惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News - Newest:
Hacker News - Newest: "LLM"
U
Unit 42
月光博客
月光博客
T
The Blog of Author Tim Ferriss
Jina AI
Jina AI
Microsoft Azure Blog
Microsoft Azure Blog
有赞技术团队
有赞技术团队
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
Vercel News
Vercel News
博客园 - 三生石上(FineUI控件)
美团技术团队
D
Docker
大猫的无限游戏
大猫的无限游戏
人人都是产品经理
人人都是产品经理
J
Java Code Geeks
Google DeepMind News
Google DeepMind News
博客园 - 司徒正美
The Cloudflare Blog
博客园 - 叶小钗
M
MIT News - Artificial intelligence
AI
AI
Security Archives - TechRepublic
Security Archives - TechRepublic
The Register - Security
The Register - Security
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
宝玉的分享
宝玉的分享
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Security Latest
Security Latest
Recorded Future
Recorded Future
Cloudbric
Cloudbric
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
V
Visual Studio Blog
Apple Machine Learning Research
Apple Machine Learning Research
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园_首页
T
Threat Research - Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Last Week in AI
Last Week in AI
I
Intezer
The Hacker News
The Hacker News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Hacker News: Front Page
Attack and Defense Labs
Attack and Defense Labs
MongoDB | Blog
MongoDB | Blog
O
OpenAI News
Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
Project Zero
Project Zero

Alexander Larsson

Announcing composefs 1.0 Composefs state of the union Using Composefs in OSTree Quadlet, an easier way to run system containers Scaling Flathub 100x Compatibility in a sandboxed world Putting container updates on a diet Introducing GVariant schemas Gthree – ready to play
Testing composefs in Silverblue
alexl · 2024-01-15 · via Alexander Larsson

Skip to content

As of the version 39 of Fedora Silverblue all the basic code is  merged to support a composefs-based root filesystem.

To try it, do:

      • Update to the latest version (I tested 39.20240115.0)
      • Configure ostree to create and use composefs images:
        $ sudo ostree config set ex-integrity.composefs yes
      • Trigger a manual (re)deploy of the current version:
        $ sudo ostree admin deploy fedora/39/x86_64/silverblue
      • Reboot into the new deploy
      • If using ext4 filesystem for rootfs (not needed for btrfs), enable “verity” feature on it:
        $ sudo tune2fs -O verity /dev/vda3 # Change to right root disk
      • Enable fs-verity on all pre-existing ostree repo files:
        $ sudo ostree admin post-copy

At this point, the rootfs should be be a composefs mount. You can verify it by looking at the mount, which should look like this:

$ findmnt /
TARGET SOURCE  FSTYPE  OPTIONS
/ overlay overlay ro,relatime,seclabel,lowerdir=/run/ostree/.private/cfsroot-lower::/sysroot/ostree/repo/objects,redirect_dir=on,metacopy=on

So, what does this mean?

First of all, it means the rootfs is truly read-only:

# touch /usr/new_file
touch: cannot touch '/usr/new_file': Read-only file system

The above error message happens also with regular ostree, but in that case it is only a read-only mount flag, and a root user can re-mount it read-write to modify it (or modify the backing directories in /ostree). However, when using composefs, the root filesystem is a combination of a erofs mount (from /ostree/deploy/fedora/deploy/*/.ostree.cfs) and an overlayfs with no writable directories, and neither of these have any ability to write to disk.

In addition, the system is set up to validate all file accesses, as the composefs image has recorded the expected fs-verity checksums for all files and overlayfs  can validate them on use.

To fully complete the validation, Silverblue will just need a few additions (which I hope will be done soon):

  • Each build should generate a one-use signature keypair
  • The ostree commit should be signed with the private key
  • Add public key as /etc/ostree/initramfs-root-binding.key
  • Add /usr/lib/ostree/prepare-root.conf with this content:
    [composefs]
    enabled=yes
    signed=yes

    These files will be copied into the initrd, and during boot the public key will be used to validate the composefs image, which in turn guarantee that all file accesses give the correct, unchanged data.

To further improve security, the initramfs and the kernel can be combined into a Unified Kernel Image and signed. Then SecureBoot can guarantee that your system will not boot any other initramfs, and thus no other userspace.