1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #if HAVE_VALGRIND_MEMCHECK_H
4 #include <valgrind/memcheck.h>
7 #include <linux/dm-ioctl.h>
8 #include <linux/loop.h>
10 #include <sys/prctl.h>
14 #include "sd-device.h"
17 #include "architecture.h"
18 #include "ask-password-api.h"
19 #include "blkid-util.h"
20 #include "blockdev-util.h"
22 #include "cryptsetup-util.h"
24 #include "device-nodes.h"
25 #include "device-util.h"
26 #include "discover-image.h"
27 #include "dissect-image.h"
30 #include "extension-release.h"
34 #include "fsck-util.h"
36 #include "hexdecoct.h"
37 #include "hostname-setup.h"
38 #include "id128-util.h"
39 #include "import-util.h"
41 #include "mount-util.h"
42 #include "mountpoint-util.h"
43 #include "namespace-util.h"
44 #include "nulstr-util.h"
46 #include "path-util.h"
47 #include "process-util.h"
48 #include "raw-clone.h"
49 #include "signal-util.h"
50 #include "stat-util.h"
51 #include "stdio-util.h"
52 #include "string-table.h"
53 #include "string-util.h"
55 #include "tmpfile-util.h"
56 #include "udev-util.h"
57 #include "user-util.h"
58 #include "xattr-util.h"
60 /* how many times to wait for the device nodes to appear */
61 #define N_DEVICE_NODE_LIST_ATTEMPTS 10
63 int probe_filesystem(const char *node
, char **ret_fstype
) {
64 /* Try to find device content type and return it in *ret_fstype. If nothing is found,
65 * 0/NULL will be returned. -EUCLEAN will be returned for ambiguous results, and an
66 * different error otherwise. */
69 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
74 b
= blkid_new_probe_from_filename(node
);
76 return errno_or_else(ENOMEM
);
78 blkid_probe_enable_superblocks(b
, 1);
79 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
82 r
= blkid_do_safeprobe(b
);
84 log_debug("No type detected on partition %s", node
);
88 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
),
89 "Results ambiguous for partition %s", node
);
91 return errno_or_else(EIO
);
93 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
115 static int enumerator_for_parent(sd_device
*d
, sd_device_enumerator
**ret
) {
116 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
122 r
= sd_device_enumerator_new(&e
);
126 r
= sd_device_enumerator_allow_uninitialized(e
);
130 r
= sd_device_enumerator_add_match_parent(e
, d
);
138 static int device_is_partition(sd_device
*d
, blkid_partition pp
) {
139 blkid_loff_t bsize
, bstart
;
140 uint64_t size
, start
;
141 int partno
, bpartno
, r
;
147 r
= sd_device_get_subsystem(d
, &ss
);
150 if (!streq(ss
, "block"))
153 r
= sd_device_get_sysattr_value(d
, "partition", &v
);
154 if (r
== -ENOENT
|| /* Not a partition device */
155 ERRNO_IS_PRIVILEGE(r
)) /* Not ready to access? */
159 r
= safe_atoi(v
, &partno
);
164 bpartno
= blkid_partition_get_partno(pp
);
166 return errno_or_else(EIO
);
168 if (partno
!= bpartno
)
171 r
= sd_device_get_sysattr_value(d
, "start", &v
);
174 r
= safe_atou64(v
, &start
);
179 bstart
= blkid_partition_get_start(pp
);
181 return errno_or_else(EIO
);
183 if (start
!= (uint64_t) bstart
)
186 r
= sd_device_get_sysattr_value(d
, "size", &v
);
189 r
= safe_atou64(v
, &size
);
194 bsize
= blkid_partition_get_size(pp
);
196 return errno_or_else(EIO
);
198 if (size
!= (uint64_t) bsize
)
204 static int find_partition(
209 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
217 r
= enumerator_for_parent(parent
, &e
);
221 FOREACH_DEVICE(e
, q
) {
222 r
= device_is_partition(q
, pp
);
226 *ret
= sd_device_ref(q
);
235 sd_device
*parent_device
;
236 blkid_partition blkidp
;
240 static inline void wait_data_done(struct wait_data
*d
) {
241 sd_device_unref(d
->found
);
244 static int device_monitor_handler(sd_device_monitor
*monitor
, sd_device
*device
, void *userdata
) {
245 const char *parent1_path
, *parent2_path
;
246 struct wait_data
*w
= userdata
;
252 if (device_for_action(device
, SD_DEVICE_REMOVE
))
255 r
= sd_device_get_parent(device
, &pp
);
257 return 0; /* Doesn't have a parent? No relevant to us */
259 r
= sd_device_get_syspath(pp
, &parent1_path
); /* Check parent of device of this action */
263 r
= sd_device_get_syspath(w
->parent_device
, &parent2_path
); /* Check parent of device we are looking for */
267 if (!path_equal(parent1_path
, parent2_path
))
268 return 0; /* Has a different parent than what we need, not interesting to us */
270 r
= device_is_partition(device
, w
->blkidp
);
273 if (r
== 0) /* Not the one we need */
276 /* It's the one we need! Yay! */
278 w
->found
= sd_device_ref(device
);
282 return sd_event_exit(sd_device_monitor_get_event(monitor
), r
);
285 static int wait_for_partition_device(
291 _cleanup_(sd_event_source_unrefp
) sd_event_source
*timeout_source
= NULL
;
292 _cleanup_(sd_device_monitor_unrefp
) sd_device_monitor
*monitor
= NULL
;
293 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
300 r
= find_partition(parent
, pp
, ret
);
304 r
= sd_event_new(&event
);
308 r
= sd_device_monitor_new(&monitor
);
312 r
= sd_device_monitor_filter_add_match_subsystem_devtype(monitor
, "block", "partition");
316 r
= sd_device_monitor_attach_event(monitor
, event
);
320 _cleanup_(wait_data_done
) struct wait_data w
= {
321 .parent_device
= parent
,
325 r
= sd_device_monitor_start(monitor
, device_monitor_handler
, &w
);
329 /* Check again, the partition might have appeared in the meantime */
330 r
= find_partition(parent
, pp
, ret
);
334 if (deadline
!= USEC_INFINITY
) {
335 r
= sd_event_add_time(
336 event
, &timeout_source
,
337 CLOCK_MONOTONIC
, deadline
, 0,
338 NULL
, INT_TO_PTR(-ETIMEDOUT
));
343 r
= sd_event_loop(event
);
348 *ret
= TAKE_PTR(w
.found
);
352 static void check_partition_flags(
354 unsigned long long pflags
,
355 unsigned long long supported
) {
359 /* Mask away all flags supported by this partition's type and the three flags the UEFI spec defines generically */
360 pflags
&= ~(supported
| GPT_FLAG_REQUIRED_PARTITION
| GPT_FLAG_NO_BLOCK_IO_PROTOCOL
| GPT_FLAG_LEGACY_BIOS_BOOTABLE
);
365 /* If there are other bits set, then log about it, to make things discoverable */
366 for (unsigned i
= 0; i
< sizeof(pflags
) * 8; i
++) {
367 unsigned long long bit
= 1ULL << i
;
368 if (!FLAGS_SET(pflags
, bit
))
371 log_debug("Unexpected partition flag %llu set on %s!", bit
, node
);
375 static int device_wait_for_initialization_harder(
377 const char *subsystem
,
381 _cleanup_free_
char *uevent
= NULL
;
382 usec_t start
, left
, retrigger_timeout
;
385 start
= now(CLOCK_MONOTONIC
);
386 left
= usec_sub_unsigned(deadline
, start
);
389 char buf
[FORMAT_TIMESPAN_MAX
];
390 const char *sn
= NULL
;
392 (void) sd_device_get_sysname(device
, &sn
);
393 log_debug("Waiting for device '%s' to initialize for %s.", strna(sn
), format_timespan(buf
, sizeof(buf
), left
, 0));
396 if (left
!= USEC_INFINITY
)
397 retrigger_timeout
= CLAMP(left
/ 4, 1 * USEC_PER_SEC
, 5 * USEC_PER_SEC
); /* A fourth of the total timeout, but let's clamp to 1s…5s range */
399 retrigger_timeout
= 2 * USEC_PER_SEC
;
402 usec_t local_deadline
, n
;
405 n
= now(CLOCK_MONOTONIC
);
408 /* Find next deadline, when we'll retrigger */
409 local_deadline
= start
+
410 DIV_ROUND_UP(n
- start
, retrigger_timeout
) * retrigger_timeout
;
412 if (deadline
!= USEC_INFINITY
&& deadline
<= local_deadline
) {
413 local_deadline
= deadline
;
418 r
= device_wait_for_initialization(device
, subsystem
, local_deadline
, ret
);
419 if (r
>= 0 && DEBUG_LOGGING
) {
420 char buf
[FORMAT_TIMESPAN_MAX
];
421 const char *sn
= NULL
;
423 (void) sd_device_get_sysname(device
, &sn
);
424 log_debug("Successfully waited for device '%s' to initialize for %s.", strna(sn
), format_timespan(buf
, sizeof(buf
), usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
427 if (r
!= -ETIMEDOUT
|| last_try
)
433 r
= sd_device_get_syspath(device
, &syspath
);
437 uevent
= path_join(syspath
, "uevent");
443 char buf
[FORMAT_TIMESPAN_MAX
];
445 log_debug("Device didn't initialize within %s, assuming lost event. Retriggering device through %s.",
446 format_timespan(buf
, sizeof(buf
), usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0),
450 r
= write_string_file(uevent
, "change", WRITE_STRING_FILE_DISABLE_BUFFER
);
457 #define DEVICE_TIMEOUT_USEC (45 * USEC_PER_SEC)
459 static void dissected_partition_done(DissectedPartition
*p
) {
465 free(p
->decrypted_fstype
);
466 free(p
->decrypted_node
);
467 free(p
->mount_options
);
469 *p
= (DissectedPartition
) {
477 const VeritySettings
*verity
,
478 const MountOptions
*mount_options
,
479 DissectImageFlags flags
,
480 DissectedImage
**ret
) {
483 #ifdef GPT_ROOT_NATIVE
484 sd_id128_t root_uuid
= SD_ID128_NULL
, root_verity_uuid
= SD_ID128_NULL
;
486 #ifdef GPT_USR_NATIVE
487 sd_id128_t usr_uuid
= SD_ID128_NULL
, usr_verity_uuid
= SD_ID128_NULL
;
489 bool is_gpt
, is_mbr
, generic_rw
, multiple_generic
= false;
490 _cleanup_(sd_device_unrefp
) sd_device
*d
= NULL
;
491 _cleanup_(dissected_image_unrefp
) DissectedImage
*m
= NULL
;
492 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
493 _cleanup_free_
char *generic_node
= NULL
;
494 sd_id128_t generic_uuid
= SD_ID128_NULL
;
495 const char *pttype
= NULL
, *sysname
= NULL
;
497 int r
, generic_nr
, n_partitions
;
503 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
504 assert(!((flags
& DISSECT_IMAGE_GPT_ONLY
) && (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)));
506 /* Probes a disk image, and returns information about what it found in *ret.
508 * Returns -ENOPKG if no suitable partition table or file system could be found.
509 * Returns -EADDRNOTAVAIL if a root hash was specified but no matching root/verity partitions found.
510 * Returns -ENXIO if we couldn't find any partition suitable as root or /usr partition
511 * Returns -ENOTUNIQ if we only found multiple generic partitions and thus don't know what to do with that */
513 if (verity
&& verity
->root_hash
) {
514 sd_id128_t fsuuid
, vuuid
;
516 /* If a root hash is supplied, then we use the root partition that has a UUID that match the
517 * first 128bit of the root hash. And we use the verity partition that has a UUID that match
518 * the final 128bit. */
520 if (verity
->root_hash_size
< sizeof(sd_id128_t
))
523 memcpy(&fsuuid
, verity
->root_hash
, sizeof(sd_id128_t
));
524 memcpy(&vuuid
, (const uint8_t*) verity
->root_hash
+ verity
->root_hash_size
- sizeof(sd_id128_t
), sizeof(sd_id128_t
));
526 if (sd_id128_is_null(fsuuid
))
528 if (sd_id128_is_null(vuuid
))
531 /* If the verity data declares it's for the /usr partition, then search for that, in all
532 * other cases assume it's for the root partition. */
533 #ifdef GPT_USR_NATIVE
534 if (verity
->designator
== PARTITION_USR
) {
536 usr_verity_uuid
= vuuid
;
539 #ifdef GPT_ROOT_NATIVE
541 root_verity_uuid
= vuuid
;
543 #ifdef GPT_USR_NATIVE
548 if (fstat(fd
, &st
) < 0)
551 if (!S_ISBLK(st
.st_mode
))
554 r
= sd_device_new_from_stat_rdev(&d
, &st
);
558 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
559 _cleanup_(sd_device_unrefp
) sd_device
*initialized
= NULL
;
561 /* If udev support is enabled, then let's wait for the device to be initialized before we doing anything. */
563 r
= device_wait_for_initialization_harder(
566 usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
),
572 d
= TAKE_PTR(initialized
);
575 b
= blkid_new_probe();
580 r
= blkid_probe_set_device(b
, fd
, 0, 0);
582 return errno_or_else(ENOMEM
);
584 if ((flags
& DISSECT_IMAGE_GPT_ONLY
) == 0) {
585 /* Look for file system superblocks, unless we only shall look for GPT partition tables */
586 blkid_probe_enable_superblocks(b
, 1);
587 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
|BLKID_SUBLKS_USAGE
);
590 blkid_probe_enable_partitions(b
, 1);
591 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
594 r
= blkid_do_safeprobe(b
);
595 if (IN_SET(r
, -2, 1))
596 return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG
), "Failed to identify any partition table.");
598 return errno_or_else(EIO
);
600 m
= new0(DissectedImage
, 1);
604 r
= sd_device_get_sysname(d
, &sysname
);
606 return log_debug_errno(r
, "Failed to get device sysname: %m");
607 if (startswith(sysname
, "loop")) {
608 _cleanup_free_
char *name_stripped
= NULL
;
609 const char *full_path
;
611 r
= sd_device_get_sysattr_value(d
, "loop/backing_file", &full_path
);
613 log_debug_errno(r
, "Failed to lookup image name via loop device backing file sysattr, ignoring: %m");
615 r
= raw_strip_suffixes(basename(full_path
), &name_stripped
);
620 free_and_replace(m
->image_name
, name_stripped
);
622 r
= free_and_strdup(&m
->image_name
, sysname
);
627 if (!image_name_is_valid(m
->image_name
)) {
628 log_debug("Image name %s is not valid, ignoring", strempty(m
->image_name
));
629 m
->image_name
= mfree(m
->image_name
);
632 if ((!(flags
& DISSECT_IMAGE_GPT_ONLY
) &&
633 (flags
& DISSECT_IMAGE_GENERIC_ROOT
)) ||
634 (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)) {
635 const char *usage
= NULL
;
637 /* If flags permit this, also allow using non-partitioned single-filesystem images */
639 (void) blkid_probe_lookup_value(b
, "USAGE", &usage
, NULL
);
640 if (STRPTR_IN_SET(usage
, "filesystem", "crypto")) {
641 const char *fstype
= NULL
, *options
= NULL
, *devname
= NULL
;
642 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
;
644 /* OK, we have found a file system, that's our root partition then. */
645 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
653 r
= sd_device_get_devname(d
, &devname
);
661 m
->single_file_system
= true;
662 m
->verity
= verity
&& verity
->root_hash
&& verity
->data_path
&& (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
);
663 m
->can_verity
= verity
&& verity
->data_path
;
665 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
672 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
676 .architecture
= _ARCHITECTURE_INVALID
,
677 .fstype
= TAKE_PTR(t
),
679 .mount_options
= TAKE_PTR(o
),
682 m
->encrypted
= streq_ptr(fstype
, "crypto_LUKS");
689 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
693 is_gpt
= streq_ptr(pttype
, "gpt");
694 is_mbr
= streq_ptr(pttype
, "dos");
696 if (!is_gpt
&& ((flags
& DISSECT_IMAGE_GPT_ONLY
) || !is_mbr
))
699 /* Safety check: refuse block devices that carry a partition table but for which the kernel doesn't
700 * do partition scanning. */
701 r
= blockdev_partscan_enabled(fd
);
705 return -EPROTONOSUPPORT
;
708 pl
= blkid_probe_get_partitions(b
);
710 return errno_or_else(ENOMEM
);
713 n_partitions
= blkid_partlist_numof_partitions(pl
);
714 if (n_partitions
< 0)
715 return errno_or_else(EIO
);
717 deadline
= usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
);
718 for (int i
= 0; i
< n_partitions
; i
++) {
719 _cleanup_(sd_device_unrefp
) sd_device
*q
= NULL
;
720 unsigned long long pflags
;
726 pp
= blkid_partlist_get_partition(pl
, i
);
728 return errno_or_else(EIO
);
730 r
= wait_for_partition_device(d
, pp
, deadline
, &q
);
734 r
= sd_device_get_devname(q
, &node
);
738 pflags
= blkid_partition_get_flags(pp
);
741 nr
= blkid_partition_get_partno(pp
);
743 return errno_or_else(EIO
);
746 PartitionDesignator designator
= _PARTITION_DESIGNATOR_INVALID
;
747 int architecture
= _ARCHITECTURE_INVALID
;
748 const char *stype
, *sid
, *fstype
= NULL
, *label
;
749 sd_id128_t type_id
, id
;
752 sid
= blkid_partition_get_uuid(pp
);
755 if (sd_id128_from_string(sid
, &id
) < 0)
758 stype
= blkid_partition_get_type_string(pp
);
761 if (sd_id128_from_string(stype
, &type_id
) < 0)
764 label
= blkid_partition_get_name(pp
); /* libblkid returns NULL here if empty */
766 if (sd_id128_equal(type_id
, GPT_HOME
)) {
768 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
770 if (pflags
& GPT_FLAG_NO_AUTO
)
773 designator
= PARTITION_HOME
;
774 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
776 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
778 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
780 if (pflags
& GPT_FLAG_NO_AUTO
)
783 designator
= PARTITION_SRV
;
784 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
786 } else if (sd_id128_equal(type_id
, GPT_ESP
)) {
788 /* Note that we don't check the GPT_FLAG_NO_AUTO flag for the ESP, as it is
789 * not defined there. We instead check the GPT_FLAG_NO_BLOCK_IO_PROTOCOL, as
790 * recommended by the UEFI spec (See "12.3.3 Number and Location of System
793 if (pflags
& GPT_FLAG_NO_BLOCK_IO_PROTOCOL
)
796 designator
= PARTITION_ESP
;
799 } else if (sd_id128_equal(type_id
, GPT_XBOOTLDR
)) {
801 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
803 if (pflags
& GPT_FLAG_NO_AUTO
)
806 designator
= PARTITION_XBOOTLDR
;
807 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
809 #ifdef GPT_ROOT_NATIVE
810 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
812 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
814 if (pflags
& GPT_FLAG_NO_AUTO
)
817 /* If a root ID is specified, ignore everything but the root id */
818 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
821 designator
= PARTITION_ROOT
;
822 architecture
= native_architecture();
823 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
825 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY
)) {
827 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
829 if (pflags
& GPT_FLAG_NO_AUTO
)
832 m
->can_verity
= true;
834 /* Ignore verity unless a root hash is specified */
835 if (sd_id128_is_null(root_verity_uuid
) || !sd_id128_equal(root_verity_uuid
, id
))
838 designator
= PARTITION_ROOT_VERITY
;
839 fstype
= "DM_verity_hash";
840 architecture
= native_architecture();
844 #ifdef GPT_ROOT_SECONDARY
845 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
847 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
849 if (pflags
& GPT_FLAG_NO_AUTO
)
852 /* If a root ID is specified, ignore everything but the root id */
853 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
856 designator
= PARTITION_ROOT_SECONDARY
;
857 architecture
= SECONDARY_ARCHITECTURE
;
858 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
860 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY
)) {
862 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
864 if (pflags
& GPT_FLAG_NO_AUTO
)
867 m
->can_verity
= true;
869 /* Ignore verity unless root has is specified */
870 if (sd_id128_is_null(root_verity_uuid
) || !sd_id128_equal(root_verity_uuid
, id
))
873 designator
= PARTITION_ROOT_SECONDARY_VERITY
;
874 fstype
= "DM_verity_hash";
875 architecture
= SECONDARY_ARCHITECTURE
;
879 #ifdef GPT_USR_NATIVE
880 else if (sd_id128_equal(type_id
, GPT_USR_NATIVE
)) {
882 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
884 if (pflags
& GPT_FLAG_NO_AUTO
)
887 /* If a usr ID is specified, ignore everything but the usr id */
888 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
891 designator
= PARTITION_USR
;
892 architecture
= native_architecture();
893 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
895 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY
)) {
897 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
899 if (pflags
& GPT_FLAG_NO_AUTO
)
902 m
->can_verity
= true;
904 /* Ignore verity unless a usr hash is specified */
905 if (sd_id128_is_null(usr_verity_uuid
) || !sd_id128_equal(usr_verity_uuid
, id
))
908 designator
= PARTITION_USR_VERITY
;
909 fstype
= "DM_verity_hash";
910 architecture
= native_architecture();
914 #ifdef GPT_USR_SECONDARY
915 else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY
)) {
917 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
919 if (pflags
& GPT_FLAG_NO_AUTO
)
922 /* If a usr ID is specified, ignore everything but the usr id */
923 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
926 designator
= PARTITION_USR_SECONDARY
;
927 architecture
= SECONDARY_ARCHITECTURE
;
928 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
930 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY
)) {
932 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
934 if (pflags
& GPT_FLAG_NO_AUTO
)
937 m
->can_verity
= true;
939 /* Ignore verity unless usr has is specified */
940 if (sd_id128_is_null(usr_verity_uuid
) || !sd_id128_equal(usr_verity_uuid
, id
))
943 designator
= PARTITION_USR_SECONDARY_VERITY
;
944 fstype
= "DM_verity_hash";
945 architecture
= SECONDARY_ARCHITECTURE
;
949 else if (sd_id128_equal(type_id
, GPT_SWAP
)) {
951 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
);
953 if (pflags
& GPT_FLAG_NO_AUTO
)
956 designator
= PARTITION_SWAP
;
959 } else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
961 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
963 if (pflags
& GPT_FLAG_NO_AUTO
)
967 multiple_generic
= true;
970 generic_rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
972 generic_node
= strdup(node
);
977 } else if (sd_id128_equal(type_id
, GPT_TMP
)) {
979 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
981 if (pflags
& GPT_FLAG_NO_AUTO
)
984 designator
= PARTITION_TMP
;
985 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
987 } else if (sd_id128_equal(type_id
, GPT_VAR
)) {
989 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
991 if (pflags
& GPT_FLAG_NO_AUTO
)
994 if (!FLAGS_SET(flags
, DISSECT_IMAGE_RELAX_VAR_CHECK
)) {
997 /* For /var we insist that the uuid of the partition matches the
998 * HMAC-SHA256 of the /var GPT partition type uuid, keyed by machine
999 * ID. Why? Unlike the other partitions /var is inherently
1000 * installation specific, hence we need to be careful not to mount it
1001 * in the wrong installation. By hashing the partition UUID from
1002 * /etc/machine-id we can securely bind the partition to the
1005 r
= sd_id128_get_machine_app_specific(GPT_VAR
, &var_uuid
);
1009 if (!sd_id128_equal(var_uuid
, id
)) {
1010 log_debug("Found a /var/ partition, but its UUID didn't match our expectations, ignoring.");
1015 designator
= PARTITION_VAR
;
1016 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1019 if (designator
!= _PARTITION_DESIGNATOR_INVALID
) {
1020 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
, *l
= NULL
;
1021 const char *options
= NULL
;
1023 if (m
->partitions
[designator
].found
) {
1024 /* For most partition types the first one we see wins. Except for the
1025 * rootfs and /usr, where we do a version compare of the label, and
1026 * let the newest version win. This permits a simple A/B versioning
1027 * scheme in OS images. */
1029 if (!PARTITION_DESIGNATOR_VERSIONED(designator
) ||
1030 strverscmp_improved(m
->partitions
[designator
].label
, label
) >= 0)
1033 dissected_partition_done(m
->partitions
+ designator
);
1052 options
= mount_options_from_designator(mount_options
, designator
);
1054 o
= strdup(options
);
1059 m
->partitions
[designator
] = (DissectedPartition
) {
1063 .architecture
= architecture
,
1064 .node
= TAKE_PTR(n
),
1065 .fstype
= TAKE_PTR(t
),
1066 .label
= TAKE_PTR(l
),
1068 .mount_options
= TAKE_PTR(o
),
1072 } else if (is_mbr
) {
1074 switch (blkid_partition_get_type(pp
)) {
1076 case 0x83: /* Linux partition */
1078 if (pflags
!= 0x80) /* Bootable flag */
1082 multiple_generic
= true;
1086 generic_node
= strdup(node
);
1093 case 0xEA: { /* Boot Loader Spec extended $BOOT partition */
1094 _cleanup_free_
char *n
= NULL
, *o
= NULL
;
1095 sd_id128_t id
= SD_ID128_NULL
;
1096 const char *sid
, *options
= NULL
;
1098 /* First one wins */
1099 if (m
->partitions
[PARTITION_XBOOTLDR
].found
)
1102 sid
= blkid_partition_get_uuid(pp
);
1104 (void) sd_id128_from_string(sid
, &id
);
1110 options
= mount_options_from_designator(mount_options
, PARTITION_XBOOTLDR
);
1112 o
= strdup(options
);
1117 m
->partitions
[PARTITION_XBOOTLDR
] = (DissectedPartition
) {
1121 .architecture
= _ARCHITECTURE_INVALID
,
1122 .node
= TAKE_PTR(n
),
1124 .mount_options
= TAKE_PTR(o
),
1132 if (m
->partitions
[PARTITION_ROOT
].found
) {
1133 /* If we found the primary arch, then invalidate the secondary arch to avoid any ambiguities,
1134 * since we never want to mount the secondary arch in this case. */
1135 m
->partitions
[PARTITION_ROOT_SECONDARY
].found
= false;
1136 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
= false;
1137 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1138 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1140 } else if (m
->partitions
[PARTITION_ROOT_VERITY
].found
)
1141 return -EADDRNOTAVAIL
; /* Verity found but no matching rootfs? Something is off, refuse. */
1143 else if (m
->partitions
[PARTITION_ROOT_SECONDARY
].found
) {
1145 /* No root partition found but there's one for the secondary architecture? Then upgrade
1146 * secondary arch to first */
1148 m
->partitions
[PARTITION_ROOT
] = m
->partitions
[PARTITION_ROOT_SECONDARY
];
1149 zero(m
->partitions
[PARTITION_ROOT_SECONDARY
]);
1150 m
->partitions
[PARTITION_ROOT_VERITY
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
];
1151 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
]);
1153 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1154 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1155 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1156 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1158 } else if (m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
)
1159 return -EADDRNOTAVAIL
; /* as above */
1161 else if (m
->partitions
[PARTITION_USR
].found
) {
1163 /* Invalidate secondary arch /usr/ if we found the primary arch */
1164 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1165 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1167 } else if (m
->partitions
[PARTITION_USR_VERITY
].found
)
1168 return -EADDRNOTAVAIL
; /* as above */
1170 else if (m
->partitions
[PARTITION_USR_SECONDARY
].found
) {
1172 /* Upgrade secondary arch to primary */
1173 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1174 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1175 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1176 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1178 } else if (m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
)
1179 return -EADDRNOTAVAIL
; /* as above */
1181 else if ((flags
& DISSECT_IMAGE_GENERIC_ROOT
) &&
1182 (!verity
|| !verity
->root_hash
)) {
1184 /* OK, we found nothing usable, then check if there's a single generic one distro, and use
1185 * that. If the root hash was set however, then we won't fall back to a generic node, because
1186 * the root hash decides. */
1188 /* If we didn't find a properly marked root partition, but we did find a single suitable
1189 * generic Linux partition, then use this as root partition, if the caller asked for it. */
1190 if (multiple_generic
)
1193 /* If we didn't find a generic node, then we can't fix this up either */
1195 _cleanup_free_
char *o
= NULL
;
1196 const char *options
;
1198 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
1200 o
= strdup(options
);
1205 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
1208 .partno
= generic_nr
,
1209 .architecture
= _ARCHITECTURE_INVALID
,
1210 .node
= TAKE_PTR(generic_node
),
1211 .uuid
= generic_uuid
,
1212 .mount_options
= TAKE_PTR(o
),
1217 /* Check if we have a root fs if we are told to do check. /usr alone is fine too, but only if appropriate flag for that is set too */
1218 if (FLAGS_SET(flags
, DISSECT_IMAGE_REQUIRE_ROOT
) &&
1219 !(m
->partitions
[PARTITION_ROOT
].found
|| (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1222 /* Refuse if we found a verity partition for /usr but no matching file system partition */
1223 if (!m
->partitions
[PARTITION_USR
].found
&& m
->partitions
[PARTITION_USR_VERITY
].found
)
1224 return -EADDRNOTAVAIL
;
1226 /* Combinations of verity /usr with verity-less root is OK, but the reverse is not */
1227 if (m
->partitions
[PARTITION_ROOT_VERITY
].found
&& m
->partitions
[PARTITION_USR
].found
&& !m
->partitions
[PARTITION_USR_VERITY
].found
)
1228 return -EADDRNOTAVAIL
;
1230 if (verity
&& verity
->root_hash
) {
1231 if (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
) {
1232 if (!m
->partitions
[PARTITION_ROOT_VERITY
].found
|| !m
->partitions
[PARTITION_ROOT
].found
)
1233 return -EADDRNOTAVAIL
;
1235 /* If we found a verity setup, then the root partition is necessarily read-only. */
1236 m
->partitions
[PARTITION_ROOT
].rw
= false;
1240 if (verity
->designator
== PARTITION_USR
) {
1241 if (!m
->partitions
[PARTITION_USR_VERITY
].found
|| !m
->partitions
[PARTITION_USR
].found
)
1242 return -EADDRNOTAVAIL
;
1244 m
->partitions
[PARTITION_USR
].rw
= false;
1249 blkid_free_probe(b
);
1252 /* Fill in file system types if we don't know them yet. */
1253 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
1254 DissectedPartition
*p
= m
->partitions
+ i
;
1259 if (!p
->fstype
&& p
->node
) {
1260 r
= probe_filesystem(p
->node
, &p
->fstype
);
1261 if (r
< 0 && r
!= -EUCLEAN
)
1265 if (streq_ptr(p
->fstype
, "crypto_LUKS"))
1266 m
->encrypted
= true;
1268 if (p
->fstype
&& fstype_is_ro(p
->fstype
))
1279 DissectedImage
* dissected_image_unref(DissectedImage
*m
) {
1283 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++)
1284 dissected_partition_done(m
->partitions
+ i
);
1286 free(m
->image_name
);
1288 strv_free(m
->machine_info
);
1289 strv_free(m
->os_release
);
1290 strv_free(m
->extension_release
);
1295 static int is_loop_device(const char *path
) {
1296 char s
[SYS_BLOCK_PATH_MAX("/../loop/")];
1301 if (stat(path
, &st
) < 0)
1304 if (!S_ISBLK(st
.st_mode
))
1307 xsprintf_sys_block_path(s
, "/loop/", st
.st_dev
);
1308 if (access(s
, F_OK
) < 0) {
1309 if (errno
!= ENOENT
)
1312 /* The device itself isn't a loop device, but maybe it's a partition and its parent is? */
1313 xsprintf_sys_block_path(s
, "/../loop/", st
.st_dev
);
1314 if (access(s
, F_OK
) < 0)
1315 return errno
== ENOENT
? false : -errno
;
1321 static int run_fsck(const char *node
, const char *fstype
) {
1328 r
= fsck_exists(fstype
);
1330 log_debug_errno(r
, "Couldn't determine whether fsck for %s exists, proceeding anyway.", fstype
);
1334 log_debug("Not checking partition %s, as fsck for %s does not exist.", node
, fstype
);
1338 r
= safe_fork("(fsck)", FORK_RESET_SIGNALS
|FORK_CLOSE_ALL_FDS
|FORK_RLIMIT_NOFILE_SAFE
|FORK_DEATHSIG
|FORK_NULL_STDIO
, &pid
);
1340 return log_debug_errno(r
, "Failed to fork off fsck: %m");
1343 execl("/sbin/fsck", "/sbin/fsck", "-aT", node
, NULL
);
1345 log_debug_errno(errno
, "Failed to execl() fsck: %m");
1346 _exit(FSCK_OPERATIONAL_ERROR
);
1349 exit_status
= wait_for_terminate_and_check("fsck", pid
, 0);
1350 if (exit_status
< 0)
1351 return log_debug_errno(exit_status
, "Failed to fork off /sbin/fsck: %m");
1353 if ((exit_status
& ~FSCK_ERROR_CORRECTED
) != FSCK_SUCCESS
) {
1354 log_debug("fsck failed with exit status %i.", exit_status
);
1356 if ((exit_status
& (FSCK_SYSTEM_SHOULD_REBOOT
|FSCK_ERRORS_LEFT_UNCORRECTED
)) != 0)
1357 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
), "File system is corrupted, refusing.");
1359 log_debug("Ignoring fsck error.");
1365 static int mount_partition(
1366 DissectedPartition
*m
,
1368 const char *directory
,
1370 DissectImageFlags flags
) {
1372 _cleanup_free_
char *chased
= NULL
, *options
= NULL
;
1373 const char *p
, *node
, *fstype
;
1380 /* Use decrypted node and matching fstype if available, otherwise use the original device */
1381 node
= m
->decrypted_node
?: m
->node
;
1382 fstype
= m
->decrypted_node
? m
->decrypted_fstype
: m
->fstype
;
1384 if (!m
->found
|| !node
)
1387 return -EAFNOSUPPORT
;
1389 /* We are looking at an encrypted partition? This either means stacked encryption, or the caller didn't call dissected_image_decrypt() beforehand. Let's return a recognizable error for this case. */
1390 if (streq(fstype
, "crypto_LUKS"))
1393 rw
= m
->rw
&& !(flags
& DISSECT_IMAGE_READ_ONLY
);
1395 if (FLAGS_SET(flags
, DISSECT_IMAGE_FSCK
) && rw
) {
1396 r
= run_fsck(node
, fstype
);
1402 /* Automatically create missing mount points inside the image, if necessary. */
1403 r
= mkdir_p_root(where
, directory
, uid_shift
, (gid_t
) uid_shift
, 0755);
1404 if (r
< 0 && r
!= -EROFS
)
1407 r
= chase_symlinks(directory
, where
, CHASE_PREFIX_ROOT
, &chased
, NULL
);
1413 /* Create top-level mount if missing – but only if this is asked for. This won't modify the
1414 * image (as the branch above does) but the host hierarchy, and the created directory might
1415 * survive our mount in the host hierarchy hence. */
1416 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1417 r
= mkdir_p(where
, 0755);
1425 /* If requested, turn on discard support. */
1426 if (fstype_can_discard(fstype
) &&
1427 ((flags
& DISSECT_IMAGE_DISCARD
) ||
1428 ((flags
& DISSECT_IMAGE_DISCARD_ON_LOOP
) && is_loop_device(m
->node
) > 0))) {
1429 options
= strdup("discard");
1434 if (uid_is_valid(uid_shift
) && uid_shift
!= 0 && fstype_can_uid_gid(fstype
)) {
1435 _cleanup_free_
char *uid_option
= NULL
;
1437 if (asprintf(&uid_option
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1440 if (!strextend_with_separator(&options
, ",", uid_option
))
1444 if (!isempty(m
->mount_options
))
1445 if (!strextend_with_separator(&options
, ",", m
->mount_options
))
1448 r
= mount_nofollow_verbose(LOG_DEBUG
, node
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), options
);
1455 static int mount_root_tmpfs(const char *where
, uid_t uid_shift
, DissectImageFlags flags
) {
1456 _cleanup_free_
char *options
= NULL
;
1461 /* For images that contain /usr/ but no rootfs, let's mount rootfs as tmpfs */
1463 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1464 r
= mkdir_p(where
, 0755);
1469 if (uid_is_valid(uid_shift
)) {
1470 if (asprintf(&options
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1474 r
= mount_nofollow_verbose(LOG_DEBUG
, "rootfs", where
, "tmpfs", MS_NODEV
, options
);
1481 int dissected_image_mount(DissectedImage
*m
, const char *where
, uid_t uid_shift
, DissectImageFlags flags
) {
1482 int r
, xbootldr_mounted
;
1489 * -ENXIO → No root partition found
1490 * -EMEDIUMTYPE → DISSECT_IMAGE_VALIDATE_OS set but no os-release/extension-release file found
1491 * -EUNATCH → Encrypted partition found for which no dm-crypt was set up yet
1492 * -EUCLEAN → fsck for file system failed
1493 * -EBUSY → File system already mounted/used elsewhere (kernel)
1494 * -EAFNOSUPPORT → File system type not supported or not known
1497 if (!(m
->partitions
[PARTITION_ROOT
].found
||
1498 (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1499 return -ENXIO
; /* Require a root fs or at least a /usr/ fs (the latter is subject to a flag of its own) */
1501 if ((flags
& DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
) == 0) {
1503 /* First mount the root fs. If there's none we use a tmpfs. */
1504 if (m
->partitions
[PARTITION_ROOT
].found
)
1505 r
= mount_partition(m
->partitions
+ PARTITION_ROOT
, where
, NULL
, uid_shift
, flags
);
1507 r
= mount_root_tmpfs(where
, uid_shift
, flags
);
1511 /* For us mounting root always means mounting /usr as well */
1512 r
= mount_partition(m
->partitions
+ PARTITION_USR
, where
, "/usr", uid_shift
, flags
);
1516 if (flags
& DISSECT_IMAGE_VALIDATE_OS
) {
1517 r
= path_is_os_tree(where
);
1521 r
= path_is_extension_tree(where
, m
->image_name
);
1525 return -EMEDIUMTYPE
;
1530 if (flags
& DISSECT_IMAGE_MOUNT_ROOT_ONLY
)
1533 r
= mount_partition(m
->partitions
+ PARTITION_HOME
, where
, "/home", uid_shift
, flags
);
1537 r
= mount_partition(m
->partitions
+ PARTITION_SRV
, where
, "/srv", uid_shift
, flags
);
1541 r
= mount_partition(m
->partitions
+ PARTITION_VAR
, where
, "/var", uid_shift
, flags
);
1545 r
= mount_partition(m
->partitions
+ PARTITION_TMP
, where
, "/var/tmp", uid_shift
, flags
);
1549 xbootldr_mounted
= mount_partition(m
->partitions
+ PARTITION_XBOOTLDR
, where
, "/boot", uid_shift
, flags
);
1550 if (xbootldr_mounted
< 0)
1551 return xbootldr_mounted
;
1553 if (m
->partitions
[PARTITION_ESP
].found
) {
1554 int esp_done
= false;
1556 /* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it
1557 * exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */
1559 r
= chase_symlinks("/efi", where
, CHASE_PREFIX_ROOT
, NULL
, NULL
);
1564 /* /efi doesn't exist. Let's see if /boot is suitable then */
1566 if (!xbootldr_mounted
) {
1567 _cleanup_free_
char *p
= NULL
;
1569 r
= chase_symlinks("/boot", where
, CHASE_PREFIX_ROOT
, &p
, NULL
);
1573 } else if (dir_is_empty(p
) > 0) {
1574 /* It exists and is an empty directory. Let's mount the ESP there. */
1575 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/boot", uid_shift
, flags
);
1585 /* OK, let's mount the ESP now to /efi (possibly creating the dir if missing) */
1587 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/efi", uid_shift
, flags
);
1596 int dissected_image_mount_and_warn(DissectedImage
*m
, const char *where
, uid_t uid_shift
, DissectImageFlags flags
) {
1602 r
= dissected_image_mount(m
, where
, uid_shift
, flags
);
1604 return log_error_errno(r
, "Not root file system found in image.");
1605 if (r
== -EMEDIUMTYPE
)
1606 return log_error_errno(r
, "No suitable os-release/extension-release file in image found.");
1608 return log_error_errno(r
, "Encrypted file system discovered, but decryption not requested.");
1610 return log_error_errno(r
, "File system check on image failed.");
1612 return log_error_errno(r
, "File system already mounted elsewhere.");
1613 if (r
== -EAFNOSUPPORT
)
1614 return log_error_errno(r
, "File system type not supported or not known.");
1616 return log_error_errno(r
, "Failed to mount image: %m");
1621 #if HAVE_LIBCRYPTSETUP
1622 typedef struct DecryptedPartition
{
1623 struct crypt_device
*device
;
1626 } DecryptedPartition
;
1628 struct DecryptedImage
{
1629 DecryptedPartition
*decrypted
;
1635 DecryptedImage
* decrypted_image_unref(DecryptedImage
* d
) {
1636 #if HAVE_LIBCRYPTSETUP
1642 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
1643 DecryptedPartition
*p
= d
->decrypted
+ i
;
1645 if (p
->device
&& p
->name
&& !p
->relinquished
) {
1646 r
= sym_crypt_deactivate_by_name(p
->device
, p
->name
, 0);
1648 log_debug_errno(r
, "Failed to deactivate encrypted partition %s", p
->name
);
1652 sym_crypt_free(p
->device
);
1662 #if HAVE_LIBCRYPTSETUP
1664 static int make_dm_name_and_node(const void *original_node
, const char *suffix
, char **ret_name
, char **ret_node
) {
1665 _cleanup_free_
char *name
= NULL
, *node
= NULL
;
1668 assert(original_node
);
1673 base
= strrchr(original_node
, '/');
1675 base
= original_node
;
1681 name
= strjoin(base
, suffix
);
1684 if (!filename_is_valid(name
))
1687 node
= path_join(sym_crypt_get_dir(), name
);
1691 *ret_name
= TAKE_PTR(name
);
1692 *ret_node
= TAKE_PTR(node
);
1697 static int decrypt_partition(
1698 DissectedPartition
*m
,
1699 const char *passphrase
,
1700 DissectImageFlags flags
,
1701 DecryptedImage
*d
) {
1703 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
1704 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
1710 if (!m
->found
|| !m
->node
|| !m
->fstype
)
1713 if (!streq(m
->fstype
, "crypto_LUKS"))
1719 r
= dlopen_cryptsetup();
1723 r
= make_dm_name_and_node(m
->node
, "-decrypted", &name
, &node
);
1727 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_allocated
, d
->n_decrypted
+ 1))
1730 r
= sym_crypt_init(&cd
, m
->node
);
1732 return log_debug_errno(r
, "Failed to initialize dm-crypt: %m");
1734 cryptsetup_enable_logging(cd
);
1736 r
= sym_crypt_load(cd
, CRYPT_LUKS
, NULL
);
1738 return log_debug_errno(r
, "Failed to load LUKS metadata: %m");
1740 r
= sym_crypt_activate_by_passphrase(cd
, name
, CRYPT_ANY_SLOT
, passphrase
, strlen(passphrase
),
1741 ((flags
& DISSECT_IMAGE_READ_ONLY
) ? CRYPT_ACTIVATE_READONLY
: 0) |
1742 ((flags
& DISSECT_IMAGE_DISCARD_ON_CRYPTO
) ? CRYPT_ACTIVATE_ALLOW_DISCARDS
: 0));
1744 log_debug_errno(r
, "Failed to activate LUKS device: %m");
1745 return r
== -EPERM
? -EKEYREJECTED
: r
;
1748 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
1749 .name
= TAKE_PTR(name
),
1750 .device
= TAKE_PTR(cd
),
1753 m
->decrypted_node
= TAKE_PTR(node
);
1758 static int verity_can_reuse(
1759 const VeritySettings
*verity
,
1761 struct crypt_device
**ret_cd
) {
1763 /* If the same volume was already open, check that the root hashes match, and reuse it if they do */
1764 _cleanup_free_
char *root_hash_existing
= NULL
;
1765 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
1766 struct crypt_params_verity crypt_params
= {};
1767 size_t root_hash_existing_size
;
1774 r
= sym_crypt_init_by_name(&cd
, name
);
1776 return log_debug_errno(r
, "Error opening verity device, crypt_init_by_name failed: %m");
1778 r
= sym_crypt_get_verity_info(cd
, &crypt_params
);
1780 return log_debug_errno(r
, "Error opening verity device, crypt_get_verity_info failed: %m");
1782 root_hash_existing_size
= verity
->root_hash_size
;
1783 root_hash_existing
= malloc0(root_hash_existing_size
);
1784 if (!root_hash_existing
)
1787 r
= sym_crypt_volume_key_get(cd
, CRYPT_ANY_SLOT
, root_hash_existing
, &root_hash_existing_size
, NULL
, 0);
1789 return log_debug_errno(r
, "Error opening verity device, crypt_volume_key_get failed: %m");
1790 if (verity
->root_hash_size
!= root_hash_existing_size
||
1791 memcmp(root_hash_existing
, verity
->root_hash
, verity
->root_hash_size
) != 0)
1792 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but root hashes are different.");
1794 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
1795 /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
1796 * same settings, so that a previous unsigned mount will not be reused if the user asks to use
1797 * signing for the new one, and vice versa. */
1798 if (!!verity
->root_hash_sig
!= !!(crypt_params
.flags
& CRYPT_VERITY_ROOT_HASH_SIGNATURE
))
1799 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but signature settings are not the same.");
1802 *ret_cd
= TAKE_PTR(cd
);
1806 static inline char* dm_deferred_remove_clean(char *name
) {
1810 (void) sym_crypt_deactivate_by_name(NULL
, name
, CRYPT_DEACTIVATE_DEFERRED
);
1813 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean
);
1815 static int verity_partition(
1816 PartitionDesignator designator
,
1817 DissectedPartition
*m
,
1818 DissectedPartition
*v
,
1819 const VeritySettings
*verity
,
1820 DissectImageFlags flags
,
1821 DecryptedImage
*d
) {
1823 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
1824 _cleanup_(dm_deferred_remove_cleanp
) char *restore_deferred_remove
= NULL
;
1825 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
1829 assert(v
|| (verity
&& verity
->data_path
));
1831 if (!verity
|| !verity
->root_hash
)
1833 if (!((verity
->designator
< 0 && designator
== PARTITION_ROOT
) ||
1834 (verity
->designator
== designator
)))
1837 if (!m
->found
|| !m
->node
|| !m
->fstype
)
1839 if (!verity
->data_path
) {
1840 if (!v
->found
|| !v
->node
|| !v
->fstype
)
1843 if (!streq(v
->fstype
, "DM_verity_hash"))
1847 r
= dlopen_cryptsetup();
1851 if (FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
)) {
1852 /* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
1853 _cleanup_free_
char *root_hash_encoded
= NULL
;
1855 root_hash_encoded
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
1856 if (!root_hash_encoded
)
1859 r
= make_dm_name_and_node(root_hash_encoded
, "-verity", &name
, &node
);
1861 r
= make_dm_name_and_node(m
->node
, "-verity", &name
, &node
);
1865 r
= sym_crypt_init(&cd
, verity
->data_path
?: v
->node
);
1869 cryptsetup_enable_logging(cd
);
1871 r
= sym_crypt_load(cd
, CRYPT_VERITY
, NULL
);
1875 r
= sym_crypt_set_data_device(cd
, m
->node
);
1879 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_allocated
, d
->n_decrypted
+ 1))
1882 /* If activating fails because the device already exists, check the metadata and reuse it if it matches.
1883 * In case of ENODEV/ENOENT, which can happen if another process is activating at the exact same time,
1884 * retry a few times before giving up. */
1885 for (unsigned i
= 0; i
< N_DEVICE_NODE_LIST_ATTEMPTS
; i
++) {
1886 if (verity
->root_hash_sig
) {
1887 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
1888 r
= sym_crypt_activate_by_signed_key(
1892 verity
->root_hash_size
,
1893 verity
->root_hash_sig
,
1894 verity
->root_hash_sig_size
,
1895 CRYPT_ACTIVATE_READONLY
);
1897 r
= log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
),
1898 "Activation of verity device with signature requested, but not supported by %s due to missing crypt_activate_by_signed_key().", program_invocation_short_name
);
1901 r
= sym_crypt_activate_by_volume_key(
1905 verity
->root_hash_size
,
1906 CRYPT_ACTIVATE_READONLY
);
1907 /* libdevmapper can return EINVAL when the device is already in the activation stage.
1908 * There's no way to distinguish this situation from a genuine error due to invalid
1909 * parameters, so immediately fall back to activating the device with a unique name.
1910 * Improvements in libcrypsetup can ensure this never happens:
1911 * https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/96 */
1912 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
1913 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
1916 -EEXIST
, /* Volume is already open and ready to be used */
1917 -EBUSY
, /* Volume is being opened but not ready, crypt_init_by_name can fetch details */
1918 -ENODEV
/* Volume is being opened but not ready, crypt_init_by_name would fail, try to open again */))
1920 if (IN_SET(r
, -EEXIST
, -EBUSY
)) {
1921 struct crypt_device
*existing_cd
= NULL
;
1923 if (!restore_deferred_remove
){
1924 /* To avoid races, disable automatic removal on umount while setting up the new device. Restore it on failure. */
1925 r
= dm_deferred_remove_cancel(name
);
1926 /* If activation returns EBUSY there might be no deferred removal to cancel, that's fine */
1927 if (r
< 0 && r
!= -ENXIO
)
1928 return log_debug_errno(r
, "Disabling automated deferred removal for verity device %s failed: %m", node
);
1930 restore_deferred_remove
= strdup(name
);
1931 if (!restore_deferred_remove
)
1936 r
= verity_can_reuse(verity
, name
, &existing_cd
);
1937 /* Same as above, -EINVAL can randomly happen when it actually means -EEXIST */
1938 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
1939 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
1940 if (!IN_SET(r
, 0, -ENODEV
, -ENOENT
, -EBUSY
))
1941 return log_debug_errno(r
, "Checking whether existing verity device %s can be reused failed: %m", node
);
1943 /* devmapper might say that the device exists, but the devlink might not yet have been
1944 * created. Check and wait for the udev event in that case. */
1945 r
= device_wait_for_devlink(node
, "block", usec_add(now(CLOCK_MONOTONIC
), 100 * USEC_PER_MSEC
), NULL
);
1946 /* Fallback to activation with a unique device if it's taking too long */
1947 if (r
== -ETIMEDOUT
)
1960 /* Device is being opened by another process, but it has not finished yet, yield for 2ms */
1961 (void) usleep(2 * USEC_PER_MSEC
);
1964 /* An existing verity device was reported by libcryptsetup/libdevmapper, but we can't use it at this time.
1965 * Fall back to activating it with a unique device name. */
1966 if (r
!= 0 && FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
1967 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
1969 /* Everything looks good and we'll be able to mount the device, so deferred remove will be re-enabled at that point. */
1970 restore_deferred_remove
= mfree(restore_deferred_remove
);
1972 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
1973 .name
= TAKE_PTR(name
),
1974 .device
= TAKE_PTR(cd
),
1977 m
->decrypted_node
= TAKE_PTR(node
);
1983 int dissected_image_decrypt(
1985 const char *passphrase
,
1986 const VeritySettings
*verity
,
1987 DissectImageFlags flags
,
1988 DecryptedImage
**ret
) {
1990 #if HAVE_LIBCRYPTSETUP
1991 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*d
= NULL
;
1996 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
2000 * = 0 → There was nothing to decrypt
2001 * > 0 → Decrypted successfully
2002 * -ENOKEY → There's something to decrypt but no key was supplied
2003 * -EKEYREJECTED → Passed key was not correct
2006 if (verity
&& verity
->root_hash
&& verity
->root_hash_size
< sizeof(sd_id128_t
))
2009 if (!m
->encrypted
&& !m
->verity
) {
2014 #if HAVE_LIBCRYPTSETUP
2015 d
= new0(DecryptedImage
, 1);
2019 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
2020 DissectedPartition
*p
= m
->partitions
+ i
;
2021 PartitionDesignator k
;
2026 r
= decrypt_partition(p
, passphrase
, flags
, d
);
2030 k
= PARTITION_VERITY_OF(i
);
2032 r
= verity_partition(i
, p
, m
->partitions
+ k
, verity
, flags
| DISSECT_IMAGE_VERITY_SHARE
, d
);
2037 if (!p
->decrypted_fstype
&& p
->decrypted_node
) {
2038 r
= probe_filesystem(p
->decrypted_node
, &p
->decrypted_fstype
);
2039 if (r
< 0 && r
!= -EUCLEAN
)
2052 int dissected_image_decrypt_interactively(
2054 const char *passphrase
,
2055 const VeritySettings
*verity
,
2056 DissectImageFlags flags
,
2057 DecryptedImage
**ret
) {
2059 _cleanup_strv_free_erase_
char **z
= NULL
;
2066 r
= dissected_image_decrypt(m
, passphrase
, verity
, flags
, ret
);
2069 if (r
== -EKEYREJECTED
)
2070 log_error_errno(r
, "Incorrect passphrase, try again!");
2071 else if (r
!= -ENOKEY
)
2072 return log_error_errno(r
, "Failed to decrypt image: %m");
2075 return log_error_errno(SYNTHETIC_ERRNO(EKEYREJECTED
),
2076 "Too many retries.");
2080 r
= ask_password_auto("Please enter image passphrase:", NULL
, "dissect", "dissect", "dissect.passphrase", USEC_INFINITY
, 0, &z
);
2082 return log_error_errno(r
, "Failed to query for passphrase: %m");
2088 int decrypted_image_relinquish(DecryptedImage
*d
) {
2091 /* Turns on automatic removal after the last use ended for all DM devices of this image, and sets a
2092 * boolean so that we don't clean it up ourselves either anymore */
2094 #if HAVE_LIBCRYPTSETUP
2097 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2098 DecryptedPartition
*p
= d
->decrypted
+ i
;
2100 if (p
->relinquished
)
2103 r
= sym_crypt_deactivate_by_name(NULL
, p
->name
, CRYPT_DEACTIVATE_DEFERRED
);
2105 return log_debug_errno(r
, "Failed to mark %s for auto-removal: %m", p
->name
);
2107 p
->relinquished
= true;
2114 static char *build_auxiliary_path(const char *image
, const char *suffix
) {
2121 e
= endswith(image
, ".raw");
2123 return strjoin(e
, suffix
);
2125 n
= new(char, e
- image
+ strlen(suffix
) + 1);
2129 strcpy(mempcpy(n
, image
, e
- image
), suffix
);
2133 void verity_settings_done(VeritySettings
*v
) {
2136 v
->root_hash
= mfree(v
->root_hash
);
2137 v
->root_hash_size
= 0;
2139 v
->root_hash_sig
= mfree(v
->root_hash_sig
);
2140 v
->root_hash_sig_size
= 0;
2142 v
->data_path
= mfree(v
->data_path
);
2145 int verity_settings_load(
2146 VeritySettings
*verity
,
2148 const char *root_hash_path
,
2149 const char *root_hash_sig_path
) {
2151 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2152 size_t root_hash_size
= 0, root_hash_sig_size
= 0;
2153 _cleanup_free_
char *verity_data_path
= NULL
;
2154 PartitionDesignator designator
;
2159 assert(verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
2161 /* If we are asked to load the root hash for a device node, exit early */
2162 if (is_device_path(image
))
2165 designator
= verity
->designator
;
2167 /* We only fill in what isn't already filled in */
2169 if (!verity
->root_hash
) {
2170 _cleanup_free_
char *text
= NULL
;
2172 if (root_hash_path
) {
2173 /* If explicitly specified it takes precedence */
2174 r
= read_one_line_file(root_hash_path
, &text
);
2179 designator
= PARTITION_ROOT
;
2181 /* Otherwise look for xattr and separate file, and first for the data for root and if
2182 * that doesn't exist for /usr */
2184 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2185 r
= getxattr_malloc(image
, "user.verity.roothash", &text
, true);
2187 _cleanup_free_
char *p
= NULL
;
2189 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2192 p
= build_auxiliary_path(image
, ".roothash");
2196 r
= read_one_line_file(p
, &text
);
2197 if (r
< 0 && r
!= -ENOENT
)
2202 designator
= PARTITION_ROOT
;
2205 if (!text
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2206 /* So in the "roothash" xattr/file name above the "root" of course primarily
2207 * refers to the root of the Verity Merkle tree. But coincidentally it also
2208 * is the hash for the *root* file system, i.e. the "root" neatly refers to
2209 * two distinct concepts called "root". Taking benefit of this happy
2210 * coincidence we call the file with the root hash for the /usr/ file system
2211 * `usrhash`, because `usrroothash` or `rootusrhash` would just be too
2212 * confusing. We thus drop the reference to the root of the Merkle tree, and
2213 * just indicate which file system it's about. */
2214 r
= getxattr_malloc(image
, "user.verity.usrhash", &text
, true);
2216 _cleanup_free_
char *p
= NULL
;
2218 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2221 p
= build_auxiliary_path(image
, ".usrhash");
2225 r
= read_one_line_file(p
, &text
);
2226 if (r
< 0 && r
!= -ENOENT
)
2231 designator
= PARTITION_USR
;
2236 r
= unhexmem(text
, strlen(text
), &root_hash
, &root_hash_size
);
2239 if (root_hash_size
< sizeof(sd_id128_t
))
2244 if ((root_hash
|| verity
->root_hash
) && !verity
->root_hash_sig
) {
2245 if (root_hash_sig_path
) {
2246 r
= read_full_file(root_hash_sig_path
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2247 if (r
< 0 && r
!= -ENOENT
)
2251 designator
= PARTITION_ROOT
;
2253 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2254 _cleanup_free_
char *p
= NULL
;
2256 /* Follow naming convention recommended by the relevant RFC:
2257 * https://tools.ietf.org/html/rfc5751#section-3.2.1 */
2258 p
= build_auxiliary_path(image
, ".roothash.p7s");
2262 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2263 if (r
< 0 && r
!= -ENOENT
)
2266 designator
= PARTITION_ROOT
;
2269 if (!root_hash_sig
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2270 _cleanup_free_
char *p
= NULL
;
2272 p
= build_auxiliary_path(image
, ".usrhash.p7s");
2276 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2277 if (r
< 0 && r
!= -ENOENT
)
2280 designator
= PARTITION_USR
;
2284 if (root_hash_sig
&& root_hash_sig_size
== 0) /* refuse empty size signatures */
2288 if (!verity
->data_path
) {
2289 _cleanup_free_
char *p
= NULL
;
2291 p
= build_auxiliary_path(image
, ".verity");
2295 if (access(p
, F_OK
) < 0) {
2296 if (errno
!= ENOENT
)
2299 verity_data_path
= TAKE_PTR(p
);
2303 verity
->root_hash
= TAKE_PTR(root_hash
);
2304 verity
->root_hash_size
= root_hash_size
;
2307 if (root_hash_sig
) {
2308 verity
->root_hash_sig
= TAKE_PTR(root_hash_sig
);
2309 verity
->root_hash_sig_size
= root_hash_sig_size
;
2312 if (verity_data_path
)
2313 verity
->data_path
= TAKE_PTR(verity_data_path
);
2315 if (verity
->designator
< 0)
2316 verity
->designator
= designator
;
2321 int dissected_image_acquire_metadata(DissectedImage
*m
) {
2328 META_EXTENSION_RELEASE
,
2332 static const char *paths
[_META_MAX
] = {
2333 [META_HOSTNAME
] = "/etc/hostname\0",
2334 [META_MACHINE_ID
] = "/etc/machine-id\0",
2335 [META_MACHINE_INFO
] = "/etc/machine-info\0",
2336 [META_OS_RELEASE
] = "/etc/os-release\0"
2337 "/usr/lib/os-release\0",
2338 [META_EXTENSION_RELEASE
] = NULL
,
2341 _cleanup_strv_free_
char **machine_info
= NULL
, **os_release
= NULL
, **extension_release
= NULL
;
2342 _cleanup_close_pair_
int error_pipe
[2] = { -1, -1 };
2343 _cleanup_(rmdir_and_freep
) char *t
= NULL
;
2344 _cleanup_(sigkill_waitp
) pid_t child
= 0;
2345 sd_id128_t machine_id
= SD_ID128_NULL
;
2346 _cleanup_free_
char *hostname
= NULL
;
2347 unsigned n_meta_initialized
= 0;
2348 int fds
[2 * _META_MAX
], r
, v
;
2351 BLOCK_SIGNALS(SIGCHLD
);
2355 /* As per the os-release spec, if the image is an extension it will have a file
2356 * named after the image name in extension-release.d/ */
2357 if (m
->image_name
) {
2360 ext
= strjoina("/usr/lib/extension-release.d/extension-release.", m
->image_name
, "0");
2361 ext
[strlen(ext
) - 1] = '\0'; /* Extra \0 for NULSTR_FOREACH using placeholder from above */
2362 paths
[META_EXTENSION_RELEASE
] = ext
;
2364 log_debug("No image name available, will skip extension-release metadata");
2366 for (; n_meta_initialized
< _META_MAX
; n_meta_initialized
++) {
2367 if (!paths
[n_meta_initialized
]) {
2368 fds
[2*n_meta_initialized
] = fds
[2*n_meta_initialized
+1] = -1;
2372 if (pipe2(fds
+ 2*n_meta_initialized
, O_CLOEXEC
) < 0) {
2378 r
= mkdtemp_malloc("/tmp/dissect-XXXXXX", &t
);
2382 if (pipe2(error_pipe
, O_CLOEXEC
) < 0) {
2387 r
= safe_fork("(sd-dissect)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_NEW_MOUNTNS
|FORK_MOUNTNS_SLAVE
, &child
);
2391 error_pipe
[0] = safe_close(error_pipe
[0]);
2393 r
= dissected_image_mount(
2397 DISSECT_IMAGE_READ_ONLY
|
2398 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|
2399 DISSECT_IMAGE_VALIDATE_OS
|
2400 DISSECT_IMAGE_USR_NO_ROOT
);
2402 /* Let parent know the error */
2403 (void) write(error_pipe
[1], &r
, sizeof(r
));
2405 log_debug_errno(r
, "Failed to mount dissected image: %m");
2406 _exit(EXIT_FAILURE
);
2409 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
2410 _cleanup_close_
int fd
= -ENOENT
;
2416 fds
[2*k
] = safe_close(fds
[2*k
]);
2418 NULSTR_FOREACH(p
, paths
[k
]) {
2419 fd
= chase_symlinks_and_open(p
, t
, CHASE_PREFIX_ROOT
, O_RDONLY
|O_CLOEXEC
|O_NOCTTY
, NULL
);
2424 log_debug_errno(fd
, "Failed to read %s file of image, ignoring: %m", paths
[k
]);
2425 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
2429 r
= copy_bytes(fd
, fds
[2*k
+1], UINT64_MAX
, 0);
2431 (void) write(error_pipe
[1], &r
, sizeof(r
));
2432 _exit(EXIT_FAILURE
);
2435 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
2438 _exit(EXIT_SUCCESS
);
2441 error_pipe
[1] = safe_close(error_pipe
[1]);
2443 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
2444 _cleanup_fclose_
FILE *f
= NULL
;
2449 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
2451 f
= take_fdopen(&fds
[2*k
], "r");
2460 r
= read_etc_hostname_stream(f
, &hostname
);
2462 log_debug_errno(r
, "Failed to read /etc/hostname: %m");
2466 case META_MACHINE_ID
: {
2467 _cleanup_free_
char *line
= NULL
;
2469 r
= read_line(f
, LONG_LINE_MAX
, &line
);
2471 log_debug_errno(r
, "Failed to read /etc/machine-id: %m");
2473 r
= sd_id128_from_string(line
, &machine_id
);
2475 log_debug_errno(r
, "Image contains invalid /etc/machine-id: %s", line
);
2477 log_debug("/etc/machine-id file is empty.");
2478 else if (streq(line
, "uninitialized"))
2479 log_debug("/etc/machine-id file is uninitialized (likely aborted first boot).");
2481 log_debug("/etc/machine-id has unexpected length %i.", r
);
2486 case META_MACHINE_INFO
:
2487 r
= load_env_file_pairs(f
, "machine-info", &machine_info
);
2489 log_debug_errno(r
, "Failed to read /etc/machine-info: %m");
2493 case META_OS_RELEASE
:
2494 r
= load_env_file_pairs(f
, "os-release", &os_release
);
2496 log_debug_errno(r
, "Failed to read OS release file: %m");
2500 case META_EXTENSION_RELEASE
:
2501 r
= load_env_file_pairs(f
, "extension-release", &extension_release
);
2503 log_debug_errno(r
, "Failed to read extension release file: %m");
2509 r
= wait_for_terminate_and_check("(sd-dissect)", child
, 0);
2514 n
= read(error_pipe
[0], &v
, sizeof(v
));
2518 return v
; /* propagate error sent to us from child */
2522 if (r
!= EXIT_SUCCESS
)
2525 free_and_replace(m
->hostname
, hostname
);
2526 m
->machine_id
= machine_id
;
2527 strv_free_and_replace(m
->machine_info
, machine_info
);
2528 strv_free_and_replace(m
->os_release
, os_release
);
2529 strv_free_and_replace(m
->extension_release
, extension_release
);
2532 for (unsigned k
= 0; k
< n_meta_initialized
; k
++)
2533 safe_close_pair(fds
+ 2*k
);
2538 int dissect_image_and_warn(
2541 const VeritySettings
*verity
,
2542 const MountOptions
*mount_options
,
2543 DissectImageFlags flags
,
2544 DissectedImage
**ret
) {
2546 _cleanup_free_
char *buffer
= NULL
;
2550 r
= fd_get_path(fd
, &buffer
);
2557 r
= dissect_image(fd
, verity
, mount_options
, flags
, ret
);
2561 return log_error_errno(r
, "Dissecting images is not supported, compiled without blkid support.");
2564 return log_error_errno(r
, "Couldn't identify a suitable partition table or file system in '%s'.", name
);
2566 case -EADDRNOTAVAIL
:
2567 return log_error_errno(r
, "No root partition for specified root hash found in '%s'.", name
);
2570 return log_error_errno(r
, "Multiple suitable root partitions found in image '%s'.", name
);
2573 return log_error_errno(r
, "No suitable root partition found in image '%s'.", name
);
2575 case -EPROTONOSUPPORT
:
2576 return log_error_errno(r
, "Device '%s' is loopback block device with partition scanning turned off, please turn it on.", name
);
2580 return log_error_errno(r
, "Failed to dissect image '%s': %m", name
);
2586 bool dissected_image_can_do_verity(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
2587 if (image
->single_file_system
)
2588 return partition_designator
== PARTITION_ROOT
&& image
->can_verity
;
2590 return PARTITION_VERITY_OF(partition_designator
) >= 0;
2593 bool dissected_image_has_verity(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
2596 if (image
->single_file_system
)
2597 return partition_designator
== PARTITION_ROOT
&& image
->verity
;
2599 k
= PARTITION_VERITY_OF(partition_designator
);
2600 return k
>= 0 && image
->partitions
[k
].found
;
2603 MountOptions
* mount_options_free_all(MountOptions
*options
) {
2606 while ((m
= options
)) {
2607 LIST_REMOVE(mount_options
, options
, m
);
2615 const char* mount_options_from_designator(const MountOptions
*options
, PartitionDesignator designator
) {
2616 const MountOptions
*m
;
2618 LIST_FOREACH(mount_options
, m
, options
)
2619 if (designator
== m
->partition_designator
&& !isempty(m
->options
))
2625 int mount_image_privately_interactively(
2627 DissectImageFlags flags
,
2628 char **ret_directory
,
2629 LoopDevice
**ret_loop_device
,
2630 DecryptedImage
**ret_decrypted_image
) {
2632 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
2633 _cleanup_(loop_device_unrefp
) LoopDevice
*d
= NULL
;
2634 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
2635 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
2636 _cleanup_(rmdir_and_freep
) char *created_dir
= NULL
;
2637 _cleanup_free_
char *temp
= NULL
;
2640 /* Mounts an OS image at a temporary place, inside a newly created mount namespace of our own. This
2641 * is used by tools such as systemd-tmpfiles or systemd-firstboot to operate on some disk image
2645 assert(ret_directory
);
2646 assert(ret_loop_device
);
2647 assert(ret_decrypted_image
);
2649 r
= verity_settings_load(&verity
, image
, NULL
, NULL
);
2651 return log_error_errno(r
, "Failed to load root hash data: %m");
2653 r
= tempfn_random_child(NULL
, program_invocation_short_name
, &temp
);
2655 return log_error_errno(r
, "Failed to generate temporary mount directory: %m");
2657 r
= loop_device_make_by_path(
2659 FLAGS_SET(flags
, DISSECT_IMAGE_READ_ONLY
) ? O_RDONLY
: O_RDWR
,
2660 FLAGS_SET(flags
, DISSECT_IMAGE_NO_PARTITION_TABLE
) ? 0 : LO_FLAGS_PARTSCAN
,
2663 return log_error_errno(r
, "Failed to set up loopback device: %m");
2665 r
= dissect_image_and_warn(d
->fd
, image
, &verity
, NULL
, flags
, &dissected_image
);
2669 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, &verity
, flags
, &decrypted_image
);
2673 r
= detach_mount_namespace();
2675 return log_error_errno(r
, "Failed to detach mount namespace: %m");
2677 r
= mkdir_p(temp
, 0700);
2679 return log_error_errno(r
, "Failed to create mount point: %m");
2681 created_dir
= TAKE_PTR(temp
);
2683 r
= dissected_image_mount_and_warn(dissected_image
, created_dir
, UID_INVALID
, flags
);
2687 if (decrypted_image
) {
2688 r
= decrypted_image_relinquish(decrypted_image
);
2690 return log_error_errno(r
, "Failed to relinquish DM devices: %m");
2693 loop_device_relinquish(d
);
2695 *ret_directory
= TAKE_PTR(created_dir
);
2696 *ret_loop_device
= TAKE_PTR(d
);
2697 *ret_decrypted_image
= TAKE_PTR(decrypted_image
);
2702 static const char *const partition_designator_table
[] = {
2703 [PARTITION_ROOT
] = "root",
2704 [PARTITION_ROOT_SECONDARY
] = "root-secondary",
2705 [PARTITION_USR
] = "usr",
2706 [PARTITION_USR_SECONDARY
] = "usr-secondary",
2707 [PARTITION_HOME
] = "home",
2708 [PARTITION_SRV
] = "srv",
2709 [PARTITION_ESP
] = "esp",
2710 [PARTITION_XBOOTLDR
] = "xbootldr",
2711 [PARTITION_SWAP
] = "swap",
2712 [PARTITION_ROOT_VERITY
] = "root-verity",
2713 [PARTITION_ROOT_SECONDARY_VERITY
] = "root-secondary-verity",
2714 [PARTITION_USR_VERITY
] = "usr-verity",
2715 [PARTITION_USR_SECONDARY_VERITY
] = "usr-secondary-verity",
2716 [PARTITION_TMP
] = "tmp",
2717 [PARTITION_VAR
] = "var",
2720 int verity_dissect_and_mount(
2723 const MountOptions
*options
,
2724 const char *required_host_os_release_id
,
2725 const char *required_host_os_release_version_id
,
2726 const char *required_host_os_release_sysext_level
) {
2728 _cleanup_(loop_device_unrefp
) LoopDevice
*loop_device
= NULL
;
2729 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
2730 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
2731 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
2732 DissectImageFlags dissect_image_flags
;
2738 r
= verity_settings_load(&verity
, src
, NULL
, NULL
);
2740 return log_debug_errno(r
, "Failed to load root hash: %m");
2742 dissect_image_flags
= verity
.data_path
? DISSECT_IMAGE_NO_PARTITION_TABLE
: 0;
2744 r
= loop_device_make_by_path(
2747 verity
.data_path
? 0 : LO_FLAGS_PARTSCAN
,
2750 return log_debug_errno(r
, "Failed to create loop device for image: %m");
2756 dissect_image_flags
,
2758 /* No partition table? Might be a single-filesystem image, try again */
2759 if (!verity
.data_path
&& r
== -ENOPKG
)
2764 dissect_image_flags
|DISSECT_IMAGE_NO_PARTITION_TABLE
,
2767 return log_debug_errno(r
, "Failed to dissect image: %m");
2769 r
= dissected_image_decrypt(
2773 dissect_image_flags
,
2776 return log_debug_errno(r
, "Failed to decrypt dissected image: %m");
2778 r
= mkdir_p_label(dest
, 0755);
2780 return log_debug_errno(r
, "Failed to create destination directory %s: %m", dest
);
2781 r
= umount_recursive(dest
, 0);
2783 return log_debug_errno(r
, "Failed to umount under destination directory %s: %m", dest
);
2785 r
= dissected_image_mount(dissected_image
, dest
, UID_INVALID
, dissect_image_flags
);
2787 return log_debug_errno(r
, "Failed to mount image: %m");
2789 /* If we got os-release values from the caller, then we need to match them with the image's
2790 * extension-release.d/ content. Return -EINVAL if there's any mismatch.
2791 * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
2792 * available, or else fallback to VERSION_ID. */
2793 if (required_host_os_release_id
&&
2794 (required_host_os_release_version_id
|| required_host_os_release_sysext_level
)) {
2795 _cleanup_strv_free_
char **extension_release
= NULL
;
2797 r
= load_extension_release_pairs(dest
, dissected_image
->image_name
, &extension_release
);
2799 return log_debug_errno(r
, "Failed to parse image %s extension-release metadata: %m", dissected_image
->image_name
);
2801 r
= extension_release_validate(
2802 dissected_image
->image_name
,
2803 required_host_os_release_id
,
2804 required_host_os_release_version_id
,
2805 required_host_os_release_sysext_level
,
2808 return log_debug_errno(SYNTHETIC_ERRNO(ESTALE
), "Image %s extension-release metadata does not match the root's", dissected_image
->image_name
);
2810 return log_debug_errno(r
, "Failed to compare image %s extension-release metadata with the root's os-release: %m", dissected_image
->image_name
);
2813 if (decrypted_image
) {
2814 r
= decrypted_image_relinquish(decrypted_image
);
2816 return log_debug_errno(r
, "Failed to relinquish decrypted image: %m");
2819 loop_device_relinquish(loop_device
);
2824 DEFINE_STRING_TABLE_LOOKUP(partition_designator
, PartitionDesignator
);