dissect-image: Add usr verity partition coverage

diff --git a/test/units/TEST-50-DISSECT.dissect.sh b/test/units/TEST-50-DISSECT.dissect.sh
index f87bda82ce295f103b0d6abae8de2ac5a3d47dde..d82f8c40fdc12dbe320736a102e2568d91336cf0 100755 (executable)
--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@@ -160,6 +160,8 @@ mv "$MINIMAL_IMAGE.foohash" "$MINIMAL_IMAGE.roothash"
 # Derive partition UUIDs from root hash, in UUID syntax
 ROOT_UUID="$(systemd-id128 -u show "$(head -c 32 "$MINIMAL_IMAGE.roothash")" -u | tail -n 1 | cut -b 6-)"
 VERITY_UUID="$(systemd-id128 -u show "$(tail -c 32 "$MINIMAL_IMAGE.roothash")" -u | tail -n 1 | cut -b 6-)"
+USR_UUID="$ROOT_UUID"
+USR_VERITY_UUID="$VERITY_UUID"
 
 systemd-dissect --json=short \
                 --root-hash "$MINIMAL_IMAGE_ROOTHASH" \
@@ -177,6 +179,20 @@ if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
 fi
 systemd-dissect --root-hash "$MINIMAL_IMAGE_ROOTHASH" "$MINIMAL_IMAGE.gpt" | grep -F "MARKER=1" >/dev/null
 systemd-dissect --root-hash "$MINIMAL_IMAGE_ROOTHASH" "$MINIMAL_IMAGE.gpt" | grep -F -f <(sed 's/"//g' "$OS_RELEASE") >/dev/null
+systemd-dissect --json=short \
+                --usr-hash "$MINIMAL_IMAGE_ROOTHASH" \
+                "$MINIMAL_IMAGE.usr.gpt" | \
+                grep '{"rw":"ro","designator":"usr","partition_uuid":"'"$USR_UUID"'","partition_label":"Usr Partition","fstype":"squashfs","architecture":"'"$ARCHITECTURE"'","verity":"signed",' >/dev/null
+systemd-dissect --json=short \
+                --usr-hash "$MINIMAL_IMAGE_ROOTHASH" \
+                "$MINIMAL_IMAGE.usr.gpt" | \
+                grep '{"rw":"ro","designator":"usr-verity","partition_uuid":"'"$USR_VERITY_UUID"'","partition_label":"Usr Verity Partition","fstype":"DM_verity_hash","architecture":"'"$ARCHITECTURE"'","verity":null,' >/dev/null
+if [[ -n "${OPENSSL_CONFIG:-}" ]]; then
+    systemd-dissect --json=short \
+                    --usr-hash "$MINIMAL_IMAGE_ROOTHASH" \
+                    "$MINIMAL_IMAGE.usr.gpt" | \
+                    grep -E '{"rw":"ro","designator":"usr-verity-sig","partition_uuid":"'".*"'","partition_label":"Usr Signature Partition","fstype":"verity_hash_signature","architecture":"'"$ARCHITECTURE"'","verity":null,' >/dev/null
+fi
 
 # Test image policies
 systemd-dissect --validate "$MINIMAL_IMAGE.gpt"
@@ -194,6 +210,12 @@ systemd-dissect --validate "$MINIMAL_IMAGE.gpt" --image-policy=root=verity:swap=
 systemd-dissect --validate "$MINIMAL_IMAGE.gpt" --image-policy=root=signed
 (! systemd-dissect --validate "$MINIMAL_IMAGE.gpt" --image-policy=root=signed:root-verity-sig=unused+absent)
 (! systemd-dissect --validate "$MINIMAL_IMAGE.gpt" --image-policy=root=signed:root-verity=unused+absent)
+systemd-dissect --validate "$MINIMAL_IMAGE.usr.gpt" --image-policy=usr=verity
+systemd-dissect --validate "$MINIMAL_IMAGE.usr.gpt" --image-policy=usr=verity:usr-verity-sig=unused+absent
+(! systemd-dissect --validate "$MINIMAL_IMAGE.usr.gpt" --image-policy=usr=verity:usr-verity=unused+absent)
+systemd-dissect --validate "$MINIMAL_IMAGE.usr.gpt" --image-policy=usr=signed
+(! systemd-dissect --validate "$MINIMAL_IMAGE.usr.gpt" --image-policy=usr=signed:usr-verity-sig=unused+absent)
+(! systemd-dissect --validate "$MINIMAL_IMAGE.usr.gpt" --image-policy=usr=signed:usr-verity=unused+absent)
 
 # Test RootImagePolicy= unit file setting
 systemd-run --wait -P \

diff --git a/test/units/TEST-50-DISSECT.sh b/test/units/TEST-50-DISSECT.sh
index 99e4991402393a61996896016845c3b3c98eafd8..973f18483789dc26a97b20d78d3cc41cc89cdc7e 100755 (executable)
--- a/test/units/TEST-50-DISSECT.sh
+++ b/test/units/TEST-50-DISSECT.sh
@@ -55,6 +55,9 @@ export OPENSSL_CONFIG
 export OS_RELEASE
 export ROOT_GUID
 export SIGNATURE_GUID
+export USR_GUID
+export USR_SIGNATURE_GUID
+export USR_VERITY_GUID
 export VERITY_GUID
 
 machine="$(uname -m)"
@@ -62,51 +65,81 @@ if [[ "$machine" == "x86_64" ]]; then
     ROOT_GUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709
     VERITY_GUID=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5
     SIGNATURE_GUID=41092b05-9fc8-4523-994f-2def0408b176
+    USR_GUID=8484680c-9521-48c6-9c11-b0720656f69e
+    USR_VERITY_GUID=77ff5f63-e7b6-4633-acf4-1565b864c0e6
+    USR_SIGNATURE_GUID=e7bb33fb-06cf-4e81-8273-e543b413e2e2
     ARCHITECTURE="x86-64"
 elif [[ "$machine" =~ ^(i386|i686|x86)$ ]]; then
     ROOT_GUID=44479540-f297-41b2-9af7-d131d5f0458a
     VERITY_GUID=d13c5d3b-b5d1-422a-b29f-9454fdc89d76
     SIGNATURE_GUID=5996fc05-109c-48de-808b-23fa0830b676
+    USR_GUID=75250d76-8cc6-458e-bd66-bd47cc81a812
+    USR_VERITY_GUID=8f461b0d-14ee-4e81-9aa9-049b6fb97abd
+    USR_SIGNATURE_GUID=974a71c0-de41-43c3-be5d-5c5ccd1ad2c0
     ARCHITECTURE="x86"
 elif [[ "$machine" =~ ^(aarch64|aarch64_be|armv8b|armv8l)$ ]]; then
     ROOT_GUID=b921b045-1df0-41c3-af44-4c6f280d3fae
     VERITY_GUID=df3300ce-d69f-4c92-978c-9bfb0f38d820
     SIGNATURE_GUID=6db69de6-29f4-4758-a7a5-962190f00ce3
+    USR_GUID=b0e01050-ee5f-4390-949a-9101b17104e9
+    USR_VERITY_GUID=6e11a4e7-fbca-4ded-b9e9-e1a512bb664e
+    USR_SIGNATURE_GUID=c23ce4ff-44bd-4b00-b2d4-b41b3419e02a
     ARCHITECTURE="arm64"
 elif [[ "$machine" == "arm" ]]; then
     ROOT_GUID=69dad710-2ce4-4e3c-b16c-21a1d49abed3
     VERITY_GUID=7386cdf2-203c-47a9-a498-f2ecce45a2d6
     SIGNATURE_GUID=42b0455f-eb11-491d-98d3-56145ba9d037
+    USR_GUID=7d0359a3-02b3-4f0a-865c-654403e70625
+    USR_VERITY_GUID=c215d751-7bcd-4649-be90-6627490a4c05
+    USR_SIGNATURE_GUID=d7ff812f-37d1-4902-a810-d76ba57b975a
     ARCHITECTURE="arm"
 elif [[ "$machine" == "ia64" ]]; then
     ROOT_GUID=993d8d3d-f80e-4225-855a-9daf8ed7ea97
     VERITY_GUID=86ed10d5-b607-45bb-8957-d350f23d0571
     SIGNATURE_GUID=e98b36ee-32ba-4882-9b12-0ce14655f46a
+    USR_GUID=4301d2a6-4e3b-4b2a-bb94-9e0b2c4225ea
+    USR_VERITY_GUID=6a491e03-3be7-4545-8e38-83320e0ea880
+    USR_SIGNATURE_GUID=8de58bc2-2a43-460d-b14e-a76e4a17b47f
     ARCHITECTURE="ia64"
 elif [[ "$machine" == "loongarch64" ]]; then
     ROOT_GUID=77055800-792c-4f94-b39a-98c91b762bb6
     VERITY_GUID=f3393b22-e9af-4613-a948-9d3bfbd0c535
     SIGNATURE_GUID=5afb67eb-ecc8-4f85-ae8e-ac1e7c50e7d0
+    USR_GUID=e611c702-575c-4cbe-9a46-434fa0bf7e3f
+    USR_VERITY_GUID=f46b2c26-59ae-48f0-9106-c50ed47f673d
+    USR_SIGNATURE_GUID=b024f315-d330-444c-8461-44bbde524e99
     ARCHITECTURE="loongarch64"
 elif [[ "$machine" == "s390x" ]]; then
     ROOT_GUID=5eead9a9-fe09-4a1e-a1d7-520d00531306
     VERITY_GUID=b325bfbe-c7be-4ab8-8357-139e652d2f6b
     SIGNATURE_GUID=c80187a5-73a3-491a-901a-017c3fa953e9
+    USR_GUID=8a4f5770-50aa-4ed3-874a-99b710db6fea
+    USR_VERITY_GUID=31741cc4-1a2a-4111-a581-e00b447d2d06
+    USR_SIGNATURE_GUID=3f324816-667b-46ae-86ee-9b0c0c6c11b4
     ARCHITECTURE="s390x"
 elif [[ "$machine" == "ppc64le" ]]; then
     ROOT_GUID=c31c45e6-3f39-412e-80fb-4809c4980599
     VERITY_GUID=906bd944-4589-4aae-a4e4-dd983917446a
     SIGNATURE_GUID=d4a236e7-e873-4c07-bf1d-bf6cf7f1c3c6
+    USR_GUID=15bb03af-77e7-4d4a-b12b-c0d084f7491c
+    USR_VERITY_GUID=ee2b9983-21e8-4153-86d9-b6901a54d1ce
+    USR_SIGNATURE_GUID=c8bfbd1e-268e-4521-8bba-bf314c399557
     ARCHITECTURE="ppc64-le"
 elif [[ "$machine" == "riscv64" ]]; then
     ROOT_GUID=72ec70a6-cf74-40e6-bd49-4bda08e8f224
     VERITY_GUID=b6ed5582-440b-4209-b8da-5ff7c419ea3d
     SIGNATURE_GUID=efe0f087-ea8d-4469-821a-4c2a96a8386a
+    USR_GUID=beaec34b-8442-439b-a40b-984381ed097d
+    USR_VERITY_GUID=8f1056be-9b05-47c4-81d6-be53128e5b54
+    USR_SIGNATURE_GUID=d2f9000a-7a18-453f-b5cd-4d32f77a7b32
     ARCHITECTURE="riscv64"
 elif [[ "$machine" == "riscv32" ]]; then
     ROOT_GUID=60d5a7fe-8e7d-435c-b714-3dd8162144e1
     VERITY_GUID=ae0253be-1167-4007-ac68-43926c14c5de
     SIGNATURE_GUID=3a112a75-8729-4380-b4cf-764d79934448
+    USR_GUID=b933fb22-5c3f-4f91-af90-e2bb0fa50702
+    USR_VERITY_GUID=cb1ee4e3-8cd0-4136-a0a4-aa61a32e8730
+    USR_SIGNATURE_GUID=c3836a13-3137-45ba-b583-b16c50fe5eb4
     ARCHITECTURE="riscv32"
 else
     echo "Unexpected uname -m: $machine in TEST-50-DISSECT.sh, please fix me"
@@ -197,6 +230,42 @@ udevadm lock --timeout=60 --device="${loop}p3" dd if="$MINIMAL_IMAGE.verity-sig"
 losetup -d "$loop"
 udevadm settle --timeout=60
 
+# Construct the same image with /usr verity partitions to exercise the usr-specific code paths.
+usr_size="$(du --apparent-size -k "$MINIMAL_IMAGE.raw" | cut -f1)"
+usr_verity_size="$(du --apparent-size -k "$MINIMAL_IMAGE.verity" | cut -f1)"
+usr_signature_size=4
+truncate -s $(((8192+usr_size*2+usr_verity_size*2+usr_signature_size*2)*512)) "$MINIMAL_IMAGE.usr.gpt"
+if [[ "$usr_size" -ge 1024 ]]; then
+    usr_size="$((usr_size/1024 + 1))MiB"
+else
+    usr_size="${usr_size}KiB"
+fi
+usr_verity_size="$((usr_verity_size * 2))KiB"
+usr_signature_size="$((usr_signature_size * 2))KiB"
+uuid="$(head -c 32 "$MINIMAL_IMAGE.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/')"
+echo -e "label: gpt\nsize=$usr_size, type=$USR_GUID, uuid=$uuid" | sfdisk "$MINIMAL_IMAGE.usr.gpt"
+uuid="$(tail -c 32 "$MINIMAL_IMAGE.roothash" | sed -r 's/(.{8})(.{4})(.{4})(.{4})(.+)/\1-\2-\3-\4-\5/')"
+echo -e "size=$usr_verity_size, type=$USR_VERITY_GUID, uuid=$uuid" | sfdisk "$MINIMAL_IMAGE.usr.gpt" --append
+echo -e "size=$usr_signature_size, type=$USR_SIGNATURE_GUID" | sfdisk "$MINIMAL_IMAGE.usr.gpt" --append
+
+sfdisk --part-label "$MINIMAL_IMAGE.usr.gpt" 1 "Usr Partition"
+sfdisk --part-label "$MINIMAL_IMAGE.usr.gpt" 2 "Usr Verity Partition"
+sfdisk --part-label "$MINIMAL_IMAGE.usr.gpt" 3 "Usr Signature Partition"
+loop="$(losetup --show -P -f "$MINIMAL_IMAGE.usr.gpt")"
+partitions=(
+    "${loop:?}p1"
+    "${loop:?}p2"
+    "${loop:?}p3"
+)
+# The kernel sometimes(?) does not emit "add" uevent for loop block partition devices.
+# Let's not expect the devices to be initialized.
+udevadm wait --timeout=60 --settle --initialized=no "${partitions[@]}"
+udevadm lock --timeout=60 --device="${loop}p1" dd if="$MINIMAL_IMAGE.raw" of="${loop}p1"
+udevadm lock --timeout=60 --device="${loop}p2" dd if="$MINIMAL_IMAGE.verity" of="${loop}p2"
+udevadm lock --timeout=60 --device="${loop}p3" dd if="$MINIMAL_IMAGE.verity-sig" of="${loop}p3"
+losetup -d "$loop"
+udevadm settle --timeout=60
+
 : "Run subtests"
 
 run_subtests