From: Valentin David <me@valentindavid.com>
Date: Tue, 19 Sep 2023 18:31:04 +0000 (+0200)
Subject: dissect: Accept signature for usr+usr-verity+usr-verity-sig images
X-Git-Tag: v255-rc1~483
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=01086e76f2f5405280e078630fb85a3560402d48;p=thirdparty%2Fsystemd.git

dissect: Accept signature for usr+usr-verity+usr-verity-sig images

An image with usr+usr-verity+usr-verity-sig without sidecar files would not be
detected as signed because it would looke for root-verity-sig instead. Because
dissect was not able to detect it, it also made /usr sysexts using an usr
partition to not be mounted with verity.
---

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 88a8b008b48..be4a3d1738f 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1442,8 +1442,11 @@ static int dissect_image(
                 if (verity->designator >= 0 && !m->partitions[verity->designator].found)
                         return -EADDRNOTAVAIL;
 
-                bool have_verity_sig_partition =
-                        m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR_VERITY_SIG : PARTITION_ROOT_VERITY_SIG].found;
+                bool have_verity_sig_partition;
+                if (verity->designator >= 0)
+                        have_verity_sig_partition = m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR_VERITY_SIG : PARTITION_ROOT_VERITY_SIG].found;
+                else
+                        have_verity_sig_partition = m->partitions[PARTITION_USR_VERITY_SIG].found || m->partitions[PARTITION_ROOT_VERITY_SIG].found;
 
                 if (verity->root_hash) {
                         /* If we have an explicit root hash and found the partitions for it, then we are ready to use
@@ -1475,7 +1478,12 @@ static int dissect_image(
                         /* If we found an embedded signature partition, we are ready, too. */
 
                         m->verity_ready = m->verity_sig_ready = true;
-                        m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR : PARTITION_ROOT].rw = false;
+                        if (verity->designator >= 0)
+                                m->partitions[verity->designator == PARTITION_USR ? PARTITION_USR : PARTITION_ROOT].rw = false;
+                        else if (m->partitions[PARTITION_USR_VERITY_SIG].found)
+                                m->partitions[PARTITION_USR].rw = false;
+                        else if (m->partitions[PARTITION_ROOT_VERITY_SIG].found)
+                                m->partitions[PARTITION_ROOT].rw = false;
                 }
         }