mount.composefs: Drop fs-verity signature verification

We will encourage use of userspace verification. Basically higher level tools should have metadata that contains the composefs digest covered by a signature, then pass that expected digest to `mount.composefs`. Closes: containers#151
cgwalters · Jul 14, 2023 · 92a867c · 92a867c
1 parent e1f8e7f
commit 92a867c
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 40 deletions.
diff --git a/libcomposefs/lcfs-mount.c b/libcomposefs/lcfs-mount.c
@@ -250,41 +250,6 @@ static int lcfs_validate_verity_fd(struct lcfs_mount_state_s *state)
 		char buf[MAX_DIGEST_SIZE];
 	} buf;
 	int res;
-	bool require_signature;
-	char sig_data[1];
-	struct fsverity_read_metadata_arg read_metadata = { 0 };
-
-	require_signature = (state->options->flags &
-			     LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE) != 0;
-	if (require_signature) {
-		/* First ensure fs-verity is enabled for the image,
-		 * the actual digest doesn't matter at this point. */
-		buf.fsv.digest_size = MAX_DIGEST_SIZE;
-		res = ioctl(state->fd, FS_IOC_MEASURE_VERITY, &buf.fsv);
-		if (res == -1) {
-			if (errno == ENODATA || errno == EOPNOTSUPP || errno == ENOTTY)
-				return -ENOVERITY;
-			return -errno;
-		}
-
-		/* If the file has verity enabled, has a signature and
-		 * we were able to open it, then the kernel will have
-		 * verified it against the kernel keyring, making it
-		 * valid. So, we read just one byte of the signature,
-		 * to validate that a signature exist in the file */
-
-		read_metadata.metadata_type = FS_VERITY_METADATA_TYPE_SIGNATURE;
-		read_metadata.offset = 0;
-		read_metadata.length = sizeof(sig_data);
-		read_metadata.buf_ptr = (size_t)&sig_data;
-
-		res = ioctl(state->fd, FS_IOC_READ_VERITY_METADATA, &read_metadata);
-		if (res == -1) {
-			if (errno == ENODATA)
-				return -ENOSIGNATURE;
-			return -errno;
-		}
-	}
 
 	if (state->expected_digest_len != 0) {
 		buf.fsv.digest_size = MAX_DIGEST_SIZE;

diff --git a/libcomposefs/lcfs-mount.h b/libcomposefs/lcfs-mount.h
@@ -35,7 +35,6 @@ enum lcfs_mount_flags_t {
 	LCFS_MOUNT_FLAGS_NONE = 0,
 	LCFS_MOUNT_FLAGS_REQUIRE_VERITY = (1 << 0),
 	LCFS_MOUNT_FLAGS_READONLY = (1 << 1),
-	LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE = (1 << 2),
 	LCFS_MOUNT_FLAGS_IDMAP = (1 << 3),
 	LCFS_MOUNT_FLAGS_DISABLE_VERITY = (1 << 4),
 

diff --git a/tools/mountcomposefs.c b/tools/mountcomposefs.c
@@ -172,8 +172,6 @@ int main(int argc, char **argv)
 			opt_verity = true;
 		} else if (strcmp("noverity", key) == 0) {
 			opt_noverity = true;
-		} else if (strcmp("signed", key) == 0) {
-			opt_signed = true;
 		} else if (strcmp("upperdir", key) == 0) {
 			if (value == NULL)
 				printexit("No value specified for upperdir option\n");
@@ -239,8 +237,6 @@ int main(int argc, char **argv)
 		options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
 	if (opt_noverity)
 		options.flags |= LCFS_MOUNT_FLAGS_DISABLE_VERITY;
-	if (opt_signed)
-		options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_FSVERITY_SIGNATURE;
 	if (opt_ro)
 		options.flags |= LCFS_MOUNT_FLAGS_READONLY;