From: Luca Boccassi
Date: Mon, 9 Oct 2023 14:56:37 +0000 (+0100)
Subject: dissect: avoid clobbering device-mapper error when activating verity
X-Git-Tag: v255-rc1~291
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ace07128ac014d5e7d7d1664beb58e5f3700d59c;p=thirdparty%2Fsystemd.git

dissect: avoid clobbering device-mapper error when activating verity

The device-mapper driver can return a wild variety of errors when trying to activate the same dm-verity volume concurrently, as it might happen with an image. There is a fallback logic in place, but the original return code was clobbered when userspace signature check was added. Add it back.

Follow-up for c2fa92e7e8907d9
---
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 5c30e4f0af9..278d2291a28 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -2609,7 +2609,7 @@ static int do_crypt_activate_verity(
                 const VeritySettings *verity) {
         bool check_signature;
-        int r;
+        int r, k;
         assert(cd);
         assert(name);
@@ -2639,20 +2639,23 @@ static int do_crypt_activate_verity(
                 if (r >= 0)
                         return r;
-                log_debug("Validation of dm-verity signature failed via the kernel, trying userspace validation instead.");
+                log_debug_errno(r, "Validation of dm-verity signature failed via the kernel, trying userspace validation instead: %m");
 #else
                 log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.", program_invocation_short_name);
+                r = 0; /* Set for the propagation below */
 #endif
                 /* So this didn't work via the kernel, then let's try userspace validation instead. If that
                  * works we'll try to activate without telling the kernel the signature. */
-                r = validate_signature_userspace(verity);
-                if (r < 0)
-                        return r;
-                if (r == 0)
-                        return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY),
+                /* Preferably propagate the original kernel error, so that the fallback logic can work,
+                 * as the device-mapper is finicky around concurrent activations of the same volume */
+                k = validate_signature_userspace(verity);
+                if (k < 0)
+                        return r < 0 ? r : k;
+                if (k == 0)
+                        return log_debug_errno(r < 0 ? r : SYNTHETIC_ERRNO(ENOKEY),
                                                "Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
         }
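Review bot: When the kernel path and the userspace validation both fail (`r < 0` and `k < 0`), the new `return r < 0 ? r : k;` drops `k` without recording it, so the only diagnostic left in the debug log is the kernel error printed by the `log_debug_errno(r, ...)` line above, and an operator debugging a signature-validation problem cannot tell that the userspace fallback failed too or why. Consider logging it before the early return: `if (k < 0) { log_debug_errno(k, "Userspace validation of dm-verity signature failed, propagating kernel error instead: %m"); return r < 0 ? r : k; }`. Whether validate_signature_userspace() already logs its own failures is not visible from this hunk; if it does, the extra line is redundant. The enclosing function do_crypt_activate_verity() begins before this hunk and continues after the closing `}`.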