1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #if HAVE_VALGRIND_MEMCHECK_H
4 #include <valgrind/memcheck.h>
7 #include <linux/dm-ioctl.h>
8 #include <linux/loop.h>
10 #include <sys/prctl.h>
15 #include <openssl/err.h>
16 #include <openssl/pem.h>
17 #include <openssl/x509.h>
20 #include "sd-device.h"
23 #include "architecture.h"
24 #include "ask-password-api.h"
25 #include "blkid-util.h"
26 #include "blockdev-util.h"
27 #include "conf-files.h"
29 #include "cryptsetup-util.h"
31 #include "device-nodes.h"
32 #include "device-util.h"
33 #include "discover-image.h"
34 #include "dissect-image.h"
38 #include "extension-release.h"
42 #include "fsck-util.h"
44 #include "hexdecoct.h"
45 #include "hostname-setup.h"
46 #include "id128-util.h"
47 #include "import-util.h"
49 #include "mount-util.h"
50 #include "mountpoint-util.h"
51 #include "namespace-util.h"
52 #include "nulstr-util.h"
53 #include "openssl-util.h"
55 #include "path-util.h"
56 #include "process-util.h"
57 #include "raw-clone.h"
58 #include "resize-fs.h"
59 #include "signal-util.h"
60 #include "stat-util.h"
61 #include "stdio-util.h"
62 #include "string-table.h"
63 #include "string-util.h"
65 #include "tmpfile-util.h"
66 #include "udev-util.h"
67 #include "user-util.h"
68 #include "xattr-util.h"
70 /* how many times to wait for the device nodes to appear */
71 #define N_DEVICE_NODE_LIST_ATTEMPTS 10
73 int probe_filesystem(const char *node
, char **ret_fstype
) {
74 /* Try to find device content type and return it in *ret_fstype. If nothing is found,
75 * 0/NULL will be returned. -EUCLEAN will be returned for ambiguous results, and an
76 * different error otherwise. */
79 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
84 b
= blkid_new_probe_from_filename(node
);
86 return errno_or_else(ENOMEM
);
88 blkid_probe_enable_superblocks(b
, 1);
89 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
92 r
= blkid_do_safeprobe(b
);
94 log_debug("No type detected on partition %s", node
);
98 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
),
99 "Results ambiguous for partition %s", node
);
101 return errno_or_else(EIO
);
103 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
125 static int enumerator_for_parent(sd_device
*d
, sd_device_enumerator
**ret
) {
126 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
132 r
= sd_device_enumerator_new(&e
);
136 r
= sd_device_enumerator_add_match_subsystem(e
, "block", true);
140 r
= sd_device_enumerator_add_match_parent(e
, d
);
144 r
= sd_device_enumerator_add_match_sysattr(e
, "partition", NULL
, true);
152 static int device_is_partition(
154 sd_device
*expected_parent
,
155 blkid_partition pp
) {
157 const char *v
, *parent_syspath
, *expected_parent_syspath
;
158 blkid_loff_t bsize
, bstart
;
159 uint64_t size
, start
;
160 int partno
, bpartno
, r
;
164 assert(expected_parent
);
167 r
= sd_device_get_subsystem(d
, &v
);
170 if (!streq(v
, "block"))
173 if (sd_device_get_devtype(d
, &v
) < 0 || !streq(v
, "partition"))
176 r
= sd_device_get_parent(d
, &parent
);
178 return false; /* Doesn't have a parent? No relevant to us */
180 r
= sd_device_get_syspath(parent
, &parent_syspath
); /* Check parent of device of this action */
184 r
= sd_device_get_syspath(expected_parent
, &expected_parent_syspath
); /* Check parent of device we are looking for */
188 if (!path_equal(parent_syspath
, expected_parent_syspath
))
189 return false; /* Has a different parent than what we need, not interesting to us */
191 /* On kernel uevents we may find the partition number in the PARTN= field. Let's use that preferably,
192 * since it's cheaper and more importantly: the sysfs attribute "partition" appears to become
193 * available late, hence let's use the property instead, which is available at the moment we see the
195 r
= sd_device_get_property_value(d
, "PARTN", &v
);
197 r
= sd_device_get_sysattr_value(d
, "partition", &v
);
201 r
= safe_atoi(v
, &partno
);
206 bpartno
= blkid_partition_get_partno(pp
);
208 return errno_or_else(EIO
);
210 if (partno
!= bpartno
)
213 r
= sd_device_get_sysattr_value(d
, "start", &v
);
216 r
= safe_atou64(v
, &start
);
221 bstart
= blkid_partition_get_start(pp
);
223 return errno_or_else(EIO
);
225 if (start
!= (uint64_t) bstart
)
228 r
= sd_device_get_sysattr_value(d
, "size", &v
);
231 r
= safe_atou64(v
, &size
);
236 bsize
= blkid_partition_get_size(pp
);
238 return errno_or_else(EIO
);
240 if (size
!= (uint64_t) bsize
)
246 static int find_partition(
249 usec_t timestamp_not_before
,
250 DissectImageFlags flags
,
253 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
261 r
= enumerator_for_parent(parent
, &e
);
265 FOREACH_DEVICE(e
, q
) {
268 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
269 r
= sd_device_get_usec_initialized(q
, &usec
);
270 if (r
== -EBUSY
) /* Not initialized yet */
275 if (timestamp_not_before
!= USEC_INFINITY
&&
276 usec
< timestamp_not_before
) /* udev database entry older than our attachment? Then it's not ours */
280 r
= device_is_partition(q
, parent
, pp
);
284 *ret
= sd_device_ref(q
);
293 sd_device
*parent_device
;
294 blkid_partition blkidp
;
297 uint64_t uevent_seqnum_not_before
;
298 usec_t timestamp_not_before
;
299 DissectImageFlags flags
;
302 static inline void wait_data_done(struct wait_data
*d
) {
303 sd_device_unref(d
->found
);
306 static int device_monitor_handler(sd_device_monitor
*monitor
, sd_device
*device
, void *userdata
) {
307 struct wait_data
*w
= userdata
;
312 if (device_for_action(device
, SD_DEVICE_REMOVE
))
315 if (w
->diskseq
!= 0) {
318 /* If w->diskseq is non-zero, then we must have a disk seqnum */
319 r
= sd_device_get_diskseq(device
, &diskseq
);
321 log_debug_errno(r
, "Dropping event because it has no diskseq, but waiting for %" PRIu64
, w
->diskseq
);
324 if (diskseq
< w
->diskseq
) {
325 log_debug("Dropping event because diskseq too old (%" PRIu64
" < %" PRIu64
")",
326 diskseq
, w
->diskseq
);
329 if (diskseq
> w
->diskseq
) {
331 goto finish
; /* Newer than what we were expecting, so we missed it, stop waiting */
333 } else if (w
->uevent_seqnum_not_before
!= UINT64_MAX
) {
336 r
= sd_device_get_seqnum(device
, &seqnum
);
340 if (seqnum
<= w
->uevent_seqnum_not_before
) { /* From an older use of this loop device */
341 log_debug("Dropping event because seqnum too old (%" PRIu64
" <= %" PRIu64
")",
342 seqnum
, w
->uevent_seqnum_not_before
);
347 r
= device_is_partition(device
, w
->parent_device
, w
->blkidp
);
350 if (r
== 0) /* Not the one we need */
353 /* It's the one we need! Yay! */
355 w
->found
= sd_device_ref(device
);
359 return sd_event_exit(sd_device_monitor_get_event(monitor
), r
);
362 static int timeout_handler(sd_event_source
*s
, uint64_t usec
, void *userdata
) {
363 struct wait_data
*w
= userdata
;
368 /* Why partition not appeared within the timeout? We may lost some uevent, as some properties
369 * were not ready when we received uevent... Not sure, but anyway, let's try to find the
370 * partition again before give up. */
372 r
= find_partition(w
->parent_device
, w
->blkidp
, w
->timestamp_not_before
, w
->flags
, &w
->found
);
374 return log_debug_errno(SYNTHETIC_ERRNO(ETIMEDOUT
),
375 "Partition still not appeared after timeout reached.");
377 return log_debug_errno(r
, "Failed to find partition: %m");
379 log_debug("Partition appeared after timeout reached.");
380 return sd_event_exit(sd_event_source_get_event(s
), 0);
383 static int retry_handler(sd_event_source
*s
, uint64_t usec
, void *userdata
) {
384 struct wait_data
*w
= userdata
;
389 r
= find_partition(w
->parent_device
, w
->blkidp
, w
->timestamp_not_before
, w
->flags
, &w
->found
);
392 return log_debug_errno(r
, "Failed to find partition: %m");
394 log_debug("Partition found by a periodic search.");
395 return sd_event_exit(sd_event_source_get_event(s
), 0);
398 r
= sd_event_source_set_time_relative(s
, 500 * USEC_PER_MSEC
);
402 return sd_event_source_set_enabled(s
, SD_EVENT_ONESHOT
);
405 static int wait_for_partition_device(
410 uint64_t uevent_seqnum_not_before
,
411 usec_t timestamp_not_before
,
412 DissectImageFlags flags
,
415 _cleanup_(sd_event_source_unrefp
) sd_event_source
*timeout_source
= NULL
, *retry_source
= NULL
;
416 _cleanup_(sd_device_monitor_unrefp
) sd_device_monitor
*monitor
= NULL
;
417 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
424 r
= find_partition(parent
, pp
, timestamp_not_before
, flags
, ret
);
428 r
= sd_event_new(&event
);
432 r
= sd_device_monitor_new(&monitor
);
436 r
= sd_device_monitor_filter_add_match_subsystem_devtype(monitor
, "block", "partition");
440 r
= sd_device_monitor_filter_add_match_parent(monitor
, parent
, true);
444 r
= sd_device_monitor_filter_add_match_sysattr(monitor
, "partition", NULL
, true);
448 r
= sd_device_monitor_attach_event(monitor
, event
);
452 _cleanup_(wait_data_done
) struct wait_data w
= {
453 .parent_device
= parent
,
456 .uevent_seqnum_not_before
= uevent_seqnum_not_before
,
457 .timestamp_not_before
= timestamp_not_before
,
461 r
= sd_device_monitor_start(monitor
, device_monitor_handler
, &w
);
465 /* Check again, the partition might have appeared in the meantime */
466 r
= find_partition(parent
, pp
, timestamp_not_before
, flags
, ret
);
470 if (deadline
!= USEC_INFINITY
) {
471 r
= sd_event_add_time(
472 event
, &timeout_source
,
473 CLOCK_MONOTONIC
, deadline
, 0,
474 timeout_handler
, &w
);
478 r
= sd_event_source_set_exit_on_failure(timeout_source
, true);
483 /* If we don't have a disk sequence number then we cannot do exact matching,
484 * and we cannot know if we missed it or if it has not been sent yet, so set
485 * up additional retries to increase the chances of receiving the event. */
487 r
= sd_event_add_time_relative(
488 event
, &retry_source
,
489 CLOCK_MONOTONIC
, 500 * USEC_PER_MSEC
, 0,
494 r
= sd_event_source_set_exit_on_failure(retry_source
, true);
499 r
= sd_event_loop(event
);
504 *ret
= TAKE_PTR(w
.found
);
508 static void check_partition_flags(
510 unsigned long long pflags
,
511 unsigned long long supported
) {
515 /* Mask away all flags supported by this partition's type and the three flags the UEFI spec defines generically */
516 pflags
&= ~(supported
| GPT_FLAG_REQUIRED_PARTITION
| GPT_FLAG_NO_BLOCK_IO_PROTOCOL
| GPT_FLAG_LEGACY_BIOS_BOOTABLE
);
521 /* If there are other bits set, then log about it, to make things discoverable */
522 for (unsigned i
= 0; i
< sizeof(pflags
) * 8; i
++) {
523 unsigned long long bit
= 1ULL << i
;
524 if (!FLAGS_SET(pflags
, bit
))
527 log_debug("Unexpected partition flag %llu set on %s!", bit
, node
);
531 static int device_wait_for_initialization_harder(
533 const char *subsystem
,
537 usec_t start
, left
, retrigger_timeout
;
540 start
= now(CLOCK_MONOTONIC
);
541 left
= usec_sub_unsigned(deadline
, start
);
544 const char *sn
= NULL
;
546 (void) sd_device_get_sysname(device
, &sn
);
547 log_device_debug(device
,
548 "Waiting for device '%s' to initialize for %s.", strna(sn
), FORMAT_TIMESPAN(left
, 0));
551 if (left
!= USEC_INFINITY
)
552 retrigger_timeout
= CLAMP(left
/ 4, 1 * USEC_PER_SEC
, 5 * USEC_PER_SEC
); /* A fourth of the total timeout, but let's clamp to 1s…5s range */
554 retrigger_timeout
= 2 * USEC_PER_SEC
;
557 usec_t local_deadline
, n
;
560 n
= now(CLOCK_MONOTONIC
);
563 /* Find next deadline, when we'll retrigger */
564 local_deadline
= start
+
565 DIV_ROUND_UP(n
- start
, retrigger_timeout
) * retrigger_timeout
;
567 if (deadline
!= USEC_INFINITY
&& deadline
<= local_deadline
) {
568 local_deadline
= deadline
;
573 r
= device_wait_for_initialization(device
, subsystem
, local_deadline
, ret
);
574 if (r
>= 0 && DEBUG_LOGGING
) {
575 const char *sn
= NULL
;
577 (void) sd_device_get_sysname(device
, &sn
);
578 log_device_debug(device
,
579 "Successfully waited for device '%s' to initialize for %s.",
581 FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
584 if (r
!= -ETIMEDOUT
|| last_try
)
588 log_device_debug(device
,
589 "Device didn't initialize within %s, assuming lost event. Retriggering device.",
590 FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
592 r
= sd_device_trigger(device
, SD_DEVICE_CHANGE
);
599 #define DEVICE_TIMEOUT_USEC (45 * USEC_PER_SEC)
601 static void dissected_partition_done(DissectedPartition
*p
) {
607 free(p
->decrypted_fstype
);
608 free(p
->decrypted_node
);
609 free(p
->mount_options
);
611 *p
= (DissectedPartition
) {
619 const VeritySettings
*verity
,
620 const MountOptions
*mount_options
,
622 uint64_t uevent_seqnum_not_before
,
623 usec_t timestamp_not_before
,
624 DissectImageFlags flags
,
625 DissectedImage
**ret
) {
628 #ifdef GPT_ROOT_NATIVE
629 sd_id128_t root_uuid
= SD_ID128_NULL
, root_verity_uuid
= SD_ID128_NULL
;
631 #ifdef GPT_USR_NATIVE
632 sd_id128_t usr_uuid
= SD_ID128_NULL
, usr_verity_uuid
= SD_ID128_NULL
;
634 bool is_gpt
, is_mbr
, multiple_generic
= false,
635 generic_rw
= false, /* initialize to appease gcc */
636 generic_growfs
= false;
637 _cleanup_(sd_device_unrefp
) sd_device
*d
= NULL
;
638 _cleanup_(dissected_image_unrefp
) DissectedImage
*m
= NULL
;
639 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
640 _cleanup_free_
char *generic_node
= NULL
;
641 sd_id128_t generic_uuid
= SD_ID128_NULL
;
642 const char *pttype
= NULL
, *sysname
= NULL
;
644 int r
, generic_nr
= -1, n_partitions
;
650 assert(!verity
|| verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
651 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
652 assert(!verity
|| verity
->root_hash_sig
|| verity
->root_hash_sig_size
== 0);
653 assert(!verity
|| (verity
->root_hash
|| !verity
->root_hash_sig
));
654 assert(!((flags
& DISSECT_IMAGE_GPT_ONLY
) && (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)));
656 /* Probes a disk image, and returns information about what it found in *ret.
658 * Returns -ENOPKG if no suitable partition table or file system could be found.
659 * Returns -EADDRNOTAVAIL if a root hash was specified but no matching root/verity partitions found.
660 * Returns -ENXIO if we couldn't find any partition suitable as root or /usr partition
661 * Returns -ENOTUNIQ if we only found multiple generic partitions and thus don't know what to do with that */
663 if (verity
&& verity
->root_hash
) {
664 sd_id128_t fsuuid
, vuuid
;
666 /* If a root hash is supplied, then we use the root partition that has a UUID that match the
667 * first 128bit of the root hash. And we use the verity partition that has a UUID that match
668 * the final 128bit. */
670 if (verity
->root_hash_size
< sizeof(sd_id128_t
))
673 memcpy(&fsuuid
, verity
->root_hash
, sizeof(sd_id128_t
));
674 memcpy(&vuuid
, (const uint8_t*) verity
->root_hash
+ verity
->root_hash_size
- sizeof(sd_id128_t
), sizeof(sd_id128_t
));
676 if (sd_id128_is_null(fsuuid
))
678 if (sd_id128_is_null(vuuid
))
681 /* If the verity data declares it's for the /usr partition, then search for that, in all
682 * other cases assume it's for the root partition. */
683 #ifdef GPT_USR_NATIVE
684 if (verity
->designator
== PARTITION_USR
) {
686 usr_verity_uuid
= vuuid
;
689 #ifdef GPT_ROOT_NATIVE
691 root_verity_uuid
= vuuid
;
693 #ifdef GPT_USR_NATIVE
698 if (fstat(fd
, &st
) < 0)
701 if (!S_ISBLK(st
.st_mode
))
704 r
= sd_device_new_from_stat_rdev(&d
, &st
);
708 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
709 _cleanup_(sd_device_unrefp
) sd_device
*initialized
= NULL
;
711 /* If udev support is enabled, then let's wait for the device to be initialized before we doing anything. */
713 r
= device_wait_for_initialization_harder(
716 usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
),
722 d
= TAKE_PTR(initialized
);
725 b
= blkid_new_probe();
730 r
= blkid_probe_set_device(b
, fd
, 0, 0);
732 return errno_or_else(ENOMEM
);
734 if ((flags
& DISSECT_IMAGE_GPT_ONLY
) == 0) {
735 /* Look for file system superblocks, unless we only shall look for GPT partition tables */
736 blkid_probe_enable_superblocks(b
, 1);
737 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
|BLKID_SUBLKS_USAGE
);
740 blkid_probe_enable_partitions(b
, 1);
741 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
744 r
= blkid_do_safeprobe(b
);
745 if (IN_SET(r
, -2, 1))
746 return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG
), "Failed to identify any partition table.");
748 return errno_or_else(EIO
);
750 m
= new0(DissectedImage
, 1);
754 r
= sd_device_get_sysname(d
, &sysname
);
756 return log_debug_errno(r
, "Failed to get device sysname: %m");
757 if (startswith(sysname
, "loop")) {
758 _cleanup_free_
char *name_stripped
= NULL
;
759 const char *full_path
;
761 r
= sd_device_get_sysattr_value(d
, "loop/backing_file", &full_path
);
763 log_debug_errno(r
, "Failed to lookup image name via loop device backing file sysattr, ignoring: %m");
765 r
= raw_strip_suffixes(basename(full_path
), &name_stripped
);
770 free_and_replace(m
->image_name
, name_stripped
);
772 r
= free_and_strdup(&m
->image_name
, sysname
);
777 if (!image_name_is_valid(m
->image_name
)) {
778 log_debug("Image name %s is not valid, ignoring", strempty(m
->image_name
));
779 m
->image_name
= mfree(m
->image_name
);
782 if ((!(flags
& DISSECT_IMAGE_GPT_ONLY
) &&
783 (flags
& DISSECT_IMAGE_GENERIC_ROOT
)) ||
784 (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)) {
785 const char *usage
= NULL
;
787 /* If flags permit this, also allow using non-partitioned single-filesystem images */
789 (void) blkid_probe_lookup_value(b
, "USAGE", &usage
, NULL
);
790 if (STRPTR_IN_SET(usage
, "filesystem", "crypto")) {
791 const char *fstype
= NULL
, *options
= NULL
, *devname
= NULL
;
792 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
;
794 /* OK, we have found a file system, that's our root partition then. */
795 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
803 r
= sd_device_get_devname(d
, &devname
);
811 m
->single_file_system
= true;
812 m
->encrypted
= streq_ptr(fstype
, "crypto_LUKS");
814 m
->has_verity
= verity
&& verity
->data_path
;
815 m
->verity_ready
= m
->has_verity
&&
817 (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
);
819 m
->has_verity_sig
= false; /* signature not embedded, must be specified */
820 m
->verity_sig_ready
= m
->verity_ready
&&
821 verity
->root_hash_sig
;
823 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
830 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
832 .rw
= !m
->verity_ready
&& !fstype_is_ro(fstype
),
834 .architecture
= _ARCHITECTURE_INVALID
,
835 .fstype
= TAKE_PTR(t
),
837 .mount_options
= TAKE_PTR(o
),
847 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
851 is_gpt
= streq_ptr(pttype
, "gpt");
852 is_mbr
= streq_ptr(pttype
, "dos");
854 if (!is_gpt
&& ((flags
& DISSECT_IMAGE_GPT_ONLY
) || !is_mbr
))
857 /* We support external verity data partitions only if the image has no partition table */
858 if (verity
&& verity
->data_path
)
861 /* Safety check: refuse block devices that carry a partition table but for which the kernel doesn't
862 * do partition scanning. */
863 r
= blockdev_partscan_enabled(fd
);
867 return -EPROTONOSUPPORT
;
870 pl
= blkid_probe_get_partitions(b
);
872 return errno_or_else(ENOMEM
);
875 n_partitions
= blkid_partlist_numof_partitions(pl
);
876 if (n_partitions
< 0)
877 return errno_or_else(EIO
);
879 deadline
= usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
);
880 for (int i
= 0; i
< n_partitions
; i
++) {
881 _cleanup_(sd_device_unrefp
) sd_device
*q
= NULL
;
882 unsigned long long pflags
;
883 blkid_loff_t start
, size
;
889 pp
= blkid_partlist_get_partition(pl
, i
);
891 return errno_or_else(EIO
);
893 r
= wait_for_partition_device(d
, pp
, deadline
, diskseq
, uevent_seqnum_not_before
, timestamp_not_before
, flags
, &q
);
897 r
= sd_device_get_devname(q
, &node
);
901 pflags
= blkid_partition_get_flags(pp
);
904 nr
= blkid_partition_get_partno(pp
);
906 return errno_or_else(EIO
);
909 start
= blkid_partition_get_start(pp
);
911 return errno_or_else(EIO
);
913 assert((uint64_t) start
< UINT64_MAX
/512);
916 size
= blkid_partition_get_size(pp
);
918 return errno_or_else(EIO
);
920 assert((uint64_t) size
< UINT64_MAX
/512);
923 PartitionDesignator designator
= _PARTITION_DESIGNATOR_INVALID
;
924 int architecture
= _ARCHITECTURE_INVALID
;
925 const char *stype
, *sid
, *fstype
= NULL
, *label
;
926 sd_id128_t type_id
, id
;
927 bool rw
= true, growfs
= false;
929 sid
= blkid_partition_get_uuid(pp
);
932 if (sd_id128_from_string(sid
, &id
) < 0)
935 stype
= blkid_partition_get_type_string(pp
);
938 if (sd_id128_from_string(stype
, &type_id
) < 0)
941 label
= blkid_partition_get_name(pp
); /* libblkid returns NULL here if empty */
943 if (sd_id128_equal(type_id
, GPT_HOME
)) {
945 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
947 if (pflags
& GPT_FLAG_NO_AUTO
)
950 designator
= PARTITION_HOME
;
951 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
952 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
954 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
956 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
958 if (pflags
& GPT_FLAG_NO_AUTO
)
961 designator
= PARTITION_SRV
;
962 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
963 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
965 } else if (sd_id128_equal(type_id
, GPT_ESP
)) {
967 /* Note that we don't check the GPT_FLAG_NO_AUTO flag for the ESP, as it is
968 * not defined there. We instead check the GPT_FLAG_NO_BLOCK_IO_PROTOCOL, as
969 * recommended by the UEFI spec (See "12.3.3 Number and Location of System
972 if (pflags
& GPT_FLAG_NO_BLOCK_IO_PROTOCOL
)
975 designator
= PARTITION_ESP
;
978 } else if (sd_id128_equal(type_id
, GPT_XBOOTLDR
)) {
980 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
982 if (pflags
& GPT_FLAG_NO_AUTO
)
985 designator
= PARTITION_XBOOTLDR
;
986 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
987 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
989 #ifdef GPT_ROOT_NATIVE
990 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
992 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
994 if (pflags
& GPT_FLAG_NO_AUTO
)
997 /* If a root ID is specified, ignore everything but the root id */
998 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
1001 designator
= PARTITION_ROOT
;
1002 architecture
= native_architecture();
1003 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1004 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1006 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY
)) {
1008 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1010 if (pflags
& GPT_FLAG_NO_AUTO
)
1013 m
->has_verity
= true;
1015 /* If no verity configuration is specified, then don't do verity */
1018 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1021 /* If root hash is specified, then ignore everything but the root id */
1022 if (!sd_id128_is_null(root_verity_uuid
) && !sd_id128_equal(root_verity_uuid
, id
))
1025 designator
= PARTITION_ROOT_VERITY
;
1026 fstype
= "DM_verity_hash";
1027 architecture
= native_architecture();
1030 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY_SIG
)) {
1032 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1034 if (pflags
& GPT_FLAG_NO_AUTO
)
1037 m
->has_verity_sig
= true;
1039 /* If root hash is specified explicitly, then ignore any embedded signature */
1042 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1044 if (verity
->root_hash
)
1047 designator
= PARTITION_ROOT_VERITY_SIG
;
1048 fstype
= "verity_hash_signature";
1049 architecture
= native_architecture();
1053 #ifdef GPT_ROOT_SECONDARY
1054 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
1056 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1058 if (pflags
& GPT_FLAG_NO_AUTO
)
1061 /* If a root ID is specified, ignore everything but the root id */
1062 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
1065 designator
= PARTITION_ROOT_SECONDARY
;
1066 architecture
= SECONDARY_ARCHITECTURE
;
1067 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1068 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1070 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY
)) {
1072 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1074 if (pflags
& GPT_FLAG_NO_AUTO
)
1077 m
->has_verity
= true;
1079 /* Don't do verity if no verity config is passed in */
1082 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1085 /* If root hash is specified, then ignore everything but the root id */
1086 if (!sd_id128_is_null(root_verity_uuid
) && !sd_id128_equal(root_verity_uuid
, id
))
1089 designator
= PARTITION_ROOT_SECONDARY_VERITY
;
1090 fstype
= "DM_verity_hash";
1091 architecture
= SECONDARY_ARCHITECTURE
;
1094 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY_SIG
)) {
1096 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1098 if (pflags
& GPT_FLAG_NO_AUTO
)
1101 m
->has_verity_sig
= true;
1103 /* If root hash is specified explicitly, then ignore any embedded signature */
1106 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1108 if (verity
->root_hash
)
1111 designator
= PARTITION_ROOT_SECONDARY_VERITY_SIG
;
1112 fstype
= "verity_hash_signature";
1113 architecture
= native_architecture();
1117 #ifdef GPT_USR_NATIVE
1118 else if (sd_id128_equal(type_id
, GPT_USR_NATIVE
)) {
1120 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1122 if (pflags
& GPT_FLAG_NO_AUTO
)
1125 /* If a usr ID is specified, ignore everything but the usr id */
1126 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
1129 designator
= PARTITION_USR
;
1130 architecture
= native_architecture();
1131 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1132 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1134 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY
)) {
1136 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1138 if (pflags
& GPT_FLAG_NO_AUTO
)
1141 m
->has_verity
= true;
1145 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1148 /* If usr hash is specified, then ignore everything but the usr id */
1149 if (!sd_id128_is_null(usr_verity_uuid
) && !sd_id128_equal(usr_verity_uuid
, id
))
1152 designator
= PARTITION_USR_VERITY
;
1153 fstype
= "DM_verity_hash";
1154 architecture
= native_architecture();
1157 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY_SIG
)) {
1159 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1161 if (pflags
& GPT_FLAG_NO_AUTO
)
1164 m
->has_verity_sig
= true;
1166 /* If usr hash is specified explicitly, then ignore any embedded signature */
1169 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1171 if (verity
->root_hash
)
1174 designator
= PARTITION_USR_VERITY_SIG
;
1175 fstype
= "verity_hash_signature";
1176 architecture
= native_architecture();
1180 #ifdef GPT_USR_SECONDARY
1181 else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY
)) {
1183 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1185 if (pflags
& GPT_FLAG_NO_AUTO
)
1188 /* If a usr ID is specified, ignore everything but the usr id */
1189 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
1192 designator
= PARTITION_USR_SECONDARY
;
1193 architecture
= SECONDARY_ARCHITECTURE
;
1194 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1195 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1197 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY
)) {
1199 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1201 if (pflags
& GPT_FLAG_NO_AUTO
)
1204 m
->has_verity
= true;
1208 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1211 /* If usr hash is specified, then ignore everything but the root id */
1212 if (!sd_id128_is_null(usr_verity_uuid
) && !sd_id128_equal(usr_verity_uuid
, id
))
1215 designator
= PARTITION_USR_SECONDARY_VERITY
;
1216 fstype
= "DM_verity_hash";
1217 architecture
= SECONDARY_ARCHITECTURE
;
1220 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY_SIG
)) {
1222 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1224 if (pflags
& GPT_FLAG_NO_AUTO
)
1227 m
->has_verity_sig
= true;
1229 /* If usr hash is specified explicitly, then ignore any embedded signature */
1232 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1234 if (verity
->root_hash
)
1237 designator
= PARTITION_USR_SECONDARY_VERITY_SIG
;
1238 fstype
= "verity_hash_signature";
1239 architecture
= native_architecture();
1243 else if (sd_id128_equal(type_id
, GPT_SWAP
)) {
1245 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
);
1247 if (pflags
& GPT_FLAG_NO_AUTO
)
1250 designator
= PARTITION_SWAP
;
1252 } else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
1254 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1256 if (pflags
& GPT_FLAG_NO_AUTO
)
1260 multiple_generic
= true;
1263 generic_rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1264 generic_growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1266 generic_node
= strdup(node
);
1271 } else if (sd_id128_equal(type_id
, GPT_TMP
)) {
1273 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1275 if (pflags
& GPT_FLAG_NO_AUTO
)
1278 designator
= PARTITION_TMP
;
1279 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1280 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1282 } else if (sd_id128_equal(type_id
, GPT_VAR
)) {
1284 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1286 if (pflags
& GPT_FLAG_NO_AUTO
)
1289 if (!FLAGS_SET(flags
, DISSECT_IMAGE_RELAX_VAR_CHECK
)) {
1290 sd_id128_t var_uuid
;
1292 /* For /var we insist that the uuid of the partition matches the
1293 * HMAC-SHA256 of the /var GPT partition type uuid, keyed by machine
1294 * ID. Why? Unlike the other partitions /var is inherently
1295 * installation specific, hence we need to be careful not to mount it
1296 * in the wrong installation. By hashing the partition UUID from
1297 * /etc/machine-id we can securely bind the partition to the
1300 r
= sd_id128_get_machine_app_specific(GPT_VAR
, &var_uuid
);
1304 if (!sd_id128_equal(var_uuid
, id
)) {
1305 log_debug("Found a /var/ partition, but its UUID didn't match our expectations, ignoring.");
1310 designator
= PARTITION_VAR
;
1311 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1312 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1315 if (designator
!= _PARTITION_DESIGNATOR_INVALID
) {
1316 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
, *l
= NULL
;
1317 const char *options
= NULL
;
1319 if (m
->partitions
[designator
].found
) {
1320 /* For most partition types the first one we see wins. Except for the
1321 * rootfs and /usr, where we do a version compare of the label, and
1322 * let the newest version win. This permits a simple A/B versioning
1323 * scheme in OS images. */
1325 if (!PARTITION_DESIGNATOR_VERSIONED(designator
) ||
1326 strverscmp_improved(m
->partitions
[designator
].label
, label
) >= 0)
1329 dissected_partition_done(m
->partitions
+ designator
);
1348 options
= mount_options_from_designator(mount_options
, designator
);
1350 o
= strdup(options
);
1355 m
->partitions
[designator
] = (DissectedPartition
) {
1360 .architecture
= architecture
,
1361 .node
= TAKE_PTR(n
),
1362 .fstype
= TAKE_PTR(t
),
1363 .label
= TAKE_PTR(l
),
1365 .mount_options
= TAKE_PTR(o
),
1366 .offset
= (uint64_t) start
* 512,
1367 .size
= (uint64_t) size
* 512,
1371 } else if (is_mbr
) {
1373 switch (blkid_partition_get_type(pp
)) {
1375 case 0x83: /* Linux partition */
1377 if (pflags
!= 0x80) /* Bootable flag */
1381 multiple_generic
= true;
1385 generic_growfs
= false;
1386 generic_node
= strdup(node
);
1393 case 0xEA: { /* Boot Loader Spec extended $BOOT partition */
1394 _cleanup_free_
char *n
= NULL
, *o
= NULL
;
1395 sd_id128_t id
= SD_ID128_NULL
;
1396 const char *sid
, *options
= NULL
;
1398 /* First one wins */
1399 if (m
->partitions
[PARTITION_XBOOTLDR
].found
)
1402 sid
= blkid_partition_get_uuid(pp
);
1404 (void) sd_id128_from_string(sid
, &id
);
1410 options
= mount_options_from_designator(mount_options
, PARTITION_XBOOTLDR
);
1412 o
= strdup(options
);
1417 m
->partitions
[PARTITION_XBOOTLDR
] = (DissectedPartition
) {
1422 .architecture
= _ARCHITECTURE_INVALID
,
1423 .node
= TAKE_PTR(n
),
1425 .mount_options
= TAKE_PTR(o
),
1426 .offset
= (uint64_t) start
* 512,
1427 .size
= (uint64_t) size
* 512,
1435 if (m
->partitions
[PARTITION_ROOT
].found
) {
1436 /* If we found the primary arch, then invalidate the secondary arch to avoid any ambiguities,
1437 * since we never want to mount the secondary arch in this case. */
1438 m
->partitions
[PARTITION_ROOT_SECONDARY
].found
= false;
1439 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
= false;
1440 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
].found
= false;
1441 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1442 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1443 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
= false;
1445 } else if (m
->partitions
[PARTITION_ROOT_VERITY
].found
||
1446 m
->partitions
[PARTITION_ROOT_VERITY_SIG
].found
)
1447 return -EADDRNOTAVAIL
; /* Verity found but no matching rootfs? Something is off, refuse. */
1449 else if (m
->partitions
[PARTITION_ROOT_SECONDARY
].found
) {
1451 /* No root partition found but there's one for the secondary architecture? Then upgrade
1452 * secondary arch to first */
1454 m
->partitions
[PARTITION_ROOT
] = m
->partitions
[PARTITION_ROOT_SECONDARY
];
1455 zero(m
->partitions
[PARTITION_ROOT_SECONDARY
]);
1456 m
->partitions
[PARTITION_ROOT_VERITY
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
];
1457 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
]);
1458 m
->partitions
[PARTITION_ROOT_VERITY_SIG
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
];
1459 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
]);
1461 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1462 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1463 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1464 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1465 m
->partitions
[PARTITION_USR_VERITY_SIG
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
];
1466 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
]);
1468 } else if (m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
||
1469 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
].found
)
1470 return -EADDRNOTAVAIL
; /* as above */
1472 /* Hmm, we found a signature partition but no Verity data? Something is off. */
1473 if (m
->partitions
[PARTITION_ROOT_VERITY_SIG
].found
&& !m
->partitions
[PARTITION_ROOT_VERITY
].found
)
1474 return -EADDRNOTAVAIL
;
1476 if (m
->partitions
[PARTITION_USR
].found
) {
1477 /* Invalidate secondary arch /usr/ if we found the primary arch */
1478 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1479 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1480 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
= false;
1482 } else if (m
->partitions
[PARTITION_USR_VERITY
].found
||
1483 m
->partitions
[PARTITION_USR_VERITY_SIG
].found
)
1484 return -EADDRNOTAVAIL
; /* as above */
1486 else if (m
->partitions
[PARTITION_USR_SECONDARY
].found
) {
1488 /* Upgrade secondary arch to primary */
1489 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1490 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1491 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1492 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1493 m
->partitions
[PARTITION_USR_VERITY_SIG
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
];
1494 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
]);
1496 } else if (m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
||
1497 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
)
1498 return -EADDRNOTAVAIL
; /* as above */
1500 /* Hmm, we found a signature partition but no Verity data? Something is off. */
1501 if (m
->partitions
[PARTITION_USR_VERITY_SIG
].found
&& !m
->partitions
[PARTITION_USR_VERITY
].found
)
1502 return -EADDRNOTAVAIL
;
1504 /* If root and /usr are combined then insist that the architecture matches */
1505 if (m
->partitions
[PARTITION_ROOT
].found
&&
1506 m
->partitions
[PARTITION_USR
].found
&&
1507 (m
->partitions
[PARTITION_ROOT
].architecture
>= 0 &&
1508 m
->partitions
[PARTITION_USR
].architecture
>= 0 &&
1509 m
->partitions
[PARTITION_ROOT
].architecture
!= m
->partitions
[PARTITION_USR
].architecture
))
1510 return -EADDRNOTAVAIL
;
1512 if (!m
->partitions
[PARTITION_ROOT
].found
&&
1513 !m
->partitions
[PARTITION_USR
].found
&&
1514 (flags
& DISSECT_IMAGE_GENERIC_ROOT
) &&
1515 (!verity
|| !verity
->root_hash
|| verity
->designator
!= PARTITION_USR
)) {
1517 /* OK, we found nothing usable, then check if there's a single generic one distro, and use
1518 * that. If the root hash was set however, then we won't fall back to a generic node, because
1519 * the root hash decides. */
1521 /* If we didn't find a properly marked root partition, but we did find a single suitable
1522 * generic Linux partition, then use this as root partition, if the caller asked for it. */
1523 if (multiple_generic
)
1526 /* If we didn't find a generic node, then we can't fix this up either */
1528 _cleanup_free_
char *o
= NULL
;
1529 const char *options
;
1531 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
1533 o
= strdup(options
);
1538 assert(generic_nr
>= 0);
1539 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
1542 .growfs
= generic_growfs
,
1543 .partno
= generic_nr
,
1544 .architecture
= _ARCHITECTURE_INVALID
,
1545 .node
= TAKE_PTR(generic_node
),
1546 .uuid
= generic_uuid
,
1547 .mount_options
= TAKE_PTR(o
),
1548 .offset
= UINT64_MAX
,
1554 /* Check if we have a root fs if we are told to do check. /usr alone is fine too, but only if appropriate flag for that is set too */
1555 if (FLAGS_SET(flags
, DISSECT_IMAGE_REQUIRE_ROOT
) &&
1556 !(m
->partitions
[PARTITION_ROOT
].found
|| (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1559 if (m
->partitions
[PARTITION_ROOT_VERITY
].found
) {
1560 /* We only support one verity partition per image, i.e. can't do for both /usr and root fs */
1561 if (m
->partitions
[PARTITION_USR_VERITY
].found
)
1564 /* We don't support verity enabled root with a split out /usr. Neither with nor without
1565 * verity there. (Note that we do support verity-less root with verity-full /usr, though.) */
1566 if (m
->partitions
[PARTITION_USR
].found
)
1567 return -EADDRNOTAVAIL
;
1571 /* If a verity designator is specified, then insist that the matching partition exists */
1572 if (verity
->designator
>= 0 && !m
->partitions
[verity
->designator
].found
)
1573 return -EADDRNOTAVAIL
;
1575 if (verity
->root_hash
) {
1576 /* If we have an explicit root hash and found the partitions for it, then we are ready to use
1577 * Verity, set things up for it */
1579 if (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
) {
1580 if (!m
->partitions
[PARTITION_ROOT_VERITY
].found
|| !m
->partitions
[PARTITION_ROOT
].found
)
1581 return -EADDRNOTAVAIL
;
1583 /* If we found a verity setup, then the root partition is necessarily read-only. */
1584 m
->partitions
[PARTITION_ROOT
].rw
= false;
1585 m
->verity_ready
= true;
1588 assert(verity
->designator
== PARTITION_USR
);
1590 if (!m
->partitions
[PARTITION_USR_VERITY
].found
|| !m
->partitions
[PARTITION_USR
].found
)
1591 return -EADDRNOTAVAIL
;
1593 m
->partitions
[PARTITION_USR
].rw
= false;
1594 m
->verity_ready
= true;
1597 if (m
->verity_ready
)
1598 m
->verity_sig_ready
= !!verity
->root_hash_sig
;
1600 } else if (m
->partitions
[verity
->designator
== PARTITION_USR
? PARTITION_USR_VERITY_SIG
: PARTITION_ROOT_VERITY_SIG
].found
) {
1602 /* If we found an embedded signature partition, we are ready, too. */
1604 m
->verity_ready
= m
->verity_sig_ready
= true;
1605 m
->partitions
[verity
->designator
== PARTITION_USR
? PARTITION_USR
: PARTITION_ROOT
].rw
= false;
1609 blkid_free_probe(b
);
1612 /* Fill in file system types if we don't know them yet. */
1613 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
1614 DissectedPartition
*p
= m
->partitions
+ i
;
1619 if (!p
->fstype
&& p
->node
) {
1620 r
= probe_filesystem(p
->node
, &p
->fstype
);
1621 if (r
< 0 && r
!= -EUCLEAN
)
1625 if (streq_ptr(p
->fstype
, "crypto_LUKS"))
1626 m
->encrypted
= true;
1628 if (p
->fstype
&& fstype_is_ro(p
->fstype
))
1642 DissectedImage
* dissected_image_unref(DissectedImage
*m
) {
1646 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++)
1647 dissected_partition_done(m
->partitions
+ i
);
1649 free(m
->image_name
);
1651 strv_free(m
->machine_info
);
1652 strv_free(m
->os_release
);
1653 strv_free(m
->extension_release
);
1658 static int is_loop_device(const char *path
) {
1659 char s
[SYS_BLOCK_PATH_MAX("/../loop/")];
1664 if (stat(path
, &st
) < 0)
1667 if (!S_ISBLK(st
.st_mode
))
1670 xsprintf_sys_block_path(s
, "/loop/", st
.st_dev
);
1671 if (access(s
, F_OK
) < 0) {
1672 if (errno
!= ENOENT
)
1675 /* The device itself isn't a loop device, but maybe it's a partition and its parent is? */
1676 xsprintf_sys_block_path(s
, "/../loop/", st
.st_dev
);
1677 if (access(s
, F_OK
) < 0)
1678 return errno
== ENOENT
? false : -errno
;
1684 static int run_fsck(const char *node
, const char *fstype
) {
1691 r
= fsck_exists(fstype
);
1693 log_debug_errno(r
, "Couldn't determine whether fsck for %s exists, proceeding anyway.", fstype
);
1697 log_debug("Not checking partition %s, as fsck for %s does not exist.", node
, fstype
);
1701 r
= safe_fork("(fsck)", FORK_RESET_SIGNALS
|FORK_CLOSE_ALL_FDS
|FORK_RLIMIT_NOFILE_SAFE
|FORK_DEATHSIG
|FORK_NULL_STDIO
, &pid
);
1703 return log_debug_errno(r
, "Failed to fork off fsck: %m");
1706 execl("/sbin/fsck", "/sbin/fsck", "-aT", node
, NULL
);
1708 log_debug_errno(errno
, "Failed to execl() fsck: %m");
1709 _exit(FSCK_OPERATIONAL_ERROR
);
1712 exit_status
= wait_for_terminate_and_check("fsck", pid
, 0);
1713 if (exit_status
< 0)
1714 return log_debug_errno(exit_status
, "Failed to fork off /sbin/fsck: %m");
1716 if ((exit_status
& ~FSCK_ERROR_CORRECTED
) != FSCK_SUCCESS
) {
1717 log_debug("fsck failed with exit status %i.", exit_status
);
1719 if ((exit_status
& (FSCK_SYSTEM_SHOULD_REBOOT
|FSCK_ERRORS_LEFT_UNCORRECTED
)) != 0)
1720 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
), "File system is corrupted, refusing.");
1722 log_debug("Ignoring fsck error.");
1728 static int fs_grow(const char *node_path
, const char *mount_path
) {
1729 _cleanup_close_
int mount_fd
= -1, node_fd
= -1;
1730 uint64_t size
, newsize
;
1733 node_fd
= open(node_path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
1735 return log_debug_errno(errno
, "Failed to open node device %s: %m", node_path
);
1737 if (ioctl(node_fd
, BLKGETSIZE64
, &size
) != 0)
1738 return log_debug_errno(errno
, "Failed to get block device size of %s: %m", node_path
);
1740 mount_fd
= open(mount_path
, O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1742 return log_debug_errno(errno
, "Failed to open mountd file system %s: %m", mount_path
);
1744 log_debug("Resizing \"%s\" to %"PRIu64
" bytes...", mount_path
, size
);
1745 r
= resize_fs(mount_fd
, size
, &newsize
);
1747 return log_debug_errno(r
, "Failed to resize \"%s\" to %"PRIu64
" bytes: %m", mount_path
, size
);
1749 if (newsize
== size
)
1750 log_debug("Successfully resized \"%s\" to %s bytes.",
1751 mount_path
, FORMAT_BYTES(newsize
));
1753 assert(newsize
< size
);
1754 log_debug("Successfully resized \"%s\" to %s bytes (%"PRIu64
" bytes lost due to blocksize).",
1755 mount_path
, FORMAT_BYTES(newsize
), size
- newsize
);
1761 static int mount_partition(
1762 DissectedPartition
*m
,
1764 const char *directory
,
1767 DissectImageFlags flags
) {
1769 _cleanup_free_
char *chased
= NULL
, *options
= NULL
;
1770 const char *p
, *node
, *fstype
;
1771 bool rw
, remap_uid_gid
= false;
1777 /* Use decrypted node and matching fstype if available, otherwise use the original device */
1778 node
= m
->decrypted_node
?: m
->node
;
1779 fstype
= m
->decrypted_node
? m
->decrypted_fstype
: m
->fstype
;
1781 if (!m
->found
|| !node
)
1784 return -EAFNOSUPPORT
;
1786 /* We are looking at an encrypted partition? This either means stacked encryption, or the caller didn't call dissected_image_decrypt() beforehand. Let's return a recognizable error for this case. */
1787 if (streq(fstype
, "crypto_LUKS"))
1790 rw
= m
->rw
&& !(flags
& DISSECT_IMAGE_MOUNT_READ_ONLY
);
1792 if (FLAGS_SET(flags
, DISSECT_IMAGE_FSCK
) && rw
) {
1793 r
= run_fsck(node
, fstype
);
1799 /* Automatically create missing mount points inside the image, if necessary. */
1800 r
= mkdir_p_root(where
, directory
, uid_shift
, (gid_t
) uid_shift
, 0755);
1801 if (r
< 0 && r
!= -EROFS
)
1804 r
= chase_symlinks(directory
, where
, CHASE_PREFIX_ROOT
, &chased
, NULL
);
1810 /* Create top-level mount if missing – but only if this is asked for. This won't modify the
1811 * image (as the branch above does) but the host hierarchy, and the created directory might
1812 * survive our mount in the host hierarchy hence. */
1813 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1814 r
= mkdir_p(where
, 0755);
1822 /* If requested, turn on discard support. */
1823 if (fstype_can_discard(fstype
) &&
1824 ((flags
& DISSECT_IMAGE_DISCARD
) ||
1825 ((flags
& DISSECT_IMAGE_DISCARD_ON_LOOP
) && is_loop_device(m
->node
) > 0))) {
1826 options
= strdup("discard");
1831 if (uid_is_valid(uid_shift
) && uid_shift
!= 0) {
1833 if (fstype_can_uid_gid(fstype
)) {
1834 _cleanup_free_
char *uid_option
= NULL
;
1836 if (asprintf(&uid_option
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1839 if (!strextend_with_separator(&options
, ",", uid_option
))
1841 } else if (FLAGS_SET(flags
, DISSECT_IMAGE_MOUNT_IDMAPPED
))
1842 remap_uid_gid
= true;
1845 if (!isempty(m
->mount_options
))
1846 if (!strextend_with_separator(&options
, ",", m
->mount_options
))
1849 /* So, when you request MS_RDONLY from ext4, then this means nothing. It happily still writes to the
1850 * backing storage. What's worse, the BLKRO[GS]ET flag and (in case of loopback devices)
1851 * LO_FLAGS_READ_ONLY don't mean anything, they affect userspace accesses only, and write accesses
1852 * from the upper file system still get propagated through to the underlying file system,
1853 * unrestricted. To actually get ext4/xfs/btrfs to stop writing to the device we need to specify
1854 * "norecovery" as mount option, in addition to MS_RDONLY. Yes, this sucks, since it means we need to
1855 * carry a per file system table here.
1857 * Note that this means that we might not be able to mount corrupted file systems as read-only
1858 * anymore (since in some cases the kernel implementations will refuse mounting when corrupted,
1859 * read-only and "norecovery" is specified). But I think for the case of automatically determined
1860 * mount options for loopback devices this is the right choice, since otherwise using the same
1861 * loopback file twice even in read-only mode, is going to fail badly sooner or later. The usecase of
1862 * making reuse of the immutable images "just work" is more relevant to us than having read-only
1863 * access that actually modifies stuff work on such image files. Or to say this differently: if
1864 * people want their file systems to be fixed up they should just open them in writable mode, where
1865 * all these problems don't exist. */
1866 if (!rw
&& STRPTR_IN_SET(fstype
, "ext3", "ext4", "xfs", "btrfs"))
1867 if (!strextend_with_separator(&options
, ",", "norecovery"))
1870 r
= mount_nofollow_verbose(LOG_DEBUG
, node
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), options
);
1874 if (rw
&& m
->growfs
&& FLAGS_SET(flags
, DISSECT_IMAGE_GROWFS
))
1875 (void) fs_grow(node
, p
);
1877 if (remap_uid_gid
) {
1878 r
= remount_idmap(p
, uid_shift
, uid_range
);
1886 static int mount_root_tmpfs(const char *where
, uid_t uid_shift
, DissectImageFlags flags
) {
1887 _cleanup_free_
char *options
= NULL
;
1892 /* For images that contain /usr/ but no rootfs, let's mount rootfs as tmpfs */
1894 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1895 r
= mkdir_p(where
, 0755);
1900 if (uid_is_valid(uid_shift
)) {
1901 if (asprintf(&options
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1905 r
= mount_nofollow_verbose(LOG_DEBUG
, "rootfs", where
, "tmpfs", MS_NODEV
, options
);
1912 int dissected_image_mount(
1917 DissectImageFlags flags
) {
1919 int r
, xbootldr_mounted
;
1926 * -ENXIO → No root partition found
1927 * -EMEDIUMTYPE → DISSECT_IMAGE_VALIDATE_OS set but no os-release/extension-release file found
1928 * -EUNATCH → Encrypted partition found for which no dm-crypt was set up yet
1929 * -EUCLEAN → fsck for file system failed
1930 * -EBUSY → File system already mounted/used elsewhere (kernel)
1931 * -EAFNOSUPPORT → File system type not supported or not known
1934 if (!(m
->partitions
[PARTITION_ROOT
].found
||
1935 (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1936 return -ENXIO
; /* Require a root fs or at least a /usr/ fs (the latter is subject to a flag of its own) */
1938 if ((flags
& DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
) == 0) {
1940 /* First mount the root fs. If there's none we use a tmpfs. */
1941 if (m
->partitions
[PARTITION_ROOT
].found
)
1942 r
= mount_partition(m
->partitions
+ PARTITION_ROOT
, where
, NULL
, uid_shift
, uid_range
, flags
);
1944 r
= mount_root_tmpfs(where
, uid_shift
, flags
);
1948 /* For us mounting root always means mounting /usr as well */
1949 r
= mount_partition(m
->partitions
+ PARTITION_USR
, where
, "/usr", uid_shift
, uid_range
, flags
);
1953 if ((flags
& (DISSECT_IMAGE_VALIDATE_OS
|DISSECT_IMAGE_VALIDATE_OS_EXT
)) != 0) {
1954 /* If either one of the validation flags are set, ensure that the image qualifies
1955 * as one or the other (or both). */
1958 if (FLAGS_SET(flags
, DISSECT_IMAGE_VALIDATE_OS
)) {
1959 r
= path_is_os_tree(where
);
1965 if (!ok
&& FLAGS_SET(flags
, DISSECT_IMAGE_VALIDATE_OS_EXT
)) {
1966 r
= path_is_extension_tree(where
, m
->image_name
);
1978 if (flags
& DISSECT_IMAGE_MOUNT_ROOT_ONLY
)
1981 r
= mount_partition(m
->partitions
+ PARTITION_HOME
, where
, "/home", uid_shift
, uid_range
, flags
);
1985 r
= mount_partition(m
->partitions
+ PARTITION_SRV
, where
, "/srv", uid_shift
, uid_range
, flags
);
1989 r
= mount_partition(m
->partitions
+ PARTITION_VAR
, where
, "/var", uid_shift
, uid_range
, flags
);
1993 r
= mount_partition(m
->partitions
+ PARTITION_TMP
, where
, "/var/tmp", uid_shift
, uid_range
, flags
);
1997 xbootldr_mounted
= mount_partition(m
->partitions
+ PARTITION_XBOOTLDR
, where
, "/boot", uid_shift
, uid_range
, flags
);
1998 if (xbootldr_mounted
< 0)
1999 return xbootldr_mounted
;
2001 if (m
->partitions
[PARTITION_ESP
].found
) {
2002 int esp_done
= false;
2004 /* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it
2005 * exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */
2007 r
= chase_symlinks("/efi", where
, CHASE_PREFIX_ROOT
, NULL
, NULL
);
2012 /* /efi doesn't exist. Let's see if /boot is suitable then */
2014 if (!xbootldr_mounted
) {
2015 _cleanup_free_
char *p
= NULL
;
2017 r
= chase_symlinks("/boot", where
, CHASE_PREFIX_ROOT
, &p
, NULL
);
2021 } else if (dir_is_empty(p
) > 0) {
2022 /* It exists and is an empty directory. Let's mount the ESP there. */
2023 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/boot", uid_shift
, uid_range
, flags
);
2033 /* OK, let's mount the ESP now to /efi (possibly creating the dir if missing) */
2035 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/efi", uid_shift
, uid_range
, flags
);
2044 int dissected_image_mount_and_warn(
2049 DissectImageFlags flags
) {
2056 r
= dissected_image_mount(m
, where
, uid_shift
, uid_range
, flags
);
2058 return log_error_errno(r
, "Not root file system found in image.");
2059 if (r
== -EMEDIUMTYPE
)
2060 return log_error_errno(r
, "No suitable os-release/extension-release file in image found.");
2062 return log_error_errno(r
, "Encrypted file system discovered, but decryption not requested.");
2064 return log_error_errno(r
, "File system check on image failed.");
2066 return log_error_errno(r
, "File system already mounted elsewhere.");
2067 if (r
== -EAFNOSUPPORT
)
2068 return log_error_errno(r
, "File system type not supported or not known.");
2070 return log_error_errno(r
, "Failed to mount image: %m");
2075 #if HAVE_LIBCRYPTSETUP
2076 typedef struct DecryptedPartition
{
2077 struct crypt_device
*device
;
2080 } DecryptedPartition
;
2082 struct DecryptedImage
{
2083 DecryptedPartition
*decrypted
;
2088 DecryptedImage
* decrypted_image_unref(DecryptedImage
* d
) {
2089 #if HAVE_LIBCRYPTSETUP
2095 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2096 DecryptedPartition
*p
= d
->decrypted
+ i
;
2098 if (p
->device
&& p
->name
&& !p
->relinquished
) {
2099 r
= sym_crypt_deactivate_by_name(p
->device
, p
->name
, 0);
2101 log_debug_errno(r
, "Failed to deactivate encrypted partition %s", p
->name
);
2105 sym_crypt_free(p
->device
);
2115 #if HAVE_LIBCRYPTSETUP
2117 static int make_dm_name_and_node(const void *original_node
, const char *suffix
, char **ret_name
, char **ret_node
) {
2118 _cleanup_free_
char *name
= NULL
, *node
= NULL
;
2121 assert(original_node
);
2126 base
= strrchr(original_node
, '/');
2128 base
= original_node
;
2134 name
= strjoin(base
, suffix
);
2137 if (!filename_is_valid(name
))
2140 node
= path_join(sym_crypt_get_dir(), name
);
2144 *ret_name
= TAKE_PTR(name
);
2145 *ret_node
= TAKE_PTR(node
);
2150 static int decrypt_partition(
2151 DissectedPartition
*m
,
2152 const char *passphrase
,
2153 DissectImageFlags flags
,
2154 DecryptedImage
*d
) {
2156 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
2157 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2163 if (!m
->found
|| !m
->node
|| !m
->fstype
)
2166 if (!streq(m
->fstype
, "crypto_LUKS"))
2172 r
= dlopen_cryptsetup();
2176 r
= make_dm_name_and_node(m
->node
, "-decrypted", &name
, &node
);
2180 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_decrypted
+ 1))
2183 r
= sym_crypt_init(&cd
, m
->node
);
2185 return log_debug_errno(r
, "Failed to initialize dm-crypt: %m");
2187 cryptsetup_enable_logging(cd
);
2189 r
= sym_crypt_load(cd
, CRYPT_LUKS
, NULL
);
2191 return log_debug_errno(r
, "Failed to load LUKS metadata: %m");
2193 r
= sym_crypt_activate_by_passphrase(cd
, name
, CRYPT_ANY_SLOT
, passphrase
, strlen(passphrase
),
2194 ((flags
& DISSECT_IMAGE_DEVICE_READ_ONLY
) ? CRYPT_ACTIVATE_READONLY
: 0) |
2195 ((flags
& DISSECT_IMAGE_DISCARD_ON_CRYPTO
) ? CRYPT_ACTIVATE_ALLOW_DISCARDS
: 0));
2197 log_debug_errno(r
, "Failed to activate LUKS device: %m");
2198 return r
== -EPERM
? -EKEYREJECTED
: r
;
2201 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
2202 .name
= TAKE_PTR(name
),
2203 .device
= TAKE_PTR(cd
),
2206 m
->decrypted_node
= TAKE_PTR(node
);
2211 static int verity_can_reuse(
2212 const VeritySettings
*verity
,
2214 struct crypt_device
**ret_cd
) {
2216 /* If the same volume was already open, check that the root hashes match, and reuse it if they do */
2217 _cleanup_free_
char *root_hash_existing
= NULL
;
2218 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2219 struct crypt_params_verity crypt_params
= {};
2220 size_t root_hash_existing_size
;
2227 r
= sym_crypt_init_by_name(&cd
, name
);
2229 return log_debug_errno(r
, "Error opening verity device, crypt_init_by_name failed: %m");
2231 cryptsetup_enable_logging(cd
);
2233 r
= sym_crypt_get_verity_info(cd
, &crypt_params
);
2235 return log_debug_errno(r
, "Error opening verity device, crypt_get_verity_info failed: %m");
2237 root_hash_existing_size
= verity
->root_hash_size
;
2238 root_hash_existing
= malloc0(root_hash_existing_size
);
2239 if (!root_hash_existing
)
2242 r
= sym_crypt_volume_key_get(cd
, CRYPT_ANY_SLOT
, root_hash_existing
, &root_hash_existing_size
, NULL
, 0);
2244 return log_debug_errno(r
, "Error opening verity device, crypt_volume_key_get failed: %m");
2245 if (verity
->root_hash_size
!= root_hash_existing_size
||
2246 memcmp(root_hash_existing
, verity
->root_hash
, verity
->root_hash_size
) != 0)
2247 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but root hashes are different.");
2249 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
2250 /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
2251 * same settings, so that a previous unsigned mount will not be reused if the user asks to use
2252 * signing for the new one, and vice versa. */
2253 if (!!verity
->root_hash_sig
!= !!(crypt_params
.flags
& CRYPT_VERITY_ROOT_HASH_SIGNATURE
))
2254 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but signature settings are not the same.");
2257 *ret_cd
= TAKE_PTR(cd
);
2261 static inline char* dm_deferred_remove_clean(char *name
) {
2265 (void) sym_crypt_deactivate_by_name(NULL
, name
, CRYPT_DEACTIVATE_DEFERRED
);
2268 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean
);
2270 static int validate_signature_userspace(const VeritySettings
*verity
) {
2272 _cleanup_(sk_X509_free_allp
) STACK_OF(X509
) *sk
= NULL
;
2273 _cleanup_strv_free_
char **certs
= NULL
;
2274 _cleanup_(PKCS7_freep
) PKCS7
*p7
= NULL
;
2275 _cleanup_free_
char *s
= NULL
;
2276 _cleanup_(BIO_freep
) BIO
*bio
= NULL
; /* 'bio' must be freed first, 's' second, hence keep this order
2277 * of declaration in place, please */
2278 const unsigned char *d
;
2283 assert(verity
->root_hash
);
2284 assert(verity
->root_hash_sig
);
2286 /* Because installing a signature certificate into the kernel chain is so messy, let's optionally do
2287 * userspace validation. */
2289 r
= conf_files_list_nulstr(&certs
, ".crt", NULL
, CONF_FILES_REGULAR
|CONF_FILES_FILTER_MASKED
, CONF_PATHS_NULSTR("verity.d"));
2291 return log_debug_errno(r
, "Failed to enumerate certificates: %m");
2292 if (strv_isempty(certs
)) {
2293 log_debug("No userspace dm-verity certificates found.");
2297 d
= verity
->root_hash_sig
;
2298 p7
= d2i_PKCS7(NULL
, &d
, (long) verity
->root_hash_sig_size
);
2300 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to parse PKCS7 DER signature data.");
2302 s
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2304 return log_oom_debug();
2306 bio
= BIO_new_mem_buf(s
, strlen(s
));
2308 return log_oom_debug();
2310 sk
= sk_X509_new_null();
2312 return log_oom_debug();
2314 STRV_FOREACH(i
, certs
) {
2315 _cleanup_(X509_freep
) X509
*c
= NULL
;
2316 _cleanup_fclose_
FILE *f
= NULL
;
2318 f
= fopen(*i
, "re");
2320 log_debug_errno(errno
, "Failed to open '%s', ignoring: %m", *i
);
2324 c
= PEM_read_X509(f
, NULL
, NULL
, NULL
);
2326 log_debug("Failed to load X509 certificate '%s', ignoring.", *i
);
2330 if (sk_X509_push(sk
, c
) == 0)
2331 return log_oom_debug();
2336 r
= PKCS7_verify(p7
, sk
, NULL
, bio
, NULL
, PKCS7_NOINTERN
|PKCS7_NOVERIFY
);
2338 log_debug("Userspace PKCS#7 validation succeeded.");
2340 log_debug("Userspace PKCS#7 validation failed: %s", ERR_error_string(ERR_get_error(), NULL
));
2344 log_debug("Not doing client-side validation of dm-verity root hash signatures, OpenSSL support disabled.");
2349 static int do_crypt_activate_verity(
2350 struct crypt_device
*cd
,
2352 const VeritySettings
*verity
) {
2354 bool check_signature
;
2361 if (verity
->root_hash_sig
) {
2362 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIGNATURE");
2363 if (r
< 0 && r
!= -ENXIO
)
2364 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIGNATURE");
2366 check_signature
= r
!= 0;
2368 check_signature
= false;
2370 if (check_signature
) {
2372 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
2373 /* First, if we have support for signed keys in the kernel, then try that first. */
2374 r
= sym_crypt_activate_by_signed_key(
2378 verity
->root_hash_size
,
2379 verity
->root_hash_sig
,
2380 verity
->root_hash_sig_size
,
2381 CRYPT_ACTIVATE_READONLY
);
2385 log_debug("Validation of dm-verity signature failed via the kernel, trying userspace validation instead.");
2387 log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
2388 program_invocation_short_name
);
2391 /* So this didn't work via the kernel, then let's try userspace validation instead. If that
2392 * works we'll try to activate without telling the kernel the signature. */
2394 r
= validate_signature_userspace(verity
);
2398 return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY
),
2399 "Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
2402 return sym_crypt_activate_by_volume_key(
2406 verity
->root_hash_size
,
2407 CRYPT_ACTIVATE_READONLY
);
2410 static int verity_partition(
2411 PartitionDesignator designator
,
2412 DissectedPartition
*m
,
2413 DissectedPartition
*v
,
2414 const VeritySettings
*verity
,
2415 DissectImageFlags flags
,
2416 DecryptedImage
*d
) {
2418 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2419 _cleanup_(dm_deferred_remove_cleanp
) char *restore_deferred_remove
= NULL
;
2420 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
2424 assert(v
|| (verity
&& verity
->data_path
));
2426 if (!verity
|| !verity
->root_hash
)
2428 if (!((verity
->designator
< 0 && designator
== PARTITION_ROOT
) ||
2429 (verity
->designator
== designator
)))
2432 if (!m
->found
|| !m
->node
|| !m
->fstype
)
2434 if (!verity
->data_path
) {
2435 if (!v
->found
|| !v
->node
|| !v
->fstype
)
2438 if (!streq(v
->fstype
, "DM_verity_hash"))
2442 r
= dlopen_cryptsetup();
2446 if (FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
)) {
2447 /* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
2448 _cleanup_free_
char *root_hash_encoded
= NULL
;
2450 root_hash_encoded
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2451 if (!root_hash_encoded
)
2454 r
= make_dm_name_and_node(root_hash_encoded
, "-verity", &name
, &node
);
2456 r
= make_dm_name_and_node(m
->node
, "-verity", &name
, &node
);
2460 r
= sym_crypt_init(&cd
, verity
->data_path
?: v
->node
);
2464 cryptsetup_enable_logging(cd
);
2466 r
= sym_crypt_load(cd
, CRYPT_VERITY
, NULL
);
2470 r
= sym_crypt_set_data_device(cd
, m
->node
);
2474 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_decrypted
+ 1))
2477 /* If activating fails because the device already exists, check the metadata and reuse it if it matches.
2478 * In case of ENODEV/ENOENT, which can happen if another process is activating at the exact same time,
2479 * retry a few times before giving up. */
2480 for (unsigned i
= 0; i
< N_DEVICE_NODE_LIST_ATTEMPTS
; i
++) {
2482 r
= do_crypt_activate_verity(cd
, name
, verity
);
2483 /* libdevmapper can return EINVAL when the device is already in the activation stage.
2484 * There's no way to distinguish this situation from a genuine error due to invalid
2485 * parameters, so immediately fall back to activating the device with a unique name.
2486 * Improvements in libcrypsetup can ensure this never happens:
2487 * https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/96 */
2488 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2489 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2492 -EEXIST
, /* Volume is already open and ready to be used */
2493 -EBUSY
, /* Volume is being opened but not ready, crypt_init_by_name can fetch details */
2494 -ENODEV
/* Volume is being opened but not ready, crypt_init_by_name would fail, try to open again */))
2496 if (IN_SET(r
, -EEXIST
, -EBUSY
)) {
2497 struct crypt_device
*existing_cd
= NULL
;
2499 if (!restore_deferred_remove
){
2500 /* To avoid races, disable automatic removal on umount while setting up the new device. Restore it on failure. */
2501 r
= dm_deferred_remove_cancel(name
);
2502 /* If activation returns EBUSY there might be no deferred removal to cancel, that's fine */
2503 if (r
< 0 && r
!= -ENXIO
)
2504 return log_debug_errno(r
, "Disabling automated deferred removal for verity device %s failed: %m", node
);
2506 restore_deferred_remove
= strdup(name
);
2507 if (!restore_deferred_remove
)
2512 r
= verity_can_reuse(verity
, name
, &existing_cd
);
2513 /* Same as above, -EINVAL can randomly happen when it actually means -EEXIST */
2514 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2515 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2516 if (!IN_SET(r
, 0, -ENODEV
, -ENOENT
, -EBUSY
))
2517 return log_debug_errno(r
, "Checking whether existing verity device %s can be reused failed: %m", node
);
2519 /* devmapper might say that the device exists, but the devlink might not yet have been
2520 * created. Check and wait for the udev event in that case. */
2521 r
= device_wait_for_devlink(node
, "block", usec_add(now(CLOCK_MONOTONIC
), 100 * USEC_PER_MSEC
), NULL
);
2522 /* Fallback to activation with a unique device if it's taking too long */
2523 if (r
== -ETIMEDOUT
)
2536 /* Device is being opened by another process, but it has not finished yet, yield for 2ms */
2537 (void) usleep(2 * USEC_PER_MSEC
);
2540 /* An existing verity device was reported by libcryptsetup/libdevmapper, but we can't use it at this time.
2541 * Fall back to activating it with a unique device name. */
2542 if (r
!= 0 && FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2543 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2545 /* Everything looks good and we'll be able to mount the device, so deferred remove will be re-enabled at that point. */
2546 restore_deferred_remove
= mfree(restore_deferred_remove
);
2548 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
2549 .name
= TAKE_PTR(name
),
2550 .device
= TAKE_PTR(cd
),
2553 m
->decrypted_node
= TAKE_PTR(node
);
2559 int dissected_image_decrypt(
2561 const char *passphrase
,
2562 const VeritySettings
*verity
,
2563 DissectImageFlags flags
,
2564 DecryptedImage
**ret
) {
2566 #if HAVE_LIBCRYPTSETUP
2567 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*d
= NULL
;
2572 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
2576 * = 0 → There was nothing to decrypt
2577 * > 0 → Decrypted successfully
2578 * -ENOKEY → There's something to decrypt but no key was supplied
2579 * -EKEYREJECTED → Passed key was not correct
2582 if (verity
&& verity
->root_hash
&& verity
->root_hash_size
< sizeof(sd_id128_t
))
2585 if (!m
->encrypted
&& !m
->verity_ready
) {
2590 #if HAVE_LIBCRYPTSETUP
2591 d
= new0(DecryptedImage
, 1);
2595 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
2596 DissectedPartition
*p
= m
->partitions
+ i
;
2597 PartitionDesignator k
;
2602 r
= decrypt_partition(p
, passphrase
, flags
, d
);
2606 k
= PARTITION_VERITY_OF(i
);
2608 r
= verity_partition(i
, p
, m
->partitions
+ k
, verity
, flags
| DISSECT_IMAGE_VERITY_SHARE
, d
);
2613 if (!p
->decrypted_fstype
&& p
->decrypted_node
) {
2614 r
= probe_filesystem(p
->decrypted_node
, &p
->decrypted_fstype
);
2615 if (r
< 0 && r
!= -EUCLEAN
)
2628 int dissected_image_decrypt_interactively(
2630 const char *passphrase
,
2631 const VeritySettings
*verity
,
2632 DissectImageFlags flags
,
2633 DecryptedImage
**ret
) {
2635 _cleanup_strv_free_erase_
char **z
= NULL
;
2642 r
= dissected_image_decrypt(m
, passphrase
, verity
, flags
, ret
);
2645 if (r
== -EKEYREJECTED
)
2646 log_error_errno(r
, "Incorrect passphrase, try again!");
2647 else if (r
!= -ENOKEY
)
2648 return log_error_errno(r
, "Failed to decrypt image: %m");
2651 return log_error_errno(SYNTHETIC_ERRNO(EKEYREJECTED
),
2652 "Too many retries.");
2656 r
= ask_password_auto("Please enter image passphrase:", NULL
, "dissect", "dissect", "dissect.passphrase", USEC_INFINITY
, 0, &z
);
2658 return log_error_errno(r
, "Failed to query for passphrase: %m");
2664 int decrypted_image_relinquish(DecryptedImage
*d
) {
2667 /* Turns on automatic removal after the last use ended for all DM devices of this image, and sets a
2668 * boolean so that we don't clean it up ourselves either anymore */
2670 #if HAVE_LIBCRYPTSETUP
2673 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2674 DecryptedPartition
*p
= d
->decrypted
+ i
;
2676 if (p
->relinquished
)
2679 r
= sym_crypt_deactivate_by_name(NULL
, p
->name
, CRYPT_DEACTIVATE_DEFERRED
);
2681 return log_debug_errno(r
, "Failed to mark %s for auto-removal: %m", p
->name
);
2683 p
->relinquished
= true;
2690 static char *build_auxiliary_path(const char *image
, const char *suffix
) {
2697 e
= endswith(image
, ".raw");
2699 return strjoin(e
, suffix
);
2701 n
= new(char, e
- image
+ strlen(suffix
) + 1);
2705 strcpy(mempcpy(n
, image
, e
- image
), suffix
);
2709 void verity_settings_done(VeritySettings
*v
) {
2712 v
->root_hash
= mfree(v
->root_hash
);
2713 v
->root_hash_size
= 0;
2715 v
->root_hash_sig
= mfree(v
->root_hash_sig
);
2716 v
->root_hash_sig_size
= 0;
2718 v
->data_path
= mfree(v
->data_path
);
2721 int verity_settings_load(
2722 VeritySettings
*verity
,
2724 const char *root_hash_path
,
2725 const char *root_hash_sig_path
) {
2727 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2728 size_t root_hash_size
= 0, root_hash_sig_size
= 0;
2729 _cleanup_free_
char *verity_data_path
= NULL
;
2730 PartitionDesignator designator
;
2735 assert(verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
2737 /* If we are asked to load the root hash for a device node, exit early */
2738 if (is_device_path(image
))
2741 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIDECAR");
2742 if (r
< 0 && r
!= -ENXIO
)
2743 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIDECAR, ignoring: %m");
2747 designator
= verity
->designator
;
2749 /* We only fill in what isn't already filled in */
2751 if (!verity
->root_hash
) {
2752 _cleanup_free_
char *text
= NULL
;
2754 if (root_hash_path
) {
2755 /* If explicitly specified it takes precedence */
2756 r
= read_one_line_file(root_hash_path
, &text
);
2761 designator
= PARTITION_ROOT
;
2763 /* Otherwise look for xattr and separate file, and first for the data for root and if
2764 * that doesn't exist for /usr */
2766 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2767 r
= getxattr_malloc(image
, "user.verity.roothash", &text
, true);
2769 _cleanup_free_
char *p
= NULL
;
2771 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2774 p
= build_auxiliary_path(image
, ".roothash");
2778 r
= read_one_line_file(p
, &text
);
2779 if (r
< 0 && r
!= -ENOENT
)
2784 designator
= PARTITION_ROOT
;
2787 if (!text
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2788 /* So in the "roothash" xattr/file name above the "root" of course primarily
2789 * refers to the root of the Verity Merkle tree. But coincidentally it also
2790 * is the hash for the *root* file system, i.e. the "root" neatly refers to
2791 * two distinct concepts called "root". Taking benefit of this happy
2792 * coincidence we call the file with the root hash for the /usr/ file system
2793 * `usrhash`, because `usrroothash` or `rootusrhash` would just be too
2794 * confusing. We thus drop the reference to the root of the Merkle tree, and
2795 * just indicate which file system it's about. */
2796 r
= getxattr_malloc(image
, "user.verity.usrhash", &text
, true);
2798 _cleanup_free_
char *p
= NULL
;
2800 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2803 p
= build_auxiliary_path(image
, ".usrhash");
2807 r
= read_one_line_file(p
, &text
);
2808 if (r
< 0 && r
!= -ENOENT
)
2813 designator
= PARTITION_USR
;
2818 r
= unhexmem(text
, strlen(text
), &root_hash
, &root_hash_size
);
2821 if (root_hash_size
< sizeof(sd_id128_t
))
2826 if ((root_hash
|| verity
->root_hash
) && !verity
->root_hash_sig
) {
2827 if (root_hash_sig_path
) {
2828 r
= read_full_file(root_hash_sig_path
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2829 if (r
< 0 && r
!= -ENOENT
)
2833 designator
= PARTITION_ROOT
;
2835 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2836 _cleanup_free_
char *p
= NULL
;
2838 /* Follow naming convention recommended by the relevant RFC:
2839 * https://tools.ietf.org/html/rfc5751#section-3.2.1 */
2840 p
= build_auxiliary_path(image
, ".roothash.p7s");
2844 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2845 if (r
< 0 && r
!= -ENOENT
)
2848 designator
= PARTITION_ROOT
;
2851 if (!root_hash_sig
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2852 _cleanup_free_
char *p
= NULL
;
2854 p
= build_auxiliary_path(image
, ".usrhash.p7s");
2858 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2859 if (r
< 0 && r
!= -ENOENT
)
2862 designator
= PARTITION_USR
;
2866 if (root_hash_sig
&& root_hash_sig_size
== 0) /* refuse empty size signatures */
2870 if (!verity
->data_path
) {
2871 _cleanup_free_
char *p
= NULL
;
2873 p
= build_auxiliary_path(image
, ".verity");
2877 if (access(p
, F_OK
) < 0) {
2878 if (errno
!= ENOENT
)
2881 verity_data_path
= TAKE_PTR(p
);
2885 verity
->root_hash
= TAKE_PTR(root_hash
);
2886 verity
->root_hash_size
= root_hash_size
;
2889 if (root_hash_sig
) {
2890 verity
->root_hash_sig
= TAKE_PTR(root_hash_sig
);
2891 verity
->root_hash_sig_size
= root_hash_sig_size
;
2894 if (verity_data_path
)
2895 verity
->data_path
= TAKE_PTR(verity_data_path
);
2897 if (verity
->designator
< 0)
2898 verity
->designator
= designator
;
2903 int dissected_image_load_verity_sig_partition(
2906 VeritySettings
*verity
) {
2908 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2909 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
2910 size_t root_hash_size
, root_hash_sig_size
;
2911 _cleanup_free_
char *buf
= NULL
;
2912 PartitionDesignator d
;
2913 DissectedPartition
*p
;
2914 JsonVariant
*rh
, *sig
;
2923 if (verity
->root_hash
&& verity
->root_hash_sig
) /* Already loaded? */
2926 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_EMBEDDED");
2927 if (r
< 0 && r
!= -ENXIO
)
2928 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_EMBEDDED, ignoring: %m");
2932 d
= PARTITION_VERITY_SIG_OF(verity
->designator
< 0 ? PARTITION_ROOT
: verity
->designator
);
2935 p
= m
->partitions
+ d
;
2938 if (p
->offset
== UINT64_MAX
|| p
->size
== UINT64_MAX
)
2941 if (p
->size
> 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
2944 buf
= new(char, p
->size
+1);
2948 n
= pread(fd
, buf
, p
->size
, p
->offset
);
2951 if ((uint64_t) n
!= p
->size
)
2954 e
= memchr(buf
, 0, p
->size
);
2956 /* If we found a NUL byte then the rest of the data must be NUL too */
2957 if (!memeqzero(e
, p
->size
- (e
- buf
)))
2958 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature data contains embedded NUL byte.");
2962 r
= json_parse(buf
, 0, &v
, NULL
, NULL
);
2964 return log_debug_errno(r
, "Failed to parse signature JSON data: %m");
2966 rh
= json_variant_by_key(v
, "rootHash");
2968 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature JSON object lacks 'rootHash' field.");
2969 if (!json_variant_is_string(rh
))
2970 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "'rootHash' field of signature JSON object is not a string.");
2972 r
= unhexmem(json_variant_string(rh
), SIZE_MAX
, &root_hash
, &root_hash_size
);
2974 return log_debug_errno(r
, "Failed to parse root hash field: %m");
2976 /* Check if specified root hash matches if it is specified */
2977 if (verity
->root_hash
&&
2978 memcmp_nn(verity
->root_hash
, verity
->root_hash_size
, root_hash
, root_hash_size
) != 0) {
2979 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
2981 a
= hexmem(root_hash
, root_hash_size
);
2982 b
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2984 return log_debug_errno(r
, "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a
), strna(b
));
2987 sig
= json_variant_by_key(v
, "signature");
2989 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature JSON object lacks 'signature' field.");
2990 if (!json_variant_is_string(sig
))
2991 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "'signature' field of signature JSON object is not a string.");
2993 r
= unbase64mem(json_variant_string(sig
), SIZE_MAX
, &root_hash_sig
, &root_hash_sig_size
);
2995 return log_debug_errno(r
, "Failed to parse signature field: %m");
2997 free_and_replace(verity
->root_hash
, root_hash
);
2998 verity
->root_hash_size
= root_hash_size
;
3000 free_and_replace(verity
->root_hash_sig
, root_hash_sig
);
3001 verity
->root_hash_sig_size
= root_hash_sig_size
;
3006 int dissected_image_acquire_metadata(DissectedImage
*m
) {
3013 META_EXTENSION_RELEASE
,
3017 static const char *const paths
[_META_MAX
] = {
3018 [META_HOSTNAME
] = "/etc/hostname\0",
3019 [META_MACHINE_ID
] = "/etc/machine-id\0",
3020 [META_MACHINE_INFO
] = "/etc/machine-info\0",
3021 [META_OS_RELEASE
] = ("/etc/os-release\0"
3022 "/usr/lib/os-release\0"),
3023 [META_EXTENSION_RELEASE
] = "extension-release\0", /* Used only for logging. */
3026 _cleanup_strv_free_
char **machine_info
= NULL
, **os_release
= NULL
, **extension_release
= NULL
;
3027 _cleanup_close_pair_
int error_pipe
[2] = { -1, -1 };
3028 _cleanup_(rmdir_and_freep
) char *t
= NULL
;
3029 _cleanup_(sigkill_waitp
) pid_t child
= 0;
3030 sd_id128_t machine_id
= SD_ID128_NULL
;
3031 _cleanup_free_
char *hostname
= NULL
;
3032 unsigned n_meta_initialized
= 0;
3033 int fds
[2 * _META_MAX
], r
, v
;
3036 BLOCK_SIGNALS(SIGCHLD
);
3040 for (; n_meta_initialized
< _META_MAX
; n_meta_initialized
++) {
3041 if (!paths
[n_meta_initialized
]) {
3042 fds
[2*n_meta_initialized
] = fds
[2*n_meta_initialized
+1] = -1;
3046 if (pipe2(fds
+ 2*n_meta_initialized
, O_CLOEXEC
) < 0) {
3052 r
= mkdtemp_malloc("/tmp/dissect-XXXXXX", &t
);
3056 if (pipe2(error_pipe
, O_CLOEXEC
) < 0) {
3061 r
= safe_fork("(sd-dissect)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_NEW_MOUNTNS
|FORK_MOUNTNS_SLAVE
, &child
);
3065 error_pipe
[0] = safe_close(error_pipe
[0]);
3067 r
= dissected_image_mount(
3072 DISSECT_IMAGE_READ_ONLY
|
3073 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|
3074 DISSECT_IMAGE_VALIDATE_OS
|
3075 DISSECT_IMAGE_VALIDATE_OS_EXT
|
3076 DISSECT_IMAGE_USR_NO_ROOT
);
3078 /* Let parent know the error */
3079 (void) write(error_pipe
[1], &r
, sizeof(r
));
3081 log_debug_errno(r
, "Failed to mount dissected image: %m");
3082 _exit(EXIT_FAILURE
);
3085 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
3086 _cleanup_close_
int fd
= -ENOENT
;
3092 fds
[2*k
] = safe_close(fds
[2*k
]);
3094 if (k
== META_EXTENSION_RELEASE
) {
3095 /* As per the os-release spec, if the image is an extension it will have a file
3096 * named after the image name in extension-release.d/ - we use the image name
3097 * and try to resolve it with the extension-release helpers, as sometimes
3098 * the image names are mangled on deployment and do not match anymore.
3099 * Unlike other paths this is not fixed, and the image name
3100 * can be mangled on deployment, so by calling into the helper
3101 * we allow a fallback that matches on the first extension-release
3102 * file found in the directory, if one named after the image cannot
3103 * be found first. */
3104 r
= open_extension_release(t
, m
->image_name
, NULL
, &fd
);
3106 fd
= r
; /* Propagate the error. */
3108 NULSTR_FOREACH(p
, paths
[k
]) {
3109 fd
= chase_symlinks_and_open(p
, t
, CHASE_PREFIX_ROOT
, O_RDONLY
|O_CLOEXEC
|O_NOCTTY
, NULL
);
3114 log_debug_errno(fd
, "Failed to read %s file of image, ignoring: %m", paths
[k
]);
3115 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3119 r
= copy_bytes(fd
, fds
[2*k
+1], UINT64_MAX
, 0);
3121 (void) write(error_pipe
[1], &r
, sizeof(r
));
3122 _exit(EXIT_FAILURE
);
3125 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3128 _exit(EXIT_SUCCESS
);
3131 error_pipe
[1] = safe_close(error_pipe
[1]);
3133 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
3134 _cleanup_fclose_
FILE *f
= NULL
;
3139 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3141 f
= take_fdopen(&fds
[2*k
], "r");
3150 r
= read_etc_hostname_stream(f
, &hostname
);
3152 log_debug_errno(r
, "Failed to read /etc/hostname: %m");
3156 case META_MACHINE_ID
: {
3157 _cleanup_free_
char *line
= NULL
;
3159 r
= read_line(f
, LONG_LINE_MAX
, &line
);
3161 log_debug_errno(r
, "Failed to read /etc/machine-id: %m");
3163 r
= sd_id128_from_string(line
, &machine_id
);
3165 log_debug_errno(r
, "Image contains invalid /etc/machine-id: %s", line
);
3167 log_debug("/etc/machine-id file is empty.");
3168 else if (streq(line
, "uninitialized"))
3169 log_debug("/etc/machine-id file is uninitialized (likely aborted first boot).");
3171 log_debug("/etc/machine-id has unexpected length %i.", r
);
3176 case META_MACHINE_INFO
:
3177 r
= load_env_file_pairs(f
, "machine-info", &machine_info
);
3179 log_debug_errno(r
, "Failed to read /etc/machine-info: %m");
3183 case META_OS_RELEASE
:
3184 r
= load_env_file_pairs(f
, "os-release", &os_release
);
3186 log_debug_errno(r
, "Failed to read OS release file: %m");
3190 case META_EXTENSION_RELEASE
:
3191 r
= load_env_file_pairs(f
, "extension-release", &extension_release
);
3193 log_debug_errno(r
, "Failed to read extension release file: %m");
3199 r
= wait_for_terminate_and_check("(sd-dissect)", child
, 0);
3204 n
= read(error_pipe
[0], &v
, sizeof(v
));
3208 return v
; /* propagate error sent to us from child */
3212 if (r
!= EXIT_SUCCESS
)
3215 free_and_replace(m
->hostname
, hostname
);
3216 m
->machine_id
= machine_id
;
3217 strv_free_and_replace(m
->machine_info
, machine_info
);
3218 strv_free_and_replace(m
->os_release
, os_release
);
3219 strv_free_and_replace(m
->extension_release
, extension_release
);
3222 for (unsigned k
= 0; k
< n_meta_initialized
; k
++)
3223 safe_close_pair(fds
+ 2*k
);
3228 int dissect_image_and_warn(
3231 const VeritySettings
*verity
,
3232 const MountOptions
*mount_options
,
3234 uint64_t uevent_seqnum_not_before
,
3235 usec_t timestamp_not_before
,
3236 DissectImageFlags flags
,
3237 DissectedImage
**ret
) {
3239 _cleanup_free_
char *buffer
= NULL
;
3243 r
= fd_get_path(fd
, &buffer
);
3250 r
= dissect_image(fd
, verity
, mount_options
, diskseq
, uevent_seqnum_not_before
, timestamp_not_before
, flags
, ret
);
3254 return log_error_errno(r
, "Dissecting images is not supported, compiled without blkid support.");
3257 return log_error_errno(r
, "Couldn't identify a suitable partition table or file system in '%s'.", name
);
3259 case -EADDRNOTAVAIL
:
3260 return log_error_errno(r
, "No root partition for specified root hash found in '%s'.", name
);
3263 return log_error_errno(r
, "Multiple suitable root partitions found in image '%s'.", name
);
3266 return log_error_errno(r
, "No suitable root partition found in image '%s'.", name
);
3268 case -EPROTONOSUPPORT
:
3269 return log_error_errno(r
, "Device '%s' is loopback block device with partition scanning turned off, please turn it on.", name
);
3273 return log_error_errno(r
, "Failed to dissect image '%s': %m", name
);
3279 bool dissected_image_verity_candidate(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3282 /* Checks if this partition could theoretically do Verity. For non-partitioned images this only works
3283 * if there's an external verity file supplied, for which we can consult .has_verity. For partitioned
3284 * images we only check the partition type.
3286 * This call is used to decide whether to suppress or show a verity column in tabular output of the
3289 if (image
->single_file_system
)
3290 return partition_designator
== PARTITION_ROOT
&& image
->has_verity
;
3292 return PARTITION_VERITY_OF(partition_designator
) >= 0;
3295 bool dissected_image_verity_ready(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3296 PartitionDesignator k
;
3300 /* Checks if this partition has verity data available that we can activate. For non-partitioned this
3301 * works for the root partition, for others only if the associated verity partition was found. */
3303 if (!image
->verity_ready
)
3306 if (image
->single_file_system
)
3307 return partition_designator
== PARTITION_ROOT
;
3309 k
= PARTITION_VERITY_OF(partition_designator
);
3310 return k
>= 0 && image
->partitions
[k
].found
;
3313 bool dissected_image_verity_sig_ready(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3314 PartitionDesignator k
;
3318 /* Checks if this partition has verity signature data available that we can use. */
3320 if (!image
->verity_sig_ready
)
3323 if (image
->single_file_system
)
3324 return partition_designator
== PARTITION_ROOT
;
3326 k
= PARTITION_VERITY_SIG_OF(partition_designator
);
3327 return k
>= 0 && image
->partitions
[k
].found
;
3330 MountOptions
* mount_options_free_all(MountOptions
*options
) {
3333 while ((m
= options
)) {
3334 LIST_REMOVE(mount_options
, options
, m
);
3342 const char* mount_options_from_designator(const MountOptions
*options
, PartitionDesignator designator
) {
3343 const MountOptions
*m
;
3345 LIST_FOREACH(mount_options
, m
, options
)
3346 if (designator
== m
->partition_designator
&& !isempty(m
->options
))
3352 int mount_image_privately_interactively(
3354 DissectImageFlags flags
,
3355 char **ret_directory
,
3356 LoopDevice
**ret_loop_device
,
3357 DecryptedImage
**ret_decrypted_image
) {
3359 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
3360 _cleanup_(loop_device_unrefp
) LoopDevice
*d
= NULL
;
3361 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3362 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3363 _cleanup_(rmdir_and_freep
) char *created_dir
= NULL
;
3364 _cleanup_free_
char *temp
= NULL
;
3367 /* Mounts an OS image at a temporary place, inside a newly created mount namespace of our own. This
3368 * is used by tools such as systemd-tmpfiles or systemd-firstboot to operate on some disk image
3372 assert(ret_directory
);
3373 assert(ret_loop_device
);
3374 assert(ret_decrypted_image
);
3376 r
= verity_settings_load(&verity
, image
, NULL
, NULL
);
3378 return log_error_errno(r
, "Failed to load root hash data: %m");
3380 r
= tempfn_random_child(NULL
, program_invocation_short_name
, &temp
);
3382 return log_error_errno(r
, "Failed to generate temporary mount directory: %m");
3384 r
= loop_device_make_by_path(
3386 FLAGS_SET(flags
, DISSECT_IMAGE_DEVICE_READ_ONLY
) ? O_RDONLY
: O_RDWR
,
3387 FLAGS_SET(flags
, DISSECT_IMAGE_NO_PARTITION_TABLE
) ? 0 : LO_FLAGS_PARTSCAN
,
3390 return log_error_errno(r
, "Failed to set up loopback device for %s: %m", image
);
3392 r
= dissect_image_and_warn(d
->fd
, image
, &verity
, NULL
, d
->diskseq
, d
->uevent_seqnum_not_before
, d
->timestamp_not_before
, flags
, &dissected_image
);
3396 r
= dissected_image_load_verity_sig_partition(dissected_image
, d
->fd
, &verity
);
3400 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, &verity
, flags
, &decrypted_image
);
3404 r
= detach_mount_namespace();
3406 return log_error_errno(r
, "Failed to detach mount namespace: %m");
3408 r
= mkdir_p(temp
, 0700);
3410 return log_error_errno(r
, "Failed to create mount point: %m");
3412 created_dir
= TAKE_PTR(temp
);
3414 r
= dissected_image_mount_and_warn(dissected_image
, created_dir
, UID_INVALID
, UID_INVALID
, flags
);
3418 if (decrypted_image
) {
3419 r
= decrypted_image_relinquish(decrypted_image
);
3421 return log_error_errno(r
, "Failed to relinquish DM devices: %m");
3424 loop_device_relinquish(d
);
3426 *ret_directory
= TAKE_PTR(created_dir
);
3427 *ret_loop_device
= TAKE_PTR(d
);
3428 *ret_decrypted_image
= TAKE_PTR(decrypted_image
);
3433 static const char *const partition_designator_table
[] = {
3434 [PARTITION_ROOT
] = "root",
3435 [PARTITION_ROOT_SECONDARY
] = "root-secondary",
3436 [PARTITION_USR
] = "usr",
3437 [PARTITION_USR_SECONDARY
] = "usr-secondary",
3438 [PARTITION_HOME
] = "home",
3439 [PARTITION_SRV
] = "srv",
3440 [PARTITION_ESP
] = "esp",
3441 [PARTITION_XBOOTLDR
] = "xbootldr",
3442 [PARTITION_SWAP
] = "swap",
3443 [PARTITION_ROOT_VERITY
] = "root-verity",
3444 [PARTITION_ROOT_SECONDARY_VERITY
] = "root-secondary-verity",
3445 [PARTITION_USR_VERITY
] = "usr-verity",
3446 [PARTITION_USR_SECONDARY_VERITY
] = "usr-secondary-verity",
3447 [PARTITION_ROOT_VERITY_SIG
] = "root-verity-sig",
3448 [PARTITION_ROOT_SECONDARY_VERITY_SIG
] = "root-secondary-verity-sig",
3449 [PARTITION_USR_VERITY_SIG
] = "usr-verity-sig",
3450 [PARTITION_USR_SECONDARY_VERITY_SIG
] = "usr-secondary-verity-sig",
3451 [PARTITION_TMP
] = "tmp",
3452 [PARTITION_VAR
] = "var",
3455 int verity_dissect_and_mount(
3458 const MountOptions
*options
,
3459 const char *required_host_os_release_id
,
3460 const char *required_host_os_release_version_id
,
3461 const char *required_host_os_release_sysext_level
) {
3463 _cleanup_(loop_device_unrefp
) LoopDevice
*loop_device
= NULL
;
3464 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3465 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3466 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
3467 DissectImageFlags dissect_image_flags
;
3473 r
= verity_settings_load(&verity
, src
, NULL
, NULL
);
3475 return log_debug_errno(r
, "Failed to load root hash: %m");
3477 dissect_image_flags
= verity
.data_path
? DISSECT_IMAGE_NO_PARTITION_TABLE
: 0;
3479 r
= loop_device_make_by_path(
3482 verity
.data_path
? 0 : LO_FLAGS_PARTSCAN
,
3485 return log_debug_errno(r
, "Failed to create loop device for image: %m");
3491 loop_device
->diskseq
,
3492 loop_device
->uevent_seqnum_not_before
,
3493 loop_device
->timestamp_not_before
,
3494 dissect_image_flags
,
3496 /* No partition table? Might be a single-filesystem image, try again */
3497 if (!verity
.data_path
&& r
== -ENOPKG
)
3502 loop_device
->diskseq
,
3503 loop_device
->uevent_seqnum_not_before
,
3504 loop_device
->timestamp_not_before
,
3505 dissect_image_flags
| DISSECT_IMAGE_NO_PARTITION_TABLE
,
3508 return log_debug_errno(r
, "Failed to dissect image: %m");
3510 r
= dissected_image_load_verity_sig_partition(dissected_image
, loop_device
->fd
, &verity
);
3514 r
= dissected_image_decrypt(
3518 dissect_image_flags
,
3521 return log_debug_errno(r
, "Failed to decrypt dissected image: %m");
3523 r
= mkdir_p_label(dest
, 0755);
3525 return log_debug_errno(r
, "Failed to create destination directory %s: %m", dest
);
3526 r
= umount_recursive(dest
, 0);
3528 return log_debug_errno(r
, "Failed to umount under destination directory %s: %m", dest
);
3530 r
= dissected_image_mount(dissected_image
, dest
, UID_INVALID
, UID_INVALID
, dissect_image_flags
);
3532 return log_debug_errno(r
, "Failed to mount image: %m");
3534 /* If we got os-release values from the caller, then we need to match them with the image's
3535 * extension-release.d/ content. Return -EINVAL if there's any mismatch.
3536 * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
3537 * available, or else fallback to VERSION_ID. */
3538 if (required_host_os_release_id
&&
3539 (required_host_os_release_version_id
|| required_host_os_release_sysext_level
)) {
3540 _cleanup_strv_free_
char **extension_release
= NULL
;
3542 r
= load_extension_release_pairs(dest
, dissected_image
->image_name
, &extension_release
);
3544 return log_debug_errno(r
, "Failed to parse image %s extension-release metadata: %m", dissected_image
->image_name
);
3546 r
= extension_release_validate(
3547 dissected_image
->image_name
,
3548 required_host_os_release_id
,
3549 required_host_os_release_version_id
,
3550 required_host_os_release_sysext_level
,
3553 return log_debug_errno(SYNTHETIC_ERRNO(ESTALE
), "Image %s extension-release metadata does not match the root's", dissected_image
->image_name
);
3555 return log_debug_errno(r
, "Failed to compare image %s extension-release metadata with the root's os-release: %m", dissected_image
->image_name
);
3558 if (decrypted_image
) {
3559 r
= decrypted_image_relinquish(decrypted_image
);
3561 return log_debug_errno(r
, "Failed to relinquish decrypted image: %m");
3564 loop_device_relinquish(loop_device
);
3569 DEFINE_STRING_TABLE_LOOKUP(partition_designator
, PartitionDesignator
);