veritysetup-generator: add support for verity root options

This adds support for a new kernel root verity command line option "verity_root_options=" which controls the behaviour of dm-verity by forwarding options directly to systemd-veritysetup. See `veritysetup(8)` for more details.
2024-07-22 02:34:54 +00:00 · 2020-11-13 06:00:25 -05:00 · 2020-11-13 06:00:25 -05:00 · 0141102f10
parent cb0198a13c
commit 0141102f10
4 changed files with 35 additions and 4 deletions
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@ -361,6 +361,7 @@
        <term><varname>rd.systemd.verity=</varname></term>
        <term><varname>systemd.verity_root_data=</varname></term>
        <term><varname>systemd.verity_root_hash=</varname></term>
+        <term><varname>systemd.verity.root_options=</varname></term>
        <listitem>
          <para>Configures the integrity protection root hash for the root file system, and other related
          parameters. For details, see
--- a/man/systemd-veritysetup-generator.xml
+++ b/man/systemd-veritysetup-generator.xml
@ -81,6 +81,17 @@
        (see above).</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>systemd.verity_root_options=</varname></term>
+
+        <listitem><para>Takes a comma-separated list of dm-verity options. Expects the following options
+        <option>ignore-corruption</option>, <option>restart-on-corruption</option>, <option>ignore-zero-blocks</option>,
+        <option>check-at-most-once</option>, <option>panic-on-corruption</option> and
+        <option>root-hash-signature</option>. See
+        <citerefentry><refentrytitle>veritysetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more
+        details.</para></listitem>
+      </varlistentry>
+
    </variablelist>
  </refsect1>

--- a/src/veritysetup/veritysetup-generator.c
+++ b/src/veritysetup/veritysetup-generator.c
@ -29,13 +29,16 @@ static bool arg_enabled = true;
 static char *arg_root_hash = NULL;
 static char *arg_data_what = NULL;
 static char *arg_hash_what = NULL;
+static char *arg_options = NULL;

 STATIC_DESTRUCTOR_REGISTER(arg_root_hash, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_data_what, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_hash_what, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_options, freep);

 static int create_device(void) {
-        _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL, *u_escaped = NULL, *v_escaped = NULL, *root_hash_escaped = NULL;
+        _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL, *u_escaped = NULL, *v_escaped = NULL,
+                            *root_hash_escaped = NULL, *options_escaped = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        const char *to;
        int r;
@ -57,7 +60,8 @@ static int create_device(void) {

        log_debug("Using root verity data device %s,\n"
                  "                  hash device %s,\n"
-                  "                and root hash %s.", arg_data_what, arg_hash_what, arg_root_hash);
+                  "                      options %s,\n"
+                  "                and root hash %s.", arg_data_what, arg_hash_what, arg_options, arg_root_hash);

        u = fstab_node_to_udev_node(arg_data_what);
        if (!u)
@ -80,6 +84,10 @@ static int create_device(void) {
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

+        options_escaped = specifier_escape(arg_options ?: "");
+        if (!options_escaped)
+                return log_oom();
+
        root_hash_escaped = specifier_escape(arg_root_hash);
        if (!root_hash_escaped)
                return log_oom();
@ -102,11 +110,11 @@ static int create_device(void) {
                "\n[Service]\n"
                "Type=oneshot\n"
                "RemainAfterExit=yes\n"
-                "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s'\n"
+                "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s' '%s'\n"
                "ExecStop=" ROOTLIBEXECDIR "/systemd-veritysetup detach root\n",
                d, e,
                d, e,
-                u_escaped, v_escaped, root_hash_escaped);
+                u_escaped, v_escaped, root_hash_escaped, options_escaped);

        r = fflush_and_check(f);
        if (r < 0)
@ -158,6 +166,16 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                r = free_and_strdup(&arg_hash_what, value);
                if (r < 0)
                        return log_oom();
+
+        } else if (proc_cmdline_key_streq(key, "systemd.verity_root_options")) {
+
+                if (proc_cmdline_value_missing(key, value))
+                        return 0;
+
+                r = free_and_strdup(&arg_options, value);
+                if (r < 0)
+                        return log_oom();
+
        }

        return 0;
--- a/test/fuzz/fuzz-unit-file/directives.service
+++ b/test/fuzz/fuzz-unit-file/directives.service
@ -326,6 +326,7 @@ systemd.unit=
 systemd.verity=
 systemd.verity_root_data=
 systemd.verity_root_hash=
+systemd.verity_root_options=
 systemd.volatile=
 systemd.wants=
 systemd.watchdog_device=