From 7025fa8b1ae84064714ccf42d58f3ea504f7cd9a Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Tue, 22 Sep 2020 13:19:19 +0100
Subject: [PATCH 1/2] dissect-image: use correct path variable when reading verity signatures

Copypasta slipped in via https://github.com/systemd/systemd/pull/17101
---
 src/shared/dissect-image.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index e24740d449..8947da8102 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1964,7 +1964,7 @@ int verity_settings_load(
 if (!p)
 return -ENOMEM;
 
- r = read_full_file_full(AT_FDCWD, root_hash_sig_path, 0, (char**) &root_hash_sig, &root_hash_sig_size);
+ r = read_full_file_full(AT_FDCWD, p, 0, (char**) &root_hash_sig, &root_hash_sig_size);
 if (r < 0 && r != -ENOENT)
 return r;
 if (r >= 0)
@@ -1978,7 +1978,7 @@ int verity_settings_load(
 if (!p)
 return -ENOMEM;
 
- r = read_full_file_full(AT_FDCWD, root_hash_sig_path, 0, (char**) &root_hash_sig, &root_hash_sig_size);
+ r = read_full_file_full(AT_FDCWD, p, 0, (char**) &root_hash_sig, &root_hash_sig_size);
 if (r < 0 && r != -ENOENT)
 return r;
 if (r >= 0)

From c848516f3f3356d52cbc10eb270f531d48820648 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Tue, 22 Sep 2020 15:24:59 +0100
Subject: [PATCH 2/2] dissect-image: do not refuse verity GPT without /usr partition

Only enforce that /usr verity partition is present if a /usr partition is there
---
 src/shared/dissect-image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 8947da8102..3a2200f91e 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
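Review bot: In patch 1/2 the read-and-tolerate-ENOENT sequence is repeated verbatim in the `@@ -1964` and `@@ -1978` hunks, so the wrong-variable slip had to be corrected twice and the two copies can drift apart again; folding both into one local helper that takes the candidate path would leave a single place to audit. Whichever form is kept, the error policy on the `if (r < 0 && r != -ENOENT)` line deserves a comment, for example `/* No sidecar signature file is fine; any other read failure aborts loading */`. Because a signature that is never read presumably weakens or breaks verification further down, a regression test that loads an image carrying only a sidecar signature file would catch this class of mistake. verity_settings_load() starts and ends outside both hunks, so how `p` is built and how `root_hash_sig` is consumed cannot be confirmed from here.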
@@ -956,7 +956,7 @@ int dissect_image(
 return -EADDRNOTAVAIL;
 
 /* Combinations of verity /usr with verity-less root is OK, but the reverse is not */
- if (m->partitions[PARTITION_ROOT_VERITY].found && !m->partitions[PARTITION_USR_VERITY].found)
+ if (m->partitions[PARTITION_ROOT_VERITY].found && m->partitions[PARTITION_USR].found && !m->partitions[PARTITION_USR_VERITY].found)
 return -EADDRNOTAVAIL;
 
 if (verity && verity->root_hash) {
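Review bot: The comment kept above the changed condition no longer describes what is enforced: with the added `m->partitions[PARTITION_USR].found` term, a verity-protected root is rejected only when a /usr partition is present without its verity partition, and an image with no /usr at all is now accepted. Since this check decides which partition combinations count as integrity-protected, the comment should state the rule exactly, for example `/* Verity /usr with verity-less root is OK. Verity root with a /usr partition that lacks verity is not; an image without any /usr partition is fine. */`. dissect_image() begins and ends outside the hunk, so how `.found` gets set for PARTITION_USR cannot be confirmed from the lines shown.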