lib: Add a thin public API wrapper for FS_IOC_ENABLE_VERITY

The main thing is this helps ensure that other external software using the library uses the same fsverity parameters. There's also the aspect that using ioctl() from some non-C languages is tricky. Signed-off-by: Colin Walters <[email protected]>
cgwalters · May 27, 2024 · c940c5a · c940c5a
1 parent ef85111
commit c940c5a
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 19 deletions.
diff --git a/libcomposefs/lcfs-writer.c b/libcomposefs/lcfs-writer.c
@@ -635,6 +635,28 @@ static int read_content(int fd, size_t size, uint8_t *buf)
 	return 0;
 }
 
+// Given a file descriptor, enable fsverity.  This
+// is a thin wrapper for the underlying `FS_IOC_ENABLE_VERITY`
+// ioctl.  For example, it is an error if the file already
+// has verity enabled.
+int lcfs_fd_enable_fsverity(int fd)
+{
+	struct fsverity_enable_arg arg = {};
+
+	arg.version = 1;
+	arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
+	arg.block_size = 4096;
+	arg.salt_size = 0;
+	arg.salt_ptr = 0;
+	arg.sig_size = 0;
+	arg.sig_ptr = 0;
+
+	if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) != 0) {
+		return -errno;
+	}
+	return 0;
+}
+
 static void digest_to_path(const uint8_t *csum, char *buf)
 {
 	static const char hexchars[] = "0123456789abcdef";

diff --git a/libcomposefs/lcfs-writer.h b/libcomposefs/lcfs-writer.h
@@ -157,5 +157,6 @@ LCFS_EXTERN int lcfs_fd_get_fsverity(uint8_t *digest, int fd);
 
 LCFS_EXTERN int lcfs_node_set_from_content(struct lcfs_node_s *node, int dirfd,
 					   const char *fname, int buildflags);
+LCFS_EXTERN int lcfs_fd_enable_fsverity(int fd);
 
 #endif
diff --git a/tools/mkcomposefs.c b/tools/mkcomposefs.c
@@ -702,24 +702,6 @@ static int join_paths(char **out, const char *path1, const char *path2)
 	return asprintf(out, "%.*s%s%s", len, path1, sep, path2);
 }
 
-static errint_t enable_verity(int fd)
-{
-	struct fsverity_enable_arg arg = {};
-
-	arg.version = 1;
-	arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
-	arg.block_size = 4096;
-	arg.salt_size = 0;
-	arg.salt_ptr = 0;
-	arg.sig_size = 0;
-	arg.sig_ptr = 0;
-
-	if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) != 0) {
-		return -errno;
-	}
-	return 0;
-}
-
 static void cleanup_unlink_freep(void *pp)
 {
 	char *filename = *(char **)pp;
@@ -981,7 +963,7 @@ static int copy_file_with_dirs_if_needed(const char *src, const char *dst_base,
 		}
 
 		if (fstat(dfd, &statbuf) == 0) {
-			err = enable_verity(dfd);
+			err = lcfs_fd_enable_fsverity(dfd);
 			if (err < 0) {
 				/* Ignore errors, we're only trying to enable it */
 			}