArray *pubkeys;
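Review bot: The new `require_verity` field is undocumented, and its meaning is only discoverable from the mount code that translates it into `LCFS_MOUNT_FLAGS_REQUIRE_VERITY`. Suggest `gboolean require_verity; /* set for "signed" and "verity": backing objects must carry fsverity digests matching the image */`, which also makes clear that it is implied by `is_signed` rather than independent of it. The struct's closing line is outside the hunk.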
expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1);
ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v));
+ g_assert (composefs_config->require_verity);
cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
g_print ("composefs: Verifying digest: %s\n", expected_digest);
cfs_options.expected_fsverity_digest = expected_digest;
}
+ else if (composefs_config->require_verity)
+ {
+ cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
+ }
if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0)
{
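Review bot: The `g_assert (composefs_config->require_verity)` on the signed path is a consistency check only, because the very next line ORs in `LCFS_MOUNT_FLAGS_REQUIRE_VERITY` regardless of the field, and `g_assert` disappears under `G_DISABLE_ASSERT`; nothing in the enforcement should depend on it, and a comment saying so would stop a future reader from treating it as the check, e.g. `/* signed implies require_verity (set by the config parser); the flag below is set unconditionally */`. The new `else if` branch covers plain verity mode and passes the require-verity flag without an `expected_fsverity_digest`, so in that mode the `.ostree.cfs` image itself is not authenticated — only the backing objects it references are checked against the digests it carries — which is the distinction the manpage change in this commit draws and is worth stating at the branch: `/* verity mode: backing objects are validated against the image's digests; the image itself is only authenticated in signed mode */`. Whether a backing object that lacks a stored digest is rejected at mount time or on first access is not visible here and is decided by composefs, so the user-facing docs' "ensure all objects have digests" requirement is not enforced by this code. The enclosing function starts and ends outside the hunk.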