From 810708f4b820543b8585a36e84ccca4bc5b18fee Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 24 Feb 2025 11:32:00 +0100
Subject: [PATCH] integritysetup: add remote-integritysetup.target to match remote-{crypt|verity}setup.target
Let's make the three subsystems more alike, and add remote-*setup.traget for all three, enable them all three in the presets, and make them behave in a similar fashion.
---
 man/integritytab.xml | 47 +++++++++++++++++++
 man/systemd.special.xml | 14 +++++-
 presets/90-systemd.preset | 1 +
 src/integritysetup/integritysetup-generator.c | 28 +++++++++-
 units/meson.build | 5 ++
 units/remote-integritysetup.target | 18 +++++++
 6 files changed, 107 insertions(+), 6 deletions(-)
 create mode 100644 units/remote-integritysetup.target
diff --git a/man/integritytab.xml b/man/integritytab.xml
index 32561e96f29..413f5f49bca 100644
--- a/man/integritytab.xml
+++ b/man/integritytab.xml
@@ -133,6 +133,53 @@ + + + + + Marks this veritysetup device as requiring network. It will be started after the + network is available, similarly to + systemd.mount5 + units marked with . The service unit to set up this device will be ordered + between remote-fs-pre.target and + remote-integritysetup.target, instead of + integritysetup-pre.target and integritysetup.target. + + Hint: if this device is used for a mount point that is specified in fstab5, the + option should also be used for the mount point. Otherwise, a dependency loop + might be created where the mount point will be pulled in by local-fs.target, + while the service to configure the network is usually only started after the + local file system has been mounted. + + + + + + + + + This device will not be added to integritysetup.target. This + means that it will not be automatically enabled on boot, unless something else pulls it in. In + particular, if the device is used for a mount point, it'll be enabled automatically during boot, + unless the mount point itself is also disabled with . + + + + + + + + This device will not be a hard dependency of + integritysetup.target. It'll still be pulled in and started, but the system will + not wait for the device to show up and be enabled, and boot will not fail if this is + unsuccessful. Note that other units that depend on the enabled device may still fail. In particular, + if the device is used for a mount point, the mount point itself also needs to have the + option, or the boot will fail if the device is not enabled + successfully. + + + At early boot and when the system manager configuration is
diff --git a/man/systemd.special.xml b/man/systemd.special.xml
index ca3bf463ae0..a4ae3f8983f 100644
--- a/man/systemd.special.xml
+++ b/man/systemd.special.xml
@@ -66,6 +66,7 @@
 printer.target,
 reboot.target,
 remote-cryptsetup.target,
+ remote-integritysetup.target,
 remote-veritysetup.target,
 remote-fs-pre.target,
 remote-fs.target,
@@ -641,11 +642,22 @@ + + remote-integritysetup.target + + Similar to integritysetup.target, but for integrity protected devices + which are accessed over the network. It is used for + integritytab5 + entries marked with . + + + + remote-veritysetup.target Similar to veritysetup.target, but for verity - integrity protected devices which are accessed over the network. It is used for + protected devices which are accessed over the network. It is used for veritytab5 entries marked with .
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index 5c3be288679..a12be9eba72 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -13,6 +13,7 @@
 enable remote-fs.target
 enable remote-cryptsetup.target
+enable remote-integritysetup.target
 enable remote-veritysetup.target
 enable machines.target
diff --git a/src/integritysetup/integritysetup-generator.c b/src/integritysetup/integritysetup-generator.c
index 72b890575ce..7b0863d9585 100644
--- a/src/integritysetup/integritysetup-generator.c
+++ b/src/integritysetup/integritysetup-generator.c
@@ -36,12 +36,17 @@ static int create_disk(
 _cleanup_free_ char *n = NULL, *dd = NULL, *e = NULL, *name_escaped = NULL, *key_file_escaped = NULL;
 _cleanup_fclose_ FILE *f = NULL;
- int r;
 char *dmname = NULL;
+ bool noauto, nofail, netdev;
+ int r;
 assert(name);
 assert(device);
+ noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
+ nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
+ netdev = fstab_test_option(options, "_netdev\0");
+
 name_escaped = specifier_escape(name);
 if (!name_escaped)
 return log_oom();
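Review bot: The three fstab_test_* calls on the added lines run on `options` before anything checks it, and an integritytab entry with no options column presumably reaches create_disk() with a NULL `options`; the new code therefore relies on those helpers treating NULL as "no options", which is worth confirming, or the calls can be guarded with `if (options)`. The three flags are also left without explanation; a one-liner such as `/* noauto, nofail and _netdev carry the semantics documented in integritytab(5) */` above them would orient readers arriving from the two sibling generators. create_disk()'s signature and the remainder of its body lie outside the hunk.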
@@ -88,13 +93,20 @@ static int create_disk(
 "Before=blockdev@dev-mapper-%%i.target\n"
 "Wants=blockdev@dev-mapper-%%i.target\n"
 "Conflicts=umount.target\n"
- "Before=integritysetup.target\n"
 "BindsTo=%s\n"
 "After=%s\n"
 "Before=umount.target\n",
 arg_integritytab, dd, dd);
+ if (netdev)
+ fprintf(f, "After=remote-fs-pre.target\n");
+
+ if (!nofail)
+ fprintf(f,
+ "Before=%s\n",
+ netdev ? "remote-integritysetup.target" : "integritysetup.target");
+
 fprintf(f,
 "\n"
 "[Service]\n"
@@ -110,9 +122,15 @@ static int create_disk(
 if (r < 0)
 return log_error_errno(r, "Failed to write unit file %s: %m", n);
- r = generator_add_symlink(arg_dest, "integritysetup.target", "requires", n);
- if (r < 0)
- return r;
+ if (!noauto) {
+ r = generator_add_symlink(
+ arg_dest,
+ netdev ? "remote-integritysetup.target" : "integritysetup.target",
+ nofail ? "wants" : "requires",
+ n);
+ if (r < 0)
+ return r;
+ }
 dmname = strjoina("dev-mapper-", e, ".device");
 return generator_add_symlink(arg_dest, dmname, "requires", n);
diff --git a/units/meson.build b/units/meson.build
index edf09b79898..330dca30860 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -190,6 +190,11 @@ units = [
 },
 { 'file' : 'remote-fs-pre.target' },
 { 'file' : 'remote-fs.target' },
+ {
+ 'file' : 'remote-integritysetup.target',
+ 'conditions' : ['HAVE_LIBCRYPTSETUP'],
+ 'symlinks' : ['initrd-root-device.target.wants/'],
+ },
 {
 'file' : 'remote-veritysetup.target',
 'conditions' : ['HAVE_LIBCRYPTSETUP'],
diff --git a/units/remote-integritysetup.target b/units/remote-integritysetup.target
new file mode 100644
index 00000000000..56c59b80073
--- /dev/null
+++ b/units/remote-integritysetup.target
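Review bot: The `Before=` line is now emitted only when `nofail` is unset, so a nofail device is not ordered against integritysetup.target or remote-integritysetup.target at all; that matches what the new integritytab(5) text promises, but this `if (!nofail)` is the only place the generated unit's relation to the target is decided, and the double branch deserves a comment such as `/* nofail: the target must not wait for this device; _netdev: order against the remote target and after the network instead */`. The added `After=remote-fs-pre.target` duplicates the After= that the new remote-integritysetup.target unit (later in this patch) already carries, so it is presumably meant for the case where the service is pulled in by something other than the target — worth stating if so. Separately, the new integritytab(5) text for `_netdev` earlier in this patch still reads "Marks this veritysetup device", which looks like a copy-paste leftover. create_disk() continues on both sides of the hunk.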
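Review bot: The `requires` symlink for the dev-mapper .device unit on the last line is still created for noauto entries, while the new `if (!noauto)` block only skips the target symlink; that appears intentional (the new integritytab(5) noauto text says a device used for a mount point is still enabled during boot), but nothing in the code records it, so a comment such as `/* the .device unit pulls in the service even for noauto entries, so a mount of the device still activates it */` would stop a later reader from "fixing" it. The same comment could mention that with nofail the target only `wants` the service while the .device keeps `requires`. create_disk() begins before the hunk.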
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Remote Integrity Protected Volumes
+Documentation=man:systemd.special(7)
+After=remote-fs-pre.target integritysetup-pre.target
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Install]
+WantedBy=multi-user.target
-- 
2.47.3