PyModule_AddIntConstant(m, "MNT_MS_HASH_DEVICE", MNT_MS_HASH_DEVICE);
PyModule_AddIntConstant(m, "MNT_MS_ROOT_HASH", MNT_MS_ROOT_HASH);
PyModule_AddIntConstant(m, "MNT_MS_HASH_OFFSET", MNT_MS_HASH_OFFSET);
+ PyModule_AddIntConstant(m, "MNT_MS_ROOT_HASH_FILE", MNT_MS_ROOT_HASH_FILE);
/*
* mount(2) MS_* masks (MNT_MAP_LINUX map)
#if defined(HAVE_CRYPTSETUP)
#include <libcryptsetup.h>
+#include "path.h"
/* Taken from https://gitlab.com/cryptsetup/cryptsetup/blob/master/lib/utils_crypt.c#L225 */
static size_t crypt_hex_to_bytes(const char *hex, char **result)
const char *backing_file, *optstr;
char *val = NULL, *key = NULL, *root_hash_binary = NULL, *mapper_device = NULL,
*mapper_device_full = NULL, *backing_file_basename = NULL, *root_hash = NULL,
- *hash_device = NULL;
+ *hash_device = NULL, *root_hash_file = NULL;
size_t len, hash_size, keysize = 0;
struct crypt_params_verity crypt_params = {};
struct crypt_device *crypt_dev = NULL;
}
}
+ /*
+ * verity.roothashfile=
+ */
+ if (rc == 0 && (cxt->user_mountflags & MNT_MS_ROOT_HASH_FILE) &&
+ mnt_optstr_get_option(optstr, "verity.roothashfile", &val, &len) == 0 && val) {
+ root_hash_file = strndup(val, len);
+ rc = root_hash_file ? 0 : -ENOMEM;
+ }
+
+ if (root_hash && root_hash_file) {
+ DBG(VERITY, ul_debugobj(cxt, "verity.roothash and verity.roothashfile are mutually exclusive"));
+ rc = -EINVAL;
+ } else if (root_hash_file) {
+ rc = ul_path_read_string(NULL, &root_hash, root_hash_file);
+ rc = rc < 1 ? rc : 0;
+ }
+
if (rc)
goto done;
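Review bot: `rc = rc < 1 ? rc : 0;` after the ul_path_read_string() call treats a zero-length read as success, so an empty verity.roothashfile leaves `root_hash` as an empty string and the problem surfaces only later, with a less specific error, if at all. Since ul_path_read_string() appears to return the number of bytes read or a negative errno, a zero result should be rejected at this point: `rc = ul_path_read_string(NULL, &root_hash, root_hash_file);` `if (rc == 0) rc = -EINVAL; else if (rc > 0) rc = 0;`. A debug line in the style of the mutual-exclusion branch, `DBG(VERITY, ul_debugobj(cxt, "verity.roothashfile is empty"))`, would make the failure diagnosable. Whether a trailing newline in the file is stripped depends on ul_path_read_string(); that is worth confirming, as the string feeds the hex decoder. The enclosing function continues outside the hunk.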
free(mapper_device);
free(hash_device);
free(root_hash);
+ free(root_hash_file);
free(key);
return rc;
}
{ "verity.hashdevice=", MNT_MS_HASH_DEVICE, MNT_NOHLPS | MNT_NOMTAB }, /* mount a verity device */
{ "verity.roothash=", MNT_MS_ROOT_HASH, MNT_NOHLPS | MNT_NOMTAB }, /* verity device root hash */
{ "verity.hashoffset=", MNT_MS_HASH_OFFSET, MNT_NOHLPS | MNT_NOMTAB }, /* verity device hash offset */
+ { "verity.roothashfile=", MNT_MS_ROOT_HASH_FILE, MNT_NOHLPS | MNT_NOMTAB },/* verity device root hash (read from file) */
{ NULL, 0, 0 }
};
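Review bot: The new verity.roothashfile= entry drops the space between `},` and the trailing comment that every neighbouring row in the table has; for consistency write `{ "verity.roothashfile=", MNT_MS_ROOT_HASH_FILE, MNT_NOHLPS | MNT_NOMTAB }, /* verity device root hash (read from file) */`. The table's opening line is outside the hunk.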
\fBverity.roothash=\fP\,\fIhex\fP
Hex-encoded hash of the root of
.I verity.hashdevice
+Mutually exclusive with
+.I verity.roothashfile.
+.TP
+\fBverity.roothashfile=\fP\,\fIpath\fP
+Path to file containing the hex-encoded hash of the root of
+.I verity.hashdevice.
+Mutually exclusive with
+.I verity.roothash.
.TP
\fBverity.hashoffset=\fP\,\fIoffset\fP
If the hash tree device is embedded in the source volume,