composefs/install: Store the entire UKI cmdline

Instead of only getting the "insecure" bit from the composefs parameter
in the UKI kernel commandline, store the entire thing

Tests written by Claude

Assisted-by: Claude Code (Opus)
Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

Cargo.lock

@@ -77,6 +77,17 @@ impl ComposefsCmdline {
             digest: digest_str.into(),
         }
     }
+
+    /// Search for the `composefs=` parameter in the passed in kernel command line
+    pub(crate) fn find_in_cmdline(cmdline: &Cmdline) -> Option<Self> {
+        match cmdline.find(COMPOSEFS_CMDLINE) {
+            Some(param) => {
+                let value = param.value()?;
+                Some(Self::new(value))
+            }
+            None => None,
+        }
+    }
 }
 
 impl std::fmt::Display for ComposefsCmdline {
@@ -935,4 +946,56 @@ mod tests {
 
         Ok(())
     }
+
+    #[test]
+    fn test_find_in_cmdline() {
+        const DIGEST: &str = "8b7df143d91c716ecfa5fc1730022f6b421b05cedee8fd52b1fc65a96030ad52";
+
+        // Test case: cmdline contains composefs parameter
+        let cmdline = Cmdline::from(format!("root=UUID=abc123 rw composefs={}", DIGEST));
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_some());
+        let cfs = result.unwrap();
+        assert_eq!(cfs.digest.as_ref(), DIGEST);
+        assert!(!cfs.allow_missing_fsverity);
+
+        // Test case: cmdline contains composefs parameter with allow_missing_fsverity
+        let cmdline = Cmdline::from(format!("root=UUID=abc123 rw composefs=?{}", DIGEST));
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_some());
+        let cfs = result.unwrap();
+        assert_eq!(cfs.digest.as_ref(), DIGEST);
+        assert!(cfs.allow_missing_fsverity);
+
+        // Test case: cmdline does not contain composefs parameter
+        let cmdline = Cmdline::from("root=UUID=abc123 rw quiet");
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_none());
+
+        // Test case: empty cmdline
+        let cmdline = Cmdline::from("");
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_none());
+
+        // Test case: cmdline with other parameters and composefs at different positions
+        let cmdline = Cmdline::from(format!("quiet composefs={} loglevel=3", DIGEST));
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_some());
+        let cfs = result.unwrap();
+        assert_eq!(cfs.digest.as_ref(), DIGEST);
+        assert!(!cfs.allow_missing_fsverity);
+
+        // Test case: cmdline with composefs at the beginning
+        let cmdline = Cmdline::from(format!("composefs=?{} root=UUID=abc123 quiet", DIGEST));
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_some());
+        let cfs = result.unwrap();
+        assert_eq!(cfs.digest.as_ref(), DIGEST);
+        assert!(cfs.allow_missing_fsverity);
+
+        // Test case: cmdline with similar parameter names (should not match)
+        let cmdline = Cmdline::from(format!("composefs_backup={} root=UUID=abc123", DIGEST));
+        let result = ComposefsCmdline::find_in_cmdline(&cmdline);
+        assert!(result.is_none());
+    }
 }

crates/lib/src/bootc_composefs/status.rs

@@ -187,6 +187,7 @@ use serde::{Deserialize, Serialize};
 
 #[cfg(feature = "install-to-disk")]
 use self::baseline::InstallBlockDeviceOpts;
+use crate::bootc_composefs::status::ComposefsCmdline;
 use crate::bootc_composefs::{boot::setup_composefs_boot, repo::initialize_composefs_repository};
 use crate::boundimage::{BoundImage, ResolvedBoundImage};
 use crate::containerenv::ContainerExecutionInfo;
@@ -1679,10 +1680,12 @@ async fn prepare_install(
     // NOTE: This isn't really 100% accurate 100% of the time as the cmdline can be in an addon
     match kernel {
         Some(k) => match k.k_type {
-            crate::kernel::KernelType::Uki {
-                allow_missing_fsverity,
-                ..
-            } => {
+            crate::kernel::KernelType::Uki { cmdline, .. } => {
+                let allow_missing_fsverity = cmdline.is_some_and(|cmd| {
+                    ComposefsCmdline::find_in_cmdline(&cmd)
+                        .is_some_and(|cfs_cmdline| cfs_cmdline.allow_missing_fsverity)
+                });
+
                 if !allow_missing_fsverity {
                     anyhow::ensure!(
                         root_filesystem.supports_fsverity(),
@@ -1703,14 +1706,14 @@ async fn prepare_install(
     // If `--allow-missing-verity` is already passed via CLI, don't modify
     if composefs_options.composefs_backend && !composefs_options.allow_missing_verity && !is_uki {
         composefs_options.allow_missing_verity = !root_filesystem.supports_fsverity();
-
-        tracing::info!(
-            allow_missing_fsverity = composefs_options.allow_missing_verity,
-            uki = is_uki,
-            "ComposeFS install prep",
-        );
     }
 
+    tracing::info!(
+        allow_missing_fsverity = composefs_options.allow_missing_verity,
+        uki = is_uki,
+        "ComposeFS install prep",
+    );
+
     if let Some(crate::spec::Bootloader::None) = config_opts.bootloader {
         if cfg!(target_arch = "s390x") {
             anyhow::bail!("Bootloader set to none is not supported for the s390x architecture");

crates/lib/src/install.rs

@@ -14,8 +14,6 @@ use cap_std_ext::dirext::CapStdExtDirExt;
 use serde::Serialize;
 
 use crate::bootc_composefs::boot::EFI_LINUX;
-use crate::bootc_composefs::status::ComposefsCmdline;
-use crate::composefs_consts::COMPOSEFS_CMDLINE;
 
 /// Information about the kernel in a container image.
 #[derive(Debug, Serialize)]
@@ -37,7 +35,9 @@ pub(crate) struct Kernel {
 pub(crate) enum KernelType {
     Uki {
         path: Utf8PathBuf,
-        allow_missing_fsverity: bool,
+        /// The commandline we found in the UKI
+        /// Again due to UKI Addons, we may or may not have it in the UKI itself
+        cmdline: Option<Cmdline<'static>>,
     },
     Vmlinuz {
         path: Utf8PathBuf,
@@ -79,31 +79,23 @@ pub(crate) fn find_kernel(root: &Dir) -> Result<Option<KernelInternal>> {
         // Best effort to check for composefs=?verity in the UKI cmdline
         let cmdline = composefs_boot::uki::get_section(&uki, ".cmdline");
 
-        let allow_missing_fsverity = match cmdline {
+        let cmdline = match cmdline {
             Some(Ok(cmdline)) => {
                 let cmdline_str = std::str::from_utf8(cmdline)?;
-
-                let cmdline = Cmdline::from(cmdline_str);
-
-                match cmdline.find(COMPOSEFS_CMDLINE) {
-                    Some(param) => ComposefsCmdline::new(&param).allow_missing_fsverity,
-
-                    // The cmdline might be in an addon, so don't allow missing verity
-                    None => false,
-                }
+                Some(Cmdline::from(cmdline_str.to_owned()))
             }
 
             Some(Err(uki_error)) => match uki_error {
                 composefs_boot::uki::UkiError::MissingSection(_) => {
                     // TODO(Johan-Liebert1): Check this when we have full UKI Addons support
                     // The cmdline might be in an addon, so don't allow missing verity
-                    false
+                    None
                 }
 
                 e => anyhow::bail!("Failed to read UKI cmdline: {e:?}"),
             },
 
-            None => false,
+            None => None,
         };
 
         return Ok(Some(KernelInternal {
@@ -113,7 +105,7 @@ pub(crate) fn find_kernel(root: &Dir) -> Result<Option<KernelInternal>> {
             },
             k_type: KernelType::Uki {
                 path: uki_path,
-                allow_missing_fsverity,
+                cmdline,
             },
         }));
     }