Bug#1104488: live-boot: Segmentation fault when trying to mount filesystem.squashfs with filesystem.squashfs.verity and filesystem.squashfs.roothash

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1104488: live-boot: Segmentation fault when trying to mount filesystem.squashfs with filesystem.squashfs.verity and filesystem.squashfs.roothash
From: Richard Ulrich <richi+debian@ulrichard.ch>
Date: Thu, 01 May 2025 09:59:55 +0200
Message-id: <[🔎] 174608639542.98213.5288447745402198783.reportbug@ulrichard.aminagroup.com>
Reply-to: Richard Ulrich <richi+debian@ulrichard.ch>, 1104488@bugs.debian.org

Package: live-boot
Version: 1:20250225
Severity: normal
X-Debbugs-Cc: richi+debian@ulrichard.ch

Dear Maintainer,

We have a live DVD based on Debian that we build inside a docker container
using mmdebstrap. The whole DVD builds reproducibly. Now we want to add secureboot
and dm-verity. Secureboot looks good, but we are strugling with dm-verity.

"veritysetup format" and "veritysetup verify" seem to work fine. But when
the system boots, I always get "segmentation faults" (for trixie) or "operation
not supported" (for bookworm) when it tries to mount the verity squashfs.

The full source can be found at https://github.com/AminaBank/livedeb/
To reproduce the error, just run:
git checkout feature/verity && make iso && make run

The error happens at:
https://salsa.debian.org/live-team/live-boot/-/blob/master/components/9990-overlay.sh?ref_type=heads#L179

I found the following in boot.log

Begin: Mounting "/run/live/medium/live/filesystem.squashfs" on "/run/live/rootfs/filesystem.squashfs" via "/dev/loop0" ... + return 0
+ mount -t squashfs -o ro,noatime -o 'verity.hashdevice=/dev/loop1' -o 'verity.roothashfile=/run/live/medium/live/filesystem.squashfs.roothash' -o 'verity.oncorruption=panic' /dev/loop0 /run/live/rootfs/filesystem.squashfs
Segmentation fault
+ panic 'Can not mount /dev/loop0 (/run/live/medium/live/filesystem.squashfs) on /run/live/rootfs/filesystem.squashfs'


-- Package-specific info:

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.22-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages live-boot depends on:
ii  live-boot-initramfs-tools [live-boot-backend]  1:20250225

Versions of packages live-boot recommends:
ii  live-boot-doc  1:20250225
ii  live-tools     1:20240525
ii  rsync          3.4.1+ds1-3
ii  uuid-runtime   2.41-4

Versions of packages live-boot suggests:
ii  cryptsetup  2:2.7.5-1
pn  curlftpfs   <none>
pn  httpfs2     <none>
ii  wget        1.25.0-2

-- no debconf information

Reply to:

Next by Date: Upcoming stable point release: 12.11
Next by thread: Upcoming stable point release: 12.11
Index(es):
- Date
- Thread