src/veritysetup/veritysetup.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <errno.h>
   4 #include <stdio.h>
   5 #include <sys/stat.h>
   6
   7 #include "alloc-util.h"
   8 #include "crypt-util.h"
   9 #include "fileio.h"
  10 #include "hexdecoct.h"
  11 #include "log.h"
  12 #include "main-func.h"
  13 #include "path-util.h"
  14 #include "pretty-print.h"
  15 #include "string-util.h"
  16 #include "terminal-util.h"
  17
  18 static char *arg_root_hash = NULL;
  19 static char *arg_data_what = NULL;
  20 static char *arg_hash_what = NULL;
  21
  22 STATIC_DESTRUCTOR_REGISTER(arg_root_hash, freep);
  23 STATIC_DESTRUCTOR_REGISTER(arg_data_what, freep);
  24 STATIC_DESTRUCTOR_REGISTER(arg_hash_what, freep);
  25
  26 static int help(void) {
  27         _cleanup_free_ char *link = NULL;
  28         int r;
  29
  30         r = terminal_urlify_man("systemd-veritysetup@.service", "8", &link);
  31         if (r < 0)
  32                 return log_oom();
  33
  34         printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [ROOTHASHSIG]\n"
  35                "%s detach VOLUME\n\n"
  36                "Attaches or detaches an integrity protected block device.\n"
  37                "\nSee the %s for details.\n"
  38                , program_invocation_short_name
  39                , program_invocation_short_name
  40                , link
  41         );
  42
  43         return 0;
  44 }
  45
  46 static int run(int argc, char *argv[]) {
  47         _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
  48         int r;
  49
  50         if (argc <= 1)
  51                 return help();
  52
  53         if (argc < 3)
  54                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires at least two arguments.");
  55
  56         log_setup_service();
  57
  58         umask(0022);
  59
  60         if (streq(argv[1], "attach")) {
  61                 _cleanup_free_ void *m = NULL;
  62                 crypt_status_info status;
  63                 size_t l;
  64
  65                 if (argc < 6)
  66                         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "attach requires at least two arguments.");
  67
  68                 r = unhexmem(argv[5], strlen(argv[5]), &m, &l);
  69                 if (r < 0)
  70                         return log_error_errno(r, "Failed to parse root hash: %m");
  71
  72                 r = crypt_init(&cd, argv[4]);
  73                 if (r < 0)
  74                         return log_error_errno(r, "Failed to open verity device %s: %m", argv[4]);
  75
  76                 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
  77
  78                 status = crypt_status(cd, argv[2]);
  79                 if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
  80                         log_info("Volume %s already active.", argv[2]);
  81                         return 0;
  82                 }
  83
  84                 r = crypt_load(cd, CRYPT_VERITY, NULL);
  85                 if (r < 0)
  86                         return log_error_errno(r, "Failed to load verity superblock: %m");
  87
  88                 r = crypt_set_data_device(cd, argv[3]);
  89                 if (r < 0)
  90                         return log_error_errno(r, "Failed to configure data device: %m");
  91
  92                 if (argc > 6) {
  93 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
  94                         _cleanup_free_ char *hash_sig = NULL;
  95                         size_t hash_sig_size;
  96                         char *value;
  97
  98                         if ((value = startswith(argv[6], "base64:"))) {
  99                                 r = unbase64mem(value, strlen(value), (void *)&hash_sig, &hash_sig_size);
 100                                 if (r < 0)
 101                                         return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]);
 102                         } else {
 103                                 r = read_full_file_full(AT_FDCWD, argv[6], READ_FULL_FILE_CONNECT_SOCKET, &hash_sig, &hash_sig_size);
 104                                 if (r < 0)
 105                                         return log_error_errno(r, "Failed to read root hash signature: %m");
 106                         }
 107
 108                         r = crypt_activate_by_signed_key(cd, argv[2], m, l, hash_sig, hash_sig_size, CRYPT_ACTIVATE_READONLY);
 109 #else
 110                         return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature %s requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()", argv[6]);
 111 #endif
 112                 } else
 113                         r = crypt_activate_by_volume_key(cd, argv[2], m, l, CRYPT_ACTIVATE_READONLY);
 114                 if (r < 0)
 115                         return log_error_errno(r, "Failed to set up verity device: %m");
 116
 117         } else if (streq(argv[1], "detach")) {
 118
 119                 r = crypt_init_by_name(&cd, argv[2]);
 120                 if (r == -ENODEV) {
 121                         log_info("Volume %s already inactive.", argv[2]);
 122                         return 0;
 123                 }
 124                 if (r < 0)
 125                         return log_error_errno(r, "crypt_init_by_name() failed: %m");
 126
 127                 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
 128
 129                 r = crypt_deactivate(cd, argv[2]);
 130                 if (r < 0)
 131                         return log_error_errno(r, "Failed to deactivate: %m");
 132
 133         } else
 134                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb %s.", argv[1]);
 135
 136         return 0;
 137 }
 138
 139 DEFINE_MAIN_FUNCTION(run);