On Thu, Mar 9, 2023 at 3:59 PM Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
>
> On Wed, 8 Mar 2023 at 16:29, Alexander Larsson <alexl@xxxxxxxxxx> wrote:
> >
> > As was recently discussed in the various threads about composefs we
> > want the ability to specify a fs-verity digest for metacopy files,
> > such that the lower file used for the data is guaranteed to have the
> > specified digest.
> >
> > I wrote an initial version of this here:
> >
> > https://github.com/alexlarsson/linux/tree/overlay-verity
> >
> > I would like some feedback on this approach. Does it make sense?
> >
> > For context, here is the main commit text:
> >
> > This adds support for a new overlay xattr "overlay.verity", which
> > contains a fs-verity digest. This is used for metacopy files, and
> > whenever the lowerdata file is accessed overlayfs can verify that
> > the data file fs-verity digest matches the expected one.
> >
> > By default this is ignored, but if the mount option "verity_policy" is
> > set to "validate" or "require", then all accesses validate any
> > specified digest. If you use "require" it additionally fails to access
> > a metacopy file if the verity xattr is missing.
> >
> > The digest is validated during ovl_open() as well as when the lower file
> > is copied up. Additionally the overlay.verity xattr is copied to the
> > upper file during a metacopy operation, in order to later do the validation
> > of the digest when the copy-up happens.
>
> Hmm, so what exactly happens if the file is copied up and then
> modified? The verification will fail, no?

When we do a meta-copy-up we need to look at the data file and
synthesize an overlay.verity xattr in the upper dir based on the
existing fs-verity digest. At least if the file has fs-verity enabled.
And indeed, in the verity_policy=required case, if there is no fs-verity
in the lower file we should fall back to a full copy-up instead of a
metacopy-up, or we will end up with a metacopy we can't validate.

However, if you actually modify a file I don't really see the problem,
you will get a non-verified upper layer file with the changes. It will
not fail validation because it is at that point not validated. Really
we can only expect to validate the lower layers.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl@xxxxxxxxxx         alexander.larsson@xxxxxxxxx
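The verity_policy semantics from the quoted commit text (ignore / validate / require at ovl_open() and at copy-up), together with the copy-up behaviour proposed in the reply (synthesize overlay.verity from the lower file's fs-verity digest, fall back to a full copy-up under "require" when the lower file has no fs-verity), as an added Python model. This is not code from the overlay-verity tree or from overlayfs; it assumes a plain sha256 of the file contents as a stand-in for the fs-verity digest, and the names LowerFile, MetacopyFile, ovl_open_allowed and copy_up are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LowerFile:
    """A lower-layer data file, optionally with fs-verity enabled (assumption: sha256 stands in for the fs-verity digest)."""
    data: bytes
    fsverity_enabled: bool

    def fsverity_digest(self) -> Optional[bytes]:
        # A real fs-verity digest is a Merkle-tree root; sha256 is enough to model matching.
        return hashlib.sha256(self.data).digest() if self.fsverity_enabled else None


@dataclass
class MetacopyFile:
    """A metacopy inode whose data lives in `lower`; verity_xattr is the "overlay.verity" value, None if unset."""
    lower: LowerFile
    verity_xattr: Optional[bytes]


def ovl_open_allowed(f: MetacopyFile, policy: str) -> bool:
    """Open-time check of the lowerdata file against overlay.verity for a given verity_policy."""
    if policy == "ignore":          # default: the xattr is never consulted
        return True
    if f.verity_xattr is None:      # validate: nothing to check; require: refuse access
        return policy == "validate"
    return f.lower.fsverity_digest() == f.verity_xattr


def copy_up(lower: LowerFile, existing_xattr: Optional[bytes], policy: str,
            want_metacopy: bool) -> Optional[Tuple[str, Optional[bytes]]]:
    """Copy-up decision. Returns ("metacopy", xattr) or ("full", None); None when the digest check fails."""
    if existing_xattr is not None and policy != "ignore":
        if lower.fsverity_digest() != existing_xattr:
            return None             # same validation as ovl_open, applied at copy-up
    if not want_metacopy:
        return ("full", None)       # data is copied; a modified upper file is not verified
    xattr = existing_xattr or lower.fsverity_digest()   # copy the xattr or synthesize it
    if xattr is None and policy == "require":
        return ("full", None)       # no fs-verity on the lower file: a metacopy could never validate
    return ("metacopy", xattr)
```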