From 21bf3152af2a2893852b61c12bce1c61adf2b6cd Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Mon, 11 Nov 2024 15:21:41 +0000 Subject: [PATCH] wip --- lib/src/cli.rs | 40 +++++++++++++++++++++++++++++---------- lib/src/install/config.rs | 2 +- lib/src/store/mod.rs | 1 + 3 files changed, 32 insertions(+), 11 deletions(-) diff --git a/lib/src/cli.rs b/lib/src/cli.rs index 96738f356..a7c11a5a4 100644 --- a/lib/src/cli.rs +++ b/lib/src/cli.rs @@ -303,8 +303,9 @@ pub(crate) enum InternalsOpts { FixupEtcFstab, /// Should only be used by `make update-generated` PrintJsonSchema, - /// Perform consistency checking. - Fsck, + /// Operate on the global storage + #[clap(subcommand)] + Storage(StorageOpts), /// Perform cleanup actions Cleanup, /// Proxy frontend for the `ostree-ext` CLI. @@ -319,6 +320,18 @@ pub(crate) enum InternalsOpts { }, } +#[derive(Debug, clap::Subcommand, PartialEq, Eq)] +pub(crate) enum StorageOpts { + /// Perform consistency checking + Fsck, + /// Output state of verity or dynamically enable it + Verity { + /// Change fsverity state to enabled. + #[clap(long)] + enable: bool, + }, +} + #[derive(Debug, clap::Subcommand, PartialEq, Eq)] pub(crate) enum StateOpts { /// Remove all ostree deployments from this system @@ -964,16 +977,23 @@ async fn run_from_opt(opt: Opt) -> Result<()> { ) .await } - InternalsOpts::Fsck => { + InternalsOpts::Storage(opts) => { let storage = get_storage().await?; - let r = crate::fsck::fsck(&storage).await?; - match r.errors.as_slice() { - [] => {} - errs => { - for err in errs { - eprintln!("error: {err}"); + match opts { + StorageOpts::Fsck => { + let r = crate::fsck::fsck(&storage).await?; + match r.errors.as_slice() { + [] => {} + errs => { + for err in errs { + eprintln!("error: {err}"); + } + anyhow::bail!("fsck found errors"); + } } - anyhow::bail!("fsck found errors"); + } + StorageOpts::Verity { enable } => { + } } Ok(()) 
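Review bot: The doc comments on `StorageOpts::Verity` (second cli.rs hunk) do not tell the operator that `--enable` is a one-way switch. Assuming this ends up enabling kernel fs-verity on objects in the global storage, a file that has verity enabled becomes read-only and cannot have it turned off again short of replacing the file. I would say so in the help text, e.g. `/// Enable fsverity on the storage; this cannot be reverted.` on the `enable` field. The variant comment should also state that without `--enable` the command only reports the current state and changes nothing.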
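Review bot: The new `StorageOpts::Verity { enable } => { }` arm in `run_from_opt` (third cli.rs hunk) is empty, so `internals storage verity --enable` falls through to `Ok(())` and exits 0 without doing anything. For an integrity control that is the wrong failure mode, because provisioning or compliance scripts that check only the exit status would record fsverity as enabled when it is not. Until the implementation lands, make the arm fail closed: `StorageOpts::Verity { enable: _ } => anyhow::bail!("storage verity is not implemented yet"),`, which also avoids the unused-variable warning on `enable`. `run_from_opt` starts and ends outside the hunk, so this covers only the arm shown here.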
diff --git a/lib/src/install/config.rs b/lib/src/install/config.rs index 1b1a7916d..2e0194047 100644 --- a/lib/src/install/config.rs +++ b/lib/src/install/config.rs @@ -601,7 +601,7 @@ fsverity = "enabled" assert_eq!(install.fsverity.as_ref().unwrap(), &Tristate::Enabled); let o: InstallConfigurationToplevel = toml::from_str( r##"[install] -fsverity = "optional" +fsverity = "maybe" "##, ) .unwrap(); diff --git a/lib/src/store/mod.rs b/lib/src/store/mod.rs index 06ccaf260..34f1a36ca 100644 --- a/lib/src/store/mod.rs +++ b/lib/src/store/mod.rs @@ -15,6 +15,7 @@ use crate::spec::ImageStatus; mod ostree_container; +/// The configuration option for fsverity pub(crate) const REPO_VERITY_CONFIG: &str = "ex-integrity.fsverity"; pub(crate) struct Storage {
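Review bot: The config.rs hunk changes only the test's TOML input to `fsverity = "maybe"`, while nothing in this patch touches the `Tristate` type that the value deserializes into. Unless `Tristate` already accepts `maybe`, the `.unwrap()` on `toml::from_str` will panic, and the assertion that follows sits outside the hunk, so it cannot be checked from here. If the accepted spelling is really being renamed, existing install configs that say `optional` would stop parsing for a security-relevant setting. Keeping the old spelling as an alias (with serde, `#[serde(alias = "optional")]` on the variant) and testing both spellings would avoid that.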