From: Daan De Meyer Date: Thu, 25 Sep 2025 17:57:36 +0000 (+0200) Subject: gpt: Introduce function to convert verity hash or sig to data partition X-Git-Tag: v259-rc1~420^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=946cc446c0355710075dd085b82da4e811dcd427;p=thirdparty%2Fsystemd.git gpt: Introduce function to convert verity hash or sig to data partition Let's rename the existing partition_verity_to_data() to partition_verity_hash_to_data() and make a new partition_verity_to_data() that handles both verity hash and verity signature partitions. Rename other functions to match the new naming. --- diff --git a/src/repart/repart.c b/src/repart/repart.c index 6bd0c157158..b74d9bb552b 100644 --- a/src/repart/repart.c +++ b/src/repart/repart.c @@ -2809,7 +2809,7 @@ static int partition_read_definition(Partition *p, const char *path, const char } /* Verity partitions are read only, let's imply the RO flag hence, unless explicitly configured otherwise. */ - if ((partition_designator_is_verity(p->type.designator) || p->verity == VERITY_DATA) && p->read_only < 0) + if ((partition_designator_is_verity_hash(p->type.designator) || p->verity == VERITY_DATA) && p->read_only < 0) p->read_only = true; /* Default to "growfs" on, unless read-only */ @@ -7500,7 +7500,7 @@ static int resolve_copy_blocks_auto_candidate_harder( * verity/verity-sig partition for it, based on udev metadata. */ const char *property; - if (partition_designator_is_verity(partition_type.designator)) + if (partition_designator_is_verity_hash(partition_type.designator)) property = "ID_DISSECT_PART_VERITY_DEVICE"; else if (partition_designator_is_verity_sig(partition_type.designator)) property = "ID_DISSECT_PART_VERITY_SIG_DEVICE"; diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 63826acd9e4..56096bad3b1 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -1619,7 +1619,7 @@ static int dissect_image( if (m->partitions[di].found) { found_flags = PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_UNUSED; - PartitionDesignator vi = partition_verity_of(di); + PartitionDesignator vi = partition_verity_hash_of(di); if (vi >= 0 && m->partitions[vi].found) { found_flags |= PARTITION_POLICY_VERITY; @@ -3119,7 +3119,7 @@ int dissected_image_decrypt( if (r < 0) return r; - k = partition_verity_of(i); + k = partition_verity_hash_of(i); if (k >= 0) { flags |= getenv_bool("SYSTEMD_VERITY_SHARING") != 0 ? DISSECT_IMAGE_VERITY_SHARE : 0; @@ -3608,7 +3608,7 @@ int dissected_image_load_verity_sig_partition( if (!m->partitions[dd].found) return 0; - PartitionDesignator dv = partition_verity_of(dd); + PartitionDesignator dv = partition_verity_hash_of(dd); assert(dv >= 0); if (!m->partitions[dv].found) return 0; @@ -3734,7 +3734,7 @@ int dissected_image_guess_verity_roothash( if (!d->found) return 0; - PartitionDesignator dv = partition_verity_of(dd); + PartitionDesignator dv = partition_verity_hash_of(dd); assert(dv >= 0); DissectedPartition *p = m->partitions + dv; @@ -4178,7 +4178,7 @@ bool dissected_image_verity_candidate(const DissectedImage *image, PartitionDesi if (image->single_file_system) return partition_designator == PARTITION_ROOT && image->has_verity; - return partition_verity_of(partition_designator) >= 0; + return partition_verity_hash_of(partition_designator) >= 0; } bool dissected_image_verity_ready(const DissectedImage *image, PartitionDesignator partition_designator) { @@ -4195,7 +4195,7 @@ bool dissected_image_verity_ready(const DissectedImage *image, PartitionDesignat if (image->single_file_system) return partition_designator == PARTITION_ROOT; - k = partition_verity_of(partition_designator); + k = partition_verity_hash_of(partition_designator); return k >= 0 && image->partitions[k].found; } diff --git a/src/shared/gpt.c b/src/shared/gpt.c index 9bb66b7c403..b9b967e806f 100644 --- a/src/shared/gpt.c +++ b/src/shared/gpt.c @@ -31,7 +31,7 @@ bool partition_designator_is_versioned(PartitionDesignator d) { PARTITION_USR_VERITY_SIG); } -PartitionDesignator partition_verity_of(PartitionDesignator p) { +PartitionDesignator partition_verity_hash_of(PartitionDesignator p) { switch (p) { case PARTITION_ROOT: @@ -59,7 +59,7 @@ PartitionDesignator partition_verity_sig_of(PartitionDesignator p) { } } -PartitionDesignator partition_verity_to_data(PartitionDesignator d) { +PartitionDesignator partition_verity_hash_to_data(PartitionDesignator d) { switch (d) { case PARTITION_ROOT_VERITY: @@ -87,6 +87,14 @@ PartitionDesignator partition_verity_sig_to_data(PartitionDesignator d) { } } +PartitionDesignator partition_verity_to_data(PartitionDesignator d) { + PartitionDesignator e = partition_verity_hash_to_data(d); + if (e >= 0) + return e; + + return partition_verity_sig_to_data(d); +} + static const char *const partition_designator_table[_PARTITION_DESIGNATOR_MAX] = { [PARTITION_ROOT] = "root", [PARTITION_USR] = "usr", diff --git a/src/shared/gpt.h b/src/shared/gpt.h index 3261d0001b2..0103ac2f4a1 100644 --- a/src/shared/gpt.h +++ b/src/shared/gpt.h @@ -31,19 +31,24 @@ typedef enum PartitionDesignator { bool partition_designator_is_versioned(PartitionDesignator d) _const_; -PartitionDesignator partition_verity_of(PartitionDesignator p) _const_; +PartitionDesignator partition_verity_hash_of(PartitionDesignator p) _const_; PartitionDesignator partition_verity_sig_of(PartitionDesignator p) _const_; -PartitionDesignator partition_verity_to_data(PartitionDesignator d) _const_; +PartitionDesignator partition_verity_hash_to_data(PartitionDesignator d) _const_; PartitionDesignator partition_verity_sig_to_data(PartitionDesignator d) _const_; +PartitionDesignator partition_verity_to_data(PartitionDesignator d) _const_; -static inline bool partition_designator_is_verity(PartitionDesignator d) { - return partition_verity_to_data(d) >= 0; +static inline bool partition_designator_is_verity_hash(PartitionDesignator d) { + return partition_verity_hash_to_data(d) >= 0; } static inline bool partition_designator_is_verity_sig(PartitionDesignator d) { return partition_verity_sig_to_data(d) >= 0; } +static inline bool partition_designator_is_verity(PartitionDesignator d) { + return partition_verity_to_data(d) >= 0; +} + const char* partition_designator_to_string(PartitionDesignator d) _const_; PartitionDesignator partition_designator_from_string(const char *name) _pure_; diff --git a/src/shared/image-policy.c b/src/shared/image-policy.c index 16fc91e1fe9..7a248318ebf 100644 --- a/src/shared/image-policy.c +++ b/src/shared/image-policy.c @@ -76,12 +76,12 @@ static PartitionPolicyFlags partition_policy_normalized_flags(const PartitionPol /* If this is a verity or verity signature designator, then mask off all protection bits, this after * all needs no protection, because it *is* the protection */ - if (partition_verity_to_data(policy->designator) >= 0 || + if (partition_verity_hash_to_data(policy->designator) >= 0 || partition_verity_sig_to_data(policy->designator) >= 0) flags &= ~(PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED|PARTITION_POLICY_ENCRYPTED); /* if this designator has no verity concept, then mask off verity protection flags */ - if (partition_verity_of(policy->designator) < 0) + if (partition_verity_hash_of(policy->designator) < 0) flags &= ~(PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED); /* If the partition must be absent, then the gpt flags don't matter */ @@ -110,7 +110,7 @@ PartitionPolicyFlags image_policy_get(const ImagePolicy *policy, PartitionDesign /* Hmm, so this didn't work, then let's see if we can derive some policy from the underlying data * partition in case of verity/signature partitions */ - data_designator = partition_verity_to_data(designator); + data_designator = partition_verity_hash_to_data(designator); if (data_designator >= 0) { PartitionPolicyFlags data_flags; diff --git a/src/test/test-gpt.c b/src/test/test-gpt.c index 2c793181d9c..6772d46ef64 100644 --- a/src/test/test-gpt.c +++ b/src/test/test-gpt.c @@ -48,17 +48,20 @@ TEST(verity_mappings) { for (PartitionDesignator p = 0; p < _PARTITION_DESIGNATOR_MAX; p++) { PartitionDesignator q; - q = partition_verity_of(p); - assert_se(q < 0 || partition_verity_to_data(q) == p); + q = partition_verity_hash_of(p); + assert_se(q < 0 || partition_verity_hash_to_data(q) == p); q = partition_verity_sig_of(p); assert_se(q < 0 || partition_verity_sig_to_data(q) == p); - q = partition_verity_to_data(p); - assert_se(q < 0 || partition_verity_of(q) == p); + q = partition_verity_hash_to_data(p); + assert_se(q < 0 || partition_verity_hash_of(q) == p); q = partition_verity_sig_to_data(p); assert_se(q < 0 || partition_verity_sig_of(q) == p); + + q = partition_verity_to_data(p); + assert_se(q < 0 || partition_verity_hash_of(q) == p || partition_verity_sig_of(q) == p); } } diff --git a/src/udev/udev-builtin-dissect_image.c b/src/udev/udev-builtin-dissect_image.c index 444b0fce37d..32aea19a6fb 100644 --- a/src/udev/udev-builtin-dissect_image.c +++ b/src/udev/udev-builtin-dissect_image.c @@ -265,7 +265,7 @@ static int verb_probe(UdevEvent *event, sd_device *dev) { } /* Indicate whether this partition has verity protection */ - PartitionDesignator dv = partition_verity_of(d); + PartitionDesignator dv = partition_verity_hash_of(d); if (dv >= 0 && image->partitions[dv].found) { /* Add one property that indicates as a boolean whether Verity is available at all for this */ _cleanup_free_ char *f = NULL;