1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2016 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include "alloc-util.h"
29 #include "fstab-util.h"
30 #include "hexdecoct.h"
31 #include "id128-util.h"
33 #include "parse-util.h"
34 #include "proc-cmdline.h"
35 #include "string-util.h"
36 #include "unit-name.h"
/* Generator state shared by the functions below.
 * arg_root_hash, arg_data_what and arg_hash_what are set from the kernel command line in
 * parse_proc_cmdline_item(); determine_devices() may fill in the two device paths when they
 * were not given. All of it is boot-time input that ends up inside a generated unit file. */
38 static char *arg_dest = NULL;       /* directory prefix for the unit file and symlink written by create_device() */
39 static bool arg_enabled = true;     /* initialised to true; the statement that updates it is not visible in this listing */
40 static char *arg_root_hash = NULL;  /* value of roothash= */
41 static char *arg_data_what = NULL;  /* value of systemd.verity_root_data=, or a by-partuuid path derived from the root hash */
42 static char *arg_hash_what = NULL;  /* value of systemd.verity_root_hash=, or a by-partuuid path derived from the root hash */
/* Writes the unit file systemd-veritysetup@root.service below arg_dest and symlinks it into
 * cryptsetup.target.requires/, using the root hash and the data/hash device paths held in the
 * arg_* globals.
 *
 * NOTE(review): this listing is incomplete. The gutter numbers jump (46 -> 50, 51 -> 54,
 * 83 -> 87, 100 -> 103, and nothing follows 118), so the declarations of p, to and r, the
 * conditions in front of most return statements, the call that opens f and begins the
 * formatted write, and the end of the function are not visible. The comments below describe
 * only what is shown. */
44 static int create_device(void) {
45         _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL;
46         _cleanup_fclose_ FILE *f = NULL;

50         /* If all three pieces of information are missing, then verity is turned off */
51         if (!arg_root_hash && !arg_data_what && !arg_hash_what)
           /* NOTE(review): the statement controlled by this condition (gutter 52) is not shown. */

54         /* if one of them is missing however, the data is simply incomplete and this is an error */
           /* One message per missing item; the three conditions selecting them (gutter 55, 57, 59)
            * are not shown. */
56         log_error("Verity information incomplete, root hash unspecified.");
58         log_error("Verity information incomplete, root data device unspecified.");
60         log_error("Verity information incomplete, root hash device unspecified.");

           /* Combined check: any one of the three missing. The statement it controls (gutter 63)
            * is not shown; presumably an error return, confirm against the full file. */
62         if (!arg_root_hash || !arg_data_what || !arg_hash_what)

           /* Three arguments are passed but only two %s are visible; a middle line of the format
            * string (gutter 66) is missing from the listing. */
65         log_debug("Using root verity data device %s,\n"
67                   " and root hash %s.", arg_data_what, arg_hash_what, arg_root_hash);

           /* Path of the unit file to generate. */
69         p = strjoina(arg_dest, "/systemd-veritysetup@root.service");

           /* Translate the configured data and hash device specifications into device node paths.
            * No NULL check on u or v is visible here (gutter 72-73 and 75-76 are skipped). */
71         u = fstab_node_to_udev_node(arg_data_what);
74         v = fstab_node_to_udev_node(arg_hash_what);

           /* Build the .device unit names for both nodes into d and e. */
78         r = unit_name_from_path(u, ".device", &d);
80         return log_error_errno(r, "Failed to generate unit name: %m");
81         r = unit_name_from_path(v, ".device", &e);
83         return log_error_errno(r, "Failed to generate unit name: %m");

           /* Error path for creating the unit file; the call that opens f is not shown. */
87         return log_error_errno(errno, "Failed to create unit file %s: %m", p);

           /* Unit file template. "%%" points to a printf-style call whose opening line (gutter 89)
            * is missing; it leaves a literal %I in Description= for systemd to expand. Some
            * template lines are absent as well (gutter 91, 97, 101-102). */
90         "# Automatically generated by systemd-veritysetup-generator\n\n"
92         "Description=Integrity Protection Setup for %%I\n"
93         "Documentation=man:systemd-veritysetup-generator(8) man:systemd-veritysetup@.service(8)\n"
94         "SourcePath=/proc/cmdline\n"
95         "DefaultDependencies=no\n"
96         "Conflicts=umount.target\n"
98         "IgnoreOnIsolate=true\n"
           /* The arguments for these two %s are not visible (gutter 106-107 are skipped); d and e
            * from unit_name_from_path() are the likely candidates. TODO confirm. */
99         "After=cryptsetup-pre.target %s %s\n"
100         "Before=cryptsetup.target umount.target\n"
103         "RemainAfterExit=yes\n"
           /* SECURITY: the three single-quoted arguments are u, v and arg_root_hash (argument list
            * at 108). No escaping or validation of them is visible in this function. arg_root_hash
            * is the roothash= string copied from the kernel command line, and u and v come from
            * fstab_node_to_udev_node(). A single quote, a newline or a '%' in any of them (systemd
            * expands % specifiers in unit files) would change how the generated ExecStart= line is
            * read. NOTE(review): confirm the root hash is checked to be plain hex and that the
            * device paths are escaped before they are formatted into the unit. */
104         "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s'\n"
105         "ExecStop=" ROOTLIBEXECDIR "/systemd-veritysetup detach root\n",
108         u, v, arg_root_hash);

           /* Flush f and report a write error. The guard on r (gutter 111) is not shown. */
110         r = fflush_and_check(f);
112         return log_error_errno(r, "Failed to write file %s: %m", p);

           /* Hook the service into cryptsetup.target through a .requires/ symlink. */
114         to = strjoina(arg_dest, "/cryptsetup.target.requires/systemd-veritysetup@root.service");

           /* Result deliberately ignored: a failure to create the parent directories surfaces as a
            * symlink() error on the next line. */
116         (void) mkdir_parents(to, 0755);
117         if (symlink("../systemd-veritysetup@root.service", to) < 0)
118                 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* Callback passed to proc_cmdline_parse() in main(); receives one key/value pair from the
 * kernel command line. Recognises systemd.verity, roothash, systemd.verity_root_data and
 * systemd.verity_root_hash. data is not used in the visible lines.
 *
 * SECURITY: the three string options are stored verbatim with free_and_strdup(). No format or
 * length check is visible here, so whatever the command line carries is what create_device()
 * later formats into the unit file. The root hash is the value the verity data is checked
 * against, so it is only as trustworthy as the kernel command line it was read from.
 *
 * NOTE(review): the listing skips lines (see the gutter numbers). The declaration of r, the
 * handling of r after each assignment, the statements controlled by the
 * proc_cmdline_value_missing() checks and the end of the function are not shown. */
123 static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
126         if (streq(key, "systemd.verity")) {

                   /* A bare switch without a value counts as 1. */
128                 r = value ? parse_boolean(value) : 1;
                   /* The message says "verity=" although the key matched above is "systemd.verity".
                    * The condition selecting this warning (gutter 129) and what is done with r
                    * otherwise (gutter 131-132) are not shown. */
130                 log_warning("Failed to parse verity= kernel command line switch %s. Ignoring.", value);

134         } else if (streq(key, "roothash")) {

136                 if (proc_cmdline_value_missing(key, value))

                   /* Replaces any earlier roothash= value. */
139                 r = free_and_strdup(&arg_root_hash, value);

143         } else if (streq(key, "systemd.verity_root_data")) {

145                 if (proc_cmdline_value_missing(key, value))

148                 r = free_and_strdup(&arg_data_what, value);

152         } else if (streq(key, "systemd.verity_root_hash")) {

154                 if (proc_cmdline_value_missing(key, value))

157                 r = free_and_strdup(&arg_hash_what, value);
/* Fills in arg_data_what and/or arg_hash_what when they were not given on the command line.
 * The root hash is hex-decoded; its first 128 bits are read as the UUID of the data partition
 * and its last 128 bits as the UUID of the hash partition, each turned into a
 * /dev/disk/by-partuuid/ path.
 *
 * NOTE(review): the listing skips lines (see the gutter numbers). The declarations of ids, l
 * and r, any NULL guard on arg_root_hash, the statements controlled by the early checks, the
 * result checks after strjoin() and the function's return are not shown. */
165 static int determine_devices(void) {
166         _cleanup_free_ void *m = NULL;
167         sd_id128_t root_uuid, verity_uuid;

172         /* Try to automatically derive the root data and hash device paths from the root hash */

           /* Both paths already known. The controlled statement (gutter 178) is not shown;
            * presumably an early return, confirm against the full file. */
177         if (arg_data_what && arg_hash_what)

           /* Decode the hex string into l bytes at m. strlen() dereferences arg_root_hash, so this
            * line relies on a non-NULL root hash; the guard for that (gutter 174-175) is not
            * visible here. */
180         r = unhexmem(arg_root_hash, strlen(arg_root_hash), &m, &l);
           /* The format string has no %m, so the error code in r is not part of the message. */
182         return log_error_errno(r, "Failed to parse root hash: %s", arg_root_hash);

           /* Bounds check the two memcpy() calls below depend on: each reads sizeof(sd_id128_t)
            * bytes from m, so l must be at least that large. The statement that leaves the
            * function for a short hash (gutter 185) is not shown. TODO confirm it returns before
            * the copies. */
183         if (l < sizeof(sd_id128_t)) {
184                 log_debug("Root hash is shorter than 128 bits (32 characters), ignoring for discovering verity partition.");

188         if (!arg_data_what) {
                   /* First sizeof(root_uuid) bytes of the decoded hash. */
189                 memcpy(&root_uuid, m, sizeof(root_uuid));

                   /* No allocation-failure check on the strjoin() result is visible
                    * (gutter 192-193 are skipped). */
191                 arg_data_what = strjoin("/dev/disk/by-partuuid/", id128_to_uuid_string(root_uuid, ids));

196         if (!arg_hash_what) {
                   /* Last sizeof(verity_uuid) bytes of the decoded hash; m + l - sizeof() stays
                    * inside the buffer only while l >= sizeof(verity_uuid), see the check at 183. */
197                 memcpy(&verity_uuid, (uint8_t*) m + l - sizeof(verity_uuid), sizeof(verity_uuid));

199                 arg_hash_what = strjoin("/dev/disk/by-partuuid/", id128_to_uuid_string(verity_uuid, ids));
/* Entry point of the generator: accepts either no arguments or three, parses the kernel
 * command line through parse_proc_cmdline_item(), calls determine_devices(), and maps a
 * negative r to EXIT_FAILURE.
 *
 * NOTE(review): the listing skips lines (see the gutter numbers). The declaration of r, the
 * assignment of arg_dest, the handling of arg_enabled, the call to create_device() and any
 * cleanup before the final return are not shown. */
207 int main(int argc, char *argv[]) {

           /* argc == 1 (no arguments) and argc == 4 (three arguments) are the accepted forms. */
210         if (argc > 1 && argc != 4) {
211                 log_error("This program takes three or no arguments.");

218         log_set_target(LOG_TARGET_SAFE);
219         log_parse_environment();

           /* Feed every kernel command line option to the callback. NOTE(review):
            * PROC_CMDLINE_STRIP_RD_PREFIX presumably makes rd.-prefixed spellings of the keys
            * match as well; confirm in proc-cmdline.h. */
224         r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
           /* Logged as a warning; the condition on r and what follows (gutter 225, 227) are not
            * shown. */
226                 log_warning_errno(r, "Failed to parse kernel command line: %m");

230         /* For now we only support the root device on verity. Later on we might want to add support for /etc/veritytab
231          * or similar to define additional mappings */

238         r = determine_devices();

253         return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;