diff --git a/src/libostree/ostree-repo-composefs.c b/src/libostree/ostree-repo-composefs.c
index aea52bc4ad..d6f0506b89 100644
--- a/src/libostree/ostree-repo-composefs.c
+++ b/src/libostree/ostree-repo-composefs.c
@@ -38,6 +38,8 @@
 #include
 #endif
+#define OSTREE_COMPOSEFS_INLINE_MAX_SIZE 64
+
 gboolean
 _ostree_repo_parse_composefs_config (OstreeRepo *self, GError **error)
 {
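Review bot: `OSTREE_COMPOSEFS_INLINE_MAX_SIZE` is added without a comment stating its unit or why 64 was chosen, even though the same constant both decides which files skip the fs-verity digest path and sizes a stack buffer in `checkout_one_composefs_file_at`. A comment above the define would record that, for example `/* Files of at most this many bytes are stored inline in the composefs image rather than referenced by digest; also the size of the on-stack read buffer. */`.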
@@ -327,32 +329,46 @@ checkout_one_composefs_file_at (OstreeRepo *repo, const char *checksum, struct l
 if (lcfs_node_set_payload (node, loose_path_buf) != 0)
 return glnx_null_throw_errno (error);
- guchar *known_digest = NULL;
+ if (source_size <= OSTREE_COMPOSEFS_INLINE_MAX_SIZE)
+ {
+ guchar buf[OSTREE_COMPOSEFS_INLINE_MAX_SIZE];
+ gsize bytes_read;
-#ifdef HAVE_LINUX_FSVERITY_H
- /* First try to get the digest directly from the bare repo file.
- * This is the typical case when we're pulled into the target
- * system repo with verity on and are recreating the composefs
- * image during deploy. */
- char buf[sizeof (struct fsverity_digest) + OSTREE_SHA256_DIGEST_LEN];
+ if (!g_input_stream_read_all (input, buf, source_size, &bytes_read, cancellable, error))
+ return NULL;
- if (G_IS_UNIX_INPUT_STREAM (input))
- {
- int content_fd = g_unix_input_stream_get_fd (G_UNIX_INPUT_STREAM (input));
- struct fsverity_digest *d = (struct fsverity_digest *)&buf;
- d->digest_size = OSTREE_SHA256_DIGEST_LEN;
-
- if (ioctl (content_fd, FS_IOC_MEASURE_VERITY, d) == 0
- && d->digest_size == OSTREE_SHA256_DIGEST_LEN
- && d->digest_algorithm == FS_VERITY_HASH_ALG_SHA256)
- known_digest = d->digest;
+ if (lcfs_node_set_content (node, buf, bytes_read) != 0)
+ return glnx_null_throw_errno (error);
 }
+ else
+ {
+ guchar *known_digest = NULL;
+
+#ifdef HAVE_LINUX_FSVERITY_H
+ /* First try to get the digest directly from the bare repo file.
+ * This is the typical case when we're pulled into the target
+ * system repo with verity on and are recreating the composefs
+ * image during deploy. */
+ char buf[sizeof (struct fsverity_digest) + OSTREE_SHA256_DIGEST_LEN];
+
+ if (G_IS_UNIX_INPUT_STREAM (input))
+ {
+ int content_fd = g_unix_input_stream_get_fd (G_UNIX_INPUT_STREAM (input));
+ struct fsverity_digest *d = (struct fsverity_digest *)&buf;
+ d->digest_size = OSTREE_SHA256_DIGEST_LEN;
+
+ if (ioctl (content_fd, FS_IOC_MEASURE_VERITY, d) == 0
+ && d->digest_size == OSTREE_SHA256_DIGEST_LEN
+ && d->digest_algorithm == FS_VERITY_HASH_ALG_SHA256)
+ known_digest = d->digest;
+ }
 #endif
- if (known_digest)
- lcfs_node_set_fsverity_digest (node, known_digest);
- else if (lcfs_node_set_fsverity_from_content (node, input, _composefs_read_cb) != 0)
- return glnx_null_throw_errno (error);
+ if (known_digest)
+ lcfs_node_set_fsverity_digest (node, known_digest);
+ else if (lcfs_node_set_fsverity_from_content (node, input, _composefs_read_cb) != 0)
+ return glnx_null_throw_errno (error);
+ }
 }
 if (xattrs)
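Review bot: In the new inline branch, `g_input_stream_read_all` can return TRUE with `bytes_read` smaller than `source_size` if the stream reaches EOF early, and the short content is then stored without any error. This branch sets no fs-verity digest, so the inlined bytes are the only record of the file's content and a length mismatch should fail, e.g. `if (bytes_read != source_size) return glnx_null_throw (error, "Short read of inline file content");`. Separately, the context line above the branch still calls `lcfs_node_set_payload` for every file, so an inlined node appears to keep a backing-object path with no digest attached; it is worth confirming that libcomposefs ignores the payload once content is set, or moving that call into the `else` branch. The declaration of `source_size` is outside the hunk; if it is a signed type, the `<=` test alone would not keep a negative value from reaching the 64-byte stack buffer as a read length. The enclosing function starts and ends outside the hunk.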