Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wip: Install with fsverity #935

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

wip: Install with fsverity #935

wants to merge 2 commits into from
+408 −14

Conversation

cgwalters
Copy link
Collaborator

@cgwalters cgwalters commented Dec 4, 2024
edited
Loading

The goal of this PR is to enable in an install config:

[install]
root-fs-type = "ext4"
fsverity = "enabled"

to hard require fsverity for bootc install, and chain it to the ostree config. We're trying to hide the ostree configuration here though.

@github-actions github-actions bot added the area/install Issues related to `bootc install` label Dec 4, 2024
@cgwalters
Copy link
Collaborator Author

Needs a rebase, conflicts should be relatively straightforward to fix

@allisonkarlitskaya
Copy link
Contributor

Can you explain some scenarios where we might want to have fs-verity disabled? Is it just on filesystems that can't support it? Because even without checking the verity data or anything, I find the "this inode is now immutable" thing to be extremely compelling, particularly in the presence of multiple hardlinks....

@cgwalters
Copy link
Collaborator Author

Can you explain some scenarios where we might want to have fs-verity disabled? Is it just on filesystems that can't support it?

That's by far the biggest case.

However, there is some generic overhead to having it...this isn't quite as relevant for bootc but it would be for taking fsverity in container runtimes in general. There are people that disable selinux to claw back like 1-2% of performance and fsverity is a bit like that, you just have this cost to paging in new code and doing cryptographic verification.

But supporting deploying to filesystems without it is 94.3% of the rationale for bootc.

Because even without checking the verity data or anything, I find the "this inode is now immutable" thing to be extremely compelling, particularly in the presence of multiple hardlinks....

Definitely! Before composefs existed I was trying to push for fsverity in ostree just for this reason...but I struggled with tying it to a higher level integrity story. Thankfully we have that now!

@cgwalters cgwalters force-pushed the install-config-verity branch from 8379be7 to d045510 Compare December 10, 2024 20:40
@cgwalters cgwalters force-pushed the install-config-verity branch 3 times, most recently from 280cbe6 to b7cfe64 Compare January 9, 2025 21:01
@cgwalters
Copy link
Collaborator Author

TODO: Also check for ostreedev/ostree#3354 - if that's set then we should key off it too.

In fact, maybe that should be the sole interface for now.

@cgwalters cgwalters force-pushed the install-config-verity branch 2 times, most recently from 403be9a to 0cea6bc Compare February 1, 2025 03:12
@cgwalters cgwalters mentioned this pull request Feb 1, 2025
Merged
@cgwalters cgwalters force-pushed the install-config-verity branch 2 times, most recently from d32c973 to cfad476 Compare February 3, 2025 14:33
@cgwalters
Copy link
Collaborator Author

So this is getting closer, but I'm seeing an issue where some zero-sized objects (different ones due to different selinux labels) don't have fsverity enabled. It must be an ostree bug, but I wasn't able to reproduce in a quick test.

@cgwalters cgwalters added the area/composefs Issues related to composefs label Mar 5, 2025
@cgwalters cgwalters mentioned this pull request Mar 6, 2025
Merged
@cgwalters
internals: Add new bootc internals fsck
3e4050d 
Split this out of the fsverity PR.

We obviously want a `fsck` command. This starts by doing
just two checks:

- A verification of `etc/resolv.conf`; this tests
  bootc-dev@98995f6
- Just run `ostree fsck`

But obvious things we should be adding here are:

- Verifying kargs
- Verifying LBIs

etc.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters
Copy link
Collaborator Author

Split out of this PR so far as prep:

@cgwalters
install: Honor composefs.enabled=verity
64b2c82 
Key off the ostree prepare-root config to require fsverity
on all objects.

As part of this:

- Add a dependency on composefs-rs just for the fsverity querying
  APIs, and as prep for further integration.
- Add `bootc internals fsck`, which verifies the expected
  fsverity state.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters force-pushed the install-config-verity branch from cfad476 to 64b2c82 Compare March 9, 2025 17:40
@github-actions github-actions bot added the documentation Improvements or additions to documentation label Mar 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@allisonkarlitskaya allisonkarlitskaya Awaiting requested review from allisonkarlitskaya

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
area/composefs Issues related to composefs area/install Issues related to `bootc install` do-not-merge/work-in-progress documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cgwalters @allisonkarlitskaya