Skip to content

Commit

Permalink
composefs: Inline small files
Browse files Browse the repository at this point in the history
Since we're changing composefs format anyway (due to the usr/etc relabel)
might as well import the change from mkcomposefs that inlines files up
to 64 bytes.
  • Loading branch information
alexlarsson committed Oct 2, 2023
1 parent e2bb81f commit 1841d0b
Showing 1 changed file with 37 additions and 21 deletions.
58 changes: 37 additions & 21 deletions src/libostree/ostree-repo-composefs.c
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@
#include <linux/fsverity.h>
#endif

#define OSTREE_COMPOSEFS_INLINE_MAX_SIZE 64

gboolean
_ostree_repo_parse_composefs_config (OstreeRepo *self, GError **error)
{
Expand Down Expand Up @@ -327,32 +329,46 @@ checkout_one_composefs_file_at (OstreeRepo *repo, const char *checksum, struct l
if (lcfs_node_set_payload (node, loose_path_buf) != 0)
return glnx_null_throw_errno (error);

guchar *known_digest = NULL;
if (source_size <= OSTREE_COMPOSEFS_INLINE_MAX_SIZE)
{
guchar buf[OSTREE_COMPOSEFS_INLINE_MAX_SIZE];
gsize bytes_read;

#ifdef HAVE_LINUX_FSVERITY_H
/* First try to get the digest directly from the bare repo file.
* This is the typical case when we're pulled into the target
* system repo with verity on and are recreating the composefs
* image during deploy. */
char buf[sizeof (struct fsverity_digest) + OSTREE_SHA256_DIGEST_LEN];
if (!g_input_stream_read_all (input, buf, source_size, &bytes_read, cancellable, error))
return NULL;

if (G_IS_UNIX_INPUT_STREAM (input))
{
int content_fd = g_unix_input_stream_get_fd (G_UNIX_INPUT_STREAM (input));
struct fsverity_digest *d = (struct fsverity_digest *)&buf;
d->digest_size = OSTREE_SHA256_DIGEST_LEN;

if (ioctl (content_fd, FS_IOC_MEASURE_VERITY, d) == 0
&& d->digest_size == OSTREE_SHA256_DIGEST_LEN
&& d->digest_algorithm == FS_VERITY_HASH_ALG_SHA256)
known_digest = d->digest;
if (lcfs_node_set_content (node, buf, bytes_read) != 0)
return glnx_null_throw_errno (error);
}
else
{
guchar *known_digest = NULL;

#ifdef HAVE_LINUX_FSVERITY_H
/* First try to get the digest directly from the bare repo file.
* This is the typical case when we're pulled into the target
* system repo with verity on and are recreating the composefs
* image during deploy. */
char buf[sizeof (struct fsverity_digest) + OSTREE_SHA256_DIGEST_LEN];

if (G_IS_UNIX_INPUT_STREAM (input))
{
int content_fd = g_unix_input_stream_get_fd (G_UNIX_INPUT_STREAM (input));
struct fsverity_digest *d = (struct fsverity_digest *)&buf;
d->digest_size = OSTREE_SHA256_DIGEST_LEN;

if (ioctl (content_fd, FS_IOC_MEASURE_VERITY, d) == 0
&& d->digest_size == OSTREE_SHA256_DIGEST_LEN
&& d->digest_algorithm == FS_VERITY_HASH_ALG_SHA256)
known_digest = d->digest;
}
#endif

if (known_digest)
lcfs_node_set_fsverity_digest (node, known_digest);
else if (lcfs_node_set_fsverity_from_content (node, input, _composefs_read_cb) != 0)
return glnx_null_throw_errno (error);
if (known_digest)
lcfs_node_set_fsverity_digest (node, known_digest);
else if (lcfs_node_set_fsverity_from_content (node, input, _composefs_read_cb) != 0)
return glnx_null_throw_errno (error);
}
}

if (xattrs)
Expand Down

0 comments on commit 1841d0b

Please sign in to comment.