veritysetup-generator: add support for verity root options
authorGaël PORTAY <gael.portay@collabora.com>
Fri, 13 Nov 2020 11:00:25 +0000 (06:00 -0500)
committerGaël PORTAY <gael.portay@collabora.com>
Fri, 15 Jan 2021 00:41:41 +0000 (19:41 -0500)
This adds support for a new kernel root verity command line option
"verity_root_options=" which controls the behaviour of dm-verity by
forwarding options directly to systemd-veritysetup.

See `veritysetup(8)` for more details.

man/kernel-command-line.xml
man/systemd-veritysetup-generator.xml
src/veritysetup/veritysetup-generator.c
test/fuzz/fuzz-unit-file/directives.service

index 7a4109916c154b7f87a9158234ba7e79f66e6533..c55b4b17abd77127ca18cbe488f8e0b9d0114cf7 100644 (file)
         <term><varname>rd.systemd.verity=</varname></term>
         <term><varname>systemd.verity_root_data=</varname></term>
         <term><varname>systemd.verity_root_hash=</varname></term>
+        <term><varname>systemd.verity.root_options=</varname></term>
         <listitem>
           <para>Configures the integrity protection root hash for the root file system, and other related
           parameters. For details, see
index d2736a7fd518dd2cfe7b3bc217da54897638b86c..86171ed005e840926e5b6dc31821efb7ea4cd0ad 100644 (file)
         (see above).</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>systemd.verity_root_options=</varname></term>
+
+        <listitem><para>Takes a comma-separated list of dm-verity options. Expects the following options
+        <option>ignore-corruption</option>, <option>restart-on-corruption</option>, <option>ignore-zero-blocks</option>,
+        <option>check-at-most-once</option>, <option>panic-on-corruption</option> and
+        <option>root-hash-signature</option>. See
+        <citerefentry><refentrytitle>veritysetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more
+        details.</para></listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
index 7c807c874aec2e7d797d04f79b22a11a4a306343..b706eb037311dd8e7ca0dfeeb9a8f47688af9826 100644 (file)
@@ -29,13 +29,16 @@ static bool arg_enabled = true;
 static char *arg_root_hash = NULL;
 static char *arg_data_what = NULL;
 static char *arg_hash_what = NULL;
+static char *arg_options = NULL;
 
 STATIC_DESTRUCTOR_REGISTER(arg_root_hash, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_data_what, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_hash_what, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_options, freep);
 
 static int create_device(void) {
-        _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL, *u_escaped = NULL, *v_escaped = NULL, *root_hash_escaped = NULL;
+        _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL, *u_escaped = NULL, *v_escaped = NULL,
+                            *root_hash_escaped = NULL, *options_escaped = NULL;
         _cleanup_fclose_ FILE *f = NULL;
         const char *to;
         int r;
@@ -57,7 +60,8 @@ static int create_device(void) {
 
         log_debug("Using root verity data device %s,\n"
                   "                  hash device %s,\n"
-                  "                and root hash %s.", arg_data_what, arg_hash_what, arg_root_hash);
+                  "                      options %s,\n"
+                  "                and root hash %s.", arg_data_what, arg_hash_what, arg_options, arg_root_hash);
 
         u = fstab_node_to_udev_node(arg_data_what);
         if (!u)
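Review bot: `arg_options` is passed straight to a `%s` conversion in the extended `log_debug()` call, yet it stays NULL whenever `systemd.verity_root_options=` is not on the command line; a later hunk guards exactly that case with `arg_options ?: ""`. A null pointer for `%s` is undefined behaviour in C, and glibc merely happens to print `(null)`. I would pass `strna(arg_options)` (or `strempty(arg_options)`) in the argument list instead. create_device() starts and continues outside this hunk.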
@@ -80,6 +84,10 @@ static int create_device(void) {
         if (r < 0)
                 return log_error_errno(r, "Failed to generate unit name: %m");
 
+        options_escaped = specifier_escape(arg_options ?: "");
+        if (!options_escaped)
+                return log_oom();
+
         root_hash_escaped = specifier_escape(arg_root_hash);
         if (!root_hash_escaped)
                 return log_oom();
@@ -102,11 +110,11 @@ static int create_device(void) {
                 "\n[Service]\n"
                 "Type=oneshot\n"
                 "RemainAfterExit=yes\n"
-                "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s'\n"
+                "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s' '%s'\n"
                 "ExecStop=" ROOTLIBEXECDIR "/systemd-veritysetup detach root\n",
                 d, e,
                 d, e,
-                u_escaped, v_escaped, root_hash_escaped);
+                u_escaped, v_escaped, root_hash_escaped, options_escaped);
 
         r = fflush_and_check(f);
         if (r < 0)
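Review bot: The new fourth `'%s'` on the `ExecStart=` line receives `options_escaped`, which has only been through `specifier_escape()` (as I read it, that only doubles `%`), and nothing visible in this diff rejects a single quote or control character in the command-line value. Such a value would close the quoted word early, so what reaches systemd-veritysetup would no longer be a single options argument. The three existing arguments are built the same way, so the pattern predates this commit, but this one is free-form text rather than a device path or hash. I would refuse it before writing the unit, for example `if (strpbrk(strempty(arg_options), "'\"\\\n")) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid character in verity root options, refusing.");`. The fprintf() call opens outside this hunk.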
@@ -158,6 +166,16 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                 r = free_and_strdup(&arg_hash_what, value);
                 if (r < 0)
                         return log_oom();
+
+        } else if (proc_cmdline_key_streq(key, "systemd.verity_root_options")) {
+
+                if (proc_cmdline_value_missing(key, value))
+                        return 0;
+
+                r = free_and_strdup(&arg_options, value);
+                if (r < 0)
+                        return log_oom();
+
         }
 
         return 0;
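Review bot: The key matched by the new `else if` branch is `systemd.verity_root_options`, which agrees with the systemd-veritysetup-generator.xml and directives.service sections, but the kernel-command-line.xml section of this commit spells it `systemd.verity.root_options=`. An administrator copying that spelling gets a parameter this function never matches and, as far as the visible code goes, falls through to `return 0` without a log line, so an option such as `panic-on-corruption` would silently not be applied; the `<varname>` there should read `systemd.verity_root_options=`. Separately, the value is stored unvalidated and `ignore-corruption` relaxes dm-verity enforcement, so I would add a comment on this branch such as `/* Forwarded verbatim to systemd-veritysetup; the kernel command line must be as trusted as the root hash. */`. parse_proc_cmdline_item() begins outside this hunk.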
index 464496e25753607edb88bfcbfc07847f95682684..2ea00ae52c0656d266024f9e21405231c1733ddf 100644 (file)
@@ -326,6 +326,7 @@ systemd.unit=
 systemd.verity=
 systemd.verity_root_data=
 systemd.verity_root_hash=
+systemd.verity_root_options=
 systemd.volatile=
 systemd.wants=
 systemd.watchdog_device=