From: Misaki Kasumi Date: Mon, 16 Dec 2024 20:48:50 +0000 (+0800) Subject: sysroot-deploy: Require fsverity when composefs.enabled=verity X-Git-Tag: archive/raspbian/2024.10-1+rpi1^2~6^2^2~3^2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5831fb5a63527c52d211654d855c75c352232a88;p=ostree.git sysroot-deploy: Require fsverity when composefs.enabled=verity --- diff --git a/docs/composefs.md b/docs/composefs.md index 8ae570ef..513fdb21 100644 --- a/docs/composefs.md +++ b/docs/composefs.md @@ -47,11 +47,6 @@ before the content of a file in the mounted composefs is read, the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`. This can ensure the integrity of the "backing store". -The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying. -It is necessary to ensure all OSTree objects referenced have digests stored in `.ostree.cfs`. -This can be achieved when [committing](#injecting-composefs-digests), -or you have to set `ex-integrity.fsverity` to `true` for the OSTree repo. - ### Injecting composefs digests When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata` diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index 43f380f6..45dc75a5 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c @@ -680,7 +680,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy g_auto (GVariantBuilder) cfs_checkout_opts_builder = G_VARIANT_BUILDER_INIT (G_VARIANT_TYPE_VARDICT); guint32 composefs_requested = 1; - if (composefs_config->is_signed) + if (composefs_config->require_verity) composefs_requested = 2; g_variant_builder_add (&cfs_checkout_opts_builder, "{sv}", "verity", g_variant_new_uint32 (composefs_requested));
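Review bot: In docs/composefs.md, the four lines removed after the "backing store" paragraph are dropped without a replacement, so the page no longer says where the digests in `.ostree.cfs` come from or what a deployment with `composefs.enabled=verity` needs from the repo. Since the subject says fsverity is now required in that mode, suggest replacing the paragraph with a sentence that states the requirement and says whether `ex-integrity.fsverity` or committing with `--generate-composefs-metadata` is still how an operator satisfies it, rather than only deleting the old text.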
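Review bot: In checkout_deployment_tree, the condition guarding `composefs_requested = 2` changes from `composefs_config->is_signed` to `composefs_config->require_verity`, so a signed configuration now reaches the checkout with "verity" set to 1 unless `require_verity` is also true. The hunk does not show where `require_verity` is assigned, so please confirm it is always true when `is_signed` is, or keep both with `if (composefs_config->is_signed || composefs_config->require_verity)`. Separately, the bare values 1 and 2 passed as the "verity" option would be easier to review as named constants, or with a one-line comment saying which value means verity is required.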