composefs: Use ComposefsCmdline to handle missing verity

In a few places we were simply searching for the value of composefs
cmdline param in the BLS config options, which would not work as
expected in cases where missing verity is allowed as the `?` was being
counted as part of the digest.

Instead, we now use ComposefsCmdline which properly handles the parsing
of `?` and the digest

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

crates/lib/src/bootc_composefs/boot.rs

@@ -550,7 +550,7 @@ pub(crate) fn setup_composefs_bls_boot(
             let bootloader = host.require_composefs_booted()?.bootloader.clone();
 
             let boot_dir = storage.require_boot_dir()?;
-            let current_cfg = get_booted_bls(&boot_dir)?;
+            let current_cfg = get_booted_bls(&boot_dir, booted_cfs)?;
 
             let mut cmdline = match current_cfg.cfg_type {
                 BLSConfigType::NonEFI { options, .. } => {
@@ -775,7 +775,12 @@ pub(crate) fn setup_composefs_bls_boot(
     let (config_path, booted_bls) = if is_upgrade {
         let boot_dir = Dir::open_ambient_dir(&entry_paths.config_path, ambient_authority())?;
 
-        let mut booted_bls = get_booted_bls(&boot_dir)?;
+        let BootSetupType::Upgrade((_, booted_cfs, ..)) = setup_type else {
+            // This is just for sanity
+            unreachable!("enum mismatch");
+        };
+
+        let mut booted_bls = get_booted_bls(&boot_dir, booted_cfs)?;
         booted_bls.sort_key = Some(secondary_sort_key(&os_id));
 
         let staged_path = loader_path.join(STAGED_BOOT_LOADER_ENTRIES);
@@ -1052,12 +1057,12 @@ fn write_systemd_uki_config(
             (esp_dir.open_dir(TYPE1_ENT_PATH)?, None)
         }
 
-        BootSetupType::Upgrade(_) => {
+        BootSetupType::Upgrade((_, booted_cfs, ..)) => {
             esp_dir
                 .create_dir_all(TYPE1_ENT_PATH_STAGED)
                 .with_context(|| format!("Creating {TYPE1_ENT_PATH_STAGED}"))?;
 
-            let mut booted_bls = get_booted_bls(&esp_dir)?;
+            let mut booted_bls = get_booted_bls(&esp_dir, booted_cfs)?;
             booted_bls.sort_key = Some(secondary_sort_key(os_id));
 
             (esp_dir.open_dir(TYPE1_ENT_PATH_STAGED)?, Some(booted_bls))

crates/lib/src/bootc_composefs/state.rs

@@ -28,38 +28,28 @@ use rustix::{
 use crate::bootc_composefs::boot::BootType;
 use crate::bootc_composefs::repo::get_imgref;
 use crate::bootc_composefs::status::{
-    ImgConfigManifest, StagedDeployment, get_sorted_type1_boot_entries,
+    ComposefsCmdline, ImgConfigManifest, StagedDeployment, get_sorted_type1_boot_entries,
 };
 use crate::parsers::bls_config::BLSConfigType;
 use crate::store::{BootedComposefs, Storage};
 use crate::{
     composefs_consts::{
-        COMPOSEFS_CMDLINE, COMPOSEFS_STAGED_DEPLOYMENT_FNAME, COMPOSEFS_TRANSIENT_STATE_DIR,
-        ORIGIN_KEY_BOOT, ORIGIN_KEY_BOOT_DIGEST, ORIGIN_KEY_BOOT_TYPE, SHARED_VAR_PATH,
-        STATE_DIR_RELATIVE,
+        COMPOSEFS_STAGED_DEPLOYMENT_FNAME, COMPOSEFS_TRANSIENT_STATE_DIR, ORIGIN_KEY_BOOT,
+        ORIGIN_KEY_BOOT_DIGEST, ORIGIN_KEY_BOOT_TYPE, SHARED_VAR_PATH, STATE_DIR_RELATIVE,
     },
     parsers::bls_config::BLSConfig,
     spec::ImageReference,
     spec::{FilesystemOverlay, FilesystemOverlayAccessMode, FilesystemOverlayPersistence},
     utils::path_relative_to,
 };
 
-pub(crate) fn get_booted_bls(boot_dir: &Dir) -> Result<BLSConfig> {
-    let cmdline = Cmdline::from_proc()?;
-    let booted = cmdline
-        .find(COMPOSEFS_CMDLINE)
-        .ok_or_else(|| anyhow::anyhow!("Failed to find composefs parameter in kernel cmdline"))?;
-
+pub(crate) fn get_booted_bls(boot_dir: &Dir, booted_cfs: &BootedComposefs) -> Result<BLSConfig> {
     let sorted_entries = get_sorted_type1_boot_entries(boot_dir, true)?;
 
     for entry in sorted_entries {
         match &entry.cfg_type {
             BLSConfigType::EFI { efi } => {
-                let composefs_param_value = booted.value().ok_or_else(|| {
-                    anyhow::anyhow!("Failed to get composefs kernel cmdline value")
-                })?;
-
-                if efi.as_str().contains(composefs_param_value) {
+                if efi.as_str().contains(&*booted_cfs.cmdline.digest) {
                     return Ok(entry);
                 }
             }
@@ -69,9 +59,10 @@ pub(crate) fn get_booted_bls(boot_dir: &Dir) -> Result<BLSConfig> {
                     anyhow::bail!("options not found in bls config")
                 };
 
-                let opts = Cmdline::from(opts);
+                let cfs_cmdline = ComposefsCmdline::find_in_cmdline(&Cmdline::from(opts))
+                    .ok_or_else(|| anyhow::anyhow!("composefs param not found in cmdline"))?;
 
-                if opts.iter().any(|v| v == booted) {
+                if cfs_cmdline.digest == booted_cfs.cmdline.digest {
                     return Ok(entry);
                 }
             }

crates/lib/src/parsers/bls_config.rs

@@ -191,20 +191,11 @@ impl BLSConfig {
             }
 
             BLSConfigType::NonEFI { options, .. } => {
-                let options = options.as_ref().ok_or(anyhow::anyhow!("No options"))?;
+                let options = options.as_ref().ok_or_else(|| anyhow::anyhow!("No options"))?;
 
-                let cmdline = Cmdline::from(&options);
-
-                let kv = cmdline
-                    .find(COMPOSEFS_CMDLINE)
+                let cfs_cmdline = ComposefsCmdline::find_in_cmdline(&Cmdline::from(&options))
                     .ok_or_else(|| anyhow::anyhow!("No composefs= param"))?;
 
-                let value = kv
-                    .value()
-                    .ok_or_else(|| anyhow::anyhow!("Empty composefs= param"))?;
-
-                let cfs_cmdline = ComposefsCmdline::new(value);
-
                 // TODO(Johan-Liebert1): We lose the info here that this is insecure
                 Ok(cfs_cmdline.digest.to_string().clone())
             }