diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-09-09 11:43:13 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-09-28 17:02:27 +0200 |
| commit | 8ee9615e10f449dcabbd5e27c960c26857943832 (patch) | |
| tree | a05a03b7b1e87fc16cdc37ca56bb24ddb10f8f26 /src/shared/dissect-image.h | |
| parent | 1420cfb4b407b3258fd47614a820b246d1f0163a (diff) | |
| download | systemd-8ee9615e10f449dcabbd5e27c960c26857943832.tar.gz | |
dissect-image: discover verity signature partitions
This doesn't make use of the discovered partitions yet, but it finds
them at least.
Diffstat (limited to 'src/shared/dissect-image.h')
| -rw-r--r-- | src/shared/dissect-image.h | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h index 55c8f29c28..84b14cae80 100644 --- a/src/shared/dissect-image.h +++ b/src/shared/dissect-image.h @@ -44,6 +44,10 @@ typedef enum PartitionDesignator { PARTITION_ROOT_SECONDARY_VERITY, /* verity data for the PARTITION_ROOT_SECONDARY partition */ PARTITION_USR_VERITY, PARTITION_USR_SECONDARY_VERITY, + PARTITION_ROOT_VERITY_SIG, /* PKCS#7 signature for root hash for the PARTITION_ROOT partition */ + PARTITION_ROOT_SECONDARY_VERITY_SIG, /* ditto for the PARTITION_ROOT_SECONDARY partition */ + PARTITION_USR_VERITY_SIG, + PARTITION_USR_SECONDARY_VERITY_SIG, PARTITION_TMP, PARTITION_VAR, _PARTITION_DESIGNATOR_MAX, @@ -64,7 +68,11 @@ static inline bool PARTITION_DESIGNATOR_VERSIONED(PartitionDesignator d) { PARTITION_ROOT_VERITY, PARTITION_ROOT_SECONDARY_VERITY, PARTITION_USR_VERITY, - PARTITION_USR_SECONDARY_VERITY); + PARTITION_USR_SECONDARY_VERITY, + PARTITION_ROOT_VERITY_SIG, + PARTITION_ROOT_SECONDARY_VERITY_SIG, + PARTITION_USR_VERITY_SIG, + PARTITION_USR_SECONDARY_VERITY_SIG); } static inline PartitionDesignator PARTITION_VERITY_OF(PartitionDesignator p) { @@ -87,6 +95,26 @@ static inline PartitionDesignator PARTITION_VERITY_OF(PartitionDesignator p) { } } +static inline PartitionDesignator PARTITION_VERITY_SIG_OF(PartitionDesignator p) { + switch (p) { + + case PARTITION_ROOT: + return PARTITION_ROOT_VERITY_SIG; + + case PARTITION_ROOT_SECONDARY: + return PARTITION_ROOT_SECONDARY_VERITY_SIG; + + case PARTITION_USR: + return PARTITION_USR_VERITY_SIG; + + case PARTITION_USR_SECONDARY: + return PARTITION_USR_SECONDARY_VERITY_SIG; + + default: + return _PARTITION_DESIGNATOR_INVALID; + } +} + typedef enum DissectImageFlags { DISSECT_IMAGE_DEVICE_READ_ONLY = 1 << 0, /* Make device read-only */ DISSECT_IMAGE_DISCARD_ON_LOOP = 1 << 1, /* Turn on "discard" if on a loop device and file system supports it */ @@ -119,11 +147,14 @@ typedef enum DissectImageFlags { struct DissectedImage { bool encrypted:1; bool has_verity:1; /* verity available in image, but not necessarily used */ + bool has_verity_sig:1; /* pkcs#7 signature embedded in image */ bool verity_ready:1; /* verity available, fully specified and usable */ + bool verity_sig_ready:1; /* verity signature logic, fully specified and usable */ bool single_file_system:1; /* MBR/GPT or single file system */ DissectedPartition partitions[_PARTITION_DESIGNATOR_MAX]; + /* Meta information extracted from /etc/os-release and similar */ char *image_name; char *hostname; sd_id128_t machine_id; @@ -188,6 +219,7 @@ void verity_settings_done(VeritySettings *verity); bool dissected_image_verity_candidate(const DissectedImage *image, PartitionDesignator d); bool dissected_image_verity_ready(const DissectedImage *image, PartitionDesignator d); +bool dissected_image_verity_sig_ready(const DissectedImage *image, PartitionDesignator d); int mount_image_privately_interactively(const char *path, DissectImageFlags flags, char **ret_directory, LoopDevice **ret_loop_device, DecryptedImage **ret_decrypted_image); |