On Tue, Mar 25, 2025 at 12:33 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote: > > On Tue, Mar 25, 2025 at 11:46 AM Miklos Szeredi <mszeredi@xxxxxxxxxx> wrote: > > > > Allow the "verity" mount option to be used with "userxattr" data-only > > layer(s). > > > > Previous patches made sure that with "userxattr" metacopy only works in the > > lower -> data scenario. > > > > In this scenario the lower (metadata) layer must be secured against > > tampering, in which case the verity checksums contained in this layer can > > ensure integrity of data even in the case of an untrusted data layer. > > > > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> > > --- > > fs/overlayfs/params.c | 11 +++-------- > > 1 file changed, 3 insertions(+), 8 deletions(-) > > > > diff --git a/fs/overlayfs/params.c b/fs/overlayfs/params.c > > index 54468b2b0fba..8ac0997dca13 100644 > > --- a/fs/overlayfs/params.c > > +++ b/fs/overlayfs/params.c > > @@ -846,8 +846,8 @@ int ovl_fs_params_verify(const struct ovl_fs_context *ctx, > > config->uuid = OVL_UUID_NULL; > > } > > > > - /* Resolve verity -> metacopy dependency */ > > - if (config->verity_mode && !config->metacopy) { > > + /* Resolve verity -> metacopy dependency (unless used with userxattr) */ > > + if (config->verity_mode && !config->metacopy && !config->userxattr) { > > This is very un-intuitive to me. > > Why do we need to keep the dependency verity -> metacopy with trusted xattrs? > > Anyway, I'd like an ACK from composefs guys on this change. What do you guys think about disallowing the relaxed OVL_VERITY_ON mode in case of !metacopy or in case of userxattr? I am not sure if it makes any sense wrt security, but if user is putting their trust on the lower layer's immutable content, it feels like this content should include the verity digests??? Thanks, Amir.
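Review bot: In the quoted ovl_fs_params_verify() hunk, the new `!config->userxattr` term skips the verity -> metacopy dependency for every userxattr mount, while the commit message scopes the change to "userxattr" used with data-only layer(s) whose lower (metadata) layer is secured against tampering. Nothing in the visible condition checks that a data-only layer is actually configured, so verity_mode with userxattr and metacopy off now passes this check unchanged even without one. Either tie the exception to the presence of data-only layers, or extend the comment to say why the bare userxattr test is sufficient and that the integrity guarantee depends on the metadata layer holding the verity digests being trusted. The parenthetical "(unless used with userxattr)" describes the condition but not the reason for it, which is the part a later reader will need.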