From d056fb20fea6ccb32b05799cc8cb8bca2076d2ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 22 Aug 2025 20:42:07 +0200
Subject: [PATCH 1/2] initramfs: Enforce --panic-on-corruption for veritysetup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's enforce an error on veritysetup in case there's any tampering with the rootfs.

Signed-off-by: Fabiano FidĂȘncio
---
 tools/packaging/static-build/initramfs/init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/packaging/static-build/initramfs/init.sh b/tools/packaging/static-build/initramfs/init.sh
index 302ff475b2..6a55503a39 100755
--- a/tools/packaging/static-build/initramfs/init.sh
+++ b/tools/packaging/static-build/initramfs/init.sh
@@ -48,7 +48,7 @@
 then
 exit 1
 fi
- veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
+ veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}"
 mount /dev/mapper/root /mnt
 else
 echo "No LUKS device found"

From 96108006f21f4bf2b6050cde8a24ce28b8ce8572 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 22 Aug 2025 20:32:52 +0200
Subject: [PATCH 2/2] agent: Panic on errors accessing the attestation agent binary
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's make sure that whenever we try to access the attestation agent binariy, we only proceed the startup in case:
* the binary is found (CoCo case)
* the binary is not present (non-CoCo case)

In case any error that's not `NotFound`, we should simply abort as that could mean a potential tampering with the binary (which would be reported as an EIO).

Signed-off-by: Fabiano FidĂȘncio
---
 src/agent/src/main.rs | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 288c9a0d79..4a7d3828d9 100644
--- a/src/agent/src/main.rs
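Review bot: The exit status of the new `veritysetup open --panic-on-corruption …` line is still not checked, so if the open fails (a root hash that veritysetup rejects, or a veritysetup/kernel that does not implement `panic_on_corruption`, which makes the option itself an error) the script falls through to `mount /dev/mapper/root /mnt`; the surrounding code uses an explicit `exit 1` rather than visibly relying on `set -e`, which, if present, is outside the hunk. Suggest `veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}" || { echo "veritysetup open failed"; exit 1; }` so a rejected or unsupported open fails closed instead of continuing into `mount`. A one-line comment would also help the next reader, e.g. `# --panic-on-corruption: a corrupted block is only detected when it is read; a wrong root hash is rejected at open time`, since the two are different failure paths with different observable behaviour. The enclosing if/else block starts outside the hunk.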
+++ b/src/agent/src/main.rs
@@ -30,6 +30,7 @@ use nix::unistd::{self, dup, sync, Pid};
 use std::env;
 use std::ffi::OsStr;
 use std::fs::{self, File};
+use std::io::ErrorKind;
 use std::os::unix::fs::{self as unixfs, FileTypeExt};
 use std::os::unix::io::AsRawFd;
 use std::path::Path;
@@ -465,8 +466,17 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
 _ => vec![],
 };
 for binary in binaries.iter() {
- if !Path::new(binary).exists() {
- warn!(logger, "{} not found", binary);
+ let exists = Path::new(binary).try_exists().unwrap_or_else(|error| {
+ match error.kind() {
+ ErrorKind::NotFound => {
+ warn!(logger, "{} not found", binary);
+ false
+ },
+ _ => panic!("Path existence check failed for '{}': {}", binary, error)
+ }
+ });
+
+ if !exists {
 return false;
 }
 }
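Review bot: The `ErrorKind::NotFound` arm in the new closure is unreachable, and with it the "not found" warning: `Path::try_exists` maps a missing path to `Ok(false)` and only returns `Err` when existence cannot be determined (EACCES, EIO, …), so a missing binary now reaches `return false` without the log line the old `exists()` branch emitted. The match should be on the `Result` itself, treating every `Err` as the fail-closed case and moving the warning to the `Ok(false)` branch; `use std::io::ErrorKind` then becomes unused and should be dropped from the first hunk, or clippy `-D warnings` will flag it. Note also that `try_exists` follows symlinks, so a dangling symlink at the binary path is reported as `Ok(false)` and accepted as the non-CoCo case rather than treated as tampering — if the path is not itself on the dm-verity-protected rootfs (not visible here), `fs::symlink_metadata` plus a regular-file check is the stricter test. The function's opening, including the `match procs` that builds `binaries`, is outside the hunk.
```rust
    for binary in binaries.iter() {
        // Fail closed: any answer other than a definite "exists"/"does not exist"
        // (EACCES, EIO from a corrupted block, ...) aborts startup.
        let exists = match Path::new(binary).try_exists() {
            Ok(exists) => exists,
            Err(error) => panic!("Path existence check failed for '{}': {}", binary, error),
        };
        if !exists {
            warn!(logger, "{} not found", binary);
            return false;
        }
    }
```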