author | Lennart Poettering <lennart@poettering.net> | 2021-09-09 17:55:36 +0200 |
committer | Lennart Poettering <lennart@poettering.net> | 2021-09-28 17:03:31 +0200 |
commit | c2fa92e7e8907d9658646595261fa2d3433e6e4b (patch) | |
tree | 770cf1806ec34eea966caf8c7a3a1c8f628b07f6 /src/shared/openssl-util.h | |
parent | d5fcc5b0532269d2450ed15a2bddca937f123ea9 (diff) | |
dissect-image: optionally, validate dm-verity signatures in userspace
Getting certificates for dm-verity roothash signing into the trusted
kernel keychain is a royal PITA (means recompiling or rebooting with
shim), hence let's add a minimal userspace PKCS7 validation as well.
The mechanism is really simple and compatible with the verification the
kernel does. The only difference is that the certificates are searched
in /etc/verity.d/*.crt (and similar dirs in /usr/lib/, …).
We'll first try validation by passing the PKCS#7 data to the kernel, but
if that doesn't work we'll see if one of the certificates found that way
works and then attempt to attach the image without passing the PKCS#7
data to the kernel.
This makes it very easy to have fully validated GPT disk images. For
example, just copy the 'mkosi.secure-boot.crt' file you have in your
mkosi build dir to /etc/verity.d/ and things should just work.
Diffstat (limited to 'src/shared/openssl-util.h')
-rw-r--r-- | src/shared/openssl-util.h | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index e6c2bd9310..66441c232c 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -4,13 +4,26 @@
#include "macro.h"
#if HAVE_OPENSSL
+# include <openssl/bio.h>
# include <openssl/evp.h>
-# include <openssl/x509.h>
+# include <openssl/pkcs7.h>
+# include <openssl/ssl.h>
+# include <openssl/x509v3.h>
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
+
+static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
+ if (!sk || !*sk)
+ return;
+
+ sk_X509_pop_free(*sk, X509_free);
+}
int rsa_encrypt_bytes(EVP_PKEY *pkey, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size);
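Review bot: `sk_X509_free_allp` frees the stack but leaves `*sk` pointing at freed memory, whereas the neighbouring cleanup helpers generated by `DEFINE_TRIVIAL_CLEANUP_FUNC_FULL` — if I remember that macro in macro.h correctly — reset the pointer to the empty value after freeing; adding `*sk = NULL;` after the `sk_X509_pop_free(*sk, X509_free);` call makes this helper behave the same way and keeps any later explicit free of the same variable from becoming a double free. The function also deserves a one-line comment making the ownership explicit, since choosing `sk_X509_pop_free` over `sk_X509_free` is the whole point: `/* Frees the stack and every X509 it holds; use for stacks that own their certificates. */`. The whole function sits inside the hunk.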