image-rs: add image block device dm-verity and mount #270
Conversation
ChengyuZhu6
requested review from
sameo,
jiangliu,
arronwy,
lumjjb,
jialez0 and
Xynnn007
as code owners
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
3 times, most recently
from
4662773 to
f777e8e
Compare
|
|
Thanks, I have updated. |
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
from
f777e8e to
fca8f07
Compare
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
from
7e4d7f3 to
fca8f07
Compare
image-rs/src/image.rs
Outdated
| @@ -39,7 +41,6 @@ use crate::nydus::{service, utils}; | |||
| /// The reason for using the `/run` directory here is that in general HW-TEE, | |||
| /// the `/run` directory is mounted in `tmpfs`, which is located in the encrypted memory protected by HW-TEE. | |||
| pub const IMAGE_SECURITY_CONFIG_DIR: &str = "/run/image-security"; | |||
|
|
|||
image-rs/src/image.rs
Outdated
| @@ -421,6 +422,33 @@ impl ImageClient { | |||
|
|
|||
| Ok(image_id) | |||
| } | |||
| /// set_image creates a mapping backed by image block device <source_device_path> and | |||
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
5 times, most recently
from
7c0e680 to
63e3078
Compare
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
from
63e3078 to
5ad0b28
Compare
image-rs/src/verity.rs
Outdated
| data_device_path: &str, | ||
| ) -> Result<String> { | ||
| let veritysetup_path: &str = veritysetup_exists()?; | ||
| let output = Command::new(veritysetup_path) |
There was a problem hiding this comment.
How about using https://docs.rs/devicemapper/latest/devicemapper/struct.DM.html to get rid of the dependency on veritysetup binary?
There was a problem hiding this comment.
I haven't used devicemapper, but @jiangliu's comment seems right to me. Related to this: it looks like verity_option doesn't get sanity-checked or sanitized anywhere, so its values get plugged directly into the args to versitysetup when issuing the Command. Using a library call (@jiangliu's suggestion) and/or sanity-checking those values might make error handling/checking easier.
There was a problem hiding this comment.
I haven't used devicemapper, but @jiangliu's comment seems right to me. Related to this: it looks like
verity_optiondoesn't get sanity-checked or sanitized anywhere, so its values get plugged directly into the args toversitysetupwhen issuing theCommand. Using a library call (@jiangliu's suggestion) and/or sanity-checking those values might make error handling/checking easier.
Yes, I agree with @jiangliu's comment and I am working on using the devicemapper library to handle/check the options.
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
6 times, most recently
from
f9785a4 to
257362c
Compare
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
15 times, most recently
from
100ed06 to
a4f6c55
Compare
Implement image block device integrity check using dm-verity and mount/umount the verity device in image-rs. Signed-off-by: ChengyuZhu6 <[email protected]>
ChengyuZhu6
force-pushed
the
image_block_verity_with_mount
branch
from
a4f6c55 to
f5c3825
Compare
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
After image-rs added the image-block-device integrity check using dm-verity a new dependency is now needed, so install that. Refer the following PR for more information: confidential-containers/guest-components#270 Fixes: kata-containers#7580 Signed-off-by: Suraj Deshmukh <[email protected]>
Implement image block device integrity check using dm-verity and mount the verity device in image-rs.
Notes: the kernel should be upgrade to >=6.4 for mounting the verity device with erofs tarfs.