From 8f948e28dd82421da601a16de03ee6f6f97c8b60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@northflank.com>
Date: Fri, 22 Aug 2025 20:42:07 +0200
Subject: [PATCH] initramfs: Enforce --panic-on-corruption for veritysetup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's enforce an error on veritysetup in case there's any tampering with
the rootfs.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
---
 tools/packaging/static-build/initramfs/init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/packaging/static-build/initramfs/init.sh b/tools/packaging/static-build/initramfs/init.sh
index 302ff475b2..6a55503a39 100755
--- a/tools/packaging/static-build/initramfs/init.sh
+++ b/tools/packaging/static-build/initramfs/init.sh
@@ -48,7 +48,7 @@ then
 		exit 1
 	fi
 
-	veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
+	veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}"
 	mount /dev/mapper/root /mnt
 else
 	echo "No LUKS device found"