composefs: Disable auto fsverity enforcement on unsupported fs

On filesystems that do not support fsverity, we now do not auto enforce
fsverity. On filesystems that do support it, we look at the
`--allow-missing-verity` option, if passed in by the user, and if true,
fs-verity enforcement is disabled and vice-versa.

In case of UKIs, we take a different approach of looking at the UKI
cmdline beforehand and checking if the `composefs=` parameter has `?` or
not. This approach, though valid, fails in a few cases, viz,

- The cmdline is in a UKI addon
- The target image is not the one we're currently running in

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

crates/lib/src/install.rs

@@ -193,14 +193,15 @@ use crate::containerenv::ContainerExecutionInfo;
 use crate::deploy::{
     MergeState, PreparedImportMeta, PreparedPullResult, prepare_for_pull, pull_from_prepared,
 };
+use crate::install::config::Filesystem as FilesystemEnum;
 use crate::lsm;
 use crate::progress_jsonl::ProgressWriter;
 use crate::spec::{Bootloader, ImageReference};
 use crate::store::Storage;
 use crate::task::Task;
 use crate::utils::sigpolicy_from_opt;
 use bootc_kernel_cmdline::{INITRD_ARG_PREFIX, ROOTFLAGS, bytes, utf8};
-use bootc_mount::Filesystem;
+use bootc_mount::{Filesystem, inspect_filesystem};
 use composefs::fsverity::FsVerityHashValue;
 
 /// The toplevel boot directory
@@ -1507,6 +1508,7 @@ async fn prepare_install(
     source_opts: InstallSourceOpts,
     target_opts: InstallTargetOpts,
     mut composefs_options: InstallComposefsOpts,
+    target_fs: Option<FilesystemEnum>,
 ) -> Result<Arc<State>> {
     tracing::trace!("Preparing install");
     let rootfs = cap_std::fs::Dir::open_ambient_dir("/", cap_std::ambient_authority())
@@ -1576,12 +1578,15 @@ async fn prepare_install(
     };
     tracing::debug!("Target image reference: {target_imgref}");
 
-    let composefs_required = if let Some(root) = target_rootfs.as_ref() {
-        crate::kernel::find_kernel(root)?
-            .map(|k| k.kernel.unified)
-            .unwrap_or(false)
+    let (composefs_required, kernel) = if let Some(root) = target_rootfs.as_ref() {
+        let kernel = crate::kernel::find_kernel(root)?;
+
+        (
+            kernel.as_ref().map(|k| k.kernel.unified).unwrap_or(false),
+            kernel,
+        )
     } else {
-        false
+        (false, None)
     };
 
     tracing::debug!("Composefs required: {composefs_required}");
@@ -1656,6 +1661,59 @@ async fn prepare_install(
         tracing::debug!("No install configuration found");
     }
 
+    let root_filesystem = target_fs
+        .or(install_config
+            .as_ref()
+            .and_then(|c| c.filesystem_root())
+            .and_then(|r| r.fstype))
+        .ok_or_else(|| anyhow::anyhow!("No root filesystem specified"))?;
+
+    let mut is_uki = false;
+
+    // For composefs backend, automatically disable fs-verity hard requirement if the
+    // filesystem doesn't support it
+    //
+    // If we have a sealed UKI on our hands, then we can assume that user wanted fs-verity so
+    // we hard require it in that particular case
+    //
+    // NOTE: This isn't really 100% accurate 100% of the time as the cmdline can be in an addon
+    match kernel {
+        Some(k) => match k.k_type {
+            crate::kernel::KernelType::Uki {
+                allow_missing_fsverity,
+                ..
+            } => {
+                if !allow_missing_fsverity {
+                    anyhow::ensure!(
+                        root_filesystem.supports_fsverity(),
+                        "Specified filesystem {root_filesystem} does not support fs-verity"
+                    );
+                }
+
+                composefs_options.allow_missing_verity = allow_missing_fsverity;
+                is_uki = true;
+            }
+
+            crate::kernel::KernelType::Vmlinuz { .. } => {}
+        },
+
+        None => {}
+    }
+
+    // If `--allow-missing-verity` is already passed via CLI, don't modify
+    if composefs_options.composefs_backend && !composefs_options.allow_missing_verity && !is_uki {
+        composefs_options.allow_missing_verity = !root_filesystem.supports_fsverity();
+
+        tracing::debug!(
+            "Missing fsverity {}",
+            if composefs_options.allow_missing_verity {
+                "allowed"
+            } else {
+                "not allowed"
+            }
+        );
+    }
+
     if let Some(crate::spec::Bootloader::None) = config_opts.bootloader {
         if cfg!(target_arch = "s390x") {
             anyhow::bail!("Bootloader set to none is not supported for the s390x architecture");
@@ -1994,6 +2052,7 @@ pub(crate) async fn install_to_disk(mut opts: InstallToDiskOpts) -> Result<()> {
         opts.source_opts,
         opts.target_opts,
         opts.composefs_opts,
+        block_opts.filesystem,
     )
     .await?;
 
@@ -2294,6 +2353,8 @@ pub(crate) async fn install_to_filesystem(
         target_path
     );
 
+    let fs_inspect = inspect_filesystem(&opts.filesystem_opts.root_path)?;
+
     // Gather global state, destructuring the provided options.
     // IMPORTANT: We might re-execute the current process in this function (for SELinux among other things)
     // IMPORTANT: and hence anything that is done before MUST BE IDEMPOTENT.
@@ -2304,6 +2365,7 @@ pub(crate) async fn install_to_filesystem(
         opts.source_opts,
         opts.target_opts,
         opts.composefs_opts,
+        Some(fs_inspect.fstype.as_str().try_into()?),
     )
     .await?;
 

crates/lib/src/install/config.rs

@@ -32,6 +32,25 @@ impl std::fmt::Display for Filesystem {
     }
 }
 
+impl TryFrom<&str> for Filesystem {
+    type Error = anyhow::Error;
+
+    fn try_from(value: &str) -> Result<Self, Self::Error> {
+        match value {
+            "xfs" => Ok(Self::Xfs),
+            "ext4" => Ok(Self::Ext4),
+            "btrfs" => Ok(Self::Btrfs),
+            other => anyhow::bail!("Unknown filesystem: {}", other),
+        }
+    }
+}
+
+impl Filesystem {
+    pub(crate) fn supports_fsverity(&self) -> bool {
+        matches!(self, Self::Ext4 | Self::Btrfs)
+    }
+}
+
 /// The toplevel config entry for installation configs stored
 /// in bootc/install (e.g. /etc/bootc/install/05-custom.toml)
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]

crates/lib/src/kernel.rs

@@ -6,13 +6,16 @@
 
 use std::path::Path;
 
-use anyhow::Result;
+use anyhow::{Context, Result};
+use bootc_kernel_cmdline::utf8::Cmdline;
 use camino::Utf8PathBuf;
 use cap_std_ext::cap_std::fs::Dir;
 use cap_std_ext::dirext::CapStdExtDirExt;
 use serde::Serialize;
 
 use crate::bootc_composefs::boot::EFI_LINUX;
+use crate::bootc_composefs::status::ComposefsCmdline;
+use crate::composefs_consts::COMPOSEFS_CMDLINE;
 
 /// Information about the kernel in a container image.
 #[derive(Debug, Serialize)]
@@ -31,8 +34,11 @@ pub(crate) struct Kernel {
 /// UKI kernels only have the single PE binary, whereas
 /// traditional "vmlinuz" kernels have distinct kernel and
 /// initramfs.
-pub(crate) enum KernelPath {
-    Uki(Utf8PathBuf),
+pub(crate) enum KernelType {
+    Uki {
+        path: Utf8PathBuf,
+        allow_missing_fsverity: bool,
+    },
     Vmlinuz {
         path: Utf8PathBuf,
         initramfs: Utf8PathBuf,
@@ -47,7 +53,7 @@ pub(crate) enum KernelPath {
 /// to get the "public" form where needed.
 pub(crate) struct KernelInternal {
     pub(crate) kernel: Kernel,
-    pub(crate) path: KernelPath,
+    pub(crate) k_type: KernelType,
 }
 
 impl From<KernelInternal> for Kernel {
@@ -67,12 +73,48 @@ pub(crate) fn find_kernel(root: &Dir) -> Result<Option<KernelInternal>> {
     // First, try to find a UKI
     if let Some(uki_path) = find_uki_path(root)? {
         let version = uki_path.file_stem().unwrap_or(uki_path.as_str()).to_owned();
+
+        let uki = root.read(&uki_path).context("Reading UKI")?;
+
+        // Best effort to check for composefs=?verity in the UKI cmdline
+        let cmdline = composefs_boot::uki::get_section(&uki, ".cmdline");
+
+        let allow_missing_fsverity = match cmdline {
+            Some(Ok(cmdline)) => {
+                let cmdline_str = std::str::from_utf8(cmdline)?;
+
+                let cmdline = Cmdline::from(cmdline_str);
+
+                match cmdline.find(COMPOSEFS_CMDLINE) {
+                    Some(param) => ComposefsCmdline::new(&param).allow_missing_fsverity,
+
+                    // The cmdline might be in an addon, so don't allow missing verity
+                    None => false,
+                }
+            }
+
+            Some(Err(uki_error)) => match uki_error {
+                composefs_boot::uki::UkiError::MissingSection(_) => {
+                    // TODO(Johan-Liebert1): Check this when we have full UKI Addons support
+                    // The cmdline might be in an addon, so don't allow missing verity
+                    false
+                }
+
+                e => anyhow::bail!("Failed to read UKI cmdline: {e:?}"),
+            },
+
+            None => false,
+        };
+
         return Ok(Some(KernelInternal {
             kernel: Kernel {
                 version,
                 unified: true,
             },
-            path: KernelPath::Uki(uki_path),
+            k_type: KernelType::Uki {
+                path: uki_path,
+                allow_missing_fsverity,
+            },
         }));
     }
 
@@ -89,7 +131,7 @@ pub(crate) fn find_kernel(root: &Dir) -> Result<Option<KernelInternal>> {
                 version,
                 unified: false,
             },
-            path: KernelPath::Vmlinuz {
+            k_type: KernelType::Vmlinuz {
                 path: vmlinuz,
                 initramfs,
             },
@@ -156,8 +198,8 @@ mod tests {
         let kernel_internal = find_kernel(&tempdir)?.expect("should find kernel");
         assert_eq!(kernel_internal.kernel.version, "6.12.0-100.fc41.x86_64");
         assert!(!kernel_internal.kernel.unified);
-        match &kernel_internal.path {
-            KernelPath::Vmlinuz { path, initramfs } => {
+        match &kernel_internal.k_type {
+            KernelType::Vmlinuz { path, initramfs } => {
                 assert_eq!(
                     path.as_str(),
                     "usr/lib/modules/6.12.0-100.fc41.x86_64/vmlinuz"
@@ -167,7 +209,7 @@ mod tests {
                     "usr/lib/modules/6.12.0-100.fc41.x86_64/initramfs.img"
                 );
             }
-            KernelPath::Uki(_) => panic!("Expected Vmlinuz, got Uki"),
+            KernelType::Uki { .. } => panic!("Expected Vmlinuz, got Uki"),
         }
         Ok(())
     }
@@ -181,11 +223,11 @@ mod tests {
         let kernel_internal = find_kernel(&tempdir)?.expect("should find kernel");
         assert_eq!(kernel_internal.kernel.version, "fedora-6.12.0");
         assert!(kernel_internal.kernel.unified);
-        match &kernel_internal.path {
-            KernelPath::Uki(path) => {
+        match &kernel_internal.k_type {
+            KernelType::Uki { path, .. } => {
                 assert_eq!(path.as_str(), "boot/EFI/Linux/fedora-6.12.0.efi");
             }
-            KernelPath::Vmlinuz { .. } => panic!("Expected Uki, got Vmlinuz"),
+            KernelType::Vmlinuz { .. } => panic!("Expected Uki, got Vmlinuz"),
         }
         Ok(())
     }

crates/lib/src/ukify.rs

@@ -56,9 +56,9 @@ pub(crate) fn build_ukify(
         .ok_or_else(|| anyhow::anyhow!("No kernel found in {rootfs}"))?;
 
     // Extract vmlinuz and initramfs paths, or bail if this is already a UKI
-    let (vmlinuz_path, initramfs_path) = match kernel.path {
-        crate::kernel::KernelPath::Vmlinuz { path, initramfs } => (path, initramfs),
-        crate::kernel::KernelPath::Uki(path) => {
+    let (vmlinuz_path, initramfs_path) = match kernel.k_type {
+        crate::kernel::KernelType::Vmlinuz { path, initramfs } => (path, initramfs),
+        crate::kernel::KernelType::Uki { path, .. } => {
             anyhow::bail!("Cannot build UKI: rootfs already contains a UKI at {path}");
         }
     };