Use composefs crate for fsverity digest reading

.github/workflows/rust.yml

@@ -10,17 +10,20 @@ env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  build:
-
+  build-fedora:
     runs-on: ubuntu-24.04
+    container:
+      image: quay.io/fedora/fedora:41
+      options: "--privileged --pid=host -v /var/tmp:/var/tmp -v /:/run/host"
 
     steps:
+    - run: dnf -y install cargo clippy composefs-devel e2fsprogs
     - name: Enable fs-verity on /
-      run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
+      run: tune2fs -O verity $(findmnt -vno SOURCE /run/host)
     - uses: actions/checkout@v4
     - name: Build
       run: cargo build --verbose
     - name: Clippy
       run: cargo clippy
     - name: Run tests
-      run: cargo test --verbose
+      run: env CFS_TEST_TMPDIR=/run/host/var/tmp cargo test --verbose

Cargo.toml

@@ -10,6 +10,7 @@ anyhow = { version = "1.0.89", features = ["backtrace"] }
 async-compression = { version = "0.4.17", features = ["tokio", "gzip", "zstd"] }
 clap = { version = "4.5.19", features = ["derive"] }
 containers-image-proxy = "0.7.0"
+composefs = "0.1.3"
 hex = "0.4.3"
 indicatif = { version = "0.17.8", features = ["tokio"] }
 oci-spec = "0.7.0"

src/fsverity/ioctl.rs

@@ -3,7 +3,7 @@ use std::os::fd::AsFd;
 use anyhow::Result;
 use rustix::ioctl;
 
-use super::FsVerityHashValue;
+use super::{FsVerityHashValue, Sha256HashValue};
 
 // See /usr/include/linux/fsverity.h
 #[repr(C)]
@@ -43,36 +43,10 @@ pub fn fs_ioc_enable_verity<F: AsFd, H: FsVerityHashValue>(fd: F) -> Result<()>
     Ok(())
 }
 
-#[repr(C)]
-pub struct FsVerityDigest<F> {
-    digest_algorithm: u16,
-    digest_size: u16,
-    digest: F,
-}
-
-// #define FS_IOC_MEASURE_VERITY   _IORW('f', 134, struct fsverity_digest)
-type FsIocMeasureVerity = ioctl::ReadWriteOpcode<b'f', 134, FsVerityDigest<()>>;
-
-pub fn fs_ioc_measure_verity<F: AsFd, H: FsVerityHashValue>(fd: F) -> Result<H> {
-    let digest_size = std::mem::size_of::<H>() as u16;
-    let digest_algorithm = H::ALGORITHM as u16;
-
-    let mut digest = FsVerityDigest::<H> {
-        digest_algorithm,
-        digest_size,
-        digest: H::EMPTY,
-    };
-
-    unsafe {
-        ioctl::ioctl(
-            fd,
-            ioctl::Updater::<FsIocMeasureVerity, FsVerityDigest<H>>::new(&mut digest),
-        )?;
-    }
-
-    if digest.digest_algorithm != digest_algorithm || digest.digest_size != digest_size {
-        Err(std::io::Error::from(std::io::ErrorKind::InvalidData))?
-    } else {
-        Ok(digest.digest)
-    }
+pub fn fs_ioc_measure_verity<F: AsFd>(fd: F) -> Result<Sha256HashValue> {
+    let mut digest = composefs::fsverity::Digest::new();
+    composefs::fsverity::fsverity_digest_from_fd(fd.as_fd(), &mut digest)?;
+    let mut r = Sha256HashValue::EMPTY;
+    r.copy_from_slice(digest.get());
+    Ok(r)
 }

tests/repo.rs

@@ -24,7 +24,10 @@ fn example_layer() -> Result<Vec<u8>> {
     Ok(builder.into_inner()?)
 }
 
-fn home_var_tmp() -> Result<PathBuf> {
+fn test_global_tmpdir() -> Result<PathBuf> {
+    if let Some(path) = std::env::var_os("CFS_TEST_TMPDIR") {
+        return Ok(path.into());
+    }
     // We can't use /tmp because that's usually a tmpfs (no fsverity)
     // We also can't use /var/tmp because it's an overlayfs in toolbox (no fsverity)
     // So let's try something in the user's homedir?
@@ -41,7 +44,7 @@ fn test_layer() -> Result<()> {
     context.update(&layer);
     let layer_id: [u8; 32] = context.finalize().into();
 
-    let tmpfile = tempfile::TempDir::with_prefix_in("composefs-test-", home_var_tmp()?)?;
+    let tmpfile = tempfile::TempDir::with_prefix_in("composefs-test-", test_global_tmpdir()?)?;
     let repo = Repository::open_path(tmpfile.path().to_path_buf())?;
     let id = oci::import_layer(&repo, &layer_id, Some("name"), &mut layer.as_slice())?;