2 This file is part of systemd.
4 Copyright 2016 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 #ifdef HAVE_LIBCRYPTSETUP
21 #include <libcryptsetup.h>
23 #include <linux/dm-ioctl.h>
24 #include <sys/mount.h>
26 #include "architecture.h"
27 #include "ask-password-api.h"
28 #include "blkid-util.h"
29 #include "dissect-image.h"
32 #include "mount-util.h"
33 #include "path-util.h"
34 #include "stat-util.h"
35 #include "stdio-util.h"
36 #include "string-table.h"
37 #include "string-util.h"
38 #include "udev-util.h"
40 static int probe_filesystem(const char *node
, char **ret_fstype
) {
42 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
46 b
= blkid_new_probe_from_filename(node
);
50 blkid_probe_enable_superblocks(b
, 1);
51 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
54 r
= blkid_do_safeprobe(b
);
55 if (r
== -2 || r
== 1) {
56 log_debug("Failed to identify any partition type on partition %s", node
);
66 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
87 int dissect_image(int fd
, const void *root_hash
, size_t root_hash_size
, DissectImageFlags flags
, DissectedImage
**ret
) {
90 sd_id128_t root_uuid
= SD_ID128_NULL
, verity_uuid
= SD_ID128_NULL
;
91 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
92 bool is_gpt
, is_mbr
, generic_rw
, multiple_generic
= false;
93 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
94 _cleanup_(dissected_image_unrefp
) DissectedImage
*m
= NULL
;
95 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
96 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
97 _cleanup_free_
char *generic_node
= NULL
;
98 sd_id128_t generic_uuid
= SD_ID128_NULL
;
99 const char *pttype
= NULL
;
100 struct udev_list_entry
*first
, *item
;
108 assert(root_hash
|| root_hash_size
== 0);
110 /* Probes a disk image, and returns information about what it found in *ret.
112 * Returns -ENOPKG if no suitable partition table or file system could be found.
113 * Returns -EADDRNOTAVAIL if a root hash was specified but no matching root/verity partitions found. */
116 /* If a root hash is supplied, then we use the root partition that has a UUID that match the first
117 * 128bit of the root hash. And we use the verity partition that has a UUID that match the final
120 if (root_hash_size
< sizeof(sd_id128_t
))
123 memcpy(&root_uuid
, root_hash
, sizeof(sd_id128_t
));
124 memcpy(&verity_uuid
, (const uint8_t*) root_hash
+ root_hash_size
- sizeof(sd_id128_t
), sizeof(sd_id128_t
));
126 if (sd_id128_is_null(root_uuid
))
128 if (sd_id128_is_null(verity_uuid
))
132 if (fstat(fd
, &st
) < 0)
135 if (!S_ISBLK(st
.st_mode
))
138 b
= blkid_new_probe();
143 r
= blkid_probe_set_device(b
, fd
, 0, 0);
151 if ((flags
& DISSECT_IMAGE_GPT_ONLY
) == 0) {
152 /* Look for file system superblocks, unless we only shall look for GPT partition tables */
153 blkid_probe_enable_superblocks(b
, 1);
154 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
|BLKID_SUBLKS_USAGE
);
157 blkid_probe_enable_partitions(b
, 1);
158 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
161 r
= blkid_do_safeprobe(b
);
162 if (r
== -2 || r
== 1) {
163 log_debug("Failed to identify any partition table.");
173 m
= new0(DissectedImage
, 1);
177 if (!(flags
& DISSECT_IMAGE_GPT_ONLY
) &&
178 (flags
& DISSECT_IMAGE_REQUIRE_ROOT
)) {
179 const char *usage
= NULL
;
181 (void) blkid_probe_lookup_value(b
, "USAGE", &usage
, NULL
);
182 if (STRPTR_IN_SET(usage
, "filesystem", "crypto")) {
183 _cleanup_free_
char *t
= NULL
, *n
= NULL
;
184 const char *fstype
= NULL
;
186 /* OK, we have found a file system, that's our root partition then. */
187 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
195 if (asprintf(&n
, "/dev/block/%u:%u", major(st
.st_rdev
), minor(st
.st_rdev
)) < 0)
198 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
202 .architecture
= _ARCHITECTURE_INVALID
,
209 m
->encrypted
= streq(fstype
, "crypto_LUKS");
218 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
222 is_gpt
= streq_ptr(pttype
, "gpt");
223 is_mbr
= streq_ptr(pttype
, "dos");
225 if (!is_gpt
&& ((flags
& DISSECT_IMAGE_GPT_ONLY
) || !is_mbr
))
229 pl
= blkid_probe_get_partitions(b
);
241 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
249 log_debug("Kernel partitions never appeared.");
253 e
= udev_enumerate_new(udev
);
257 r
= udev_enumerate_add_match_parent(e
, d
);
261 r
= udev_enumerate_scan_devices(e
);
265 /* Count the partitions enumerated by the kernel */
267 first
= udev_enumerate_get_list_entry(e
);
268 udev_list_entry_foreach(item
, first
)
271 /* Count the partitions enumerated by blkid */
272 z
= blkid_partlist_numof_partitions(pl
);
276 log_debug("blkid and kernel partition list do not match.");
282 /* The kernel has probed fewer partitions than blkid? Maybe the kernel prober is still running
283 * or it got EBUSY because udev already opened the device. Let's reprobe the device, which is a
284 * synchronous call that waits until probing is complete. */
286 for (j
= 0; j
< 20; j
++) {
288 r
= ioctl(fd
, BLKRRPART
, 0);
291 if (r
>= 0 || r
!= -EBUSY
)
294 /* If something else has the device open, such as an udev rule, the ioctl will return
295 * EBUSY. Since there's no way to wait until it isn't busy anymore, let's just wait a
296 * bit, and try again.
298 * This is really something they should fix in the kernel! */
300 usleep(50 * USEC_PER_MSEC
);
307 e
= udev_enumerate_unref(e
);
310 first
= udev_enumerate_get_list_entry(e
);
311 udev_list_entry_foreach(item
, first
) {
312 _cleanup_udev_device_unref_
struct udev_device
*q
;
313 unsigned long long pflags
;
319 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
323 qn
= udev_device_get_devnum(q
);
327 if (st
.st_rdev
== qn
)
330 node
= udev_device_get_devnode(q
);
334 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
338 pflags
= blkid_partition_get_flags(pp
);
340 nr
= blkid_partition_get_partno(pp
);
345 int designator
= _PARTITION_DESIGNATOR_INVALID
, architecture
= _ARCHITECTURE_INVALID
;
346 const char *stype
, *sid
, *fstype
= NULL
;
347 sd_id128_t type_id
, id
;
350 sid
= blkid_partition_get_uuid(pp
);
353 if (sd_id128_from_string(sid
, &id
) < 0)
356 stype
= blkid_partition_get_type_string(pp
);
359 if (sd_id128_from_string(stype
, &type_id
) < 0)
362 if (sd_id128_equal(type_id
, GPT_HOME
)) {
364 if (pflags
& GPT_FLAG_NO_AUTO
)
367 designator
= PARTITION_HOME
;
368 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
369 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
371 if (pflags
& GPT_FLAG_NO_AUTO
)
374 designator
= PARTITION_SRV
;
375 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
376 } else if (sd_id128_equal(type_id
, GPT_ESP
)) {
378 /* Note that we don't check the GPT_FLAG_NO_AUTO flag for the ESP, as it is not defined
379 * there. We instead check the GPT_FLAG_NO_BLOCK_IO_PROTOCOL, as recommended by the
380 * UEFI spec (See "12.3.3 Number and Location of System Partitions"). */
382 if (pflags
& GPT_FLAG_NO_BLOCK_IO_PROTOCOL
)
385 designator
= PARTITION_ESP
;
388 #ifdef GPT_ROOT_NATIVE
389 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
391 if (pflags
& GPT_FLAG_NO_AUTO
)
394 /* If a root ID is specified, ignore everything but the root id */
395 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
398 designator
= PARTITION_ROOT
;
399 architecture
= native_architecture();
400 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
401 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY
)) {
403 if (pflags
& GPT_FLAG_NO_AUTO
)
406 m
->can_verity
= true;
408 /* Ignore verity unless a root hash is specified */
409 if (sd_id128_is_null(verity_uuid
) || !sd_id128_equal(verity_uuid
, id
))
412 designator
= PARTITION_ROOT_VERITY
;
413 fstype
= "DM_verity_hash";
414 architecture
= native_architecture();
418 #ifdef GPT_ROOT_SECONDARY
419 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
421 if (pflags
& GPT_FLAG_NO_AUTO
)
424 /* If a root ID is specified, ignore everything but the root id */
425 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
428 designator
= PARTITION_ROOT_SECONDARY
;
429 architecture
= SECONDARY_ARCHITECTURE
;
430 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
431 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY
)) {
433 if (pflags
& GPT_FLAG_NO_AUTO
)
436 m
->can_verity
= true;
438 /* Ignore verity unless root has is specified */
439 if (sd_id128_is_null(verity_uuid
) || !sd_id128_equal(verity_uuid
, id
))
442 designator
= PARTITION_ROOT_SECONDARY_VERITY
;
443 fstype
= "DM_verity_hash";
444 architecture
= SECONDARY_ARCHITECTURE
;
448 else if (sd_id128_equal(type_id
, GPT_SWAP
)) {
450 if (pflags
& GPT_FLAG_NO_AUTO
)
453 designator
= PARTITION_SWAP
;
455 } else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
457 if (pflags
& GPT_FLAG_NO_AUTO
)
461 multiple_generic
= true;
464 generic_rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
466 generic_node
= strdup(node
);
472 if (designator
!= _PARTITION_DESIGNATOR_INVALID
) {
473 _cleanup_free_
char *t
= NULL
, *n
= NULL
;
476 if (m
->partitions
[designator
].found
)
489 m
->partitions
[designator
] = (DissectedPartition
) {
493 .architecture
= architecture
,
504 if (pflags
!= 0x80) /* Bootable flag */
507 if (blkid_partition_get_type(pp
) != 0x83) /* Linux partition */
511 multiple_generic
= true;
515 generic_node
= strdup(node
);
522 if (!m
->partitions
[PARTITION_ROOT
].found
) {
523 /* No root partition found? Then let's see if ther's one for the secondary architecture. And if not
524 * either, then check if there's a single generic one, and use that. */
526 if (m
->partitions
[PARTITION_ROOT_VERITY
].found
)
527 return -EADDRNOTAVAIL
;
529 if (m
->partitions
[PARTITION_ROOT_SECONDARY
].found
) {
530 m
->partitions
[PARTITION_ROOT
] = m
->partitions
[PARTITION_ROOT_SECONDARY
];
531 zero(m
->partitions
[PARTITION_ROOT_SECONDARY
]);
533 m
->partitions
[PARTITION_ROOT_VERITY
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
];
534 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
]);
536 } else if (flags
& DISSECT_IMAGE_REQUIRE_ROOT
) {
538 /* If the root has was set, then we won't fallback to a generic node, because the root hash
541 return -EADDRNOTAVAIL
;
543 /* If we didn't find a generic node, then we can't fix this up either */
547 /* If we didn't find a properly marked root partition, but we did find a single suitable
548 * generic Linux partition, then use this as root partition, if the caller asked for it. */
549 if (multiple_generic
)
552 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
555 .partno
= generic_nr
,
556 .architecture
= _ARCHITECTURE_INVALID
,
557 .node
= generic_node
,
558 .uuid
= generic_uuid
,
566 if (!m
->partitions
[PARTITION_ROOT_VERITY
].found
|| !m
->partitions
[PARTITION_ROOT
].found
)
567 return -EADDRNOTAVAIL
;
569 /* If we found the primary root with the hash, then we definitely want to suppress any secondary root
570 * (which would be weird, after all the root hash should only be assigned to one pair of
572 m
->partitions
[PARTITION_ROOT_SECONDARY
].found
= false;
573 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
= false;
575 /* If we found a verity setup, then the root partition is necessarily read-only. */
576 m
->partitions
[PARTITION_ROOT
].rw
= false;
584 /* Fill in file system types if we don't know them yet. */
585 for (i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
586 DissectedPartition
*p
= m
->partitions
+ i
;
591 if (!p
->fstype
&& p
->node
) {
592 r
= probe_filesystem(p
->node
, &p
->fstype
);
597 if (streq_ptr(p
->fstype
, "crypto_LUKS"))
610 DissectedImage
* dissected_image_unref(DissectedImage
*m
) {
616 for (i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
617 free(m
->partitions
[i
].fstype
);
618 free(m
->partitions
[i
].node
);
619 free(m
->partitions
[i
].decrypted_fstype
);
620 free(m
->partitions
[i
].decrypted_node
);
627 static int is_loop_device(const char *path
) {
628 char s
[strlen("/sys/dev/block/") + DECIMAL_STR_MAX(dev_t
) + 1 + DECIMAL_STR_MAX(dev_t
) + strlen("/../loop/")];
633 if (stat(path
, &st
) < 0)
636 if (!S_ISBLK(st
.st_mode
))
639 xsprintf(s
, "/sys/dev/block/%u:%u/loop/", major(st
.st_rdev
), minor(st
.st_rdev
));
640 if (access(s
, F_OK
) < 0) {
644 /* The device itself isn't a loop device, but maybe it's a partition and its parent is? */
645 xsprintf(s
, "/sys/dev/block/%u:%u/../loop/", major(st
.st_rdev
), minor(st
.st_rdev
));
646 if (access(s
, F_OK
) < 0)
647 return errno
== ENOENT
? false : -errno
;
653 static int mount_partition(
654 DissectedPartition
*m
,
656 const char *directory
,
657 DissectImageFlags flags
) {
659 const char *p
, *options
= NULL
, *node
, *fstype
;
665 node
= m
->decrypted_node
?: m
->node
;
666 fstype
= m
->decrypted_fstype
?: m
->fstype
;
668 if (!m
->found
|| !node
|| !fstype
)
671 /* Stacked encryption? Yuck */
672 if (streq_ptr(fstype
, "crypto_LUKS"))
675 rw
= m
->rw
&& !(flags
& DISSECT_IMAGE_READ_ONLY
);
678 p
= strjoina(where
, directory
);
682 /* If requested, turn on discard support. */
683 if (STR_IN_SET(fstype
, "btrfs", "ext4", "vfat", "xfs") &&
684 ((flags
& DISSECT_IMAGE_DISCARD
) ||
685 ((flags
& DISSECT_IMAGE_DISCARD_ON_LOOP
) && is_loop_device(m
->node
))))
688 return mount_verbose(LOG_DEBUG
, node
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), options
);
691 int dissected_image_mount(DissectedImage
*m
, const char *where
, DissectImageFlags flags
) {
697 if (!m
->partitions
[PARTITION_ROOT
].found
)
700 r
= mount_partition(m
->partitions
+ PARTITION_ROOT
, where
, NULL
, flags
);
704 r
= mount_partition(m
->partitions
+ PARTITION_HOME
, where
, "/home", flags
);
708 r
= mount_partition(m
->partitions
+ PARTITION_SRV
, where
, "/srv", flags
);
712 if (m
->partitions
[PARTITION_ESP
].found
) {
715 /* Mount the ESP to /efi if it exists and is empty. If it doesn't exist, use /boot instead. */
718 x
= strjoina(where
, mp
);
722 x
= strjoina(where
, mp
);
726 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, mp
, flags
);
735 #ifdef HAVE_LIBCRYPTSETUP
736 typedef struct DecryptedPartition
{
737 struct crypt_device
*device
;
740 } DecryptedPartition
;
742 struct DecryptedImage
{
743 DecryptedPartition
*decrypted
;
749 DecryptedImage
* decrypted_image_unref(DecryptedImage
* d
) {
750 #ifdef HAVE_LIBCRYPTSETUP
757 for (i
= 0; i
< d
->n_decrypted
; i
++) {
758 DecryptedPartition
*p
= d
->decrypted
+ i
;
760 if (p
->device
&& p
->name
&& !p
->relinquished
) {
761 r
= crypt_deactivate(p
->device
, p
->name
);
763 log_debug_errno(r
, "Failed to deactivate encrypted partition %s", p
->name
);
767 crypt_free(p
->device
);
776 #ifdef HAVE_LIBCRYPTSETUP
778 static int make_dm_name_and_node(const void *original_node
, const char *suffix
, char **ret_name
, char **ret_node
) {
779 _cleanup_free_
char *name
= NULL
, *node
= NULL
;
782 assert(original_node
);
787 base
= strrchr(original_node
, '/');
794 name
= strjoin(base
, suffix
);
797 if (!filename_is_valid(name
))
800 node
= strjoin(crypt_get_dir(), "/", name
);
811 static int decrypt_partition(
812 DissectedPartition
*m
,
813 const char *passphrase
,
814 DissectImageFlags flags
,
817 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
818 struct crypt_device
*cd
;
824 if (!m
->found
|| !m
->node
|| !m
->fstype
)
827 if (!streq(m
->fstype
, "crypto_LUKS"))
830 r
= make_dm_name_and_node(m
->node
, "-decrypted", &name
, &node
);
834 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_allocated
, d
->n_decrypted
+ 1))
837 r
= crypt_init(&cd
, m
->node
);
841 r
= crypt_load(cd
, CRYPT_LUKS1
, NULL
);
845 r
= crypt_activate_by_passphrase(cd
, name
, CRYPT_ANY_SLOT
, passphrase
, strlen(passphrase
),
846 ((flags
& DISSECT_IMAGE_READ_ONLY
) ? CRYPT_ACTIVATE_READONLY
: 0) |
847 ((flags
& DISSECT_IMAGE_DISCARD_ON_CRYPTO
) ? CRYPT_ACTIVATE_ALLOW_DISCARDS
: 0));
855 d
->decrypted
[d
->n_decrypted
].name
= name
;
858 d
->decrypted
[d
->n_decrypted
].device
= cd
;
861 m
->decrypted_node
= node
;
871 static int verity_partition(
872 DissectedPartition
*m
,
873 DissectedPartition
*v
,
874 const void *root_hash
,
875 size_t root_hash_size
,
876 DissectImageFlags flags
,
879 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
880 struct crypt_device
*cd
;
889 if (!m
->found
|| !m
->node
|| !m
->fstype
)
891 if (!v
->found
|| !v
->node
|| !v
->fstype
)
894 if (!streq(v
->fstype
, "DM_verity_hash"))
897 r
= make_dm_name_and_node(m
->node
, "-verity", &name
, &node
);
901 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_allocated
, d
->n_decrypted
+ 1))
904 r
= crypt_init(&cd
, v
->node
);
908 r
= crypt_load(cd
, CRYPT_VERITY
, NULL
);
912 r
= crypt_set_data_device(cd
, m
->node
);
916 r
= crypt_activate_by_volume_key(cd
, name
, root_hash
, root_hash_size
, CRYPT_ACTIVATE_READONLY
);
920 d
->decrypted
[d
->n_decrypted
].name
= name
;
923 d
->decrypted
[d
->n_decrypted
].device
= cd
;
926 m
->decrypted_node
= node
;
937 int dissected_image_decrypt(
939 const char *passphrase
,
940 const void *root_hash
,
941 size_t root_hash_size
,
942 DissectImageFlags flags
,
943 DecryptedImage
**ret
) {
945 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*d
= NULL
;
946 #ifdef HAVE_LIBCRYPTSETUP
952 assert(root_hash
|| root_hash_size
== 0);
956 * = 0 → There was nothing to decrypt
957 * > 0 → Decrypted successfully
958 * -ENOKEY → There's some to decrypt but no key was supplied
959 * -EKEYREJECTED → Passed key was not correct
962 if (root_hash
&& root_hash_size
< sizeof(sd_id128_t
))
965 if (!m
->encrypted
&& !m
->verity
) {
970 #ifdef HAVE_LIBCRYPTSETUP
971 if (m
->encrypted
&& !passphrase
)
974 d
= new0(DecryptedImage
, 1);
978 for (i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
979 DissectedPartition
*p
= m
->partitions
+ i
;
985 r
= decrypt_partition(p
, passphrase
, flags
, d
);
989 k
= PARTITION_VERITY_OF(i
);
991 r
= verity_partition(p
, m
->partitions
+ k
, root_hash
, root_hash_size
, flags
, d
);
996 if (!p
->decrypted_fstype
&& p
->decrypted_node
) {
997 r
= probe_filesystem(p
->decrypted_node
, &p
->decrypted_fstype
);
1012 int dissected_image_decrypt_interactively(
1014 const char *passphrase
,
1015 const void *root_hash
,
1016 size_t root_hash_size
,
1017 DissectImageFlags flags
,
1018 DecryptedImage
**ret
) {
1020 _cleanup_strv_free_erase_
char **z
= NULL
;
1027 r
= dissected_image_decrypt(m
, passphrase
, root_hash
, root_hash_size
, flags
, ret
);
1030 if (r
== -EKEYREJECTED
)
1031 log_error_errno(r
, "Incorrect passphrase, try again!");
1032 else if (r
!= -ENOKEY
) {
1033 log_error_errno(r
, "Failed to decrypt image: %m");
1038 log_error("Too many retries.");
1039 return -EKEYREJECTED
;
1044 r
= ask_password_auto("Please enter image passphrase!", NULL
, "dissect", "dissect", USEC_INFINITY
, 0, &z
);
1046 return log_error_errno(r
, "Failed to query for passphrase: %m");
1052 #ifdef HAVE_LIBCRYPTSETUP
1053 static int deferred_remove(DecryptedPartition
*p
) {
1055 struct dm_ioctl dm
= {
1059 DM_VERSION_PATCHLEVEL
1061 .data_size
= sizeof(dm
),
1062 .flags
= DM_DEFERRED_REMOVE
,
1065 _cleanup_close_
int fd
= -1;
1069 /* Unfortunately, libcryptsetup doesn't provide a proper API for this, hence call the ioctl() directly. */
1071 fd
= open("/dev/mapper/control", O_RDWR
|O_CLOEXEC
);
1075 strncpy(dm
.name
, p
->name
, sizeof(dm
.name
));
1077 if (ioctl(fd
, DM_DEV_REMOVE
, &dm
))
1084 int decrypted_image_relinquish(DecryptedImage
*d
) {
1086 #ifdef HAVE_LIBCRYPTSETUP
1093 /* Turns on automatic removal after the last use ended for all DM devices of this image, and sets a boolean so
1094 * that we don't clean it up ourselves either anymore */
1096 #ifdef HAVE_LIBCRYPTSETUP
1097 for (i
= 0; i
< d
->n_decrypted
; i
++) {
1098 DecryptedPartition
*p
= d
->decrypted
+ i
;
1100 if (p
->relinquished
)
1103 r
= deferred_remove(p
);
1105 return log_debug_errno(r
, "Failed to mark %s for auto-removal: %m", p
->name
);
1107 p
->relinquished
= true;
1114 static const char *const partition_designator_table
[] = {
1115 [PARTITION_ROOT
] = "root",
1116 [PARTITION_ROOT_SECONDARY
] = "root-secondary",
1117 [PARTITION_HOME
] = "home",
1118 [PARTITION_SRV
] = "srv",
1119 [PARTITION_ESP
] = "esp",
1120 [PARTITION_SWAP
] = "swap",
1121 [PARTITION_ROOT_VERITY
] = "root-verity",
1122 [PARTITION_ROOT_SECONDARY_VERITY
] = "root-secondary-verity",
1125 DEFINE_STRING_TABLE_LOOKUP(partition_designator
, int);