authorLennart Poettering <lennart@poettering.net>2016-12-23 17:38:12 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-07 12:21:29 +0100
commit41488e1f7acf5f4b5e11ff992a05ee1baa537d54 (patch)
treeffe49f452a10501be1e500218184e32480770eaa /src
parent78ebe98061eb527f17691929f470f262a7ab2c8f (diff)
dissect: try to read roothash value off user.verity.roothash xattr of image file
This slightly extends the roothash loading logic to first check for a user.verity.roothash extended attribute on the image file. If it exists, it is used as the Verity root hash and the ".roothash" file is not used. This should improve the chance that the roothash is retained when the file is moved around, as the data snippet is attached directly to the image file. The field is still detached from the file payload, however, in order to make sure it may be trusted independently. This does not replace the ".roothash" file loading; it simply adds a second way to retrieve the data. Extended attributes are often a poor choice for storing metadata like this, as they are usually difficult for admins and users to discover, and hard to fix if they ever get out of sync. However, in this case I think it's safe, as verity implies read-only access, and thus there's little chance of it getting out of sync.
Diffstat (limited to 'src')
-rw-r--r--src/shared/dissect-image.c36
1 files changed, 22 insertions, 14 deletions
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index f3cd663602..66ddf3a872 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -40,6 +40,7 @@
#include "string-util.h"
#include "strv.h"
#include "udev-util.h"
+#include "xattr-util.h"
static int probe_filesystem(const char *node, char **ret_fstype) {
#ifdef HAVE_BLKID
@@ -1092,7 +1093,6 @@ int decrypted_image_relinquish(DecryptedImage *d) {
int root_hash_load(const char *image, void **ret, size_t *ret_size) {
_cleanup_free_ char *text = NULL;
_cleanup_free_ void *k = NULL;
- char *fn, *e, *n;
size_t l;
int r;
@@ -1107,22 +1107,30 @@ int root_hash_load(const char *image, void **ret, size_t *ret_size) {
return 0;
}
- fn = newa(char, strlen(image) + strlen(".roothash") + 1);
- n = stpcpy(fn, image);
- e = endswith(fn, ".raw");
- if (e)
- n = e;
+ r = getxattr_malloc(image, "user.verity.roothash", &text, true);
+ if (r < 0) {
+ char *fn, *e, *n;
- strcpy(n, ".roothash");
+ if (!IN_SET(r, -ENODATA, -EOPNOTSUPP, -ENOENT))
+ return r;
- r = read_one_line_file(fn, &text);
- if (r == -ENOENT) {
- *ret = NULL;
- *ret_size = 0;
- return 0;
+ fn = newa(char, strlen(image) + strlen(".roothash") + 1);
+ n = stpcpy(fn, image);
+ e = endswith(fn, ".raw");
+ if (e)
+ n = e;
+
+ strcpy(n, ".roothash");
+
+ r = read_one_line_file(fn, &text);
+ if (r == -ENOENT) {
+ *ret = NULL;
+ *ret_size = 0;
+ return 0;
+ }
+ if (r < 0)
+ return r;
}
- if (r < 0)
- return r;
r = unhexmem(text, strlen(text), &k, &l);
if (r < 0)
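Review bot: The new `getxattr_malloc()` call silently takes precedence over the `.roothash` file, and neither that ordering nor the expected value format is documented at the call site. Because `text` goes unchanged into `unhexmem(text, strlen(text), &k, &l)`, an attribute that exists but is malformed (a stored trailing newline, say) presumably makes the load fail without the sidecar file being tried; that is a reasonable fail-closed result, but it should be stated. I would add above the call: `/* xattr wins over the .roothash file; value must be the bare hex string. user.* xattrs are writable by anyone who can write the image, so the hash is only as trustworthy as the image file's permissions. */`, plus a word on what the bare `true` argument selects. root_hash_load() begins and ends outside this hunk.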