From: Luca Boccassi
Date: Wed, 11 Sep 2024 16:23:35 +0000 (+0200)
Subject: dissect: do not attempt to load verity for just-built images
X-Git-Tag: v25~305
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=335393789d9879aa2b97df8b65d435a97bab7c24;p=thirdparty%2Fmkosi.git
dissect: do not attempt to load verity for just-built images
Verity is useful to establish trust at runtime in production environments where we don't know if a payload is trusted in advance, but we can implicitly trust the image we just built ourselves, so set the env vars to disable loading images using verity when building sub-images
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index e4301705c..3460984c6 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -153,7 +153,9 @@ def mount_base_trees(context: Context) -> Iterator[None]:
 extract_tar(path, d, sandbox=context.sandbox)
 bases += [d]
 elif path.suffix == ".raw":
- run(["systemd-dissect", "--mount", "--mkdir", path, d])
+ run(
+ ["systemd-dissect", "--mount", "--mkdir", path, d],
+ env=dict(SYSTEMD_DISSECT_VERITY_EMBEDDED="no", SYSTEMD_DISSECT_VERITY_SIDECAR="no"))
 stack.callback(lambda: run(["systemd-dissect", "--umount", "--rmdir", d]))
 bases += [d]
 else:
@@ -996,6 +998,7 @@ def install_tree(
 elif src.suffix == ".raw":
 run(
 ["systemd-dissect", "--copy-from", workdir(src), "/", workdir(t)],
+ env=dict(SYSTEMD_DISSECT_VERITY_EMBEDDED="no", SYSTEMD_DISSECT_VERITY_SIDECAR="no"),
 sandbox=config.sandbox(
 binary="systemd-dissect",
 devices=True,
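Review bot: The verity override in the new `run(...)` call of mount_base_trees is applied to every `.raw` that reaches this branch, not only to images this build produced, so the "we just built it ourselves" trust argument from the commit message does not obviously cover a base tree the user points at from elsewhere; where `path` comes from is outside the hunk, so this is inferred. If that is intended, the assumption should be stated at the call site so nobody later reads the env as a security check being deliberately bypassed, e.g. `# Base trees are build inputs we already trust; skip loading embedded/sidecar verity data rather than verifying it here.` If it is not intended, the override should be gated on the image being a product of this build rather than set unconditionally. The remainder of mount_base_trees lies outside the hunk.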
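Review bot: The `env=dict(SYSTEMD_DISSECT_VERITY_EMBEDDED="no", SYSTEMD_DISSECT_VERITY_SIDECAR="no")` line added to the `--copy-from` call in install_tree is a verbatim copy of the dict introduced in mount_base_trees, and the two will drift the next time one of them gains a variable. A single module-level constant with the rationale attached, such as `DISSECT_NO_VERITY_ENV = dict(SYSTEMD_DISSECT_VERITY_EMBEDDED="no", SYSTEMD_DISSECT_VERITY_SIDECAR="no")` preceded by `# Images consumed during a build are trusted inputs; verity is for establishing trust at deploy time.`, and `env=DISSECT_NO_VERITY_ENV` at both call sites, keeps the policy in one place and makes it visible that both code paths deliberately skip verity. The install_tree signature and the rest of the `run(...)` call, including the sandbox arguments, continue outside the hunk.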