1 /* SPDX-License-Identifier: LGPL-2.1+ */
7 #include "alloc-util.h"
8 #include "crypt-util.h"
10 #include "hexdecoct.h"
12 #include "main-func.h"
13 #include "path-util.h"
14 #include "pretty-print.h"
15 #include "string-util.h"
16 #include "terminal-util.h"
18 static char *arg_root_hash
= NULL
;
19 static char *arg_data_what
= NULL
;
20 static char *arg_hash_what
= NULL
;
22 STATIC_DESTRUCTOR_REGISTER(arg_root_hash
, freep
);
23 STATIC_DESTRUCTOR_REGISTER(arg_data_what
, freep
);
24 STATIC_DESTRUCTOR_REGISTER(arg_hash_what
, freep
);
26 static int help(void) {
27 _cleanup_free_
char *link
= NULL
;
30 r
= terminal_urlify_man("systemd-veritysetup@.service", "8", &link
);
34 printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [ROOTHASHSIG]\n"
35 "%s detach VOLUME\n\n"
36 "Attaches or detaches an integrity protected block device.\n"
37 "\nSee the %s for details.\n"
38 , program_invocation_short_name
39 , program_invocation_short_name
46 static int run(int argc
, char *argv
[]) {
47 _cleanup_(crypt_freep
) struct crypt_device
*cd
= NULL
;
54 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "This program requires at least two arguments.");
60 if (streq(argv
[1], "attach")) {
61 _cleanup_free_
void *m
= NULL
;
62 crypt_status_info status
;
66 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "attach requires at least two arguments.");
68 r
= unhexmem(argv
[5], strlen(argv
[5]), &m
, &l
);
70 return log_error_errno(r
, "Failed to parse root hash: %m");
72 r
= crypt_init(&cd
, argv
[4]);
74 return log_error_errno(r
, "Failed to open verity device %s: %m", argv
[4]);
76 crypt_set_log_callback(cd
, cryptsetup_log_glue
, NULL
);
78 status
= crypt_status(cd
, argv
[2]);
79 if (IN_SET(status
, CRYPT_ACTIVE
, CRYPT_BUSY
)) {
80 log_info("Volume %s already active.", argv
[2]);
84 r
= crypt_load(cd
, CRYPT_VERITY
, NULL
);
86 return log_error_errno(r
, "Failed to load verity superblock: %m");
88 r
= crypt_set_data_device(cd
, argv
[3]);
90 return log_error_errno(r
, "Failed to configure data device: %m");
93 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
94 _cleanup_free_
char *hash_sig
= NULL
;
98 if ((value
= startswith(argv
[6], "base64:"))) {
99 r
= unbase64mem(value
, strlen(value
), (void *)&hash_sig
, &hash_sig_size
);
101 return log_error_errno(r
, "Failed to parse root hash signature '%s': %m", argv
[6]);
103 r
= read_full_file_full(AT_FDCWD
, argv
[6], READ_FULL_FILE_CONNECT_SOCKET
, &hash_sig
, &hash_sig_size
);
105 return log_error_errno(r
, "Failed to read root hash signature: %m");
108 r
= crypt_activate_by_signed_key(cd
, argv
[2], m
, l
, hash_sig
, hash_sig_size
, CRYPT_ACTIVATE_READONLY
);
110 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "activation of verity device with signature %s requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()", argv
[6]);
113 r
= crypt_activate_by_volume_key(cd
, argv
[2], m
, l
, CRYPT_ACTIVATE_READONLY
);
115 return log_error_errno(r
, "Failed to set up verity device: %m");
117 } else if (streq(argv
[1], "detach")) {
119 r
= crypt_init_by_name(&cd
, argv
[2]);
121 log_info("Volume %s already inactive.", argv
[2]);
125 return log_error_errno(r
, "crypt_init_by_name() failed: %m");
127 crypt_set_log_callback(cd
, cryptsetup_log_glue
, NULL
);
129 r
= crypt_deactivate(cd
, argv
[2]);
131 return log_error_errno(r
, "Failed to deactivate: %m");
134 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Unknown verb %s.", argv
[1]);
139 DEFINE_MAIN_FUNCTION(run
);