Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

verity: check after activation for any corruption #18

Merged

Conversation

mikemccracken
Copy link
Contributor

ActivateByVolumeKey does check for corruption via the dm_status task after activation, but if it finds that it was corrupted, it only logs that to stderr and returns 0 anyway.

For cases where corruption can be detected immediately, we want to fail the mounting, so we add a second check of the same task after activating the device (or after checking the hash on an existing device), and fail early.

@mikemccracken
Copy link
Contributor Author

mikemccracken commented Sep 26, 2024

Testing notes: I had a stacker-built OCI image with two layers, 4c798c57305b4a14d1959295ebcdd10c290cb48c7675b78556b711d83cf600ac and
02ed19c9150b6c01ed38433e6fb6a493c418822ef9c0146a4d6e6b718ab1e124.

I modified a little bit of one of them:

dd if=/dev/random of=build/oci/blobs/sha256/4c798c57305b4a14d1959295ebcdd10c290cb48c7675b78556b711d83cf600ac conv=notrunc seek=100 count=100
# shasum no longer matches name:
4986606ef4a7be76e3a70988e3b212832170a00924311bbccb055b7a95e02316  build/oci/blobs/sha256/4c798c57305b4a14d1959295ebcdd10c290cb48c7675b78556b711d83cf600ac

Then with the current main branch, I just attempt to mount the image (note- need to be sure that the underlying dm devices are dmsetup removed or else we don't go through the same codepath and won't even see the message)

you will see the warning about corruption detection but the image still mounts without error:

sudo ../atomfs/bin/atomfs --debug mount build/oci:minbase-squashfs atomfsmountpoint/
2024/09/26 15:15:42 debug -> ws.recurse             digest=sha256:f51558b9fc630141ba9757b82a1acae11d765a38d396eaf957e019e19947a1c7
2024/09/26 15:15:42 debug <- ws.recurse             digest=sha256:f51558b9fc630141ba9757b82a1acae11d765a38d396eaf957e019e19947a1c7
2024/09/26 15:15:42 debug casext.ResolveReference(minbase-squashfs) got these descriptors refs=[{[{application/vnd.oci.image.manifest.v1+json sha256:f51558b9fc630141ba9757b82a1acae11d765a38d396eaf957e019e19947a1c7 6233 [] map[org.opencontainers.image.ref.name:minbase-squashfs] [] <nil> }]}]
Verity device detected corruption after activation.
embrane@atom-lab-8:~/ssd/c3$ echo $?
0
embrane@atom-lab-8:~/ssd/c3$ ls atomfsmountpoint/
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Copy link

codecov bot commented Sep 26, 2024

Codecov Report

Attention: Patch coverage is 0% with 22 lines in your changes missing coverage. Please review.

Project coverage is 16.15%. Comparing base (ad93e06) to head (4837f40).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
squashfs/verity.go 0.00% 19 Missing ⚠️
molecule.go 0.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #18      +/-   ##
==========================================
- Coverage   16.52%   16.15%   -0.37%     
==========================================
  Files           6        6              
  Lines         932      953      +21     
==========================================
  Hits          154      154              
- Misses        757      778      +21     
  Partials       21       21              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@mikemccracken mikemccracken marked this pull request as draft September 26, 2024 23:30
@mikemccracken
Copy link
Contributor Author

mikemccracken commented Sep 26, 2024

converted to draft because I just realized that the new ConfirmExistingVerityDeviceCurrentValidity function doesn't need the rootHash argument and would be more useful without it

(edit, fixed)

ActivateByVolumeKey does check for corruption via the dm_status task
after activation, but if it finds that it was corrupted, it only logs
that to stderr and returns 0 anyway.

For cases where corruption can be detected immediately, we want to fail
the mounting, so we add a second check of the same task after activating
the device (or after checking the hash on an existing device), and fail
early.

Signed-off-by: Michael McCracken <[email protected]>
If we are mounting a mol where one of the atoms already been mounted,
then we should check the already-mounted devices for any corruption
reported by devicemapper as well, and at least fail to mount the new
image using them.

Signed-off-by: Michael McCracken <[email protected]>
@mikemccracken mikemccracken force-pushed the 2024.09.26/main/look-for-corruption branch from abbd1a8 to 4837f40 Compare September 26, 2024 23:33
@mikemccracken mikemccracken marked this pull request as ready for review September 26, 2024 23:33
@mikemccracken mikemccracken mentioned this pull request Sep 27, 2024
@hallyn hallyn merged commit 820120d into project-machine:main Sep 28, 2024
3 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants