/* SPDX-License-Identifier: LGPL-2.1+ */
/***
This file is part of systemd.
Copyright 2016 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see .
***/
#include
#include
#include "crypt-util.h"
#include "log.h"
#include "hexdecoct.h"
#include "string-util.h"
#include "alloc-util.h"
static char *arg_root_hash = NULL;
static char *arg_data_what = NULL;
static char *arg_hash_what = NULL;
static int help(void) {
printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH\n"
"%s detach VOLUME\n\n"
"Attaches or detaches an integrity protected block device.\n",
program_invocation_short_name,
program_invocation_short_name);
return 0;
}
int main(int argc, char *argv[]) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
int r;
if (argc <= 1) {
r = help();
goto finish;
}
if (argc < 3) {
log_error("This program requires at least two arguments.");
r = -EINVAL;
goto finish;
}
log_set_target(LOG_TARGET_AUTO);
log_parse_environment();
log_open();
umask(0022);
if (streq(argv[1], "attach")) {
_cleanup_free_ void *m = NULL;
crypt_status_info status;
size_t l;
if (argc < 6) {
log_error("attach requires at least two arguments.");
r = -EINVAL;
goto finish;
}
r = unhexmem(argv[5], strlen(argv[5]), &m, &l);
if (r < 0) {
log_error("Failed to parse root hash.");
goto finish;
}
r = crypt_init(&cd, argv[4]);
if (r < 0) {
log_error_errno(r, "Failed to open verity device %s: %m", argv[4]);
goto finish;
}
crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
status = crypt_status(cd, argv[2]);
if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
log_info("Volume %s already active.", argv[2]);
r = 0;
goto finish;
}
r = crypt_load(cd, CRYPT_VERITY, NULL);
if (r < 0) {
log_error_errno(r, "Failed to load verity superblock: %m");
goto finish;
}
r = crypt_set_data_device(cd, argv[3]);
if (r < 0) {
log_error_errno(r, "Failed to configure data device: %m");
goto finish;
}
r = crypt_activate_by_volume_key(cd, argv[2], m, l, CRYPT_ACTIVATE_READONLY);
if (r < 0) {
log_error_errno(r, "Failed to set up verity device: %m");
goto finish;
}
} else if (streq(argv[1], "detach")) {
r = crypt_init_by_name(&cd, argv[2]);
if (r == -ENODEV) {
log_info("Volume %s already inactive.", argv[2]);
goto finish;
} else if (r < 0) {
log_error_errno(r, "crypt_init_by_name() failed: %m");
goto finish;
}
crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_deactivate(cd, argv[2]);
if (r < 0) {
log_error_errno(r, "Failed to deactivate: %m");
goto finish;
}
} else {
log_error("Unknown verb %s.", argv[1]);
r = -EINVAL;
goto finish;
}
r = 0;
finish:
free(arg_root_hash);
free(arg_data_what);
free(arg_hash_what);
return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}