

Use composefs crate for fsverity digest reading
To increase the motivation to improve that crate and the C library;
especially the C library, because we *must* have it anyway because
we depend on the binaries and we are just not going to rewrite
everything in Rust in the near future.

(And if we *did* start a rewrite of the composefs core I think
 that rewrite should live in that repo, not this one)

Signed-off-by: Colin Walters <[email protected]>
cgwalters committed Nov 6, 2024
1 parent ba238e5 commit 069de6d
Showing 2 changed files with 8 additions and 33 deletions.
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -10,6 +10,7 @@ anyhow = { version = "1.0.89", features = ["backtrace"] }
async-compression = { version = "0.4.17", features = ["tokio", "gzip", "zstd"] }
clap = { version = "4.5.19", features = ["derive"] }
containers-image-proxy = "0.7.0"
composefs = "0.1.3"
hex = "0.4.3"
indicatif = { version = "0.17.8", features = ["tokio"] }
oci-spec = "0.7.0"
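Review bot: The diffstat lists only Cargo.toml and src/fsverity/ioctl.rs, so no Cargo.lock change accompanies the new `composefs = "0.1.3"` dependency; if the lockfile is tracked in this repository it should be regenerated in the same commit so that the resolved composefs version and its transitive crates are pinned with the code that starts using them. The caret requirement `"0.1.3"` allows any 0.1.x release to be picked at resolution time, which is standard Cargo behaviour but worth being aware of when the crate's output feeds integrity checks.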
40 changes: 7 additions & 33 deletions src/fsverity/ioctl.rs
Expand Up @@ -3,7 +3,7 @@ use std::os::fd::AsFd;
use anyhow::Result;
use rustix::ioctl;

use super::FsVerityHashValue;
use super::{FsVerityHashValue, Sha256HashValue};

// See /usr/include/linux/fsverity.h
#[repr(C)]
Expand Down Expand Up @@ -43,36 +43,10 @@ pub fn fs_ioc_enable_verity<F: AsFd, H: FsVerityHashValue>(fd: F) -> Result<()>
Ok(())
}

#[repr(C)]
pub struct FsVerityDigest<F> {
digest_algorithm: u16,
digest_size: u16,
digest: F,
}

// #define FS_IOC_MEASURE_VERITY _IORW('f', 134, struct fsverity_digest)
type FsIocMeasureVerity = ioctl::ReadWriteOpcode<b'f', 134, FsVerityDigest<()>>;

pub fn fs_ioc_measure_verity<F: AsFd, H: FsVerityHashValue>(fd: F) -> Result<H> {
let digest_size = std::mem::size_of::<H>() as u16;
let digest_algorithm = H::ALGORITHM as u16;

let mut digest = FsVerityDigest::<H> {
digest_algorithm,
digest_size,
digest: H::EMPTY,
};

unsafe {
ioctl::ioctl(
fd,
ioctl::Updater::<FsIocMeasureVerity, FsVerityDigest<H>>::new(&mut digest),
)?;
}

if digest.digest_algorithm != digest_algorithm || digest.digest_size != digest_size {
Err(std::io::Error::from(std::io::ErrorKind::InvalidData))?
} else {
Ok(digest.digest)
}
pub fn fs_ioc_measure_verity<F: AsFd>(fd: F) -> Result<Sha256HashValue> {
let mut digest = composefs::fsverity::Digest::new();
composefs::fsverity::fsverity_digest_from_fd(fd.as_fd(), &mut digest)?;
let mut r = Sha256HashValue::EMPTY;
r.copy_from_slice(digest.get());
Ok(r)
}
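Review bot: The explicit check that the kernel reported the expected `digest_algorithm` and `digest_size` (the removed `if` just before the old `Ok`) has no visible counterpart in the new `fs_ioc_measure_verity`; whether `composefs::fsverity::fsverity_digest_from_fd` rejects a non-SHA-256 measurement cannot be told from this hunk, so a file whose verity was enabled with another algorithm may now have its digest bytes copied into a `Sha256HashValue` without any validation here. `copy_from_slice` panics on a length mismatch, so if `Digest::get` yields a `&[u8]` rather than a fixed-size array, a guard before the copy keeps the error path recoverable and in the file's existing style: `let d = digest.get(); if d.len() != r.len() { Err(std::io::Error::from(std::io::ErrorKind::InvalidData))? }`. Since `fs_ioc_enable_verity` (visible in the hunk header) stays generic over `H: FsVerityHashValue` while this function is now SHA-256 only, that asymmetry deserves a doc comment such as `/// Measure the fsverity digest of fd (SHA-256 only; unlike fs_ioc_enable_verity this is not generic over the hash algorithm).`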
