]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6d2d38e)
dissect: Accept signature for usr+usr-verity+usr-verity-sig images
authorValentin David <me@valentindavid.com>
Tue, 19 Sep 2023 18:31:04 +0000 (20:31 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 20 Sep 2023 09:21:56 +0000 (10:21 +0100)
An image with usr+usr-verity+usr-verity-sig without sidecar files would not be
detected as signed because it would looke for root-verity-sig instead. Because
dissect was not able to detect it, it also made /usr sysexts using an usr
partition to not be mounted with verity.

src/shared/dissect-image.c patch | blob | blame | history

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 88a8b008b48c9499c0e145d1f5d9bc8735d3a8e9..be4a3d1738f6c4f8b6026435911e62bc3b62d4c7 100644 (file)
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1442,8 +1442,11 @@ static int dissect_image(
                 if (verity->designator >= 0 && !m->partitions[verity->designator].found)
                         return -EADDRNOTAVAIL;
 
-                bool have_verity_sig_partition =
-                        m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR_VERITY_SIG : PARTITION_ROOT_VERITY_SIG].found;
+                bool have_verity_sig_partition;
+                if (verity->designator >= 0)
+                        have_verity_sig_partition = m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR_VERITY_SIG : PARTITION_ROOT_VERITY_SIG].found;
+                else
+                        have_verity_sig_partition = m->partitions[PARTITION_USR_VERITY_SIG].found || m->partitions[PARTITION_ROOT_VERITY_SIG].found;
 
                 if (verity->root_hash) {
                         /* If we have an explicit root hash and found the partitions for it, then we are ready to use
@@ -1475,7 +1478,12 @@ static int dissect_image(
                         /* If we found an embedded signature partition, we are ready, too. */
 
                         m->verity_ready = m->verity_sig_ready = true;
-                        m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR : PARTITION_ROOT].rw = false;
+                        if (verity->designator >= 0)
+                                m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR : PARTITION_ROOT].rw = false;
+                        else if (m->partitions[PARTITION_USR_VERITY_SIG].found)
+                                m->partitions[PARTITION_USR].rw = false;
+                        else if (m->partitions[PARTITION_ROOT_VERITY_SIG].found)
+                                m->partitions[PARTITION_ROOT].rw = false;
                 }
         }
 
Unnamed repository; edit this file 'description' to name the repository.