veritysetup: when we fail to unlock a disk with the root hash signature logic, retry...

Currently, there's no nice way to get a key into the dm-verity kernel
keyring unless recompiling the kernel, or enabling SB or buying into
shim. Neither sounds particularly attractive.

hence provide a reasonable fallback: if unlocking with signed roothash
doesn#t work, just try without. maybe the kernel policy allows this,
maybe not. It's worth a try.

diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c
index 6fd5527424a3839980a090880b21b7fb51f3e392..5f92cc901138d7ef0dd31ad77cdbd870060710be 100644 (file)
--- a/src/veritysetup/veritysetup.c
+++ b/src/veritysetup/veritysetup.c
@@ -415,13 +415,22 @@ static int verb_attach(int argc, char *argv[], void *userdata) {
         if (r < 0)
                 return log_error_errno(r, "Failed to configure data device: %m");
 
-        if (arg_root_hash_signature_size > 0)
+        if (arg_root_hash_signature_size > 0) {
 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                 r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags);
+                if (r < 0) {
+                        log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume);
+
+                        r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to activate verity device '%s' both with and without root hash signature: %m", volume);
+
+                        log_info("Activation of verity device '%s' succeeded without root hash signature.", volume);
+                }
 #else
                 assert_not_reached();
 #endif
-        else
+        } else
                 r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);
         if (r < 0)
                 return log_error_errno(r, "Failed to set up verity device '%s': %m", volume);