Merge pull request #1266 from allisonkarlitskaya/new-fsverity

various: adapt to new composefs-rs fsverity API

Author: cgwalters

Cargo.lock

@@ -1,7 +1,7 @@
 [licenses]
 allow = ["Apache-2.0", "Apache-2.0 WITH LLVM-exception", "MIT",
          "BSD-3-Clause", "BSD-2-Clause", "Zlib",
-         "Unlicense", "CC0-1.0",
+         "Unlicense", "CC0-1.0", "BSL-1.0",
          "Unicode-DFS-2016", "Unicode-3.0"]
 private = { ignore = true }
 

deny.toml

@@ -1197,16 +1197,15 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 FsverityOpts::Measure { path } => {
                     let fd =
                         std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
-                    let digest =
-                        fsverity::measure_verity_digest::<_, fsverity::Sha256HashValue>(&fd)?;
+                    let digest: fsverity::Sha256HashValue = fsverity::measure_verity(&fd)?;
                     let digest = hex::encode(digest);
                     println!("{digest}");
                     Ok(())
                 }
                 FsverityOpts::Enable { path } => {
                     let fd =
                         std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
-                    fsverity::ioctl::fs_ioc_enable_verity::<_, fsverity::Sha256HashValue>(&fd)?;
+                    fsverity::enable_verity::<fsverity::Sha256HashValue>(&fd)?;
                     Ok(())
                 }
             },

lib/src/cli.rs

@@ -164,7 +164,7 @@ fn verity_state_of_objects(
         };
         let f = d.open(&name)?;
         let r: Option<composefs::fsverity::Sha256HashValue> =
-            composefs::fsverity::ioctl::fs_ioc_measure_verity(f.as_fd())?;
+            composefs::fsverity::measure_verity_opt(f.as_fd())?;
         drop(f);
         if r.is_some() {
             enabled += 1;

lib/src/fsck.rs

@@ -20,7 +20,7 @@ ostree = { features = ["v2025_1"], version = "0.20.0" }
 anyhow = { workspace = true }
 bootc-utils = { path = "../utils" }
 camino = { workspace = true, features = ["serde1"] }
-composefs = { git = "https://github.com/containers/composefs-rs", rev = "55ae2e9ba72f6afda4887d746e6b98f0a1875ac4" }
+composefs = { git = "https://github.com/containers/composefs-rs", rev = "821eeae93e48f1ee381c49b8cd4d22fda92d27a2" }
 chrono = { workspace = true }
 olpc-cjson = "0.1.1"
 clap = { workspace = true, features = ["derive","cargo"] }

ostree-ext/Cargo.toml

@@ -46,11 +46,7 @@ pub fn is_verity_enabled(repo: &ostree::Repo) -> Result<RepoVerityState> {
         .with_context(|| format!("Opening repository {CONFIG_PATH}"))?;
     // We use the flag of having fsverity set on the repository config as a flag to say that
     // fsverity is fully enabled; all objects have it.
-    let enabled =
-        composefs_fsverity::measure_verity_digest::<_, composefs_fsverity::Sha256HashValue>(
-            config.as_fd(),
-        )
-        .is_ok();
+    let enabled = composefs_fsverity::measure_verity::<Sha256HashValue>(config.as_fd()).is_ok();
     Ok(RepoVerityState { desired, enabled })
 }
 
@@ -67,10 +63,9 @@ fn enable_fsverity_in_objdir(d: &Dir) -> anyhow::Result<()> {
         };
         let f = d.open(&name)?;
         let enabled =
-            composefs::fsverity::ioctl::fs_ioc_measure_verity::<_, Sha256HashValue>(f.as_fd())?
-                .is_some();
+            composefs::fsverity::measure_verity_opt::<Sha256HashValue>(f.as_fd())?.is_some();
         if !enabled {
-            composefs_fsverity::ioctl::fs_ioc_enable_verity::<_, Sha256HashValue>(&f)?;
+            composefs_fsverity::enable_verity::<Sha256HashValue>(&f)?;
         }
     }
     Ok(())
@@ -128,11 +123,9 @@ pub async fn ensure_verity(repo: &ostree::Repo) -> Result<()> {
     // And finally, enable fsverity as a flag that we have successfully
     // enabled fsverity on all objects.
     let f = repodir.open(CONFIG_PATH)?;
-    match composefs_fsverity::ioctl::fs_ioc_enable_verity::<_, composefs_fsverity::Sha256HashValue>(
-        f.as_fd(),
-    ) {
+    match composefs_fsverity::enable_verity::<Sha256HashValue>(f.as_fd()) {
         Ok(()) => Ok(()),
-        Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => Ok(()),
+        Err(composefs_fsverity::EnableVerityError::AlreadyEnabled) => Ok(()),
         Err(e) => Err(e.into()),
     }
 }