feat: add verity command for data integrity verification

This commit introduces a new `verity` subcommand to support content integrity
verification of data directories using cryptographic hashing (SHA-256).

The `verity` command includes three subcommands:
- `format`: Scans a data directory, computes SHA-256 hashes for all files,
  generates metadata (JSON), and outputs a root hash representing the entire
  directory state.
- `verify`: Validates the integrity of a data directory against a known root
  hash and metadata file, ensuring no files have been modified.
- `dump`: Extracts and displays either the full metadata or the root hash from
  an existing metadata file.

Metadata is saved as a JSON file (`cryptpilot.metadata.json` by default),
listing each file path and its corresponding hash. The root hash is derived
from the serialized metadata, enabling secure anchoring in trusted environments.

Implementation details:
- New CLI structures added in `cli.rs` with proper argument parsing.
- Modular command implementation under `src/cmd/verity/`.
- Integration into the global command dispatch via `IntoCommand`.
- Files are processed asynchronously using `tokio` and `async_walkdir`.
- Excludes metadata file during scanning to prevent self-inclusion.

This feature is useful for verifying system-critical directories during boot
or in security-sensitive workflows.

Signed-off-by: Kun Lai <laikun@linux.alibaba.com>

Author: imlk0

src/cli.rs

@@ -44,6 +44,81 @@ pub enum GlobalSubcommand {
     /// Running during system booting (both initrd stage and system stage).
     #[command(name = "boot-service")]
     BootService(BootServiceOptions),
+
+    /// Calculate reference values (hashes) for a given model directory.
+    #[command(name = "verity")]
+    Verity(VerityOptions),
+}
+
+#[derive(Debug, Args)]
+#[command(args_conflicts_with_subcommands = true)]
+pub struct VerityOptions {
+    #[command(subcommand)]
+    pub command: VeritySubcommand,
+}
+
+#[derive(Subcommand, Debug)]
+pub enum VeritySubcommand {
+    /// Format and calculate reference values (hashes) for a given data directory.
+    #[command(name = "format")]
+    Format(FormatOptions),
+
+    /// Verify the integrity of a data directory against reference values.
+    #[command(name = "verify")]
+    Verify(VerifyOptions),
+
+    /// Dump metadata or root hash of a data directory.
+    #[command(name = "dump")]
+    Dump(DumpOptions),
+}
+
+#[derive(Parser, Debug)]
+pub struct FormatOptions {
+    /// Path to the data directory to calculate reference values for
+    #[arg()]
+    pub data_dir: std::path::PathBuf,
+
+    /// Output file path for the metadata JSON result
+    #[arg(short, long)]
+    pub metadata: Option<std::path::PathBuf>,
+
+    /// Output file path for the root hash ("-" for stdout)
+    #[arg(long)]
+    pub hash_output: std::path::PathBuf,
+}
+
+#[derive(Parser, Debug)]
+pub struct VerifyOptions {
+    /// Path to the data directory to verify
+    #[arg()]
+    pub data_dir: std::path::PathBuf,
+
+    /// Expected root hash for verification
+    #[arg()]
+    pub hash: String,
+
+    /// Path to the metadata JSON file
+    #[arg(short, long)]
+    pub metadata: Option<std::path::PathBuf>,
+}
+
+#[derive(Parser, Debug)]
+pub struct DumpOptions {
+    /// Path to the data directory
+    #[arg(long, required_unless_present = "metadata")]
+    pub data_dir: Option<std::path::PathBuf>,
+
+    /// Path to the metadata JSON file
+    #[arg(long, required_unless_present = "data_dir")]
+    pub metadata: Option<std::path::PathBuf>,
+
+    /// Print full metadata
+    #[arg(long, required_unless_present = "print_root_hash")]
+    pub print_metadata: bool,
+
+    /// Print only the root hash instead of full metadata
+    #[arg(long, required_unless_present = "print_metadata")]
+    pub print_root_hash: bool,
 }
 
 #[derive(Parser, Debug)]

src/cmd/mod.rs

@@ -8,6 +8,7 @@ pub mod fde;
 pub mod init;
 pub mod open;
 pub mod show;
+pub mod verity;
 
 #[async_trait]
 pub trait Command {
@@ -40,6 +41,7 @@ impl IntoCommand for crate::cli::GlobalSubcommand {
                 })
             }
             crate::cli::GlobalSubcommand::Fde(fde_options) => fde_options.into_command(),
+            crate::cli::GlobalSubcommand::Verity(verity_options) => verity_options.into_command(),
         }
     }
 }

src/cmd/verity/dump.rs

@@ -0,0 +1,58 @@
+use anyhow::Result;
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use tokio::fs;
+
+use crate::cmd::Command;
+
+const DEFAULT_METADATA_FILE: &str = "cryptpilot.metadata.json";
+
+pub struct DumpCommand {
+    pub options: crate::cli::DumpOptions,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+struct FileInfo {
+    path: String,
+    sha256: String,
+}
+
+#[async_trait]
+impl Command for DumpCommand {
+    async fn run(&self) -> Result<()> {
+        tracing::info!("Starting verity dump command");
+
+        // Determine the metadata file path
+        let metadata_path = if let Some(ref metadata) = self.options.metadata {
+            metadata.clone()
+        } else if let Some(ref data_dir) = self.options.data_dir {
+            data_dir.join(DEFAULT_METADATA_FILE)
+        } else {
+            anyhow::bail!("Either --metadata or --data-dir must be specified");
+        };
+
+        tracing::info!("Reading metadata from: {:?}", metadata_path);
+
+        // Read metadata file
+        let metadata_content = fs::read_to_string(&metadata_path).await?;
+        let file_infos: Vec<FileInfo> = serde_json::from_str(&metadata_content)?;
+
+        // Handle output based on flags
+        if self.options.print_root_hash {
+            // Calculate and print root hash
+            let mut hasher = Sha256::new();
+            hasher.update(&metadata_content);
+            let root_hash = hex::encode(hasher.finalize());
+            println!("{}", root_hash);
+        } else if self.options.print_metadata {
+            // Print full metadata JSON
+            let metadata_content = serde_json::to_string_pretty(&file_infos)?;
+            println!("{}", metadata_content);
+        } else {
+            anyhow::bail!("Either --print-root-hash or --print-metadata must be specified");
+        };
+
+        Ok(())
+    }
+}

src/cmd/verity/format.rs

@@ -0,0 +1,113 @@
+use anyhow::Result;
+use async_trait::async_trait;
+use async_walkdir::WalkDir;
+use futures::StreamExt;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use std::path::{Path, PathBuf};
+use tokio::fs;
+
+use crate::cmd::Command;
+
+const DEFAULT_METADATA_FILE: &str = "cryptpilot.metadata.json";
+
+pub struct FormatCommand {
+    pub options: crate::cli::FormatOptions,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+struct FileInfo {
+    path: String,
+    sha256: String,
+}
+
+#[async_trait]
+impl Command for FormatCommand {
+    async fn run(&self) -> Result<()> {
+        tracing::info!("Starting verity format command");
+        tracing::info!("Data directory: {:?}", self.options.data_dir);
+
+        // Collect all file paths
+        let mut files = Vec::new();
+        self.collect_files(&self.options.data_dir, &mut files)
+            .await?;
+
+        tracing::info!("Found {} files in data directory", files.len());
+
+        // Sort file paths to ensure deterministic output
+        files.sort();
+
+        // Calculate hash for each file
+        let mut file_infos = Vec::new();
+        for file_path in files {
+            tracing::debug!("Processing file: {:?}", file_path);
+            let content = fs::read(&file_path).await?;
+            let hash = hex::encode(Sha256::digest(&content));
+
+            let relative_path = file_path
+                .strip_prefix(&self.options.data_dir)?
+                .to_path_buf();
+            let path_str = relative_path.to_string_lossy().to_string();
+
+            file_infos.push(FileInfo {
+                path: path_str,
+                sha256: hash,
+            });
+        }
+
+        // Generate JSON metadata
+        let json = serde_json::to_string_pretty(&file_infos)?;
+        tracing::debug!("Generated metadata JSON with {} entries", file_infos.len());
+
+        // Determine the actual metadata file path
+        let metadata_path = if let Some(ref metadata) = self.options.metadata {
+            if metadata.is_absolute() {
+                metadata.clone()
+            } else {
+                self.options.data_dir.join(metadata)
+            }
+        } else {
+            self.options.data_dir.join(DEFAULT_METADATA_FILE)
+        };
+
+        tracing::info!("Writing metadata to: {:?}", metadata_path);
+
+        // Write JSON metadata to file
+        fs::write(&metadata_path, &json).await?;
+
+        // Calculate overall directory root hash
+        let mut hasher = Sha256::new();
+        hasher.update(&json);
+        let root_hash = hex::encode(hasher.finalize());
+
+        tracing::info!("Root hash calculated: {}", root_hash);
+
+        // Write root hash to specified output or stdout
+        if self.options.hash_output.as_os_str() == "-" {
+            println!("{}", root_hash);
+        } else {
+            tracing::info!("Writing root hash to: {:?}", self.options.hash_output);
+            fs::write(&self.options.hash_output, &root_hash).await?;
+        }
+
+        Ok(())
+    }
+}
+
+impl FormatCommand {
+    async fn collect_files(&self, dir: &Path, files: &mut Vec<PathBuf>) -> Result<()> {
+        let mut entries = WalkDir::new(dir);
+
+        while let Some(Ok(entry)) = entries.next().await {
+            if entry.path().file_name() == Some(std::ffi::OsStr::new(DEFAULT_METADATA_FILE)) {
+                continue;
+            }
+
+            if entry.file_type().await.map_or(false, |ft| ft.is_file()) {
+                files.push(entry.path());
+            }
+        }
+
+        Ok(())
+    }
+}

src/cmd/verity/mod.rs

@@ -0,0 +1,27 @@
+use crate::cmd::{Command, IntoCommand};
+
+mod format;
+mod verify;
+mod dump;
+
+impl IntoCommand for crate::cli::VerityOptions {
+    fn into_command(self) -> Box<dyn Command> {
+        match self.command {
+            crate::cli::VeritySubcommand::Format(format_options) => {
+                Box::new(format::FormatCommand {
+                    options: format_options,
+                })
+            }
+            crate::cli::VeritySubcommand::Verify(verify_options) => {
+                Box::new(verify::VerifyCommand {
+                    options: verify_options,
+                })
+            }
+            crate::cli::VeritySubcommand::Dump(dump_options) => {
+                Box::new(dump::DumpCommand {
+                    options: dump_options,
+                })
+            }
+        }
+    }
+}

src/cmd/verity/verify.rs

@@ -0,0 +1,87 @@
+use anyhow::Result;
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use tokio::fs;
+
+use crate::cmd::Command;
+
+const DEFAULT_METADATA_FILE: &str = "cryptpilot.metadata.json";
+
+pub struct VerifyCommand {
+    pub options: crate::cli::VerifyOptions,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+struct FileInfo {
+    path: String,
+    sha256: String,
+}
+
+#[async_trait]
+impl Command for VerifyCommand {
+    async fn run(&self) -> Result<()> {
+        tracing::info!("Starting verity verify command");
+        tracing::info!("Data directory: {:?}", self.options.data_dir);
+        tracing::info!("Expected root hash: {}", self.options.hash);
+
+        // Determine the metadata file path
+        let metadata_path = if let Some(ref metadata) = self.options.metadata {
+            if metadata.is_absolute() {
+                metadata.clone()
+            } else {
+                self.options.data_dir.join(metadata)
+            }
+        } else {
+            self.options.data_dir.join(DEFAULT_METADATA_FILE)
+        };
+
+        tracing::info!("Reading metadata from: {:?}", metadata_path);
+
+        // Read metadata file
+        let metadata_content = fs::read_to_string(&metadata_path).await?;
+        let file_infos: Vec<FileInfo> = serde_json::from_str(&metadata_content)?;
+
+        // Calculate overall directory root hash from metadata
+        let mut hasher = Sha256::new();
+        hasher.update(&metadata_content);
+        let root_hash = hex::encode(hasher.finalize());
+
+        // Compare root hash with expected hash
+        if root_hash != self.options.hash {
+            anyhow::bail!(
+                "Root hash mismatch. Expected: {}, Actual: {}",
+                self.options.hash,
+                root_hash
+            );
+        }
+
+        tracing::info!("Root hash verification passed");
+
+        // Verify each file
+        for file_info in file_infos {
+            let file_path = self.options.data_dir.join(&file_info.path);
+            tracing::debug!("Verifying file: {:?}", file_path);
+
+            // Read file content
+            let content = fs::read(&file_path).await?;
+
+            // Calculate file hash
+            let hash = hex::encode(Sha256::digest(&content));
+
+            // Compare with expected hash
+            if hash != file_info.sha256 {
+                anyhow::bail!(
+                    "File hash mismatch for {}. Expected: {}, Actual: {}",
+                    file_info.path,
+                    file_info.sha256,
+                    hash
+                );
+            }
+        }
+
+        tracing::info!("All file hash verifications passed");
+
+        Ok(())
+    }
+}