examples: test with fs-verity disabled

croissanne · allisonkarlitskaya · commit fca625fc5f77 · 2025-06-24T15:13:09.000+02:00
In run-repart there are three cases that need to be supported:
- run systemd-repart with `fsverity=copy`;
- run systemd-repart without fs-verity support (FS_VERITY_MODE=none);
- run systemd-repart without fs-verity support, but fix it after (FS_VERITY_MODE=fix).

Test with fs-verity disabled on both ext4 (no fs-verity on the root
image, but supported by the sysroot filesystem) and xfs (no fs-verity
supported).

Signed-off-by: Sanne Raymaekers &lt;sanne.raymaekers@gmail.com&gt;
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
@@ -26,6 +26,8 @@ jobs:
           - { dir: 'uki', os: 'fedora' }
           - { dir: 'unified', os: 'fedora' }
           - { dir: 'unified-secureboot', os: 'fedora' }
+          - { dir: 'bls', os: 'arch', fsfmt: 'ext4', verity: 'none' }
+          - { dir: 'bls', os: 'arch', fsfmt: 'xfs', verity: 'none' }
       fail-fast: false
 
     steps:
@@ -71,4 +73,6 @@ jobs:
     - name: Run example tests
       run: |
         export PATH="${HOME}/bin:${PATH}"
+        export FS_FORMAT=${{ matrix.example.fsfmt }}
+        export FS_VERITY_MODE=${{ matrix.example.verity }}
         examples/test/run ${{ matrix.example.dir }} ${{ matrix.example.os }}
diff --git a/examples/bls/build b/examples/bls/build
@@ -56,6 +56,11 @@ podman build \
 BASE_ID="$(sed s/sha256:// tmp/base.iid)"
 
 ${CFSCTL} oci pull containers-storage:${BASE_ID}
+
+if [ "${FS_VERITY_MODE:-repart}" = "none" ]; then
+    CFSCTL="$CFSCTL --insecure"
+fi
+
 ${CFSCTL} oci prepare-boot "${BASE_ID}" --bootdir tmp/efi --cmdline console=ttyS0,115200 --entry-id=example --cmdline rw
 
 ../common/install-systemd-boot
diff --git a/examples/common/check-config b/examples/common/check-config
@@ -40,19 +40,19 @@ fi
 #
 # All the tests past this point can be skipped if we're doing after-the-fact
 # verity fixups using the fix-verity script.
-if [ "${FIX_VERITY:-}" = "1" ]; then
+if [ "${FS_VERITY_MODE:-repart}" = "fix" ] || [ "${FS_VERITY_MODE:-repart}" = "none" ]; then
     exit 0
 fi
 
 if ! grep -sq 'fsverity=' "${systemd_repart}"; then
     echo "*** Your systemd-repart doesn't seem to have fs-verity support"
-    echo "*** See the install-patched-tools script, or set FIX_VERITY=1..."
+    echo "*** See the install-patched-tools script, or set FS_VERITY_MODE=fix..."
     exit 1
 fi
 
 if ! grep -sq 'fs-verity support' "${mkfs_ext4}"; then
     echo "*** Your mkfs.ext4 doesn't seem to have fs-verity support"
-    echo "*** See the install-patched-tools script, or set FIX_VERITY=1..."
+    echo "*** See the install-patched-tools script, or set FS_VERITY_MODE=fix..."
     exit 1
 fi
 
@@ -62,6 +62,6 @@ check_metadata() {
 
 if check_metadata "$0"; then
     echo "*** Your working directory doesn't seem to support FS_IOC_READ_VERITY_METADATA"
-    echo "*** You're probably using btrfs on an older kernel version.  Try FIX_VERITY=1..."
+    echo "*** You're probably using btrfs on an older kernel version.  Try FS_VERITY_MODE=fix..."
     exit 1
 fi
diff --git a/examples/common/repart.d/01-esp.conf b/examples/common/repart.d/01-esp.conf
diff --git a/examples/common/repart.d/02-sysroot.conf b/examples/common/repart.d/02-sysroot.conf
diff --git a/examples/common/run-repart b/examples/common/run-repart
@@ -7,15 +7,33 @@ chcon -R system_u:object_r:usr_t:s0 tmp/sysroot/composefs
 chcon system_u:object_r:var_t:s0 tmp/sysroot/state/*/var
 chcon system_u:object_r:etc_t:s0 tmp/sysroot/state/*/etc/*
 
-definitions="${0%/*}/repart.d"
+definitions='tmp/repart.d'
+export SYSTEMD_REPART_MKFS_OPTIONS_EXT4='-O verity'
 
-if [ "${FIX_VERITY:-}" = '1' ]; then
-    export SYSTEMD_REPART_MKFS_OPTIONS_EXT4='-O verity'
-    cp -r "${definitions}" tmp/repart.d
-    sed -i 's/:fsverity=copy//' tmp/repart.d/02-sysroot.conf
-    definitions='tmp/repart.d'
+mkdir -p "$definitions"
+
+cat <<EOF > tmp/repart.d/01-esp.conf
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/efi:/
+SizeMinBytes=512M
+SizeMaxBytes=512M
+EOF
+
+if [ "${FS_VERITY_MODE:-repart}" = 'repart' ]; then
+    COPY_FILES_FLAG="/sysroot:/:fsverity=copy"
 fi
 
+cat <<EOF > tmp/repart.d/02-sysroot.conf
+[Partition]
+Type=root
+Format=${FS_FORMAT:-ext4}
+SizeMinBytes=10G
+SizeMaxBytes=10G
+CopyFiles=${COPY_FILES_FLAG:-/sysroot:/}
+EOF
+
 # Setting TMPDIR here has a couple of advantages:
 #  - we already have our own temporary directory
 #  - systemd-repart can copy the files faster when they are in the same partition
@@ -30,6 +48,6 @@ TMPDIR="${PWD}/tmp" systemd-repart \
     --definitions="${definitions}" \
     "$1"
 
-if [ "${FIX_VERITY:-}" = '1' ]; then
+if [ "${FS_VERITY_MODE:-repart}" = 'fix' ]; then
     "${0%/*}/fix-verity/fix-verity" "$1"
 fi
diff --git a/examples/test/run-tests b/examples/test/run-tests
@@ -11,7 +11,10 @@ def test_basic(m: testvm.Machine):
     m.execute('! touch /a')
 
     # the content of /sysroot is what we expect
-    assert m.execute('ls /sysroot') == 'composefs\nlost+found\nstate\n'
+    # lost+found is only available on ext4, and this also tests xfs
+    assert [
+        name for name in m.execute('ls /sysroot').splitlines() if name != 'lost+found'
+    ] == ['composefs', 'state']
 
     # make sure /etc and /var persist across a reboot
     m.write('/etc/persists.conf', 'hihi conf')
