From: Colin Walters Date: Wed, 30 Oct 2024 14:07:26 +0000 (-0400) Subject: checkout: Only verify digest if repo requires fsverity X-Git-Tag: archive/raspbian/2024.9-1+rpi1^2~7^2^2~2^2~1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6ed1f83ab80b74cc20c8b48b94d1991cfbdbf569;p=ostree.git checkout: Only verify digest if repo requires fsverity Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled. Closes: https://github.com/ostreedev/ostree/issues/3330 Signed-off-by: Colin Walters
---
diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
index 8696229b..2e50c30d 100644
--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
 if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
 return FALSE;
- /* If the commit specified a composefs digest, verify it */
- if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
- return FALSE;
+ /* If the commit specified a composefs digest and the target is known to have fsverity,
+ * then double check our ouptut.
+ */
+ if (verity == OT_TRISTATE_YES)
+ {
+ if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+ return FALSE;
+ }
 if (!glnx_fchmod (tmpf.fd, 0644, error))
 return FALSE;
diff --git a/tests/inst/src/composefs.rs b/tests/inst/src/composefs.rs
index eddccd1d..d4fadd75 100644
--- a/tests/inst/src/composefs.rs
+++ b/tests/inst/src/composefs.rs
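Review bot: The new `if (verity == OT_TRISTATE_YES)` guard makes a digest mismatch completely silent for every other value of `verity`, and the comment above it does not say that this is intentional. A commit whose composefs digest metadata disagrees with the image just written is then accepted with no trace, which makes later integrity questions harder to answer; a debug-level log on mismatch in the non-enforcing case would keep that observable without failing the checkout. At minimum the comment should state the rationale and fix the typo `ouptut`, e.g. `/* Enforce the commit's composefs digest only when fsverity is required; otherwise boot does not verify it either, so a mismatch is ignored here. */`. `verity` is assigned outside this hunk, and the function body continues past it.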
@@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
 return Ok(());
 }
 {
- let fstype = cmd!(sh, "stat -f / -c %T").read()?;
+ let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
 if fstype.trim() == "xfs" {
 println!("SKIP no xfs fsverity yet");
 return Ok(());
diff --git a/tests/test-composefs.sh b/tests/test-composefs.sh
index 12813cf2..72f81284 100755
--- a/tests/test-composefs.sh
+++ b/tests/test-composefs.sh
@@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"
+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+ '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+ fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end
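Review bot: The `stat -f /sysroot -c %T` probe has no comment saying why `/sysroot` is queried instead of `/`, and the xfs skip that follows depends on getting the backing filesystem right. Presumably `/` is the composefs mount on a booted system, so only `/sysroot` reports the physical filesystem type; a one-line comment such as `// Probe the physical root; / may be the composefs mount rather than the backing fs` would record that. The body of `itest_composefs` starts and ends outside this hunk.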
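Review bot: The added case covers only the rejecting path, where `checkout --composefs` of `test-composefs-bad-digest` must fail; nothing in this hunk checks the path the commit actually relaxes, namely that the same commit still checks out when fsverity is not required. Without that counterpart, a later change could re-tighten or over-loosen the digest guard unnoticed, so consider adding one next to the existing "checkout composefs noverity" case. The comment should also state the precondition the failure relies on, e.g. `# Digest is enforced only when verity is required, so this checkout must fail`, if that is what `--composefs` implies here. The assertion on `"doesn't match expected digest"` is tied to an error string defined outside this diff.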