From: Luca Boccassi Date: Tue, 10 Dec 2019 12:26:07 +0000 (+0000) Subject: verity: add support for Forward Error Correction options X-Git-Tag: v2.35-rc1~2^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9835a4b6a110643dad14015bad5c6b391e011b92;p=thirdparty%2Futil-linux.git verity: add support for Forward Error Correction options Requires kernel built with CONFIG_DM_VERITY_FEC.
---
diff --git a/libmount/docs/libmount-sections.txt b/libmount/docs/libmount-sections.txt
index 82cbedd886..baba1093f5 100644
--- a/libmount/docs/libmount-sections.txt
+++ b/libmount/docs/libmount-sections.txt
@@ -161,6 +161,9 @@ MNT_MS_HASH_DEVICE
 MNT_MS_ROOT_HASH
 MNT_MS_HASH_OFFSET
 MNT_MS_ROOT_HASH_FILE
+MNT_MS_FEC_DEVICE
+MNT_MS_FEC_OFFSET
+MNT_MS_FEC_ROOTS
 
 MS_BIND
 MS_DIRSYNC
diff --git a/libmount/python/pylibmount.c b/libmount/python/pylibmount.c
index a572c68e4b..b7c39e502b 100644
--- a/libmount/python/pylibmount.c
+++ b/libmount/python/pylibmount.c
@@ -255,6 +255,9 @@ PyMODINIT_FUNC initpylibmount(void)
 PyModule_AddIntConstant(m, "MNT_MS_ROOT_HASH", MNT_MS_ROOT_HASH);
 PyModule_AddIntConstant(m, "MNT_MS_HASH_OFFSET", MNT_MS_HASH_OFFSET);
 PyModule_AddIntConstant(m, "MNT_MS_ROOT_HASH_FILE", MNT_MS_ROOT_HASH_FILE);
+ PyModule_AddIntConstant(m, "MNT_MS_FEC_DEVICE", MNT_MS_FEC_DEVICE);
+ PyModule_AddIntConstant(m, "MNT_MS_FEC_OFFSET", MNT_MS_FEC_OFFSET);
+ PyModule_AddIntConstant(m, "MNT_MS_FEC_ROOTS", MNT_MS_FEC_ROOTS);
 
 /*
 * mount(2) MS_* masks (MNT_MAP_LINUX map)
diff --git a/libmount/src/context_veritydev.c b/libmount/src/context_veritydev.c
index 3fbe2f343a..2ef437642c 100644
--- a/libmount/src/context_veritydev.c
+++ b/libmount/src/context_veritydev.c
@@ -50,12 +50,13 @@ int mnt_context_setup_veritydev(struct libmnt_context *cxt) const char *backing_file, *optstr; char *val = NULL, *key = NULL, *root_hash_binary = NULL, *mapper_device = NULL, *mapper_device_full = NULL, *backing_file_basename = NULL, *root_hash = NULL, - *hash_device = NULL, *root_hash_file = NULL; + *hash_device = NULL, *root_hash_file = NULL, *fec_device = NULL; size_t len, hash_size, keysize = 0; struct crypt_params_verity crypt_params = {}; struct crypt_device *crypt_dev = NULL; int rc = 0; - uint64_t offset = 0; + /* Use the same default for FEC parity bytes as cryptsetup uses */ + uint64_t offset = 0, fec_offset = 0, fec_roots = 2; assert(cxt); assert(cxt->fs); @@ -119,6 +120,39 @@ int mnt_context_setup_veritydev(struct libmnt_context *cxt) rc = root_hash_file ? 0 : -ENOMEM; } + /* + * verity.fecdevice= + */ + if (rc == 0 && (cxt->user_mountflags & MNT_MS_FEC_DEVICE) && + mnt_optstr_get_option(optstr, "verity.fecdevice", &val, &len) == 0 && val) { + fec_device = strndup(val, len); + rc = fec_device ? 0 : -ENOMEM; + } + + /* + * verity.fecoffset= + */ + if (rc == 0 && (cxt->user_mountflags & MNT_MS_FEC_OFFSET) && + mnt_optstr_get_option(optstr, "verity.fecoffset", &val, &len) == 0) { + rc = mnt_parse_offset(val, len, &fec_offset); + if (rc) { + DBG(VERITY, ul_debugobj(cxt, "failed to parse verity.fecoffset=")); + rc = -MNT_ERR_MOUNTOPT; + } + } + + /* + * verity.fecroots= + */ + if (rc == 0 && (cxt->user_mountflags & MNT_MS_FEC_ROOTS) && + mnt_optstr_get_option(optstr, "verity.fecroots", &val, &len) == 0) { + rc = mnt_parse_offset(val, len, &fec_roots); + if (rc) { + DBG(VERITY, ul_debugobj(cxt, "failed to parse verity.fecroots=")); + rc = -MNT_ERR_MOUNTOPT; + } + } + if (root_hash && root_hash_file) { DBG(VERITY, ul_debugobj(cxt, "verity.roothash and verity.roothashfile are mutually exclusive")); rc = -EINVAL; 
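Review bot: The value parsed into `fec_roots` in the verity.fecroots= branch is never range-checked, and in the later hunk (`crypt_params.fec_roots = fec_roots;`, @@ -141,9 +175,9 @@) the uint64_t is narrowed into libcryptsetup's uint32_t fec_roots field, so a value such as 0, a count above 2^32, or a suffixed size that mnt_parse_offset presumably accepts is handed on silently and only rejected, if at all, by crypt_load or the kernel with a far less specific error. dm-verity documents the generator-roots count as 2..24, so rejecting anything else right after parsing keeps the failure attributable to the mount option: insert `if (rc == 0 && (fec_roots < 2 || fec_roots > 24))` / `rc = -ERANGE;` between the mnt_parse_offset call and the existing `if (rc)` block, which then logs and maps it to -MNT_ERR_MOUNTOPT as today. The accepted range is also worth stating in the `verity.fecroots=` entry of mount.8, which currently gives only the default. mnt_context_setup_veritydev starts and ends outside this hunk.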
@@ -141,9 +175,9 @@ int mnt_context_setup_veritydev(struct libmnt_context *cxt)
 memset(&crypt_params, 0, sizeof(struct crypt_params_verity));
 crypt_params.hash_area_offset = offset;
- crypt_params.fec_area_offset = 0;
- crypt_params.fec_roots = 0;
- crypt_params.fec_device = NULL;
+ crypt_params.fec_area_offset = fec_offset;
+ crypt_params.fec_roots = fec_roots;
+ crypt_params.fec_device = fec_device;
 crypt_params.flags = 0;
 rc = crypt_load(crypt_dev, CRYPT_VERITY, &crypt_params);
 if (rc < 0)
@@ -222,6 +256,7 @@ done:
 free(hash_device);
 free(root_hash);
 free(root_hash_file);
+ free(fec_device);
 free(key);
 return rc;
 }
diff --git a/libmount/src/libmount.h.in b/libmount/src/libmount.h.in
index 704da08269..e686b0fc73 100644
--- a/libmount/src/libmount.h.in
+++ b/libmount/src/libmount.h.in
@@ -909,6 +909,9 @@ extern int mnt_context_set_syscall_status(struct libmnt_context *cxt, int status
 #define MNT_MS_ROOT_HASH (1 << 19)
 #define MNT_MS_HASH_OFFSET (1 << 20)
 #define MNT_MS_ROOT_HASH_FILE (1 << 21)
+#define MNT_MS_FEC_DEVICE (1 << 22)
+#define MNT_MS_FEC_OFFSET (1 << 23)
+#define MNT_MS_FEC_ROOTS (1 << 24)
 
 /*
 * mount(2) MS_* masks (MNT_MAP_LINUX map)
diff --git a/libmount/src/optmap.c b/libmount/src/optmap.c
index 4d4e777072..63f4f2564f 100644
--- a/libmount/src/optmap.c
+++ b/libmount/src/optmap.c
@@ -183,6 +183,9 @@ static const struct libmnt_optmap userspace_opts_map[] =
 { "verity.roothash=", MNT_MS_ROOT_HASH, MNT_NOHLPS | MNT_NOMTAB }, /* verity device root hash */
 { "verity.hashoffset=", MNT_MS_HASH_OFFSET, MNT_NOHLPS | MNT_NOMTAB }, /* verity device hash offset */
 { "verity.roothashfile=", MNT_MS_ROOT_HASH_FILE, MNT_NOHLPS | MNT_NOMTAB },/* verity device root hash (read from file) */
+ { "verity.fecdevice=", MNT_MS_FEC_DEVICE, MNT_NOHLPS | MNT_NOMTAB }, /* verity FEC device */
+ { "verity.fecoffset=", MNT_MS_FEC_OFFSET, MNT_NOHLPS | MNT_NOMTAB }, /* verity FEC area offset */
+ { "verity.fecroots=", MNT_MS_FEC_ROOTS, MNT_NOHLPS | MNT_NOMTAB }, /* verity FEC roots */
 { NULL, 0, 0 }
 };
 
diff --git a/sys-utils/mount.8 b/sys-utils/mount.8
index 2969570011..1101981268 100644
--- a/sys-utils/mount.8
+++ b/sys-utils/mount.8
@@ -2401,6 +2401,18 @@ Mutually exclusive with
 If the hash tree device is embedded in the source volume,
 .I offset
 (default: 0) is used by dm-verity to get to the tree.
+.TP
+\fBverity.fecdevice=\fP\,\fIpath\fP
+Path to the Forward Error Correction (FEC) device associated with the source volume to pass to dm-verity.
+Optional. Requires kernel built with CONFIG_DM_VERITY_FEC.
+.TP
+\fBverity.fecoffset=\fP\,\fIoffset\fP
+If the FEC device is embedded in the source volume,
+.I offset
+(default: 0) is used by dm-verity to get to the FEC area. Optional.
+.TP
+\fBverity.fecroots=\fP\,\fIvalue\fP
+Parity bytes for FEC (default: 2). Optional.
 .RE
 .PP
 Supported since util-linux v2.35.