author | Gaël PORTAY <gael.portay@collabora.com> | 2020-11-14 09:21:39 -0500 |
---|---|---|
committer | Gaël PORTAY <gael.portay@collabora.com> | 2021-01-15 11:06:11 -0500 |
commit | 08b04ec7e72b7327b4803809732b1b8fce8dd069 (patch) | |
tree | 178f69b3a8fcd6b85604ac1f92fe2add48be1fed /src/shared | |
parent | 0141102f104cbb2e469b0e8b946681887e2495f2 (diff) | |
veritysetup-generator: add support for veritytab
This adds the support for veritytab.
The veritytab file contains at most five fields, the first four are
mandatory, the last one is optional:
- The first field contains the name of the resulting verity volume; its
block device is set up as /dev/mapper/<name>.
- The second field contains a path to the underlying block data device,
or a specification of a block device via UUID= followed by the UUID.
- The third field contains a path to the underlying block hash device,
or a specification of a block device via UUID= followed by the UUID.
- The fourth field is the roothash in hexadecimal.
- The fifth field, if present, is a comma-delimited list of options.
Only the following options are recognized: ignore-corruption,
restart-on-corruption, panic-on-corruption, ignore-zero-blocks,
check-at-most-once and root-hash-signature. The other options will
be implemented later.
Also, this adds support for the new kernel verity command line boolean
option "veritytab" which enables the read for veritytab, and the new
environment variable SYSTEMD_VERITYTAB which sets the path to the file
veritytab to read.
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/generator.c | 75 | ||||
-rw-r--r-- | src/shared/generator.h | 12 |
2 files changed, 87 insertions, 0 deletions
diff --git a/src/shared/generator.c b/src/shared/generator.c
index 1eccc5a289..b8616cf1f2 100644
--- a/src/shared/generator.c
+++ b/src/shared/generator.c
@@ -620,6 +620,81 @@ int generator_write_cryptsetup_service_section(
 return 0;
 }
 
+int generator_write_veritysetup_unit_section(
+ FILE *f,
+ const char *source) {
+
+ assert(f);
+
+ fprintf(f,
+ "[Unit]\n"
+ "Description=Integrity Protection Setup for %%I\n"
+ "Documentation=man:veritytab(5) man:systemd-veritysetup-generator(8) man:systemd-veritysetup@.service(8)\n");
+
+ if (source)
+ fprintf(f, "SourcePath=%s\n", source);
+
+ fprintf(f,
+ "DefaultDependencies=no\n"
+ "IgnoreOnIsolate=true\n"
+ "After=cryptsetup-pre.target systemd-udevd-kernel.socket\n"
+ "Before=blockdev@dev-mapper-%%i.target\n"
+ "Wants=blockdev@dev-mapper-%%i.target\n");
+
+ return 0;
+}
+
+int generator_write_veritysetup_service_section(
+ FILE *f,
+ const char *name,
+ const char *data_what,
+ const char *hash_what,
+ const char *roothash,
+ const char *options) {
+
+ _cleanup_free_ char *name_escaped = NULL, *data_what_escaped = NULL, *hash_what_escaped,
+ *roothash_escaped = NULL, *options_escaped = NULL;
+
+ assert(f);
+ assert(name);
+ assert(data_what);
+ assert(hash_what);
+
+ name_escaped = specifier_escape(name);
+ if (!name_escaped)
+ return log_oom();
+
+ data_what_escaped = specifier_escape(data_what);
+ if (!data_what_escaped)
+ return log_oom();
+
+ hash_what_escaped = specifier_escape(hash_what);
+ if (!hash_what_escaped)
+ return log_oom();
+
+ roothash_escaped = specifier_escape(roothash);
+ if (!roothash_escaped)
+ return log_oom();
+
+ if (options) {
+ options_escaped = specifier_escape(options);
+ if (!options_escaped)
+ return log_oom();
+ }
+
+ fprintf(f,
+ "\n"
+ "[Service]\n"
+ "Type=oneshot\n"
+ "RemainAfterExit=yes\n"
+ "ExecStart=" SYSTEMD_VERITYSETUP_PATH " attach '%s' '%s' '%s' '%s' '%s'\n"
+ "ExecStop=" SYSTEMD_VERITYSETUP_PATH " detach '%s'\n",
+ name_escaped, data_what_escaped, hash_what_escaped, roothash_escaped, strempty(options_escaped),
+ name_escaped);
+
+ return 0;
+}
+
 void log_setup_generator(void) {
 /* Disable talking to syslog/journal (i.e. 
the two IPC-based loggers) if we run in system context. */
 if (cg_pid_get_owner_uid(0, NULL) == -ENXIO /* not running in a per-user slice */)
diff --git a/src/shared/generator.h b/src/shared/generator.h
index ff6072f53d..bd768daf49 100644
--- a/src/shared/generator.h
+++ b/src/shared/generator.h
@@ -42,6 +42,18 @@ int generator_write_cryptsetup_service_section(
 const char *password,
 const char *options);
 
+int generator_write_veritysetup_unit_section(
+ FILE *f,
+ const char *source);
+
+int generator_write_veritysetup_service_section(
+ FILE *f,
+ const char *name,
+ const char *data_what,
+ const char *hash_what,
+ const char *roothash,
+ const char *options);
+
 int generator_write_device_deps(
 const char *dir,
 const char *what, |
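Review bot: In the `_cleanup_free_` declaration of generator_write_veritysetup_service_section, `hash_what_escaped` is the only one of the five pointers not initialised to NULL, so an early `return log_oom()` on the name or data_what escape runs the cleanup handler on an indeterminate pointer and frees garbage; write `*hash_what_escaped = NULL,` like its neighbours. The function also passes `roothash` to `specifier_escape` unconditionally but, unlike name, data_what and hash_what, never asserts it, even though the commit message calls the fourth field mandatory; add `assert(roothash);` beside the other asserts so a NULL fails loudly there rather than inside the escape helper or as a misleading out-of-memory log. The single-quoted `'%s'` arguments on the ExecStart line are protected only against `%` by specifier escaping; a `'` or newline in a veritytab field would still corrupt the generated unit, which mirrors the cryptsetup section's contract and presumably relies on the caller validating the fields before they reach here.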