As was recently discussed in the various threads about composefs we want the ability to specify a fs-verity digest for metacopy files, such that the lower file used for the data is guaranteed to have the specified digest.

I wrote an initial version of this here:

https://github.com/alexlarsson/linux/tree/overlay-verity

I would like some feedback on this approach. Does it make sense?

For context, here is the main commit text:

This adds support for a new overlay xattr "overlay.verity", which contains a fs-verity digest. This is used for metacopy files, and whenever the lowerdata file is accessed overlayfs can verify that the data file fs-verity digest matches the expected one.

By default this is ignored, but if the mount option "verity_policy" is set to "validate" or "require", then all accesses validate any specified digest. If you use "require" it additionally fails to access a metacopy file if the verity xattr is missing.

The digest is validated during ovl_open() as well as when the lower file is copied up. Additionally the overlay.verity xattr is copied to the upper file during a metacopy operation, in order to later do the validation of the digest when the copy-up happens.

The primary use case of this is to use an overlay mount with two lower directories, the lower being a shared content-addressed-storage containing fs-verity enabled files, and the upper being a read-only filesystem (such as erofs) containing metacopy files with the redirect xattr set pointing into the lower cas storage, as well as the verity xattr.

If this is combined with fs-verity or dm-verity for the read-only filesystem then the entire mount is validated, even though the backing files are shared between different images.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson                                Red Hat, Inc
alexl@xxxxxxxxxx         alexander.larsson@xxxxxxxxx
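The decision the commit text describes for each "verity_policy" value, written out as a userspace model. This is an added example, not part of the original message and not code from the linked branch. The struct layout, the function names, the algorithm ids and the -EIO return value are assumptions of the example, since the message gives neither the xattr format nor error codes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* "verity_policy" values from the commit text; enum names are this example's own. */
enum verity_policy { POLICY_IGNORE, POLICY_VALIDATE, POLICY_REQUIRE };

/* Model of a digest (assumed layout, not the real xattr format). */
struct digest {
    int present;             /* 0: xattr missing, or fs-verity not enabled on the file */
    int algo;                /* hash algorithm id (constructed values) */
    size_t len;
    unsigned char bytes[64];
};

/* Build a constructed sample digest filled with one byte value. */
struct digest make_digest(int algo, unsigned char fill, size_t len)
{
    struct digest d = { .present = 1, .algo = algo, .len = len };
    if (d.len > sizeof d.bytes)
        d.len = sizeof d.bytes;
    memset(d.bytes, fill, d.len);
    return d;
}

/* expected: digest from the metacopy file's overlay.verity xattr.
 * actual:   fs-verity digest of the lower data file.
 * The same check would apply at open and at copy-up, the two points the
 * commit text names. Returns 0 to allow, -EIO (assumed) to refuse. */
int check_lowerdata(enum verity_policy policy, const struct digest *expected,
                    const struct digest *actual)
{
    if (policy == POLICY_IGNORE)
        return 0;                                   /* default: xattr not consulted */
    if (!expected->present)
        return policy == POLICY_REQUIRE ? -EIO : 0; /* missing xattr fails only under "require" */
    if (!actual->present)
        return -EIO;                                /* digest specified, data file has no fs-verity */
    if (expected->algo != actual->algo || expected->len != actual->len)
        return -EIO;                                /* different hash algorithm or size */
    return memcmp(expected->bytes, actual->bytes, expected->len) ? -EIO : 0;
}

int main(void)
{
    struct digest none = {0}, a = make_digest(1, 0xAA, 32), b = make_digest(1, 0xBB, 32);
    printf("validate, no xattr:  %d\n", check_lowerdata(POLICY_VALIDATE, &none, &a));
    printf("require,  no xattr:  %d\n", check_lowerdata(POLICY_REQUIRE, &none, &a));
    printf("validate, mismatch:  %d\n", check_lowerdata(POLICY_VALIDATE, &a, &b));
    return 0;
}
```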