summaryrefslogtreecommitdiffstats
path: root/upstream/fedora-40/man7/systemd.image-policy.7
blob: 8927360adff394ac760b9ae8a86ace5ed86822c5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
'\" t
.TH "SYSTEMD\&.IMAGE\-POLICY" "7" "" "systemd 255" "systemd.image-policy"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd.image-policy \- Disk Image Dissection Policy
.SH "DESCRIPTION"
.PP
In systemd, whenever a disk image (DDI) implementing the
\m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2
is activated, a policy may be specified controlling which partitions to mount and what kind of cryptographic protection to require\&. Such a disk image dissection policy is a string that contains per\-partition\-type rules, separated by colons (":")\&. The individual rules consist of a partition identifier, an equal sign ("="), and one or more flags which may be set per partition\&. If multiple flags are specified per partition they are separated by a plus sign ("+")\&.
.PP
The partition identifiers currently defined are:
\fBroot\fR,
\fBusr\fR,
\fBhome\fR,
\fBsrv\fR,
\fBesp\fR,
\fBxbootldr\fR,
\fBswap\fR,
\fBroot\-verity\fR,
\fBroot\-verity\-sig\fR,
\fBusr\-verity\fR,
\fBusr\-verity\-sig\fR,
\fBtmp\fR,
\fBvar\fR\&. These identifiers match the relevant partition types in the Discoverable Partitions Specification, but are agnostic to CPU architectures\&. If the partition identifier is left empty it defines the
\fIdefault\fR
policy for partitions defined in the Discoverable Partitions Specification for which no policy flags are explicitly listed in the policy string\&.
.PP
The following partition policy flags are defined that dictate the existence/absence, the use, and the protection level of partitions:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBunprotected\fR
for partitions that shall exist and be used, but shall come without cryptographic protection, lacking both Verity authentication and LUKS encryption\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBverity\fR
for partitions that shall exist and be used, with Verity authentication\&. (Note: if a DDI image carries a data partition, along with a Verity partition and a signature partition for it, and only the
\fBverity\fR
flag is set (\fBsigned\fR
is not), then the image will be set up with Verity, but the signature data will not be used\&. Or in other words: any DDI with a set of partitions that qualify for
\fBsignature\fR
also implicitly qualifies for
\fBverity\fR, and in fact also
\fBunprotected\fR)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBsigned\fR
for partitions that shall exist and be used, with Verity authentication, which are also accompanied by a PKCS#7 signature of the Verity root hash\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBencrypted\fR
for partitions which shall exist and be used and are encrypted with LUKS\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBunused\fR
for partitions that shall exist but shall not be used\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBabsent\fR
for partitions that shall not exist on the image\&.
.RE
.PP
By setting a combination of the flags above, alternatives can be declared\&. For example the combination
"unused+absent"
means: the partition may exist (in which case it shall not be used) or may be absent\&. The combination of
"unprotected+verity+signed+encrypted+unused+absent"
may be specified via the special shortcut
"open", and indicates that the partition may exist or may be absent, but if it exists is used, regardless of the protection level\&.
.PP
As special rule: if none of the flags above are set for a listed partition identifier, the default policy of
\fBopen\fR
is implied, i\&.e\&. setting none of these flags listed above means effectively all flags listed above will be set\&.
.PP
The following partition policy flags are defined that dictate the state of specific GPT partition flags:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBread\-only\-off\fR,
\fBread\-only\-on\fR
to require that the partitions have the read\-only partition flag off or on\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBgrowfs\-off\fR,
\fBgrowfs\-on\fR
to require that the partitions have the growfs partition flag off or on\&.
.RE
.PP
If both
\fBread\-only\-off\fR
and
\fBread\-only\-on\fR
are set for a partition, then the state of the read\-only flag on the partition is not dictated by the policy\&. Setting neither flag is equivalent to setting both, i\&.e\&. setting neither of these two flags means effectively both will be set\&. A similar logic applies to
\fBgrowfs\-off\fR/\fBgrowfs\-on\fR\&.
.PP
If partitions are not listed within an image policy string, the default policy flags are applied (configurable via an empty partition identifier, see above)\&. If no default policy flags are configured in the policy string, it is implied to be
"absent+unused", except for the Verity partition and their signature partitions where the policy is automatically derived from minimal protection level of the data partition they protect, as encoded in the policy\&.
.SH "SPECIAL POLICIES"
.PP
The special image policy string
"*"
is short for "use everything", i\&.e\&. is equivalent to:
.sp
.if n \{\
.RS 4
.\}
.nf
=verity+signed+encrypted+unprotected+unused+absent
.fi
.if n \{\
.RE
.\}
.PP
The special image policy string
"\-"
is short for "use nothing", i\&.e\&. is equivalent to:
.sp
.if n \{\
.RS 4
.\}
.nf
=unused+absent
.fi
.if n \{\
.RE
.\}
.PP
The special image policy string
"~"
is short for "everything must be absent", i\&.e\&. is equivalent to:
.sp
.if n \{\
.RS 4
.\}
.nf
=absent
.fi
.if n \{\
.RE
.\}
.SH "USE"
.PP
Most systemd components that support operating with disk images support a
\fB\-\-image\-policy=\fR
command line option to specify the image policy to use, and default to relatively open policies (typically the
"*"
policy, as described above), under the assumption that trust in disk images is established before the images are passed to the program in question\&.
.PP
For the host image itself
\fBsystemd-gpt-auto-generator\fR(8)
is responsible for processing the GPT partition table and making use of the included discoverable partitions\&. It accepts an image policy via the kernel command line option
\fBsystemd\&.image\-policy=\fR\&.
.PP
Note that image policies do not dictate how the components will mount and use disk images \(em they only dictate which parts to avoid and which protection level and arrangement to require while mounting/using them\&. For example,
\fBsystemd-sysext\fR(8)
only cares for the
/usr/
and
/opt/
trees inside a disk image, and thus ignores any
/home/
partitions (and similar) in all cases, which might be included in the image, regardless whether the configured image policy would allow access to it or not\&. Similar,
\fBsystemd-nspawn\fR(1)
is not going to make use of any discovered swap device, regardless if the policy would allow that or not\&.
.PP
Use the
\fBimage\-policy\fR
command of the
\fBsystemd-analyze\fR(8)
tool to analyze image policy strings, and determine what a specific policy string means for a specific partition\&.
.SH "EXAMPLES"
.PP
The following image policy string dictates one read\-only Verity\-enabled
/usr/
partition must exist, plus encrypted root and swap partitions\&. All other partitions are ignored:
.sp
.if n \{\
.RS 4
.\}
.nf
usr=verity+read\-only\-on:root=encrypted:swap=encrypted
.fi
.if n \{\
.RE
.\}
.PP
The following image policy string dictates an encrypted, writable root file system, and optional
/srv/
file system that must be encrypted if it exists and no swap partition may exist:
.sp
.if n \{\
.RS 4
.\}
.nf
root=encrypted+read\-only\-off:srv=encrypted+absent:swap=absent
.fi
.if n \{\
.RE
.\}
.PP
The following image policy string dictates a single root partition that may be encrypted, but doesn\*(Aqt have to be, and ignores swap partitions, and uses all other partitions if they are available, possibly with encryption\&.
.sp
.if n \{\
.RS 4
.\}
.nf
root=unprotected+encrypted:swap=absent+unused:=unprotected+encrypted+absent
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBsystemd-dissect\fR(1),
\fBsystemd-gpt-auto-generator\fR(8),
\fBsystemd-sysext\fR(8),
\fBsystemd-analyze\fR(8)
.SH "NOTES"
.IP " 1." 4
Discoverable Partitions Specification
.RS 4
\%https://uapi-group.org/specifications/specs/discoverable_partitions_specification
.RE