Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support fs-verity for mkfs.ext4 -d #201

Open
allisonkarlitskaya opened this issue Oct 28, 2024 · 4 comments · May be fixed by #203
Open

Support fs-verity for mkfs.ext4 -d #201

allisonkarlitskaya opened this issue Oct 28, 2024 · 4 comments · May be fixed by #203

Comments

@allisonkarlitskaya
Copy link

When creating a new ext4 filesystem with -O verity enabled, -d ought to check if the files in the given directory are verity-enabled and — if they are — flag them for verity also in the new filesystem. This would require computing the merkle tree in userspace (which is definitely annoying, but wouldn't be so difficult).

This feature would be extremely helpful for creating OS images with fs-verity-enabled files inside of them, as we want to do in the composefs project.

@allisonkarlitskaya
Copy link
Author

Actually, reading https://docs.kernel.org/filesystems/fsverity.html it looks like we could use FS_IOC_READ_VERITY_METADATA to get the existing fs-verity data out of the running host filesystem. That would substantially reduce the required effort here.

@allisonkarlitskaya
Copy link
Author

I think I could write a patch for this, given confirmation that the idea is welcome and some guidance on the implementation approach. I'd probably add some code near the bottom of copy_file() in create_inode.c to call a function to read the fsverity data and write it in the manner described in https://docs.kernel.org/filesystems/ext4/overview.html#verity-files but maybe there is a better way?

@tytso
Copy link
Owner

tytso commented Nov 12, 2024

I'm certainly willing to look at patches, so long as they are maintainable. Do you know how you plan to calculate the merkle tree in userspace? I suspect this may add some external dependencies in terms shared libraries? I always worry about bloating mke2fs or adding mandatory package depenndencies which tend to make distributions' release engineers cranky.

Solution to this might include having some separate binary to calculate the Merkle tree, since it might be something which is useful beyond just mke2fs -d (or maybe there is some external package which already has the Merkle tree calculation as a separate program) or using dlopen to dynamically load any shared libraries if they might happen to be necessary. We've done this before in e2fsprogs, but I suspect the first (having an external binary which mke2fs can run if mke2fs -d is requested to create a fsverity file system is the better one.

The other thing to consider is you want to control which files need to be have a Merkle tree attached, and whether you need to digitally sign the Merkle tree --- and if so, using which private / public key pair, and where to get access to the private key pair.

@allisonkarlitskaya
Copy link
Author

I'm certainly willing to look at patches, so long as they are maintainable. Do you know how you plan to calculate the merkle tree in userspace? I suspect this may add some external dependencies in terms shared libraries? I always worry about bloating mke2fs or adding mandatory package depenndencies which tend to make distributions' release engineers cranky.

My reading of https://docs.kernel.org/filesystems/fsverity.html#fs-ioc-read-verity-metadata says that we can use the FS_IOC_READ_VERITY_METADATA to get the data directly from the running system. We would include exactly the data that we query from the host — no more, no less. I'm reasonably certain that this would be sufficient, and it would avoid us from having to encode any specific knowledge about fs-verity or merkle trees.

As for signing — I have no interest in this feature. I feel like it's probably not commonly used? Even the docs warn against it:

Please take great care before using this feature. It is not the only way to do signatures with fs-verity, and the alternatives (such as userspace signature verification, and IMA appraisal) can be much better. It’s also easy to fall into a trap of thinking this feature solves more problems than it actually does.

It's certainly not used for our usecase.

allisonkarlitskaya added a commit to allisonkarlitskaya/e2fsprogs that referenced this issue Nov 25, 2024
When creating a filesystem with `mke2fs -O verity` and populating
content via `-d`, check if that content is fs-verity enabled, and if it
is, copy the fs-verity metadata from the host-native filesystem into the
created filesystem.

This currently doesn't work for reading from btrfs, which fails to
implement the required ioctl(), but it will work between two ext4
filesystems.

Closes: tytso#201
Signed-off-by: Allison Karlitskaya <[email protected]>
@allisonkarlitskaya allisonkarlitskaya linked a pull request Nov 25, 2024 that will close this issue
4 tasks
allisonkarlitskaya added a commit to allisonkarlitskaya/e2fsprogs that referenced this issue Nov 28, 2024
When creating a filesystem with `mke2fs -O verity` and populating
content via `-d`, check if that content is fs-verity enabled, and if it
is, copy the fs-verity metadata from the host-native filesystem into the
created filesystem.

This currently doesn't work for reading from btrfs, which fails to
implement the required ioctl(), but it will work between two ext4
filesystems.

Closes: tytso#201
Signed-off-by: Allison Karlitskaya <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants