From: Lennart Poettering Date: Wed, 8 Sep 2021 14:56:42 +0000 (+0200) Subject: dissect-image: rename verity flag booleans X-Git-Tag: v250-rc1~701^2~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c3c88d67c0ccd6fe883c79e0c5aa5c79379853ff;p=thirdparty%2Fsystemd.git dissect-image: rename verity flag booleans Let's make the booleans indicating verity state a bit more descriptive. Let's rename: can_verity → has_verity: because that's really what this about whether verity data is included in the image. Whether we actually can use it is a different story. verity → verity_ready: this one should tell us if we have everything need to actually set it up, hence explicitly say "ready to use" in the name. No change in behaviour. Just a bit of renaming. --- diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 0966db4abe5..ff2081d405a 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -5710,7 +5710,7 @@ static int run(int argc, char *argv[]) { if (r < 0) goto finish; - if (!arg_verity_settings.root_hash && dissected_image->can_verity) + if (!arg_verity_settings.root_hash && dissected_image->has_verity) log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image); r = dissected_image_decrypt_interactively( diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 81ae0c3ffc7..6b73c650e21 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c 
@@ -797,8 +797,12 @@ int dissect_image( return -ENOMEM; m->single_file_system = true; - m->verity = verity && verity->root_hash && verity->data_path && (verity->designator < 0 || verity->designator == PARTITION_ROOT); - m->can_verity = verity && verity->data_path; + m->encrypted = streq_ptr(fstype, "crypto_LUKS"); + + m->has_verity = verity && verity->data_path; + m->verity_ready = m->has_verity && + verity->root_hash && + (verity->designator < 0 || verity->designator == PARTITION_ROOT); options = mount_options_from_designator(mount_options, PARTITION_ROOT); if (options) { @@ -809,7 +813,7 @@ int dissect_image( m->partitions[PARTITION_ROOT] = (DissectedPartition) { .found = true, - .rw = !m->verity, + .rw = !m->verity_ready, .partno = -1, .architecture = _ARCHITECTURE_INVALID, .fstype = TAKE_PTR(t), @@ -817,8 +821,6 @@ int dissect_image( .mount_options = TAKE_PTR(o), }; - m->encrypted = streq_ptr(fstype, "crypto_LUKS"); - *ret = TAKE_PTR(m); return 0; } @@ -971,7 +973,7 @@ int dissect_image( if (pflags & GPT_FLAG_NO_AUTO) continue; - m->can_verity = true; + m->has_verity = true; /* Ignore verity unless a root hash is specified */ if (sd_id128_is_null(root_verity_uuid) || !sd_id128_equal(root_verity_uuid, id)) @@ -1007,7 +1009,7 @@ int dissect_image( if (pflags & GPT_FLAG_NO_AUTO) continue; - m->can_verity = true; + m->has_verity = true; /* Ignore verity unless root has is specified */ if (sd_id128_is_null(root_verity_uuid) || !sd_id128_equal(root_verity_uuid, id)) @@ -1043,7 +1045,7 @@ int dissect_image( if (pflags & GPT_FLAG_NO_AUTO) continue; - m->can_verity = true; + m->has_verity = true; /* Ignore verity unless a usr hash is specified */ if (sd_id128_is_null(usr_verity_uuid) || !sd_id128_equal(usr_verity_uuid, id)) 
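Review bot: In the single-file-system branch of the hunk at -797, `m->has_verity` is computed purely from the caller-supplied `verity->data_path`, whereas the hunks at -971, -1007, -1043 and -1079 set it when a verity partition is encountered during dissection, so one flag has two different origins. Anyone auditing where integrity decisions come from would be helped by a comment above the assignment, for example `/* Single-fs image: "has" means the caller passed a separate verity data path, nothing was detected in the image itself */`. The earlier placement of the `m->encrypted` assignment looks behaviour-neutral from the visible lines, but dissect_image() starts and ends outside this hunk, so that is worth confirming against the full function.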
@@ -1079,7 +1081,7 @@ int dissect_image( if (pflags & GPT_FLAG_NO_AUTO) continue; - m->can_verity = true; + m->has_verity = true; /* Ignore verity unless usr has is specified */ if (sd_id128_is_null(usr_verity_uuid) || !sd_id128_equal(usr_verity_uuid, id)) @@ -1386,7 +1388,7 @@ int dissect_image( /* If we found a verity setup, then the root partition is necessarily read-only. */ m->partitions[PARTITION_ROOT].rw = false; - m->verity = true; + m->verity_ready = true; } if (verity->designator == PARTITION_USR) { @@ -1394,7 +1396,7 @@ int dissect_image( return -EADDRNOTAVAIL; m->partitions[PARTITION_USR].rw = false; - m->verity = true; + m->verity_ready = true; } } @@ -2253,7 +2255,7 @@ int dissected_image_decrypt( if (verity && verity->root_hash && verity->root_hash_size < sizeof(sd_id128_t)) return -EINVAL; - if (!m->encrypted && !m->verity) { + if (!m->encrypted && !m->verity_ready) { *ret = NULL; return 0; } @@ -2840,7 +2842,7 @@ int dissect_image_and_warn( bool dissected_image_can_do_verity(const DissectedImage *image, PartitionDesignator partition_designator) { if (image->single_file_system) - return partition_designator == PARTITION_ROOT && image->can_verity; + return partition_designator == PARTITION_ROOT && image->has_verity; return PARTITION_VERITY_OF(partition_designator) >= 0; } @@ -2849,7 +2851,7 @@ bool dissected_image_has_verity(const DissectedImage *image, PartitionDesignator int k; if (image->single_file_system) - return partition_designator == PARTITION_ROOT && image->verity; + return partition_designator == PARTITION_ROOT && image->verity_ready; k = PARTITION_VERITY_OF(partition_designator); return k >= 0 && image->partitions[k].found; diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h index 4c4f5ff585d..fe364474aa4 100644 --- a/src/shared/dissect-image.h +++ b/src/shared/dissect-image.h 
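Review bot: After the rename, the accessor names in the hunks at -2840 and -2849 cross over the field names: `dissected_image_can_do_verity()` returns `image->has_verity`, while `dissected_image_has_verity()` returns `image->verity_ready` for single-file-system images. A caller could read `dissected_image_has_verity()` as "verity data is present" when it actually reports "data and root hash are both available", which matters wherever the result gates an integrity check. Since the commit keeps the function names, a short comment on each would remove the ambiguity, e.g. `/* Single-fs: reports verity_ready (data and root hash given), not has_verity */` above `dissected_image_has_verity()`. For partitioned images the same function returns whether the verity partition was found, so the comment should say which branch it describes.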
@@ -118,8 +118,8 @@ typedef enum DissectImageFlags { struct DissectedImage { bool encrypted:1; - bool verity:1; /* verity available and usable */ - bool can_verity:1; /* verity available, but not necessarily used */ + bool has_verity:1; /* verity available in image, but not necessarily used */ + bool verity_ready:1; /* verity available, fully specified and usable */ bool single_file_system:1; /* MBR/GPT or single file system */ DissectedPartition partitions[_PARTITION_DESIGNATOR_MAX];
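Review bot: The new comment on `verity_ready` says "usable", but the dissect-image.c hunks set the bit during dissection, and `dissected_image_decrypt()` only tests it to decide whether there is anything to set up. The flag therefore appears to describe available inputs rather than an activated verity device. Saying so in the header keeps later code from treating it as proof that integrity checking is in force, for example `bool verity_ready:1; /* verity data and root hash available at dissection time; device not yet activated */`. The struct definition continues outside this hunk.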