The PuzzleFS container filesystem

Posted Sep 26, 2023 14:30 UTC (Tue) by alexl (subscriber, #19068)
In reply to: The PuzzleFS container filesystem by bluca
Parent article: The PuzzleFS container filesystem

You can use dm-verity to protect a composefs-style erofs image, but you would have to use fs-verity to verity the blob storage layer.

The PuzzleFS container filesystem

Posted Sep 26, 2023 14:52 UTC (Tue) by hsiangkao (guest, #123981) [Link] (2 responses)

> you would have to use fs-verity to verity the blob storage layer

I think if some blob storage layer is just an EROFS image, you could directly apply dm-verity on these layers.
And check dm-verity root digests of these layers before mounting. I think that would be in the same effect, anyway.

We can also use fs-verity to verity the blob storage layers if these layers are on a RW fs (the current composefs does.)

The PuzzleFS container filesystem

Posted Sep 26, 2023 15:02 UTC (Tue) by alexl (subscriber, #19068) [Link] (1 responses)

Yes, this is doable, but its kinda a weird way to store the blobs. The main goal of a system like this is to share the blobs between different images, and having the blob store be per-image is contrary to this goal.

The PuzzleFS container filesystem

Posted Sep 26, 2023 15:09 UTC (Tue) by hsiangkao (guest, #123981) [Link]

Yes, I know that is not composefs intended use cases.
I'm not sure if some people really rely on layering concept (such as system using raw partitions/devices without real filesystem storage), anyway.