From: Lennart Poettering
Date: Mon, 2 Jun 2025 16:31:40 +0000 (+0200)
Subject: udev: add udev properties that point to verity/verity sig metadata partitions from...
X-Git-Tag: v258-rc1~368^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=188467dfd9290b7d6246b68fc82ac70436fd6c29;p=thirdparty%2Fsystemd.git
udev: add udev properties that point to verity/verity sig metadata partitions from data partitions
This extends the dissect_image builtin to actually add device node references to the device nodes where the associated data is placed, if we can find it. This is kept very generic, and independent from the roothash properties and suchlike, since it makes sense to make it possible to set these properties also independently of the dissect-image builtin. The device path is a /dev/disk/by-diskseq/ symlink, so that we have stable reference that are not subject to dev_t reuses.
---
diff --git a/src/udev/udev-builtin-dissect_image.c b/src/udev/udev-builtin-dissect_image.c
index 02aa8fcbea9..444b0fce37d 100644
--- a/src/udev/udev-builtin-dissect_image.c
+++ b/src/udev/udev-builtin-dissect_image.c
@@ -124,6 +124,11 @@ static int verb_probe(UdevEvent *event, sd_device *dev) {
 return 0;
 }
+ uint64_t diskseq;
+ r = sd_device_get_diskseq(dev, &diskseq);
+ if (r < 0)
+ return log_device_debug_errno(dev, r, "Failed to get diskseq of '%s': %m", devnode);
+
 r = blockdev_partscan_enabled(dev);
 if (r < 0)
 return log_device_debug_errno(dev, r, "Failed to determine if block device '%s' supports partitions: %m", devnode);
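Review bot: The new diskseq lookup turns a previously optional attribute into a hard failure for the whole probe: when `sd_device_get_diskseq()` returns an error (presumably on kernels or device types that expose no DISKSEQ), verb_probe now returns before `blockdev_partscan_enabled()` and none of the ID_DISSECT_* properties get set, not only the two new *_DEVICE ones. Since the diskseq is only needed to format the by-diskseq path for those two properties, a softer shape would be `uint64_t diskseq = 0; bool have_diskseq = sd_device_get_diskseq(dev, &diskseq) >= 0;` with a debug log on failure, and the *_DEVICE properties emitted only when `have_diskseq` is true. A one-line comment on why the lookup happens this early, such as `/* Needed below to build /dev/disk/by-diskseq/ references to sibling verity partitions */`, would also help, because its only use is several hunks away. verb_probe's body continues outside the hunk.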
@@ -262,11 +267,22 @@ static int verb_probe(UdevEvent *event, sd_device *dev) {
 /* Indicate whether this partition has verity protection */
 PartitionDesignator dv = partition_verity_of(d);
 if (dv >= 0 && image->partitions[dv].found) {
+ /* Add one property that indicates as a boolean whether Verity is available at all for this */
 _cleanup_free_ char *f = NULL;
 if (asprintf(&f, "ID_DISSECT_PART%i_HAS_VERITY", p->partno) < 0)
 return log_oom_debug();
 (void) udev_builtin_add_property(event, f, "1");
+
+ /* Add a second property that indicates where the block device is found with the
+ * Verity data. We maintain this in an independent property, since Verity data might
+ * be available from other sources too, not just block devices, and we'd like to keep
+ * the props somewhat open for that. */
+ f = mfree(f);
+ if (asprintf(&f, "ID_DISSECT_PART%i_VERITY_DEVICE", p->partno) < 0)
+ return log_oom_debug();
+
+ (void) udev_builtin_add_propertyf(event, f, "/dev/disk/by-diskseq/%" PRIu64 "-part%i", diskseq, image->partitions[dv].partno);
 }
 dv = partition_verity_sig_of(d);
@@ -276,6 +292,12 @@ static int verb_probe(UdevEvent *event, sd_device *dev) {
 return log_oom_debug();
 (void) udev_builtin_add_property(event, f, "1");
+
+ f = mfree(f);
+ if (asprintf(&f, "ID_DISSECT_PART%i_VERITY_SIG_DEVICE", p->partno) < 0)
+ return log_oom_debug();
+
+ (void) udev_builtin_add_propertyf(event, f, "/dev/disk/by-diskseq/%" PRIu64 "-part%i", diskseq, image->partitions[dv].partno);
 }
 if (d == verity.designator) {
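Review bot: The value written to `ID_DISSECT_PART%i_VERITY_DEVICE` is a locator, not evidence that the referenced partition holds the right data: as far as this hunk shows, `partition_verity_of(d)` and `image->partitions[dv].found` only say that dissection found a partition in the verity slot next to the data partition, and on an untrusted image that layout is attacker-controlled. A comment making that explicit would help consumers, e.g. `/* Locator only: the verity partition was found by dissection, its contents still have to be verified against the root hash (and signature) before use. */` above the `udev_builtin_add_propertyf()` call. It is also worth noting that the `/dev/disk/by-diskseq/…-partN` link is presumably created by udev for the partition device itself, so at the moment this property is set on the parent it may not exist yet and consumers should be prepared to resolve it lazily. verb_probe's body continues outside the hunk.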
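Review bot: The `ID_DISSECT_PART%i_VERITY_SIG_DEVICE` branch gets no explanation, while its `_VERITY_DEVICE` sibling in the previous hunk explains why the device reference is kept separate from the boolean; a reader landing here sees `f = mfree(f)` followed by a second asprintf() with no stated reason. A short comment before `f = mfree(f);`, such as `/* As for VERITY_DEVICE: point at the block device holding the signature, kept separate from the boolean so other sources can be expressed later. */`, would keep the two branches parallel. The path format `"/dev/disk/by-diskseq/%" PRIu64 "-part%i"` is now spelled out twice with the same arguments; if it gains another user, a small static helper taking diskseq and partno would keep them in sync. verb_probe's body continues outside the hunk.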
@@ -344,7 +366,12 @@ static int verb_copy(UdevEvent *event, sd_device *dev) {
 if (r < 0)
 return log_device_debug_errno(dev, r, "Failed to get partition number of partition block device '%s': %m", devnode);
- FOREACH_STRING(f, "_DESIGNATOR", "_ARCHITECTURE", "_HAS_VERITY", "_HAS_VERITY_SIG", "_ROOTHASH", "_ROOTHASH_SIG") {
+ FOREACH_STRING(f,
+ "_DESIGNATOR", "_ARCHITECTURE",
+ "_HAS_VERITY", "_HAS_VERITY_SIG",
+ "_ROOTHASH", "_ROOTHASH_SIG",
+ "_VERITY_DEVICE", "_VERITY_SIG_DEVICE") {
+ /* The property on the parent device contains the partition number */
 _cleanup_free_ char *p = strjoin("ID_DISSECT_PART", partn, f);
 if (!p)