dissect-image: tighten checks on root + /usr/ combinations

Our code logic doesn't support images with two verity partitions at the
moment, hence refuse this early (with ENOTUNIQ)

Also, go even further and refuse any combinations of verity enabled root
with verity-less /usr, simplify because that is unsafe and defeats the
point of verity. (i.e. we want to give the guarantee that for
auto-discovered verity magic we guarantee that the data afterwards
available in /usr is safe).

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 8a139d4f8c665f4d718b59aef057a1883d14d2d2..9547dad808f7dd849bd7d59020226393a006d982 100644 (file)
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1390,9 +1390,16 @@ int dissect_image(
             !(m->partitions[PARTITION_ROOT].found || (m->partitions[PARTITION_USR].found && FLAGS_SET(flags, DISSECT_IMAGE_USR_NO_ROOT))))
                 return -ENXIO;
 
-        /* Combinations of verity /usr with verity-less root is OK, but the reverse is not */
-        if (m->partitions[PARTITION_ROOT_VERITY].found && m->partitions[PARTITION_USR].found && !m->partitions[PARTITION_USR_VERITY].found)
-                return -EADDRNOTAVAIL;
+        if (m->partitions[PARTITION_ROOT_VERITY].found) {
+                /* We only support one verity partition per image, i.e. can't do for both /usr and root fs */
+                if (m->partitions[PARTITION_USR_VERITY].found)
+                        return -ENOTUNIQ;
+
+                /* We don't support verity enabled root with a split out /usr. Neither with nor without
+                 * verity there. (Note that we do support verity-less root with verity-full /usr, though.) */
+                if (m->partitions[PARTITION_USR].found)
+                        return -EADDRNOTAVAIL;
+        }
 
         if (verity && verity->root_hash) {
                 if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {