From: Lennart Poettering
Date: Tue, 23 Mar 2021 13:07:53 +0000 (+0100)
Subject: dissect: make the --image= switch of our various tools honour Verity data
X-Git-Tag: v249-rc1~503
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27ec815eb4de702e2dcc3ef841c0e7ad40823187;p=thirdparty%2Fsystemd.git

dissect: make the --image= switch of our various tools honour Verity data

This adds simple Verity support to mount_image_privately_interactively(): we dicover the verity metadata and use it.
---

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index c022368dfbd..70739412a2f 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -2629,6 +2629,7 @@ int mount_image_privately_interactively(
 LoopDevice **ret_loop_device,
 DecryptedImage **ret_decrypted_image) {
 
+ _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
 _cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
 _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
 _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
@@ -2645,6 +2646,10 @@ int mount_image_privately_interactively(
 assert(ret_loop_device);
 assert(ret_decrypted_image);
 
+ r = verity_settings_load(&verity, image, NULL, NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to load root hash data: %m");
+
 r = tempfn_random_child(NULL, program_invocation_short_name, &temp);
 if (r < 0)
 return log_error_errno(r, "Failed to generate temporary mount directory: %m");
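Review bot: The `verity_settings_load(&verity, image, NULL, NULL)` call in the second hunk needs a comment saying where the root hash comes from and what happens when there is none. Both path arguments are NULL, so the Verity data is presumably discovered from the image's own surroundings, and only `r < 0` is treated as failure; if "nothing found" returns success, the mount continues unverified. A root hash stored alongside the image detects corruption but does not authenticate the image against someone able to replace both, unless a signature is also checked. Suggested comment: `/* Root hash is auto-discovered for the image; a missing one is not an error, so this gives integrity checking, not proof of origin. */`. The function body begins and ends outside the hunk.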
@@ -2657,11 +2662,11 @@ int mount_image_privately_interactively(
 if (r < 0)
 return log_error_errno(r, "Failed to set up loopback device: %m");
 
- r = dissect_image_and_warn(d->fd, image, NULL, NULL, flags, &dissected_image);
+ r = dissect_image_and_warn(d->fd, image, &verity, NULL, flags, &dissected_image);
 if (r < 0)
 return r;
 
- r = dissected_image_decrypt_interactively(dissected_image, NULL, NULL, flags, &decrypted_image);
+ r = dissected_image_decrypt_interactively(dissected_image, NULL, &verity, flags, &decrypted_image);
 if (r < 0)
 return r;
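Review bot: After `&verity` is handed to `dissect_image_and_warn()` and `dissected_image_decrypt_interactively()`, nothing records whether Verity protection was actually in effect for the mount, so a verified and an unverified run of a tool with --image= look identical in the logs. A debug message before the dissect call would make that auditable, for example `log_debug("Verity root hash for %s %s.", image, verity.root_hash ? "loaded" : "not available");`. This relies on `VeritySettings` carrying the hash in a `root_hash` member, which the hunk does not show. The enclosing function starts and ends outside the hunk.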