authorLuca Boccassi <luca.boccassi@microsoft.com>2020-06-04 17:41:28 +0100
committerLuca Boccassi <luca.boccassi@microsoft.com>2020-06-25 08:44:49 +0100
commit035e8e50d73a0e5427149bbe50a426dd84ece178 (patch)
tree254df68cd1dd6c14a5f8a23b7192f5d43ae5734d /src/veritysetup
parente60d3b13df2559d644e9ce44f5296b4cc3cc45f1 (diff)
downloadsystemd-035e8e50d73a0e5427149bbe50a426dd84ece178.tar.gz
veritysetup: add support for dm-verity root hash signature
Since cryptsetup 2.3.0, a new API is available to verify dm-verity volumes by a PKCS#7 signature, with the public key in the kernel keyring. Use it in the veritysetup helper binary if libcryptsetup supports it.
Diffstat (limited to 'src/veritysetup')
-rw-r--r--src/veritysetup/veritysetup.c27
1 files changed, 25 insertions, 2 deletions
diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c
index 9c2fe9a1b4..465d194b40 100644
--- a/src/veritysetup/veritysetup.c
+++ b/src/veritysetup/veritysetup.c
@@ -6,9 +6,11 @@
#include "alloc-util.h"
#include "crypt-util.h"
+#include "fileio.h"
#include "hexdecoct.h"
#include "log.h"
#include "main-func.h"
+#include "path-util.h"
#include "pretty-print.h"
#include "string-util.h"
#include "terminal-util.h"
@@ -29,7 +31,7 @@ static int help(void) {
if (r < 0)
return log_oom();
- printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH\n"
+ printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [ROOTHASHSIG]\n"
"%s detach VOLUME\n\n"
"Attaches or detaches an integrity protected block device.\n"
"\nSee the %s for details.\n"
@@ -87,7 +89,28 @@ static int run(int argc, char *argv[]) {
if (r < 0)
return log_error_errno(r, "Failed to configure data device: %m");
- r = crypt_activate_by_volume_key(cd, argv[2], m, l, CRYPT_ACTIVATE_READONLY);
+ if (argc > 6) {
+#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
+ _cleanup_free_ char *hash_sig = NULL;
+ size_t hash_sig_size;
+ char *value;
+
+ if ((value = startswith(argv[6], "base64:"))) {
+ r = unbase64mem(value, strlen(value), (void *)&hash_sig, &hash_sig_size);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]);
+ } else {
+ r = read_full_file_full(AT_FDCWD, argv[6], 0, &hash_sig, &hash_sig_size);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read root hash signature: %m");
+ }
+
+ r = crypt_activate_by_signed_key(cd, argv[2], m, l, hash_sig, hash_sig_size, CRYPT_ACTIVATE_READONLY);
+#else
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature %s requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()", argv[6]);
+#endif
+ } else
+ r = crypt_activate_by_volume_key(cd, argv[2], m, l, CRYPT_ACTIVATE_READONLY);
if (r < 0)
return log_error_errno(r, "Failed to set up verity device: %m");
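Review bot: In the `argc > 6` branch, `hash_sig` and `hash_sig_size` go straight to `crypt_activate_by_signed_key()` with no length check after either the `unbase64mem()` path or the `read_full_file_full()` path, so a bare `base64:` argument or an empty signature file would presumably reach the library as a zero-length signature. How libcryptsetup handles that case is not visible in this hunk, so once a signature has been requested the helper should fail closed itself, e.g. `if (hash_sig_size == 0) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Root hash signature is empty.");` placed before the activation call. The file-read error message also omits the path, unlike the base64 branch; `"Failed to read root hash signature file '%s': %m", argv[6]` would make failures easier to triage. run() starts and continues outside the hunk.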