1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #if HAVE_VALGRIND_MEMCHECK_H
4 #include <valgrind/memcheck.h>
7 #include <linux/dm-ioctl.h>
8 #include <linux/loop.h>
10 #include <sys/prctl.h>
15 #include <openssl/err.h>
16 #include <openssl/pem.h>
17 #include <openssl/x509.h>
20 #include "sd-device.h"
23 #include "architecture.h"
24 #include "ask-password-api.h"
25 #include "blkid-util.h"
26 #include "blockdev-util.h"
27 #include "chase-symlinks.h"
28 #include "conf-files.h"
30 #include "cryptsetup-util.h"
32 #include "device-nodes.h"
33 #include "device-util.h"
34 #include "discover-image.h"
35 #include "dissect-image.h"
39 #include "extension-release.h"
43 #include "fsck-util.h"
45 #include "hexdecoct.h"
46 #include "hostname-setup.h"
47 #include "id128-util.h"
48 #include "import-util.h"
50 #include "mkdir-label.h"
51 #include "mount-util.h"
52 #include "mountpoint-util.h"
53 #include "namespace-util.h"
54 #include "nulstr-util.h"
55 #include "openssl-util.h"
57 #include "path-util.h"
58 #include "process-util.h"
59 #include "raw-clone.h"
60 #include "resize-fs.h"
61 #include "signal-util.h"
62 #include "stat-util.h"
63 #include "stdio-util.h"
64 #include "string-table.h"
65 #include "string-util.h"
67 #include "tmpfile-util.h"
68 #include "udev-util.h"
69 #include "user-util.h"
70 #include "xattr-util.h"
72 /* how many times to wait for the device nodes to appear */
73 #define N_DEVICE_NODE_LIST_ATTEMPTS 10
75 int probe_filesystem(const char *node
, char **ret_fstype
) {
76 /* Try to find device content type and return it in *ret_fstype. If nothing is found,
77 * 0/NULL will be returned. -EUCLEAN will be returned for ambiguous results, and an
78 * different error otherwise. */
81 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
86 b
= blkid_new_probe_from_filename(node
);
88 return errno_or_else(ENOMEM
);
90 blkid_probe_enable_superblocks(b
, 1);
91 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
94 r
= blkid_do_safeprobe(b
);
96 log_debug("No type detected on partition %s", node
);
100 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
),
101 "Results ambiguous for partition %s", node
);
103 return errno_or_else(EIO
);
105 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
127 static int enumerator_for_parent(sd_device
*d
, sd_device_enumerator
**ret
) {
128 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
134 r
= sd_device_enumerator_new(&e
);
138 r
= sd_device_enumerator_add_match_subsystem(e
, "block", true);
142 r
= sd_device_enumerator_add_match_parent(e
, d
);
146 r
= sd_device_enumerator_add_match_sysattr(e
, "partition", NULL
, true);
154 static int device_is_partition(
156 sd_device
*expected_parent
,
157 blkid_partition pp
) {
159 const char *v
, *parent_syspath
, *expected_parent_syspath
;
160 blkid_loff_t bsize
, bstart
;
161 uint64_t size
, start
;
162 int partno
, bpartno
, r
;
166 assert(expected_parent
);
169 r
= sd_device_get_subsystem(d
, &v
);
172 if (!streq(v
, "block"))
175 if (sd_device_get_devtype(d
, &v
) < 0 || !streq(v
, "partition"))
178 r
= sd_device_get_parent(d
, &parent
);
180 return false; /* Doesn't have a parent? No relevant to us */
182 r
= sd_device_get_syspath(parent
, &parent_syspath
); /* Check parent of device of this action */
186 r
= sd_device_get_syspath(expected_parent
, &expected_parent_syspath
); /* Check parent of device we are looking for */
190 if (!path_equal(parent_syspath
, expected_parent_syspath
))
191 return false; /* Has a different parent than what we need, not interesting to us */
193 /* On kernel uevents we may find the partition number in the PARTN= field. Let's use that preferably,
194 * since it's cheaper and more importantly: the sysfs attribute "partition" appears to become
195 * available late, hence let's use the property instead, which is available at the moment we see the
197 r
= sd_device_get_property_value(d
, "PARTN", &v
);
199 r
= sd_device_get_sysattr_value(d
, "partition", &v
);
203 r
= safe_atoi(v
, &partno
);
208 bpartno
= blkid_partition_get_partno(pp
);
210 return errno_or_else(EIO
);
212 if (partno
!= bpartno
)
215 r
= sd_device_get_sysattr_value(d
, "start", &v
);
218 r
= safe_atou64(v
, &start
);
223 bstart
= blkid_partition_get_start(pp
);
225 return errno_or_else(EIO
);
227 if (start
!= (uint64_t) bstart
)
230 r
= sd_device_get_sysattr_value(d
, "size", &v
);
233 r
= safe_atou64(v
, &size
);
238 bsize
= blkid_partition_get_size(pp
);
240 return errno_or_else(EIO
);
242 if (size
!= (uint64_t) bsize
)
248 static int find_partition(
251 usec_t timestamp_not_before
,
252 DissectImageFlags flags
,
255 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
263 r
= enumerator_for_parent(parent
, &e
);
267 FOREACH_DEVICE(e
, q
) {
270 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
271 r
= sd_device_get_usec_initialized(q
, &usec
);
272 if (r
== -EBUSY
) /* Not initialized yet */
277 if (timestamp_not_before
!= USEC_INFINITY
&&
278 usec
< timestamp_not_before
) /* udev database entry older than our attachment? Then it's not ours */
282 r
= device_is_partition(q
, parent
, pp
);
286 *ret
= sd_device_ref(q
);
295 sd_device
*parent_device
;
296 blkid_partition blkidp
;
299 uint64_t uevent_seqnum_not_before
;
300 usec_t timestamp_not_before
;
301 DissectImageFlags flags
;
304 static inline void wait_data_done(struct wait_data
*d
) {
305 sd_device_unref(d
->found
);
308 static int device_monitor_handler(sd_device_monitor
*monitor
, sd_device
*device
, void *userdata
) {
309 struct wait_data
*w
= userdata
;
314 if (device_for_action(device
, SD_DEVICE_REMOVE
))
317 if (w
->diskseq
!= 0) {
320 /* If w->diskseq is non-zero, then we must have a disk seqnum */
321 r
= sd_device_get_diskseq(device
, &diskseq
);
323 log_debug_errno(r
, "Dropping event because it has no diskseq, but waiting for %" PRIu64
, w
->diskseq
);
326 if (diskseq
< w
->diskseq
) {
327 log_debug("Dropping event because diskseq too old (%" PRIu64
" < %" PRIu64
")",
328 diskseq
, w
->diskseq
);
331 if (diskseq
> w
->diskseq
) {
333 goto finish
; /* Newer than what we were expecting, so we missed it, stop waiting */
335 } else if (w
->uevent_seqnum_not_before
!= UINT64_MAX
) {
338 r
= sd_device_get_seqnum(device
, &seqnum
);
342 if (seqnum
<= w
->uevent_seqnum_not_before
) { /* From an older use of this loop device */
343 log_debug("Dropping event because seqnum too old (%" PRIu64
" <= %" PRIu64
")",
344 seqnum
, w
->uevent_seqnum_not_before
);
349 r
= device_is_partition(device
, w
->parent_device
, w
->blkidp
);
352 if (r
== 0) /* Not the one we need */
355 /* It's the one we need! Yay! */
357 w
->found
= sd_device_ref(device
);
361 return sd_event_exit(sd_device_monitor_get_event(monitor
), r
);
364 static int timeout_handler(sd_event_source
*s
, uint64_t usec
, void *userdata
) {
365 struct wait_data
*w
= userdata
;
370 /* Why partition not appeared within the timeout? We may lost some uevent, as some properties
371 * were not ready when we received uevent... Not sure, but anyway, let's try to find the
372 * partition again before give up. */
374 r
= find_partition(w
->parent_device
, w
->blkidp
, w
->timestamp_not_before
, w
->flags
, &w
->found
);
376 return log_debug_errno(SYNTHETIC_ERRNO(ETIMEDOUT
),
377 "Partition still not appeared after timeout reached.");
379 return log_debug_errno(r
, "Failed to find partition: %m");
381 log_debug("Partition appeared after timeout reached.");
382 return sd_event_exit(sd_event_source_get_event(s
), 0);
385 static int retry_handler(sd_event_source
*s
, uint64_t usec
, void *userdata
) {
386 struct wait_data
*w
= userdata
;
391 r
= find_partition(w
->parent_device
, w
->blkidp
, w
->timestamp_not_before
, w
->flags
, &w
->found
);
394 return log_debug_errno(r
, "Failed to find partition: %m");
396 log_debug("Partition found by a periodic search.");
397 return sd_event_exit(sd_event_source_get_event(s
), 0);
400 r
= sd_event_source_set_time_relative(s
, 500 * USEC_PER_MSEC
);
404 return sd_event_source_set_enabled(s
, SD_EVENT_ONESHOT
);
407 static int wait_for_partition_device(
412 uint64_t uevent_seqnum_not_before
,
413 usec_t timestamp_not_before
,
414 DissectImageFlags flags
,
417 _cleanup_(sd_event_source_unrefp
) sd_event_source
*timeout_source
= NULL
, *retry_source
= NULL
;
418 _cleanup_(sd_device_monitor_unrefp
) sd_device_monitor
*monitor
= NULL
;
419 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
426 r
= find_partition(parent
, pp
, timestamp_not_before
, flags
, ret
);
430 r
= sd_event_new(&event
);
434 r
= sd_device_monitor_new(&monitor
);
438 r
= sd_device_monitor_filter_add_match_subsystem_devtype(monitor
, "block", "partition");
442 r
= sd_device_monitor_filter_add_match_parent(monitor
, parent
, true);
446 r
= sd_device_monitor_filter_add_match_sysattr(monitor
, "partition", NULL
, true);
450 r
= sd_device_monitor_attach_event(monitor
, event
);
454 _cleanup_(wait_data_done
) struct wait_data w
= {
455 .parent_device
= parent
,
458 .uevent_seqnum_not_before
= uevent_seqnum_not_before
,
459 .timestamp_not_before
= timestamp_not_before
,
463 r
= sd_device_monitor_start(monitor
, device_monitor_handler
, &w
);
467 /* Check again, the partition might have appeared in the meantime */
468 r
= find_partition(parent
, pp
, timestamp_not_before
, flags
, ret
);
472 if (deadline
!= USEC_INFINITY
) {
473 r
= sd_event_add_time(
474 event
, &timeout_source
,
475 CLOCK_MONOTONIC
, deadline
, 0,
476 timeout_handler
, &w
);
480 r
= sd_event_source_set_exit_on_failure(timeout_source
, true);
485 /* If we don't have a disk sequence number then we cannot do exact matching,
486 * and we cannot know if we missed it or if it has not been sent yet, so set
487 * up additional retries to increase the chances of receiving the event. */
489 r
= sd_event_add_time_relative(
490 event
, &retry_source
,
491 CLOCK_MONOTONIC
, 500 * USEC_PER_MSEC
, 0,
496 r
= sd_event_source_set_exit_on_failure(retry_source
, true);
501 r
= sd_event_loop(event
);
506 *ret
= TAKE_PTR(w
.found
);
510 static void check_partition_flags(
512 unsigned long long pflags
,
513 unsigned long long supported
) {
517 /* Mask away all flags supported by this partition's type and the three flags the UEFI spec defines generically */
518 pflags
&= ~(supported
| GPT_FLAG_REQUIRED_PARTITION
| GPT_FLAG_NO_BLOCK_IO_PROTOCOL
| GPT_FLAG_LEGACY_BIOS_BOOTABLE
);
523 /* If there are other bits set, then log about it, to make things discoverable */
524 for (unsigned i
= 0; i
< sizeof(pflags
) * 8; i
++) {
525 unsigned long long bit
= 1ULL << i
;
526 if (!FLAGS_SET(pflags
, bit
))
529 log_debug("Unexpected partition flag %llu set on %s!", bit
, node
);
533 static int device_wait_for_initialization_harder(
535 const char *subsystem
,
539 usec_t start
, left
, retrigger_timeout
;
542 start
= now(CLOCK_MONOTONIC
);
543 left
= usec_sub_unsigned(deadline
, start
);
546 const char *sn
= NULL
;
548 (void) sd_device_get_sysname(device
, &sn
);
549 log_device_debug(device
,
550 "Will wait up to %s for '%s' to initialize…", FORMAT_TIMESPAN(left
, 0), strna(sn
));
553 if (left
!= USEC_INFINITY
)
554 retrigger_timeout
= CLAMP(left
/ 4, 1 * USEC_PER_SEC
, 5 * USEC_PER_SEC
); /* A fourth of the total timeout, but let's clamp to 1s…5s range */
556 retrigger_timeout
= 2 * USEC_PER_SEC
;
559 usec_t local_deadline
, n
;
562 n
= now(CLOCK_MONOTONIC
);
565 /* Find next deadline, when we'll retrigger */
566 local_deadline
= start
+
567 DIV_ROUND_UP(n
- start
, retrigger_timeout
) * retrigger_timeout
;
569 if (deadline
!= USEC_INFINITY
&& deadline
<= local_deadline
) {
570 local_deadline
= deadline
;
575 r
= device_wait_for_initialization(device
, subsystem
, local_deadline
, ret
);
576 if (r
>= 0 && DEBUG_LOGGING
) {
577 const char *sn
= NULL
;
579 (void) sd_device_get_sysname(device
, &sn
);
580 log_device_debug(device
,
581 "Successfully waited for device '%s' to initialize for %s.",
583 FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
586 if (r
!= -ETIMEDOUT
|| last_try
)
590 log_device_debug(device
,
591 "Device didn't initialize within %s, assuming lost event. Retriggering device.",
592 FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
594 r
= sd_device_trigger(device
, SD_DEVICE_CHANGE
);
601 #define DEVICE_TIMEOUT_USEC (45 * USEC_PER_SEC)
603 static void dissected_partition_done(DissectedPartition
*p
) {
609 free(p
->decrypted_fstype
);
610 free(p
->decrypted_node
);
611 free(p
->mount_options
);
613 *p
= (DissectedPartition
) {
621 const VeritySettings
*verity
,
622 const MountOptions
*mount_options
,
624 uint64_t uevent_seqnum_not_before
,
625 usec_t timestamp_not_before
,
626 DissectImageFlags flags
,
627 DissectedImage
**ret
) {
630 #ifdef GPT_ROOT_NATIVE
631 sd_id128_t root_uuid
= SD_ID128_NULL
, root_verity_uuid
= SD_ID128_NULL
;
633 #ifdef GPT_USR_NATIVE
634 sd_id128_t usr_uuid
= SD_ID128_NULL
, usr_verity_uuid
= SD_ID128_NULL
;
636 bool is_gpt
, is_mbr
, multiple_generic
= false,
637 generic_rw
= false, /* initialize to appease gcc */
638 generic_growfs
= false;
639 _cleanup_(sd_device_unrefp
) sd_device
*d
= NULL
;
640 _cleanup_(dissected_image_unrefp
) DissectedImage
*m
= NULL
;
641 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
642 _cleanup_free_
char *generic_node
= NULL
;
643 sd_id128_t generic_uuid
= SD_ID128_NULL
;
644 const char *pttype
= NULL
, *sysname
= NULL
;
646 int r
, generic_nr
= -1, n_partitions
;
652 assert(!verity
|| verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
653 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
654 assert(!verity
|| verity
->root_hash_sig
|| verity
->root_hash_sig_size
== 0);
655 assert(!verity
|| (verity
->root_hash
|| !verity
->root_hash_sig
));
656 assert(!((flags
& DISSECT_IMAGE_GPT_ONLY
) && (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)));
658 /* Probes a disk image, and returns information about what it found in *ret.
660 * Returns -ENOPKG if no suitable partition table or file system could be found.
661 * Returns -EADDRNOTAVAIL if a root hash was specified but no matching root/verity partitions found.
662 * Returns -ENXIO if we couldn't find any partition suitable as root or /usr partition
663 * Returns -ENOTUNIQ if we only found multiple generic partitions and thus don't know what to do with that */
665 if (verity
&& verity
->root_hash
) {
666 sd_id128_t fsuuid
, vuuid
;
668 /* If a root hash is supplied, then we use the root partition that has a UUID that match the
669 * first 128bit of the root hash. And we use the verity partition that has a UUID that match
670 * the final 128bit. */
672 if (verity
->root_hash_size
< sizeof(sd_id128_t
))
675 memcpy(&fsuuid
, verity
->root_hash
, sizeof(sd_id128_t
));
676 memcpy(&vuuid
, (const uint8_t*) verity
->root_hash
+ verity
->root_hash_size
- sizeof(sd_id128_t
), sizeof(sd_id128_t
));
678 if (sd_id128_is_null(fsuuid
))
680 if (sd_id128_is_null(vuuid
))
683 /* If the verity data declares it's for the /usr partition, then search for that, in all
684 * other cases assume it's for the root partition. */
685 #ifdef GPT_USR_NATIVE
686 if (verity
->designator
== PARTITION_USR
) {
688 usr_verity_uuid
= vuuid
;
691 #ifdef GPT_ROOT_NATIVE
693 root_verity_uuid
= vuuid
;
695 #ifdef GPT_USR_NATIVE
700 if (fstat(fd
, &st
) < 0)
703 if (!S_ISBLK(st
.st_mode
))
706 r
= sd_device_new_from_stat_rdev(&d
, &st
);
710 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
711 _cleanup_(sd_device_unrefp
) sd_device
*initialized
= NULL
;
713 /* If udev support is enabled, then let's wait for the device to be initialized before we doing anything. */
715 r
= device_wait_for_initialization_harder(
718 usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
),
724 d
= TAKE_PTR(initialized
);
727 b
= blkid_new_probe();
732 r
= blkid_probe_set_device(b
, fd
, 0, 0);
734 return errno_or_else(ENOMEM
);
736 if ((flags
& DISSECT_IMAGE_GPT_ONLY
) == 0) {
737 /* Look for file system superblocks, unless we only shall look for GPT partition tables */
738 blkid_probe_enable_superblocks(b
, 1);
739 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
|BLKID_SUBLKS_USAGE
);
742 blkid_probe_enable_partitions(b
, 1);
743 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
746 r
= blkid_do_safeprobe(b
);
747 if (IN_SET(r
, -2, 1))
748 return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG
), "Failed to identify any partition table.");
750 return errno_or_else(EIO
);
752 m
= new(DissectedImage
, 1);
756 *m
= (DissectedImage
) {
757 .has_init_system
= -1,
760 r
= sd_device_get_sysname(d
, &sysname
);
762 return log_debug_errno(r
, "Failed to get device sysname: %m");
763 if (startswith(sysname
, "loop")) {
764 _cleanup_free_
char *name_stripped
= NULL
;
765 const char *full_path
;
767 r
= sd_device_get_sysattr_value(d
, "loop/backing_file", &full_path
);
769 log_debug_errno(r
, "Failed to lookup image name via loop device backing file sysattr, ignoring: %m");
771 r
= raw_strip_suffixes(basename(full_path
), &name_stripped
);
776 free_and_replace(m
->image_name
, name_stripped
);
778 r
= free_and_strdup(&m
->image_name
, sysname
);
783 if (!image_name_is_valid(m
->image_name
)) {
784 log_debug("Image name %s is not valid, ignoring", strempty(m
->image_name
));
785 m
->image_name
= mfree(m
->image_name
);
788 if ((!(flags
& DISSECT_IMAGE_GPT_ONLY
) &&
789 (flags
& DISSECT_IMAGE_GENERIC_ROOT
)) ||
790 (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)) {
791 const char *usage
= NULL
;
793 /* If flags permit this, also allow using non-partitioned single-filesystem images */
795 (void) blkid_probe_lookup_value(b
, "USAGE", &usage
, NULL
);
796 if (STRPTR_IN_SET(usage
, "filesystem", "crypto")) {
797 const char *fstype
= NULL
, *options
= NULL
, *devname
= NULL
;
798 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
;
800 /* OK, we have found a file system, that's our root partition then. */
801 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
809 r
= sd_device_get_devname(d
, &devname
);
817 m
->single_file_system
= true;
818 m
->encrypted
= streq_ptr(fstype
, "crypto_LUKS");
820 m
->has_verity
= verity
&& verity
->data_path
;
821 m
->verity_ready
= m
->has_verity
&&
823 (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
);
825 m
->has_verity_sig
= false; /* signature not embedded, must be specified */
826 m
->verity_sig_ready
= m
->verity_ready
&&
827 verity
->root_hash_sig
;
829 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
836 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
838 .rw
= !m
->verity_ready
&& !fstype_is_ro(fstype
),
840 .architecture
= _ARCHITECTURE_INVALID
,
841 .fstype
= TAKE_PTR(t
),
843 .mount_options
= TAKE_PTR(o
),
853 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
857 is_gpt
= streq_ptr(pttype
, "gpt");
858 is_mbr
= streq_ptr(pttype
, "dos");
860 if (!is_gpt
&& ((flags
& DISSECT_IMAGE_GPT_ONLY
) || !is_mbr
))
863 /* We support external verity data partitions only if the image has no partition table */
864 if (verity
&& verity
->data_path
)
867 /* Safety check: refuse block devices that carry a partition table but for which the kernel doesn't
868 * do partition scanning. */
869 r
= blockdev_partscan_enabled(fd
);
873 return -EPROTONOSUPPORT
;
876 pl
= blkid_probe_get_partitions(b
);
878 return errno_or_else(ENOMEM
);
881 n_partitions
= blkid_partlist_numof_partitions(pl
);
882 if (n_partitions
< 0)
883 return errno_or_else(EIO
);
885 deadline
= usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
);
886 for (int i
= 0; i
< n_partitions
; i
++) {
887 _cleanup_(sd_device_unrefp
) sd_device
*q
= NULL
;
888 unsigned long long pflags
;
889 blkid_loff_t start
, size
;
895 pp
= blkid_partlist_get_partition(pl
, i
);
897 return errno_or_else(EIO
);
899 r
= wait_for_partition_device(d
, pp
, deadline
, diskseq
, uevent_seqnum_not_before
, timestamp_not_before
, flags
, &q
);
903 r
= sd_device_get_devname(q
, &node
);
907 pflags
= blkid_partition_get_flags(pp
);
910 nr
= blkid_partition_get_partno(pp
);
912 return errno_or_else(EIO
);
915 start
= blkid_partition_get_start(pp
);
917 return errno_or_else(EIO
);
919 assert((uint64_t) start
< UINT64_MAX
/512);
922 size
= blkid_partition_get_size(pp
);
924 return errno_or_else(EIO
);
926 assert((uint64_t) size
< UINT64_MAX
/512);
929 PartitionDesignator designator
= _PARTITION_DESIGNATOR_INVALID
;
930 int architecture
= _ARCHITECTURE_INVALID
;
931 const char *stype
, *sid
, *fstype
= NULL
, *label
;
932 sd_id128_t type_id
, id
;
933 bool rw
= true, growfs
= false;
935 sid
= blkid_partition_get_uuid(pp
);
938 if (sd_id128_from_string(sid
, &id
) < 0)
941 stype
= blkid_partition_get_type_string(pp
);
944 if (sd_id128_from_string(stype
, &type_id
) < 0)
947 label
= blkid_partition_get_name(pp
); /* libblkid returns NULL here if empty */
949 if (sd_id128_equal(type_id
, GPT_HOME
)) {
951 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
953 if (pflags
& GPT_FLAG_NO_AUTO
)
956 designator
= PARTITION_HOME
;
957 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
958 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
960 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
962 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
964 if (pflags
& GPT_FLAG_NO_AUTO
)
967 designator
= PARTITION_SRV
;
968 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
969 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
971 } else if (sd_id128_equal(type_id
, GPT_ESP
)) {
973 /* Note that we don't check the GPT_FLAG_NO_AUTO flag for the ESP, as it is
974 * not defined there. We instead check the GPT_FLAG_NO_BLOCK_IO_PROTOCOL, as
975 * recommended by the UEFI spec (See "12.3.3 Number and Location of System
978 if (pflags
& GPT_FLAG_NO_BLOCK_IO_PROTOCOL
)
981 designator
= PARTITION_ESP
;
984 } else if (sd_id128_equal(type_id
, GPT_XBOOTLDR
)) {
986 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
988 if (pflags
& GPT_FLAG_NO_AUTO
)
991 designator
= PARTITION_XBOOTLDR
;
992 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
993 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
995 #ifdef GPT_ROOT_NATIVE
996 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
998 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1000 if (pflags
& GPT_FLAG_NO_AUTO
)
1003 /* If a root ID is specified, ignore everything but the root id */
1004 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
1007 designator
= PARTITION_ROOT
;
1008 architecture
= native_architecture();
1009 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1010 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1012 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY
)) {
1014 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1016 if (pflags
& GPT_FLAG_NO_AUTO
)
1019 m
->has_verity
= true;
1021 /* If no verity configuration is specified, then don't do verity */
1024 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1027 /* If root hash is specified, then ignore everything but the root id */
1028 if (!sd_id128_is_null(root_verity_uuid
) && !sd_id128_equal(root_verity_uuid
, id
))
1031 designator
= PARTITION_ROOT_VERITY
;
1032 fstype
= "DM_verity_hash";
1033 architecture
= native_architecture();
1036 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY_SIG
)) {
1038 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1040 if (pflags
& GPT_FLAG_NO_AUTO
)
1043 m
->has_verity_sig
= true;
1045 /* If root hash is specified explicitly, then ignore any embedded signature */
1048 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1050 if (verity
->root_hash
)
1053 designator
= PARTITION_ROOT_VERITY_SIG
;
1054 fstype
= "verity_hash_signature";
1055 architecture
= native_architecture();
1059 #ifdef GPT_ROOT_SECONDARY
1060 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
1062 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1064 if (pflags
& GPT_FLAG_NO_AUTO
)
1067 /* If a root ID is specified, ignore everything but the root id */
1068 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
1071 designator
= PARTITION_ROOT_SECONDARY
;
1072 architecture
= SECONDARY_ARCHITECTURE
;
1073 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1074 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1076 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY
)) {
1078 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1080 if (pflags
& GPT_FLAG_NO_AUTO
)
1083 m
->has_verity
= true;
1085 /* Don't do verity if no verity config is passed in */
1088 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1091 /* If root hash is specified, then ignore everything but the root id */
1092 if (!sd_id128_is_null(root_verity_uuid
) && !sd_id128_equal(root_verity_uuid
, id
))
1095 designator
= PARTITION_ROOT_SECONDARY_VERITY
;
1096 fstype
= "DM_verity_hash";
1097 architecture
= SECONDARY_ARCHITECTURE
;
1100 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY_SIG
)) {
1102 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1104 if (pflags
& GPT_FLAG_NO_AUTO
)
1107 m
->has_verity_sig
= true;
1109 /* If root hash is specified explicitly, then ignore any embedded signature */
1112 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1114 if (verity
->root_hash
)
1117 designator
= PARTITION_ROOT_SECONDARY_VERITY_SIG
;
1118 fstype
= "verity_hash_signature";
1119 architecture
= native_architecture();
1123 #ifdef GPT_USR_NATIVE
1124 else if (sd_id128_equal(type_id
, GPT_USR_NATIVE
)) {
1126 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1128 if (pflags
& GPT_FLAG_NO_AUTO
)
1131 /* If a usr ID is specified, ignore everything but the usr id */
1132 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
1135 designator
= PARTITION_USR
;
1136 architecture
= native_architecture();
1137 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1138 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1140 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY
)) {
1142 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1144 if (pflags
& GPT_FLAG_NO_AUTO
)
1147 m
->has_verity
= true;
1151 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1154 /* If usr hash is specified, then ignore everything but the usr id */
1155 if (!sd_id128_is_null(usr_verity_uuid
) && !sd_id128_equal(usr_verity_uuid
, id
))
1158 designator
= PARTITION_USR_VERITY
;
1159 fstype
= "DM_verity_hash";
1160 architecture
= native_architecture();
1163 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY_SIG
)) {
1165 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1167 if (pflags
& GPT_FLAG_NO_AUTO
)
1170 m
->has_verity_sig
= true;
1172 /* If usr hash is specified explicitly, then ignore any embedded signature */
1175 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1177 if (verity
->root_hash
)
1180 designator
= PARTITION_USR_VERITY_SIG
;
1181 fstype
= "verity_hash_signature";
1182 architecture
= native_architecture();
1186 #ifdef GPT_USR_SECONDARY
1187 else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY
)) {
1189 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1191 if (pflags
& GPT_FLAG_NO_AUTO
)
1194 /* If a usr ID is specified, ignore everything but the usr id */
1195 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
1198 designator
= PARTITION_USR_SECONDARY
;
1199 architecture
= SECONDARY_ARCHITECTURE
;
1200 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1201 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1203 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY
)) {
1205 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1207 if (pflags
& GPT_FLAG_NO_AUTO
)
1210 m
->has_verity
= true;
1214 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1217 /* If usr hash is specified, then ignore everything but the root id */
1218 if (!sd_id128_is_null(usr_verity_uuid
) && !sd_id128_equal(usr_verity_uuid
, id
))
1221 designator
= PARTITION_USR_SECONDARY_VERITY
;
1222 fstype
= "DM_verity_hash";
1223 architecture
= SECONDARY_ARCHITECTURE
;
1226 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY_SIG
)) {
1228 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1230 if (pflags
& GPT_FLAG_NO_AUTO
)
1233 m
->has_verity_sig
= true;
1235 /* If usr hash is specified explicitly, then ignore any embedded signature */
1238 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1240 if (verity
->root_hash
)
1243 designator
= PARTITION_USR_SECONDARY_VERITY_SIG
;
1244 fstype
= "verity_hash_signature";
1245 architecture
= native_architecture();
1249 else if (sd_id128_equal(type_id
, GPT_SWAP
)) {
1251 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
);
1253 if (pflags
& GPT_FLAG_NO_AUTO
)
1256 designator
= PARTITION_SWAP
;
1258 } else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
1260 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1262 if (pflags
& GPT_FLAG_NO_AUTO
)
1266 multiple_generic
= true;
1269 generic_rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1270 generic_growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1272 generic_node
= strdup(node
);
1277 } else if (sd_id128_equal(type_id
, GPT_TMP
)) {
1279 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1281 if (pflags
& GPT_FLAG_NO_AUTO
)
1284 designator
= PARTITION_TMP
;
1285 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1286 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1288 } else if (sd_id128_equal(type_id
, GPT_VAR
)) {
1290 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1292 if (pflags
& GPT_FLAG_NO_AUTO
)
1295 if (!FLAGS_SET(flags
, DISSECT_IMAGE_RELAX_VAR_CHECK
)) {
1296 sd_id128_t var_uuid
;
1298 /* For /var we insist that the uuid of the partition matches the
1299 * HMAC-SHA256 of the /var GPT partition type uuid, keyed by machine
1300 * ID. Why? Unlike the other partitions /var is inherently
1301 * installation specific, hence we need to be careful not to mount it
1302 * in the wrong installation. By hashing the partition UUID from
1303 * /etc/machine-id we can securely bind the partition to the
1306 r
= sd_id128_get_machine_app_specific(GPT_VAR
, &var_uuid
);
1310 if (!sd_id128_equal(var_uuid
, id
)) {
1311 log_debug("Found a /var/ partition, but its UUID didn't match our expectations, ignoring.");
1316 designator
= PARTITION_VAR
;
1317 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1318 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1321 if (designator
!= _PARTITION_DESIGNATOR_INVALID
) {
1322 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
, *l
= NULL
;
1323 const char *options
= NULL
;
1325 if (m
->partitions
[designator
].found
) {
1326 /* For most partition types the first one we see wins. Except for the
1327 * rootfs and /usr, where we do a version compare of the label, and
1328 * let the newest version win. This permits a simple A/B versioning
1329 * scheme in OS images. */
1331 if (!PARTITION_DESIGNATOR_VERSIONED(designator
) ||
1332 strverscmp_improved(m
->partitions
[designator
].label
, label
) >= 0)
1335 dissected_partition_done(m
->partitions
+ designator
);
1354 options
= mount_options_from_designator(mount_options
, designator
);
1356 o
= strdup(options
);
1361 m
->partitions
[designator
] = (DissectedPartition
) {
1366 .architecture
= architecture
,
1367 .node
= TAKE_PTR(n
),
1368 .fstype
= TAKE_PTR(t
),
1369 .label
= TAKE_PTR(l
),
1371 .mount_options
= TAKE_PTR(o
),
1372 .offset
= (uint64_t) start
* 512,
1373 .size
= (uint64_t) size
* 512,
1377 } else if (is_mbr
) {
1379 switch (blkid_partition_get_type(pp
)) {
1381 case 0x83: /* Linux partition */
1383 if (pflags
!= 0x80) /* Bootable flag */
1387 multiple_generic
= true;
1391 generic_growfs
= false;
1392 generic_node
= strdup(node
);
1399 case 0xEA: { /* Boot Loader Spec extended $BOOT partition */
1400 _cleanup_free_
char *n
= NULL
, *o
= NULL
;
1401 sd_id128_t id
= SD_ID128_NULL
;
1402 const char *sid
, *options
= NULL
;
1404 /* First one wins */
1405 if (m
->partitions
[PARTITION_XBOOTLDR
].found
)
1408 sid
= blkid_partition_get_uuid(pp
);
1410 (void) sd_id128_from_string(sid
, &id
);
1416 options
= mount_options_from_designator(mount_options
, PARTITION_XBOOTLDR
);
1418 o
= strdup(options
);
1423 m
->partitions
[PARTITION_XBOOTLDR
] = (DissectedPartition
) {
1428 .architecture
= _ARCHITECTURE_INVALID
,
1429 .node
= TAKE_PTR(n
),
1431 .mount_options
= TAKE_PTR(o
),
1432 .offset
= (uint64_t) start
* 512,
1433 .size
= (uint64_t) size
* 512,
1441 if (m
->partitions
[PARTITION_ROOT
].found
) {
1442 /* If we found the primary arch, then invalidate the secondary arch to avoid any ambiguities,
1443 * since we never want to mount the secondary arch in this case. */
1444 m
->partitions
[PARTITION_ROOT_SECONDARY
].found
= false;
1445 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
= false;
1446 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
].found
= false;
1447 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1448 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1449 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
= false;
1451 } else if (m
->partitions
[PARTITION_ROOT_VERITY
].found
||
1452 m
->partitions
[PARTITION_ROOT_VERITY_SIG
].found
)
1453 return -EADDRNOTAVAIL
; /* Verity found but no matching rootfs? Something is off, refuse. */
1455 else if (m
->partitions
[PARTITION_ROOT_SECONDARY
].found
) {
1457 /* No root partition found but there's one for the secondary architecture? Then upgrade
1458 * secondary arch to first */
1460 m
->partitions
[PARTITION_ROOT
] = m
->partitions
[PARTITION_ROOT_SECONDARY
];
1461 zero(m
->partitions
[PARTITION_ROOT_SECONDARY
]);
1462 m
->partitions
[PARTITION_ROOT_VERITY
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
];
1463 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
]);
1464 m
->partitions
[PARTITION_ROOT_VERITY_SIG
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
];
1465 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
]);
1467 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1468 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1469 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1470 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1471 m
->partitions
[PARTITION_USR_VERITY_SIG
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
];
1472 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
]);
1474 } else if (m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
||
1475 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
].found
)
1476 return -EADDRNOTAVAIL
; /* as above */
1478 /* Hmm, we found a signature partition but no Verity data? Something is off. */
1479 if (m
->partitions
[PARTITION_ROOT_VERITY_SIG
].found
&& !m
->partitions
[PARTITION_ROOT_VERITY
].found
)
1480 return -EADDRNOTAVAIL
;
1482 if (m
->partitions
[PARTITION_USR
].found
) {
1483 /* Invalidate secondary arch /usr/ if we found the primary arch */
1484 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1485 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1486 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
= false;
1488 } else if (m
->partitions
[PARTITION_USR_VERITY
].found
||
1489 m
->partitions
[PARTITION_USR_VERITY_SIG
].found
)
1490 return -EADDRNOTAVAIL
; /* as above */
1492 else if (m
->partitions
[PARTITION_USR_SECONDARY
].found
) {
1494 /* Upgrade secondary arch to primary */
1495 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1496 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1497 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1498 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1499 m
->partitions
[PARTITION_USR_VERITY_SIG
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
];
1500 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
]);
1502 } else if (m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
||
1503 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
)
1504 return -EADDRNOTAVAIL
; /* as above */
1506 /* Hmm, we found a signature partition but no Verity data? Something is off. */
1507 if (m
->partitions
[PARTITION_USR_VERITY_SIG
].found
&& !m
->partitions
[PARTITION_USR_VERITY
].found
)
1508 return -EADDRNOTAVAIL
;
1510 /* If root and /usr are combined then insist that the architecture matches */
1511 if (m
->partitions
[PARTITION_ROOT
].found
&&
1512 m
->partitions
[PARTITION_USR
].found
&&
1513 (m
->partitions
[PARTITION_ROOT
].architecture
>= 0 &&
1514 m
->partitions
[PARTITION_USR
].architecture
>= 0 &&
1515 m
->partitions
[PARTITION_ROOT
].architecture
!= m
->partitions
[PARTITION_USR
].architecture
))
1516 return -EADDRNOTAVAIL
;
1518 if (!m
->partitions
[PARTITION_ROOT
].found
&&
1519 !m
->partitions
[PARTITION_USR
].found
&&
1520 (flags
& DISSECT_IMAGE_GENERIC_ROOT
) &&
1521 (!verity
|| !verity
->root_hash
|| verity
->designator
!= PARTITION_USR
)) {
1523 /* OK, we found nothing usable, then check if there's a single generic one distro, and use
1524 * that. If the root hash was set however, then we won't fall back to a generic node, because
1525 * the root hash decides. */
1527 /* If we didn't find a properly marked root partition, but we did find a single suitable
1528 * generic Linux partition, then use this as root partition, if the caller asked for it. */
1529 if (multiple_generic
)
1532 /* If we didn't find a generic node, then we can't fix this up either */
1534 _cleanup_free_
char *o
= NULL
;
1535 const char *options
;
1537 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
1539 o
= strdup(options
);
1544 assert(generic_nr
>= 0);
1545 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
1548 .growfs
= generic_growfs
,
1549 .partno
= generic_nr
,
1550 .architecture
= _ARCHITECTURE_INVALID
,
1551 .node
= TAKE_PTR(generic_node
),
1552 .uuid
= generic_uuid
,
1553 .mount_options
= TAKE_PTR(o
),
1554 .offset
= UINT64_MAX
,
1560 /* Check if we have a root fs if we are told to do check. /usr alone is fine too, but only if appropriate flag for that is set too */
1561 if (FLAGS_SET(flags
, DISSECT_IMAGE_REQUIRE_ROOT
) &&
1562 !(m
->partitions
[PARTITION_ROOT
].found
|| (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1565 if (m
->partitions
[PARTITION_ROOT_VERITY
].found
) {
1566 /* We only support one verity partition per image, i.e. can't do for both /usr and root fs */
1567 if (m
->partitions
[PARTITION_USR_VERITY
].found
)
1570 /* We don't support verity enabled root with a split out /usr. Neither with nor without
1571 * verity there. (Note that we do support verity-less root with verity-full /usr, though.) */
1572 if (m
->partitions
[PARTITION_USR
].found
)
1573 return -EADDRNOTAVAIL
;
1577 /* If a verity designator is specified, then insist that the matching partition exists */
1578 if (verity
->designator
>= 0 && !m
->partitions
[verity
->designator
].found
)
1579 return -EADDRNOTAVAIL
;
1581 if (verity
->root_hash
) {
1582 /* If we have an explicit root hash and found the partitions for it, then we are ready to use
1583 * Verity, set things up for it */
1585 if (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
) {
1586 if (!m
->partitions
[PARTITION_ROOT_VERITY
].found
|| !m
->partitions
[PARTITION_ROOT
].found
)
1587 return -EADDRNOTAVAIL
;
1589 /* If we found a verity setup, then the root partition is necessarily read-only. */
1590 m
->partitions
[PARTITION_ROOT
].rw
= false;
1591 m
->verity_ready
= true;
1594 assert(verity
->designator
== PARTITION_USR
);
1596 if (!m
->partitions
[PARTITION_USR_VERITY
].found
|| !m
->partitions
[PARTITION_USR
].found
)
1597 return -EADDRNOTAVAIL
;
1599 m
->partitions
[PARTITION_USR
].rw
= false;
1600 m
->verity_ready
= true;
1603 if (m
->verity_ready
)
1604 m
->verity_sig_ready
= verity
->root_hash_sig
;
1606 } else if (m
->partitions
[verity
->designator
== PARTITION_USR
? PARTITION_USR_VERITY_SIG
: PARTITION_ROOT_VERITY_SIG
].found
) {
1608 /* If we found an embedded signature partition, we are ready, too. */
1610 m
->verity_ready
= m
->verity_sig_ready
= true;
1611 m
->partitions
[verity
->designator
== PARTITION_USR
? PARTITION_USR
: PARTITION_ROOT
].rw
= false;
1615 blkid_free_probe(b
);
1618 /* Fill in file system types if we don't know them yet. */
1619 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
1620 DissectedPartition
*p
= m
->partitions
+ i
;
1625 if (!p
->fstype
&& p
->node
) {
1626 r
= probe_filesystem(p
->node
, &p
->fstype
);
1627 if (r
< 0 && r
!= -EUCLEAN
)
1631 if (streq_ptr(p
->fstype
, "crypto_LUKS"))
1632 m
->encrypted
= true;
1634 if (p
->fstype
&& fstype_is_ro(p
->fstype
))
1648 DissectedImage
* dissected_image_unref(DissectedImage
*m
) {
1652 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++)
1653 dissected_partition_done(m
->partitions
+ i
);
1655 free(m
->image_name
);
1657 strv_free(m
->machine_info
);
1658 strv_free(m
->os_release
);
1659 strv_free(m
->extension_release
);
1664 static int is_loop_device(const char *path
) {
1665 char s
[SYS_BLOCK_PATH_MAX("/../loop/")];
1670 if (stat(path
, &st
) < 0)
1673 if (!S_ISBLK(st
.st_mode
))
1676 xsprintf_sys_block_path(s
, "/loop/", st
.st_dev
);
1677 if (access(s
, F_OK
) < 0) {
1678 if (errno
!= ENOENT
)
1681 /* The device itself isn't a loop device, but maybe it's a partition and its parent is? */
1682 xsprintf_sys_block_path(s
, "/../loop/", st
.st_dev
);
1683 if (access(s
, F_OK
) < 0)
1684 return errno
== ENOENT
? false : -errno
;
1690 static int run_fsck(const char *node
, const char *fstype
) {
1697 r
= fsck_exists(fstype
);
1699 log_debug_errno(r
, "Couldn't determine whether fsck for %s exists, proceeding anyway.", fstype
);
1703 log_debug("Not checking partition %s, as fsck for %s does not exist.", node
, fstype
);
1707 r
= safe_fork("(fsck)", FORK_RESET_SIGNALS
|FORK_CLOSE_ALL_FDS
|FORK_RLIMIT_NOFILE_SAFE
|FORK_DEATHSIG
|FORK_NULL_STDIO
, &pid
);
1709 return log_debug_errno(r
, "Failed to fork off fsck: %m");
1712 execl("/sbin/fsck", "/sbin/fsck", "-aT", node
, NULL
);
1714 log_debug_errno(errno
, "Failed to execl() fsck: %m");
1715 _exit(FSCK_OPERATIONAL_ERROR
);
1718 exit_status
= wait_for_terminate_and_check("fsck", pid
, 0);
1719 if (exit_status
< 0)
1720 return log_debug_errno(exit_status
, "Failed to fork off /sbin/fsck: %m");
1722 if ((exit_status
& ~FSCK_ERROR_CORRECTED
) != FSCK_SUCCESS
) {
1723 log_debug("fsck failed with exit status %i.", exit_status
);
1725 if ((exit_status
& (FSCK_SYSTEM_SHOULD_REBOOT
|FSCK_ERRORS_LEFT_UNCORRECTED
)) != 0)
1726 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
), "File system is corrupted, refusing.");
1728 log_debug("Ignoring fsck error.");
1734 static int fs_grow(const char *node_path
, const char *mount_path
) {
1735 _cleanup_close_
int mount_fd
= -1, node_fd
= -1;
1736 uint64_t size
, newsize
;
1739 node_fd
= open(node_path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
1741 return log_debug_errno(errno
, "Failed to open node device %s: %m", node_path
);
1743 if (ioctl(node_fd
, BLKGETSIZE64
, &size
) != 0)
1744 return log_debug_errno(errno
, "Failed to get block device size of %s: %m", node_path
);
1746 mount_fd
= open(mount_path
, O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1748 return log_debug_errno(errno
, "Failed to open mountd file system %s: %m", mount_path
);
1750 log_debug("Resizing \"%s\" to %"PRIu64
" bytes...", mount_path
, size
);
1751 r
= resize_fs(mount_fd
, size
, &newsize
);
1753 return log_debug_errno(r
, "Failed to resize \"%s\" to %"PRIu64
" bytes: %m", mount_path
, size
);
1755 if (newsize
== size
)
1756 log_debug("Successfully resized \"%s\" to %s bytes.",
1757 mount_path
, FORMAT_BYTES(newsize
));
1759 assert(newsize
< size
);
1760 log_debug("Successfully resized \"%s\" to %s bytes (%"PRIu64
" bytes lost due to blocksize).",
1761 mount_path
, FORMAT_BYTES(newsize
), size
- newsize
);
1767 static int mount_partition(
1768 DissectedPartition
*m
,
1770 const char *directory
,
1773 DissectImageFlags flags
) {
1775 _cleanup_free_
char *chased
= NULL
, *options
= NULL
;
1776 const char *p
, *node
, *fstype
;
1777 bool rw
, remap_uid_gid
= false;
1783 /* Use decrypted node and matching fstype if available, otherwise use the original device */
1784 node
= m
->decrypted_node
?: m
->node
;
1785 fstype
= m
->decrypted_node
? m
->decrypted_fstype
: m
->fstype
;
1787 if (!m
->found
|| !node
)
1790 return -EAFNOSUPPORT
;
1792 /* We are looking at an encrypted partition? This either means stacked encryption, or the caller didn't call dissected_image_decrypt() beforehand. Let's return a recognizable error for this case. */
1793 if (streq(fstype
, "crypto_LUKS"))
1796 rw
= m
->rw
&& !(flags
& DISSECT_IMAGE_MOUNT_READ_ONLY
);
1798 if (FLAGS_SET(flags
, DISSECT_IMAGE_FSCK
) && rw
) {
1799 r
= run_fsck(node
, fstype
);
1805 /* Automatically create missing mount points inside the image, if necessary. */
1806 r
= mkdir_p_root(where
, directory
, uid_shift
, (gid_t
) uid_shift
, 0755);
1807 if (r
< 0 && r
!= -EROFS
)
1810 r
= chase_symlinks(directory
, where
, CHASE_PREFIX_ROOT
, &chased
, NULL
);
1816 /* Create top-level mount if missing – but only if this is asked for. This won't modify the
1817 * image (as the branch above does) but the host hierarchy, and the created directory might
1818 * survive our mount in the host hierarchy hence. */
1819 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1820 r
= mkdir_p(where
, 0755);
1828 /* If requested, turn on discard support. */
1829 if (fstype_can_discard(fstype
) &&
1830 ((flags
& DISSECT_IMAGE_DISCARD
) ||
1831 ((flags
& DISSECT_IMAGE_DISCARD_ON_LOOP
) && is_loop_device(m
->node
) > 0))) {
1832 options
= strdup("discard");
1837 if (uid_is_valid(uid_shift
) && uid_shift
!= 0) {
1839 if (fstype_can_uid_gid(fstype
)) {
1840 _cleanup_free_
char *uid_option
= NULL
;
1842 if (asprintf(&uid_option
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1845 if (!strextend_with_separator(&options
, ",", uid_option
))
1847 } else if (FLAGS_SET(flags
, DISSECT_IMAGE_MOUNT_IDMAPPED
))
1848 remap_uid_gid
= true;
1851 if (!isempty(m
->mount_options
))
1852 if (!strextend_with_separator(&options
, ",", m
->mount_options
))
1855 /* So, when you request MS_RDONLY from ext4, then this means nothing. It happily still writes to the
1856 * backing storage. What's worse, the BLKRO[GS]ET flag and (in case of loopback devices)
1857 * LO_FLAGS_READ_ONLY don't mean anything, they affect userspace accesses only, and write accesses
1858 * from the upper file system still get propagated through to the underlying file system,
1859 * unrestricted. To actually get ext4/xfs/btrfs to stop writing to the device we need to specify
1860 * "norecovery" as mount option, in addition to MS_RDONLY. Yes, this sucks, since it means we need to
1861 * carry a per file system table here.
1863 * Note that this means that we might not be able to mount corrupted file systems as read-only
1864 * anymore (since in some cases the kernel implementations will refuse mounting when corrupted,
1865 * read-only and "norecovery" is specified). But I think for the case of automatically determined
1866 * mount options for loopback devices this is the right choice, since otherwise using the same
1867 * loopback file twice even in read-only mode, is going to fail badly sooner or later. The usecase of
1868 * making reuse of the immutable images "just work" is more relevant to us than having read-only
1869 * access that actually modifies stuff work on such image files. Or to say this differently: if
1870 * people want their file systems to be fixed up they should just open them in writable mode, where
1871 * all these problems don't exist. */
1872 if (!rw
&& STRPTR_IN_SET(fstype
, "ext3", "ext4", "xfs", "btrfs"))
1873 if (!strextend_with_separator(&options
, ",", "norecovery"))
1876 r
= mount_nofollow_verbose(LOG_DEBUG
, node
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), options
);
1880 if (rw
&& m
->growfs
&& FLAGS_SET(flags
, DISSECT_IMAGE_GROWFS
))
1881 (void) fs_grow(node
, p
);
1883 if (remap_uid_gid
) {
1884 r
= remount_idmap(p
, uid_shift
, uid_range
);
1892 static int mount_root_tmpfs(const char *where
, uid_t uid_shift
, DissectImageFlags flags
) {
1893 _cleanup_free_
char *options
= NULL
;
1898 /* For images that contain /usr/ but no rootfs, let's mount rootfs as tmpfs */
1900 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1901 r
= mkdir_p(where
, 0755);
1906 if (uid_is_valid(uid_shift
)) {
1907 if (asprintf(&options
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1911 r
= mount_nofollow_verbose(LOG_DEBUG
, "rootfs", where
, "tmpfs", MS_NODEV
, options
);
1918 int dissected_image_mount(
1923 DissectImageFlags flags
) {
1925 int r
, xbootldr_mounted
;
1932 * -ENXIO → No root partition found
1933 * -EMEDIUMTYPE → DISSECT_IMAGE_VALIDATE_OS set but no os-release/extension-release file found
1934 * -EUNATCH → Encrypted partition found for which no dm-crypt was set up yet
1935 * -EUCLEAN → fsck for file system failed
1936 * -EBUSY → File system already mounted/used elsewhere (kernel)
1937 * -EAFNOSUPPORT → File system type not supported or not known
1940 if (!(m
->partitions
[PARTITION_ROOT
].found
||
1941 (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1942 return -ENXIO
; /* Require a root fs or at least a /usr/ fs (the latter is subject to a flag of its own) */
1944 if ((flags
& DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
) == 0) {
1946 /* First mount the root fs. If there's none we use a tmpfs. */
1947 if (m
->partitions
[PARTITION_ROOT
].found
)
1948 r
= mount_partition(m
->partitions
+ PARTITION_ROOT
, where
, NULL
, uid_shift
, uid_range
, flags
);
1950 r
= mount_root_tmpfs(where
, uid_shift
, flags
);
1954 /* For us mounting root always means mounting /usr as well */
1955 r
= mount_partition(m
->partitions
+ PARTITION_USR
, where
, "/usr", uid_shift
, uid_range
, flags
);
1959 if ((flags
& (DISSECT_IMAGE_VALIDATE_OS
|DISSECT_IMAGE_VALIDATE_OS_EXT
)) != 0) {
1960 /* If either one of the validation flags are set, ensure that the image qualifies
1961 * as one or the other (or both). */
1964 if (FLAGS_SET(flags
, DISSECT_IMAGE_VALIDATE_OS
)) {
1965 r
= path_is_os_tree(where
);
1971 if (!ok
&& FLAGS_SET(flags
, DISSECT_IMAGE_VALIDATE_OS_EXT
)) {
1972 r
= path_is_extension_tree(where
, m
->image_name
);
1984 if (flags
& DISSECT_IMAGE_MOUNT_ROOT_ONLY
)
1987 r
= mount_partition(m
->partitions
+ PARTITION_HOME
, where
, "/home", uid_shift
, uid_range
, flags
);
1991 r
= mount_partition(m
->partitions
+ PARTITION_SRV
, where
, "/srv", uid_shift
, uid_range
, flags
);
1995 r
= mount_partition(m
->partitions
+ PARTITION_VAR
, where
, "/var", uid_shift
, uid_range
, flags
);
1999 r
= mount_partition(m
->partitions
+ PARTITION_TMP
, where
, "/var/tmp", uid_shift
, uid_range
, flags
);
2003 xbootldr_mounted
= mount_partition(m
->partitions
+ PARTITION_XBOOTLDR
, where
, "/boot", uid_shift
, uid_range
, flags
);
2004 if (xbootldr_mounted
< 0)
2005 return xbootldr_mounted
;
2007 if (m
->partitions
[PARTITION_ESP
].found
) {
2008 int esp_done
= false;
2010 /* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it
2011 * exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */
2013 r
= chase_symlinks("/efi", where
, CHASE_PREFIX_ROOT
, NULL
, NULL
);
2018 /* /efi doesn't exist. Let's see if /boot is suitable then */
2020 if (!xbootldr_mounted
) {
2021 _cleanup_free_
char *p
= NULL
;
2023 r
= chase_symlinks("/boot", where
, CHASE_PREFIX_ROOT
, &p
, NULL
);
2027 } else if (dir_is_empty(p
) > 0) {
2028 /* It exists and is an empty directory. Let's mount the ESP there. */
2029 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/boot", uid_shift
, uid_range
, flags
);
2039 /* OK, let's mount the ESP now to /efi (possibly creating the dir if missing) */
2041 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/efi", uid_shift
, uid_range
, flags
);
2050 int dissected_image_mount_and_warn(
2055 DissectImageFlags flags
) {
2062 r
= dissected_image_mount(m
, where
, uid_shift
, uid_range
, flags
);
2064 return log_error_errno(r
, "Not root file system found in image.");
2065 if (r
== -EMEDIUMTYPE
)
2066 return log_error_errno(r
, "No suitable os-release/extension-release file in image found.");
2068 return log_error_errno(r
, "Encrypted file system discovered, but decryption not requested.");
2070 return log_error_errno(r
, "File system check on image failed.");
2072 return log_error_errno(r
, "File system already mounted elsewhere.");
2073 if (r
== -EAFNOSUPPORT
)
2074 return log_error_errno(r
, "File system type not supported or not known.");
2076 return log_error_errno(r
, "Failed to mount image: %m");
2081 #if HAVE_LIBCRYPTSETUP
2082 typedef struct DecryptedPartition
{
2083 struct crypt_device
*device
;
2086 } DecryptedPartition
;
2088 struct DecryptedImage
{
2089 DecryptedPartition
*decrypted
;
2094 DecryptedImage
* decrypted_image_unref(DecryptedImage
* d
) {
2095 #if HAVE_LIBCRYPTSETUP
2101 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2102 DecryptedPartition
*p
= d
->decrypted
+ i
;
2104 if (p
->device
&& p
->name
&& !p
->relinquished
) {
2105 r
= sym_crypt_deactivate_by_name(p
->device
, p
->name
, 0);
2107 log_debug_errno(r
, "Failed to deactivate encrypted partition %s", p
->name
);
2111 sym_crypt_free(p
->device
);
2121 #if HAVE_LIBCRYPTSETUP
2123 static int make_dm_name_and_node(const void *original_node
, const char *suffix
, char **ret_name
, char **ret_node
) {
2124 _cleanup_free_
char *name
= NULL
, *node
= NULL
;
2127 assert(original_node
);
2132 base
= strrchr(original_node
, '/');
2134 base
= original_node
;
2140 name
= strjoin(base
, suffix
);
2143 if (!filename_is_valid(name
))
2146 node
= path_join(sym_crypt_get_dir(), name
);
2150 *ret_name
= TAKE_PTR(name
);
2151 *ret_node
= TAKE_PTR(node
);
2156 static int decrypt_partition(
2157 DissectedPartition
*m
,
2158 const char *passphrase
,
2159 DissectImageFlags flags
,
2160 DecryptedImage
*d
) {
2162 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
2163 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2169 if (!m
->found
|| !m
->node
|| !m
->fstype
)
2172 if (!streq(m
->fstype
, "crypto_LUKS"))
2178 r
= dlopen_cryptsetup();
2182 r
= make_dm_name_and_node(m
->node
, "-decrypted", &name
, &node
);
2186 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_decrypted
+ 1))
2189 r
= sym_crypt_init(&cd
, m
->node
);
2191 return log_debug_errno(r
, "Failed to initialize dm-crypt: %m");
2193 cryptsetup_enable_logging(cd
);
2195 r
= sym_crypt_load(cd
, CRYPT_LUKS
, NULL
);
2197 return log_debug_errno(r
, "Failed to load LUKS metadata: %m");
2199 r
= sym_crypt_activate_by_passphrase(cd
, name
, CRYPT_ANY_SLOT
, passphrase
, strlen(passphrase
),
2200 ((flags
& DISSECT_IMAGE_DEVICE_READ_ONLY
) ? CRYPT_ACTIVATE_READONLY
: 0) |
2201 ((flags
& DISSECT_IMAGE_DISCARD_ON_CRYPTO
) ? CRYPT_ACTIVATE_ALLOW_DISCARDS
: 0));
2203 log_debug_errno(r
, "Failed to activate LUKS device: %m");
2204 return r
== -EPERM
? -EKEYREJECTED
: r
;
2207 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
2208 .name
= TAKE_PTR(name
),
2209 .device
= TAKE_PTR(cd
),
2212 m
->decrypted_node
= TAKE_PTR(node
);
2217 static int verity_can_reuse(
2218 const VeritySettings
*verity
,
2220 struct crypt_device
**ret_cd
) {
2222 /* If the same volume was already open, check that the root hashes match, and reuse it if they do */
2223 _cleanup_free_
char *root_hash_existing
= NULL
;
2224 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2225 struct crypt_params_verity crypt_params
= {};
2226 size_t root_hash_existing_size
;
2233 r
= sym_crypt_init_by_name(&cd
, name
);
2235 return log_debug_errno(r
, "Error opening verity device, crypt_init_by_name failed: %m");
2237 cryptsetup_enable_logging(cd
);
2239 r
= sym_crypt_get_verity_info(cd
, &crypt_params
);
2241 return log_debug_errno(r
, "Error opening verity device, crypt_get_verity_info failed: %m");
2243 root_hash_existing_size
= verity
->root_hash_size
;
2244 root_hash_existing
= malloc0(root_hash_existing_size
);
2245 if (!root_hash_existing
)
2248 r
= sym_crypt_volume_key_get(cd
, CRYPT_ANY_SLOT
, root_hash_existing
, &root_hash_existing_size
, NULL
, 0);
2250 return log_debug_errno(r
, "Error opening verity device, crypt_volume_key_get failed: %m");
2251 if (verity
->root_hash_size
!= root_hash_existing_size
||
2252 memcmp(root_hash_existing
, verity
->root_hash
, verity
->root_hash_size
) != 0)
2253 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but root hashes are different.");
2255 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
2256 /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
2257 * same settings, so that a previous unsigned mount will not be reused if the user asks to use
2258 * signing for the new one, and vice versa. */
2259 if (!!verity
->root_hash_sig
!= !!(crypt_params
.flags
& CRYPT_VERITY_ROOT_HASH_SIGNATURE
))
2260 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but signature settings are not the same.");
2263 *ret_cd
= TAKE_PTR(cd
);
2267 static inline char* dm_deferred_remove_clean(char *name
) {
2271 (void) sym_crypt_deactivate_by_name(NULL
, name
, CRYPT_DEACTIVATE_DEFERRED
);
2274 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean
);
2276 static int validate_signature_userspace(const VeritySettings
*verity
) {
2278 _cleanup_(sk_X509_free_allp
) STACK_OF(X509
) *sk
= NULL
;
2279 _cleanup_strv_free_
char **certs
= NULL
;
2280 _cleanup_(PKCS7_freep
) PKCS7
*p7
= NULL
;
2281 _cleanup_free_
char *s
= NULL
;
2282 _cleanup_(BIO_freep
) BIO
*bio
= NULL
; /* 'bio' must be freed first, 's' second, hence keep this order
2283 * of declaration in place, please */
2284 const unsigned char *d
;
2289 assert(verity
->root_hash
);
2290 assert(verity
->root_hash_sig
);
2292 /* Because installing a signature certificate into the kernel chain is so messy, let's optionally do
2293 * userspace validation. */
2295 r
= conf_files_list_nulstr(&certs
, ".crt", NULL
, CONF_FILES_REGULAR
|CONF_FILES_FILTER_MASKED
, CONF_PATHS_NULSTR("verity.d"));
2297 return log_debug_errno(r
, "Failed to enumerate certificates: %m");
2298 if (strv_isempty(certs
)) {
2299 log_debug("No userspace dm-verity certificates found.");
2303 d
= verity
->root_hash_sig
;
2304 p7
= d2i_PKCS7(NULL
, &d
, (long) verity
->root_hash_sig_size
);
2306 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to parse PKCS7 DER signature data.");
2308 s
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2310 return log_oom_debug();
2312 bio
= BIO_new_mem_buf(s
, strlen(s
));
2314 return log_oom_debug();
2316 sk
= sk_X509_new_null();
2318 return log_oom_debug();
2320 STRV_FOREACH(i
, certs
) {
2321 _cleanup_(X509_freep
) X509
*c
= NULL
;
2322 _cleanup_fclose_
FILE *f
= NULL
;
2324 f
= fopen(*i
, "re");
2326 log_debug_errno(errno
, "Failed to open '%s', ignoring: %m", *i
);
2330 c
= PEM_read_X509(f
, NULL
, NULL
, NULL
);
2332 log_debug("Failed to load X509 certificate '%s', ignoring.", *i
);
2336 if (sk_X509_push(sk
, c
) == 0)
2337 return log_oom_debug();
2342 r
= PKCS7_verify(p7
, sk
, NULL
, bio
, NULL
, PKCS7_NOINTERN
|PKCS7_NOVERIFY
);
2344 log_debug("Userspace PKCS#7 validation succeeded.");
2346 log_debug("Userspace PKCS#7 validation failed: %s", ERR_error_string(ERR_get_error(), NULL
));
2350 log_debug("Not doing client-side validation of dm-verity root hash signatures, OpenSSL support disabled.");
2355 static int do_crypt_activate_verity(
2356 struct crypt_device
*cd
,
2358 const VeritySettings
*verity
) {
2360 bool check_signature
;
2367 if (verity
->root_hash_sig
) {
2368 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIGNATURE");
2369 if (r
< 0 && r
!= -ENXIO
)
2370 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIGNATURE");
2372 check_signature
= r
!= 0;
2374 check_signature
= false;
2376 if (check_signature
) {
2378 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
2379 /* First, if we have support for signed keys in the kernel, then try that first. */
2380 r
= sym_crypt_activate_by_signed_key(
2384 verity
->root_hash_size
,
2385 verity
->root_hash_sig
,
2386 verity
->root_hash_sig_size
,
2387 CRYPT_ACTIVATE_READONLY
);
2391 log_debug("Validation of dm-verity signature failed via the kernel, trying userspace validation instead.");
2393 log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
2394 program_invocation_short_name
);
2397 /* So this didn't work via the kernel, then let's try userspace validation instead. If that
2398 * works we'll try to activate without telling the kernel the signature. */
2400 r
= validate_signature_userspace(verity
);
2404 return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY
),
2405 "Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
2408 return sym_crypt_activate_by_volume_key(
2412 verity
->root_hash_size
,
2413 CRYPT_ACTIVATE_READONLY
);
2416 static int verity_partition(
2417 PartitionDesignator designator
,
2418 DissectedPartition
*m
,
2419 DissectedPartition
*v
,
2420 const VeritySettings
*verity
,
2421 DissectImageFlags flags
,
2422 DecryptedImage
*d
) {
2424 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2425 _cleanup_(dm_deferred_remove_cleanp
) char *restore_deferred_remove
= NULL
;
2426 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
2430 assert(v
|| (verity
&& verity
->data_path
));
2432 if (!verity
|| !verity
->root_hash
)
2434 if (!((verity
->designator
< 0 && designator
== PARTITION_ROOT
) ||
2435 (verity
->designator
== designator
)))
2438 if (!m
->found
|| !m
->node
|| !m
->fstype
)
2440 if (!verity
->data_path
) {
2441 if (!v
->found
|| !v
->node
|| !v
->fstype
)
2444 if (!streq(v
->fstype
, "DM_verity_hash"))
2448 r
= dlopen_cryptsetup();
2452 if (FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
)) {
2453 /* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
2454 _cleanup_free_
char *root_hash_encoded
= NULL
;
2456 root_hash_encoded
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2457 if (!root_hash_encoded
)
2460 r
= make_dm_name_and_node(root_hash_encoded
, "-verity", &name
, &node
);
2462 r
= make_dm_name_and_node(m
->node
, "-verity", &name
, &node
);
2466 r
= sym_crypt_init(&cd
, verity
->data_path
?: v
->node
);
2470 cryptsetup_enable_logging(cd
);
2472 r
= sym_crypt_load(cd
, CRYPT_VERITY
, NULL
);
2476 r
= sym_crypt_set_data_device(cd
, m
->node
);
2480 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_decrypted
+ 1))
2483 /* If activating fails because the device already exists, check the metadata and reuse it if it matches.
2484 * In case of ENODEV/ENOENT, which can happen if another process is activating at the exact same time,
2485 * retry a few times before giving up. */
2486 for (unsigned i
= 0; i
< N_DEVICE_NODE_LIST_ATTEMPTS
; i
++) {
2488 r
= do_crypt_activate_verity(cd
, name
, verity
);
2489 /* libdevmapper can return EINVAL when the device is already in the activation stage.
2490 * There's no way to distinguish this situation from a genuine error due to invalid
2491 * parameters, so immediately fall back to activating the device with a unique name.
2492 * Improvements in libcrypsetup can ensure this never happens:
2493 * https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/96 */
2494 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2495 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2498 -EEXIST
, /* Volume is already open and ready to be used */
2499 -EBUSY
, /* Volume is being opened but not ready, crypt_init_by_name can fetch details */
2500 -ENODEV
/* Volume is being opened but not ready, crypt_init_by_name would fail, try to open again */))
2502 if (IN_SET(r
, -EEXIST
, -EBUSY
)) {
2503 struct crypt_device
*existing_cd
= NULL
;
2505 if (!restore_deferred_remove
){
2506 /* To avoid races, disable automatic removal on umount while setting up the new device. Restore it on failure. */
2507 r
= dm_deferred_remove_cancel(name
);
2508 /* If activation returns EBUSY there might be no deferred removal to cancel, that's fine */
2509 if (r
< 0 && r
!= -ENXIO
)
2510 return log_debug_errno(r
, "Disabling automated deferred removal for verity device %s failed: %m", node
);
2512 restore_deferred_remove
= strdup(name
);
2513 if (!restore_deferred_remove
)
2518 r
= verity_can_reuse(verity
, name
, &existing_cd
);
2519 /* Same as above, -EINVAL can randomly happen when it actually means -EEXIST */
2520 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2521 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2522 if (!IN_SET(r
, 0, -ENODEV
, -ENOENT
, -EBUSY
))
2523 return log_debug_errno(r
, "Checking whether existing verity device %s can be reused failed: %m", node
);
2525 /* devmapper might say that the device exists, but the devlink might not yet have been
2526 * created. Check and wait for the udev event in that case. */
2527 r
= device_wait_for_devlink(node
, "block", usec_add(now(CLOCK_MONOTONIC
), 100 * USEC_PER_MSEC
), NULL
);
2528 /* Fallback to activation with a unique device if it's taking too long */
2529 if (r
== -ETIMEDOUT
)
2542 /* Device is being opened by another process, but it has not finished yet, yield for 2ms */
2543 (void) usleep(2 * USEC_PER_MSEC
);
2546 /* An existing verity device was reported by libcryptsetup/libdevmapper, but we can't use it at this time.
2547 * Fall back to activating it with a unique device name. */
2548 if (r
!= 0 && FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2549 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2551 /* Everything looks good and we'll be able to mount the device, so deferred remove will be re-enabled at that point. */
2552 restore_deferred_remove
= mfree(restore_deferred_remove
);
2554 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
2555 .name
= TAKE_PTR(name
),
2556 .device
= TAKE_PTR(cd
),
2559 m
->decrypted_node
= TAKE_PTR(node
);
2565 int dissected_image_decrypt(
2567 const char *passphrase
,
2568 const VeritySettings
*verity
,
2569 DissectImageFlags flags
,
2570 DecryptedImage
**ret
) {
2572 #if HAVE_LIBCRYPTSETUP
2573 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*d
= NULL
;
2578 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
2582 * = 0 → There was nothing to decrypt
2583 * > 0 → Decrypted successfully
2584 * -ENOKEY → There's something to decrypt but no key was supplied
2585 * -EKEYREJECTED → Passed key was not correct
2588 if (verity
&& verity
->root_hash
&& verity
->root_hash_size
< sizeof(sd_id128_t
))
2591 if (!m
->encrypted
&& !m
->verity_ready
) {
2596 #if HAVE_LIBCRYPTSETUP
2597 d
= new0(DecryptedImage
, 1);
2601 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
2602 DissectedPartition
*p
= m
->partitions
+ i
;
2603 PartitionDesignator k
;
2608 r
= decrypt_partition(p
, passphrase
, flags
, d
);
2612 k
= PARTITION_VERITY_OF(i
);
2614 r
= verity_partition(i
, p
, m
->partitions
+ k
, verity
, flags
| DISSECT_IMAGE_VERITY_SHARE
, d
);
2619 if (!p
->decrypted_fstype
&& p
->decrypted_node
) {
2620 r
= probe_filesystem(p
->decrypted_node
, &p
->decrypted_fstype
);
2621 if (r
< 0 && r
!= -EUCLEAN
)
2634 int dissected_image_decrypt_interactively(
2636 const char *passphrase
,
2637 const VeritySettings
*verity
,
2638 DissectImageFlags flags
,
2639 DecryptedImage
**ret
) {
2641 _cleanup_strv_free_erase_
char **z
= NULL
;
2648 r
= dissected_image_decrypt(m
, passphrase
, verity
, flags
, ret
);
2651 if (r
== -EKEYREJECTED
)
2652 log_error_errno(r
, "Incorrect passphrase, try again!");
2653 else if (r
!= -ENOKEY
)
2654 return log_error_errno(r
, "Failed to decrypt image: %m");
2657 return log_error_errno(SYNTHETIC_ERRNO(EKEYREJECTED
),
2658 "Too many retries.");
2662 r
= ask_password_auto("Please enter image passphrase:", NULL
, "dissect", "dissect", "dissect.passphrase", USEC_INFINITY
, 0, &z
);
2664 return log_error_errno(r
, "Failed to query for passphrase: %m");
2670 int decrypted_image_relinquish(DecryptedImage
*d
) {
2673 /* Turns on automatic removal after the last use ended for all DM devices of this image, and sets a
2674 * boolean so that we don't clean it up ourselves either anymore */
2676 #if HAVE_LIBCRYPTSETUP
2679 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2680 DecryptedPartition
*p
= d
->decrypted
+ i
;
2682 if (p
->relinquished
)
2685 r
= sym_crypt_deactivate_by_name(NULL
, p
->name
, CRYPT_DEACTIVATE_DEFERRED
);
2687 return log_debug_errno(r
, "Failed to mark %s for auto-removal: %m", p
->name
);
2689 p
->relinquished
= true;
2696 static char *build_auxiliary_path(const char *image
, const char *suffix
) {
2703 e
= endswith(image
, ".raw");
2705 return strjoin(e
, suffix
);
2707 n
= new(char, e
- image
+ strlen(suffix
) + 1);
2711 strcpy(mempcpy(n
, image
, e
- image
), suffix
);
2715 void verity_settings_done(VeritySettings
*v
) {
2718 v
->root_hash
= mfree(v
->root_hash
);
2719 v
->root_hash_size
= 0;
2721 v
->root_hash_sig
= mfree(v
->root_hash_sig
);
2722 v
->root_hash_sig_size
= 0;
2724 v
->data_path
= mfree(v
->data_path
);
2727 int verity_settings_load(
2728 VeritySettings
*verity
,
2730 const char *root_hash_path
,
2731 const char *root_hash_sig_path
) {
2733 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2734 size_t root_hash_size
= 0, root_hash_sig_size
= 0;
2735 _cleanup_free_
char *verity_data_path
= NULL
;
2736 PartitionDesignator designator
;
2741 assert(verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
2743 /* If we are asked to load the root hash for a device node, exit early */
2744 if (is_device_path(image
))
2747 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIDECAR");
2748 if (r
< 0 && r
!= -ENXIO
)
2749 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIDECAR, ignoring: %m");
2753 designator
= verity
->designator
;
2755 /* We only fill in what isn't already filled in */
2757 if (!verity
->root_hash
) {
2758 _cleanup_free_
char *text
= NULL
;
2760 if (root_hash_path
) {
2761 /* If explicitly specified it takes precedence */
2762 r
= read_one_line_file(root_hash_path
, &text
);
2767 designator
= PARTITION_ROOT
;
2769 /* Otherwise look for xattr and separate file, and first for the data for root and if
2770 * that doesn't exist for /usr */
2772 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2773 r
= getxattr_malloc(image
, "user.verity.roothash", &text
);
2775 _cleanup_free_
char *p
= NULL
;
2777 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2780 p
= build_auxiliary_path(image
, ".roothash");
2784 r
= read_one_line_file(p
, &text
);
2785 if (r
< 0 && r
!= -ENOENT
)
2790 designator
= PARTITION_ROOT
;
2793 if (!text
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2794 /* So in the "roothash" xattr/file name above the "root" of course primarily
2795 * refers to the root of the Verity Merkle tree. But coincidentally it also
2796 * is the hash for the *root* file system, i.e. the "root" neatly refers to
2797 * two distinct concepts called "root". Taking benefit of this happy
2798 * coincidence we call the file with the root hash for the /usr/ file system
2799 * `usrhash`, because `usrroothash` or `rootusrhash` would just be too
2800 * confusing. We thus drop the reference to the root of the Merkle tree, and
2801 * just indicate which file system it's about. */
2802 r
= getxattr_malloc(image
, "user.verity.usrhash", &text
);
2804 _cleanup_free_
char *p
= NULL
;
2806 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2809 p
= build_auxiliary_path(image
, ".usrhash");
2813 r
= read_one_line_file(p
, &text
);
2814 if (r
< 0 && r
!= -ENOENT
)
2819 designator
= PARTITION_USR
;
2824 r
= unhexmem(text
, strlen(text
), &root_hash
, &root_hash_size
);
2827 if (root_hash_size
< sizeof(sd_id128_t
))
2832 if ((root_hash
|| verity
->root_hash
) && !verity
->root_hash_sig
) {
2833 if (root_hash_sig_path
) {
2834 r
= read_full_file(root_hash_sig_path
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2835 if (r
< 0 && r
!= -ENOENT
)
2839 designator
= PARTITION_ROOT
;
2841 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2842 _cleanup_free_
char *p
= NULL
;
2844 /* Follow naming convention recommended by the relevant RFC:
2845 * https://tools.ietf.org/html/rfc5751#section-3.2.1 */
2846 p
= build_auxiliary_path(image
, ".roothash.p7s");
2850 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2851 if (r
< 0 && r
!= -ENOENT
)
2854 designator
= PARTITION_ROOT
;
2857 if (!root_hash_sig
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2858 _cleanup_free_
char *p
= NULL
;
2860 p
= build_auxiliary_path(image
, ".usrhash.p7s");
2864 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2865 if (r
< 0 && r
!= -ENOENT
)
2868 designator
= PARTITION_USR
;
2872 if (root_hash_sig
&& root_hash_sig_size
== 0) /* refuse empty size signatures */
2876 if (!verity
->data_path
) {
2877 _cleanup_free_
char *p
= NULL
;
2879 p
= build_auxiliary_path(image
, ".verity");
2883 if (access(p
, F_OK
) < 0) {
2884 if (errno
!= ENOENT
)
2887 verity_data_path
= TAKE_PTR(p
);
2891 verity
->root_hash
= TAKE_PTR(root_hash
);
2892 verity
->root_hash_size
= root_hash_size
;
2895 if (root_hash_sig
) {
2896 verity
->root_hash_sig
= TAKE_PTR(root_hash_sig
);
2897 verity
->root_hash_sig_size
= root_hash_sig_size
;
2900 if (verity_data_path
)
2901 verity
->data_path
= TAKE_PTR(verity_data_path
);
2903 if (verity
->designator
< 0)
2904 verity
->designator
= designator
;
2909 int dissected_image_load_verity_sig_partition(
2912 VeritySettings
*verity
) {
2914 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2915 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
2916 size_t root_hash_size
, root_hash_sig_size
;
2917 _cleanup_free_
char *buf
= NULL
;
2918 PartitionDesignator d
;
2919 DissectedPartition
*p
;
2920 JsonVariant
*rh
, *sig
;
2929 if (verity
->root_hash
&& verity
->root_hash_sig
) /* Already loaded? */
2932 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_EMBEDDED");
2933 if (r
< 0 && r
!= -ENXIO
)
2934 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_EMBEDDED, ignoring: %m");
2938 d
= PARTITION_VERITY_SIG_OF(verity
->designator
< 0 ? PARTITION_ROOT
: verity
->designator
);
2941 p
= m
->partitions
+ d
;
2944 if (p
->offset
== UINT64_MAX
|| p
->size
== UINT64_MAX
)
2947 if (p
->size
> 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
2950 buf
= new(char, p
->size
+1);
2954 n
= pread(fd
, buf
, p
->size
, p
->offset
);
2957 if ((uint64_t) n
!= p
->size
)
2960 e
= memchr(buf
, 0, p
->size
);
2962 /* If we found a NUL byte then the rest of the data must be NUL too */
2963 if (!memeqzero(e
, p
->size
- (e
- buf
)))
2964 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature data contains embedded NUL byte.");
2968 r
= json_parse(buf
, 0, &v
, NULL
, NULL
);
2970 return log_debug_errno(r
, "Failed to parse signature JSON data: %m");
2972 rh
= json_variant_by_key(v
, "rootHash");
2974 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature JSON object lacks 'rootHash' field.");
2975 if (!json_variant_is_string(rh
))
2976 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "'rootHash' field of signature JSON object is not a string.");
2978 r
= unhexmem(json_variant_string(rh
), SIZE_MAX
, &root_hash
, &root_hash_size
);
2980 return log_debug_errno(r
, "Failed to parse root hash field: %m");
2982 /* Check if specified root hash matches if it is specified */
2983 if (verity
->root_hash
&&
2984 memcmp_nn(verity
->root_hash
, verity
->root_hash_size
, root_hash
, root_hash_size
) != 0) {
2985 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
2987 a
= hexmem(root_hash
, root_hash_size
);
2988 b
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2990 return log_debug_errno(r
, "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a
), strna(b
));
2993 sig
= json_variant_by_key(v
, "signature");
2995 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature JSON object lacks 'signature' field.");
2996 if (!json_variant_is_string(sig
))
2997 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "'signature' field of signature JSON object is not a string.");
2999 r
= unbase64mem(json_variant_string(sig
), SIZE_MAX
, &root_hash_sig
, &root_hash_sig_size
);
3001 return log_debug_errno(r
, "Failed to parse signature field: %m");
3003 free_and_replace(verity
->root_hash
, root_hash
);
3004 verity
->root_hash_size
= root_hash_size
;
3006 free_and_replace(verity
->root_hash_sig
, root_hash_sig
);
3007 verity
->root_hash_sig_size
= root_hash_sig_size
;
3012 int dissected_image_acquire_metadata(DissectedImage
*m
) {
3019 META_EXTENSION_RELEASE
,
3020 META_HAS_INIT_SYSTEM
,
3024 static const char *const paths
[_META_MAX
] = {
3025 [META_HOSTNAME
] = "/etc/hostname\0",
3026 [META_MACHINE_ID
] = "/etc/machine-id\0",
3027 [META_MACHINE_INFO
] = "/etc/machine-info\0",
3028 [META_OS_RELEASE
] = ("/etc/os-release\0"
3029 "/usr/lib/os-release\0"),
3030 [META_EXTENSION_RELEASE
] = "extension-release\0", /* Used only for logging. */
3031 [META_HAS_INIT_SYSTEM
] = "has-init-system\0", /* ditto */
3034 _cleanup_strv_free_
char **machine_info
= NULL
, **os_release
= NULL
, **extension_release
= NULL
;
3035 _cleanup_close_pair_
int error_pipe
[2] = { -1, -1 };
3036 _cleanup_(rmdir_and_freep
) char *t
= NULL
;
3037 _cleanup_(sigkill_waitp
) pid_t child
= 0;
3038 sd_id128_t machine_id
= SD_ID128_NULL
;
3039 _cleanup_free_
char *hostname
= NULL
;
3040 unsigned n_meta_initialized
= 0;
3041 int fds
[2 * _META_MAX
], r
, v
;
3042 int has_init_system
= -1;
3045 BLOCK_SIGNALS(SIGCHLD
);
3049 for (; n_meta_initialized
< _META_MAX
; n_meta_initialized
++) {
3050 if (!paths
[n_meta_initialized
]) {
3051 fds
[2*n_meta_initialized
] = fds
[2*n_meta_initialized
+1] = -1;
3055 if (pipe2(fds
+ 2*n_meta_initialized
, O_CLOEXEC
) < 0) {
3061 r
= mkdtemp_malloc("/tmp/dissect-XXXXXX", &t
);
3065 if (pipe2(error_pipe
, O_CLOEXEC
) < 0) {
3070 r
= safe_fork("(sd-dissect)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_NEW_MOUNTNS
|FORK_MOUNTNS_SLAVE
, &child
);
3074 /* Child in a new mount namespace */
3075 error_pipe
[0] = safe_close(error_pipe
[0]);
3077 r
= dissected_image_mount(
3082 DISSECT_IMAGE_READ_ONLY
|
3083 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|
3084 DISSECT_IMAGE_VALIDATE_OS
|
3085 DISSECT_IMAGE_VALIDATE_OS_EXT
|
3086 DISSECT_IMAGE_USR_NO_ROOT
);
3088 log_debug_errno(r
, "Failed to mount dissected image: %m");
3092 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
3093 _cleanup_close_
int fd
= -ENOENT
;
3099 fds
[2*k
] = safe_close(fds
[2*k
]);
3103 case META_EXTENSION_RELEASE
:
3104 /* As per the os-release spec, if the image is an extension it will have a file
3105 * named after the image name in extension-release.d/ - we use the image name
3106 * and try to resolve it with the extension-release helpers, as sometimes
3107 * the image names are mangled on deployment and do not match anymore.
3108 * Unlike other paths this is not fixed, and the image name
3109 * can be mangled on deployment, so by calling into the helper
3110 * we allow a fallback that matches on the first extension-release
3111 * file found in the directory, if one named after the image cannot
3112 * be found first. */
3113 r
= open_extension_release(t
, m
->image_name
, NULL
, &fd
);
3115 fd
= r
; /* Propagate the error. */
3118 case META_HAS_INIT_SYSTEM
: {
3122 FOREACH_STRING(init
,
3123 "/usr/lib/systemd/systemd", /* systemd on /usr merged system */
3124 "/lib/systemd/systemd", /* systemd on /usr non-merged systems */
3125 "/sbin/init") { /* traditional path the Linux kernel invokes */
3127 r
= chase_symlinks(init
, t
, CHASE_PREFIX_ROOT
, NULL
, NULL
);
3130 log_debug_errno(r
, "Failed to resolve %s, ignoring: %m", init
);
3137 r
= loop_write(fds
[2*k
+1], &found
, sizeof(found
), false);
3145 NULSTR_FOREACH(p
, paths
[k
]) {
3146 fd
= chase_symlinks_and_open(p
, t
, CHASE_PREFIX_ROOT
, O_RDONLY
|O_CLOEXEC
|O_NOCTTY
, NULL
);
3153 log_debug_errno(fd
, "Failed to read %s file of image, ignoring: %m", paths
[k
]);
3154 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3158 r
= copy_bytes(fd
, fds
[2*k
+1], UINT64_MAX
, 0);
3162 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3165 _exit(EXIT_SUCCESS
);
3168 /* Let parent know the error */
3169 (void) write(error_pipe
[1], &r
, sizeof(r
));
3170 _exit(EXIT_FAILURE
);
3173 error_pipe
[1] = safe_close(error_pipe
[1]);
3175 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
3176 _cleanup_fclose_
FILE *f
= NULL
;
3181 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3183 f
= take_fdopen(&fds
[2*k
], "r");
3192 r
= read_etc_hostname_stream(f
, &hostname
);
3194 log_debug_errno(r
, "Failed to read /etc/hostname: %m");
3198 case META_MACHINE_ID
: {
3199 _cleanup_free_
char *line
= NULL
;
3201 r
= read_line(f
, LONG_LINE_MAX
, &line
);
3203 log_debug_errno(r
, "Failed to read /etc/machine-id: %m");
3205 r
= sd_id128_from_string(line
, &machine_id
);
3207 log_debug_errno(r
, "Image contains invalid /etc/machine-id: %s", line
);
3209 log_debug("/etc/machine-id file is empty.");
3210 else if (streq(line
, "uninitialized"))
3211 log_debug("/etc/machine-id file is uninitialized (likely aborted first boot).");
3213 log_debug("/etc/machine-id has unexpected length %i.", r
);
3218 case META_MACHINE_INFO
:
3219 r
= load_env_file_pairs(f
, "machine-info", &machine_info
);
3221 log_debug_errno(r
, "Failed to read /etc/machine-info: %m");
3225 case META_OS_RELEASE
:
3226 r
= load_env_file_pairs(f
, "os-release", &os_release
);
3228 log_debug_errno(r
, "Failed to read OS release file: %m");
3232 case META_EXTENSION_RELEASE
:
3233 r
= load_env_file_pairs(f
, "extension-release", &extension_release
);
3235 log_debug_errno(r
, "Failed to read extension release file: %m");
3239 case META_HAS_INIT_SYSTEM
: {
3244 nr
= fread(&b
, 1, sizeof(b
), f
);
3245 if (nr
!= sizeof(b
))
3246 log_debug_errno(errno_or_else(EIO
), "Failed to read has-init-system boolean: %m");
3248 has_init_system
= b
;
3254 r
= wait_for_terminate_and_check("(sd-dissect)", child
, 0);
3259 n
= read(error_pipe
[0], &v
, sizeof(v
));
3263 return v
; /* propagate error sent to us from child */
3267 if (r
!= EXIT_SUCCESS
)
3270 free_and_replace(m
->hostname
, hostname
);
3271 m
->machine_id
= machine_id
;
3272 strv_free_and_replace(m
->machine_info
, machine_info
);
3273 strv_free_and_replace(m
->os_release
, os_release
);
3274 strv_free_and_replace(m
->extension_release
, extension_release
);
3275 m
->has_init_system
= has_init_system
;
3278 for (unsigned k
= 0; k
< n_meta_initialized
; k
++)
3279 safe_close_pair(fds
+ 2*k
);
3284 int dissect_image_and_warn(
3287 const VeritySettings
*verity
,
3288 const MountOptions
*mount_options
,
3290 uint64_t uevent_seqnum_not_before
,
3291 usec_t timestamp_not_before
,
3292 DissectImageFlags flags
,
3293 DissectedImage
**ret
) {
3295 _cleanup_free_
char *buffer
= NULL
;
3299 r
= fd_get_path(fd
, &buffer
);
3306 r
= dissect_image(fd
, verity
, mount_options
, diskseq
, uevent_seqnum_not_before
, timestamp_not_before
, flags
, ret
);
3310 return log_error_errno(r
, "Dissecting images is not supported, compiled without blkid support.");
3313 return log_error_errno(r
, "Couldn't identify a suitable partition table or file system in '%s'.", name
);
3315 case -EADDRNOTAVAIL
:
3316 return log_error_errno(r
, "No root partition for specified root hash found in '%s'.", name
);
3319 return log_error_errno(r
, "Multiple suitable root partitions found in image '%s'.", name
);
3322 return log_error_errno(r
, "No suitable root partition found in image '%s'.", name
);
3324 case -EPROTONOSUPPORT
:
3325 return log_error_errno(r
, "Device '%s' is loopback block device with partition scanning turned off, please turn it on.", name
);
3328 return log_error_errno(r
,
3329 "Combining partitioned images (such as '%s') with external Verity data (such as '%s') not supported. "
3330 "(Consider setting $SYSTEMD_DISSECT_VERITY_SIDECAR=0 to disable automatic discovery of external Verity data.)",
3331 name
, strna(verity
? verity
->data_path
: NULL
));
3334 return log_error_errno(r
, "Specified image '%s' is not a block device.", name
);
3338 return log_error_errno(r
, "Failed to dissect image '%s': %m", name
);
3344 bool dissected_image_verity_candidate(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3347 /* Checks if this partition could theoretically do Verity. For non-partitioned images this only works
3348 * if there's an external verity file supplied, for which we can consult .has_verity. For partitioned
3349 * images we only check the partition type.
3351 * This call is used to decide whether to suppress or show a verity column in tabular output of the
3354 if (image
->single_file_system
)
3355 return partition_designator
== PARTITION_ROOT
&& image
->has_verity
;
3357 return PARTITION_VERITY_OF(partition_designator
) >= 0;
3360 bool dissected_image_verity_ready(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3361 PartitionDesignator k
;
3365 /* Checks if this partition has verity data available that we can activate. For non-partitioned this
3366 * works for the root partition, for others only if the associated verity partition was found. */
3368 if (!image
->verity_ready
)
3371 if (image
->single_file_system
)
3372 return partition_designator
== PARTITION_ROOT
;
3374 k
= PARTITION_VERITY_OF(partition_designator
);
3375 return k
>= 0 && image
->partitions
[k
].found
;
3378 bool dissected_image_verity_sig_ready(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3379 PartitionDesignator k
;
3383 /* Checks if this partition has verity signature data available that we can use. */
3385 if (!image
->verity_sig_ready
)
3388 if (image
->single_file_system
)
3389 return partition_designator
== PARTITION_ROOT
;
3391 k
= PARTITION_VERITY_SIG_OF(partition_designator
);
3392 return k
>= 0 && image
->partitions
[k
].found
;
3395 MountOptions
* mount_options_free_all(MountOptions
*options
) {
3398 while ((m
= options
)) {
3399 LIST_REMOVE(mount_options
, options
, m
);
3407 const char* mount_options_from_designator(const MountOptions
*options
, PartitionDesignator designator
) {
3408 const MountOptions
*m
;
3410 LIST_FOREACH(mount_options
, m
, options
)
3411 if (designator
== m
->partition_designator
&& !isempty(m
->options
))
3417 int mount_image_privately_interactively(
3419 DissectImageFlags flags
,
3420 char **ret_directory
,
3421 LoopDevice
**ret_loop_device
,
3422 DecryptedImage
**ret_decrypted_image
) {
3424 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
3425 _cleanup_(loop_device_unrefp
) LoopDevice
*d
= NULL
;
3426 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3427 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3428 _cleanup_(rmdir_and_freep
) char *created_dir
= NULL
;
3429 _cleanup_free_
char *temp
= NULL
;
3432 /* Mounts an OS image at a temporary place, inside a newly created mount namespace of our own. This
3433 * is used by tools such as systemd-tmpfiles or systemd-firstboot to operate on some disk image
3437 assert(ret_directory
);
3438 assert(ret_loop_device
);
3439 assert(ret_decrypted_image
);
3441 r
= verity_settings_load(&verity
, image
, NULL
, NULL
);
3443 return log_error_errno(r
, "Failed to load root hash data: %m");
3445 r
= tempfn_random_child(NULL
, program_invocation_short_name
, &temp
);
3447 return log_error_errno(r
, "Failed to generate temporary mount directory: %m");
3449 r
= loop_device_make_by_path(
3451 FLAGS_SET(flags
, DISSECT_IMAGE_DEVICE_READ_ONLY
) ? O_RDONLY
: O_RDWR
,
3452 FLAGS_SET(flags
, DISSECT_IMAGE_NO_PARTITION_TABLE
) ? 0 : LO_FLAGS_PARTSCAN
,
3455 return log_error_errno(r
, "Failed to set up loopback device for %s: %m", image
);
3457 r
= dissect_image_and_warn(d
->fd
, image
, &verity
, NULL
, d
->diskseq
, d
->uevent_seqnum_not_before
, d
->timestamp_not_before
, flags
, &dissected_image
);
3461 r
= dissected_image_load_verity_sig_partition(dissected_image
, d
->fd
, &verity
);
3465 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, &verity
, flags
, &decrypted_image
);
3469 r
= detach_mount_namespace();
3471 return log_error_errno(r
, "Failed to detach mount namespace: %m");
3473 r
= mkdir_p(temp
, 0700);
3475 return log_error_errno(r
, "Failed to create mount point: %m");
3477 created_dir
= TAKE_PTR(temp
);
3479 r
= dissected_image_mount_and_warn(dissected_image
, created_dir
, UID_INVALID
, UID_INVALID
, flags
);
3483 if (decrypted_image
) {
3484 r
= decrypted_image_relinquish(decrypted_image
);
3486 return log_error_errno(r
, "Failed to relinquish DM devices: %m");
3489 loop_device_relinquish(d
);
3491 *ret_directory
= TAKE_PTR(created_dir
);
3492 *ret_loop_device
= TAKE_PTR(d
);
3493 *ret_decrypted_image
= TAKE_PTR(decrypted_image
);
3498 static const char *const partition_designator_table
[] = {
3499 [PARTITION_ROOT
] = "root",
3500 [PARTITION_ROOT_SECONDARY
] = "root-secondary",
3501 [PARTITION_USR
] = "usr",
3502 [PARTITION_USR_SECONDARY
] = "usr-secondary",
3503 [PARTITION_HOME
] = "home",
3504 [PARTITION_SRV
] = "srv",
3505 [PARTITION_ESP
] = "esp",
3506 [PARTITION_XBOOTLDR
] = "xbootldr",
3507 [PARTITION_SWAP
] = "swap",
3508 [PARTITION_ROOT_VERITY
] = "root-verity",
3509 [PARTITION_ROOT_SECONDARY_VERITY
] = "root-secondary-verity",
3510 [PARTITION_USR_VERITY
] = "usr-verity",
3511 [PARTITION_USR_SECONDARY_VERITY
] = "usr-secondary-verity",
3512 [PARTITION_ROOT_VERITY_SIG
] = "root-verity-sig",
3513 [PARTITION_ROOT_SECONDARY_VERITY_SIG
] = "root-secondary-verity-sig",
3514 [PARTITION_USR_VERITY_SIG
] = "usr-verity-sig",
3515 [PARTITION_USR_SECONDARY_VERITY_SIG
] = "usr-secondary-verity-sig",
3516 [PARTITION_TMP
] = "tmp",
3517 [PARTITION_VAR
] = "var",
3520 int verity_dissect_and_mount(
3523 const MountOptions
*options
,
3524 const char *required_host_os_release_id
,
3525 const char *required_host_os_release_version_id
,
3526 const char *required_host_os_release_sysext_level
,
3527 const char *required_sysext_scope
) {
3529 _cleanup_(loop_device_unrefp
) LoopDevice
*loop_device
= NULL
;
3530 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3531 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3532 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
3533 DissectImageFlags dissect_image_flags
;
3539 r
= verity_settings_load(&verity
, src
, NULL
, NULL
);
3541 return log_debug_errno(r
, "Failed to load root hash: %m");
3543 dissect_image_flags
= verity
.data_path
? DISSECT_IMAGE_NO_PARTITION_TABLE
: 0;
3545 r
= loop_device_make_by_path(
3548 verity
.data_path
? 0 : LO_FLAGS_PARTSCAN
,
3551 return log_debug_errno(r
, "Failed to create loop device for image: %m");
3557 loop_device
->diskseq
,
3558 loop_device
->uevent_seqnum_not_before
,
3559 loop_device
->timestamp_not_before
,
3560 dissect_image_flags
,
3562 /* No partition table? Might be a single-filesystem image, try again */
3563 if (!verity
.data_path
&& r
== -ENOPKG
)
3568 loop_device
->diskseq
,
3569 loop_device
->uevent_seqnum_not_before
,
3570 loop_device
->timestamp_not_before
,
3571 dissect_image_flags
| DISSECT_IMAGE_NO_PARTITION_TABLE
,
3574 return log_debug_errno(r
, "Failed to dissect image: %m");
3576 r
= dissected_image_load_verity_sig_partition(dissected_image
, loop_device
->fd
, &verity
);
3580 r
= dissected_image_decrypt(
3584 dissect_image_flags
,
3587 return log_debug_errno(r
, "Failed to decrypt dissected image: %m");
3589 r
= mkdir_p_label(dest
, 0755);
3591 return log_debug_errno(r
, "Failed to create destination directory %s: %m", dest
);
3592 r
= umount_recursive(dest
, 0);
3594 return log_debug_errno(r
, "Failed to umount under destination directory %s: %m", dest
);
3596 r
= dissected_image_mount(dissected_image
, dest
, UID_INVALID
, UID_INVALID
, dissect_image_flags
);
3598 return log_debug_errno(r
, "Failed to mount image: %m");
3600 /* If we got os-release values from the caller, then we need to match them with the image's
3601 * extension-release.d/ content. Return -EINVAL if there's any mismatch.
3602 * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
3603 * available, or else fallback to VERSION_ID. */
3604 if (required_host_os_release_id
&&
3605 (required_host_os_release_version_id
|| required_host_os_release_sysext_level
)) {
3606 _cleanup_strv_free_
char **extension_release
= NULL
;
3608 r
= load_extension_release_pairs(dest
, dissected_image
->image_name
, &extension_release
);
3610 return log_debug_errno(r
, "Failed to parse image %s extension-release metadata: %m", dissected_image
->image_name
);
3612 r
= extension_release_validate(
3613 dissected_image
->image_name
,
3614 required_host_os_release_id
,
3615 required_host_os_release_version_id
,
3616 required_host_os_release_sysext_level
,
3617 required_sysext_scope
,
3620 return log_debug_errno(SYNTHETIC_ERRNO(ESTALE
), "Image %s extension-release metadata does not match the root's", dissected_image
->image_name
);
3622 return log_debug_errno(r
, "Failed to compare image %s extension-release metadata with the root's os-release: %m", dissected_image
->image_name
);
3625 if (decrypted_image
) {
3626 r
= decrypted_image_relinquish(decrypted_image
);
3628 return log_debug_errno(r
, "Failed to relinquish decrypted image: %m");
3631 loop_device_relinquish(loop_device
);
3636 DEFINE_STRING_TABLE_LOOKUP(partition_designator
, PartitionDesignator
);