From f0ecff8506a69a3b9c4afa66652028b8cbffbcf0 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 28 Feb 2024 16:16:30 +0100
Subject: [PATCH] dissect: condition usespace verity keyring via kernel cmdline option + env var
---
 docs/ENVIRONMENT.md | 6 ++++++
 man/kernel-command-line.xml | 11 +++++++++++
 src/shared/dissect-image.c | 24 +++++++++++++++++++++++-
 3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
index eab1ce23e46..1af6f569ded 100644
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@@ -488,6 +488,12 @@ disk images with `--image=` or similar: devices when opening them. Defaults to on, set this to "0" to disable this feature. +* `$SYSTEMD_ALLOW_USERSPACE_VERITY` — takes a boolean, which controls whether + to consider the userspace Verity public key store in `/etc/verity.d/` (and + related directories) to authenticate signatures on Verity hashes of disk + images. Defaults to true, i.e. userspace signature validation is allowed. If + false, authentication can be done only via the kernel's internal keyring. + `systemd-cryptsetup`: * `$SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE` – takes a boolean, which controls
diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml
index d4b005f8769..47ec00a794d 100644
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@@ -676,6 +676,17 @@ + + systemd.allow_userspace_verity= + + Takes a boolean argument. Controls whether disk images that are Verity protected may + be authenticated in userspace signature checks via /etc/verity.d/ (and related + directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to + on. + + + + systemd.hostname=
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 443cf53f528..af42cd4dcc4 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -60,6 +60,7 @@
 #include "openssl-util.h"
 #include "os-util.h"
 #include "path-util.h"
+#include "proc-cmdline.h"
 #include "process-util.h"
 #include "raw-clone.h"
 #include "resize-fs.h"
@@ -2538,12 +2539,34 @@ static char* dm_deferred_remove_clean(char *name) {
 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
 static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
+ int r;
 if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
 log_debug("Userspace dm-verity signature authentication disabled via flag.");
 return 0;
 }
+ r = getenv_bool_secure("SYSTEMD_ALLOW_USERSPACE_VERITY");
+ if (r < 0 && r != -ENXIO) {
+ log_debug_errno(r, "Failed to parse $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable, refusing userspace dm-verity signature authentication.");
+ return 0;
+ }
+ if (!r) {
+ log_debug("Userspace dm-verity signature authentication disabled via $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable.");
+ return 0;
+ }
+
+ bool b;
+ r = proc_cmdline_get_bool("systemd.allow_userspace_verity", PROC_CMDLINE_TRUE_WHEN_MISSING, &b);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to parse systemd.allow_userspace_verity= kernel command line option, refusing userspace dm-verity signature authentication.");
+ return 0;
+ }
+ if (!b) {
+ log_debug("Userspace dm-verity signature authentication disabled via systemd.allow_userspace_verity= kernel command line variable.");
+ return 0;
+ }
+
 #if HAVE_OPENSSL
 _cleanup_(sk_X509_free_allp) STACK_OF(X509) *sk = NULL;
 _cleanup_strv_free_ char **certs = NULL;
@@ -2552,7 +2575,6 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
 _cleanup_(BIO_freep) BIO *bio = NULL; /* 'bio' must be freed first, 's' second, hence keep this order
 * of declaration in place, please */
 const unsigned char *d;
- int r;
 assert(verity);
 assert(verity->root_hash);
-- 
2.39.2
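Review bot: The two parse-failure branches added to validate_signature_userspace (`if (r < 0 && r != -ENXIO)` after getenv_bool_secure() and `if (r < 0)` after proc_cmdline_get_bool()) log only at debug level before returning 0, so a malformed `$SYSTEMD_ALLOW_USERSPACE_VERITY` or `systemd.allow_userspace_verity=` value silently changes which trust store is consulted for the image; failing closed is right, but a misconfiguration is not a deliberate opt-out, and `log_warning_errno(r, "Failed to parse ... , refusing userspace dm-verity signature authentication.");` in those two branches would surface it, while the explicit-disable branches can stay at debug. The meaning of the early `return 0` is also undocumented: a comment above the first getenv_bool_secure() call such as `/* Either knob can only disable userspace verification, never enable it; parse errors fail closed and leave the in-kernel keyring as the only path. */` would state the policy, with "the caller falls back to the kernel keyring" confirmed against the caller, which is outside this hunk. The two new kernel command line messages disagree on wording ("kernel command line option" versus "kernel command line variable"); the man page change calls it an option, so the `if (!b)` message should match. It is presumably getenv_bool_secure() ignoring the variable in privileged (AT_SECURE) processes that makes a per-process environment knob acceptable for a trust decision, which is worth a one-line comment if so. The function body continues past the end of this hunk into the `#if HAVE_OPENSSL` section, including the `int r;` relocation in the following hunk.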