lib: two new fsverity APIs

cgwalters commented 3 months ago

Add API+CLI to get fsverity digests efficiently

Add an API that first tries to ask the kernel for the fsverity digest, and returns it if present, but otherwise does a fallback to in-memory computation. The primary use case here is systems which want to canonically index files by their fsverity digest (as opposed to e.g. sha256). If the filesystem in the future starts supporting fsverity (as e.g. XFS is slated to do) then this allows an efficient in-place upgrade.
Expose the measurement in the CLI. fsverity-utils isn't installed everywhere, and also today composefs makes hard decisions (like using sha256) that that project doesn't do.

Signed-off-by: Colin Walters walters@verbum.org

lib: Add a thin public API wrapper for FS_IOC_ENABLE_VERITY

The main thing is this helps ensure that other external software using the library uses the same fsverity parameters. There's also the aspect that using ioctl() from some non-C languages is tricky.

Signed-off-by: Colin Walters walters@verbum.org

alexlarsson commented 3 months ago

Do we possibly want to be able to do the measurement computation in parallel for multiple files?

cgwalters commented 3 months ago

Do we possibly want to be able to do the measurement computation in parallel for multiple files?

That's easy to do though in e.g. Rust where there's tons of tooling for that.

cgwalters commented 3 months ago

I extended this with another small patch too to add a wrapper for the enable ioctl.

containers / composefs

lib: two new fsverity APIs #285