veritysetup: add support for hash-offset option

The verity parameter hash_area_offset allows to locate the superblock in
the hash device. It can be used to have a single device which contains
both data and hashes.

This adds the option hash-offset=BYTES (sixth argument) which is the
equivalent of the option --hash-offset in the veritysetup world.

See `veritysetup(8)` for more details.

3 files changed, 26 insertions, 3 deletions

diff --git a/man/systemd-veritysetup-generator.xml b/man/systemd-veritysetup-generator.xml
index 37ded91a93..6098895f55 100644
--- a/man/systemd-veritysetup-generator.xml
+++ b/man/systemd-veritysetup-generator.xml
@@ -85,7 +85,8 @@
         <term><varname>systemd.verity_root_options=</varname></term>
 
         <listitem><para>Takes a comma-separated list of dm-verity options. Expects the following options
-        <option>ignore-corruption</option>, <option>restart-on-corruption</option>, <option>ignore-zero-blocks</option>,
+        <option>hash-offset=<replaceable>BYTES</replaceable></option>, <option>ignore-corruption</option>,
+        <option>restart-on-corruption</option>, <option>ignore-zero-blocks</option>,
         <option>check-at-most-once</option>, <option>panic-on-corruption</option> and
         <option>root-hash-signature=<replaceable>PATH</replaceable>|base64:<replaceable>HEX</replaceable></option>. See
         <citerefentry project='die-net'><refentrytitle>veritysetup</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more
diff --git a/man/veritytab.xml b/man/veritytab.xml
index dc2f11c31e..ec5d0f45a1 100644
--- a/man/veritytab.xml
+++ b/man/veritytab.xml
@@ -61,6 +61,13 @@ This is based on crypttab(5).
     <variablelist class='fstab-options'>
 
       <varlistentry>
+        <term><option>hash-offset=<replaceable>BYTES</replaceable></option></term>
+
+        <listitem><para>Offset of hash area/superblock on <literal>hash-device</literal>. (Multiples of 512 bytes.)
+        </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><option>ignore-corruption</option></term>
         <term><option>restart-on-corruption</option></term>
         <term><option>panic-on-corruption</option></term>
diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c
index ae497b02ee..e1b0e00e42 100644
--- a/src/veritysetup/veritysetup.c
+++ b/src/veritysetup/veritysetup.c
@@ -10,12 +10,14 @@
 #include "hexdecoct.h"
 #include "log.h"
 #include "main-func.h"
+#include "parse-util.h"
 #include "path-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "string-util.h"
 #include "terminal-util.h"
 
+static uint64_t arg_hash_offset = 0;
 static uint32_t arg_activate_flags = CRYPT_ACTIVATE_READONLY;
 static char *arg_root_hash_signature = NULL;
 
@@ -104,7 +106,17 @@ static int parse_options(const char *options) {
                 else if (streq(word, "panic-on-corruption"))
                         arg_activate_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;
 #endif
-                else if ((val = startswith(word, "root-hash-signature="))) {
+                else if ((val = startswith(word, "hash-offset="))) {
+                        uint64_t off;
+
+                        r = parse_size(val, 1024, &off);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse offset '%s': %m", word);
+                        if (off % 512 != 0)
+                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "hash-offset= expects a 512-byte aligned value.");
+
+                        arg_hash_offset = off;
+                } else if ((val = startswith(word, "root-hash-signature="))) {
                         r = save_roothashsig_option(val, /* strict= */ true);
                         if (r < 0)
                                 return r;
@@ -138,6 +150,7 @@ static int run(int argc, char *argv[]) {
         if (streq(verb, "attach")) {
                 const char *volume, *data_device, *verity_device, *root_hash, *options;
                 _cleanup_free_ void *m = NULL;
+                struct crypt_params_verity p = {};
                 crypt_status_info status;
                 size_t l;
 
@@ -173,9 +186,11 @@ static int run(int argc, char *argv[]) {
                         r = parse_options(options);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to parse options: %m");
+
+                        p.hash_area_offset = arg_hash_offset;
                 }
 
-                r = crypt_load(cd, CRYPT_VERITY, NULL);
+                r = crypt_load(cd, CRYPT_VERITY, &p);
                 if (r < 0)
                         return log_error_errno(r, "Failed to load verity superblock: %m");