bootc-dev · cgwalters · Aug 1, 2025 · Jul 23, 2025 · Jul 23, 2025 · Jul 23, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/lib/Cargo.toml b/crates/lib/Cargo.toml
@@ -56,8 +56,7 @@ tini = "1.3.0"
 comfy-table = "7.1.1"
 thiserror = { workspace = true }
 canon-json = { workspace = true }
-openat = "0.1.21"
-openat-ext = "0.2.3"
+nom = "8.0.0"
 
 [dev-dependencies]
 similar-asserts = { workspace = true }

diff --git a/crates/lib/src/bls_config.rs b/crates/lib/src/bls_config.rs
diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
@@ -20,7 +20,7 @@ use ostree_container::store::PrepareResult;
 use ostree_ext::composefs::fsverity;
 use ostree_ext::composefs::fsverity::FsVerityHashValue;
 use ostree_ext::container as ostree_container;
-use ostree_ext::container_utils::{composefs_booted, ostree_booted};
+use ostree_ext::container_utils::ostree_booted;
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use schemars::schema_for;
@@ -36,7 +36,7 @@ use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
 use crate::status::composefs_deployment_status;
-use crate::utils::sigpolicy_from_opt;
+use crate::utils::{composefs_booted, sigpolicy_from_opt};
 
 /// Shared progress options
 #[derive(Debug, Parser, PartialEq, Eq)]
@@ -798,13 +798,29 @@ async fn upgrade_composefs(_opts: UpgradeOpts) -> Result<()> {
     };
 
     let boot_type = BootType::from(&entry);
+    let mut boot_digest = None;
 
     match boot_type {
-        BootType::Bls => setup_composefs_bls_boot(BootSetupType::Upgrade, repo, &id, entry),
-        BootType::Uki => setup_composefs_uki_boot(BootSetupType::Upgrade, repo, &id, entry),
-    }?;
+        BootType::Bls => {
+            boot_digest = Some(setup_composefs_bls_boot(
+                BootSetupType::Upgrade,
+                repo,
+                &id,
+                entry,
+            )?)
+        }
 
-    write_composefs_state(&Utf8PathBuf::from("/sysroot"), id, imgref, true, boot_type)?;
+        BootType::Uki => setup_composefs_uki_boot(BootSetupType::Upgrade, repo, &id, entry)?,
+    };
+
+    write_composefs_state(
+        &Utf8PathBuf::from("/sysroot"),
+        id,
+        imgref,
+        true,
+        boot_type,
+        boot_digest,
+    )?;
 
     Ok(())
 }
@@ -966,18 +982,27 @@ async fn switch_composefs(opts: SwitchOpts) -> Result<()> {
     };
 
     let boot_type = BootType::from(&entry);
+    let mut boot_digest = None;
 
     match boot_type {
-        BootType::Bls => setup_composefs_bls_boot(BootSetupType::Upgrade, repo, &id, entry),
-        BootType::Uki => setup_composefs_uki_boot(BootSetupType::Upgrade, repo, &id, entry),
-    }?;
+        BootType::Bls => {
+            boot_digest = Some(setup_composefs_bls_boot(
+                BootSetupType::Upgrade,
+                repo,
+                &id,
+                entry,
+            )?)
+        }
+        BootType::Uki => setup_composefs_uki_boot(BootSetupType::Upgrade, repo, &id, entry)?,
+    };
 
     write_composefs_state(
         &Utf8PathBuf::from("/sysroot"),
         id,
         &target_imgref,
         true,
         boot_type,
+        boot_digest,
     )?;
 
     Ok(())

diff --git a/crates/lib/src/composefs_consts.rs b/crates/lib/src/composefs_consts.rs
@@ -0,0 +1,38 @@
+/// composefs= paramter in kernel cmdline
+pub const COMPOSEFS_CMDLINE: &str = "composefs=";
+/// composefs=? paramter in kernel cmdline. The `?` signifies that the fs-verity validation is
+/// optional in case the filesystem doesn't support it.
+pub const COMPOSEFS_INSECURE_CMDLINE: &str = "composefs=?";
+
+/// Directory to store transient state, such as staged deployemnts etc
+pub(crate) const COMPOSEFS_TRANSIENT_STATE_DIR: &str = "/run/composefs";
+/// File created in /run/composefs to record a staged-deployment
+pub(crate) const COMPOSEFS_STAGED_DEPLOYMENT_FNAME: &str = "staged-deployment";
+
+/// Absolute path to composefs-native state directory
+pub(crate) const STATE_DIR_ABS: &str = "/sysroot/state/deploy";
+/// Relative path to composefs-native state directory. Relative to /sysroot
+pub(crate) const STATE_DIR_RELATIVE: &str = "state/deploy";
+/// Relative path to the shared 'var' directory. Relative to /sysroot
+pub(crate) const SHARED_VAR_PATH: &str = "state/os/default/var";
+
+/// Section in .origin file to store boot related metadata
+pub(crate) const ORIGIN_KEY_BOOT: &str = "boot";
+/// Whether the deployment was booted with BLS or UKI
+pub(crate) const ORIGIN_KEY_BOOT_TYPE: &str = "boot_type";
+/// Key to store the SHA256 sum of vmlinuz + initrd for a deployment
+pub(crate) const ORIGIN_KEY_BOOT_DIGEST: &str = "digest";
+
+/// Filename for `loader/entries`
+pub(crate) const BOOT_LOADER_ENTRIES: &str = "entries";
+/// Filename for staged boot loader entries
+pub(crate) const STAGED_BOOT_LOADER_ENTRIES: &str = "entries.staged";
+/// Filename for rollback boot loader entries
+pub(crate) const ROLLBACK_BOOT_LOADER_ENTRIES: &str = STAGED_BOOT_LOADER_ENTRIES;
+
+/// Filename for grub user config
+pub(crate) const USER_CFG: &str = "user.cfg";
+/// Filename for staged grub user config
+pub(crate) const USER_CFG_STAGED: &str = "user.cfg.staged";
+/// Filename for rollback grub user config
+pub(crate) const USER_CFG_ROLLBACK: &str = USER_CFG_STAGED;