From 7b32164f3c666ff00027f7061e677482bf270a9e Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 9 Sep 2021 11:33:03 +0200
Subject: [PATCH] dissect-image: tighten checks on root + /usr/ combinations

Our code logic doesn't support images with two verity partitions at the moment, hence refuse this early (with ENOTUNIQ)

Also, go even further and refuse any combinations of verity enabled root with verity-less /usr, simplify because that is unsafe and defeats the point of verity. (i.e. we want to give the guarantee that for auto-discovered verity magic we guarantee that the data afterwards available in /usr is safe).
---
 src/shared/dissect-image.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 8a139d4f8c..9547dad808 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1390,9 +1390,16 @@ int dissect_image(
 !(m->partitions[PARTITION_ROOT].found || (m->partitions[PARTITION_USR].found && FLAGS_SET(flags, DISSECT_IMAGE_USR_NO_ROOT))))
 return -ENXIO;
 
- /* Combinations of verity /usr with verity-less root is OK, but the reverse is not */
- if (m->partitions[PARTITION_ROOT_VERITY].found && m->partitions[PARTITION_USR].found && !m->partitions[PARTITION_USR_VERITY].found)
- return -EADDRNOTAVAIL;
+ if (m->partitions[PARTITION_ROOT_VERITY].found) {
+ /* We only support one verity partition per image, i.e. can't do for both /usr and root fs */
+ if (m->partitions[PARTITION_USR_VERITY].found)
+ return -ENOTUNIQ;
+
+ /* We don't support verity enabled root with a split out /usr. Neither with nor without
+ * verity there. (Note that we do support verity-less root with verity-full /usr, though.) */
+ if (m->partitions[PARTITION_USR].found)
+ return -EADDRNOTAVAIL;
+ }
 
 if (verity && verity->root_hash) {
 if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
-- 
2.25.1
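Review bot: The second test inside the new `if (m->partitions[PARTITION_ROOT_VERITY].found)` block rejects a root-verity image that carries any `/usr` partition, with or without its own verity partition, while the commit message still describes the rule as refusing a "verity-less /usr"; the in-hunk comment is the accurate statement of the policy and the description should be brought in line with it so that readers of the log do not expect root-verity plus usr-verity to be accepted. Because the ENOTUNIQ test precedes the /usr test, an image holding root-verity, /usr and usr-verity together is reported as -ENOTUNIQ rather than -EADDRNOTAVAIL; if that precedence is deliberate, a short comment such as `/* checked first: two verity partitions is the more specific error */` above the ENOTUNIQ check would document it. Both return codes are generic errnos that a caller may already map to other conditions, so if dissect_image() carries a list of return values in its header comment, -ENOTUNIQ (two verity partitions) and the widened meaning of -EADDRNOTAVAIL (verity root with a split /usr) belong there; the function's signature and the rest of its body lie outside the hunk.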