diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
index 8696229b37..2e50c30ded 100644
--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
 if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
 return FALSE;
 
- /* If the commit specified a composefs digest, verify it */
- if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
- return FALSE;
+ /* If the commit specified a composefs digest and the target is known to have fsverity,
+ * then double check our ouptut.
+ */
+ if (verity == OT_TRISTATE_YES)
+ {
+ if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+ return FALSE;
+ }
 
 if (!glnx_fchmod (tmpf.fd, 0644, error))
 return FALSE;
diff --git a/tests/inst/src/composefs.rs b/tests/inst/src/composefs.rs
index eddccd1d6e..d4fadd759a 100644
--- a/tests/inst/src/composefs.rs
+++ b/tests/inst/src/composefs.rs
@@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
 return Ok(());
 }
 {
- let fstype = cmd!(sh, "stat -f / -c %T").read()?;
+ let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
 if fstype.trim() == "xfs" {
 println!("SKIP no xfs fsverity yet");
 return Ok(());
diff --git a/tests/kolainst/destructive/bootupd-static.sh b/tests/kolainst/destructive/bootupd-static.sh
deleted file mode 100755
index 670178e47d..0000000000
--- a/tests/kolainst/destructive/bootupd-static.sh
+++ /dev/null
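Review bot: The comparison against `metadata_composefs` now runs only when `verity == OT_TRISTATE_YES`, so for every other value a checkout whose generated digest differs from the one recorded in the commit succeeds with no signal to the caller. Where `verity` is assigned is outside the hunk; if a "maybe" state can reach this point the check is skipped there as well, which may or may not be intended. I would state that contract in the comment, e.g. `/* Only compare when fsverity was explicitly requested; in every other mode the commit's digest is NOT verified here. */`, and fix the typo `ouptut` to `output`. The body of ostree_repo_checkout_composefs starts and ends outside the hunk.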
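Review bot: The new `stat -f /sysroot -c %T` line carries no comment explaining why the filesystem type is read from `/sysroot` rather than `/`, and on a host without that path `stat` would fail, which `.read()?` presumably reports as a test error rather than a skip. A one-line comment above it would help the next reader, e.g. `// Probe the physical root; / may be an overlay or composefs mount (confirm)`. The enclosing block and itest_composefs continue outside the hunk.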
@@ -1,36 +0,0 @@
-#!/bin/bash
-set -xeuo pipefail
-
-. ${KOLA_EXT_DATA}/libinsttest.sh
-
-require_writable_sysroot
-prepare_tmpdir
-
-bootupd_state=/boot/bootupd-state.json
-mount -o remount,rw /boot
-if grep -qFe "\"static-configs\"" "${bootupd_state}"; then
- echo "Host is using static configs already, overriding this"
- jq --compact-output '.["static-configs"] = null' < "${bootupd_state}" > "${bootupd_state}".new
- mv "${bootupd_state}.new" "${bootupd_state}"
-fi
-
-# Print the current value for reference, it's "none" on FCOS derivatives
-ostree config get sysroot.bootloader || true
-ostree config set sysroot.bootloader auto
-
-ostree admin deploy --stage "${host_commit}"
-systemctl stop ostree-finalize-staged.service
-used_bootloader=$(journalctl -u ostree-finalize-staged -o json MESSAGE_ID=dd440e3e549083b63d0efc7dc15255f1 | tail -1 | jq -r .OSTREE_BOOTLOADER)
-# We're verifying the legacy default now
-assert_streq "${used_bootloader}" "grub2"
-ostree admin undeploy 0
-
-# Now synthesize a bootupd config which uses static configs
-jq '. + {"static-configs": {}}' < "${bootupd_state}" > "${bootupd_state}".new
-mv "${bootupd_state}.new" "${bootupd_state}"
-ostree admin deploy --stage "${host_commit}"
-systemctl stop ostree-finalize-staged.service
-used_bootloader=$(journalctl -u ostree-finalize-staged -o json MESSAGE_ID=dd440e3e549083b63d0efc7dc15255f1 | tail -1 | jq -r .OSTREE_BOOTLOADER)
-assert_streq "${used_bootloader}" "none"
-
-echo "ok bootupd static"
diff --git a/tests/test-composefs.sh b/tests/test-composefs.sh
index 12813cf2a9..72f81284ec 100755
--- a/tests/test-composefs.sh
+++ b/tests/test-composefs.sh
@@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"
 
+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+ '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+ fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end
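Review bot: The single-quoted `--add-metadata=ostree.composefs.digest.v0=[byte …]` argument is broken across two added lines between `0xc5` and `, 0xa7`, so a literal newline ends up inside the value passed to `ostree commit`. This looks like an accidental wrap; the array should be joined onto one line or built in a variable first. The block also pins only the rejecting path. Nothing checks that the same `test-composefs-bad-digest` ref still checks out when verity is not requested, which is the behaviour the C change in this commit introduces, so a companion assertion for that case would keep the skipped check a documented, tested decision.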