2023.6

cgwalters released this 25 Aug 15:17
· 385 commits to main since this release

signing: ed25519 can now be backed by openssl

If ostree is compiled with OpenSSL support (as it is on e.g. Fedora derivatives), this also enables an OpenSSL-backed implementation of the ed25519 signature support. Previously, this required libsodium, which can still be used instead of OpenSSL if desired.

composefs changes

Now enabled at build time (but disabled at runtime) by default

On systems with sufficiently new glibc and fsverity, ostree enables support for composefs at build time. It continues to be disabled by default at runtime.

composefs now supports signature verification

There is support for an "initramfs root binding key" that can be injected into the initramfs, and used to verify the ostree commit (including its embedded composefs checksum). One suggested model is to follow how e.g. Fedora signs kernel modules with a transient throwaway key. For more, please see the ostree/composefs doc.

Note that composefs continues to be classified as experimental.

Configuration format has changed

The old ot-composefs kernel argument is no longer honored; it is replaced by a configuration file that should be present in the initramfs.

ostree-prepare-root other changes

  • A new configuration file in the initramfs is honored: /etc/ostree/prepare-root.conf
  • This configuration file can also specify the readonly-sysroot default, which is now recommended
  • Improved Android Boot support
  • The sysroot.readonly flag can now also be configured from here, and this is recommended
  • /run/ostree-booted is now non-empty, and contains serialized state (this is an implementation detail)
  • Several preparatory code cleanups for other changes
  • ostree-prepare-root has a new man page which documents the previous state, along with the above
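
A pre-build lint for the initramfs configuration described above, as an added example (not code from ostree): it checks a prepare-root.conf against a policy of signed composefs plus a read-only sysroot, and checks that the binding key file holds base64 ed25519 public keys. Assumptions: the key name composefs.enabled and its values yes/no/maybe/signed come from the ostree-prepare-root documentation rather than this page, the key file is taken to hold one key per line, and the sample key and configuration are constructed.

```python
import base64
import binascii
import configparser

# Assumed value set for composefs.enabled (this page only shows "maybe").
COMPOSEFS_VALUES = {"yes", "no", "maybe", "signed"}

def check_key_file(text):
    """Findings for a key file holding one base64 ed25519 public key per line."""
    findings = []
    keys = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not keys:
        findings.append("key file contains no keys")
    for n, key in enumerate(keys, 1):
        try:
            raw = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"key {n}: not valid base64")
            continue
        if len(raw) != 32:  # ed25519 public keys are exactly 32 bytes
            findings.append(f"key {n}: {len(raw)} bytes, expected 32")
    return findings

def lint_prepare_root(conf_text, key_text=None):
    """Findings against a policy of signed composefs and a read-only sysroot."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    enabled = cp.get("composefs", "enabled", fallback="no").strip()
    if enabled not in COMPOSEFS_VALUES:
        findings.append(f"composefs.enabled: unknown value {enabled!r}")
    elif enabled != "signed":
        findings.append(f"composefs.enabled={enabled}: signature not required")
    elif key_text is None:
        findings.append("composefs.enabled=signed but no key file supplied")
    else:
        findings += check_key_file(key_text)
    readonly = cp.get("sysroot", "readonly", fallback=None)
    if readonly is None:  # unset: true only when composefs is on (per the shortlog)
        readonly = "true" if enabled in ("yes", "signed") else "false"
    if readonly.strip().lower() not in ("true", "1"):
        findings.append("sysroot.readonly is not enabled")
    return findings

# Constructed sample input: not a real key or a shipped configuration.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode() + "\n"
SAMPLE_CONF = "[composefs]\nenabled = signed\n\n[sysroot]\nreadonly = true\n"
if __name__ == "__main__":
    print(lint_prepare_root(SAMPLE_CONF, SAMPLE_KEY))
```

An empty list means the configuration meets the policy; each string otherwise names one setting to fix before the initramfs is built.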

ostree admin set-default

A long-overdue CLI verb to change the default deployment for the next boot.

sysroot other bugfixes and changes

  • It is now supported to have /usr/etc with an empty /etc. This is preparatory for supporting a transient /etc.
  • Finally fixed the global sync timeout at shutdown
  • Increased verbosity of changes
  • ostree admin deploy now honors --stateroot as we prefer that term over --os

trivial-httpd

The remnants of the deprecated ostree trivial-httpd CLI are now completely gone.

Alexander Larsson (8):
      tests: Fix composefs test
      sign-ed25519: Drop some uses of libsodium
      sign-ed25519: Implement sign and verify using openssl
      CI: Enable --with-crypto=openssl on debian testing to test openssl signatures
      libotutil: Link to crypto libs
      ostree-prepare-root: Validate ed25519 signatures when requested
      Read composefs configuration from initrd instead of commandline
      prepare-root: Only support base64 formated public key files

Colin Walters (84):
      tests/transactionality: Port a bit to xshell
      tests: Drop unused alias
      tests: Enable mtime test
      docs: Update user and group section
      Separate prepare-root static path
      prepare-root: Link to glib
      configure: post-release version bump
      Drop "ostree trivial-httpd" CLI, move to tests directory
      fetcher: Always open tmpfiles in repo (except on FUSE)
      show: Add --print-hex
      build-sys: Add libsodium to OT_DEP_CRYPTO
      Factor out a libotcore
      build: Drop `make syntax-check`
      Add an internal constant for the composefs image name
      prepare-root: Use otutil and g_print
      prepare-root: Drop unused verity flag querying
      sysroot: Add some error prefixing for bootversion
      prepare-root: Use constant for ed25519 signature
      prepare-root: Add metadata for composefs to `/run/ostree-booted`
      remount: Don't overwrite /run/ostree-booted
      remount: Use new metadata in `/run/ostree-booted` for composefs
      prepare-root: Drop dead `pivot_root` code
      Use /run/ostree-booted metadata for sysroot-ro state passing
      man: Add ostree-prepare-root
      mount: Fix gcc -fanalyzer warning for parsing androidboot.slot_suffix
      build-sys: Enable composefs at *build time* by default
      prepare-root: Refactor composefs config handling
      commit: Add `--sign-from-file`
      tests: Remove dead references to "SEED"
      sign-ed25519: More verbose errors for invalid length
      sign-ed25519: Add some comments for data structure
      sign-ed25519: Don't set sk unless we've validated it
      generator: Deduplicate ostree= karg parsing
      prepare-root: Drop code mounting `/proc`
      prepare-root: Drop more dead code
      Add an always-on `inode64` feature
      composefs: Use lowerdir in /run
      generator: Stop creating `/run/ostree-booted`
      src/generator: Move all logic into libostree-1.so
      kernel-args: Move private functions out of public header
      sysroot: Add a bit more error prefixing
      repo: Clarify when we fail to parse a remote
      prepare-root: Introduce `ostree/prepare-root.conf`
      prepare-root: Default sysroot.readonly=true if composefs
      prepare-root: Don't parse target root when composefs enabled
      tree-wide: Consistently `(void)g_variant_lookup()`
      core, switchroot: Harden a bit against `g_variant_get_data() == NULL`
      checksum-utils: Add an assertion that `buf != NULL`
      deploy: Be way more verbose about what we're doing
      tests/destructive: Turn off global sync()
      deploy: Support an empty `/etc` and populated `/usr/etc`
      composefs: Only call `_get_symlink_target()` on symlinks
      os-init: Create a mount namespace
      Add `admin set-default`
      More fully drop `trivial-httpd` entrypoint
      deploy: Fix mutex locking for global sync timeout
      README.md: Drop dead mailing list, link to GH discussions
      prepare-root: Use declare-and-initialize
      prepare-root: Check for empty string, not strlen > 0
      prepare-root: Use ptrarray, not linked list
      switchroot,generator: Only read /proc/cmdline once
      deploy: Add some error prefixing
      prepare-root: Minor clarifications
      repo: Bump lock timeout to 5 minutes
      Add `ostree admin stateroot-init` as alias for `os-init`
      admin-deploy: Add `--stateroot` as alias for `--os`
      admin: Port to c99 style
      remote-add: Port to c99 style
      lzma: Port to C99 style
      checkout: Port to C99 style
      cli/set-origin: Port to C99 style
      tests/destructive: Port more to xshell
      build-sys: Disable composefs on too-old Linux headers
      tests: Add otcore unit tests
      tests/inst: Update to latest ostree-ext
      cmd/init: Port to C99 style
      cmd/grub2-generate: Port to C99 style
      Move prepare-root karg helpers into otcore, add unit tests
      deploy: Add bootloader-naming-2 opt-init
      ci: Add c9s build
      build-sys: Look for both linux/mount.h and sys/mount.h
      build-sys: Really fix composefs check
      Release 2023.6
      configure: post-release version bump

Eric Curtin (6):
      android-boot: Remove dependency on ostree= karg, use androidboot.slot_suffix=
      Remove steal_pointer and steal_pointer_impl as we link in glib now
      bootloader: fold all Android Bootloader specific logic into prepare-root
      prepare-root: On a non-A/B androidboot system, boot system slot a
      prepare-root: Changes made to find_proc_cmdline_key
      prepare-root: If composefs is configured as "maybe" don't fail

dependabot[bot] (5):
      build(deps): bump composefs from `412cb5e` to `ac729b5`
      build(deps): bump composefs from `ac729b5` to `1704f82`
      build(deps): bump libglnx from `07e3e49` to `c02eb59`
      build(deps): bump composefs from `1704f82` to `a6e827d`
      build(deps): bump composefs from `a6e827d` to `1aed878`

samcday (1):
      docs: update boot loader spec link