Commits on Jan 25, 2021

1. WIP: Use fsverity library, require keys and add signatures too …

   At the time we added fsverity code to ostree, fsverity was
   just a CLI tool; since then it has
   gained a C shared library which wraps all the signature
   bits and the enablement `ioctl()` conveniently.
   
   This makes it much easier for us to support signatures, so
   do so.  Note that at this time, because ostree doesn't define
   a mechanism to transport fsverity signatures across repositories,
   this is mostly only useful for locally-generated signatures.
   
   The idea however is this is a starting point from which we can
   build more support, including signature transport, remote keys,
   etc.
   
   In order to simplify things, drop support for "opportunistic"
   use of fsverity.  In practice we expect people using this
   to set it up fully, or not at all.  The "read only files"
   aspect *is* useful, but complicated the code too much relative
   to its benefit.
   
   Also drop support for using fsverity for `/boot` for now; in
   practice most things there are read by the bootloader,
   which doesn't know about fsverity.  Instead those should
   be covered by e.g. Secure Boot.  This ensures that
   we only have one high level API `_ostree_tmpf_fsverity()`
   that is invoked from the core commit path.
   
   xref https://lwn.net/Articles/842002
   xref ostreedev#1959
   xref coreos/rpm-ostree#1883

   

   cgwalters committed Jan 25, 2021
   Configuration menu

   • View commit details
   • Copy full SHA for b8957bf
   • Browse repository at this point

   Copy the full SHA

   b8957bf View commit details

   Browse the repository at this point in the history