diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index eab1ce23e4..1af6f569de 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -488,6 +488,12 @@ disk images with `--image=` or similar:
devices when opening them. Defaults to on, set this to "0" to disable this
feature.
+* `$SYSTEMD_ALLOW_USERSPACE_VERITY` — takes a boolean, which controls whether
+ to consider the userspace Verity public key store in `/etc/verity.d/` (and
+ related directories) to authenticate signatures on Verity hashes of disk
+ images. Defaults to true, i.e. userspace signature validation is allowed. If
+ false, authentication can be done only via the kernel's internal keyring.
+
`systemd-cryptsetup`:
* `$SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE` – takes a boolean, which controls
diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml
index d4b005f876..47ec00a794 100644
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@@ -676,6 +676,17 @@
+
+ systemd.allow_userspace_verity=
+
+ Takes a boolean argument. Controls whether disk images that are Verity protected may
+ be authenticated in userspace signature checks via /etc/verity.d/ (and related
+ directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to
+ on.
+
+
+
+
systemd.hostname=
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 443cf53f52..af42cd4dcc 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -60,6 +60,7 @@
#include "openssl-util.h"
#include "os-util.h"
#include "path-util.h"
+#include "proc-cmdline.h"
#include "process-util.h"
#include "raw-clone.h"
#include "resize-fs.h"
@@ -2538,12 +2539,34 @@ static char* dm_deferred_remove_clean(char *name) {
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
+ int r;
if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
log_debug("Userspace dm-verity signature authentication disabled via flag.");
return 0;
}
+ r = getenv_bool_secure("SYSTEMD_ALLOW_USERSPACE_VERITY");
+ if (r < 0 && r != -ENXIO) {
+ log_debug_errno(r, "Failed to parse $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable, refusing userspace dm-verity signature authentication.");
+ return 0;
+ }
+ if (!r) {
+ log_debug("Userspace dm-verity signature authentication disabled via $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable.");
+ return 0;
+ }
+
+ bool b;
+ r = proc_cmdline_get_bool("systemd.allow_userspace_verity", PROC_CMDLINE_TRUE_WHEN_MISSING, &b);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to parse systemd.allow_userspace_verity= kernel command line option, refusing userspace dm-verity signature authentication.");
+ return 0;
+ }
+ if (!b) {
+ log_debug("Userspace dm-verity signature authentication disabled via systemd.allow_userspace_verity= kernel command line variable.");
+ return 0;
+ }
+
#if HAVE_OPENSSL
_cleanup_(sk_X509_free_allp) STACK_OF(X509) *sk = NULL;
_cleanup_strv_free_ char **certs = NULL;
@@ -2552,7 +2575,6 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
_cleanup_(BIO_freep) BIO *bio = NULL; /* 'bio' must be freed first, 's' second, hence keep this order
* of declaration in place, please */
const unsigned char *d;
- int r;
assert(verity);
assert(verity->root_hash);