shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-31 14:50:15 +03:00
Code

repart: Delay private key and certificate check until actual use

Browse Source 
For many reasons, we might not actually sign a verity signature
partition, even if ope is specified in the partition definition files.
It might already exist, it might be deferred, it might be excluded, ...

Since we cannot check if partition already exists when reading the
configuration, let's delay the check for whether a certificate and
key have been provided until we're actually about to sign a roothash.
This commit is contained in:
Daan De Meyer 2025-02-16 00:24:52 +01:00
parent 034f027be4
commit eba51a9dbd
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/repart/repart.c
View File

@ -2487,14 +2487,6 @@ static int partition_read_definition(Partition *p, const char *path, const char
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"Encrypting verity hash/data partitions is not supported.");
if (p->verity == VERITY_SIG && !arg_private_key && !partition_type_defer(&p->type))
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition requested but no private key provided (--private-key=).");
if (p->verity == VERITY_SIG && !arg_certificate && !partition_type_defer(&p->type))
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition requested but no PEM certificate provided (--certificate=).");
if (p->verity == VERITY_SIG && (p->size_min != UINT64_MAX || p->size_max != UINT64_MAX))
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"SizeMinBytes=/SizeMaxBytes= cannot be used with Verity=%s.",
@ -5062,6 +5054,14 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
if (PARTITION_EXISTS(p))
return 0;
if (!context->private_key)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition signing requested but no private key provided (--private-key=).");
if (!context->certificate)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
(void) partition_hint(p, context->node, &hint);
assert_se(hp = p->siblings[VERITY_HASH]);