From: Lennart Poettering
Date: Wed, 12 Nov 2025 15:48:26 +0000 (+0100)
Subject: discover-image: support reading metadata from verity enabled DDI images, too
X-Git-Tag: v259-rc1~16
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3c6a172a0b027edf9c6c2d59408faa30ca924c3;p=thirdparty%2Fsystemd.git
discover-image: support reading metadata from verity enabled DDI images, too
---
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 7bb017bafe1..52e1036a6b1 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -1997,6 +1997,7 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy, RuntimeScope
 case IMAGE_RAW:
 case IMAGE_BLOCK: {
+ _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
 _cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
 _cleanup_(dissected_image_unrefp) DissectedImage *m = NULL;
 DissectImageFlags flags = 
@@ -2019,25 +2020,47 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy, RuntimeScope
 LOCK_SH,
 &d);
 if (r < 0)
- return r;
+ return log_debug_errno(r, "Failed to create loopback device of '%s': %m", i->path);
 r = dissect_loop_device(
 d,
- /* verity= */ NULL,
+ &verity,
 /* mount_options= */ NULL,
 image_policy,
 /* image_filter= */ NULL,
 flags,
 &m);
 if (r < 0)
- return r;
+ return log_debug_errno(r, "Failed to dissect image '%s': %m", i->path);
+
+ r = dissected_image_load_verity_sig_partition(
+ m,
+ d->fd,
+ &verity);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to load Verity signature partition of '%s': %m", i->path);
+
+ r = dissected_image_guess_verity_roothash(
+ m,
+ &verity);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to guess Verity root hash of '%s': %m", i->path);
+
+ r = dissected_image_decrypt(
+ m,
+ /* passphrase= */ NULL,
+ &verity,
+ image_policy,
+ flags);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to decrypt image '%s': %m", i->path);
 r = dissected_image_acquire_metadata(
 m,
 /* userns_fd= */ -EBADF,
 flags);
 if (r < 0)
- return r;
+ return log_debug_errno(r, "Failed to acquire medata from image '%s': %m", i->path);
 free_and_replace(i->hostname, m->hostname);
 i->machine_id = m->machine_id;
@@ -2045,7 +2068,6 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy, RuntimeScope
 strv_free_and_replace(i->os_release, m->os_release);
 strv_free_and_replace(i->sysext_release, m->sysext_release);
 strv_free_and_replace(i->confext_release, m->confext_release); - break; }
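Review bot: The log message on the `dissected_image_acquire_metadata` failure path has a typo that will land in the debug logs people grep for; it should read `return log_debug_errno(r, "Failed to acquire metadata from image '%s': %m", i->path);`. More importantly for anyone consuming the hostname, machine ID and release files this function now returns, the root hash handed to `dissected_image_decrypt` is obtained from the image itself (`dissected_image_load_verity_sig_partition` and `dissected_image_guess_verity_roothash`), so the Verity setup by itself proves only that the data partition matches the hash tree shipped alongside it; whether the image is actually authenticated presumably depends on `image_policy` demanding a signed Verity partition and on that signature being checked against a trusted key inside `dissected_image_decrypt`, neither of which is visible in this hunk. A one-line comment above the `dissected_image_guess_verity_roothash` call, `/* Root hash comes from the image itself: this only proves internal consistency, authenticity depends on the signature check and image_policy */`, would keep callers from treating the returned metadata as trusted by default. image_read_metadata() begins and ends outside this hunk.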