From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sat, 15 Feb 2025 23:24:52 +0000 (+0100)
Subject: repart: Delay private key and certificate check until actual use
X-Git-Tag: v258-rc1~1330
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eba51a9dbdf00b8c9d7828b0de46cff21593d8a0;p=thirdparty%2Fsystemd.git

repart: Delay private key and certificate check until actual use

For many reasons, we might not actually sign a verity signature
partition, even if ope is specified in the partition definition files.
It might already exist, it might be deferred, it might be excluded, ...

Since we cannot check if partition already exists when reading the
configuration, let's delay the check for whether a certificate and
key have been provided until we're actually about to sign a roothash.
---

diff --git a/src/repart/repart.c b/src/repart/repart.c
index fe98893f397..f2bc5bc80ec 100644
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -2487,14 +2487,6 @@ static int partition_read_definition(Partition *p, const char *path, const char
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "Encrypting verity hash/data partitions is not supported.");
 
-        if (p->verity == VERITY_SIG && !arg_private_key && !partition_type_defer(&p->type))
-                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
-                                  "Verity signature partition requested but no private key provided (--private-key=).");
-
-        if (p->verity == VERITY_SIG && !arg_certificate && !partition_type_defer(&p->type))
-                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
-                                  "Verity signature partition requested but no PEM certificate provided (--certificate=).");
-
         if (p->verity == VERITY_SIG && (p->size_min != UINT64_MAX || p->size_max != UINT64_MAX))
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "SizeMinBytes=/SizeMaxBytes= cannot be used with Verity=%s.",
@@ -5062,6 +5054,14 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
         if (PARTITION_EXISTS(p))
                 return 0;
 
+        if (!context->private_key)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Verity signature partition signing requested but no private key provided (--private-key=).");
+
+        if (!context->certificate)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
+
         (void) partition_hint(p, context->node, &hint);
 
         assert_se(hp = p->siblings[VERITY_HASH]);