Adjust all code to use ComposefsRepository alias

cgwalters · cgwalters · commit 837dc4412c56 · 2025-10-02T14:04:42.000-04:00
This ensures we're SHA-512 across the board.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/crates/initramfs/src/lib.rs b/crates/initramfs/src/lib.rs
@@ -22,7 +22,7 @@ use rustix::{
 use serde::Deserialize;
 
 use composefs::{
-    fsverity::{FsVerityHashValue, Sha256HashValue},
+    fsverity::{FsVerityHashValue, Sha512HashValue},
     mount::FsHandle,
     mountcompat::{overlayfs_set_fd, overlayfs_set_lower_and_data_fds, prepare_mount},
     repository::Repository,
@@ -207,7 +207,7 @@ fn open_root_fs(path: &Path) -> Result<OwnedFd> {
 /// * insecure - Whether fsverity is optional or not
 #[context("Mounting composefs image")]
 pub fn mount_composefs_image(sysroot: &OwnedFd, name: &str, insecure: bool) -> Result<OwnedFd> {
-    let mut repo = Repository::<Sha256HashValue>::open_path(sysroot, "composefs")?;
+    let mut repo = Repository::<Sha512HashValue>::open_path(sysroot, "composefs")?;
     repo.set_insecure(insecure);
     repo.mount(name).context("Failed to mount composefs image")
 }
@@ -282,7 +282,7 @@ pub fn setup_root(args: Args) -> Result<()> {
         // TODO: Deduplicate this with composefs branch karg parser
         None => &std::fs::read_to_string("/proc/cmdline")?,
     };
-    let (image, insecure) = get_cmdline_composefs::<Sha256HashValue>(cmdline)?;
+    let (image, insecure) = get_cmdline_composefs::<Sha512HashValue>(cmdline)?;
 
     let new_root = match args.root_fs {
         Some(path) => open_root_fs(&path).context("Failed to clone specified root fs")?,
diff --git a/crates/lib/src/bootc_composefs/boot.rs b/crates/lib/src/bootc_composefs/boot.rs
@@ -14,14 +14,11 @@ use cap_std_ext::{
 };
 use clap::ValueEnum;
 use composefs::fs::read_file;
-use composefs::tree::{FileSystem, RegularFile};
+use composefs::tree::RegularFile;
 use composefs_boot::bootloader::{PEType, EFI_ADDON_DIR_EXT, EFI_ADDON_FILE_EXT, EFI_EXT};
 use composefs_boot::BootOps;
 use fn_error_context::context;
-use ostree_ext::composefs::{
-    fsverity::{FsVerityHashValue, Sha256HashValue},
-    repository::Repository as ComposefsRepository,
-};
+use ostree_ext::composefs::fsverity::{FsVerityHashValue, Sha512HashValue};
 use ostree_ext::composefs_boot::bootloader::UsrLibModulesVmlinuz;
 use ostree_ext::composefs_boot::{
     bootloader::BootEntry as ComposefsBootEntry, cmdline::get_cmdline_composefs,
@@ -32,14 +29,14 @@ use rustix::path::Arg;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
-use crate::bootc_composefs::repo::open_composefs_repo;
 use crate::bootc_composefs::state::{get_booted_bls, write_composefs_state};
 use crate::bootc_composefs::status::get_sorted_uki_boot_entries;
 use crate::composefs_consts::{TYPE1_ENT_PATH, TYPE1_ENT_PATH_STAGED};
 use crate::parsers::bls_config::{BLSConfig, BLSConfigType};
 use crate::parsers::grub_menuconfig::MenuEntry;
 use crate::spec::ImageReference;
 use crate::task::Task;
+use crate::{bootc_composefs::repo::open_composefs_repo, store::ComposefsFilesystem};
 use crate::{
     composefs_consts::{
         BOOT_LOADER_ENTRIES, COMPOSEFS_CMDLINE, ORIGIN_KEY_BOOT, ORIGIN_KEY_BOOT_DIGEST,
@@ -68,9 +65,9 @@ const SYSTEMD_UKI_DIR: &str = "EFI/Linux/bootc";
 
 pub(crate) enum BootSetupType<'a> {
     /// For initial setup, i.e. install to-disk
-    Setup((&'a RootSetup, &'a State, &'a FileSystem<Sha256HashValue>)),
+    Setup((&'a RootSetup, &'a State, &'a ComposefsFilesystem)),
     /// For `bootc upgrade`
-    Upgrade((&'a FileSystem<Sha256HashValue>, &'a Host)),
+    Upgrade((&'a ComposefsFilesystem, &'a Host)),
 }
 
 #[derive(
@@ -107,8 +104,8 @@ impl TryFrom<&str> for BootType {
     }
 }
 
-impl From<&ComposefsBootEntry<Sha256HashValue>> for BootType {
-    fn from(entry: &ComposefsBootEntry<Sha256HashValue>) -> Self {
+impl From<&ComposefsBootEntry<Sha512HashValue>> for BootType {
+    fn from(entry: &ComposefsBootEntry<Sha512HashValue>) -> Self {
         match entry {
             ComposefsBootEntry::Type1(..) => Self::Bls,
             ComposefsBootEntry::Type2(..) => Self::Uki,
@@ -181,8 +178,8 @@ pub fn type1_entry_conf_file_name(sort_key: impl std::fmt::Display) -> String {
 /// * repo - The composefs repository
 #[context("Computing boot digest")]
 fn compute_boot_digest(
-    entry: &UsrLibModulesVmlinuz<Sha256HashValue>,
-    repo: &ComposefsRepository<Sha256HashValue>,
+    entry: &UsrLibModulesVmlinuz<Sha512HashValue>,
+    repo: &crate::store::ComposefsRepository,
 ) -> Result<String> {
     let vmlinuz = read_file(&entry.vmlinuz, &repo).context("Reading vmlinuz")?;
 
@@ -255,9 +252,9 @@ fn find_vmlinuz_initrd_duplicates(digest: &str) -> Result<Option<String>> {
 #[context("Writing BLS entries to disk")]
 fn write_bls_boot_entries_to_disk(
     boot_dir: &Utf8PathBuf,
-    deployment_id: &Sha256HashValue,
-    entry: &UsrLibModulesVmlinuz<Sha256HashValue>,
-    repo: &ComposefsRepository<Sha256HashValue>,
+    deployment_id: &Sha512HashValue,
+    entry: &UsrLibModulesVmlinuz<Sha512HashValue>,
+    repo: &crate::store::ComposefsRepository,
 ) -> Result<()> {
     let id_hex = deployment_id.to_hex();
 
@@ -300,8 +297,8 @@ fn write_bls_boot_entries_to_disk(
 /// # Returns
 /// - (title, version)
 fn osrel_title_and_version(
-    fs: &FileSystem<Sha256HashValue>,
-    repo: &ComposefsRepository<Sha256HashValue>,
+    fs: &crate::store::ComposefsFilesystem,
+    repo: &crate::store::ComposefsRepository,
 ) -> Result<Option<(Option<String>, Option<String>)>> {
     // Every update should have its own /usr/lib/os-release
     let (dir, fname) = fs
@@ -359,9 +356,9 @@ struct BLSEntryPath<'a> {
 pub(crate) fn setup_composefs_bls_boot(
     setup_type: BootSetupType,
     // TODO: Make this generic
-    repo: ComposefsRepository<Sha256HashValue>,
-    id: &Sha256HashValue,
-    entry: &ComposefsBootEntry<Sha256HashValue>,
+    repo: crate::store::ComposefsRepository,
+    id: &Sha512HashValue,
+    entry: &ComposefsBootEntry<Sha512HashValue>,
 ) -> Result<String> {
     let id_hex = id.to_hex();
 
@@ -569,8 +566,8 @@ pub(crate) fn setup_composefs_bls_boot(
 /// Writes a PortableExecutable to ESP along with any PE specific or Global addons
 #[context("Writing {file_path} to ESP")]
 fn write_pe_to_esp(
-    repo: &ComposefsRepository<Sha256HashValue>,
-    file: &RegularFile<Sha256HashValue>,
+    repo: &crate::store::ComposefsRepository,
+    file: &RegularFile<Sha512HashValue>,
     file_path: &Utf8Path,
     pe_type: PEType,
     uki_id: &String,
@@ -588,7 +585,7 @@ fn write_pe_to_esp(
         let cmdline = uki::get_cmdline(&efi_bin).context("Getting UKI cmdline")?;
 
         let (composefs_cmdline, insecure) =
-            get_cmdline_composefs::<Sha256HashValue>(cmdline).context("Parsing composefs=")?;
+            get_cmdline_composefs::<Sha512HashValue>(cmdline).context("Parsing composefs=")?;
 
         // If the UKI cmdline does not match what the user has passed as cmdline option
         // NOTE: This will only be checked for new installs and now upgrades/switches
@@ -676,7 +673,7 @@ fn write_grub_uki_menuentry(
     root_path: Utf8PathBuf,
     setup_type: &BootSetupType,
     boot_label: String,
-    id: &Sha256HashValue,
+    id: &Sha512HashValue,
     esp_device: &String,
 ) -> Result<()> {
     let boot_dir = root_path.join("boot");
@@ -764,7 +761,7 @@ fn write_systemd_uki_config(
     esp_dir: &Dir,
     setup_type: &BootSetupType,
     boot_label: String,
-    id: &Sha256HashValue,
+    id: &Sha512HashValue,
 ) -> Result<()> {
     let default_sort_key = "0";
 
@@ -833,9 +830,9 @@ fn write_systemd_uki_config(
 pub(crate) fn setup_composefs_uki_boot(
     setup_type: BootSetupType,
     // TODO: Make this generic
-    repo: ComposefsRepository<Sha256HashValue>,
-    id: &Sha256HashValue,
-    entries: Vec<ComposefsBootEntry<Sha256HashValue>>,
+    repo: crate::store::ComposefsRepository,
+    id: &Sha512HashValue,
+    entries: Vec<ComposefsBootEntry<Sha512HashValue>>,
 ) -> Result<()> {
     let (root_path, esp_device, bootloader, is_insecure_from_opts, uki_addons) = match setup_type {
         BootSetupType::Setup((root_setup, state, ..)) => {
diff --git a/crates/lib/src/bootc_composefs/repo.rs b/crates/lib/src/bootc_composefs/repo.rs
@@ -4,9 +4,7 @@ use std::sync::Arc;
 use anyhow::{Context, Result};
 
 use ostree_ext::composefs::{
-    fsverity::{FsVerityHashValue, Sha256HashValue},
-    repository::Repository as ComposefsRepository,
-    tree::FileSystem,
+    fsverity::{FsVerityHashValue, Sha512HashValue},
     util::Sha256Digest,
 };
 use ostree_ext::composefs_boot::{bootloader::BootEntry as ComposefsBootEntry, BootOps};
@@ -20,10 +18,8 @@ use cap_std_ext::cap_std::{ambient_authority, fs::Dir};
 
 use crate::install::{RootSetup, State};
 
-pub(crate) fn open_composefs_repo(
-    rootfs_dir: &Dir,
-) -> Result<ComposefsRepository<Sha256HashValue>> {
-    ComposefsRepository::open_path(rootfs_dir, "composefs")
+pub(crate) fn open_composefs_repo(rootfs_dir: &Dir) -> Result<crate::store::ComposefsRepository> {
+    crate::store::ComposefsRepository::open_path(rootfs_dir, "composefs")
         .context("Failed to open composefs repository")
 }
 
@@ -78,10 +74,10 @@ pub(crate) async fn pull_composefs_repo(
     transport: &String,
     image: &String,
 ) -> Result<(
-    ComposefsRepository<Sha256HashValue>,
-    Vec<ComposefsBootEntry<Sha256HashValue>>,
-    Sha256HashValue,
-    FileSystem<Sha256HashValue>,
+    crate::store::ComposefsRepository,
+    Vec<ComposefsBootEntry<Sha512HashValue>>,
+    Sha512HashValue,
+    crate::store::ComposefsFilesystem,
 )> {
     let rootfs_dir = Dir::open_ambient_dir("/sysroot", ambient_authority())?;
 
@@ -98,8 +94,9 @@ pub(crate) async fn pull_composefs_repo(
     tracing::info!("id: {}, verity: {}", hex::encode(id), verity.to_hex());
 
     let repo = open_composefs_repo(&rootfs_dir)?;
-    let mut fs = create_composefs_filesystem(&repo, &hex::encode(id), None)
-        .context("Failed to create composefs filesystem")?;
+    let mut fs: crate::store::ComposefsFilesystem =
+        create_composefs_filesystem(&repo, &hex::encode(id), None)
+            .context("Failed to create composefs filesystem")?;
 
     let entries = fs.transform_for_boot(&repo)?;
     let id = fs.commit_image(&repo, None)?;
diff --git a/crates/lib/src/bootc_composefs/state.rs b/crates/lib/src/bootc_composefs/state.rs
@@ -10,7 +10,7 @@ use camino::Utf8PathBuf;
 use cap_std_ext::cap_std::ambient_authority;
 use cap_std_ext::cap_std::fs::Dir;
 use cap_std_ext::dirext::CapStdExtDirExt;
-use composefs::fsverity::{FsVerityHashValue, Sha256HashValue};
+use composefs::fsverity::{FsVerityHashValue, Sha512HashValue};
 use fn_error_context::context;
 
 use ostree_ext::container::deploy::ORIGIN_CONTAINER;
@@ -107,7 +107,7 @@ pub(crate) fn copy_etc_to_state(
 #[context("Writing composefs state")]
 pub(crate) fn write_composefs_state(
     root_path: &Utf8PathBuf,
-    deployment_id: Sha256HashValue,
+    deployment_id: Sha512HashValue,
     imgref: &ImageReference,
     staged: bool,
     boot_type: BootType,
diff --git a/crates/lib/src/store/mod.rs b/crates/lib/src/store/mod.rs
@@ -37,6 +37,7 @@ use crate::utils::deployment_fd;
 /// See https://github.com/containers/composefs-rs/issues/159
 pub type ComposefsRepository =
     composefs::repository::Repository<composefs::fsverity::Sha512HashValue>;
+pub type ComposefsFilesystem = composefs::tree::FileSystem<composefs::fsverity::Sha512HashValue>;
 
 /// Path to the physical root
 pub const SYSROOT: &str = "sysroot";
