Merge pull request #119 from alexlarsson/no-libfsverity

Drop libsfverity dependency
containers · Apr 25, 2023 · 3a3b172 · 3a3b172
2 parents 925d286 + 4be9e30
commit 3a3b172
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 17 deletions.
diff --git a/composefs.spec.in b/composefs.spec.in
@@ -7,7 +7,7 @@ License:        GPLv2+
 URL:            https://github.com/containers/composefs
 Source0:        https://github.com/containers/composefs/releases/download/%{version}/%{name}-%{version}.tar.xz
 
-BuildRequires:  gcc automake libtool openssl-devel fsverity-utils-devel yajl-devel
+BuildRequires:  gcc automake libtool openssl-devel yajl-devel
 Requires:       %{name}-libs = %{version}-%{release}
 
 %description

diff --git a/configure.ac b/configure.ac
@@ -36,8 +36,6 @@ AC_COMPILE_IFELSE(
 		 AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE_LINUX_MOUNT_H], 1, [Define if FSCONFIG_CMD_CREATE is available in linux/mount.h])],
 	[AC_MSG_RESULT(no)])
 
-PKG_CHECK_MODULES(FSVERITY, libfsverity)
-
 PKG_CHECK_MODULES(LCFS_DEP_CRYPTO, libcrypto,[
       AC_DEFINE([HAVE_OPENSSL], 1, [Define if we have openssl])
       with_openssl=yes

diff --git a/tools/Makefile.am b/tools/Makefile.am
@@ -6,13 +6,13 @@ if USE_YAJL
 noinst_PROGRAMS += writer-json
 endif
 
-AM_CFLAGS = $(WARN_CFLAGS) $(FSVERITY_CFLAGS) -I$(top_srcdir)/
+AM_CFLAGS = $(WARN_CFLAGS) -I$(top_srcdir)/
 
 dump_SOURCES = dump.c
 dump_LDADD = ../libcomposefs/libcomposefs.la $(LIBCRYPTO_LIBS)
 
 mkcomposefs_SOURCES = mkcomposefs.c
-mkcomposefs_LDADD =  ../libcomposefs/libcomposefs.la $(LIBCRYPTO_LIBS) $(FSVERITY_LIBS)
+mkcomposefs_LDADD =  ../libcomposefs/libcomposefs.la $(LIBCRYPTO_LIBS)
 
 mount_composefs_SOURCES = mountcomposefs.c
 mount_composefs_LDADD = ../libcomposefs/libcomposefs.la $(LIBCRYPTO_LIBS)

diff --git a/tools/mkcomposefs.c b/tools/mkcomposefs.c
@@ -29,9 +29,10 @@
 #include <errno.h>
 #include <unistd.h>
 #include <fcntl.h>
-#include <sys/types.h>
 #include <getopt.h>
-#include <libfsverity.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <linux/fsverity.h>
 
 static void digest_to_string(const uint8_t *csum, char *buf)
 {
@@ -183,6 +184,24 @@ static int join_paths(char **out, const char *path1, const char *path2)
 	return asprintf(out, "%.*s%s%s", len, path1, sep, path2);
 }
 
+static int enable_verity(int fd, off_t size)
+{
+	struct fsverity_enable_arg arg = {};
+
+	arg.version = 1;
+	arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
+	arg.block_size = 4096;
+	arg.salt_size = 0;
+	arg.salt_ptr = 0;
+	arg.sig_size = 0;
+	arg.sig_ptr = 0;
+
+	if (ioctl(fd, FS_IOC_ENABLE_VERITY, &arg) != 0) {
+		return -errno;
+	}
+	return 0;
+}
+
 static int copy_file_with_dirs_if_needed(const char *src, const char *dst_base,
 					 const char *dst, mode_t mode,
 					 bool try_enable_fsverity)
@@ -265,16 +284,7 @@ static int copy_file_with_dirs_if_needed(const char *src, const char *dst_base,
 		}
 
 		if (fstat(dfd, &statbuf) == 0) {
-			struct libfsverity_merkle_tree_params params = {
-				1,
-				FS_VERITY_HASH_ALG_SHA256,
-				statbuf.st_size,
-				4096,
-				0,
-				NULL
-			};
-
-			res = libfsverity_enable(dfd, &params);
+			res = enable_verity(dfd, statbuf.st_size);
 			if (res < 0) {
 				/* Ignore errors, we're only trying to enable it */
 			}