From: Lennart Poettering <lennart@amutable.com>
Date: Thu, 2 Apr 2026 14:18:14 +0000 (+0200)
Subject: Support `CopyBlocks=` for `Verity={hash,sig}` (#41393)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5af9b6dd045cb658d3d9f33876162cd75bcd4306;p=thirdparty%2Fsystemd.git

Support `CopyBlocks=` for `Verity={hash,sig}` (#41393)

This enables deriving the minimum size of the `Verity=hash` partition
using the `Verity=` logic when the size of the `Verity=data` partition
is bigger than the `CopyBlocks=` target.

This enables using `Minimize=true` for an "installer image" and later
using sd-repart to install to a system with reserve space for future
updates by specifying `Size{Min,Max}Bytes=` only in the `Verity=data`
partition, without needing to hardcode the corresponding size for the
`Verity=hash` partition.

While not strictly necessary for `Verity=signature` partitions (since
they have a fixed size) there isn't too much reason to not support it,
since then you can still specify `VerityMatchKey=` to indicate that the
partition is logically still part of that group of partitions.

---

Alternative to: https://github.com/systemd/systemd/pull/41156
Fixes https://github.com/systemd/systemd/issues/40995
---

5af9b6dd045cb658d3d9f33876162cd75bcd4306