From e3659eb2366ad30a89e7a3511d40f55a2a69e49a Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 29 Jul 2020 15:13:20 +0200 Subject: [PATCH] dissect: load verity metadata earlier That way we can turn off kernel partition scanning if verity data is available (as we don't support verity for full GPT images, only for simple file system images).
---
 src/dissect/dissect.c | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
index f1f323b131..f44c8b3783 100644
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@@ -327,18 +327,37 @@ static int run(int argc, char *argv[]) {
         if (r <= 0)
                 return r;
-        r = loop_device_make_by_path(arg_image, (arg_flags & DISSECT_IMAGE_READ_ONLY) ? O_RDONLY : O_RDWR, LO_FLAGS_PARTSCAN, &d);
+        r = verity_metadata_load(
+                        arg_image, NULL,
+                        arg_root_hash ? NULL : &arg_root_hash,
+                        &arg_root_hash_size,
+                        arg_verity_data ? NULL : &arg_verity_data,
+                        arg_root_hash_sig_path || arg_root_hash_sig ? NULL : &arg_root_hash_sig_path);
+        if (r < 0)
+                return log_error_errno(r, "Failed to read verity artifacts for %s: %m", arg_image);
+
+        r = loop_device_make_by_path(
+                        arg_image,
+                        (arg_flags & DISSECT_IMAGE_READ_ONLY) ? O_RDONLY : O_RDWR,
+                        arg_verity_data ? 0 : LO_FLAGS_PARTSCAN,
+                        &d);
         if (r < 0)
                 return log_error_errno(r, "Failed to set up loopback device: %m");
-        r = verity_metadata_load(arg_image, NULL, arg_root_hash ? NULL : &arg_root_hash, &arg_root_hash_size,
-                                 arg_verity_data ? NULL : &arg_verity_data,
-                                 arg_root_hash_sig_path || arg_root_hash_sig ? NULL : &arg_root_hash_sig_path);
-        if (r < 0)
-                return log_error_errno(r, "Failed to read verity artefacts for %s: %m", arg_image);
-        arg_flags |= arg_verity_data ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0;
-
-        r = dissect_image_and_warn(d->fd, arg_image, arg_root_hash, arg_root_hash_size, arg_verity_data, NULL, arg_flags, &m);
+        if (arg_verity_data)
+                arg_flags |= DISSECT_IMAGE_NO_PARTITION_TABLE; /* We only support Verity per file system,
+                                                                * hence if there's external Verity data
+                                                                * available we turn off partition table
+                                                                * support */
+        r = dissect_image_and_warn(
+                        d->fd,
+                        arg_image,
+                        arg_root_hash,
+                        arg_root_hash_size,
+                        arg_verity_data,
+                        NULL,
+                        arg_flags,
+                        &m);
         if (r < 0)
                 return r;
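Review bot: Both new decisions key on arg_verity_data alone, so when verity_metadata_load() finds a .verity sidecar but no root hash was passed or found, partition scanning is switched off and dissect_image_and_warn() is called with arg_root_hash == NULL; unless that combination is refused further down (run() continues past this hunk), the image is treated as a verity-backed file system for layout purposes but set up without verification. I would reject the mismatch right after the load, with the file's usual errno helper, e.g. `if (arg_verity_data && !arg_root_hash) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Verity data found for %s but no root hash, refusing.", arg_image);`. The comment explaining the no-partition-table choice sits on the DISSECT_IMAGE_NO_PARTITION_TABLE line, yet the same choice is first made in the loop_device_make_by_path() call; a short `/* verity is per file system, not per GPT image: no kernel partition scan */` on the `arg_verity_data ? 0 : LO_FLAGS_PARTSCAN,` argument would keep the two places in step.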