From: Lennart Poettering Date: Thu, 20 Mar 2025 13:35:50 +0000 (+0100) Subject: veritysetup: when we fail to unlock a disk with the root hash signature logic, retry... X-Git-Tag: v258-rc1~923^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96386bb5a75c512fa44a218676770b9655abd4d6;p=thirdparty%2Fsystemd.git veritysetup: when we fail to unlock a disk with the root hash signature logic, retry without Currently, there's no nice way to get a key into the dm-verity kernel keyring unless recompiling the kernel, or enabling SB or buying into shim. Neither sounds particularly attractive. hence provide a reasonable fallback: if unlocking with signed roothash doesn#t work, just try without. maybe the kernel policy allows this, maybe not. It's worth a try. --- diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c index 6fd5527424a..5f92cc90113 100644 --- a/src/veritysetup/veritysetup.c +++ b/src/veritysetup/veritysetup.c @@ -415,13 +415,22 @@ static int verb_attach(int argc, char *argv[], void *userdata) { if (r < 0) return log_error_errno(r, "Failed to configure data device: %m"); - if (arg_root_hash_signature_size > 0) + if (arg_root_hash_signature_size > 0) { #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags); + if (r < 0) { + log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume); + + r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags); + if (r < 0) + return log_error_errno(r, "Failed to activate verity device '%s' both with and without root hash signature: %m", volume); + + log_info("Activation of verity device '%s' succeeded without root hash signature.", volume); + } #else assert_not_reached(); #endif - else + } else r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags); if (r < 0) return log_error_errno(r, "Failed to set up verity device '%s': %m", volume);