composefs: Handle fs-verity disabled insall/updates

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

crates/lib/src/bootc_composefs/boot.rs

@@ -94,7 +94,6 @@ use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
 use crate::parsers::bls_config::{BLSConfig, BLSConfigType};
-use crate::parsers::grub_menuconfig::MenuEntry;
 use crate::task::Task;
 use crate::{
     bootc_composefs::repo::get_imgref,
@@ -119,6 +118,7 @@ use crate::{
     },
     spec::{Bootloader, Host},
 };
+use crate::{parsers::grub_menuconfig::MenuEntry, store::BootedComposefs};
 
 use crate::install::{RootSetup, State};
 
@@ -155,7 +155,14 @@ pub(crate) enum BootSetupType<'a> {
         ),
     ),
     /// For `bootc upgrade`
-    Upgrade((&'a Storage, &'a ComposefsFilesystem, &'a Host)),
+    Upgrade(
+        (
+            &'a Storage,
+            &'a BootedComposefs,
+            &'a ComposefsFilesystem,
+            &'a Host,
+        ),
+    ),
 }
 
 #[derive(
@@ -532,7 +539,7 @@ pub(crate) fn setup_composefs_bls_boot(
             )
         }
 
-        BootSetupType::Upgrade((storage, fs, host)) => {
+        BootSetupType::Upgrade((storage, booted_cfs, fs, host)) => {
             let sysroot_parent = get_sysroot_parent_dev(&storage.physical_root)?;
             let bootloader = host.require_composefs_booted()?.bootloader.clone();
 
@@ -551,7 +558,12 @@ pub(crate) fn setup_composefs_bls_boot(
             };
 
             // Copy all cmdline args, replacing only `composefs=`
-            let param = format!("{COMPOSEFS_CMDLINE}={id_hex}");
+            let param = if booted_cfs.cmdline.insecure {
+                format!("{COMPOSEFS_CMDLINE}=?{id_hex}")
+            } else {
+                format!("{COMPOSEFS_CMDLINE}={id_hex}")
+            };
+
             let param =
                 Parameter::parse(&param).context("Failed to create 'composefs=' parameter")?;
             cmdline.add_or_modify(&param);
@@ -1083,7 +1095,7 @@ pub(crate) fn setup_composefs_uki_boot(
             )
         }
 
-        BootSetupType::Upgrade((storage, _, host)) => {
+        BootSetupType::Upgrade((storage, booted_cfs, _, host)) => {
             let sysroot = Utf8PathBuf::from("/sysroot"); // Still needed for root_path
             let sysroot_parent = get_sysroot_parent_dev(&storage.physical_root)?;
             let bootloader = host.require_composefs_booted()?.bootloader.clone();
@@ -1092,7 +1104,7 @@ pub(crate) fn setup_composefs_uki_boot(
                 sysroot,
                 get_esp_partition(&sysroot_parent)?.0,
                 bootloader,
-                false,
+                booted_cfs.cmdline.insecure,
                 None,
             )
         }
@@ -1224,8 +1236,11 @@ pub(crate) async fn setup_composefs_boot(
     root_setup: &RootSetup,
     state: &State,
     image_id: &str,
+    insecure: bool,
 ) -> Result<()> {
-    let repo = open_composefs_repo(&root_setup.physical_root)?;
+    let mut repo = open_composefs_repo(&root_setup.physical_root)?;
+    repo.set_insecure(insecure);
+
     let mut fs = create_composefs_filesystem(&repo, image_id, None)?;
     let entries = fs.transform_for_boot(&repo)?;
     let id = fs.commit_image(&repo, None)?;
@@ -1296,6 +1311,7 @@ pub(crate) async fn setup_composefs_boot(
             &state.source.imageref.name,
         ))
         .await?,
+        insecure,
     )
     .await?;
 

crates/lib/src/bootc_composefs/finalize.rs

@@ -24,7 +24,11 @@ pub(crate) async fn get_etc_diff(storage: &Storage, booted_cfs: &BootedComposefs
 
     // Mount the booted EROFS image to get pristine etc
     let sysroot_fd = storage.physical_root.reopen_as_ownedfd()?;
-    let composefs_fd = mount_composefs_image(&sysroot_fd, &booted_composefs.verity, false)?;
+    let composefs_fd = mount_composefs_image(
+        &sysroot_fd,
+        &booted_composefs.verity,
+        booted_cfs.cmdline.insecure,
+    )?;
 
     let erofs_tmp_mnt = TempMount::mount_fd(&composefs_fd)?;
 
@@ -68,7 +72,11 @@ pub(crate) async fn composefs_backend_finalize(
 
     // Mount the booted EROFS image to get pristine etc
     let sysroot_fd = storage.physical_root.reopen_as_ownedfd()?;
-    let composefs_fd = mount_composefs_image(&sysroot_fd, &booted_composefs.verity, false)?;
+    let composefs_fd = mount_composefs_image(
+        &sysroot_fd,
+        &booted_composefs.verity,
+        booted_cfs.cmdline.insecure,
+    )?;
 
     let erofs_tmp_mnt = TempMount::mount_fd(&composefs_fd)?;
 

crates/lib/src/bootc_composefs/repo.rs

@@ -23,12 +23,14 @@ pub(crate) fn open_composefs_repo(rootfs_dir: &Dir) -> Result<crate::store::Comp
 pub(crate) async fn initialize_composefs_repository(
     state: &State,
     root_setup: &RootSetup,
+    insecure: bool,
 ) -> Result<(String, impl FsVerityHashValue)> {
     let rootfs_dir = &root_setup.physical_root;
 
     crate::store::ensure_composefs_dir(rootfs_dir)?;
 
-    let repo = open_composefs_repo(rootfs_dir)?;
+    let mut repo = open_composefs_repo(rootfs_dir)?;
+    repo.set_insecure(insecure);
 
     let OstreeExtImgRef {
         name: image_name,
@@ -71,6 +73,7 @@ pub(crate) fn get_imgref(transport: &str, image: &str) -> String {
 pub(crate) async fn pull_composefs_repo(
     transport: &String,
     image: &String,
+    insecure: bool,
 ) -> Result<(
     crate::store::ComposefsRepository,
     Vec<ComposefsBootEntry<Sha512HashValue>>,
@@ -79,7 +82,8 @@ pub(crate) async fn pull_composefs_repo(
 )> {
     let rootfs_dir = Dir::open_ambient_dir("/sysroot", ambient_authority())?;
 
-    let repo = open_composefs_repo(&rootfs_dir).context("Opening composefs repo")?;
+    let mut repo = open_composefs_repo(&rootfs_dir).context("Opening composefs repo")?;
+    repo.set_insecure(insecure);
 
     let final_imgref = get_imgref(transport, image);
 
@@ -91,7 +95,9 @@ pub(crate) async fn pull_composefs_repo(
 
     tracing::info!("ID: {id}, Verity: {}", verity.to_hex());
 
-    let repo = open_composefs_repo(&rootfs_dir)?;
+    let mut repo = open_composefs_repo(&rootfs_dir)?;
+    repo.set_insecure(insecure);
+
     let mut fs: crate::store::ComposefsFilesystem =
         create_composefs_filesystem(&repo, &id, None)
             .context("Failed to create composefs filesystem")?;

crates/lib/src/bootc_composefs/selinux.rs

@@ -76,7 +76,7 @@ fn get_selinux_policy_for_deployment(
     let (deployment_root, _mount_guard) = if *booted_cmdline.digest == *depl_id {
         (Dir::open_ambient_dir("/", ambient_authority())?, None)
     } else {
-        let composefs_fd = mount_composefs_image(&sysroot_fd, depl_id, false)?;
+        let composefs_fd = mount_composefs_image(&sysroot_fd, depl_id, booted_cmdline.insecure)?;
         let erofs_tmp_mnt = TempMount::mount_fd(&composefs_fd)?;
 
         (erofs_tmp_mnt.fd.try_clone()?, Some(erofs_tmp_mnt))

crates/lib/src/bootc_composefs/soft_reboot.rs

@@ -108,7 +108,11 @@ pub(crate) async fn prepare_soft_reboot_composefs(
 
     create_dir_all(NEXTROOT).context("Creating nextroot")?;
 
-    let cmdline = Cmdline::from(format!("{COMPOSEFS_CMDLINE}={deployment_id}"));
+    let cmdline = if booted_cfs.cmdline.insecure {
+        Cmdline::from(format!("{COMPOSEFS_CMDLINE}=?{deployment_id}"))
+    } else {
+        Cmdline::from(format!("{COMPOSEFS_CMDLINE}={deployment_id}"))
+    };
 
     let args = bootc_initramfs_setup::Args {
         cmd: vec![],

crates/lib/src/bootc_composefs/state.rs

@@ -87,6 +87,7 @@ pub(crate) fn initialize_state(
     erofs_id: &String,
     state_path: &Utf8PathBuf,
     initialize_var: bool,
+    insecure: bool,
 ) -> Result<()> {
     let sysroot_fd = open(
         sysroot_path.as_std_path(),
@@ -95,7 +96,8 @@ pub(crate) fn initialize_state(
     )
     .context("Opening sysroot")?;
 
-    let composefs_fd = bootc_initramfs_setup::mount_composefs_image(&sysroot_fd, &erofs_id, false)?;
+    let composefs_fd =
+        bootc_initramfs_setup::mount_composefs_image(&sysroot_fd, &erofs_id, insecure)?;
 
     let tempdir = TempMount::mount_fd(composefs_fd)?;
 
@@ -234,6 +236,7 @@ pub(crate) async fn write_composefs_state(
     boot_type: BootType,
     boot_digest: String,
     container_details: &ImgConfigManifest,
+    insecure: bool,
 ) -> Result<()> {
     let state_path = root_path
         .join(STATE_DIR_RELATIVE)
@@ -256,6 +259,7 @@ pub(crate) async fn write_composefs_state(
         &deployment_id.to_hex(),
         &state_path,
         staged.is_none(),
+        insecure,
     )?;
 
     let ImageReference {

crates/lib/src/bootc_composefs/status.rs

@@ -55,7 +55,6 @@ pub(crate) struct ImgConfigManifest {
 /// A parsed composefs command line
 #[derive(Clone)]
 pub(crate) struct ComposefsCmdline {
-    #[allow(dead_code)]
     pub insecure: bool,
     pub digest: Box<str>,
 }

crates/lib/src/bootc_composefs/update.rs

@@ -251,7 +251,12 @@ pub(crate) async fn do_upgrade(
 ) -> Result<()> {
     start_finalize_stated_svc()?;
 
-    let (repo, entries, id, fs) = pull_composefs_repo(&imgref.transport, &imgref.image).await?;
+    let (repo, entries, id, fs) = pull_composefs_repo(
+        &imgref.transport,
+        &imgref.image,
+        booted_cfs.cmdline.insecure,
+    )
+    .await?;
 
     let Some(entry) = entries.iter().next() else {
         anyhow::bail!("No boot entries!");
@@ -267,15 +272,15 @@ pub(crate) async fn do_upgrade(
 
     let boot_digest = match boot_type {
         BootType::Bls => setup_composefs_bls_boot(
-            BootSetupType::Upgrade((storage, &fs, &host)),
+            BootSetupType::Upgrade((storage, booted_cfs, &fs, &host)),
             repo,
             &id,
             entry,
             &mounted_fs,
         )?,
 
         BootType::Uki => setup_composefs_uki_boot(
-            BootSetupType::Upgrade((storage, &fs, &host)),
+            BootSetupType::Upgrade((storage, booted_cfs, &fs, &host)),
             repo,
             &id,
             entries,
@@ -293,6 +298,7 @@ pub(crate) async fn do_upgrade(
         boot_type,
         boot_digest,
         img_manifest_config,
+        booted_cfs.cmdline.insecure,
     )
     .await?;
 

crates/lib/src/install.rs

@@ -1909,10 +1909,12 @@ async fn install_to_filesystem_impl(
     if state.composefs_options.composefs_backend {
         // Load a fd for the mounted target physical root
 
-        let (id, verity) = initialize_composefs_repository(state, rootfs).await?;
+        let (id, verity) =
+            initialize_composefs_repository(state, rootfs, state.composefs_options.insecure)
+                .await?;
         tracing::info!("id: {id}, verity: {}", verity.to_hex());
 
-        setup_composefs_boot(rootfs, state, &id).await?;
+        setup_composefs_boot(rootfs, state, &id, state.composefs_options.insecure).await?;
     } else {
         ostree_install(state, rootfs, cleanup).await?;
     }

crates/lib/src/parsers/bls_config.rs

@@ -13,6 +13,7 @@ use std::collections::HashMap;
 use std::fmt::Display;
 use uapi_version::Version;
 
+use crate::bootc_composefs::status::ComposefsCmdline;
 use crate::composefs_consts::COMPOSEFS_CMDLINE;
 
 #[derive(Debug, PartialEq, Eq, Default)]
@@ -189,15 +190,16 @@ impl BLSConfig {
 
                 let kv = cmdline
                     .find(COMPOSEFS_CMDLINE)
-                    .ok_or(anyhow::anyhow!("No composefs= param"))?;
+                    .ok_or_else(|| anyhow::anyhow!("No composefs= param"))?;
 
                 let value = kv
                     .value()
-                    .ok_or(anyhow::anyhow!("Empty composefs= param"))?;
+                    .ok_or_else(|| anyhow::anyhow!("Empty composefs= param"))?;
 
-                let value = value.to_owned();
+                let cfs_cmdline = ComposefsCmdline::new(value);
 
-                Ok(value)
+                // TODO(Johan-Liebert1): We lose the info here that this is insecure
+                Ok(cfs_cmdline.digest.to_string().clone())
             }
 
             BLSConfigType::Unknown => anyhow::bail!("Unknown config type"),