feat(security): make composefs verity opt-in via mios.toml [security]

Sealed-image opt-in (gap #1 from the bootc-comparison audit). The
existing 40-composefs-verity.sh wrote /usr/lib/ostree/prepare-root.conf
unconditionally with composefs in fs-verity mode. fs-verity requires
ext4 or btrfs -- on XFS roots (some cloud images, some podman-machine
disks) this bricks the deploy. There was no operator-facing escape
hatch.

Adds [security] table to mios.toml SSOT:

  composefs_mode = "verity" | "yes" | "off"
  mask_systemd_remount_fs = true | false

  - "verity"  current behavior (tamper-evident, ext4/btrfs only). Default.
  - "yes"     composefs read-only /usr without verity (works on XFS too;
              upstream FCOS/bootc default).
  - "off"     skip prepare-root.conf rewrite entirely; honor base image.

automation/40-composefs-verity.sh now:
  - Sources lib/packages.sh for the canonical _resolve_mios_toml chain
    (so /etc/mios/ + ~/.config/ overrides land here too).
  - Inlines a minimal _read_mios_scalar awk helper (the same shape as
    get_packages_from_toml -- top-level scalars, strips quotes + inline
    comments).
  - Branches on composefs_mode and renders the matching prepare-root.conf
    body. The "yes" body keeps the [root] / [etc] transient=false stanzas
    so the immutable-/usr posture stays intact even without verity.
  - Only masks systemd-remount-fs.service when verity is selected AND
    mask_systemd_remount_fs is truthy. The "yes" path uses the upstream
    mount sequence and doesn't need the mask.
  - Logs the resolved mode + whether it backed up an existing config.

No behavior change for existing deployments: default is "verity", which
matches the pre-commit unconditional path. Operators on XFS/cloud
substrates can drop a single override into /etc/mios/mios.toml:

  [security]
  composefs_mode = "yes"

and the next bootc switch flips to the non-verity path without code
changes.

Verified: bash -n on the rewritten script; tomllib + the awk resolver
both round-trip the new [security] table; the resolver also continues
to read [hwcaps] cleanly (no regression to the existing toml consumers).

Author: Kabuki94

automation/40-composefs-verity.sh

@@ -1,18 +1,93 @@
 #!/usr/bin/env bash
-# 40-composefs-verity.sh - promote composefs from default (yes) to verity mode
-# Tamper-evident root. Requires ext4 or btrfs target FS (NOT xfs).
+# 40-composefs-verity.sh -- render /usr/lib/ostree/prepare-root.conf based
+# on the operator-tunable [security].composefs_mode knob in mios.toml.
+#
+# SSOT: usr/share/mios/mios.toml [security].composefs_mode
+#       (resolved through the documented overlay chain by lib/packages.sh
+#        + this script's local _read_mios_scalar awk helper).
+#
+# Modes:
+#   verity  -- composefs in fs-verity mode (tamper-evident root). Default.
+#              Requires ext4 or btrfs. Also masks systemd-remount-fs.service
+#              (known-broken on Fedora 42+ with composefs) when
+#              [security].mask_systemd_remount_fs = true.
+#   yes     -- composefs enabled without verity. Works on XFS too.
+#   off     -- skip prepare-root.conf rewrite entirely; honor base image.
+#
+# See usr/share/mios/mios.toml [security] prose for the full rationale.
 set -euo pipefail
-source "$(dirname "${BASH_SOURCE[0]}")/lib/common.sh"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=lib/common.sh
+source "${SCRIPT_DIR}/lib/common.sh"
+# shellcheck source=lib/packages.sh
+# Pulled in for _resolve_mios_toml; the same TOML overlay chain that
+# packages.sh uses is what we want for [security] too.
+source "${SCRIPT_DIR}/lib/packages.sh"
+
+# _read_mios_scalar <table> <key> -- read a top-level scalar from the
+# [<table>] block of the resolved mios.toml. Strips quotes and inline
+# comments. Returns empty string when the key is absent.
+_read_mios_scalar() {
+    local table="$1" key="$2" toml_path
+    toml_path="$(_resolve_mios_toml 2>/dev/null || true)"
+    [[ -n "$toml_path" && -f "$toml_path" ]] || return 0
+    awk -v table="$table" -v key="$key" '
+        /^\[/ {
+            in_section = 0
+            line = $0
+            sub(/^\[/, "", line); sub(/\][[:space:]]*$/, "", line)
+            gsub(/[[:space:]]/, "", line)
+            if (line == table) in_section = 1
+            next
+        }
+        in_section {
+            if (match($0, "^[[:space:]]*" key "[[:space:]]*=")) {
+                value = $0
+                sub(/^[^=]*=[[:space:]]*/, "", value)
+                sub(/[[:space:]]*#.*$/, "", value)
+                gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
+                gsub(/^"|"$/, "", value)
+                print value
+                exit 0
+            }
+        }
+    ' "$toml_path"
+}
+
+MODE="$(_read_mios_scalar security composefs_mode)"
+MODE="${MODE:-verity}"
+MASK_REMOUNT="$(_read_mios_scalar security mask_systemd_remount_fs)"
+MASK_REMOUNT="${MASK_REMOUNT:-true}"
+
+case "$MODE" in
+    verity|yes|off) ;;
+    *)
+        warn "[40-composefs-verity] unknown composefs_mode='${MODE}', falling back to 'verity'"
+        MODE="verity"
+        ;;
+esac
+
+if [[ "$MODE" == "off" ]]; then
+    log "[40-composefs-verity] composefs_mode=off -- honoring base image's prepare-root.conf"
+    exit 0
+fi
 
 conf=/usr/lib/ostree/prepare-root.conf
 if [[ -f "$conf" ]]; then
-    log "backing up existing $conf -> ${conf}.orig"
+    log "[40-composefs-verity] backing up existing $conf -> ${conf}.orig"
     cp -a "$conf" "${conf}.orig"
 fi
 
-cat > "$conf" <<'EOF'
+# Render the table according to the requested mode. The [root] / [etc]
+# transient = false stanzas are independent of verity vs yes -- they
+# enforce immutable / non-tmpfs root and /etc on every composefs path.
+log "[40-composefs-verity] writing $conf with composefs mode=${MODE}"
+case "$MODE" in
+    verity)
+        cat > "$conf" <<'EOF'
 # 'MiOS': composefs in verity mode. Tamper-evident root.
 # Target filesystems must support fsverity (ext4, btrfs). XFS is NOT supported.
+# SSOT: mios.toml [security].composefs_mode = "verity".
 [composefs]
 enabled = verity
 
@@ -22,9 +97,32 @@ transient = false
 [etc]
 transient = false
 EOF
+        ;;
+    yes)
+        cat > "$conf" <<'EOF'
+# 'MiOS': composefs enabled (no verity). Read-only /usr without the
+# fs-verity cryptographic chain -- works on every composefs-capable
+# filesystem (ext4, btrfs, XFS). Default upstream FCOS / bootc posture.
+# SSOT: mios.toml [security].composefs_mode = "yes".
+[composefs]
+enabled = yes
+
+[root]
+transient = false
+
+[etc]
+transient = false
+EOF
+        ;;
+esac
 
-# Mask systemd-remount-fs (known-broken with composefs on F42+)
-log "masking systemd-remount-fs.service (composefs interop bug)"
-ln -sf /dev/null /etc/systemd/system/systemd-remount-fs.service
+# systemd-remount-fs masking: only relevant in verity mode (where the
+# composefs/remount-fs interop bug surfaces). The "yes" path uses the
+# upstream-default mount sequence and does not need the mask.
+if [[ "$MODE" == "verity" && "$MASK_REMOUNT" =~ ^(true|TRUE|1|yes|YES)$ ]]; then
+    log "[40-composefs-verity] masking systemd-remount-fs.service (composefs/remount interop bug)"
+    install -d -m 0755 /etc/systemd/system
+    ln -sf /dev/null /etc/systemd/system/systemd-remount-fs.service
+fi
 
-log "composefs verity mode configured"
+log "[40-composefs-verity] composefs mode=${MODE} configured"

usr/share/mios/mios.toml

@@ -257,6 +257,57 @@ ld_so_hwcaps_autoselect = true
 # usr/share/doc/mios/reference/hwcaps.md).
 native_rebuild = false
 
+# ----------------------------------------------------------------------------
+# [security] -- sealed-image and tamper-evident root knobs.
+#
+# composefs_mode controls how /usr/lib/ostree/prepare-root.conf is
+# rendered by automation/40-composefs-verity.sh:
+#
+#   "verity"   composefs in fs-verity mode (default). Tamper-evident
+#              root: every ostree object is content-addressed and
+#              cryptographically chained back to a single trusted root
+#              digest. Requires the target filesystem to support
+#              fs-verity natively (ext4, btrfs). XFS does NOT support
+#              fs-verity and will fail to boot if this mode is selected
+#              on an XFS root.
+#   "yes"      composefs enabled without verity. Same content-addressed
+#              read-only /usr root, but no cryptographic integrity
+#              chain on individual objects. Works on every filesystem
+#              composefs supports (including XFS) and is the upstream
+#              FCOS / bootc default.
+#   "off"      do not write prepare-root.conf at all. Falls through to
+#              whatever the base image (ucore-hci / fedora-bootc /
+#              UBlue) already configured. Use this when running on a
+#              host that already has a custom prepare-root.conf you
+#              don't want MiOS to clobber.
+#
+# Why this is opt-in rather than always-on:
+#   - On bare-metal hosts with ext4/btrfs, "verity" is the strongest
+#     anti-tamper posture we can ship without rebuilding userland against
+#     a signing key (the native-rebuild track in [hwcaps]).
+#   - Inside WSL2 / podman-machine / cloud images that target XFS,
+#     "verity" will brick the deploy. "yes" keeps the read-only-/usr
+#     guarantee without the verity dependency on the underlying FS.
+#   - Day-N+1: when sealed-image fs-verity userspace + signing-key
+#     plumbing lands (the "sealed-image-track" referenced in
+#     usr/share/doc/mios/reference/bootc-comparison.md), this same key
+#     gates the cryptographic boot path. Operators who already set
+#     "verity" today inherit it automatically; operators on "off"/"yes"
+#     keep their existing posture.
+#
+# Default policy: "verity" matches the existing behavior of the script
+# before this knob was introduced (no behavior change for existing
+# deployments).
+# ----------------------------------------------------------------------------
+[security]
+composefs_mode = "verity"
+# When composefs is in verity mode, automation/40-composefs-verity.sh
+# also masks systemd-remount-fs.service (known-broken with composefs on
+# Fedora 42+). Set to false to skip the mask if the base image's
+# systemd-remount-fs has been patched. No effect when composefs_mode is
+# "yes" or "off".
+mask_systemd_remount_fs = true
+
 # ----------------------------------------------------------------------------
 # [packages] -- runtime SSOT for every dnf install in MiOS. Each
 # [packages.<section>] sub-table below carries a `pkgs = [...]` array;