diff options
| author | Chong Cai <chongc@google.com> | 2021-08-12 14:59:27 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-08-12 15:02:32 -0700 |
| commit | 5f132ae1f889829e57ef6b2117342247b0f75b3a (patch) | |
| tree | c5a7355a6187290a795b41d4a3f846ca56d2a751 | |
| parent | 345eb4a666eb64c31fc050209abac974520236a3 (diff) | |
Clear Merkle files before measuring verity fs
PiperOrigin-RevId: 390467957
| -rw-r--r-- | runsc/cmd/verity_prepare.go | 7 | ||||
| -rw-r--r-- | tools/verity/measure_tool.go | 30 |
2 files changed, 36 insertions, 1 deletions
diff --git a/runsc/cmd/verity_prepare.go b/runsc/cmd/verity_prepare.go index 85d762a51..44c1d05db 100644 --- a/runsc/cmd/verity_prepare.go +++ b/runsc/cmd/verity_prepare.go @@ -82,7 +82,7 @@ func (c *VerityPrepare) Execute(_ context.Context, f *flag.FlagSet, args ...inte }, Process: &specs.Process{ Cwd: absRoot, - Args: []string{c.tool, "--path", "/verityroot"}, + Args: []string{c.tool, "--path", "/verityroot", "--rawpath", "/rawroot"}, Env: os.Environ(), Capabilities: specutils.AllCapabilities(), }, @@ -94,6 +94,11 @@ func (c *VerityPrepare) Execute(_ context.Context, f *flag.FlagSet, args ...inte Type: "bind", Options: []string{"verity.roothash="}, }, + { + Source: c.dir, + Destination: "/rawroot", + Type: "bind", + }, }, } diff --git a/tools/verity/measure_tool.go b/tools/verity/measure_tool.go index 0d314ae70..4a0bc497a 100644 --- a/tools/verity/measure_tool.go +++ b/tools/verity/measure_tool.go @@ -21,12 +21,14 @@ import ( "io/ioutil" "log" "os" + "strings" "syscall" "gvisor.dev/gvisor/pkg/abi/linux" ) var path = flag.String("path", "", "path to the verity file system.") +var rawpath = flag.String("rawpath", "", "path to the raw file system.") const maxDigestSize = 64 @@ -40,6 +42,14 @@ func main() { if *path == "" { log.Fatalf("no path provided") } + if *rawpath == "" { + log.Fatalf("no rawpath provided") + } + // TODO(b/182315468): Optimize the Merkle tree generate process to + // allow only updating certain files/directories. + if err := clearMerkle(*rawpath); err != nil { + log.Fatalf("Failed to clear merkle files in %s: %v", *rawpath, err) + } if err := enableDir(*path); err != nil { log.Fatalf("Failed to enable file system %s: %v", *path, err) } @@ -49,6 +59,26 @@ func main() { } } +func clearMerkle(path string) error { + files, err := ioutil.ReadDir(path) + if err != nil { + return err + } + + for _, file := range files { + if file.IsDir() { + if err := clearMerkle(path + "/" + file.Name()); err != nil { + return err + } + } else if strings.HasPrefix(file.Name(), ".merkle.verity") { + if err := os.Remove(path + "/" + file.Name()); err != nil { + return err + } + } + } + return nil +} + // enableDir enables verity features on all the files and sub-directories within // path. func enableDir(path string) error { |