git.ipfire.org Git - thirdparty/systemd.git/commit
dissect-image: guess verity root hash from the resources we found
author: Lennart Poettering <lennart@poettering.net>
Fri, 14 Mar 2025 10:57:34 +0000 (11:57 +0100)
committer: Lennart Poettering <lennart@poettering.net>
Thu, 3 Apr 2025 09:08:57 +0000 (11:08 +0200)
commit: e34c89897af9b0c7af49d0137bf04fa31b172c4a
tree: 6758ea35adb069c2705edac290e053a1c809781e
parent: 923eabf085a03a213af3a2c0eeb2086bcf5959a5
dissect-image: guess verity root hash from the resources we found

When dissecting an image, let's make use of the Verity data even if we
got told no root hash explicitly: we can simply determine it by
concatenating the data partition uuid with the verity partition uuid.

Of course, on first thought this doesn't really add much: if the root
hash is not pinned from somewhere, this does not guarantee trust in
the image.

However, this is very useful for attestation: if we have the root hash
we can measure it before mounting things, even if we don't actually
authenticate it.

Hence, at best this helps us with attestation, at worst it doesn't improve
security but certainly doesn't hurt it.
docs/ENVIRONMENT.md
src/core/namespace.c
src/dissect/dissect.c
src/mountfsd/mountwork.c
src/nspawn/nspawn.c
src/shared/dissect-image.c
src/shared/dissect-image.h
src/sysext/sysext.c
src/udev/udev-builtin-dissect_image.c
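The rule the commit message relies on is the one from the Discoverable Partitions Specification: the data partition's partition UUID carries the first 128 bits of the verity root hash and the verity partition's UUID carries the last 128 bits, so the 256-bit root hash can be rebuilt by concatenating the two UUIDs. The following is an added example (not systemd's code, and not the implementation in dissect-image.c) showing that reconstruction, its inverse, and the consistency check that applies when a root hash was pinned explicitly. The function names and the two sample partition UUIDs are constructed for this example.

```python
import hashlib
import uuid

# Constructed sample partition UUIDs for this example (not taken from any real image).
SAMPLE_DATA_PART_UUID = "6f2a5f3e-1c2d-4a7b-9e8f-0123456789ab"
SAMPLE_VERITY_PART_UUID = "fedcba98-7654-4321-8fed-cba987654321"


def guess_root_hash(data_part_uuid: str, verity_part_uuid: str) -> str:
    """Reconstruct a 256-bit verity root hash from the two partition UUIDs.

    The Discoverable Partitions Specification stores the first 128 bits of the
    root hash as the data partition's UUID and the last 128 bits as the verity
    partition's UUID, so concatenating the raw UUID bytes yields the hash.
    """
    raw = uuid.UUID(data_part_uuid).bytes + uuid.UUID(verity_part_uuid).bytes
    return raw.hex()


def partition_uuids_for_root_hash(root_hash: str) -> tuple[str, str]:
    """Inverse: split a 64-hex-digit root hash into (data UUID, verity UUID)."""
    raw = bytes.fromhex(root_hash)
    if len(raw) != 32:
        raise ValueError("expected a 256-bit root hash (64 hex digits)")
    return str(uuid.UUID(bytes=raw[:16])), str(uuid.UUID(bytes=raw[16:]))


def root_hash_matches_partitions(root_hash: str, data_part_uuid: str,
                                 verity_part_uuid: str) -> bool:
    """Consistency check for the case where a root hash was pinned explicitly.

    The partition UUIDs found in the image must agree with the pinned hash;
    a mismatch means the verity partition in this image does not belong to
    the root hash the caller trusts.
    """
    return guess_root_hash(data_part_uuid, verity_part_uuid) == root_hash.lower()


def demo() -> dict:
    """Run the three operations on the constructed sample values."""
    guessed = guess_root_hash(SAMPLE_DATA_PART_UUID, SAMPLE_VERITY_PART_UUID)
    # A "pinned" root hash that came from elsewhere; constructed here as the
    # SHA-256 of a fixed string so the mismatch case is exercised.
    pinned = hashlib.sha256(b"constructed example root hash").hexdigest()
    return {
        "guessed": guessed,
        "round_trip": partition_uuids_for_root_hash(guessed),
        "consistent_with_sample": root_hash_matches_partitions(
            guessed, SAMPLE_DATA_PART_UUID, SAMPLE_VERITY_PART_UUID),
        "consistent_with_pinned": root_hash_matches_partitions(
            pinned, SAMPLE_DATA_PART_UUID, SAMPLE_VERITY_PART_UUID),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guessed hash is only as trustworthy as the partition table it was read from, which is the commit message's point: without a root hash pinned from elsewhere it provides a value to measure before mounting, not a verification result. When a pinned hash is available, `root_hash_matches_partitions` is the check that ties the image's partitions to it.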