google / syzkaller

syzkaller is an unsupervised coverage-guided kernel fuzzer
Apache License 2.0

tools/create-gce-image.sh: enable encrypt+verity in the image #1417

Open dvyukov opened 5 years ago

dvyukov commented 5 years ago

See discussion on https://github.com/google/syzkaller/pull/1410 for details. If we enable encrypt+verity features in the root image, then we can get more coverage for these things. However, we need newer mkfs on the host to build such images. So this will require upgrading the host OS too.

ebiggers commented 4 years ago

@dvyukov is there any update on this? There's also interest in enabling the -E encoding=utf8 mkfs option so that the ext4 Unicode / casefolding support in kernel v5.2+ will be fuzzed too.

dvyukov commented 4 years ago

No updates and no ETA. We just need 1 binary, but getting it will involve recreating the whole syzbot infrastructure from scratch manually; other things will probably break in the process and will need to be fixed.

dvyukov commented 3 years ago

I am working on this.

-O encrypt and -E encoding=utf8 are incompatible, so we need to choose one for the root disk:

$ mkfs.ext4 -O 64bit,ext_attr,encrypt,verity,extents,huge_file,flex_bg,dir_nlink,sparse_super,resize_inode,has_journal -E encoding=utf8 disk.raw
mke2fs 1.45.6 (20-Mar-2020)
mkfs.ext4: The encrypt and casefold features are not compatible.
They can not be both enabled simultaneously.

Any preference?

ebiggers commented 3 years ago

I'd prefer -O encrypt, though I am biased because I maintain the encryption support. There are kernel and e2fsprogs patches in progress to support encrypt and casefold together, but they are taking longer than expected.

dvyukov commented 3 years ago

Another issue with encrypt/verity surfaced: older kernels don't support these features, and this breaks bisection.

ebiggers commented 2 years ago

> There are kernel and e2fsprogs patches in progress to support encrypt and casefold together, but they are taking longer than expected.

An update on this: ext4 supports encrypt and casefold together since Linux v5.13.

RonjaPonja commented 1 year ago

FWIW: We have had encrypt and verity enabled for a while now.

However, I'm about to submit a PR to deactivate verity again. Ext4 images with verity enabled can't be mounted on Linux v5.3 and before, causing a ton of bad bisections.

If we think this is important, we need support for picking different rootfs images based on kernel version during bisection. We already have something similar for compiler versions.

a-nogikh commented 1 year ago

> If we think this is important, we need support for picking different rootfs images based on kernel version during bisection. We already have something similar for compiler versions.

I think in the end it might well be the way to go.

RonjaPonja commented 1 year ago

Agreed, though for now we should get under control what we have.
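
One way the per-kernel-version rootfs selection discussed in this thread could look, as an added example that is not part of the thread and not syzkaller's code. The function names are hypothetical, the verity and encrypt+casefold thresholds are the ones stated above, the encrypt minimum of 4.1 is an assumption, and the host mke2fs is assumed to accept encrypt together with `-E encoding=utf8` (1.45.6 above does not).

```shell
#!/bin/sh
# Added example with hypothetical helper names; not syzkaller code.
# Base feature list: the mkfs.ext4 command in the thread minus encrypt,verity.
BASE_FEATURES="64bit,ext_attr,extents,huge_file,flex_bg,dir_nlink,sparse_super,resize_inode,has_journal"
ENCRYPT_MIN=4.1            # assumption: not stated in the thread
VERITY_MIN=5.4             # thread: verity images cannot be mounted on v5.3 and before
ENCRYPT_CASEFOLD_MIN=5.13  # thread: encrypt and casefold work together since v5.13

# kver_ge VERSION MIN: succeed if VERSION (v5.13-rc1, 5.3.18, ...) >= MIN,
# comparing major.minor only. Exit status 2 means VERSION could not be parsed.
kver_ge() (
    v="${1#v}"; m="${2#v}"
    vmaj="${v%%.*}"; vrest="${v#*.}"; vmin="${vrest%%[!0-9]*}"
    mmaj="${m%%.*}"; mrest="${m#*.}"; mmin="${mrest%%[!0-9]*}"
    case "$vmaj" in ''|*[!0-9]*) exit 2 ;; esac
    if [ "$vrest" = "$v" ] || [ -z "$vmin" ]; then exit 2; fi
    [ "$vmaj" -gt "$mmaj" ] || { [ "$vmaj" -eq "$mmaj" ] && [ "$vmin" -ge "$mmin" ]; }
)

# rootfs_mkfs_args KERNEL_VERSION: print the mkfs.ext4 feature arguments for a
# root image that the given kernel can still mount.
rootfs_mkfs_args() (
    kver="$1"
    kver_ge "$kver" 0.0 || { echo "unparseable kernel version: $kver" >&2; exit 2; }
    features="$BASE_FEATURES"; extended=""
    if kver_ge "$kver" "$ENCRYPT_MIN"; then features="$features,encrypt"; fi
    if kver_ge "$kver" "$VERITY_MIN"; then features="$features,verity"; fi
    # encrypt is preferred over casefold, so casefold is added only for
    # kernels where the two features can be enabled together.
    if kver_ge "$kver" "$ENCRYPT_CASEFOLD_MIN"; then extended=" -E encoding=utf8"; fi
    printf '%s\n' "-O $features$extended"
)

# Constructed sample of kernel versions a bisection might visit.
for k in v4.19 v5.3 v5.4 v5.13-rc1; do
    printf '%-10s mkfs.ext4 %s disk.raw\n' "$k" "$(rootfs_mkfs_args "$k")"
done
```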