As of the version 39 of Fedora Silverblue all the basic code is merged to support a composefs-based root filesystem.
To try it, do:
- Update to the latest version (I tested 39.20240115.0)
- Configure ostree to create and use composefs images:
$ sudo ostree config set ex-integrity.composefs yes
- Trigger a manual (re)deploy of the current version:
$ sudo ostree admin deploy fedora/39/x86_64/silverblue
- Reboot into the new deploy
- If using ext4 filesystem for rootfs (not needed for btrfs), enable “verity” feature on it:
$ sudo tune2fs -O verity /dev/vda3 # Change to right root disk
- Enable fs-verity on all pre-existing ostree repo files:
$ sudo ostree admin post-copy
At this point, the rootfs should be be a composefs mount. You can verify it by looking at the mount, which should look like this:
$ findmnt / TARGET SOURCE FSTYPE OPTIONS / overlay overlay ro,relatime,seclabel,lowerdir=/run/ostree/.private/cfsroot-lower::/sysroot/ostree/repo/objects,redirect_dir=on,metacopy=on
So, what does this mean?
First of all, it means the rootfs is truly read-only:
# touch /usr/new_file touch: cannot touch '/usr/new_file': Read-only file system
The above error message happens also with regular ostree, but in that case it is only a read-only mount flag, and a root user can re-mount it read-write to modify it (or modify the backing directories in /ostree). However, when using composefs, the root filesystem is a combination of a erofs mount (from /ostree/deploy/fedora/deploy/*/.ostree.cfs) and an overlayfs with no writable directories, and neither of these have any ability to write to disk.
In addition, the system is set up to validate all file accesses, as the composefs image has recorded the expected fs-verity checksums for all files and overlayfs can validate them on use.
To fully complete the validation, Silverblue will just need a few additions (which I hope will be done soon):
- Each build should generate a one-use signature keypair
- The ostree commit should be signed with the private key
- Add public key as /etc/ostree/initramfs-root-binding.key
- Add /usr/lib/ostree/prepare-root.conf with this content:
[composefs] enabled=yes signed=yes
These files will be copied into the initrd, and during boot the public key will be used to validate the composefs image, which in turn guarantee that all file accesses give the correct, unchanged data.
To further improve security, the initramfs and the kernel can be combined into a Unified Kernel Image and signed. Then SecureBoot can guarantee that your system will not boot any other initramfs, and thus no other userspace.