2 This file is part of systemd.
4 Copyright 2016 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include "alloc-util.h"
28 #include "fstab-util.h"
29 #include "hexdecoct.h"
30 #include "id128-util.h"
32 #include "parse-util.h"
33 #include "proc-cmdline.h"
34 #include "string-util.h"
35 #include "unit-name.h"
37 static char *arg_dest
= NULL
;
38 static bool arg_enabled
= true;
39 static char *arg_root_hash
= NULL
;
40 static char *arg_data_what
= NULL
;
41 static char *arg_hash_what
= NULL
;
43 static int create_device(void) {
44 _cleanup_free_
char *u
= NULL
, *v
= NULL
, *d
= NULL
, *e
= NULL
;
45 _cleanup_fclose_
FILE *f
= NULL
;
49 /* If all three pieces of information are missing, then verity is turned off */
50 if (!arg_root_hash
&& !arg_data_what
&& !arg_hash_what
)
53 /* if one of them is missing however, the data is simply incomplete and this is an error */
55 log_error("Verity information incomplete, root hash unspecified.");
57 log_error("Verity information incomplete, root data device unspecified.");
59 log_error("Verity information incomplete, root hash device unspecified.");
61 if (!arg_root_hash
|| !arg_data_what
|| !arg_hash_what
)
64 log_debug("Using root verity data device %s,\n"
66 " and root hash %s.", arg_data_what
, arg_hash_what
, arg_root_hash
);
68 p
= strjoina(arg_dest
, "/systemd-veritysetup@root.service");
70 u
= fstab_node_to_udev_node(arg_data_what
);
73 v
= fstab_node_to_udev_node(arg_hash_what
);
77 r
= unit_name_from_path(u
, ".device", &d
);
79 return log_error_errno(r
, "Failed to to generate unit name: %m");
80 r
= unit_name_from_path(v
, ".device", &e
);
82 return log_error_errno(r
, "Failed to to generate unit name: %m");
86 return log_error_errno(errno
, "Failed to create unit file %s: %m", p
);
89 "# Automatically generated by systemd-veritysetup-generator\n\n"
91 "Description=Integrity Protection Setup for %%I\n"
92 "Documentation=man:systemd-veritysetup-generator(8) man:systemd-veritysetup@.service(8)\n"
93 "SourcePath=/proc/cmdline\n"
94 "DefaultDependencies=no\n"
95 "Conflicts=umount.target\n"
97 "IgnoreOnIsolate=true\n"
98 "After=cryptsetup-pre.target %s %s\n"
99 "Before=cryptsetup.target umount.target\n"
102 "RemainAfterExit=yes\n"
103 "ExecStart=" ROOTLIBEXECDIR
"/systemd-veritysetup attach root '%s' '%s' '%s'\n"
104 "ExecStop=" ROOTLIBEXECDIR
"/systemd-veritysetup detach root\n",
107 u
, v
, arg_root_hash
);
109 r
= fflush_and_check(f
);
111 return log_error_errno(r
, "Failed to write file %s: %m", p
);
113 to
= strjoina(arg_dest
, "/cryptsetup.target.requires/systemd-veritysetup@root.service");
115 (void) mkdir_parents(to
, 0755);
116 if (symlink("../systemd-veritysetup@root.service", to
) < 0)
117 return log_error_errno(errno
, "Failed to create symlink %s: %m", to
);
122 static int parse_proc_cmdline_item(const char *key
, const char *value
, void *data
) {
125 if (streq(key
, "systemd.verity")) {
127 r
= value
? parse_boolean(value
) : 1;
129 log_warning("Failed to parse verity= kernel command line switch %s. Ignoring.", value
);
133 } else if (streq(key
, "roothash")) {
135 if (proc_cmdline_value_missing(key
, value
))
138 r
= free_and_strdup(&arg_root_hash
, value
);
142 } else if (streq(key
, "systemd.verity_root_data")) {
144 if (proc_cmdline_value_missing(key
, value
))
147 r
= free_and_strdup(&arg_data_what
, value
);
151 } else if (streq(key
, "systemd.verity_root_hash")) {
153 if (proc_cmdline_value_missing(key
, value
))
156 r
= free_and_strdup(&arg_hash_what
, value
);
164 static int determine_devices(void) {
165 _cleanup_free_
void *m
= NULL
;
166 sd_id128_t root_uuid
, verity_uuid
;
171 /* Try to automatically derive the root data and hash device paths from the root hash */
176 if (arg_data_what
&& arg_hash_what
)
179 r
= unhexmem(arg_root_hash
, strlen(arg_root_hash
), &m
, &l
);
181 return log_error_errno(r
, "Failed to parse root hash: %s", arg_root_hash
);
182 if (l
< sizeof(sd_id128_t
)) {
183 log_debug("Root hash is shorter than 128 bits (32 characters), ignoring for discovering verity partition.");
187 if (!arg_data_what
) {
188 memcpy(&root_uuid
, m
, sizeof(root_uuid
));
190 arg_data_what
= strjoin("/dev/disk/by-partuuid/", id128_to_uuid_string(root_uuid
, ids
));
195 if (!arg_hash_what
) {
196 memcpy(&verity_uuid
, (uint8_t*) m
+ l
- sizeof(verity_uuid
), sizeof(verity_uuid
));
198 arg_hash_what
= strjoin("/dev/disk/by-partuuid/", id128_to_uuid_string(verity_uuid
, ids
));
206 int main(int argc
, char *argv
[]) {
209 if (argc
> 1 && argc
!= 4) {
210 log_error("This program takes three or no arguments.");
217 log_set_target(LOG_TARGET_SAFE
);
218 log_parse_environment();
223 r
= proc_cmdline_parse(parse_proc_cmdline_item
, NULL
, PROC_CMDLINE_STRIP_RD_PREFIX
);
225 log_warning_errno(r
, "Failed to parse kernel command line: %m");
229 /* For now we only support the root device on verity. Later on we might want to add support for /etc/veritytab
230 * or similar to define additional mappings */
237 r
= determine_devices();
252 return r
< 0 ? EXIT_FAILURE
: EXIT_SUCCESS
;