dissect-image: Consolidate verity validation and setup

The verity consistency checks and verity setup code also have parallel
blocks for root and usr that do basically identical work. Let's
consolidate them and reduce the footprint for bugs or deviance to
manifest.

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index f4d45cfd20eaa44d2983662d7a7025036307f675..d68ea0bc9742a63257ff36c2d3598de41dede23f 100644 (file)
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1698,31 +1698,25 @@ static int dissect_image(
                 }
         }
 
-        /* Verity found but no matching rootfs? Something is off, refuse. */
-        if (!m->partitions[PARTITION_ROOT].found &&
-                (m->partitions[PARTITION_ROOT_VERITY].found ||
-                 m->partitions[PARTITION_ROOT_VERITY_SIG].found))
+        /* Verity found but no matching data partition? Something is off, refuse. */
+        FOREACH_ELEMENT(dd, ((const PartitionDesignator[]) { PARTITION_ROOT, PARTITION_USR })) {
+                PartitionDesignator dv = partition_verity_hash_of(*dd);
+                PartitionDesignator ds = partition_verity_sig_of(*dd);
+
+                if (!m->partitions[*dd].found && (m->partitions[dv].found || m->partitions[ds].found))
                         return log_debug_errno(
                                         SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                        "Found root verity hash partition without matching root data partition.");
-
-        /* Hmm, we found a signature partition but no Verity data? Something is off. */
-        if (m->partitions[PARTITION_ROOT_VERITY_SIG].found && !m->partitions[PARTITION_ROOT_VERITY].found)
-                return log_debug_errno(SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                       "Found root verity signature partition without matching root verity hash partition.");
+                                        "Found %s verity hash partition without matching %s data partition.",
+                                        partition_designator_to_string(*dd),
+                                        partition_designator_to_string(*dd));
 
-        /* as above */
-        if (!m->partitions[PARTITION_USR].found &&
-                (m->partitions[PARTITION_USR_VERITY].found ||
-                 m->partitions[PARTITION_USR_VERITY_SIG].found))
+                if (m->partitions[ds].found && !m->partitions[dv].found)
                         return log_debug_errno(
                                         SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                        "Found usr verity hash partition without matching usr data partition.");
-
-        /* as above */
-        if (m->partitions[PARTITION_USR_VERITY_SIG].found && !m->partitions[PARTITION_USR_VERITY].found)
-                return log_debug_errno(SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                       "Found usr verity signature partition without matching usr verity hash partition.");
+                                        "Found %s verity signature partition without matching %s verity hash partition.",
+                                        partition_designator_to_string(*dd),
+                                        partition_designator_to_string(*dd));
+        }
 
         /* If root and /usr are combined then insist that the architecture matches */
         if (m->partitions[PARTITION_ROOT].found &&
@@ -1827,35 +1821,27 @@ static int dissect_image(
                         /* If we have an explicit root hash and found the partitions for it, then we are ready to use
                          * Verity, set things up for it */
 
-                        if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
-                                if (!m->partitions[PARTITION_ROOT].found)
-                                        return log_debug_errno(
-                                                        SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                                        "Verity enabled root partition was requested but did not find a root data partition.");
-
-                                if (!m->partitions[PARTITION_ROOT_VERITY].found)
-                                        return log_debug_errno(
-                                                        SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                                        "Verity enabled root partition was requested but did not find a root verity hash partition.");
-
-                                /* If we found a verity setup, then the root partition is necessarily read-only. */
-                                m->partitions[PARTITION_ROOT].rw = false;
-                        } else {
-                                assert(verity->designator == PARTITION_USR);
-
-                                if (!m->partitions[PARTITION_USR].found)
-                                        return log_debug_errno(
-                                                        SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                                        "Verity enabled usr partition was requested but did not find a usr data partition.");
-
-                                if (!m->partitions[PARTITION_USR_VERITY].found)
-                                        return log_debug_errno(
-                                                        SYNTHETIC_ERRNO(EADDRNOTAVAIL),
-                                                        "Verity enabled usr partition was requested but did not find a usr verity hash partition.");
-
-
-                                m->partitions[PARTITION_USR].rw = false;
-                        }
+                        PartitionDesignator d = verity->designator < 0 || verity->designator == PARTITION_ROOT
+                                ? PARTITION_ROOT : PARTITION_USR;
+                        PartitionDesignator dv = partition_verity_hash_of(d);
+                        assert(dv >= 0);
+
+                        if (!m->partitions[d].found)
+                                return log_debug_errno(
+                                                SYNTHETIC_ERRNO(EADDRNOTAVAIL),
+                                                "Verity enabled %s partition was requested but did not find a %s data partition.",
+                                                partition_designator_to_string(d),
+                                                partition_designator_to_string(d));
+
+                        if (!m->partitions[dv].found)
+                                return log_debug_errno(
+                                                SYNTHETIC_ERRNO(EADDRNOTAVAIL),
+                                                "Verity enabled %s partition was requested but did not find a %s verity hash partition.",
+                                                partition_designator_to_string(d),
+                                                partition_designator_to_string(d));
+
+                        /* If we found a verity setup, then the data partition is necessarily read-only. */
+                        m->partitions[d].rw = false;
 
                         m->verity_ready = true;