Hotfix functionality incompatible with composefs+verity #3187
Comments
|
Yeah. I don't think should allow this for a signed composefs. |
alexlarsson
added a commit
to alexlarsson/ostree
that referenced
this issue
Feb 22, 2024
As mentioned in ostreedev#3187, we can't allow a hotfix overlay of /usr when using signed composefs images as that would allow an attacker to persist something used across boots.
|
Thanks for noticing this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I noticed the hotfix functionality (related to
ostree admin unlock --hotfix) is available even when one is using composefs (at least the part that applies the hotfix).Specifically, in this stretch of code,
ostree-prepare-rootchecks for the existence of a "hotfix overlay" by looking at the deployment directory even when composefs is in use. Unless I'm missing something, this would allow one to apply a hotfix on top of a composefs+verity image and hence bypass the integrity/authenticity guarantees you would normally expect. I suppose this is not intended, right?Since the hotfix is made of overlay directories (workdir, upperdir) which aren't signed I suppose composefs and hotfixing are not compatible...
The text was updated successfully, but these errors were encountered: