Added initial logic to detect dm-verity

Author: magerstam

internal/image/imageinspect/compare.go

@@ -39,13 +39,26 @@ type ImageDiff struct {
 	PartitionTable PartitionTableDiff `json:"partitionTable,omitempty"`
 	Partitions     PartitionDiff      `json:"partitions,omitempty"`
 	EFIBinaries    EFIBinaryDiff      `json:"efiBinaries,omitempty"`
+	Verity         *VerityDiff        `json:"verity,omitempty" yaml:"verity,omitempty"`
 }
 
 // MetaDiff represents differences in image-level metadata.
 type MetaDiff struct {
 	SizeBytes *ValueDiff[int64] `json:"sizeBytes,omitempty"`
 }
 
+// VerityDiff represents differences in dm-verity configuration.
+type VerityDiff struct {
+	Added   *VerityInfo `json:"added,omitempty" yaml:"added,omitempty"`
+	Removed *VerityInfo `json:"removed,omitempty" yaml:"removed,omitempty"`
+	Changed bool        `json:"changed,omitempty" yaml:"changed,omitempty"`
+
+	Enabled       *ValueDiff[bool]   `json:"enabled,omitempty" yaml:"enabled,omitempty"`
+	Method        *ValueDiff[string] `json:"method,omitempty" yaml:"method,omitempty"`
+	RootDevice    *ValueDiff[string] `json:"rootDevice,omitempty" yaml:"rootDevice,omitempty"`
+	HashPartition *ValueDiff[int]    `json:"hashPartition,omitempty" yaml:"hashPartition,omitempty"`
+}
+
 // PartitionTableDiff represents differences in partition table-level fields.
 type PartitionTableDiff struct {
 	DiskGUID           *ValueDiff[string]          `json:"diskGuid,omitempty"`
@@ -234,6 +247,12 @@ func CompareImages(from, to *ImageSummary) ImageCompareResult {
 		res.Summary.Changed = true
 	}
 
+	// --- dm-verity ---
+	res.Diff.Verity = compareVerity(from.Verity, to.Verity)
+	if res.Diff.Verity != nil && res.Diff.Verity.Changed {
+		res.Summary.Changed = true
+	}
+
 	// Deterministic ordering for stable JSON
 	normalizeCompareResult(&res)
 
@@ -284,6 +303,56 @@ func compareMeta(from, to ImageSummary) MetaDiff {
 	return out
 }
 
+func compareVerity(from, to *VerityInfo) *VerityDiff {
+	// Both nil = no difference
+	if from == nil && to == nil {
+		return nil
+	}
+
+	diff := &VerityDiff{}
+
+	// Added (to has verity, from doesn't)
+	if from == nil && to != nil {
+		diff.Added = to
+		diff.Changed = true
+		return diff
+	}
+
+	// Removed (from has verity, to doesn't)
+	if from != nil && to == nil {
+		diff.Removed = from
+		diff.Changed = true
+		return diff
+	}
+
+	// Both present
+	if from.Enabled != to.Enabled {
+		diff.Enabled = &ValueDiff[bool]{From: from.Enabled, To: to.Enabled}
+		diff.Changed = true
+	}
+
+	if from.Method != to.Method {
+		diff.Method = &ValueDiff[string]{From: from.Method, To: to.Method}
+		diff.Changed = true
+	}
+
+	if from.RootDevice != to.RootDevice {
+		diff.RootDevice = &ValueDiff[string]{From: from.RootDevice, To: to.RootDevice}
+		diff.Changed = true
+	}
+
+	if from.HashPartition != to.HashPartition {
+		diff.HashPartition = &ValueDiff[int]{From: from.HashPartition, To: to.HashPartition}
+		diff.Changed = true
+	}
+
+	if !diff.Changed {
+		return nil
+	}
+
+	return diff
+}
+
 // comparePartitionTable compares two PartitionTableSummary objects and returns a PartitionTableDiff.
 func comparePartitionTable(from, to PartitionTableSummary) PartitionTableDiff {
 	var d PartitionTableDiff
@@ -751,6 +820,29 @@ func tallyDiffs(d ImageDiff) diffTally {
 
 	tallyEFIBinaryDiff(&t, d.EFIBinaries)
 
+	// dm-verity changes are meaningful (security-critical)
+	if d.Verity != nil && d.Verity.Changed {
+		if d.Verity.Added != nil {
+			t.addMeaningful(1, "dm-verity enabled")
+		} else if d.Verity.Removed != nil {
+			t.addMeaningful(1, "dm-verity disabled")
+		} else {
+			// Field changes
+			if d.Verity.Enabled != nil {
+				t.addMeaningful(1, "dm-verity enabled status changed")
+			}
+			if d.Verity.Method != nil {
+				t.addMeaningful(1, "dm-verity method changed")
+			}
+			if d.Verity.RootDevice != nil {
+				t.addMeaningful(1, "dm-verity root device changed")
+			}
+			if d.Verity.HashPartition != nil {
+				t.addMeaningful(1, "dm-verity hash partition changed")
+			}
+		}
+	}
+
 	return t
 }
 

internal/image/imageinspect/imageinspect.go

@@ -27,9 +27,19 @@ type ImageSummary struct {
 	SHA256         string                `json:"sha256,omitempty"`
 	SizeBytes      int64                 `json:"sizeBytes,omitempty"`
 	PartitionTable PartitionTableSummary `json:"partitionTable,omitempty"`
+	Verity         *VerityInfo           `json:"verity,omitempty" yaml:"verity,omitempty"`
 	// SBOM           SBOMSummary 		   `json:"sbom,omitempty"`
 }
 
+// VerityInfo holds dm-verity detection information.
+type VerityInfo struct {
+	Enabled       bool     `json:"enabled" yaml:"enabled"`
+	Method        string   `json:"method,omitempty" yaml:"method,omitempty"` // "systemd-verity", "custom-initramfs", "unknown"
+	RootDevice    string   `json:"rootDevice,omitempty" yaml:"rootDevice,omitempty"`
+	HashPartition int      `json:"hashPartition,omitempty" yaml:"hashPartition,omitempty"` // partition index, 0 if none
+	Notes         []string `json:"notes,omitempty" yaml:"notes,omitempty"`
+}
+
 // PartitionTableSummary holds information about the partition table of the disk image.
 type PartitionTableSummary struct {
 	Type               string
@@ -299,11 +309,15 @@ func (d *DiskfsInspector) inspectCore(
 	}
 	ptSummary.Partitions = partitionsWithFS
 
+	// Detect dm-verity configuration
+	verityInfo := detectVerity(ptSummary)
+
 	return &ImageSummary{
 		File:           imagePath,
 		SizeBytes:      sizeBytes,
 		PartitionTable: ptSummary,
 		SHA256:         sha256sum,
+		Verity:         verityInfo,
 	}, nil
 }
 
@@ -554,3 +568,119 @@ func computeFileSHA256(f *os.File) (string, error) {
 
 	return hex.EncodeToString(h.Sum(nil)), nil
 }
+
+// detectVerity inspects the partition table and UKI cmdline to detect dm-verity configuration.
+func detectVerity(pt PartitionTableSummary) *VerityInfo {
+	info := &VerityInfo{}
+
+	// Look for hash partition (common names/types)
+	hashPartIdx := -1
+	for i, p := range pt.Partitions {
+		name := strings.ToLower(p.Name)
+		// Check for common hash partition names
+		if strings.Contains(name, "hash") || name == "roothashmap" {
+			hashPartIdx = i
+			info.HashPartition = p.Index
+			info.Notes = append(info.Notes, fmt.Sprintf("Hash partition found: %s (partition %d)", p.Name, p.Index))
+			break
+		}
+	}
+
+	// Extract cmdline from UKI if present
+	var cmdline string
+	for _, p := range pt.Partitions {
+		if p.Filesystem != nil && p.Filesystem.HasUKI {
+			for _, efi := range p.Filesystem.EFIBinaries {
+				if efi.IsUKI && efi.Cmdline != "" {
+					cmdline = efi.Cmdline
+					break
+				}
+			}
+		}
+		if cmdline != "" {
+			break
+		}
+	}
+
+	if cmdline == "" {
+		// No cmdline found, dm-verity not detected
+		if hashPartIdx >= 0 {
+			info.Notes = append(info.Notes, "Hash partition exists but no UKI cmdline found")
+		}
+		return nil
+	}
+
+	// Check for dm-verity indicators in cmdline
+	// 1. systemd.verity_* parameters (standard systemd-verity)
+	if strings.Contains(cmdline, "systemd.verity_name=") ||
+		strings.Contains(cmdline, "systemd.verity_root_data=") ||
+		strings.Contains(cmdline, "systemd.verity_root_hash=") {
+		info.Enabled = true
+		info.Method = "systemd-verity"
+		info.Notes = append(info.Notes, "systemd.verity_* parameters found in cmdline")
+
+		// Extract root device from cmdline
+		if strings.Contains(cmdline, "root=") {
+			for _, part := range strings.Fields(cmdline) {
+				if strings.HasPrefix(part, "root=") {
+					info.RootDevice = strings.TrimPrefix(part, "root=")
+					break
+				}
+			}
+		}
+
+		if hashPartIdx >= 0 {
+			info.Notes = append(info.Notes, fmt.Sprintf("Hash partition present at index %d", hashPartIdx))
+		} else {
+			info.Notes = append(info.Notes, "WARNING: systemd.verity_* found but no hash partition detected")
+		}
+		return info
+	}
+
+	// 2. root=/dev/mapper/*verity* pattern (custom initramfs, e.g., EMT/EMF tpm-cryptsetup)
+	if strings.Contains(cmdline, "root=/dev/mapper/") && strings.Contains(cmdline, "verity") {
+		info.Enabled = true
+		info.Method = "custom-initramfs"
+		info.Notes = append(info.Notes, "root=/dev/mapper/*verity* pattern found in cmdline")
+
+		// Extract the exact root device
+		for _, part := range strings.Fields(cmdline) {
+			if strings.HasPrefix(part, "root=") {
+				info.RootDevice = strings.TrimPrefix(part, "root=")
+				break
+			}
+		}
+
+		if hashPartIdx >= 0 {
+			info.Notes = append(info.Notes, fmt.Sprintf("Hash partition present at index %d", hashPartIdx))
+			info.Notes = append(info.Notes, "Likely using separate hash partition for dm-verity")
+		} else {
+			info.Notes = append(info.Notes, "No separate hash partition detected")
+			info.Notes = append(info.Notes, "Likely using custom initramfs (e.g., dracut tpm-cryptsetup module)")
+			info.Notes = append(info.Notes, "Hash data may be: appended to rootfs, embedded in FDE, or managed by initramfs")
+		}
+		return info
+	}
+
+	// 3. Check for roothash= parameter (direct hash specification)
+	if strings.Contains(cmdline, "roothash=") {
+		info.Enabled = true
+		info.Method = "roothash-parameter"
+		info.Notes = append(info.Notes, "roothash= parameter found in cmdline")
+
+		for _, part := range strings.Fields(cmdline) {
+			if strings.HasPrefix(part, "root=") {
+				info.RootDevice = strings.TrimPrefix(part, "root=")
+				break
+			}
+		}
+
+		if hashPartIdx >= 0 {
+			info.Notes = append(info.Notes, fmt.Sprintf("Hash partition present at index %d", hashPartIdx))
+		}
+		return info
+	}
+
+	// No dm-verity detected
+	return nil
+}

internal/image/imageinspect/renderer_text.go

@@ -141,6 +141,12 @@ func RenderCompareText(w io.Writer, r *ImageCompareResult, opts CompareTextOptio
 		renderEFIBinaryDiffText(w, r.Diff.EFIBinaries, "  ")
 	}
 
+	// dm-verity diff
+	if r.Diff.Verity != nil && r.Diff.Verity.Changed {
+		fmt.Fprintln(w)
+		renderVerityDiffText(w, r.Diff.Verity)
+	}
+
 	// Full mode: image metadata & volatile / meaningful remove reasons
 	if mode == "full" {
 		renderImagesBlock(w, r.From, r.To)
@@ -168,7 +174,11 @@ func RenderSummaryText(w io.Writer, summary *ImageSummary, opts TextOptions) err
 
 	// Partitions table (includes the “Partitions” header)
 	renderPartitionTable(w, summary.PartitionTable)
-
+	// dm-verity section
+	if summary.Verity != nil && summary.Verity.Enabled {
+		fmt.Fprintln(w)
+		renderVerityInfo(w, summary.Verity)
+	}
 	// Detailed per-partition filesystem blocks (ONLY ONCE)
 	for _, p := range summary.PartitionTable.Partitions {
 		if p.Filesystem == nil || isFilesystemEmpty(p.Filesystem) {
@@ -546,6 +556,69 @@ func renderPartitionTableHeader(w io.Writer, pt PartitionTableSummary) {
 	_ = tw.Flush()
 }
 
+func renderVerityInfo(w io.Writer, v *VerityInfo) {
+	fmt.Fprintln(w, "dm-verity Configuration")
+	fmt.Fprintln(w, "-----------------------")
+
+	tw := tabwriter.NewWriter(w, 0, 0, 3, ' ', 0)
+	fmt.Fprintf(tw, "Enabled:\t%t\n", v.Enabled)
+	if v.Method != "" {
+		fmt.Fprintf(tw, "Method:\t%s\n", v.Method)
+	}
+	if v.RootDevice != "" {
+		fmt.Fprintf(tw, "Root device:\t%s\n", v.RootDevice)
+	}
+	if v.HashPartition > 0 {
+		fmt.Fprintf(tw, "Hash partition:\t%d\n", v.HashPartition)
+	}
+	_ = tw.Flush()
+
+	if len(v.Notes) > 0 {
+		fmt.Fprintln(w, "Notes:")
+		for _, note := range v.Notes {
+			fmt.Fprintf(w, "  - %s\n", note)
+		}
+	}
+}
+
+func renderVerityDiffText(w io.Writer, d *VerityDiff) {
+	fmt.Fprintln(w, "dm-verity:")
+
+	if d.Added != nil {
+		fmt.Fprintln(w, "  dm-verity ENABLED:")
+		tw := tabwriter.NewWriter(w, 0, 0, 3, ' ', 0)
+		fmt.Fprintf(tw, "    Method:\t%s\n", d.Added.Method)
+		if d.Added.RootDevice != "" {
+			fmt.Fprintf(tw, "    Root device:\t%s\n", d.Added.RootDevice)
+		}
+		if d.Added.HashPartition > 0 {
+			fmt.Fprintf(tw, "    Hash partition:\t%d\n", d.Added.HashPartition)
+		}
+		_ = tw.Flush()
+		return
+	}
+
+	if d.Removed != nil {
+		fmt.Fprintln(w, "  dm-verity DISABLED")
+		fmt.Fprintf(w, "    Previous method: %s\n", d.Removed.Method)
+		return
+	}
+
+	// Field changes
+	if d.Enabled != nil {
+		fmt.Fprintf(w, "  Enabled: %t -> %t\n", d.Enabled.From, d.Enabled.To)
+	}
+	if d.Method != nil {
+		fmt.Fprintf(w, "  Method: %s -> %s\n", d.Method.From, d.Method.To)
+	}
+	if d.RootDevice != nil {
+		fmt.Fprintf(w, "  Root device: %s -> %s\n", d.RootDevice.From, d.RootDevice.To)
+	}
+	if d.HashPartition != nil {
+		fmt.Fprintf(w, "  Hash partition: %d -> %d\n", d.HashPartition.From, d.HashPartition.To)
+	}
+}
+
 func renderEFIArtifactsTable(w io.Writer, arts []EFIBinaryEvidence) {
 
 	fmt.Fprintln(w)