1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #if HAVE_VALGRIND_MEMCHECK_H
4 #include <valgrind/memcheck.h>
7 #include <linux/dm-ioctl.h>
8 #include <linux/loop.h>
10 #include <sys/prctl.h>
15 #include <openssl/err.h>
16 #include <openssl/pem.h>
17 #include <openssl/x509.h>
20 #include "sd-device.h"
23 #include "architecture.h"
24 #include "ask-password-api.h"
25 #include "blkid-util.h"
26 #include "blockdev-util.h"
27 #include "chase-symlinks.h"
28 #include "conf-files.h"
30 #include "cryptsetup-util.h"
32 #include "device-nodes.h"
33 #include "device-util.h"
34 #include "discover-image.h"
35 #include "dissect-image.h"
39 #include "extension-release.h"
43 #include "fsck-util.h"
45 #include "hexdecoct.h"
46 #include "hostname-setup.h"
47 #include "id128-util.h"
48 #include "import-util.h"
50 #include "mount-util.h"
51 #include "mountpoint-util.h"
52 #include "namespace-util.h"
53 #include "nulstr-util.h"
54 #include "openssl-util.h"
56 #include "path-util.h"
57 #include "process-util.h"
58 #include "raw-clone.h"
59 #include "resize-fs.h"
60 #include "signal-util.h"
61 #include "stat-util.h"
62 #include "stdio-util.h"
63 #include "string-table.h"
64 #include "string-util.h"
66 #include "tmpfile-util.h"
67 #include "udev-util.h"
68 #include "user-util.h"
69 #include "xattr-util.h"
71 /* how many times to wait for the device nodes to appear */
72 #define N_DEVICE_NODE_LIST_ATTEMPTS 10
74 int probe_filesystem(const char *node
, char **ret_fstype
) {
75 /* Try to find device content type and return it in *ret_fstype. If nothing is found,
76 * 0/NULL will be returned. -EUCLEAN will be returned for ambiguous results, and an
77 * different error otherwise. */
80 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
85 b
= blkid_new_probe_from_filename(node
);
87 return errno_or_else(ENOMEM
);
89 blkid_probe_enable_superblocks(b
, 1);
90 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
93 r
= blkid_do_safeprobe(b
);
95 log_debug("No type detected on partition %s", node
);
99 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
),
100 "Results ambiguous for partition %s", node
);
102 return errno_or_else(EIO
);
104 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
126 static int enumerator_for_parent(sd_device
*d
, sd_device_enumerator
**ret
) {
127 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
133 r
= sd_device_enumerator_new(&e
);
137 r
= sd_device_enumerator_add_match_subsystem(e
, "block", true);
141 r
= sd_device_enumerator_add_match_parent(e
, d
);
145 r
= sd_device_enumerator_add_match_sysattr(e
, "partition", NULL
, true);
153 static int device_is_partition(
155 sd_device
*expected_parent
,
156 blkid_partition pp
) {
158 const char *v
, *parent_syspath
, *expected_parent_syspath
;
159 blkid_loff_t bsize
, bstart
;
160 uint64_t size
, start
;
161 int partno
, bpartno
, r
;
165 assert(expected_parent
);
168 r
= sd_device_get_subsystem(d
, &v
);
171 if (!streq(v
, "block"))
174 if (sd_device_get_devtype(d
, &v
) < 0 || !streq(v
, "partition"))
177 r
= sd_device_get_parent(d
, &parent
);
179 return false; /* Doesn't have a parent? No relevant to us */
181 r
= sd_device_get_syspath(parent
, &parent_syspath
); /* Check parent of device of this action */
185 r
= sd_device_get_syspath(expected_parent
, &expected_parent_syspath
); /* Check parent of device we are looking for */
189 if (!path_equal(parent_syspath
, expected_parent_syspath
))
190 return false; /* Has a different parent than what we need, not interesting to us */
192 /* On kernel uevents we may find the partition number in the PARTN= field. Let's use that preferably,
193 * since it's cheaper and more importantly: the sysfs attribute "partition" appears to become
194 * available late, hence let's use the property instead, which is available at the moment we see the
196 r
= sd_device_get_property_value(d
, "PARTN", &v
);
198 r
= sd_device_get_sysattr_value(d
, "partition", &v
);
202 r
= safe_atoi(v
, &partno
);
207 bpartno
= blkid_partition_get_partno(pp
);
209 return errno_or_else(EIO
);
211 if (partno
!= bpartno
)
214 r
= sd_device_get_sysattr_value(d
, "start", &v
);
217 r
= safe_atou64(v
, &start
);
222 bstart
= blkid_partition_get_start(pp
);
224 return errno_or_else(EIO
);
226 if (start
!= (uint64_t) bstart
)
229 r
= sd_device_get_sysattr_value(d
, "size", &v
);
232 r
= safe_atou64(v
, &size
);
237 bsize
= blkid_partition_get_size(pp
);
239 return errno_or_else(EIO
);
241 if (size
!= (uint64_t) bsize
)
247 static int find_partition(
250 usec_t timestamp_not_before
,
251 DissectImageFlags flags
,
254 _cleanup_(sd_device_enumerator_unrefp
) sd_device_enumerator
*e
= NULL
;
262 r
= enumerator_for_parent(parent
, &e
);
266 FOREACH_DEVICE(e
, q
) {
269 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
270 r
= sd_device_get_usec_initialized(q
, &usec
);
271 if (r
== -EBUSY
) /* Not initialized yet */
276 if (timestamp_not_before
!= USEC_INFINITY
&&
277 usec
< timestamp_not_before
) /* udev database entry older than our attachment? Then it's not ours */
281 r
= device_is_partition(q
, parent
, pp
);
285 *ret
= sd_device_ref(q
);
294 sd_device
*parent_device
;
295 blkid_partition blkidp
;
298 uint64_t uevent_seqnum_not_before
;
299 usec_t timestamp_not_before
;
300 DissectImageFlags flags
;
303 static inline void wait_data_done(struct wait_data
*d
) {
304 sd_device_unref(d
->found
);
307 static int device_monitor_handler(sd_device_monitor
*monitor
, sd_device
*device
, void *userdata
) {
308 struct wait_data
*w
= userdata
;
313 if (device_for_action(device
, SD_DEVICE_REMOVE
))
316 if (w
->diskseq
!= 0) {
319 /* If w->diskseq is non-zero, then we must have a disk seqnum */
320 r
= sd_device_get_diskseq(device
, &diskseq
);
322 log_debug_errno(r
, "Dropping event because it has no diskseq, but waiting for %" PRIu64
, w
->diskseq
);
325 if (diskseq
< w
->diskseq
) {
326 log_debug("Dropping event because diskseq too old (%" PRIu64
" < %" PRIu64
")",
327 diskseq
, w
->diskseq
);
330 if (diskseq
> w
->diskseq
) {
332 goto finish
; /* Newer than what we were expecting, so we missed it, stop waiting */
334 } else if (w
->uevent_seqnum_not_before
!= UINT64_MAX
) {
337 r
= sd_device_get_seqnum(device
, &seqnum
);
341 if (seqnum
<= w
->uevent_seqnum_not_before
) { /* From an older use of this loop device */
342 log_debug("Dropping event because seqnum too old (%" PRIu64
" <= %" PRIu64
")",
343 seqnum
, w
->uevent_seqnum_not_before
);
348 r
= device_is_partition(device
, w
->parent_device
, w
->blkidp
);
351 if (r
== 0) /* Not the one we need */
354 /* It's the one we need! Yay! */
356 w
->found
= sd_device_ref(device
);
360 return sd_event_exit(sd_device_monitor_get_event(monitor
), r
);
363 static int timeout_handler(sd_event_source
*s
, uint64_t usec
, void *userdata
) {
364 struct wait_data
*w
= userdata
;
369 /* Why partition not appeared within the timeout? We may lost some uevent, as some properties
370 * were not ready when we received uevent... Not sure, but anyway, let's try to find the
371 * partition again before give up. */
373 r
= find_partition(w
->parent_device
, w
->blkidp
, w
->timestamp_not_before
, w
->flags
, &w
->found
);
375 return log_debug_errno(SYNTHETIC_ERRNO(ETIMEDOUT
),
376 "Partition still not appeared after timeout reached.");
378 return log_debug_errno(r
, "Failed to find partition: %m");
380 log_debug("Partition appeared after timeout reached.");
381 return sd_event_exit(sd_event_source_get_event(s
), 0);
384 static int retry_handler(sd_event_source
*s
, uint64_t usec
, void *userdata
) {
385 struct wait_data
*w
= userdata
;
390 r
= find_partition(w
->parent_device
, w
->blkidp
, w
->timestamp_not_before
, w
->flags
, &w
->found
);
393 return log_debug_errno(r
, "Failed to find partition: %m");
395 log_debug("Partition found by a periodic search.");
396 return sd_event_exit(sd_event_source_get_event(s
), 0);
399 r
= sd_event_source_set_time_relative(s
, 500 * USEC_PER_MSEC
);
403 return sd_event_source_set_enabled(s
, SD_EVENT_ONESHOT
);
406 static int wait_for_partition_device(
411 uint64_t uevent_seqnum_not_before
,
412 usec_t timestamp_not_before
,
413 DissectImageFlags flags
,
416 _cleanup_(sd_event_source_unrefp
) sd_event_source
*timeout_source
= NULL
, *retry_source
= NULL
;
417 _cleanup_(sd_device_monitor_unrefp
) sd_device_monitor
*monitor
= NULL
;
418 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
425 r
= find_partition(parent
, pp
, timestamp_not_before
, flags
, ret
);
429 r
= sd_event_new(&event
);
433 r
= sd_device_monitor_new(&monitor
);
437 r
= sd_device_monitor_filter_add_match_subsystem_devtype(monitor
, "block", "partition");
441 r
= sd_device_monitor_filter_add_match_parent(monitor
, parent
, true);
445 r
= sd_device_monitor_filter_add_match_sysattr(monitor
, "partition", NULL
, true);
449 r
= sd_device_monitor_attach_event(monitor
, event
);
453 _cleanup_(wait_data_done
) struct wait_data w
= {
454 .parent_device
= parent
,
457 .uevent_seqnum_not_before
= uevent_seqnum_not_before
,
458 .timestamp_not_before
= timestamp_not_before
,
462 r
= sd_device_monitor_start(monitor
, device_monitor_handler
, &w
);
466 /* Check again, the partition might have appeared in the meantime */
467 r
= find_partition(parent
, pp
, timestamp_not_before
, flags
, ret
);
471 if (deadline
!= USEC_INFINITY
) {
472 r
= sd_event_add_time(
473 event
, &timeout_source
,
474 CLOCK_MONOTONIC
, deadline
, 0,
475 timeout_handler
, &w
);
479 r
= sd_event_source_set_exit_on_failure(timeout_source
, true);
484 /* If we don't have a disk sequence number then we cannot do exact matching,
485 * and we cannot know if we missed it or if it has not been sent yet, so set
486 * up additional retries to increase the chances of receiving the event. */
488 r
= sd_event_add_time_relative(
489 event
, &retry_source
,
490 CLOCK_MONOTONIC
, 500 * USEC_PER_MSEC
, 0,
495 r
= sd_event_source_set_exit_on_failure(retry_source
, true);
500 r
= sd_event_loop(event
);
505 *ret
= TAKE_PTR(w
.found
);
509 static void check_partition_flags(
511 unsigned long long pflags
,
512 unsigned long long supported
) {
516 /* Mask away all flags supported by this partition's type and the three flags the UEFI spec defines generically */
517 pflags
&= ~(supported
| GPT_FLAG_REQUIRED_PARTITION
| GPT_FLAG_NO_BLOCK_IO_PROTOCOL
| GPT_FLAG_LEGACY_BIOS_BOOTABLE
);
522 /* If there are other bits set, then log about it, to make things discoverable */
523 for (unsigned i
= 0; i
< sizeof(pflags
) * 8; i
++) {
524 unsigned long long bit
= 1ULL << i
;
525 if (!FLAGS_SET(pflags
, bit
))
528 log_debug("Unexpected partition flag %llu set on %s!", bit
, node
);
532 static int device_wait_for_initialization_harder(
534 const char *subsystem
,
538 usec_t start
, left
, retrigger_timeout
;
541 start
= now(CLOCK_MONOTONIC
);
542 left
= usec_sub_unsigned(deadline
, start
);
545 const char *sn
= NULL
;
547 (void) sd_device_get_sysname(device
, &sn
);
548 log_device_debug(device
,
549 "Waiting for device '%s' to initialize for %s.", strna(sn
), FORMAT_TIMESPAN(left
, 0));
552 if (left
!= USEC_INFINITY
)
553 retrigger_timeout
= CLAMP(left
/ 4, 1 * USEC_PER_SEC
, 5 * USEC_PER_SEC
); /* A fourth of the total timeout, but let's clamp to 1s…5s range */
555 retrigger_timeout
= 2 * USEC_PER_SEC
;
558 usec_t local_deadline
, n
;
561 n
= now(CLOCK_MONOTONIC
);
564 /* Find next deadline, when we'll retrigger */
565 local_deadline
= start
+
566 DIV_ROUND_UP(n
- start
, retrigger_timeout
) * retrigger_timeout
;
568 if (deadline
!= USEC_INFINITY
&& deadline
<= local_deadline
) {
569 local_deadline
= deadline
;
574 r
= device_wait_for_initialization(device
, subsystem
, local_deadline
, ret
);
575 if (r
>= 0 && DEBUG_LOGGING
) {
576 const char *sn
= NULL
;
578 (void) sd_device_get_sysname(device
, &sn
);
579 log_device_debug(device
,
580 "Successfully waited for device '%s' to initialize for %s.",
582 FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
585 if (r
!= -ETIMEDOUT
|| last_try
)
589 log_device_debug(device
,
590 "Device didn't initialize within %s, assuming lost event. Retriggering device.",
591 FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC
), start
), 0));
593 r
= sd_device_trigger(device
, SD_DEVICE_CHANGE
);
600 #define DEVICE_TIMEOUT_USEC (45 * USEC_PER_SEC)
602 static void dissected_partition_done(DissectedPartition
*p
) {
608 free(p
->decrypted_fstype
);
609 free(p
->decrypted_node
);
610 free(p
->mount_options
);
612 *p
= (DissectedPartition
) {
620 const VeritySettings
*verity
,
621 const MountOptions
*mount_options
,
623 uint64_t uevent_seqnum_not_before
,
624 usec_t timestamp_not_before
,
625 DissectImageFlags flags
,
626 DissectedImage
**ret
) {
629 #ifdef GPT_ROOT_NATIVE
630 sd_id128_t root_uuid
= SD_ID128_NULL
, root_verity_uuid
= SD_ID128_NULL
;
632 #ifdef GPT_USR_NATIVE
633 sd_id128_t usr_uuid
= SD_ID128_NULL
, usr_verity_uuid
= SD_ID128_NULL
;
635 bool is_gpt
, is_mbr
, multiple_generic
= false,
636 generic_rw
= false, /* initialize to appease gcc */
637 generic_growfs
= false;
638 _cleanup_(sd_device_unrefp
) sd_device
*d
= NULL
;
639 _cleanup_(dissected_image_unrefp
) DissectedImage
*m
= NULL
;
640 _cleanup_(blkid_free_probep
) blkid_probe b
= NULL
;
641 _cleanup_free_
char *generic_node
= NULL
;
642 sd_id128_t generic_uuid
= SD_ID128_NULL
;
643 const char *pttype
= NULL
, *sysname
= NULL
;
645 int r
, generic_nr
= -1, n_partitions
;
651 assert(!verity
|| verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
652 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
653 assert(!verity
|| verity
->root_hash_sig
|| verity
->root_hash_sig_size
== 0);
654 assert(!verity
|| (verity
->root_hash
|| !verity
->root_hash_sig
));
655 assert(!((flags
& DISSECT_IMAGE_GPT_ONLY
) && (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)));
657 /* Probes a disk image, and returns information about what it found in *ret.
659 * Returns -ENOPKG if no suitable partition table or file system could be found.
660 * Returns -EADDRNOTAVAIL if a root hash was specified but no matching root/verity partitions found.
661 * Returns -ENXIO if we couldn't find any partition suitable as root or /usr partition
662 * Returns -ENOTUNIQ if we only found multiple generic partitions and thus don't know what to do with that */
664 if (verity
&& verity
->root_hash
) {
665 sd_id128_t fsuuid
, vuuid
;
667 /* If a root hash is supplied, then we use the root partition that has a UUID that match the
668 * first 128bit of the root hash. And we use the verity partition that has a UUID that match
669 * the final 128bit. */
671 if (verity
->root_hash_size
< sizeof(sd_id128_t
))
674 memcpy(&fsuuid
, verity
->root_hash
, sizeof(sd_id128_t
));
675 memcpy(&vuuid
, (const uint8_t*) verity
->root_hash
+ verity
->root_hash_size
- sizeof(sd_id128_t
), sizeof(sd_id128_t
));
677 if (sd_id128_is_null(fsuuid
))
679 if (sd_id128_is_null(vuuid
))
682 /* If the verity data declares it's for the /usr partition, then search for that, in all
683 * other cases assume it's for the root partition. */
684 #ifdef GPT_USR_NATIVE
685 if (verity
->designator
== PARTITION_USR
) {
687 usr_verity_uuid
= vuuid
;
690 #ifdef GPT_ROOT_NATIVE
692 root_verity_uuid
= vuuid
;
694 #ifdef GPT_USR_NATIVE
699 if (fstat(fd
, &st
) < 0)
702 if (!S_ISBLK(st
.st_mode
))
705 r
= sd_device_new_from_stat_rdev(&d
, &st
);
709 if (!FLAGS_SET(flags
, DISSECT_IMAGE_NO_UDEV
)) {
710 _cleanup_(sd_device_unrefp
) sd_device
*initialized
= NULL
;
712 /* If udev support is enabled, then let's wait for the device to be initialized before we doing anything. */
714 r
= device_wait_for_initialization_harder(
717 usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
),
723 d
= TAKE_PTR(initialized
);
726 b
= blkid_new_probe();
731 r
= blkid_probe_set_device(b
, fd
, 0, 0);
733 return errno_or_else(ENOMEM
);
735 if ((flags
& DISSECT_IMAGE_GPT_ONLY
) == 0) {
736 /* Look for file system superblocks, unless we only shall look for GPT partition tables */
737 blkid_probe_enable_superblocks(b
, 1);
738 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
|BLKID_SUBLKS_USAGE
);
741 blkid_probe_enable_partitions(b
, 1);
742 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
745 r
= blkid_do_safeprobe(b
);
746 if (IN_SET(r
, -2, 1))
747 return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG
), "Failed to identify any partition table.");
749 return errno_or_else(EIO
);
751 m
= new0(DissectedImage
, 1);
755 r
= sd_device_get_sysname(d
, &sysname
);
757 return log_debug_errno(r
, "Failed to get device sysname: %m");
758 if (startswith(sysname
, "loop")) {
759 _cleanup_free_
char *name_stripped
= NULL
;
760 const char *full_path
;
762 r
= sd_device_get_sysattr_value(d
, "loop/backing_file", &full_path
);
764 log_debug_errno(r
, "Failed to lookup image name via loop device backing file sysattr, ignoring: %m");
766 r
= raw_strip_suffixes(basename(full_path
), &name_stripped
);
771 free_and_replace(m
->image_name
, name_stripped
);
773 r
= free_and_strdup(&m
->image_name
, sysname
);
778 if (!image_name_is_valid(m
->image_name
)) {
779 log_debug("Image name %s is not valid, ignoring", strempty(m
->image_name
));
780 m
->image_name
= mfree(m
->image_name
);
783 if ((!(flags
& DISSECT_IMAGE_GPT_ONLY
) &&
784 (flags
& DISSECT_IMAGE_GENERIC_ROOT
)) ||
785 (flags
& DISSECT_IMAGE_NO_PARTITION_TABLE
)) {
786 const char *usage
= NULL
;
788 /* If flags permit this, also allow using non-partitioned single-filesystem images */
790 (void) blkid_probe_lookup_value(b
, "USAGE", &usage
, NULL
);
791 if (STRPTR_IN_SET(usage
, "filesystem", "crypto")) {
792 const char *fstype
= NULL
, *options
= NULL
, *devname
= NULL
;
793 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
;
795 /* OK, we have found a file system, that's our root partition then. */
796 (void) blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
);
804 r
= sd_device_get_devname(d
, &devname
);
812 m
->single_file_system
= true;
813 m
->encrypted
= streq_ptr(fstype
, "crypto_LUKS");
815 m
->has_verity
= verity
&& verity
->data_path
;
816 m
->verity_ready
= m
->has_verity
&&
818 (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
);
820 m
->has_verity_sig
= false; /* signature not embedded, must be specified */
821 m
->verity_sig_ready
= m
->verity_ready
&&
822 verity
->root_hash_sig
;
824 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
831 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
833 .rw
= !m
->verity_ready
&& !fstype_is_ro(fstype
),
835 .architecture
= _ARCHITECTURE_INVALID
,
836 .fstype
= TAKE_PTR(t
),
838 .mount_options
= TAKE_PTR(o
),
848 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
852 is_gpt
= streq_ptr(pttype
, "gpt");
853 is_mbr
= streq_ptr(pttype
, "dos");
855 if (!is_gpt
&& ((flags
& DISSECT_IMAGE_GPT_ONLY
) || !is_mbr
))
858 /* We support external verity data partitions only if the image has no partition table */
859 if (verity
&& verity
->data_path
)
862 /* Safety check: refuse block devices that carry a partition table but for which the kernel doesn't
863 * do partition scanning. */
864 r
= blockdev_partscan_enabled(fd
);
868 return -EPROTONOSUPPORT
;
871 pl
= blkid_probe_get_partitions(b
);
873 return errno_or_else(ENOMEM
);
876 n_partitions
= blkid_partlist_numof_partitions(pl
);
877 if (n_partitions
< 0)
878 return errno_or_else(EIO
);
880 deadline
= usec_add(now(CLOCK_MONOTONIC
), DEVICE_TIMEOUT_USEC
);
881 for (int i
= 0; i
< n_partitions
; i
++) {
882 _cleanup_(sd_device_unrefp
) sd_device
*q
= NULL
;
883 unsigned long long pflags
;
884 blkid_loff_t start
, size
;
890 pp
= blkid_partlist_get_partition(pl
, i
);
892 return errno_or_else(EIO
);
894 r
= wait_for_partition_device(d
, pp
, deadline
, diskseq
, uevent_seqnum_not_before
, timestamp_not_before
, flags
, &q
);
898 r
= sd_device_get_devname(q
, &node
);
902 pflags
= blkid_partition_get_flags(pp
);
905 nr
= blkid_partition_get_partno(pp
);
907 return errno_or_else(EIO
);
910 start
= blkid_partition_get_start(pp
);
912 return errno_or_else(EIO
);
914 assert((uint64_t) start
< UINT64_MAX
/512);
917 size
= blkid_partition_get_size(pp
);
919 return errno_or_else(EIO
);
921 assert((uint64_t) size
< UINT64_MAX
/512);
924 PartitionDesignator designator
= _PARTITION_DESIGNATOR_INVALID
;
925 int architecture
= _ARCHITECTURE_INVALID
;
926 const char *stype
, *sid
, *fstype
= NULL
, *label
;
927 sd_id128_t type_id
, id
;
928 bool rw
= true, growfs
= false;
930 sid
= blkid_partition_get_uuid(pp
);
933 if (sd_id128_from_string(sid
, &id
) < 0)
936 stype
= blkid_partition_get_type_string(pp
);
939 if (sd_id128_from_string(stype
, &type_id
) < 0)
942 label
= blkid_partition_get_name(pp
); /* libblkid returns NULL here if empty */
944 if (sd_id128_equal(type_id
, GPT_HOME
)) {
946 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
948 if (pflags
& GPT_FLAG_NO_AUTO
)
951 designator
= PARTITION_HOME
;
952 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
953 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
955 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
957 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
959 if (pflags
& GPT_FLAG_NO_AUTO
)
962 designator
= PARTITION_SRV
;
963 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
964 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
966 } else if (sd_id128_equal(type_id
, GPT_ESP
)) {
968 /* Note that we don't check the GPT_FLAG_NO_AUTO flag for the ESP, as it is
969 * not defined there. We instead check the GPT_FLAG_NO_BLOCK_IO_PROTOCOL, as
970 * recommended by the UEFI spec (See "12.3.3 Number and Location of System
973 if (pflags
& GPT_FLAG_NO_BLOCK_IO_PROTOCOL
)
976 designator
= PARTITION_ESP
;
979 } else if (sd_id128_equal(type_id
, GPT_XBOOTLDR
)) {
981 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
983 if (pflags
& GPT_FLAG_NO_AUTO
)
986 designator
= PARTITION_XBOOTLDR
;
987 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
988 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
990 #ifdef GPT_ROOT_NATIVE
991 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
993 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
995 if (pflags
& GPT_FLAG_NO_AUTO
)
998 /* If a root ID is specified, ignore everything but the root id */
999 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
1002 designator
= PARTITION_ROOT
;
1003 architecture
= native_architecture();
1004 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1005 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1007 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY
)) {
1009 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1011 if (pflags
& GPT_FLAG_NO_AUTO
)
1014 m
->has_verity
= true;
1016 /* If no verity configuration is specified, then don't do verity */
1019 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1022 /* If root hash is specified, then ignore everything but the root id */
1023 if (!sd_id128_is_null(root_verity_uuid
) && !sd_id128_equal(root_verity_uuid
, id
))
1026 designator
= PARTITION_ROOT_VERITY
;
1027 fstype
= "DM_verity_hash";
1028 architecture
= native_architecture();
1031 } else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE_VERITY_SIG
)) {
1033 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1035 if (pflags
& GPT_FLAG_NO_AUTO
)
1038 m
->has_verity_sig
= true;
1040 /* If root hash is specified explicitly, then ignore any embedded signature */
1043 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1045 if (verity
->root_hash
)
1048 designator
= PARTITION_ROOT_VERITY_SIG
;
1049 fstype
= "verity_hash_signature";
1050 architecture
= native_architecture();
1054 #ifdef GPT_ROOT_SECONDARY
1055 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
1057 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1059 if (pflags
& GPT_FLAG_NO_AUTO
)
1062 /* If a root ID is specified, ignore everything but the root id */
1063 if (!sd_id128_is_null(root_uuid
) && !sd_id128_equal(root_uuid
, id
))
1066 designator
= PARTITION_ROOT_SECONDARY
;
1067 architecture
= SECONDARY_ARCHITECTURE
;
1068 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1069 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1071 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY
)) {
1073 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1075 if (pflags
& GPT_FLAG_NO_AUTO
)
1078 m
->has_verity
= true;
1080 /* Don't do verity if no verity config is passed in */
1083 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1086 /* If root hash is specified, then ignore everything but the root id */
1087 if (!sd_id128_is_null(root_verity_uuid
) && !sd_id128_equal(root_verity_uuid
, id
))
1090 designator
= PARTITION_ROOT_SECONDARY_VERITY
;
1091 fstype
= "DM_verity_hash";
1092 architecture
= SECONDARY_ARCHITECTURE
;
1095 } else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY_VERITY_SIG
)) {
1097 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1099 if (pflags
& GPT_FLAG_NO_AUTO
)
1102 m
->has_verity_sig
= true;
1104 /* If root hash is specified explicitly, then ignore any embedded signature */
1107 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_ROOT
)
1109 if (verity
->root_hash
)
1112 designator
= PARTITION_ROOT_SECONDARY_VERITY_SIG
;
1113 fstype
= "verity_hash_signature";
1114 architecture
= native_architecture();
1118 #ifdef GPT_USR_NATIVE
1119 else if (sd_id128_equal(type_id
, GPT_USR_NATIVE
)) {
1121 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1123 if (pflags
& GPT_FLAG_NO_AUTO
)
1126 /* If a usr ID is specified, ignore everything but the usr id */
1127 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
1130 designator
= PARTITION_USR
;
1131 architecture
= native_architecture();
1132 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1133 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1135 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY
)) {
1137 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1139 if (pflags
& GPT_FLAG_NO_AUTO
)
1142 m
->has_verity
= true;
1146 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1149 /* If usr hash is specified, then ignore everything but the usr id */
1150 if (!sd_id128_is_null(usr_verity_uuid
) && !sd_id128_equal(usr_verity_uuid
, id
))
1153 designator
= PARTITION_USR_VERITY
;
1154 fstype
= "DM_verity_hash";
1155 architecture
= native_architecture();
1158 } else if (sd_id128_equal(type_id
, GPT_USR_NATIVE_VERITY_SIG
)) {
1160 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1162 if (pflags
& GPT_FLAG_NO_AUTO
)
1165 m
->has_verity_sig
= true;
1167 /* If usr hash is specified explicitly, then ignore any embedded signature */
1170 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1172 if (verity
->root_hash
)
1175 designator
= PARTITION_USR_VERITY_SIG
;
1176 fstype
= "verity_hash_signature";
1177 architecture
= native_architecture();
1181 #ifdef GPT_USR_SECONDARY
1182 else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY
)) {
1184 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1186 if (pflags
& GPT_FLAG_NO_AUTO
)
1189 /* If a usr ID is specified, ignore everything but the usr id */
1190 if (!sd_id128_is_null(usr_uuid
) && !sd_id128_equal(usr_uuid
, id
))
1193 designator
= PARTITION_USR_SECONDARY
;
1194 architecture
= SECONDARY_ARCHITECTURE
;
1195 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1196 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1198 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY
)) {
1200 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1202 if (pflags
& GPT_FLAG_NO_AUTO
)
1205 m
->has_verity
= true;
1209 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1212 /* If usr hash is specified, then ignore everything but the root id */
1213 if (!sd_id128_is_null(usr_verity_uuid
) && !sd_id128_equal(usr_verity_uuid
, id
))
1216 designator
= PARTITION_USR_SECONDARY_VERITY
;
1217 fstype
= "DM_verity_hash";
1218 architecture
= SECONDARY_ARCHITECTURE
;
1221 } else if (sd_id128_equal(type_id
, GPT_USR_SECONDARY_VERITY_SIG
)) {
1223 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
);
1225 if (pflags
& GPT_FLAG_NO_AUTO
)
1228 m
->has_verity_sig
= true;
1230 /* If usr hash is specified explicitly, then ignore any embedded signature */
1233 if (verity
->designator
>= 0 && verity
->designator
!= PARTITION_USR
)
1235 if (verity
->root_hash
)
1238 designator
= PARTITION_USR_SECONDARY_VERITY_SIG
;
1239 fstype
= "verity_hash_signature";
1240 architecture
= native_architecture();
1244 else if (sd_id128_equal(type_id
, GPT_SWAP
)) {
1246 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
);
1248 if (pflags
& GPT_FLAG_NO_AUTO
)
1251 designator
= PARTITION_SWAP
;
1253 } else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
1255 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1257 if (pflags
& GPT_FLAG_NO_AUTO
)
1261 multiple_generic
= true;
1264 generic_rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1265 generic_growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1267 generic_node
= strdup(node
);
1272 } else if (sd_id128_equal(type_id
, GPT_TMP
)) {
1274 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1276 if (pflags
& GPT_FLAG_NO_AUTO
)
1279 designator
= PARTITION_TMP
;
1280 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1281 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1283 } else if (sd_id128_equal(type_id
, GPT_VAR
)) {
1285 check_partition_flags(node
, pflags
, GPT_FLAG_NO_AUTO
|GPT_FLAG_READ_ONLY
|GPT_FLAG_GROWFS
);
1287 if (pflags
& GPT_FLAG_NO_AUTO
)
1290 if (!FLAGS_SET(flags
, DISSECT_IMAGE_RELAX_VAR_CHECK
)) {
1291 sd_id128_t var_uuid
;
1293 /* For /var we insist that the uuid of the partition matches the
1294 * HMAC-SHA256 of the /var GPT partition type uuid, keyed by machine
1295 * ID. Why? Unlike the other partitions /var is inherently
1296 * installation specific, hence we need to be careful not to mount it
1297 * in the wrong installation. By hashing the partition UUID from
1298 * /etc/machine-id we can securely bind the partition to the
1301 r
= sd_id128_get_machine_app_specific(GPT_VAR
, &var_uuid
);
1305 if (!sd_id128_equal(var_uuid
, id
)) {
1306 log_debug("Found a /var/ partition, but its UUID didn't match our expectations, ignoring.");
1311 designator
= PARTITION_VAR
;
1312 rw
= !(pflags
& GPT_FLAG_READ_ONLY
);
1313 growfs
= FLAGS_SET(pflags
, GPT_FLAG_GROWFS
);
1316 if (designator
!= _PARTITION_DESIGNATOR_INVALID
) {
1317 _cleanup_free_
char *t
= NULL
, *n
= NULL
, *o
= NULL
, *l
= NULL
;
1318 const char *options
= NULL
;
1320 if (m
->partitions
[designator
].found
) {
1321 /* For most partition types the first one we see wins. Except for the
1322 * rootfs and /usr, where we do a version compare of the label, and
1323 * let the newest version win. This permits a simple A/B versioning
1324 * scheme in OS images. */
1326 if (!PARTITION_DESIGNATOR_VERSIONED(designator
) ||
1327 strverscmp_improved(m
->partitions
[designator
].label
, label
) >= 0)
1330 dissected_partition_done(m
->partitions
+ designator
);
1349 options
= mount_options_from_designator(mount_options
, designator
);
1351 o
= strdup(options
);
1356 m
->partitions
[designator
] = (DissectedPartition
) {
1361 .architecture
= architecture
,
1362 .node
= TAKE_PTR(n
),
1363 .fstype
= TAKE_PTR(t
),
1364 .label
= TAKE_PTR(l
),
1366 .mount_options
= TAKE_PTR(o
),
1367 .offset
= (uint64_t) start
* 512,
1368 .size
= (uint64_t) size
* 512,
1372 } else if (is_mbr
) {
1374 switch (blkid_partition_get_type(pp
)) {
1376 case 0x83: /* Linux partition */
1378 if (pflags
!= 0x80) /* Bootable flag */
1382 multiple_generic
= true;
1386 generic_growfs
= false;
1387 generic_node
= strdup(node
);
1394 case 0xEA: { /* Boot Loader Spec extended $BOOT partition */
1395 _cleanup_free_
char *n
= NULL
, *o
= NULL
;
1396 sd_id128_t id
= SD_ID128_NULL
;
1397 const char *sid
, *options
= NULL
;
1399 /* First one wins */
1400 if (m
->partitions
[PARTITION_XBOOTLDR
].found
)
1403 sid
= blkid_partition_get_uuid(pp
);
1405 (void) sd_id128_from_string(sid
, &id
);
1411 options
= mount_options_from_designator(mount_options
, PARTITION_XBOOTLDR
);
1413 o
= strdup(options
);
1418 m
->partitions
[PARTITION_XBOOTLDR
] = (DissectedPartition
) {
1423 .architecture
= _ARCHITECTURE_INVALID
,
1424 .node
= TAKE_PTR(n
),
1426 .mount_options
= TAKE_PTR(o
),
1427 .offset
= (uint64_t) start
* 512,
1428 .size
= (uint64_t) size
* 512,
1436 if (m
->partitions
[PARTITION_ROOT
].found
) {
1437 /* If we found the primary arch, then invalidate the secondary arch to avoid any ambiguities,
1438 * since we never want to mount the secondary arch in this case. */
1439 m
->partitions
[PARTITION_ROOT_SECONDARY
].found
= false;
1440 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
= false;
1441 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
].found
= false;
1442 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1443 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1444 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
= false;
1446 } else if (m
->partitions
[PARTITION_ROOT_VERITY
].found
||
1447 m
->partitions
[PARTITION_ROOT_VERITY_SIG
].found
)
1448 return -EADDRNOTAVAIL
; /* Verity found but no matching rootfs? Something is off, refuse. */
1450 else if (m
->partitions
[PARTITION_ROOT_SECONDARY
].found
) {
1452 /* No root partition found but there's one for the secondary architecture? Then upgrade
1453 * secondary arch to first */
1455 m
->partitions
[PARTITION_ROOT
] = m
->partitions
[PARTITION_ROOT_SECONDARY
];
1456 zero(m
->partitions
[PARTITION_ROOT_SECONDARY
]);
1457 m
->partitions
[PARTITION_ROOT_VERITY
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
];
1458 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
]);
1459 m
->partitions
[PARTITION_ROOT_VERITY_SIG
] = m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
];
1460 zero(m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
]);
1462 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1463 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1464 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1465 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1466 m
->partitions
[PARTITION_USR_VERITY_SIG
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
];
1467 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
]);
1469 } else if (m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY
].found
||
1470 m
->partitions
[PARTITION_ROOT_SECONDARY_VERITY_SIG
].found
)
1471 return -EADDRNOTAVAIL
; /* as above */
1473 /* Hmm, we found a signature partition but no Verity data? Something is off. */
1474 if (m
->partitions
[PARTITION_ROOT_VERITY_SIG
].found
&& !m
->partitions
[PARTITION_ROOT_VERITY
].found
)
1475 return -EADDRNOTAVAIL
;
1477 if (m
->partitions
[PARTITION_USR
].found
) {
1478 /* Invalidate secondary arch /usr/ if we found the primary arch */
1479 m
->partitions
[PARTITION_USR_SECONDARY
].found
= false;
1480 m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
= false;
1481 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
= false;
1483 } else if (m
->partitions
[PARTITION_USR_VERITY
].found
||
1484 m
->partitions
[PARTITION_USR_VERITY_SIG
].found
)
1485 return -EADDRNOTAVAIL
; /* as above */
1487 else if (m
->partitions
[PARTITION_USR_SECONDARY
].found
) {
1489 /* Upgrade secondary arch to primary */
1490 m
->partitions
[PARTITION_USR
] = m
->partitions
[PARTITION_USR_SECONDARY
];
1491 zero(m
->partitions
[PARTITION_USR_SECONDARY
]);
1492 m
->partitions
[PARTITION_USR_VERITY
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY
];
1493 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY
]);
1494 m
->partitions
[PARTITION_USR_VERITY_SIG
] = m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
];
1495 zero(m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
]);
1497 } else if (m
->partitions
[PARTITION_USR_SECONDARY_VERITY
].found
||
1498 m
->partitions
[PARTITION_USR_SECONDARY_VERITY_SIG
].found
)
1499 return -EADDRNOTAVAIL
; /* as above */
1501 /* Hmm, we found a signature partition but no Verity data? Something is off. */
1502 if (m
->partitions
[PARTITION_USR_VERITY_SIG
].found
&& !m
->partitions
[PARTITION_USR_VERITY
].found
)
1503 return -EADDRNOTAVAIL
;
1505 /* If root and /usr are combined then insist that the architecture matches */
1506 if (m
->partitions
[PARTITION_ROOT
].found
&&
1507 m
->partitions
[PARTITION_USR
].found
&&
1508 (m
->partitions
[PARTITION_ROOT
].architecture
>= 0 &&
1509 m
->partitions
[PARTITION_USR
].architecture
>= 0 &&
1510 m
->partitions
[PARTITION_ROOT
].architecture
!= m
->partitions
[PARTITION_USR
].architecture
))
1511 return -EADDRNOTAVAIL
;
1513 if (!m
->partitions
[PARTITION_ROOT
].found
&&
1514 !m
->partitions
[PARTITION_USR
].found
&&
1515 (flags
& DISSECT_IMAGE_GENERIC_ROOT
) &&
1516 (!verity
|| !verity
->root_hash
|| verity
->designator
!= PARTITION_USR
)) {
1518 /* OK, we found nothing usable, then check if there's a single generic one distro, and use
1519 * that. If the root hash was set however, then we won't fall back to a generic node, because
1520 * the root hash decides. */
1522 /* If we didn't find a properly marked root partition, but we did find a single suitable
1523 * generic Linux partition, then use this as root partition, if the caller asked for it. */
1524 if (multiple_generic
)
1527 /* If we didn't find a generic node, then we can't fix this up either */
1529 _cleanup_free_
char *o
= NULL
;
1530 const char *options
;
1532 options
= mount_options_from_designator(mount_options
, PARTITION_ROOT
);
1534 o
= strdup(options
);
1539 assert(generic_nr
>= 0);
1540 m
->partitions
[PARTITION_ROOT
] = (DissectedPartition
) {
1543 .growfs
= generic_growfs
,
1544 .partno
= generic_nr
,
1545 .architecture
= _ARCHITECTURE_INVALID
,
1546 .node
= TAKE_PTR(generic_node
),
1547 .uuid
= generic_uuid
,
1548 .mount_options
= TAKE_PTR(o
),
1549 .offset
= UINT64_MAX
,
1555 /* Check if we have a root fs if we are told to do check. /usr alone is fine too, but only if appropriate flag for that is set too */
1556 if (FLAGS_SET(flags
, DISSECT_IMAGE_REQUIRE_ROOT
) &&
1557 !(m
->partitions
[PARTITION_ROOT
].found
|| (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1560 if (m
->partitions
[PARTITION_ROOT_VERITY
].found
) {
1561 /* We only support one verity partition per image, i.e. can't do for both /usr and root fs */
1562 if (m
->partitions
[PARTITION_USR_VERITY
].found
)
1565 /* We don't support verity enabled root with a split out /usr. Neither with nor without
1566 * verity there. (Note that we do support verity-less root with verity-full /usr, though.) */
1567 if (m
->partitions
[PARTITION_USR
].found
)
1568 return -EADDRNOTAVAIL
;
1572 /* If a verity designator is specified, then insist that the matching partition exists */
1573 if (verity
->designator
>= 0 && !m
->partitions
[verity
->designator
].found
)
1574 return -EADDRNOTAVAIL
;
1576 if (verity
->root_hash
) {
1577 /* If we have an explicit root hash and found the partitions for it, then we are ready to use
1578 * Verity, set things up for it */
1580 if (verity
->designator
< 0 || verity
->designator
== PARTITION_ROOT
) {
1581 if (!m
->partitions
[PARTITION_ROOT_VERITY
].found
|| !m
->partitions
[PARTITION_ROOT
].found
)
1582 return -EADDRNOTAVAIL
;
1584 /* If we found a verity setup, then the root partition is necessarily read-only. */
1585 m
->partitions
[PARTITION_ROOT
].rw
= false;
1586 m
->verity_ready
= true;
1589 assert(verity
->designator
== PARTITION_USR
);
1591 if (!m
->partitions
[PARTITION_USR_VERITY
].found
|| !m
->partitions
[PARTITION_USR
].found
)
1592 return -EADDRNOTAVAIL
;
1594 m
->partitions
[PARTITION_USR
].rw
= false;
1595 m
->verity_ready
= true;
1598 if (m
->verity_ready
)
1599 m
->verity_sig_ready
= !!verity
->root_hash_sig
;
1601 } else if (m
->partitions
[verity
->designator
== PARTITION_USR
? PARTITION_USR_VERITY_SIG
: PARTITION_ROOT_VERITY_SIG
].found
) {
1603 /* If we found an embedded signature partition, we are ready, too. */
1605 m
->verity_ready
= m
->verity_sig_ready
= true;
1606 m
->partitions
[verity
->designator
== PARTITION_USR
? PARTITION_USR
: PARTITION_ROOT
].rw
= false;
1610 blkid_free_probe(b
);
1613 /* Fill in file system types if we don't know them yet. */
1614 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
1615 DissectedPartition
*p
= m
->partitions
+ i
;
1620 if (!p
->fstype
&& p
->node
) {
1621 r
= probe_filesystem(p
->node
, &p
->fstype
);
1622 if (r
< 0 && r
!= -EUCLEAN
)
1626 if (streq_ptr(p
->fstype
, "crypto_LUKS"))
1627 m
->encrypted
= true;
1629 if (p
->fstype
&& fstype_is_ro(p
->fstype
))
1643 DissectedImage
* dissected_image_unref(DissectedImage
*m
) {
1647 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++)
1648 dissected_partition_done(m
->partitions
+ i
);
1650 free(m
->image_name
);
1652 strv_free(m
->machine_info
);
1653 strv_free(m
->os_release
);
1654 strv_free(m
->extension_release
);
1659 static int is_loop_device(const char *path
) {
1660 char s
[SYS_BLOCK_PATH_MAX("/../loop/")];
1665 if (stat(path
, &st
) < 0)
1668 if (!S_ISBLK(st
.st_mode
))
1671 xsprintf_sys_block_path(s
, "/loop/", st
.st_dev
);
1672 if (access(s
, F_OK
) < 0) {
1673 if (errno
!= ENOENT
)
1676 /* The device itself isn't a loop device, but maybe it's a partition and its parent is? */
1677 xsprintf_sys_block_path(s
, "/../loop/", st
.st_dev
);
1678 if (access(s
, F_OK
) < 0)
1679 return errno
== ENOENT
? false : -errno
;
1685 static int run_fsck(const char *node
, const char *fstype
) {
1692 r
= fsck_exists(fstype
);
1694 log_debug_errno(r
, "Couldn't determine whether fsck for %s exists, proceeding anyway.", fstype
);
1698 log_debug("Not checking partition %s, as fsck for %s does not exist.", node
, fstype
);
1702 r
= safe_fork("(fsck)", FORK_RESET_SIGNALS
|FORK_CLOSE_ALL_FDS
|FORK_RLIMIT_NOFILE_SAFE
|FORK_DEATHSIG
|FORK_NULL_STDIO
, &pid
);
1704 return log_debug_errno(r
, "Failed to fork off fsck: %m");
1707 execl("/sbin/fsck", "/sbin/fsck", "-aT", node
, NULL
);
1709 log_debug_errno(errno
, "Failed to execl() fsck: %m");
1710 _exit(FSCK_OPERATIONAL_ERROR
);
1713 exit_status
= wait_for_terminate_and_check("fsck", pid
, 0);
1714 if (exit_status
< 0)
1715 return log_debug_errno(exit_status
, "Failed to fork off /sbin/fsck: %m");
1717 if ((exit_status
& ~FSCK_ERROR_CORRECTED
) != FSCK_SUCCESS
) {
1718 log_debug("fsck failed with exit status %i.", exit_status
);
1720 if ((exit_status
& (FSCK_SYSTEM_SHOULD_REBOOT
|FSCK_ERRORS_LEFT_UNCORRECTED
)) != 0)
1721 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
), "File system is corrupted, refusing.");
1723 log_debug("Ignoring fsck error.");
1729 static int fs_grow(const char *node_path
, const char *mount_path
) {
1730 _cleanup_close_
int mount_fd
= -1, node_fd
= -1;
1731 uint64_t size
, newsize
;
1734 node_fd
= open(node_path
, O_RDONLY
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
1736 return log_debug_errno(errno
, "Failed to open node device %s: %m", node_path
);
1738 if (ioctl(node_fd
, BLKGETSIZE64
, &size
) != 0)
1739 return log_debug_errno(errno
, "Failed to get block device size of %s: %m", node_path
);
1741 mount_fd
= open(mount_path
, O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
1743 return log_debug_errno(errno
, "Failed to open mountd file system %s: %m", mount_path
);
1745 log_debug("Resizing \"%s\" to %"PRIu64
" bytes...", mount_path
, size
);
1746 r
= resize_fs(mount_fd
, size
, &newsize
);
1748 return log_debug_errno(r
, "Failed to resize \"%s\" to %"PRIu64
" bytes: %m", mount_path
, size
);
1750 if (newsize
== size
)
1751 log_debug("Successfully resized \"%s\" to %s bytes.",
1752 mount_path
, FORMAT_BYTES(newsize
));
1754 assert(newsize
< size
);
1755 log_debug("Successfully resized \"%s\" to %s bytes (%"PRIu64
" bytes lost due to blocksize).",
1756 mount_path
, FORMAT_BYTES(newsize
), size
- newsize
);
1762 static int mount_partition(
1763 DissectedPartition
*m
,
1765 const char *directory
,
1768 DissectImageFlags flags
) {
1770 _cleanup_free_
char *chased
= NULL
, *options
= NULL
;
1771 const char *p
, *node
, *fstype
;
1772 bool rw
, remap_uid_gid
= false;
1778 /* Use decrypted node and matching fstype if available, otherwise use the original device */
1779 node
= m
->decrypted_node
?: m
->node
;
1780 fstype
= m
->decrypted_node
? m
->decrypted_fstype
: m
->fstype
;
1782 if (!m
->found
|| !node
)
1785 return -EAFNOSUPPORT
;
1787 /* We are looking at an encrypted partition? This either means stacked encryption, or the caller didn't call dissected_image_decrypt() beforehand. Let's return a recognizable error for this case. */
1788 if (streq(fstype
, "crypto_LUKS"))
1791 rw
= m
->rw
&& !(flags
& DISSECT_IMAGE_MOUNT_READ_ONLY
);
1793 if (FLAGS_SET(flags
, DISSECT_IMAGE_FSCK
) && rw
) {
1794 r
= run_fsck(node
, fstype
);
1800 /* Automatically create missing mount points inside the image, if necessary. */
1801 r
= mkdir_p_root(where
, directory
, uid_shift
, (gid_t
) uid_shift
, 0755);
1802 if (r
< 0 && r
!= -EROFS
)
1805 r
= chase_symlinks(directory
, where
, CHASE_PREFIX_ROOT
, &chased
, NULL
);
1811 /* Create top-level mount if missing – but only if this is asked for. This won't modify the
1812 * image (as the branch above does) but the host hierarchy, and the created directory might
1813 * survive our mount in the host hierarchy hence. */
1814 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1815 r
= mkdir_p(where
, 0755);
1823 /* If requested, turn on discard support. */
1824 if (fstype_can_discard(fstype
) &&
1825 ((flags
& DISSECT_IMAGE_DISCARD
) ||
1826 ((flags
& DISSECT_IMAGE_DISCARD_ON_LOOP
) && is_loop_device(m
->node
) > 0))) {
1827 options
= strdup("discard");
1832 if (uid_is_valid(uid_shift
) && uid_shift
!= 0) {
1834 if (fstype_can_uid_gid(fstype
)) {
1835 _cleanup_free_
char *uid_option
= NULL
;
1837 if (asprintf(&uid_option
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1840 if (!strextend_with_separator(&options
, ",", uid_option
))
1842 } else if (FLAGS_SET(flags
, DISSECT_IMAGE_MOUNT_IDMAPPED
))
1843 remap_uid_gid
= true;
1846 if (!isempty(m
->mount_options
))
1847 if (!strextend_with_separator(&options
, ",", m
->mount_options
))
1850 /* So, when you request MS_RDONLY from ext4, then this means nothing. It happily still writes to the
1851 * backing storage. What's worse, the BLKRO[GS]ET flag and (in case of loopback devices)
1852 * LO_FLAGS_READ_ONLY don't mean anything, they affect userspace accesses only, and write accesses
1853 * from the upper file system still get propagated through to the underlying file system,
1854 * unrestricted. To actually get ext4/xfs/btrfs to stop writing to the device we need to specify
1855 * "norecovery" as mount option, in addition to MS_RDONLY. Yes, this sucks, since it means we need to
1856 * carry a per file system table here.
1858 * Note that this means that we might not be able to mount corrupted file systems as read-only
1859 * anymore (since in some cases the kernel implementations will refuse mounting when corrupted,
1860 * read-only and "norecovery" is specified). But I think for the case of automatically determined
1861 * mount options for loopback devices this is the right choice, since otherwise using the same
1862 * loopback file twice even in read-only mode, is going to fail badly sooner or later. The usecase of
1863 * making reuse of the immutable images "just work" is more relevant to us than having read-only
1864 * access that actually modifies stuff work on such image files. Or to say this differently: if
1865 * people want their file systems to be fixed up they should just open them in writable mode, where
1866 * all these problems don't exist. */
1867 if (!rw
&& STRPTR_IN_SET(fstype
, "ext3", "ext4", "xfs", "btrfs"))
1868 if (!strextend_with_separator(&options
, ",", "norecovery"))
1871 r
= mount_nofollow_verbose(LOG_DEBUG
, node
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), options
);
1875 if (rw
&& m
->growfs
&& FLAGS_SET(flags
, DISSECT_IMAGE_GROWFS
))
1876 (void) fs_grow(node
, p
);
1878 if (remap_uid_gid
) {
1879 r
= remount_idmap(p
, uid_shift
, uid_range
);
1887 static int mount_root_tmpfs(const char *where
, uid_t uid_shift
, DissectImageFlags flags
) {
1888 _cleanup_free_
char *options
= NULL
;
1893 /* For images that contain /usr/ but no rootfs, let's mount rootfs as tmpfs */
1895 if (FLAGS_SET(flags
, DISSECT_IMAGE_MKDIR
)) {
1896 r
= mkdir_p(where
, 0755);
1901 if (uid_is_valid(uid_shift
)) {
1902 if (asprintf(&options
, "uid=" UID_FMT
",gid=" GID_FMT
, uid_shift
, (gid_t
) uid_shift
) < 0)
1906 r
= mount_nofollow_verbose(LOG_DEBUG
, "rootfs", where
, "tmpfs", MS_NODEV
, options
);
1913 int dissected_image_mount(
1918 DissectImageFlags flags
) {
1920 int r
, xbootldr_mounted
;
1927 * -ENXIO → No root partition found
1928 * -EMEDIUMTYPE → DISSECT_IMAGE_VALIDATE_OS set but no os-release/extension-release file found
1929 * -EUNATCH → Encrypted partition found for which no dm-crypt was set up yet
1930 * -EUCLEAN → fsck for file system failed
1931 * -EBUSY → File system already mounted/used elsewhere (kernel)
1932 * -EAFNOSUPPORT → File system type not supported or not known
1935 if (!(m
->partitions
[PARTITION_ROOT
].found
||
1936 (m
->partitions
[PARTITION_USR
].found
&& FLAGS_SET(flags
, DISSECT_IMAGE_USR_NO_ROOT
))))
1937 return -ENXIO
; /* Require a root fs or at least a /usr/ fs (the latter is subject to a flag of its own) */
1939 if ((flags
& DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
) == 0) {
1941 /* First mount the root fs. If there's none we use a tmpfs. */
1942 if (m
->partitions
[PARTITION_ROOT
].found
)
1943 r
= mount_partition(m
->partitions
+ PARTITION_ROOT
, where
, NULL
, uid_shift
, uid_range
, flags
);
1945 r
= mount_root_tmpfs(where
, uid_shift
, flags
);
1949 /* For us mounting root always means mounting /usr as well */
1950 r
= mount_partition(m
->partitions
+ PARTITION_USR
, where
, "/usr", uid_shift
, uid_range
, flags
);
1954 if ((flags
& (DISSECT_IMAGE_VALIDATE_OS
|DISSECT_IMAGE_VALIDATE_OS_EXT
)) != 0) {
1955 /* If either one of the validation flags are set, ensure that the image qualifies
1956 * as one or the other (or both). */
1959 if (FLAGS_SET(flags
, DISSECT_IMAGE_VALIDATE_OS
)) {
1960 r
= path_is_os_tree(where
);
1966 if (!ok
&& FLAGS_SET(flags
, DISSECT_IMAGE_VALIDATE_OS_EXT
)) {
1967 r
= path_is_extension_tree(where
, m
->image_name
);
1979 if (flags
& DISSECT_IMAGE_MOUNT_ROOT_ONLY
)
1982 r
= mount_partition(m
->partitions
+ PARTITION_HOME
, where
, "/home", uid_shift
, uid_range
, flags
);
1986 r
= mount_partition(m
->partitions
+ PARTITION_SRV
, where
, "/srv", uid_shift
, uid_range
, flags
);
1990 r
= mount_partition(m
->partitions
+ PARTITION_VAR
, where
, "/var", uid_shift
, uid_range
, flags
);
1994 r
= mount_partition(m
->partitions
+ PARTITION_TMP
, where
, "/var/tmp", uid_shift
, uid_range
, flags
);
1998 xbootldr_mounted
= mount_partition(m
->partitions
+ PARTITION_XBOOTLDR
, where
, "/boot", uid_shift
, uid_range
, flags
);
1999 if (xbootldr_mounted
< 0)
2000 return xbootldr_mounted
;
2002 if (m
->partitions
[PARTITION_ESP
].found
) {
2003 int esp_done
= false;
2005 /* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it
2006 * exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */
2008 r
= chase_symlinks("/efi", where
, CHASE_PREFIX_ROOT
, NULL
, NULL
);
2013 /* /efi doesn't exist. Let's see if /boot is suitable then */
2015 if (!xbootldr_mounted
) {
2016 _cleanup_free_
char *p
= NULL
;
2018 r
= chase_symlinks("/boot", where
, CHASE_PREFIX_ROOT
, &p
, NULL
);
2022 } else if (dir_is_empty(p
) > 0) {
2023 /* It exists and is an empty directory. Let's mount the ESP there. */
2024 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/boot", uid_shift
, uid_range
, flags
);
2034 /* OK, let's mount the ESP now to /efi (possibly creating the dir if missing) */
2036 r
= mount_partition(m
->partitions
+ PARTITION_ESP
, where
, "/efi", uid_shift
, uid_range
, flags
);
2045 int dissected_image_mount_and_warn(
2050 DissectImageFlags flags
) {
2057 r
= dissected_image_mount(m
, where
, uid_shift
, uid_range
, flags
);
2059 return log_error_errno(r
, "Not root file system found in image.");
2060 if (r
== -EMEDIUMTYPE
)
2061 return log_error_errno(r
, "No suitable os-release/extension-release file in image found.");
2063 return log_error_errno(r
, "Encrypted file system discovered, but decryption not requested.");
2065 return log_error_errno(r
, "File system check on image failed.");
2067 return log_error_errno(r
, "File system already mounted elsewhere.");
2068 if (r
== -EAFNOSUPPORT
)
2069 return log_error_errno(r
, "File system type not supported or not known.");
2071 return log_error_errno(r
, "Failed to mount image: %m");
2076 #if HAVE_LIBCRYPTSETUP
2077 typedef struct DecryptedPartition
{
2078 struct crypt_device
*device
;
2081 } DecryptedPartition
;
2083 struct DecryptedImage
{
2084 DecryptedPartition
*decrypted
;
2089 DecryptedImage
* decrypted_image_unref(DecryptedImage
* d
) {
2090 #if HAVE_LIBCRYPTSETUP
2096 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2097 DecryptedPartition
*p
= d
->decrypted
+ i
;
2099 if (p
->device
&& p
->name
&& !p
->relinquished
) {
2100 r
= sym_crypt_deactivate_by_name(p
->device
, p
->name
, 0);
2102 log_debug_errno(r
, "Failed to deactivate encrypted partition %s", p
->name
);
2106 sym_crypt_free(p
->device
);
2116 #if HAVE_LIBCRYPTSETUP
2118 static int make_dm_name_and_node(const void *original_node
, const char *suffix
, char **ret_name
, char **ret_node
) {
2119 _cleanup_free_
char *name
= NULL
, *node
= NULL
;
2122 assert(original_node
);
2127 base
= strrchr(original_node
, '/');
2129 base
= original_node
;
2135 name
= strjoin(base
, suffix
);
2138 if (!filename_is_valid(name
))
2141 node
= path_join(sym_crypt_get_dir(), name
);
2145 *ret_name
= TAKE_PTR(name
);
2146 *ret_node
= TAKE_PTR(node
);
2151 static int decrypt_partition(
2152 DissectedPartition
*m
,
2153 const char *passphrase
,
2154 DissectImageFlags flags
,
2155 DecryptedImage
*d
) {
2157 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
2158 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2164 if (!m
->found
|| !m
->node
|| !m
->fstype
)
2167 if (!streq(m
->fstype
, "crypto_LUKS"))
2173 r
= dlopen_cryptsetup();
2177 r
= make_dm_name_and_node(m
->node
, "-decrypted", &name
, &node
);
2181 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_decrypted
+ 1))
2184 r
= sym_crypt_init(&cd
, m
->node
);
2186 return log_debug_errno(r
, "Failed to initialize dm-crypt: %m");
2188 cryptsetup_enable_logging(cd
);
2190 r
= sym_crypt_load(cd
, CRYPT_LUKS
, NULL
);
2192 return log_debug_errno(r
, "Failed to load LUKS metadata: %m");
2194 r
= sym_crypt_activate_by_passphrase(cd
, name
, CRYPT_ANY_SLOT
, passphrase
, strlen(passphrase
),
2195 ((flags
& DISSECT_IMAGE_DEVICE_READ_ONLY
) ? CRYPT_ACTIVATE_READONLY
: 0) |
2196 ((flags
& DISSECT_IMAGE_DISCARD_ON_CRYPTO
) ? CRYPT_ACTIVATE_ALLOW_DISCARDS
: 0));
2198 log_debug_errno(r
, "Failed to activate LUKS device: %m");
2199 return r
== -EPERM
? -EKEYREJECTED
: r
;
2202 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
2203 .name
= TAKE_PTR(name
),
2204 .device
= TAKE_PTR(cd
),
2207 m
->decrypted_node
= TAKE_PTR(node
);
2212 static int verity_can_reuse(
2213 const VeritySettings
*verity
,
2215 struct crypt_device
**ret_cd
) {
2217 /* If the same volume was already open, check that the root hashes match, and reuse it if they do */
2218 _cleanup_free_
char *root_hash_existing
= NULL
;
2219 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2220 struct crypt_params_verity crypt_params
= {};
2221 size_t root_hash_existing_size
;
2228 r
= sym_crypt_init_by_name(&cd
, name
);
2230 return log_debug_errno(r
, "Error opening verity device, crypt_init_by_name failed: %m");
2232 cryptsetup_enable_logging(cd
);
2234 r
= sym_crypt_get_verity_info(cd
, &crypt_params
);
2236 return log_debug_errno(r
, "Error opening verity device, crypt_get_verity_info failed: %m");
2238 root_hash_existing_size
= verity
->root_hash_size
;
2239 root_hash_existing
= malloc0(root_hash_existing_size
);
2240 if (!root_hash_existing
)
2243 r
= sym_crypt_volume_key_get(cd
, CRYPT_ANY_SLOT
, root_hash_existing
, &root_hash_existing_size
, NULL
, 0);
2245 return log_debug_errno(r
, "Error opening verity device, crypt_volume_key_get failed: %m");
2246 if (verity
->root_hash_size
!= root_hash_existing_size
||
2247 memcmp(root_hash_existing
, verity
->root_hash
, verity
->root_hash_size
) != 0)
2248 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but root hashes are different.");
2250 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
2251 /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
2252 * same settings, so that a previous unsigned mount will not be reused if the user asks to use
2253 * signing for the new one, and vice versa. */
2254 if (!!verity
->root_hash_sig
!= !!(crypt_params
.flags
& CRYPT_VERITY_ROOT_HASH_SIGNATURE
))
2255 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Error opening verity device, it already exists but signature settings are not the same.");
2258 *ret_cd
= TAKE_PTR(cd
);
2262 static inline char* dm_deferred_remove_clean(char *name
) {
2266 (void) sym_crypt_deactivate_by_name(NULL
, name
, CRYPT_DEACTIVATE_DEFERRED
);
2269 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean
);
2271 static int validate_signature_userspace(const VeritySettings
*verity
) {
2273 _cleanup_(sk_X509_free_allp
) STACK_OF(X509
) *sk
= NULL
;
2274 _cleanup_strv_free_
char **certs
= NULL
;
2275 _cleanup_(PKCS7_freep
) PKCS7
*p7
= NULL
;
2276 _cleanup_free_
char *s
= NULL
;
2277 _cleanup_(BIO_freep
) BIO
*bio
= NULL
; /* 'bio' must be freed first, 's' second, hence keep this order
2278 * of declaration in place, please */
2279 const unsigned char *d
;
2284 assert(verity
->root_hash
);
2285 assert(verity
->root_hash_sig
);
2287 /* Because installing a signature certificate into the kernel chain is so messy, let's optionally do
2288 * userspace validation. */
2290 r
= conf_files_list_nulstr(&certs
, ".crt", NULL
, CONF_FILES_REGULAR
|CONF_FILES_FILTER_MASKED
, CONF_PATHS_NULSTR("verity.d"));
2292 return log_debug_errno(r
, "Failed to enumerate certificates: %m");
2293 if (strv_isempty(certs
)) {
2294 log_debug("No userspace dm-verity certificates found.");
2298 d
= verity
->root_hash_sig
;
2299 p7
= d2i_PKCS7(NULL
, &d
, (long) verity
->root_hash_sig_size
);
2301 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to parse PKCS7 DER signature data.");
2303 s
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2305 return log_oom_debug();
2307 bio
= BIO_new_mem_buf(s
, strlen(s
));
2309 return log_oom_debug();
2311 sk
= sk_X509_new_null();
2313 return log_oom_debug();
2315 STRV_FOREACH(i
, certs
) {
2316 _cleanup_(X509_freep
) X509
*c
= NULL
;
2317 _cleanup_fclose_
FILE *f
= NULL
;
2319 f
= fopen(*i
, "re");
2321 log_debug_errno(errno
, "Failed to open '%s', ignoring: %m", *i
);
2325 c
= PEM_read_X509(f
, NULL
, NULL
, NULL
);
2327 log_debug("Failed to load X509 certificate '%s', ignoring.", *i
);
2331 if (sk_X509_push(sk
, c
) == 0)
2332 return log_oom_debug();
2337 r
= PKCS7_verify(p7
, sk
, NULL
, bio
, NULL
, PKCS7_NOINTERN
|PKCS7_NOVERIFY
);
2339 log_debug("Userspace PKCS#7 validation succeeded.");
2341 log_debug("Userspace PKCS#7 validation failed: %s", ERR_error_string(ERR_get_error(), NULL
));
2345 log_debug("Not doing client-side validation of dm-verity root hash signatures, OpenSSL support disabled.");
2350 static int do_crypt_activate_verity(
2351 struct crypt_device
*cd
,
2353 const VeritySettings
*verity
) {
2355 bool check_signature
;
2362 if (verity
->root_hash_sig
) {
2363 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIGNATURE");
2364 if (r
< 0 && r
!= -ENXIO
)
2365 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIGNATURE");
2367 check_signature
= r
!= 0;
2369 check_signature
= false;
2371 if (check_signature
) {
2373 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
2374 /* First, if we have support for signed keys in the kernel, then try that first. */
2375 r
= sym_crypt_activate_by_signed_key(
2379 verity
->root_hash_size
,
2380 verity
->root_hash_sig
,
2381 verity
->root_hash_sig_size
,
2382 CRYPT_ACTIVATE_READONLY
);
2386 log_debug("Validation of dm-verity signature failed via the kernel, trying userspace validation instead.");
2388 log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
2389 program_invocation_short_name
);
2392 /* So this didn't work via the kernel, then let's try userspace validation instead. If that
2393 * works we'll try to activate without telling the kernel the signature. */
2395 r
= validate_signature_userspace(verity
);
2399 return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY
),
2400 "Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
2403 return sym_crypt_activate_by_volume_key(
2407 verity
->root_hash_size
,
2408 CRYPT_ACTIVATE_READONLY
);
2411 static int verity_partition(
2412 PartitionDesignator designator
,
2413 DissectedPartition
*m
,
2414 DissectedPartition
*v
,
2415 const VeritySettings
*verity
,
2416 DissectImageFlags flags
,
2417 DecryptedImage
*d
) {
2419 _cleanup_(sym_crypt_freep
) struct crypt_device
*cd
= NULL
;
2420 _cleanup_(dm_deferred_remove_cleanp
) char *restore_deferred_remove
= NULL
;
2421 _cleanup_free_
char *node
= NULL
, *name
= NULL
;
2425 assert(v
|| (verity
&& verity
->data_path
));
2427 if (!verity
|| !verity
->root_hash
)
2429 if (!((verity
->designator
< 0 && designator
== PARTITION_ROOT
) ||
2430 (verity
->designator
== designator
)))
2433 if (!m
->found
|| !m
->node
|| !m
->fstype
)
2435 if (!verity
->data_path
) {
2436 if (!v
->found
|| !v
->node
|| !v
->fstype
)
2439 if (!streq(v
->fstype
, "DM_verity_hash"))
2443 r
= dlopen_cryptsetup();
2447 if (FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
)) {
2448 /* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
2449 _cleanup_free_
char *root_hash_encoded
= NULL
;
2451 root_hash_encoded
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2452 if (!root_hash_encoded
)
2455 r
= make_dm_name_and_node(root_hash_encoded
, "-verity", &name
, &node
);
2457 r
= make_dm_name_and_node(m
->node
, "-verity", &name
, &node
);
2461 r
= sym_crypt_init(&cd
, verity
->data_path
?: v
->node
);
2465 cryptsetup_enable_logging(cd
);
2467 r
= sym_crypt_load(cd
, CRYPT_VERITY
, NULL
);
2471 r
= sym_crypt_set_data_device(cd
, m
->node
);
2475 if (!GREEDY_REALLOC0(d
->decrypted
, d
->n_decrypted
+ 1))
2478 /* If activating fails because the device already exists, check the metadata and reuse it if it matches.
2479 * In case of ENODEV/ENOENT, which can happen if another process is activating at the exact same time,
2480 * retry a few times before giving up. */
2481 for (unsigned i
= 0; i
< N_DEVICE_NODE_LIST_ATTEMPTS
; i
++) {
2483 r
= do_crypt_activate_verity(cd
, name
, verity
);
2484 /* libdevmapper can return EINVAL when the device is already in the activation stage.
2485 * There's no way to distinguish this situation from a genuine error due to invalid
2486 * parameters, so immediately fall back to activating the device with a unique name.
2487 * Improvements in libcrypsetup can ensure this never happens:
2488 * https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/96 */
2489 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2490 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2493 -EEXIST
, /* Volume is already open and ready to be used */
2494 -EBUSY
, /* Volume is being opened but not ready, crypt_init_by_name can fetch details */
2495 -ENODEV
/* Volume is being opened but not ready, crypt_init_by_name would fail, try to open again */))
2497 if (IN_SET(r
, -EEXIST
, -EBUSY
)) {
2498 struct crypt_device
*existing_cd
= NULL
;
2500 if (!restore_deferred_remove
){
2501 /* To avoid races, disable automatic removal on umount while setting up the new device. Restore it on failure. */
2502 r
= dm_deferred_remove_cancel(name
);
2503 /* If activation returns EBUSY there might be no deferred removal to cancel, that's fine */
2504 if (r
< 0 && r
!= -ENXIO
)
2505 return log_debug_errno(r
, "Disabling automated deferred removal for verity device %s failed: %m", node
);
2507 restore_deferred_remove
= strdup(name
);
2508 if (!restore_deferred_remove
)
2513 r
= verity_can_reuse(verity
, name
, &existing_cd
);
2514 /* Same as above, -EINVAL can randomly happen when it actually means -EEXIST */
2515 if (r
== -EINVAL
&& FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2516 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2517 if (!IN_SET(r
, 0, -ENODEV
, -ENOENT
, -EBUSY
))
2518 return log_debug_errno(r
, "Checking whether existing verity device %s can be reused failed: %m", node
);
2520 /* devmapper might say that the device exists, but the devlink might not yet have been
2521 * created. Check and wait for the udev event in that case. */
2522 r
= device_wait_for_devlink(node
, "block", usec_add(now(CLOCK_MONOTONIC
), 100 * USEC_PER_MSEC
), NULL
);
2523 /* Fallback to activation with a unique device if it's taking too long */
2524 if (r
== -ETIMEDOUT
)
2537 /* Device is being opened by another process, but it has not finished yet, yield for 2ms */
2538 (void) usleep(2 * USEC_PER_MSEC
);
2541 /* An existing verity device was reported by libcryptsetup/libdevmapper, but we can't use it at this time.
2542 * Fall back to activating it with a unique device name. */
2543 if (r
!= 0 && FLAGS_SET(flags
, DISSECT_IMAGE_VERITY_SHARE
))
2544 return verity_partition(designator
, m
, v
, verity
, flags
& ~DISSECT_IMAGE_VERITY_SHARE
, d
);
2546 /* Everything looks good and we'll be able to mount the device, so deferred remove will be re-enabled at that point. */
2547 restore_deferred_remove
= mfree(restore_deferred_remove
);
2549 d
->decrypted
[d
->n_decrypted
++] = (DecryptedPartition
) {
2550 .name
= TAKE_PTR(name
),
2551 .device
= TAKE_PTR(cd
),
2554 m
->decrypted_node
= TAKE_PTR(node
);
2560 int dissected_image_decrypt(
2562 const char *passphrase
,
2563 const VeritySettings
*verity
,
2564 DissectImageFlags flags
,
2565 DecryptedImage
**ret
) {
2567 #if HAVE_LIBCRYPTSETUP
2568 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*d
= NULL
;
2573 assert(!verity
|| verity
->root_hash
|| verity
->root_hash_size
== 0);
2577 * = 0 → There was nothing to decrypt
2578 * > 0 → Decrypted successfully
2579 * -ENOKEY → There's something to decrypt but no key was supplied
2580 * -EKEYREJECTED → Passed key was not correct
2583 if (verity
&& verity
->root_hash
&& verity
->root_hash_size
< sizeof(sd_id128_t
))
2586 if (!m
->encrypted
&& !m
->verity_ready
) {
2591 #if HAVE_LIBCRYPTSETUP
2592 d
= new0(DecryptedImage
, 1);
2596 for (PartitionDesignator i
= 0; i
< _PARTITION_DESIGNATOR_MAX
; i
++) {
2597 DissectedPartition
*p
= m
->partitions
+ i
;
2598 PartitionDesignator k
;
2603 r
= decrypt_partition(p
, passphrase
, flags
, d
);
2607 k
= PARTITION_VERITY_OF(i
);
2609 r
= verity_partition(i
, p
, m
->partitions
+ k
, verity
, flags
| DISSECT_IMAGE_VERITY_SHARE
, d
);
2614 if (!p
->decrypted_fstype
&& p
->decrypted_node
) {
2615 r
= probe_filesystem(p
->decrypted_node
, &p
->decrypted_fstype
);
2616 if (r
< 0 && r
!= -EUCLEAN
)
2629 int dissected_image_decrypt_interactively(
2631 const char *passphrase
,
2632 const VeritySettings
*verity
,
2633 DissectImageFlags flags
,
2634 DecryptedImage
**ret
) {
2636 _cleanup_strv_free_erase_
char **z
= NULL
;
2643 r
= dissected_image_decrypt(m
, passphrase
, verity
, flags
, ret
);
2646 if (r
== -EKEYREJECTED
)
2647 log_error_errno(r
, "Incorrect passphrase, try again!");
2648 else if (r
!= -ENOKEY
)
2649 return log_error_errno(r
, "Failed to decrypt image: %m");
2652 return log_error_errno(SYNTHETIC_ERRNO(EKEYREJECTED
),
2653 "Too many retries.");
2657 r
= ask_password_auto("Please enter image passphrase:", NULL
, "dissect", "dissect", "dissect.passphrase", USEC_INFINITY
, 0, &z
);
2659 return log_error_errno(r
, "Failed to query for passphrase: %m");
2665 int decrypted_image_relinquish(DecryptedImage
*d
) {
2668 /* Turns on automatic removal after the last use ended for all DM devices of this image, and sets a
2669 * boolean so that we don't clean it up ourselves either anymore */
2671 #if HAVE_LIBCRYPTSETUP
2674 for (size_t i
= 0; i
< d
->n_decrypted
; i
++) {
2675 DecryptedPartition
*p
= d
->decrypted
+ i
;
2677 if (p
->relinquished
)
2680 r
= sym_crypt_deactivate_by_name(NULL
, p
->name
, CRYPT_DEACTIVATE_DEFERRED
);
2682 return log_debug_errno(r
, "Failed to mark %s for auto-removal: %m", p
->name
);
2684 p
->relinquished
= true;
2691 static char *build_auxiliary_path(const char *image
, const char *suffix
) {
2698 e
= endswith(image
, ".raw");
2700 return strjoin(e
, suffix
);
2702 n
= new(char, e
- image
+ strlen(suffix
) + 1);
2706 strcpy(mempcpy(n
, image
, e
- image
), suffix
);
2710 void verity_settings_done(VeritySettings
*v
) {
2713 v
->root_hash
= mfree(v
->root_hash
);
2714 v
->root_hash_size
= 0;
2716 v
->root_hash_sig
= mfree(v
->root_hash_sig
);
2717 v
->root_hash_sig_size
= 0;
2719 v
->data_path
= mfree(v
->data_path
);
2722 int verity_settings_load(
2723 VeritySettings
*verity
,
2725 const char *root_hash_path
,
2726 const char *root_hash_sig_path
) {
2728 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2729 size_t root_hash_size
= 0, root_hash_sig_size
= 0;
2730 _cleanup_free_
char *verity_data_path
= NULL
;
2731 PartitionDesignator designator
;
2736 assert(verity
->designator
< 0 || IN_SET(verity
->designator
, PARTITION_ROOT
, PARTITION_USR
));
2738 /* If we are asked to load the root hash for a device node, exit early */
2739 if (is_device_path(image
))
2742 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIDECAR");
2743 if (r
< 0 && r
!= -ENXIO
)
2744 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIDECAR, ignoring: %m");
2748 designator
= verity
->designator
;
2750 /* We only fill in what isn't already filled in */
2752 if (!verity
->root_hash
) {
2753 _cleanup_free_
char *text
= NULL
;
2755 if (root_hash_path
) {
2756 /* If explicitly specified it takes precedence */
2757 r
= read_one_line_file(root_hash_path
, &text
);
2762 designator
= PARTITION_ROOT
;
2764 /* Otherwise look for xattr and separate file, and first for the data for root and if
2765 * that doesn't exist for /usr */
2767 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2768 r
= getxattr_malloc(image
, "user.verity.roothash", &text
, true);
2770 _cleanup_free_
char *p
= NULL
;
2772 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2775 p
= build_auxiliary_path(image
, ".roothash");
2779 r
= read_one_line_file(p
, &text
);
2780 if (r
< 0 && r
!= -ENOENT
)
2785 designator
= PARTITION_ROOT
;
2788 if (!text
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2789 /* So in the "roothash" xattr/file name above the "root" of course primarily
2790 * refers to the root of the Verity Merkle tree. But coincidentally it also
2791 * is the hash for the *root* file system, i.e. the "root" neatly refers to
2792 * two distinct concepts called "root". Taking benefit of this happy
2793 * coincidence we call the file with the root hash for the /usr/ file system
2794 * `usrhash`, because `usrroothash` or `rootusrhash` would just be too
2795 * confusing. We thus drop the reference to the root of the Merkle tree, and
2796 * just indicate which file system it's about. */
2797 r
= getxattr_malloc(image
, "user.verity.usrhash", &text
, true);
2799 _cleanup_free_
char *p
= NULL
;
2801 if (!IN_SET(r
, -ENODATA
, -ENOENT
) && !ERRNO_IS_NOT_SUPPORTED(r
))
2804 p
= build_auxiliary_path(image
, ".usrhash");
2808 r
= read_one_line_file(p
, &text
);
2809 if (r
< 0 && r
!= -ENOENT
)
2814 designator
= PARTITION_USR
;
2819 r
= unhexmem(text
, strlen(text
), &root_hash
, &root_hash_size
);
2822 if (root_hash_size
< sizeof(sd_id128_t
))
2827 if ((root_hash
|| verity
->root_hash
) && !verity
->root_hash_sig
) {
2828 if (root_hash_sig_path
) {
2829 r
= read_full_file(root_hash_sig_path
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2830 if (r
< 0 && r
!= -ENOENT
)
2834 designator
= PARTITION_ROOT
;
2836 if (designator
< 0 || designator
== PARTITION_ROOT
) {
2837 _cleanup_free_
char *p
= NULL
;
2839 /* Follow naming convention recommended by the relevant RFC:
2840 * https://tools.ietf.org/html/rfc5751#section-3.2.1 */
2841 p
= build_auxiliary_path(image
, ".roothash.p7s");
2845 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2846 if (r
< 0 && r
!= -ENOENT
)
2849 designator
= PARTITION_ROOT
;
2852 if (!root_hash_sig
&& (designator
< 0 || designator
== PARTITION_USR
)) {
2853 _cleanup_free_
char *p
= NULL
;
2855 p
= build_auxiliary_path(image
, ".usrhash.p7s");
2859 r
= read_full_file(p
, (char**) &root_hash_sig
, &root_hash_sig_size
);
2860 if (r
< 0 && r
!= -ENOENT
)
2863 designator
= PARTITION_USR
;
2867 if (root_hash_sig
&& root_hash_sig_size
== 0) /* refuse empty size signatures */
2871 if (!verity
->data_path
) {
2872 _cleanup_free_
char *p
= NULL
;
2874 p
= build_auxiliary_path(image
, ".verity");
2878 if (access(p
, F_OK
) < 0) {
2879 if (errno
!= ENOENT
)
2882 verity_data_path
= TAKE_PTR(p
);
2886 verity
->root_hash
= TAKE_PTR(root_hash
);
2887 verity
->root_hash_size
= root_hash_size
;
2890 if (root_hash_sig
) {
2891 verity
->root_hash_sig
= TAKE_PTR(root_hash_sig
);
2892 verity
->root_hash_sig_size
= root_hash_sig_size
;
2895 if (verity_data_path
)
2896 verity
->data_path
= TAKE_PTR(verity_data_path
);
2898 if (verity
->designator
< 0)
2899 verity
->designator
= designator
;
2904 int dissected_image_load_verity_sig_partition(
2907 VeritySettings
*verity
) {
2909 _cleanup_free_
void *root_hash
= NULL
, *root_hash_sig
= NULL
;
2910 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
2911 size_t root_hash_size
, root_hash_sig_size
;
2912 _cleanup_free_
char *buf
= NULL
;
2913 PartitionDesignator d
;
2914 DissectedPartition
*p
;
2915 JsonVariant
*rh
, *sig
;
2924 if (verity
->root_hash
&& verity
->root_hash_sig
) /* Already loaded? */
2927 r
= getenv_bool_secure("SYSTEMD_DISSECT_VERITY_EMBEDDED");
2928 if (r
< 0 && r
!= -ENXIO
)
2929 log_debug_errno(r
, "Failed to parse $SYSTEMD_DISSECT_VERITY_EMBEDDED, ignoring: %m");
2933 d
= PARTITION_VERITY_SIG_OF(verity
->designator
< 0 ? PARTITION_ROOT
: verity
->designator
);
2936 p
= m
->partitions
+ d
;
2939 if (p
->offset
== UINT64_MAX
|| p
->size
== UINT64_MAX
)
2942 if (p
->size
> 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
2945 buf
= new(char, p
->size
+1);
2949 n
= pread(fd
, buf
, p
->size
, p
->offset
);
2952 if ((uint64_t) n
!= p
->size
)
2955 e
= memchr(buf
, 0, p
->size
);
2957 /* If we found a NUL byte then the rest of the data must be NUL too */
2958 if (!memeqzero(e
, p
->size
- (e
- buf
)))
2959 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature data contains embedded NUL byte.");
2963 r
= json_parse(buf
, 0, &v
, NULL
, NULL
);
2965 return log_debug_errno(r
, "Failed to parse signature JSON data: %m");
2967 rh
= json_variant_by_key(v
, "rootHash");
2969 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature JSON object lacks 'rootHash' field.");
2970 if (!json_variant_is_string(rh
))
2971 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "'rootHash' field of signature JSON object is not a string.");
2973 r
= unhexmem(json_variant_string(rh
), SIZE_MAX
, &root_hash
, &root_hash_size
);
2975 return log_debug_errno(r
, "Failed to parse root hash field: %m");
2977 /* Check if specified root hash matches if it is specified */
2978 if (verity
->root_hash
&&
2979 memcmp_nn(verity
->root_hash
, verity
->root_hash_size
, root_hash
, root_hash_size
) != 0) {
2980 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
2982 a
= hexmem(root_hash
, root_hash_size
);
2983 b
= hexmem(verity
->root_hash
, verity
->root_hash_size
);
2985 return log_debug_errno(r
, "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a
), strna(b
));
2988 sig
= json_variant_by_key(v
, "signature");
2990 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "Signature JSON object lacks 'signature' field.");
2991 if (!json_variant_is_string(sig
))
2992 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
), "'signature' field of signature JSON object is not a string.");
2994 r
= unbase64mem(json_variant_string(sig
), SIZE_MAX
, &root_hash_sig
, &root_hash_sig_size
);
2996 return log_debug_errno(r
, "Failed to parse signature field: %m");
2998 free_and_replace(verity
->root_hash
, root_hash
);
2999 verity
->root_hash_size
= root_hash_size
;
3001 free_and_replace(verity
->root_hash_sig
, root_hash_sig
);
3002 verity
->root_hash_sig_size
= root_hash_sig_size
;
3007 int dissected_image_acquire_metadata(DissectedImage
*m
) {
3014 META_EXTENSION_RELEASE
,
3018 static const char *const paths
[_META_MAX
] = {
3019 [META_HOSTNAME
] = "/etc/hostname\0",
3020 [META_MACHINE_ID
] = "/etc/machine-id\0",
3021 [META_MACHINE_INFO
] = "/etc/machine-info\0",
3022 [META_OS_RELEASE
] = ("/etc/os-release\0"
3023 "/usr/lib/os-release\0"),
3024 [META_EXTENSION_RELEASE
] = "extension-release\0", /* Used only for logging. */
3027 _cleanup_strv_free_
char **machine_info
= NULL
, **os_release
= NULL
, **extension_release
= NULL
;
3028 _cleanup_close_pair_
int error_pipe
[2] = { -1, -1 };
3029 _cleanup_(rmdir_and_freep
) char *t
= NULL
;
3030 _cleanup_(sigkill_waitp
) pid_t child
= 0;
3031 sd_id128_t machine_id
= SD_ID128_NULL
;
3032 _cleanup_free_
char *hostname
= NULL
;
3033 unsigned n_meta_initialized
= 0;
3034 int fds
[2 * _META_MAX
], r
, v
;
3037 BLOCK_SIGNALS(SIGCHLD
);
3041 for (; n_meta_initialized
< _META_MAX
; n_meta_initialized
++) {
3042 if (!paths
[n_meta_initialized
]) {
3043 fds
[2*n_meta_initialized
] = fds
[2*n_meta_initialized
+1] = -1;
3047 if (pipe2(fds
+ 2*n_meta_initialized
, O_CLOEXEC
) < 0) {
3053 r
= mkdtemp_malloc("/tmp/dissect-XXXXXX", &t
);
3057 if (pipe2(error_pipe
, O_CLOEXEC
) < 0) {
3062 r
= safe_fork("(sd-dissect)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_NEW_MOUNTNS
|FORK_MOUNTNS_SLAVE
, &child
);
3066 error_pipe
[0] = safe_close(error_pipe
[0]);
3068 r
= dissected_image_mount(
3073 DISSECT_IMAGE_READ_ONLY
|
3074 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|
3075 DISSECT_IMAGE_VALIDATE_OS
|
3076 DISSECT_IMAGE_VALIDATE_OS_EXT
|
3077 DISSECT_IMAGE_USR_NO_ROOT
);
3079 /* Let parent know the error */
3080 (void) write(error_pipe
[1], &r
, sizeof(r
));
3082 log_debug_errno(r
, "Failed to mount dissected image: %m");
3083 _exit(EXIT_FAILURE
);
3086 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
3087 _cleanup_close_
int fd
= -ENOENT
;
3093 fds
[2*k
] = safe_close(fds
[2*k
]);
3095 if (k
== META_EXTENSION_RELEASE
) {
3096 /* As per the os-release spec, if the image is an extension it will have a file
3097 * named after the image name in extension-release.d/ - we use the image name
3098 * and try to resolve it with the extension-release helpers, as sometimes
3099 * the image names are mangled on deployment and do not match anymore.
3100 * Unlike other paths this is not fixed, and the image name
3101 * can be mangled on deployment, so by calling into the helper
3102 * we allow a fallback that matches on the first extension-release
3103 * file found in the directory, if one named after the image cannot
3104 * be found first. */
3105 r
= open_extension_release(t
, m
->image_name
, NULL
, &fd
);
3107 fd
= r
; /* Propagate the error. */
3109 NULSTR_FOREACH(p
, paths
[k
]) {
3110 fd
= chase_symlinks_and_open(p
, t
, CHASE_PREFIX_ROOT
, O_RDONLY
|O_CLOEXEC
|O_NOCTTY
, NULL
);
3115 log_debug_errno(fd
, "Failed to read %s file of image, ignoring: %m", paths
[k
]);
3116 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3120 r
= copy_bytes(fd
, fds
[2*k
+1], UINT64_MAX
, 0);
3122 (void) write(error_pipe
[1], &r
, sizeof(r
));
3123 _exit(EXIT_FAILURE
);
3126 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3129 _exit(EXIT_SUCCESS
);
3132 error_pipe
[1] = safe_close(error_pipe
[1]);
3134 for (unsigned k
= 0; k
< _META_MAX
; k
++) {
3135 _cleanup_fclose_
FILE *f
= NULL
;
3140 fds
[2*k
+1] = safe_close(fds
[2*k
+1]);
3142 f
= take_fdopen(&fds
[2*k
], "r");
3151 r
= read_etc_hostname_stream(f
, &hostname
);
3153 log_debug_errno(r
, "Failed to read /etc/hostname: %m");
3157 case META_MACHINE_ID
: {
3158 _cleanup_free_
char *line
= NULL
;
3160 r
= read_line(f
, LONG_LINE_MAX
, &line
);
3162 log_debug_errno(r
, "Failed to read /etc/machine-id: %m");
3164 r
= sd_id128_from_string(line
, &machine_id
);
3166 log_debug_errno(r
, "Image contains invalid /etc/machine-id: %s", line
);
3168 log_debug("/etc/machine-id file is empty.");
3169 else if (streq(line
, "uninitialized"))
3170 log_debug("/etc/machine-id file is uninitialized (likely aborted first boot).");
3172 log_debug("/etc/machine-id has unexpected length %i.", r
);
3177 case META_MACHINE_INFO
:
3178 r
= load_env_file_pairs(f
, "machine-info", &machine_info
);
3180 log_debug_errno(r
, "Failed to read /etc/machine-info: %m");
3184 case META_OS_RELEASE
:
3185 r
= load_env_file_pairs(f
, "os-release", &os_release
);
3187 log_debug_errno(r
, "Failed to read OS release file: %m");
3191 case META_EXTENSION_RELEASE
:
3192 r
= load_env_file_pairs(f
, "extension-release", &extension_release
);
3194 log_debug_errno(r
, "Failed to read extension release file: %m");
3200 r
= wait_for_terminate_and_check("(sd-dissect)", child
, 0);
3205 n
= read(error_pipe
[0], &v
, sizeof(v
));
3209 return v
; /* propagate error sent to us from child */
3213 if (r
!= EXIT_SUCCESS
)
3216 free_and_replace(m
->hostname
, hostname
);
3217 m
->machine_id
= machine_id
;
3218 strv_free_and_replace(m
->machine_info
, machine_info
);
3219 strv_free_and_replace(m
->os_release
, os_release
);
3220 strv_free_and_replace(m
->extension_release
, extension_release
);
3223 for (unsigned k
= 0; k
< n_meta_initialized
; k
++)
3224 safe_close_pair(fds
+ 2*k
);
3229 int dissect_image_and_warn(
3232 const VeritySettings
*verity
,
3233 const MountOptions
*mount_options
,
3235 uint64_t uevent_seqnum_not_before
,
3236 usec_t timestamp_not_before
,
3237 DissectImageFlags flags
,
3238 DissectedImage
**ret
) {
3240 _cleanup_free_
char *buffer
= NULL
;
3244 r
= fd_get_path(fd
, &buffer
);
3251 r
= dissect_image(fd
, verity
, mount_options
, diskseq
, uevent_seqnum_not_before
, timestamp_not_before
, flags
, ret
);
3255 return log_error_errno(r
, "Dissecting images is not supported, compiled without blkid support.");
3258 return log_error_errno(r
, "Couldn't identify a suitable partition table or file system in '%s'.", name
);
3260 case -EADDRNOTAVAIL
:
3261 return log_error_errno(r
, "No root partition for specified root hash found in '%s'.", name
);
3264 return log_error_errno(r
, "Multiple suitable root partitions found in image '%s'.", name
);
3267 return log_error_errno(r
, "No suitable root partition found in image '%s'.", name
);
3269 case -EPROTONOSUPPORT
:
3270 return log_error_errno(r
, "Device '%s' is loopback block device with partition scanning turned off, please turn it on.", name
);
3274 return log_error_errno(r
, "Failed to dissect image '%s': %m", name
);
3280 bool dissected_image_verity_candidate(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3283 /* Checks if this partition could theoretically do Verity. For non-partitioned images this only works
3284 * if there's an external verity file supplied, for which we can consult .has_verity. For partitioned
3285 * images we only check the partition type.
3287 * This call is used to decide whether to suppress or show a verity column in tabular output of the
3290 if (image
->single_file_system
)
3291 return partition_designator
== PARTITION_ROOT
&& image
->has_verity
;
3293 return PARTITION_VERITY_OF(partition_designator
) >= 0;
3296 bool dissected_image_verity_ready(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3297 PartitionDesignator k
;
3301 /* Checks if this partition has verity data available that we can activate. For non-partitioned this
3302 * works for the root partition, for others only if the associated verity partition was found. */
3304 if (!image
->verity_ready
)
3307 if (image
->single_file_system
)
3308 return partition_designator
== PARTITION_ROOT
;
3310 k
= PARTITION_VERITY_OF(partition_designator
);
3311 return k
>= 0 && image
->partitions
[k
].found
;
3314 bool dissected_image_verity_sig_ready(const DissectedImage
*image
, PartitionDesignator partition_designator
) {
3315 PartitionDesignator k
;
3319 /* Checks if this partition has verity signature data available that we can use. */
3321 if (!image
->verity_sig_ready
)
3324 if (image
->single_file_system
)
3325 return partition_designator
== PARTITION_ROOT
;
3327 k
= PARTITION_VERITY_SIG_OF(partition_designator
);
3328 return k
>= 0 && image
->partitions
[k
].found
;
3331 MountOptions
* mount_options_free_all(MountOptions
*options
) {
3334 while ((m
= options
)) {
3335 LIST_REMOVE(mount_options
, options
, m
);
3343 const char* mount_options_from_designator(const MountOptions
*options
, PartitionDesignator designator
) {
3344 const MountOptions
*m
;
3346 LIST_FOREACH(mount_options
, m
, options
)
3347 if (designator
== m
->partition_designator
&& !isempty(m
->options
))
3353 int mount_image_privately_interactively(
3355 DissectImageFlags flags
,
3356 char **ret_directory
,
3357 LoopDevice
**ret_loop_device
,
3358 DecryptedImage
**ret_decrypted_image
) {
3360 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
3361 _cleanup_(loop_device_unrefp
) LoopDevice
*d
= NULL
;
3362 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3363 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3364 _cleanup_(rmdir_and_freep
) char *created_dir
= NULL
;
3365 _cleanup_free_
char *temp
= NULL
;
3368 /* Mounts an OS image at a temporary place, inside a newly created mount namespace of our own. This
3369 * is used by tools such as systemd-tmpfiles or systemd-firstboot to operate on some disk image
3373 assert(ret_directory
);
3374 assert(ret_loop_device
);
3375 assert(ret_decrypted_image
);
3377 r
= verity_settings_load(&verity
, image
, NULL
, NULL
);
3379 return log_error_errno(r
, "Failed to load root hash data: %m");
3381 r
= tempfn_random_child(NULL
, program_invocation_short_name
, &temp
);
3383 return log_error_errno(r
, "Failed to generate temporary mount directory: %m");
3385 r
= loop_device_make_by_path(
3387 FLAGS_SET(flags
, DISSECT_IMAGE_DEVICE_READ_ONLY
) ? O_RDONLY
: O_RDWR
,
3388 FLAGS_SET(flags
, DISSECT_IMAGE_NO_PARTITION_TABLE
) ? 0 : LO_FLAGS_PARTSCAN
,
3391 return log_error_errno(r
, "Failed to set up loopback device for %s: %m", image
);
3393 r
= dissect_image_and_warn(d
->fd
, image
, &verity
, NULL
, d
->diskseq
, d
->uevent_seqnum_not_before
, d
->timestamp_not_before
, flags
, &dissected_image
);
3397 r
= dissected_image_load_verity_sig_partition(dissected_image
, d
->fd
, &verity
);
3401 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, &verity
, flags
, &decrypted_image
);
3405 r
= detach_mount_namespace();
3407 return log_error_errno(r
, "Failed to detach mount namespace: %m");
3409 r
= mkdir_p(temp
, 0700);
3411 return log_error_errno(r
, "Failed to create mount point: %m");
3413 created_dir
= TAKE_PTR(temp
);
3415 r
= dissected_image_mount_and_warn(dissected_image
, created_dir
, UID_INVALID
, UID_INVALID
, flags
);
3419 if (decrypted_image
) {
3420 r
= decrypted_image_relinquish(decrypted_image
);
3422 return log_error_errno(r
, "Failed to relinquish DM devices: %m");
3425 loop_device_relinquish(d
);
3427 *ret_directory
= TAKE_PTR(created_dir
);
3428 *ret_loop_device
= TAKE_PTR(d
);
3429 *ret_decrypted_image
= TAKE_PTR(decrypted_image
);
3434 static const char *const partition_designator_table
[] = {
3435 [PARTITION_ROOT
] = "root",
3436 [PARTITION_ROOT_SECONDARY
] = "root-secondary",
3437 [PARTITION_USR
] = "usr",
3438 [PARTITION_USR_SECONDARY
] = "usr-secondary",
3439 [PARTITION_HOME
] = "home",
3440 [PARTITION_SRV
] = "srv",
3441 [PARTITION_ESP
] = "esp",
3442 [PARTITION_XBOOTLDR
] = "xbootldr",
3443 [PARTITION_SWAP
] = "swap",
3444 [PARTITION_ROOT_VERITY
] = "root-verity",
3445 [PARTITION_ROOT_SECONDARY_VERITY
] = "root-secondary-verity",
3446 [PARTITION_USR_VERITY
] = "usr-verity",
3447 [PARTITION_USR_SECONDARY_VERITY
] = "usr-secondary-verity",
3448 [PARTITION_ROOT_VERITY_SIG
] = "root-verity-sig",
3449 [PARTITION_ROOT_SECONDARY_VERITY_SIG
] = "root-secondary-verity-sig",
3450 [PARTITION_USR_VERITY_SIG
] = "usr-verity-sig",
3451 [PARTITION_USR_SECONDARY_VERITY_SIG
] = "usr-secondary-verity-sig",
3452 [PARTITION_TMP
] = "tmp",
3453 [PARTITION_VAR
] = "var",
3456 int verity_dissect_and_mount(
3459 const MountOptions
*options
,
3460 const char *required_host_os_release_id
,
3461 const char *required_host_os_release_version_id
,
3462 const char *required_host_os_release_sysext_level
) {
3464 _cleanup_(loop_device_unrefp
) LoopDevice
*loop_device
= NULL
;
3465 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3466 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3467 _cleanup_(verity_settings_done
) VeritySettings verity
= VERITY_SETTINGS_DEFAULT
;
3468 DissectImageFlags dissect_image_flags
;
3474 r
= verity_settings_load(&verity
, src
, NULL
, NULL
);
3476 return log_debug_errno(r
, "Failed to load root hash: %m");
3478 dissect_image_flags
= verity
.data_path
? DISSECT_IMAGE_NO_PARTITION_TABLE
: 0;
3480 r
= loop_device_make_by_path(
3483 verity
.data_path
? 0 : LO_FLAGS_PARTSCAN
,
3486 return log_debug_errno(r
, "Failed to create loop device for image: %m");
3492 loop_device
->diskseq
,
3493 loop_device
->uevent_seqnum_not_before
,
3494 loop_device
->timestamp_not_before
,
3495 dissect_image_flags
,
3497 /* No partition table? Might be a single-filesystem image, try again */
3498 if (!verity
.data_path
&& r
== -ENOPKG
)
3503 loop_device
->diskseq
,
3504 loop_device
->uevent_seqnum_not_before
,
3505 loop_device
->timestamp_not_before
,
3506 dissect_image_flags
| DISSECT_IMAGE_NO_PARTITION_TABLE
,
3509 return log_debug_errno(r
, "Failed to dissect image: %m");
3511 r
= dissected_image_load_verity_sig_partition(dissected_image
, loop_device
->fd
, &verity
);
3515 r
= dissected_image_decrypt(
3519 dissect_image_flags
,
3522 return log_debug_errno(r
, "Failed to decrypt dissected image: %m");
3524 r
= mkdir_p_label(dest
, 0755);
3526 return log_debug_errno(r
, "Failed to create destination directory %s: %m", dest
);
3527 r
= umount_recursive(dest
, 0);
3529 return log_debug_errno(r
, "Failed to umount under destination directory %s: %m", dest
);
3531 r
= dissected_image_mount(dissected_image
, dest
, UID_INVALID
, UID_INVALID
, dissect_image_flags
);
3533 return log_debug_errno(r
, "Failed to mount image: %m");
3535 /* If we got os-release values from the caller, then we need to match them with the image's
3536 * extension-release.d/ content. Return -EINVAL if there's any mismatch.
3537 * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
3538 * available, or else fallback to VERSION_ID. */
3539 if (required_host_os_release_id
&&
3540 (required_host_os_release_version_id
|| required_host_os_release_sysext_level
)) {
3541 _cleanup_strv_free_
char **extension_release
= NULL
;
3543 r
= load_extension_release_pairs(dest
, dissected_image
->image_name
, &extension_release
);
3545 return log_debug_errno(r
, "Failed to parse image %s extension-release metadata: %m", dissected_image
->image_name
);
3547 r
= extension_release_validate(
3548 dissected_image
->image_name
,
3549 required_host_os_release_id
,
3550 required_host_os_release_version_id
,
3551 required_host_os_release_sysext_level
,
3554 return log_debug_errno(SYNTHETIC_ERRNO(ESTALE
), "Image %s extension-release metadata does not match the root's", dissected_image
->image_name
);
3556 return log_debug_errno(r
, "Failed to compare image %s extension-release metadata with the root's os-release: %m", dissected_image
->image_name
);
3559 if (decrypted_image
) {
3560 r
= decrypted_image_relinquish(decrypted_image
);
3562 return log_debug_errno(r
, "Failed to relinquish decrypted image: %m");
3565 loop_device_relinquish(loop_device
);
3570 DEFINE_STRING_TABLE_LOOKUP(partition_designator
, PartitionDesignator
);