Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

many: snap integrity discovery run mode #15044

Draft
wants to merge 13 commits into
base: master
Choose a base branch
from
Draft

many: snap integrity discovery run mode #15044

wants to merge 13 commits into from

Conversation

sespiros
Copy link
Contributor

@sespiros sespiros commented Feb 7, 2025

This is based on top of:

and enables mounting snaps with integrity data in run mode.

Jira: https://warthogs.atlassian.net/browse/FR-10111

sespiros added 13 commits January 29, 2025 21:45
@sespiros
c/snap-bootstrap: split test suite in separate files per mode
67896f7 
c/snap-bootstrap: add separate file for installrun mode (preseed) and further refactors
@sespiros
s/i/dmverity: add VeritySuperblock.EncodedSalt() method
247d944
@sespiros
s/integrity: rework snap integrity API
b80a8c0 
the new design simplifies how snap dm-verity data for a corresponding
snap are generated and used by having them as a separate file (i.e
located next to the snap file) instead of attaching them at the end of
their snap file by default.

The extra integrity data header is removed as all the information
needed to mount a snap with its verity data (root hash, salt, other
parameters) will be retrieved from a new integrity stanza in
snap-revision assertions.
@sespiros
s/i/integrity.go: add comments for IntegrityDataParams struct
12fa68d
@sespiros
s/i/integrity.go: address minor comments
91789af
@sespiros
s/integrity: refactor error handling for LookupDmVerityData
181d453 
  - stopped exporting veritySuperBlock.Validate(). Call it as part of
  ReadSuperBlock() instead.
  - rename LookupDmVerityData to LookupDmVerityDataAndCrossCheck.
  - create 2 error types ErrDmVerityDataNotFound and
    ErrUnexpectedDmVerityData. These error types will be useful for
    instance in snap-bootstrap. snap-bootstrap will need to make a
    decision about whether to generate data in case
    ErrDmVerityDataNotFound or wrap the error with extra context such as
    "dm-verity data found on disk don't match assertion" in case
    ErrUnexpectedDmVerityData.
@sespiros
s/integrity: add doc comments for custom error codes of LookupDmVerit…
af635e7 
…yDataAndCrossCheck
@sespiros
s/integrity: rename IntegrityDataParams's check() to crossCheck()
299534f
@sespiros
s/integrity: add extra test to validate that we surface any error ret…
0346716 
…urned by ReadDmVeritySuperblock
@sespiros
multiple: support for detecting and using integrity data for seed snaps
013ec2b 
This commit adds support for looking up dm-verity integrity data
for asserted snaps in the seed (ones that have verified assertions
available).

snap-bootstrap can then use these integrity data parameters to call to
the snap integrity API in order to either detect available dm-verity
hash data or generate them. It will then proceed with mounting the
snaps using dm-verity.
@sespiros
seed/seed20.go: add clarifying comments for lookupIntegrityData errors
acff0fb
@sespiros
c/snap-bootstrap: add tests for install/recover mode with snaps with …
00ecf1a 
…integrity data
@sespiros
c/snap-bootstrap: add support for integrity data for essential snaps …
977b913 
…in run mode
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sespiros