path: root/src/veritysetup
Commit message | Author | Age | Files | Lines (-removed/+added)

* veritysetup: add support for fec options
  Gaël PORTAY, 2023-04-13, 1 file, -0/+47

  The verity fec_* parameters allow using Forward Error Correction to recover from corruption if hash verification fails.

  This adds the options fec_device, fec_offset and fec_roots (sixth argument), which are the equivalent of the options --fec-device, --fec-offset and --fec-roots in the veritysetup world.

  - fec-device=FILE
  - fec-offset=BYTES
  - fec-roots=UINT64

  See `veritysetup(8)` for more details.

* veritysetup: add support for superblock and underlying options
  Gaël PORTAY, 2023-04-13, 1 file, -6/+132

  The verity parameter no_superblock allows formatting/opening a hash device without the superblock. However, the superblock data must be set to open the data device.

  This adds the option superblock (sixth argument) and all the underlying options which are implied to set the superblock manually if the hash device has no superblock:

  - superblock=BOOL
  - format=NUMBER (hash version type, 0 for original ChromeOS, 1 for modern)
  - data-block-size=BYTES (max page-size, multiple of 512)
  - hash-block-size=BYTES (max page-size, multiple of 512)
  - data-blocks=BLOCKS (size of data-device in blocks)
  - salt=HEXSTR (salt used at format, max 256 bytes)
  - uuid=UUID
  - hash=STR (algorithm name for dm-verity used at format, default is sha256)

  See `veritysetup(8)` for more details.

* veritysetup: add support for hash-offset option
  Gaël PORTAY, 2023-04-13, 1 file, -2/+17

  The verity parameter hash_area_offset allows locating the superblock in the hash device. It can be used to have a single device which contains both data and hashes.

  This adds the option hash-offset=BYTES (sixth argument), which is the equivalent of the option --hash-offset in the veritysetup world.

  See `veritysetup(8)` for more details.

* veritysetup: fix memory corruption
  Lennart Poettering, 2022-04-02, 1 file, -5/+11

  We must copy the option string, since in one case we are called with a pointer into dynamic memory that will be freed by the caller.

  As discussed here: https://github.com/systemd/systemd/pull/22908/files#r839394490

  Follow-up for: #22908

* tree-wide: unify some code that looks for --help in the command line
  Lennart Poettering, 2022-03-31, 1 file, -4/+2

* veritysetup: do some superficial checking on volume name
  Lennart Poettering, 2022-03-31, 1 file, -0/+6

  cryptsetup does this too, so let's better be safe here, too.

* veritysetup: mangle option strings like in cryptsetup
  Lennart Poettering, 2022-03-31, 1 file, -2/+2

* veritysetup: give command line parameters proper names
  Lennart Poettering, 2022-03-31, 1 file, -15/+28

  Accessing the various arguments always through argv[] is nasty, since it's not obvious what we are talking about here. Let's give things nice names.

  We did the same in cryptsetup a while back.

* veritysetup: fix parsing of root-hash-signature= option
  Zbigniew Jędrzejewski-Szmek, 2022-03-30, 1 file, -34/+17

  The function was named confusingly and we managed to confuse ourselves. The parameter was assigned incorrectly and then reassigned correctly in the caller. Let's simplify the whole thing by just saving the optarg param.

  I considered moving the unhexmemming and/or reading of the file to the parse function, but decided against it. I think it's nicer to parse all options before opening external files.
* veritysetup: fix typo (#22886)
  Gaël PORTAY, 2022-03-29, 1 file, -1/+1

* veritysetup: whitespace fix
  Lennart Poettering, 2022-02-14, 1 file, -1/+1

* sd128: export sd_id128_to_uuid_string()
  Lennart Poettering, 2022-02-14, 1 file, -2/+2

  We expose various other forms of UUID helpers already, i.e. SD_ID128_UUID_FORMAT_STR and SD_ID128_MAKE_UUID_STR(), and we parse UUIDs, hence add a high-level helper for formatting UUIDs too.

  This doesn't add any new code, it just moves some helpers id128-util.[ch] → sd-id128.[ch], to make them public.

* veritysetup-generator: generate service for usr device
  Mark Boudreau, 2021-11-19, 1 file, -54/+139

  If 'usrhash' is present as a kernel command line parameter, generate a veritysetup service for usr. Also recognize systemd.verity_usr_* parameters.

* dm-verity: Remove usage of integrity
  Tony Asleson, 2021-10-14, 2 files, -2/+2

  There is a difference between dm-verity and dm-integrity. Remove usage of integrity from verity documentation in man pages and target files.

* tree-wide: port everything over to new sd-id128 compound literal bliss
  Lennart Poettering, 2021-08-20, 1 file, -3/+2

* man: describe veritysetup command syntax
  Zbigniew Jędrzejewski-Szmek, 2021-08-03, 1 file, -1/+1

  It makes it easier to diagnose what the generated units actually do.

* veritysetup: print help for --help/-h/help
  Zbigniew Jędrzejewski-Szmek, 2021-08-03, 1 file, -1/+4

  In general our commands print help on --help, but here this would trigger the error that two arguments are needed. Let's make this more user-friendly.

* cryptsetup: explicitly set default log functions wherever needed
  Lennart Poettering, 2021-06-01, 1 file, -0/+2

  Code using libcryptsetup already sets the global log function if it uses dlopen_cryptsetup(). Make sure we do the same for the three programs that explicitly link against libcryptsetup and hence do not use dlopen_cryptsetup().

* tree-wide: coccinelle fixes
  Frantisek Sumsal, 2021-03-18, 1 file, -1/+1

  Another batch of fixes (mostly) generated by Coccinelle.

* tree-wide: enable colorized logging for daemons when run in console
  Yu Watanabe, 2021-02-01, 1 file, -1/+1

  It may be useful when debugging daemons.

* tree-wide: Drop custom formatting for print() help messages
  Daan De Meyer, 2021-01-31, 1 file, -5/+4

  I think this formatting was originally used because it simplified adding new options to the help messages. However, these days, most tools' help messages end with "\nSee the %s for details.\n" so the final line almost never has to be edited, which eliminates the benefit of the custom formatting used for printf() help messages.

  Let's make things more consistent and use the same formatting for printf() help messages that we use everywhere else.

  Prompted by https://github.com/systemd/systemd/pull/18355#discussion_r567241580

* veritysetup-generator: drop unused struct and variable
  Yu Watanabe, 2021-01-19, 1 file, -18/+2

  Follow-ups for 08b04ec7e72b7327b4803809732b1b8fce8dd069.

  This also drops an unnecessary inclusion.

  Fixes CID#1443889.

* veritysetup: remove unused globals
  Gaël PORTAY, 2021-01-15, 1 file, -6/+0

  This removes the three global variables arg_root_hash, arg_data_what and arg_hash_what which were present since the beginning but were never used.

* veritysetup-generator: add support for veritytab
  Gaël PORTAY, 2021-01-15, 2 files, -6/+230

  This adds the support for veritytab.

  The veritytab file contains at most five fields, the first four are mandatory, the last one is optional:

  - The first field contains the name of the resulting verity volume; its block device is set up below /dev/mapper/.
  - The second field contains a path to the underlying block data device, or a specification of a block device via UUID= followed by the UUID.
  - The third field contains a path to the underlying block hash device, or a specification of a block device via UUID= followed by the UUID.
  - The fourth field is the roothash in hexadecimal.
  - The fifth field, if present, is a comma-delimited list of options. Only the following options are recognized: ignore-corruption, restart-on-corruption, panic-on-corruption, ignore-zero-blocks, check-at-most-once and root-hash-signature. The other options will be implemented later.

  Also, this adds support for the new kernel verity command line boolean option "veritytab" which enables reading veritytab, and the new environment variable SYSTEMD_VERITYTAB which sets the path to the veritytab file to read.
* veritysetup-generator: add support for verity root options
  Gaël PORTAY, 2021-01-14, 1 file, -4/+22

  This adds support for a new kernel root verity command line option "verity_root_options=" which controls the behaviour of dm-verity by forwarding options directly to systemd-veritysetup.

  See `veritysetup(8)` for more details.

* veritysetup: add support for dm-verity options
  Gaël PORTAY, 2021-01-14, 1 file, -7/+100

  This patch allows controlling the behaviour of dm-verity by reusing the fifth argument that was used to set the roothash signature.

  That argument is now a comma-separated list of dm-verity options in the given format: option[=value]. The option is the name of the long option in the world of veritysetup.

  See `veritysetup(8)` for more details.

  Note: The former ROOTHASHSIG positional argument is now deprecated in favour of the option root-hash-signature=(base64:SIG|FILE). However, the previous format is maintained and a warning is logged.
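An added example, not systemd's own code: a Python parser for the veritytab format described in the veritytab commit above, and for the comma-separated option[=value] list introduced in this commit, covering the root-hash-signature=(base64:SIG|FILE) form plus the hash-offset, superblock and fec options added by the 2023 commits at the top of this log. It applies the checks those commit messages state (multiples of 512, page-size ceiling, 256-byte salt cap, format 0 or 1) and one that follows from them: the root hash must have the digest length of the configured hash algorithm. The 4096-byte page size, the volume-name rule, the boolean spellings and the sample file are this example's assumptions.

```python
import base64
import hashlib
import uuid as uuidlib

PAGE_SIZE = 4096  # assumption; the real ceiling is the running kernel's page size
FLAG_OPTIONS = {"ignore-corruption", "restart-on-corruption", "panic-on-corruption",
                "ignore-zero-blocks", "check-at-most-once"}  # options without a value

def _uint(v, lo=0, hi=None, mult=1):
    n = int(v, 0)  # decimal or 0x..., like the veritysetup CLI
    if n < lo or (hi is not None and n > hi) or n % mult:
        raise ValueError(f"value {v} out of range")
    return n

def _salt(v):
    raw = bytes.fromhex(v)  # ValueError on non-hex input
    if len(raw) > 256:
        raise ValueError("salt longer than 256 bytes")
    return raw

def _hash_name(v):
    hashlib.new(v)  # ValueError if the algorithm is unknown
    return v

def _bool(v):  # assumption: the spellings systemd's parse_boolean() accepts
    if v.lower() in ("1", "yes", "y", "true", "t", "on"):
        return True
    if v.lower() in ("0", "no", "n", "false", "f", "off"):
        return False
    raise ValueError(f"not a boolean: {v}")

def _signature(v):
    # root-hash-signature=(base64:SIG|FILE): inline PKCS#7 blob, or a file read later
    if v.startswith("base64:"):
        return ("blob", base64.b64decode(v[len("base64:"):], validate=True))
    if not v.startswith("/"):
        raise ValueError("signature must be base64:... or an absolute path")
    return ("file", v)

VALUE_OPTIONS = {
    "root-hash-signature": _signature,
    "hash-offset": _uint,                                      # hash-offset commit
    "superblock": _bool, "format": lambda v: _uint(v, 0, 1),   # superblock commit
    "data-block-size": lambda v: _uint(v, 512, PAGE_SIZE, 512),
    "hash-block-size": lambda v: _uint(v, 512, PAGE_SIZE, 512),
    "data-blocks": lambda v: _uint(v, 1), "salt": _salt,
    "uuid": lambda v: str(uuidlib.UUID(v)), "hash": _hash_name,
    "fec-device": str, "fec-offset": _uint, "fec-roots": _uint,  # fec commit
}

def parse_options(optstr):
    """'option[=value],...' -> dict. Unknown names and misuse are errors, not ignored."""
    opts = {}
    for item in filter(None, optstr.split(",")):
        name, sep, value = item.partition("=")
        if name in FLAG_OPTIONS and not sep:
            opts[name] = True
        elif name in VALUE_OPTIONS and sep:
            opts[name] = VALUE_OPTIONS[name](value)
        else:
            raise ValueError(f"bad dm-verity option: {item}")
    return opts

def _device(spec):  # absolute path, or UUID=<uuid> naming the block device
    if spec.startswith("UUID="):
        return ("uuid", str(uuidlib.UUID(spec[5:])))
    if spec.startswith("/"):
        return ("path", spec)
    raise ValueError(f"bad device spec: {spec}")

def parse_veritytab_line(line):
    """name data-dev hash-dev roothash [options]; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) not in (4, 5):
        raise ValueError("veritytab entries have four or five fields")
    name, data, hashdev, roothash = fields[:4]
    if "/" in name or name in (".", ".."):  # it becomes /dev/mapper/<name>
        raise ValueError(f"bad volume name: {name}")
    opts = parse_options(fields[4]) if len(fields) == 5 else {}
    digest = bytes.fromhex(roothash)
    want = hashlib.new(opts.get("hash", "sha256")).digest_size
    if len(digest) != want:  # a root hash of the wrong length can never verify
        raise ValueError(f"root hash is {len(digest)} bytes, {want} expected")
    return {"name": name, "data": _device(data), "hash": _device(hashdev),
            "roothash": digest, "options": opts}

def parse_veritytab(text):
    return [e for e in map(parse_veritytab_line, text.splitlines()) if e]

# Constructed sample; the root hashes are placeholders, not real digests.
SAMPLE_VERITYTAB = """\
# name  data-device                                hash-device  roothash  options
root    UUID=7f1ea3d8-3a6b-4cc0-9cfa-2c5fcbd9b6e1  /dev/sda3    {h}  panic-on-corruption,root-hash-signature=base64:c2ln
usr     /dev/sda4  /dev/sda4  {h}  hash-offset=0x10000,superblock=no,data-block-size=4096,hash-block-size=4096,data-blocks=1024,salt=00ff,fec-device=/dev/sda5,fec-roots=2
""".format(h="0123456789abcdef" * 4)
```

The second sample line is the single-device layout the hash-offset commit describes (data and hashes on /dev/sda4, hash area at 0x10000) with the superblock fields supplied by hand. Unknown option names are rejected rather than skipped: silently dropping a misspelt panic-on-corruption would leave the volume with the default behaviour on corruption, which is the opposite of what the operator asked for.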
* veritysetup: also place udev socket dep
  Lennart Poettering, 2020-12-10, 1 file, -1/+1

  In light of #17848, also place udev socket dep in veritysetup, it's the same issue after all.

* fileio: teach read_full_file_full() to read from offset/with maximum size
  Lennart Poettering, 2020-12-01, 1 file, -1/+5

* license: LGPL-2.1+ -> LGPL-2.1-or-later
  Yu Watanabe, 2020-11-09, 2 files, -2/+2

* fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name
  Lennart Poettering, 2020-11-03, 1 file, -1/+1

  This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of read_full_file_full() a bit: when used a sender socket name may be specified. If specified as NULL behaviour is as before: the client socket name is picked by the kernel. But if specified as non-NULL the client can pick a socket name to use when connecting. This is useful to communicate a minimal amount of metainformation from client to server, outside of the transport payload.

  Specifically, this beefs up the service credential logic to pass an abstract AF_UNIX socket name as client socket name when connecting via READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name and the eventual credential name. This allows servers implementing the trivial credential socket logic to distinguish clients: via a simple getpeername() it can be determined which unit is requesting a credential, and which credential specifically.

  Example: with this patch in place, in a unit file "waldo.service" a configuration line like the following:

      LoadCredential=foo:/run/quux/creds.sock

  will result in a connection to the AF_UNIX socket /run/quux/creds.sock, originating from an abstract namespace AF_UNIX socket:

      @$RANDOM/unit/waldo.service/foo

  (The $RANDOM is replaced by some randomized string. This is included in the socket name in order to avoid namespace squatting issues: the abstract socket namespace is open to unprivileged users after all, and care needs to be taken not to use guessable names.)

  The services listening on the /run/quux/creds.sock socket may thus easily retrieve the name of the unit the credential is requested for plus the credential name, via a simple getpeername(), discarding the random prefix and the /unit/ string.

  This logic uses "/" as separator between the fields, since both unit names and credential names appear in the file system, and thus are designed to use "/" as outer separators. Given that, it's a good, safe choice to use as separator here too, to avoid any conflicts.

  This is a minimal patch only: the new logic is used only for the unit file credential logic. For other places where we use READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this scheme too, but this should be done carefully in later patches, since the socket names become API that way, and we should determine the right amount of info to pass over.
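The exchange described in this commit, as an added example that is not systemd's code: a credential server that recovers (unit, credential) from the client's abstract socket name as returned by accept(), and a client that binds such a name before connecting, the way a LoadCredential= socket lookup does. The in-memory credential store, the temporary socket path standing in for /run/quux/creds.sock, the 16-byte random prefix and the Linux-only guard are this example's assumptions.

```python
import os
import secrets
import shutil
import socket
import sys
import tempfile

def client_socket_name(unit, credential):
    """Abstract name '@<random>/unit/<unit>/<credential>'; the leading NUL marks it abstract."""
    if "/" in unit or "/" in credential:
        raise ValueError("unit and credential names never contain '/'")
    # assumption: 16 random bytes are enough to keep the name unguessable
    name = b"\0" + f"{secrets.token_hex(16)}/unit/{unit}/{credential}".encode()
    if len(name) > 107:  # sun_path limit on Linux
        raise ValueError("socket name too long")
    return name

def parse_peer_name(peer):
    """Undo the scheme on what accept()/getpeername() returned: (unit, credential) or None."""
    if not isinstance(peer, bytes) or peer[:1] != b"\0":
        return None  # pathname socket or an unbound client: nothing to learn here
    parts = peer[1:].decode(errors="replace").split("/")
    if len(parts) != 4 or parts[1] != "unit" or not parts[2] or not parts[3]:
        return None
    return parts[2], parts[3]

# Constructed sample credential store, keyed by (unit, credential name).
CREDENTIALS = {("waldo.service", "foo"): b"hunter2\n"}

def serve_one(listener):
    """Accept one client; hand out the credential only for a recognized (unit, name)."""
    conn, peer = listener.accept()
    with conn:
        who = parse_peer_name(peer)
        secret = CREDENTIALS.get(who) if who else None
        if secret is not None:
            conn.sendall(secret)
    return who  # an unknown requester just sees EOF

def roundtrip(unit, credential):
    """Client side of LoadCredential=<credential>:<socket>; returns (who the server saw, data)."""
    if sys.platform != "linux":
        return None  # abstract AF_UNIX names exist only on Linux
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "creds.sock")  # stands in for /run/quux/creds.sock
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv, \
             socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            srv.bind(path)
            srv.listen(1)
            cli.bind(client_socket_name(unit, credential))  # bind before connect
            cli.connect(path)
            who = serve_one(srv)
            data = cli.recv(4096)
        return who, data
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    print(roundtrip("waldo.service", "foo"))   # (('waldo.service', 'foo'), b'hunter2\n')
    print(roundtrip("evil.service", "foo"))    # (('evil.service', 'foo'), b'')
```

The peer name is metadata the client chose for itself. The random prefix stops another unprivileged process from squatting the exact name ahead of the real client, but nothing stops any process that can reach the server socket from binding a name claiming to be waldo.service, so the server learns which unit says it is asking, not proof of it. A server that hands out secrets on that basis should additionally check SO_PEERCRED (pid/uid) or restrict who can connect to the listening path.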
* shared: rename crypt-util.c → cryptsetup-util.c
  Lennart Poettering, 2020-09-02, 1 file, -1/+1

  "crypt-util.c" is such a generic name, let's avoid that, in particular as libc's/libcrypt's crypt() function is so generically named too that one might think this is about that. Let's hence be more precise, and make clear that this is about cryptsetup, and nothing else.

  We already had cryptsetup-util.[ch] in src/cryptsetup/ doing keyfile management. To avoid the needless confusion, let's rename that file to cryptsetup-keyfile.[ch].

* tree-wide: enable/disable libcryptsetup debug output depending on our level
  Luca Boccassi, 2020-08-14, 1 file, -2/+2

  Avoid always setting to debug, as it will incur many more callbacks from libcryptsetup that then get discarded, wasting resources.

* tree-wide: use READ_FULL_FILE_CONNECT_SOCKET at various places
  Lennart Poettering, 2020-07-21, 1 file, -1/+1

  Let's use the new flag wherever we read key material/passphrases/hashes off disk, so that people can plug in their own IPC service as backend if they like, easily.

  (My main goal was actually to support this for crypttab key files — i.e. that you can specify AF_UNIX sockets as third column in crypttab — but that's harder to implement, since the keys are read via libcryptsetup's API, not ours.)

* veritysetup: add support for dm-verity root hash signature
  Luca Boccassi, 2020-06-25, 1 file, -2/+25

  Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a pkcs7 signature, with the public key in the kernel keyring, is available. Use it if libcryptsetup supports it in the veritysetup helper binary.
* id128: introduce ID128_UUID_STRING_MAX for sizing UUID buffers
  Lennart Poettering, 2019-12-10, 1 file, -1/+1

* tree-wide: replace strjoin() with path_join()
  Yu Watanabe, 2019-06-24, 1 file, -2/+3

* generators: define custom main func definer and use it where applicable
  Zbigniew Jędrzejewski-Szmek, 2018-12-12, 1 file, -14/+4

  There should be no functional difference, except that the error message is changed from "three or no arguments" to "zero or three arguments". Somehow the inverted form always seemed strange.

  umask() call is also dropped from run-generator. I think it wasn't dropped in 053254e3cb215df3b8c905bc39b920f8817e1c7d because the run generator was merged around the same time.

* generators: configure logging before the first use
  Zbigniew Jędrzejewski-Szmek, 2018-12-12, 1 file, -2/+2

* veritysetup-generator: use static destructors and define main through macro
  Yu Watanabe, 2018-11-23, 1 file, -23/+17

* veritysetup-generator: make arg_dest const
  Yu Watanabe, 2018-11-23, 1 file, -1/+1

* veritysetup: use static destructors and define main through macro
  Yu Watanabe, 2018-11-23, 1 file, -58/+33

  This also changes the return value when crypt_init_by_name() fails in 'detach'.

* generators: drop umask calls
  Zbigniew Jędrzejewski-Szmek, 2018-11-21, 1 file, -2/+0

  systemd already sets the umask (see e3b8d0637dd755b3426f3363b2cdad63f738116c). When running under systemd, we don't need to set it. And when *not* running under systemd, for example during development, there is no reason to override the user config. Let's just drop those calls.

      $ git grep -e 'umask\(' -l 'src/*generator*' |xargs perl -i -0pe 's|^[^\n]*umask\([^\n]+\n\n||gms'

* Split out pretty-print.c and move pager.c and main-func.h to shared/
  Zbigniew Jędrzejewski-Szmek, 2018-11-20, 1 file, -0/+1

  This is high-level functionality, and fits better in shared/ (which is for our executables), than in basic/ (which is also for libraries).

* Merge pull request #10850 from poettering/log-setup
  Zbigniew Jędrzejewski-Szmek, 2018-11-20, 2 files, -7/+2

  reduce some logging boilerplate

  * log: introduce new helper call log_setup_service()
    Lennart Poettering, 2018-11-20, 1 file, -3/+1

    Let's reduce the common boilerplate and have a single setup function used by all service code to setup logging.

  * generators: introduce a common implementation for the log setup boilerplate
    Lennart Poettering, 2018-11-20, 1 file, -4/+1

* veritysetup-generator: treat '-' and '_' as equivalent
  Zbigniew Jędrzejewski-Szmek, 2018-11-20, 1 file, -4/+4

* tree-wide: add clickable man page link to all --help texts
  Lennart Poettering, 2018-08-20, 1 file, -3/+14

  This is a bit like the info link in most of GNU's --help texts, but we don't do info but man pages, and we make them properly clickable on terminals supporting that, because awesome.

  I think it's generally advisable to link up our (brief) --help texts and our (more comprehensive) man pages a bit, so this should be an easy and straight-forward way to do it.

* tree-wide: remove Lennart's copyright lines
  Lennart Poettering, 2018-06-14, 2 files, -6/+0

  These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.

* tree-wide: drop 'This file is part of systemd' blurb
  Lennart Poettering, 2018-06-14, 2 files, -4/+0

  This part of the copyright blurb stems from the GPL use recommendations:

  https://www.gnu.org/licenses/gpl-howto.en.html

  The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together. Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that.

  Hence, let's just get rid of this old cruft, and shorten our codebase a bit.