Install with fsverity enabled + required #935
Needs a rebase, conflicts should be relatively straightforward to fix
Can you explain some scenarios where we might want to have fs-verity disabled? Is it just on filesystems that can't support it? Because even without checking the verity data or anything, I find the "this inode is now immutable" thing to be extremely compelling, particularly in the presence of multiple hardlinks....
That's by far the biggest case. However, there is some generic overhead to having it...this isn't quite as relevant for bootc but it would be for taking fsverity in container runtimes in general. There are people that disable selinux to claw back like 1-2% of performance and fsverity is a bit like that, you just have this cost to paging in new code and doing cryptographic verification. But supporting deploying to filesystems without it is 94.3% of the rationale for bootc.
Definitely! Before composefs existed I was trying to push for fsverity in ostree just for this reason...but I struggled with tying it to a higher level integrity story. Thankfully we have that now!
TODO: Also check for ostreedev/ostree#3354 - if that's set then we should key off it too. In fact, maybe that should be the sole interface for now.
So this is getting closer, but I'm seeing an issue where some zero-sized objects (different ones due to different selinux labels) don't have fsverity enabled. It must be an ostree bug, but I wasn't able to reproduce in a quick test.
Split out of this PR so far as prep:
libostree currently has a bug here with fsverity support; in the consume case (which right now is always zero-sized files because we don't hardlink them) it doesn't enable verity. This would be an easy bug to fix in libostree. But OTOH there's no real reason to set consume here either. The main idea of consume is when one is operating on potentially large files external to libostree, but most things here are hardlinked, and what isn't is just the zero sized files.

Signed-off-by: Colin Walters <walters@verbum.org>
For here doc support.

Signed-off-by: Colin Walters <walters@verbum.org>
Key off the ostree prepare-root config to require fsverity on all objects. As part of this:

- Add a dependency on composefs-rs just for the fsverity querying APIs, and as prep for further integration.
- Add `bootc internals fsck`, which verifies the expected fsverity state.

Signed-off-by: Colin Walters <walters@verbum.org>
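An added illustration, not bootc's or composefs-rs's code, of the kind of check the commit message above describes: walk an object directory and report regular files that lack fs-verity, counting zero-sized ones separately since those are the case discussed in this thread. It queries the `FS_VERITY_FL` inode flag through `FS_IOC_GETFLAGS` instead of the composefs-rs APIs the PR uses; the `Report` type, the function names and the directory argument are assumptions.

```rust
use std::fs::{self, File};
use std::io;
use std::os::raw::{c_int, c_long, c_ulong};
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};

// From <linux/fs.h>; the ioctl number is the value encoded on 64-bit Linux.
const FS_IOC_GETFLAGS: c_ulong = 0x8008_6601;
const FS_VERITY_FL: c_long = 0x0010_0000;

unsafe extern "C" {
    fn ioctl(fd: c_int, request: c_ulong, ...) -> c_int;
}

/// True when an inode flag word carries the fs-verity bit.
pub fn flags_have_verity(flags: c_long) -> bool { flags & FS_VERITY_FL != 0 }

/// Ok(bool) when the filesystem answers; Err when it cannot (e.g. ENOTTY).
pub fn verity_enabled(path: &Path) -> io::Result<bool> {
    let f = File::open(path)?;
    let mut flags: c_long = 0;
    // SAFETY: the fd is open for the duration of the call and `flags` is writable.
    let rc = unsafe { ioctl(f.as_raw_fd(), FS_IOC_GETFLAGS, &mut flags as *mut c_long) };
    if rc < 0 { Err(io::Error::last_os_error()) } else { Ok(flags_have_verity(flags)) }
}

#[derive(Debug, Default)]
pub struct Report { pub enabled: usize, pub missing: Vec<PathBuf>, pub missing_empty: usize, pub unknown: usize }

/// Recursively check every regular file under `dir`; symlinks are skipped.
pub fn scan(dir: &Path, rep: &mut Report) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let meta = entry.metadata()?; // DirEntry::metadata does not follow symlinks
        if meta.is_dir() { scan(&entry.path(), rep)?; continue; }
        if !meta.is_file() { continue; }
        match verity_enabled(&entry.path()) {
            Ok(true) => rep.enabled += 1,
            Ok(false) => { rep.missing_empty += (meta.len() == 0) as usize; rep.missing.push(entry.path()); }
            Err(_) => rep.unknown += 1, // filesystem could not report inode flags
        }
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Assumption: the caller passes the repo's objects directory; "." is only a fallback.
    let dir = std::env::args().nth(1).unwrap_or_else(|| ".".into());
    let mut rep = Report::default();
    scan(Path::new(&dir), &mut rep)?;
    println!("{} enabled, {} missing ({} zero-sized), {} unknown", rep.enabled, rep.missing.len(), rep.missing_empty, rep.unknown);
    Ok(())
}
```

Files counted as `unknown` sit on a filesystem that does not answer the flags query, so they are neither a pass nor a failure.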
TODO:
The goal of this PR is to align with this PR to ostree so that to hard require fsverity for
bootc install, and chain it to the ostree config, you can do e.g.: