From: Alexander Larsson <alexl@redhat.com>
To: miklos@szeredi.hu
Cc: linux-unionfs@vger.kernel.org, amir73il@gmail.com,
ebiggers@kernel.org, tytso@mit.edu, fsverity@lists.linux.dev,
Alexander Larsson <alexl@redhat.com>
Subject: [PATCH v3 0/4] ovl: Add support for fs-verity checking of lowerdata
Date: Mon, 12 Jun 2023 12:27:15 +0200 [thread overview]
Message-ID: <cover.1686565330.git.alexl@redhat.com> (raw)
This patchset adds support for using fs-verity to validate lowerdata
files by specifying an overlay.verity xattr on the metacopy
files.
This is primarily motivated by the Composefs usecase, where there will
be a read-only EROFS layer that contains redirect into a base data
layer which has fs-verity enabled on all files. However, it is also
useful in general if you want to ensure that the lowerdata files
matches the expected content over time.
I have also added some tests for this feature to xfstests[1].
I'm also CC:ing the fsverity list and maintainers because there is one
(tiny) fsverity change, and there may be interest in this usecase.
Changes since v2:
* Rebased on top of overlayfs-next
* We now alway do verity verification the first time the file content
is used, rather than doing it at lookup time for the non-lazy lookup
case.
Changes since v1:
* Rebased on v2 lazy lowerdata series
* Dropped the "validate" mount option variant. We now only support
"off", "on" and "require", where "off" is the default.
* We now store the digest algorithm used in the overlay.verity xattr.
* Dropped ability to configure default verity options, as this could
cause problems moving layers between machines.
* We now properly resolve dependent mount options by automatically
enabling metacopy and redirect_dir if verity is on, or failing
if the specified options conflict.
* Streamlined and fixed the handling of creds in ovl_ensure_verity_loaded().
* Renamed new helpers from ovl_entry_path_ to ovl_e_path_
[1] https://github.com/alexlarsson/xfstests/commits/verity-tests
Alexander Larsson (4):
fsverity: Export fsverity_get_digest
ovl: Add framework for verity support
ovl: Validate verity xattr when resolving lowerdata
ovl: Handle verity during copy-up
Documentation/filesystems/overlayfs.rst | 27 +++++
fs/overlayfs/copy_up.c | 33 +++++-
fs/overlayfs/file.c | 8 +-
fs/overlayfs/namei.c | 54 +++++++++-
fs/overlayfs/overlayfs.h | 12 ++-
fs/overlayfs/ovl_entry.h | 3 +
fs/overlayfs/super.c | 79 +++++++++++++-
fs/overlayfs/util.c | 133 ++++++++++++++++++++++++
fs/verity/measure.c | 1 +
9 files changed, 340 insertions(+), 10 deletions(-)
--
2.40.1
next reply other threads:[~2023-06-12 10:27 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 10:27 Alexander Larsson [this message]
2023-06-12 10:27 ` [PATCH v3 1/4] fsverity: Export fsverity_get_digest Alexander Larsson
2023-06-12 10:27 ` [PATCH v3 2/4] ovl: Add framework for verity support Alexander Larsson
2023-06-12 16:32 ` Eric Biggers
2023-06-13 5:18 ` Amir Goldstein
2023-06-13 6:37 ` Eric Biggers
2023-06-13 8:08 ` Alexander Larsson
2023-06-13 9:34 ` Amir Goldstein
2023-06-13 18:22 ` Eric Biggers
2023-06-14 5:24 ` Amir Goldstein
2023-06-14 7:57 ` Alexander Larsson
2023-06-15 23:52 ` Eric Biggers
2023-06-16 8:11 ` Alexander Larsson
2023-06-17 19:47 ` Eric Biggers
2023-06-19 7:58 ` Alexander Larsson
2023-06-12 10:27 ` [PATCH v3 3/4] ovl: Validate verity xattr when resolving lowerdata Alexander Larsson
2023-06-12 10:28 ` Alexander Larsson
2023-06-12 19:09 ` Eric Biggers
2023-06-13 11:41 ` Alexander Larsson
2023-06-13 17:57 ` Eric Biggers
2023-06-14 3:28 ` Eric Biggers
2023-06-14 5:39 ` Amir Goldstein
2023-06-14 7:19 ` Alexander Larsson
2023-06-12 10:28 ` [PATCH v3 4/4] ovl: Handle verity during copy-up Alexander Larsson
2023-06-12 10:52 ` Amir Goldstein
2023-06-12 10:54 ` [PATCH v3 0/4] ovl: Add support for fs-verity checking of lowerdata Amir Goldstein
2023-06-12 11:09 ` Alexander Larsson
2023-06-12 14:53 ` Alexander Larsson
2023-06-12 15:05 ` Amir Goldstein
2023-06-14 6:14 ` Amir Goldstein
2023-06-14 7:07 ` Eric Biggers
2023-06-14 7:16 ` Alexander Larsson
2023-06-22 9:36 ` Amir Goldstein
2023-06-22 9:51 ` Alexander Larsson
2023-06-22 11:45 ` Amir Goldstein
2023-06-26 13:01 ` Amir Goldstein
2023-07-03 8:11 ` Alexander Larsson
2023-07-06 7:10 ` Amir Goldstein
2023-07-06 7:50 ` Alexander Larsson
2023-06-22 16:12 ` Eric Biggers
2023-06-22 18:07 ` Amir Goldstein
2023-06-13 13:57 ` Alexander Larsson
2023-06-13 17:59 ` Eric Biggers
2023-06-14 7:15 ` Alexander Larsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1686565330.git.alexl@redhat.com \
--to=alexl@redhat.com \
--cc=amir73il@gmail.com \
--cc=ebiggers@kernel.org \
--cc=fsverity@lists.linux.dev \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.