From 92a867cff46b8f884f3ce357bc56e0e1aabab87a Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 14 Jul 2023 09:20:06 -0400 Subject: [PATCH] mount.composefs: Drop fs-verity signature verification We will encourage use of userspace verification. Basically higher level tools should have metadata that contains the composefs digest covered by a signature, then pass that expected digest to `mount.composefs`. Closes: https://github.com/containers/composefs/issues/151 --- libcomposefs/lcfs-mount.c | 35 ----------------------------------- libcomposefs/lcfs-mount.h | 1 - tools/mountcomposefs.c | 4 ---- 3 files changed, 40 deletions(-) diff --git a/libcomposefs/lcfs-mount.c b/libcomposefs/lcfs-mount.c index a90336d3..8ec76e15 100644 --- a/libcomposefs/lcfs-mount.c +++ b/libcomposefs/lcfs-mount.c @@ -250,41 +250,6 @@ static int lcfs_validate_verity_fd(struct lcfs_mount_state_s *state) char buf[MAX_DIGEST_SIZE]; } buf; int res; - bool require_signature; - char sig_data[1]; - struct fsverity_read_metadata_arg read_metadata = { 0 }; - - require_signature = (state->options->flags & - LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE) != 0; - if (require_signature) { - /* First ensure fs-verity is enabled for the image, - * the actual digest doesn't matter at this point. */ - buf.fsv.digest_size = MAX_DIGEST_SIZE; - res = ioctl(state->fd, FS_IOC_MEASURE_VERITY, &buf.fsv); - if (res == -1) { - if (errno == ENODATA || errno == EOPNOTSUPP || errno == ENOTTY) - return -ENOVERITY; - return -errno; - } - - /* If the file has verity enabled, has a signature and - * we were able to open it, then the kernel will have - * verified it against the kernel keyring, making it - * valid. So, we read just one byte of the signature, - * to validate that a signature exist in the file */ - - read_metadata.metadata_type = FS_VERITY_METADATA_TYPE_SIGNATURE; - read_metadata.offset = 0; - read_metadata.length = sizeof(sig_data); - read_metadata.buf_ptr = (size_t)&sig_data; - - res = ioctl(state->fd, FS_IOC_READ_VERITY_METADATA, &read_metadata); - if (res == -1) { - if (errno == ENODATA) - return -ENOSIGNATURE; - return -errno; - } - } if (state->expected_digest_len != 0) { buf.fsv.digest_size = MAX_DIGEST_SIZE; diff --git a/libcomposefs/lcfs-mount.h b/libcomposefs/lcfs-mount.h index 17085032..d8e837b1 100644 --- a/libcomposefs/lcfs-mount.h +++ b/libcomposefs/lcfs-mount.h @@ -35,7 +35,6 @@ enum lcfs_mount_flags_t { LCFS_MOUNT_FLAGS_NONE = 0, LCFS_MOUNT_FLAGS_REQUIRE_VERITY = (1 << 0), LCFS_MOUNT_FLAGS_READONLY = (1 << 1), - LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE = (1 << 2), LCFS_MOUNT_FLAGS_IDMAP = (1 << 3), LCFS_MOUNT_FLAGS_DISABLE_VERITY = (1 << 4), diff --git a/tools/mountcomposefs.c b/tools/mountcomposefs.c index af9b7e49..81a15a7a 100644 --- a/tools/mountcomposefs.c +++ b/tools/mountcomposefs.c @@ -172,8 +172,6 @@ int main(int argc, char **argv) opt_verity = true; } else if (strcmp("noverity", key) == 0) { opt_noverity = true; - } else if (strcmp("signed", key) == 0) { - opt_signed = true; } else if (strcmp("upperdir", key) == 0) { if (value == NULL) printexit("No value specified for upperdir option\n"); @@ -239,8 +237,6 @@ int main(int argc, char **argv) options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; if (opt_noverity) options.flags |= LCFS_MOUNT_FLAGS_DISABLE_VERITY; - if (opt_signed) - options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE; if (opt_ro) options.flags |= LCFS_MOUNT_FLAGS_READONLY;