linux-fsdevel.vger.kernel.org archive mirror
From: Alexander Larsson <alexl@redhat.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Amir Goldstein <amir73il@gmail.com>,
	linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org
Subject: Re: WIP: verity support for overlayfs
Date: Thu, 9 Mar 2023 16:45:31 +0100
Message-ID: <CAL7ro1FZKNa1vMJ0CLsGr0Wcg=TSm_2Ehso=adQEVnn3G5i=xQ@mail.gmail.com>
In-Reply-To: <CAJfpeguTqXKuBcR3ZBbpWTPTbhnLja0QkBz3ASa4mgaw+A4-rQ@mail.gmail.com>

On Thu, Mar 9, 2023 at 3:59 PM Miklos Szeredi <miklos@szeredi.hu> wrote:
>
> On Wed, 8 Mar 2023 at 16:29, Alexander Larsson <alexl@redhat.com> wrote:
> >
> > As was recently discussed in the various threads about composefs we
> > want the ability to specify a fs-verity digest for metacopy files,
> > such that the lower file used for the data is guaranteed to have the
> > specified digest.
> >
> > I wrote an initial version of this here:
> >
> >   https://github.com/alexlarsson/linux/tree/overlay-verity
> >
> > I would like some feedback on this approach. Does it make sense?
> >
> > For context, here is the main commit text:
> >
> > This adds support for a new overlay xattr "overlay.verity", which
> > contains a fs-verity digest. This is used for metacopy files, and
> > whenever the lowerdata file is accessed overlayfs can verify that
> > the data file fs-verity digest matches the expected one.
> >
> > By default this is ignored, but if the mount option "verity_policy" is
> > set to "validate" or "require", then all accesses validate any
> > specified digest. If you use "require" it additionally fails to access
> > metacopy file if the verity xattr is missing.
> >
> > The digest is validated during ovl_open() as well as when the lower file
> > is copied up. Additionally the overlay.verity xattr is copied to the
> > upper file during a metacopy operation, in order to later do the validation
> > of the digest when the copy-up happens.
>
> Hmm, so what exactly happens if the file is copied up and then
> modified?  The verification will fail, no?

When we do a meta-copy-up we need to look at the data file and
synthesize an overlay.verity xattr in the upper dir based on the
existing fs-verity digest. At least if the file has fs-verity enabled.
And indeed, in the verity_policy=require case, if there is no
fs-verity in the lower file we should fall back to a full copy-up
instead of a metacopy-up, or we will end up with a metacopy we can't
validate.

However, if you actually modify a file I don't really see the problem,
you will get a non-verified upper layer file with the changes. It will
not fail validation because it is at that point not validated. Really
we can only expect to validate the lower layers.


--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl@redhat.com         alexander.larsson@gmail.com
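A small Python model, added here and not code from the thread or from the overlay-verity branch, of the two pieces discussed above: the fs-verity file digest that overlay.verity would carry (SHA-256, default 4096-byte blocks, as in the fs-verity descriptor format) and the verity_policy decisions at meta-copy-up and at lowerdata access, including the fall-back to a full copy-up when the lower file has no fs-verity. The function names are hypothetical, and the xattr is assumed to hold the raw 32-byte digest.

```python
import hashlib
import struct

BLOCK_SIZE = 4096               # fs-verity default block size (log_blocksize = 12)
FS_VERITY_HASH_ALG_SHA256 = 1

def _hash_block(block: bytes, salt: bytes) -> bytes:
    # Every data or hash block is zero-padded to the block size and hashed as salt || block.
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()

def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    if not data:
        return bytes(32)        # empty file: fs-verity defines the root hash as all zeroes
    level = [_hash_block(data[i:i + BLOCK_SIZE], salt) for i in range(0, len(data), BLOCK_SIZE)]
    # Pack each level's hashes into blocks and hash those until one root block remains;
    # a file that fits in a single block has zero levels and its root is that block's hash.
    while len(level) > 1:
        packed = b"".join(level)
        level = [_hash_block(packed[i:i + BLOCK_SIZE], salt) for i in range(0, len(packed), BLOCK_SIZE)]
    return level[0]

def fsverity_digest(data: bytes, salt: bytes = b"") -> bytes:
    # The file digest is SHA-256 over the 256-byte fsverity_descriptor (sig_size field zeroed).
    desc = struct.pack("<BBBBIQ64s32s144s", 1, FS_VERITY_HASH_ALG_SHA256, 12, len(salt), 0,
                       len(data), merkle_root(data, salt).ljust(64, b"\0"),
                       salt.ljust(32, b"\0"), bytes(144))
    return hashlib.sha256(desc).digest()

def metacopy_up(policy, lower_data: bytes, lower_has_verity: bool):
    # Hypothetical model: synthesize the upper overlay.verity xattr from the lower file.
    # Under verity_policy=require a lower file without fs-verity could never be validated
    # later, so do a full copy-up instead of leaving an unverifiable metacopy behind.
    if lower_has_verity:
        return "metacopy", fsverity_digest(lower_data)
    return ("full-copy", None) if policy == "require" else ("metacopy", None)

def lowerdata_access_ok(policy, verity_xattr, lower_data: bytes) -> bool:
    # Hypothetical model of the check at ovl_open() / copy-up against the lowerdata file.
    if policy not in ("validate", "require"):
        return True                          # default (no verity_policy): xattr is ignored
    if verity_xattr is None:
        return policy != "require"           # require: a missing xattr fails the access
    return fsverity_digest(lower_data) == verity_xattr

if __name__ == "__main__":
    sample = b"lower data file\n" * 600      # constructed sample spanning several blocks
    kind, xattr = metacopy_up("require", sample, lower_has_verity=True)
    print(kind, lowerdata_access_ok("require", xattr, sample),
          lowerdata_access_ok("require", xattr, sample + b"x"))
```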

