fix(systemd-veritysetup): validate dm-verity signatures in userspace
authorAntonio Alvarez Feijoo <antonio.feijoo@suse.com>
Wed, 22 Apr 2026 09:37:06 +0000 (11:37 +0200)
committerBenjamin Drung <bdrung@ubuntu.com>
Thu, 30 Apr 2026 20:18:31 +0000 (22:18 +0200)
Since [1], if validation against the kernel fails, systemd falls back to searching
for PKCS#7 certificates in `/{etc,usr/lib}/verity.d` to validate dm-verity
signatures.

[1] https://github.com/systemd/systemd/commit/c2fa92e7e8907d9658646595261fa2d3433e6e4b

modules.d/11systemd-veritysetup/module-setup.sh

index 112e998d48ef94fa992f0c750fa51b10d0e3eb65..856926f6eac6198d1601c8924797f49423cd0946 100755 (executable)
@@ -40,6 +40,7 @@ installkernel() {
 install() {
 
     inst_multiple -o \
+        "/usr/lib/verity.d/*.conf" \
         "$systemdutildir"/systemd-veritysetup \
         "$systemdutildir"/system-generators/systemd-veritysetup-generator \
         "$systemdsystemunitdir"/remote-veritysetup.target \
@@ -52,6 +53,7 @@ install() {
     if [[ $hostonly ]]; then
         inst_multiple -H -o \
             /etc/veritytab \
+            "/etc/verity.d/*.conf" \
             "$systemdsystemconfdir"/veritysetup.target \
             "$systemdsystemconfdir/veritysetup.target.wants/*.target" \
             "$systemdsystemconfdir"/veritysetup-pre.target \
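Review bot: The two added globs pick up `*.conf` files from verity.d/, but the systemd userspace fallback cited in the description enumerates `.crt` certificate files in those directories, so with this suffix the initramfs likely receives no certificates and, because both `inst_multiple` calls use `-o`, the empty match is skipped without any build-time error — the fallback would then be silently unavailable at boot. Please confirm the file suffix against the targeted systemd release and, if it is `.crt`, change the lines to `"/usr/lib/verity.d/*.crt" \` in the first hunk and `"/etc/verity.d/*.crt" \` in the second. A short comment above the first glob, such as `# certificates for systemd's userspace dm-verity signature fallback (see verity.d in the systemd docs)`, would make the dependency on that systemd behaviour visible to the next maintainer. `install()` begins in the first hunk and ends outside the second.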