-rw-r--r-- | man/systemd-veritysetup-generator.xml | 3 | ||||
-rw-r--r-- | man/veritytab.xml | 7 | ||||
-rw-r--r-- | src/veritysetup/veritysetup.c | 19 |
3 files changed, 26 insertions, 3 deletions
diff --git a/man/systemd-veritysetup-generator.xml b/man/systemd-veritysetup-generator.xml index 37ded91a93..6098895f55 100644 --- a/man/systemd-veritysetup-generator.xml +++ b/man/systemd-veritysetup-generator.xml @@ -85,7 +85,8 @@ <term><varname>systemd.verity_root_options=</varname></term> <listitem><para>Takes a comma-separated list of dm-verity options. Expects the following options - <option>ignore-corruption</option>, <option>restart-on-corruption</option>, <option>ignore-zero-blocks</option>, + <option>hash-offset=<replaceable>BYTES</replaceable></option>, <option>ignore-corruption</option>, + <option>restart-on-corruption</option>, <option>ignore-zero-blocks</option>, <option>check-at-most-once</option>, <option>panic-on-corruption</option> and <option>root-hash-signature=<replaceable>PATH</replaceable>|base64:<replaceable>HEX</replaceable></option>. See <citerefentry project='die-net'><refentrytitle>veritysetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more diff --git a/man/veritytab.xml b/man/veritytab.xml index dc2f11c31e..ec5d0f45a1 100644 --- a/man/veritytab.xml +++ b/man/veritytab.xml @@ -61,6 +61,13 @@ This is based on crypttab(5). <variablelist class='fstab-options'> <varlistentry> + <term><option>hash-offset=<replaceable>BYTES</replaceable></option></term> + + <listitem><para>Offset of hash area/superblock on <literal>hash-device</literal>. (Multiples of 512 bytes.) + </para></listitem> + </varlistentry> + + <varlistentry> <term><option>ignore-corruption</option></term> <term><option>restart-on-corruption</option></term> <term><option>panic-on-corruption</option></term> diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c index ae497b02ee..e1b0e00e42 100644 --- a/src/veritysetup/veritysetup.c +++ b/src/veritysetup/veritysetup.c 
@@ -10,12 +10,14 @@
 #include "hexdecoct.h"
 #include "log.h"
 #include "main-func.h"
+#include "parse-util.h"
 #include "path-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "string-util.h"
 #include "terminal-util.h"
+static uint64_t arg_hash_offset = 0;
 static uint32_t arg_activate_flags = CRYPT_ACTIVATE_READONLY;
 static char *arg_root_hash_signature = NULL;
@@ -104,7 +106,17 @@ static int parse_options(const char *options) {
 else if (streq(word, "panic-on-corruption"))
 arg_activate_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;
 #endif
- else if ((val = startswith(word, "root-hash-signature="))) {
+ else if ((val = startswith(word, "hash-offset="))) {
+ uint64_t off;
+
+ r = parse_size(val, 1024, &off);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse offset '%s': %m", word);
+ if (off % 512 != 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "hash-offset= expects a 512-byte aligned value.");
+
+ arg_hash_offset = off;
+ } else if ((val = startswith(word, "root-hash-signature="))) {
 r = save_roothashsig_option(val, /* strict= */ true);
 if (r < 0)
 return r;
@@ -138,6 +150,7 @@ static int run(int argc, char *argv[]) {
 if (streq(verb, "attach")) {
 const char *volume, *data_device, *verity_device, *root_hash, *options;
 _cleanup_free_ void *m = NULL;
+ struct crypt_params_verity p = {};
 crypt_status_info status;
 size_t l;
@@ -173,9 +186,11 @@ static int run(int argc, char *argv[]) {
 r = parse_options(options);
 if (r < 0)
 return log_error_errno(r, "Failed to parse options: %m");
+
+ p.hash_area_offset = arg_hash_offset;
 }
- r = crypt_load(cd, CRYPT_VERITY, NULL);
+ r = crypt_load(cd, CRYPT_VERITY, &p);
 if (r < 0)
 return log_error_errno(r, "Failed to load verity superblock: %m"); |
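Review bot: The alignment branch of the new `hash-offset=` case in parse_options() logs `hash-offset= expects a 512-byte aligned value.` without the value it rejected, while the parse-failure branch just above it does log `word`. Someone diagnosing a verity volume that fails to attach at boot then has to go back to veritytab or the kernel command line to see what was passed. I would include it, e.g. `return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "hash-offset= expects a 512-byte aligned value, got '%s'.", val);`. Failing the attach on a bad offset rather than falling back to offset 0 is the right behaviour and should stay. Separately, `parse_size(val, 1024, &off)` also accepts size suffixes, which the `BYTES` placeholder in the man page does not mention; parse_options() itself starts and ends outside the hunk.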
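Review bot: In the last hunk of run(), `p.hash_area_offset = arg_hash_offset;` sits inside what appears to be the branch that handles the options argument. When no options are given, `crypt_load(cd, CRYPT_VERITY, &p)` therefore relies only on `p = {}` and the static's initial 0. The two paths are equivalent today, but that coupling is implicit and easy to break once more fields of `p` are filled from options. I would move the assignment to directly before the `crypt_load()` call, or add a comment such as `/* hash_area_offset stays 0 (superblock at start of hash device) unless hash-offset= was given */`. The opening of the enclosing block and the rest of run() are outside the hunk.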