Fsverity content verification #10007
Conversation
|
Hi @Jenkins-J. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Jenkins-J
force-pushed
the
fsverity-content-verification
branch
4 times, most recently
from
e77afe7
to
aa28f9e
Compare
Jenkins-J
force-pushed
the
fsverity-content-verification
branch
from
26cc644
to
7ab2438
Compare
There was a problem hiding this comment.
Just to clarify, would you like a unit test of the modified writer Commit method, the functions in the fsverity package, or both?
There was a problem hiding this comment.
Thank you, I will work on creating those unit tests.
There was a problem hiding this comment.
@AkihiroSuda I've created some tests for the new functionality, please take a look. Thank you.
|
Please squash the commits |
|
|
||
| args.blockSize = uint32(blockSize) | ||
|
|
||
| _, _, errno := unix.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(unix.FS_IOC_ENABLE_VERITY), uintptr(unsafe.Pointer(args))) |
There was a problem hiding this comment.
content.Provider needs to call FS_IOC_MEASURE_VERITY ?
There was a problem hiding this comment.
The fsverity module will automatically verify the integrity of the data on every read operation of the enabled file. If fsverity detects corruption, the read operation will return an error. The case where we would need to call FS_IOC_MEASURE_VERITY manually is if we wanted to detect intentional, malicious corruption of the blob data. In that case, we would measure the data after fsverity is enabled on the blob, safely store the known-good digest, then when the blob data a is read by the provider, call FS_IOC_MEASURE_VERITY again and compare the returned digest to the known-good value.
I'd be happy to implement this if the malicious corruption of blob data is a case containerd should cover.
There was a problem hiding this comment.
Yes, it would be nice to cover malicious corruption.
Can be another PR.
Implement calls to the fsverity kernel module, allowing containerd to enable fsverity on blob data in the content store. This causes fsverity to veirfy the integrity of blob data when the blob is read. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Jenkins-J
force-pushed
the
fsverity-content-verification
branch
from
7ab2438
to
36e1ad4
Compare
Jenkins-J
force-pushed
the
fsverity-content-verification
branch
from
efc8f9b
to
bf8dc69
Compare
|
HI @AkihiroSuda shall we target this to v2.1 release? It's good feature but we still have pending work items in 2.0, like transfer service migration for CRI. |
I think this is safe to have in v2.0, but can be postponed to v2.1 if you have a concern.
I'm not sure we can complete this in v2.0, as we will retain schema1 (now disabled by default). |
It's in content store code path. But yeah, it looks good and safe to have in 2.0.
Sure. |
pkg/fsverity/fsverity_test.go
Outdated
| defer func() { | ||
| err := m.Close() | ||
| if err != nil { | ||
| fmt.Printf("could not close mountinfo\n") |
There was a problem hiding this comment.
| fmt.Printf("could not close mountinfo\n") | |
| t.Fatalf("could not close mountinfo: %v", err) |
There was a problem hiding this comment.
@AkihiroSuda This change is in a helper function, resolveDevicePath, which does not have access to the testing.T variable t. I've modified it so now the appropriate error message is returned from this function. I can pass the variable t as a parameter to these helper functions instead if you believe the code would be more readable that way.
Jenkins-J
force-pushed
the
fsverity-content-verification
branch
3 times, most recently
from
a5d7cda
to
5a9bd0d
Compare
Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Jenkins-J
force-pushed
the
fsverity-content-verification
branch
from
5a9bd0d
to
9ba5d37
Compare
|
Run out of bandwidth this week. Will take a look this after travel. |
|
|
||
| func TestIsEnabled(t *testing.T) { | ||
|
|
||
| testDir := filepath.Join(t.TempDir(), "content") |
There was a problem hiding this comment.
I think we can use truncate and mkfs.ext4 -O verity to create testable environment for this function.
verity is not default option in most distros so it would help.
It can be handled in the follow-up.
plugins/content/local/writer.go
Outdated
| integritySupported bool | ||
| supportErr error | ||
| ) | ||
| if integritySupported, supportErr = fsverity.IsSupported(w.s.root); integritySupported { |
There was a problem hiding this comment.
I think the IsSupported cache should be handled in content local plugin.
The fsverity.IsSupported is just handled once. If we change the input from A to B, the cache might not be correct.
There was a problem hiding this comment.
I've updated the implementation to cache IsSupported value in the content plugin.
Cache the result of the IsSupported fsverity method in the content plugin instead of in the fsverity package. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
plugins/content/local/writer.go
Outdated
| startedAt time.Time | ||
| updatedAt time.Time | ||
| once sync.Once | ||
| integritySupported bool |
There was a problem hiding this comment.
what about moving this to store struct?
type store struct {
root string
ls LabelStore
integritySupported bool
}So that we can just run fsverity.IsSupported once and all the writers from same store can share it.
There was a problem hiding this comment.
Thank you, that makes more sense now. I've made the change.
pkg/fsverity/fsverity_linux.go
Outdated
| } | ||
|
|
||
| digestFile.Close() | ||
| defer os.RemoveAll(integrityDir) |
pkg/fsverity/fsverity_linux.go
Outdated
| return s, err | ||
| } | ||
|
|
||
| integrityDir := filepath.Join(rootPath, "integrity") |
There was a problem hiding this comment.
I think we can rename this to .fsverity-check by os.MkdirTemp. So, the node admin will know it's tempdir to verify something.
There was a problem hiding this comment.
Done. Thank you for the suggestion.
Move cached fsverity integrity supported value from the local content writer to the local content store. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
Clean up fsverity IsSupproted function, improving readability. Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
The Linux Kernel fs-verity feature can be utilized to verify the integrity of blob data in the content store. Enabling fs-verity on the blob data allows fs-verity to verify the integrity of the data at the time it is read. A read error will occur if fs-verity detects any accidental corruption of the data.
Here, containerd will enable fs-verity on the content blob files if it determines that both the kernel and the filesystem support fs-verity operations.
Addresses issue #3849 and issue #953.