Read all data into memory in one Read call and verify them block by
block instead of read each block during verification. This is for
performance purpose to avoid invoking multiple syscalls.
PiperOrigin-RevId: 391877937
The unordered map may generate different hash due to its order. The
children map needs to be sorted each time before hashing to avoid false
verification failure due to the map.
Store the sorted children map in verity dentry to avoid sorting it each
time verification happens.
Also serialize the whole VerityDescriptor struct to hash now that the
map is removed from it.
PiperOrigin-RevId: 382201560
Split usermem package to help remove syserror dependency in go_marshal.
New hostarch package contains code not dependent on syserror.
PiperOrigin-RevId: 365651233
children names map can be used to verify whether a child is expected
during walking, so that we can detect unexpected modifications that
deleted/renamed both the target file and the corresponding merkle tree
file.
PiperOrigin-RevId: 342170715
The file size can now also be verified. Also, since we are zero-padding
the last block of the data, we cannot differentiate the cases between
zero-padded block from the blocks that are ends with zeroes. With the
size included this can be addressed, as those cases would have different
file size.
PiperOrigin-RevId: 340695510
Merkle tree library was originally using Read/Seek to access data and
tree, since the parameters are io.ReadSeeker. This could cause race
conditions if multiple threads accesses the same fd to read. Here we
change to use ReaderAt, and implement it with PRead to make it thread
safe.
PiperOrigin-RevId: 336779260
PRead is implemented by read from the underlying file in blocks, and
verify each block. The verified contents are saved into the output
buffer.
PiperOrigin-RevId: 332092267
Implement walk directories in gvisor verity file system. For each step,
the child dentry is verified against a verified parent root hash.
PiperOrigin-RevId: 329358747
If the data is in the same Reader as the merkle tree, we should verify
from the first layer in the tree, instead of from the beginning.
PiperOrigin-RevId: 328230988
Chong Cai
Zach Koopmans
gVisor bot