14255132001

Committed 03 Apr 2025 10:15PM UTC coverage: 71.907% (-0.05%) from 71.955%

Build # 14255132001

Build Type

push

github

Committed by

bluca

Commit Message

mkosi: Fix arch build script version sed expression

Yours truly got rid of the _tag variable in the Arch Linux PKGBUILD
a while ago, so actually adapt the build script to that by changing
the pkgver= variable instead.

Coverage Stats

297094 of 413162 relevant lines covered (71.91%)

653278.23 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/veritysetup/veritysetup.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>

#include "sd-device.h"

#include "alloc-util.h"
#include "cryptsetup-util.h"
#include "fileio.h"
#include "fstab-util.h"
#include "hexdecoct.h"
#include "log.h"
#include "main-func.h"
#include "parse-util.h"
#include "path-util.h"
#include "pretty-print.h"
#include "process-util.h"
#include "string-util.h"
#include "terminal-util.h"
#include "verbs.h"

static char *arg_hash = NULL; /* the hash algorithm */
static bool arg_superblock = true;
static int arg_format = 1;
static uint64_t arg_data_block_size = 4096;
static uint64_t arg_hash_block_size = 4096;
static uint64_t arg_data_blocks = 0;
static uint64_t arg_hash_offset = 0;
static void *arg_salt = NULL;
static uint64_t arg_salt_size = 32;
static char *arg_uuid = NULL;
static uint32_t arg_activate_flags = CRYPT_ACTIVATE_READONLY;
static char *arg_fec_what = NULL;
static uint64_t arg_fec_offset = 0;
static uint64_t arg_fec_roots = 2;
static void *arg_root_hash_signature = NULL;
static size_t arg_root_hash_signature_size = 0;
static bool arg_root_hash_signature_auto = false;

STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);
STATIC_DESTRUCTOR_REGISTER(arg_salt, freep);
STATIC_DESTRUCTOR_REGISTER(arg_uuid, freep);
STATIC_DESTRUCTOR_REGISTER(arg_fec_what, freep);
STATIC_DESTRUCTOR_REGISTER(arg_root_hash_signature, freep);

static int help(void) {
        _cleanup_free_ char *link = NULL;
        int r;

        r = terminal_urlify_man("systemd-veritysetup@.service", "8", &link);
        if (r < 0)
                return log_oom();

        printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [OPTIONS]\n"
               "%s detach VOLUME\n\n"
               "Attach or detach a verity protected block device.\n"
               "\nSee the %s for details.\n",
               program_invocation_short_name,
               program_invocation_short_name,
               link);

        return 0;
}

static int parse_roothashsig_option(const char *option, bool strict) {
        _cleanup_free_ void *rhs = NULL;
        size_t rhss = 0;
        bool set_auto = false;
        int r;

        assert(option);

        const char *value = startswith(option, "base64:");
        if (value) {
                r = unbase64mem(value, &rhs, &rhss);
                if (r < 0)
                        return log_error_errno(r, "Failed to parse root hash signature '%s': %m", option);

        } else if (path_is_absolute(option)) {
                r = read_full_file_full(
                                AT_FDCWD,
                                option,
                                /* offset= */ UINT64_MAX,
                                /* size= */ SIZE_MAX,
                                READ_FULL_FILE_CONNECT_SOCKET,
                                /* bind_name= */ NULL,
                                (char**) &rhs,
                                &rhss);
                if (r < 0)
                        return log_error_errno(r, "Failed to read root hash signature: %m");

        } else if (streq(option, "auto"))
                /* auto → Derive signature from udev property ID_DISSECT_PART_ROOTHASH_SIG */
                set_auto = true;
        else if (strict)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "root-hash-signature= expects either full path to signature file or "
                                       "base64 string encoding signature prefixed by base64:.");
        else
                return false;

        if (!HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY)
                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                       "Activation of verity device with signature requested, but cryptsetup does not support crypt_activate_by_signed_key().");

        free_and_replace(arg_root_hash_signature, rhs);
        arg_root_hash_signature_size = rhss;
        arg_root_hash_signature_auto = set_auto;

        return true;
}

static int parse_block_size(const char *t, uint64_t *size) {
        uint64_t u;
        int r;

        r = parse_size(t, 1024, &u);
        if (r < 0)
                return r;

        if (u < 512 || u > (512 * 1024))
                return -ERANGE;

        if ((u % 512) != 0 || !ISPOWEROF2(u))
                return -EINVAL;

        *size = u;

        return 0;
}

static int parse_options(const char *options) {
        int r;

        /* backward compatibility with the obsolete ROOTHASHSIG positional argument */
        r = parse_roothashsig_option(options, /* strict= */ false);
        if (r < 0)
                return r;
        if (r > 0) {
                log_warning("Usage of ROOTHASHSIG positional argument is deprecated. "
                            "Please use the option root-hash-signature=%s instead.", options);
                return 0;
        }

        for (;;) {
                _cleanup_free_ char *word = NULL;
                char *val;

                r = extract_first_word(&options, &word, ",", EXTRACT_DONT_COALESCE_SEPARATORS | EXTRACT_UNESCAPE_SEPARATORS);
                if (r < 0)
                        return log_error_errno(r, "Failed to parse options: %m");
                if (r == 0)
                        break;

                if (STR_IN_SET(word, "noauto", "auto", "nofail", "fail", "_netdev"))
                        continue;

                if (isempty(word))
                        continue;
                else if (streq(word, "ignore-corruption"))
                        arg_activate_flags |= CRYPT_ACTIVATE_IGNORE_CORRUPTION;
                else if (streq(word, "restart-on-corruption"))
                        arg_activate_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
                else if (streq(word, "ignore-zero-blocks"))
                        arg_activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
#ifdef CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE
                else if (streq(word, "check-at-most-once"))
                        arg_activate_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE;
#endif
#ifdef CRYPT_ACTIVATE_PANIC_ON_CORRUPTION
                else if (streq(word, "panic-on-corruption"))
                        arg_activate_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;
#endif
                else if ((val = startswith(word, "superblock="))) {

                        r = parse_boolean(val);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse boolean '%s': %m", word);

                        arg_superblock = r;
                } else if ((val = startswith(word, "format="))) {

                        if (!STR_IN_SET(val, "0", "1"))
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "format= expects either 0 (original Chrome OS version) or "
                                                                                "1 (modern version).");

                        arg_format = val[0] - '0';
                } else if ((val = startswith(word, "data-block-size="))) {
                        uint64_t sz;

                        r = parse_block_size(val, &sz);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse size '%s': %m", word);

                        arg_data_block_size = sz;
                } else if ((val = startswith(word, "hash-block-size="))) {
                        uint64_t sz;

                        r = parse_block_size(val, &sz);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse size '%s': %m", word);

                        arg_hash_block_size = sz;
                } else if ((val = startswith(word, "data-blocks="))) {
                        uint64_t u;

                        r = safe_atou64(val, &u);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse number '%s': %m", word);

                        arg_data_blocks = u;
                } else if ((val = startswith(word, "hash-offset="))) {
                        uint64_t off;

                        r = parse_size(val, 1024, &off);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse offset '%s': %m", word);
                        if (off % 512 != 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "hash-offset= expects a 512-byte aligned value.");

                        arg_hash_offset = off;
                } else if ((val = startswith(word, "salt="))) {

                        if (!string_is_safe(val))
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "salt= is not valid.");

                        if (isempty(val)) {
                                arg_salt = mfree(arg_salt);
                                arg_salt_size = 32;
                        } else if (streq(val, "-")) {
                                arg_salt = mfree(arg_salt);
                                arg_salt_size = 0;
                        } else {
                                size_t l;
                                void *m;

                                r = unhexmem(val, &m, &l);
                                if (r < 0)
                                        return log_error_errno(r, "Failed to parse salt '%s': %m", word);

                                free_and_replace(arg_salt, m);
                                arg_salt_size = l;
                        }
                } else if ((val = startswith(word, "uuid="))) {

                        r = sd_id128_from_string(val, NULL);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse UUID '%s': %m", word);

                        r = free_and_strdup(&arg_uuid, val);
                        if (r < 0)
                                return log_oom();
                } else if ((val = startswith(word, "hash="))) {

                        r = free_and_strdup(&arg_hash, val);
                        if (r < 0)
                                return log_oom();
                } else if ((val = startswith(word, "fec-device="))) {
                        _cleanup_free_ char *what = NULL;

                        what = fstab_node_to_udev_node(val);
                        if (!what)
                                return log_oom();

                        if (!path_is_absolute(what))
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-device= expects an absolute path.");

                        if (!path_is_normalized(what))
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-device= expects an normalized path.");

                        r = free_and_strdup(&arg_fec_what, what);
                        if (r < 0)
                                return log_oom();
                } else if ((val = startswith(word, "fec-offset="))) {
                        uint64_t off;

                        r = parse_size(val, 1024, &off);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse offset '%s': %m", word);
                        if (off % 512 != 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-offset= expects a 512-byte aligned value.");

                        arg_fec_offset = off;
                } else if ((val = startswith(word, "fec-roots="))) {
                        uint64_t u;

                        r = safe_atou64(val, &u);
                        if (r < 0)
                                return log_error_errno(r, "Failed to parse number '%s', ignoring: %m", word);
                        if (u < 2 || u > 24)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-rootfs= expects a value between 2 and 24 (including).");

                        arg_fec_roots = u;
                } else if ((val = startswith(word, "root-hash-signature="))) {
                        r = parse_roothashsig_option(val, /* strict= */ true);
                        if (r < 0)
                                return r;

                } else
                        log_warning("Encountered unknown option '%s', ignoring.", word);
        }

        return r;
}

static int verb_attach(int argc, char *argv[], void *userdata) {
        _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
        _cleanup_free_ void *rh = NULL;
        struct crypt_params_verity p = {};
        crypt_status_info status;
        size_t rh_size = 0;
        int r;

        assert(argc >= 5);

        const char *volume = argv[1],
                *data_device = argv[2],
                *verity_device = argv[3],
                *root_hash = argv[4],
                *options = mangle_none(argc > 5 ? argv[5] : NULL);

        if (!filename_is_valid(volume))
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);

        if (options) {
                r = parse_options(options);
                if (r < 0)
                        return log_error_errno(r, "Failed to parse options: %m");
        }

        if (empty_or_dash(root_hash) || streq_ptr(root_hash, "auto"))
                root_hash = NULL;

        _cleanup_(sd_device_unrefp) sd_device *datadev = NULL;
        if (!root_hash || arg_root_hash_signature_auto) {
                r = sd_device_new_from_path(&datadev, data_device);
                if (r < 0)
                        return log_error_errno(r, "Failed to acquire udev object for data device '%s': %m", data_device);
        }

        if (!root_hash) {
                /* If no literal root hash is specified try to determine it automatically from the
                 * ID_DISSECT_PART_ROOTHASH udev property. */
                r = sd_device_get_property_value(ASSERT_PTR(datadev), "ID_DISSECT_PART_ROOTHASH", &root_hash);
                if (r < 0)
                        return log_error_errno(r, "No root hash specified, and device doesn't carry ID_DISSECT_PART_ROOTHASH property, cannot determine root hash.");
        }

        r = unhexmem(root_hash, &rh, &rh_size);
        if (r < 0)
                return log_error_errno(r, "Failed to parse root hash: %m");

        if (arg_root_hash_signature_auto) {
                assert(!arg_root_hash_signature);
                assert(arg_root_hash_signature_size == 0);

                const char *t;
                r = sd_device_get_property_value(ASSERT_PTR(datadev), "ID_DISSECT_PART_ROOTHASH_SIG", &t);
                if (r < 0)
                        return log_error_errno(r, "Automatic root hash signature pick up requested, and device doesn't carry ID_DISSECT_PART_ROOTHASH_SIG property, cannot determine root hash signature.");

                r = unbase64mem(t, &arg_root_hash_signature, &arg_root_hash_signature_size);
                if (r < 0)
                        return log_error_errno(r, "Failed to decode root hash signature data from udev data device: %m");
        }

        r = crypt_init(&cd, verity_device);
        if (r < 0)
                return log_error_errno(r, "Failed to open verity device %s: %m", verity_device);

        cryptsetup_enable_logging(cd);

        status = crypt_status(cd, volume);
        if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
                log_info("Volume %s already active.", volume);
                return 0;
        }

        if (arg_superblock) {
                p = (struct crypt_params_verity) {
                        .fec_device = arg_fec_what,
                        .hash_area_offset = arg_hash_offset,
                        .fec_area_offset = arg_fec_offset,
                        .fec_roots = arg_fec_roots,
                };

                r = crypt_load(cd, CRYPT_VERITY, &p);
                if (r < 0)
                        return log_error_errno(r, "Failed to load verity superblock: %m");
        } else {
                p = (struct crypt_params_verity) {
                        .hash_name = arg_hash,
                        .data_device = data_device,
                        .fec_device = arg_fec_what,
                        .salt = arg_salt,
                        .salt_size = arg_salt_size,
                        .hash_type = arg_format,
                        .data_block_size = arg_data_block_size,
                        .hash_block_size = arg_hash_block_size,
                        .data_size = arg_data_blocks,
                        .hash_area_offset = arg_hash_offset,
                        .fec_area_offset = arg_fec_offset,
                        .fec_roots = arg_fec_roots,
                        .flags = CRYPT_VERITY_NO_HEADER,
                };

                r = crypt_format(cd, CRYPT_VERITY, NULL, NULL, arg_uuid, NULL, 0, &p);
                if (r < 0)
                        return log_error_errno(r, "Failed to format verity superblock: %m");
        }

        r = crypt_set_data_device(cd, data_device);
        if (r < 0)
                return log_error_errno(r, "Failed to configure data device: %m");

        if (arg_root_hash_signature_size > 0) {
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags);
                if (r < 0) {
                        log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume);

                        r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);
                        if (r < 0)
                                return log_error_errno(r, "Failed to activate verity device '%s' both with and without root hash signature: %m", volume);

                        log_info("Activation of verity device '%s' succeeded without root hash signature.", volume);
                }
#else
                assert_not_reached();
#endif
        } else
                r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);
        if (r < 0)
                return log_error_errno(r, "Failed to set up verity device '%s': %m", volume);

        return 0;
}

static int verb_detach(int argc, char *argv[], void *userdata) {
        _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
        int r;

        assert(argc == 2);

        const char *volume = argv[1];

        if (!filename_is_valid(volume))
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);

        r = crypt_init_by_name(&cd, volume);
        if (r == -ENODEV) {
                log_info("Volume %s 'already' inactive.", volume);
                return 0;
        }
        if (r < 0)
                return log_error_errno(r, "crypt_init_by_name() for volume '%s' failed: %m", volume);

        cryptsetup_enable_logging(cd);

        r = crypt_deactivate(cd, volume);
        if (r < 0)
                return log_error_errno(r, "Failed to deactivate volume '%s': %m", volume);

        return 0;
}

static int run(int argc, char *argv[]) {
        if (argv_looks_like_help(argc, argv))
                return help();

        log_setup();

        cryptsetup_enable_logging(NULL);

        umask(0022);

        static const Verb verbs[] = {
                { "attach", 5, 6, 0, verb_attach },
                { "detach", 2, 2, 0, verb_detach },
                {}
        };

        return dispatch_verb(argc, argv, verbs, NULL);
}

DEFINE_MAIN_FUNCTION(run);

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include <errno.h>
4	#include <stdio.h>
5	#include <sys/stat.h>
6
7	#include "sd-device.h"
8
9	#include "alloc-util.h"
10	#include "cryptsetup-util.h"
11	#include "fileio.h"
12	#include "fstab-util.h"
13	#include "hexdecoct.h"
14	#include "log.h"
15	#include "main-func.h"
16	#include "parse-util.h"
17	#include "path-util.h"
18	#include "pretty-print.h"
19	#include "process-util.h"
20	#include "string-util.h"
21	#include "terminal-util.h"
22	#include "verbs.h"
23
24	static char arg_hash = NULL; / the hash algorithm */
25	static bool arg_superblock = true;
26	static int arg_format = 1;
27	static uint64_t arg_data_block_size = 4096;
28	static uint64_t arg_hash_block_size = 4096;
29	static uint64_t arg_data_blocks = 0;
30	static uint64_t arg_hash_offset = 0;
31	static void *arg_salt = NULL;
32	static uint64_t arg_salt_size = 32;
33	static char *arg_uuid = NULL;
34	static uint32_t arg_activate_flags = CRYPT_ACTIVATE_READONLY;
35	static char *arg_fec_what = NULL;
36	static uint64_t arg_fec_offset = 0;
37	static uint64_t arg_fec_roots = 2;
38	static void *arg_root_hash_signature = NULL;
39	static size_t arg_root_hash_signature_size = 0;
40	static bool arg_root_hash_signature_auto = false;
41
42	STATIC_DESTRUCTOR_REGISTER(arg_hash, freep);	×
43	STATIC_DESTRUCTOR_REGISTER(arg_salt, freep);	×
44	STATIC_DESTRUCTOR_REGISTER(arg_uuid, freep);	×
45	STATIC_DESTRUCTOR_REGISTER(arg_fec_what, freep);	×
46	STATIC_DESTRUCTOR_REGISTER(arg_root_hash_signature, freep);	×
47
48	static int help(void) {	×
49	_cleanup_free_ char *link = NULL;	×
50	int r;	×
51
52	r = terminal_urlify_man("systemd-veritysetup@.service", "8", &link);	×
53	if (r < 0)	×
54	return log_oom();	×
55
56	printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [OPTIONS]\n"	×
57	"%s detach VOLUME\n\n"
58	"Attach or detach a verity protected block device.\n"
59	"\nSee the %s for details.\n",
60	program_invocation_short_name,
61	program_invocation_short_name,
62	link);
63
64	return 0;
65	}
66
67	static int parse_roothashsig_option(const char *option, bool strict) {	×
68	_cleanup_free_ void *rhs = NULL;	×
69	size_t rhss = 0;	×
70	bool set_auto = false;	×
71	int r;	×
72
73	assert(option);	×
74
75	const char *value = startswith(option, "base64:");	×
76	if (value) {	×
77	r = unbase64mem(value, &rhs, &rhss);	×
78	if (r < 0)	×
79	return log_error_errno(r, "Failed to parse root hash signature '%s': %m", option);	×
80
81	} else if (path_is_absolute(option)) {	×
82	r = read_full_file_full(	×
83	AT_FDCWD,
84	option,
85	/* offset= */ UINT64_MAX,
86	/* size= */ SIZE_MAX,
87	READ_FULL_FILE_CONNECT_SOCKET,
88	/* bind_name= */ NULL,
89	(char**) &rhs,
90	&rhss);
91	if (r < 0)	×
92	return log_error_errno(r, "Failed to read root hash signature: %m");	×
93
94	} else if (streq(option, "auto"))	×
95	/* auto → Derive signature from udev property ID_DISSECT_PART_ROOTHASH_SIG */
96	set_auto = true;
97	else if (strict)	×
98	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),	×
99	"root-hash-signature= expects either full path to signature file or "
100	"base64 string encoding signature prefixed by base64:.");
101	else
102	return false;
103
104	if (!HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY)	×
105	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
106	"Activation of verity device with signature requested, but cryptsetup does not support crypt_activate_by_signed_key().");
107
108	free_and_replace(arg_root_hash_signature, rhs);	×
109	arg_root_hash_signature_size = rhss;	×
110	arg_root_hash_signature_auto = set_auto;	×
111
112	return true;	×
113	}
114
115	static int parse_block_size(const char t, uint64_t size) {	×
116	uint64_t u;	×
117	int r;	×
118
119	r = parse_size(t, 1024, &u);	×
120	if (r < 0)	×
121	return r;	×
122
123	if (u < 512 \|\| u > (512 * 1024))	×
124	return -ERANGE;
125
126	if ((u % 512) != 0 \|\| !ISPOWEROF2(u))	×
127	return -EINVAL;
128
129	*size = u;	×
130
131	return 0;	×
132	}
133
134	static int parse_options(const char *options) {	×
135	int r;	×
136
137	/* backward compatibility with the obsolete ROOTHASHSIG positional argument */
138	r = parse_roothashsig_option(options, /* strict= */ false);	×
139	if (r < 0)	×
140	return r;
141	if (r > 0) {	×
142	log_warning("Usage of ROOTHASHSIG positional argument is deprecated. "	×
143	"Please use the option root-hash-signature=%s instead.", options);
144	return 0;	×
145	}
146
147	for (;;) {	×
148	_cleanup_free_ char *word = NULL;	×
149	char *val;	×
150
151	r = extract_first_word(&options, &word, ",", EXTRACT_DONT_COALESCE_SEPARATORS \| EXTRACT_UNESCAPE_SEPARATORS);	×
152	if (r < 0)	×
153	return log_error_errno(r, "Failed to parse options: %m");	×
154	if (r == 0)	×
155	break;
156
157	if (STR_IN_SET(word, "noauto", "auto", "nofail", "fail", "_netdev"))	×
158	continue;	×
159
160	if (isempty(word))	×
161	continue;	×
162	else if (streq(word, "ignore-corruption"))	×
163	arg_activate_flags \|= CRYPT_ACTIVATE_IGNORE_CORRUPTION;	×
164	else if (streq(word, "restart-on-corruption"))	×
165	arg_activate_flags \|= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;	×
166	else if (streq(word, "ignore-zero-blocks"))	×
167	arg_activate_flags \|= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;	×
168	#ifdef CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE
169	else if (streq(word, "check-at-most-once"))	×
170	arg_activate_flags \|= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE;	×
171	#endif
172	#ifdef CRYPT_ACTIVATE_PANIC_ON_CORRUPTION
173	else if (streq(word, "panic-on-corruption"))	×
174	arg_activate_flags \|= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;	×
175	#endif
176	else if ((val = startswith(word, "superblock="))) {	×
177
178	r = parse_boolean(val);	×
179	if (r < 0)	×
180	return log_error_errno(r, "Failed to parse boolean '%s': %m", word);	×
181
182	arg_superblock = r;	×
183	} else if ((val = startswith(word, "format="))) {	×
184
185	if (!STR_IN_SET(val, "0", "1"))	×
186	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "format= expects either 0 (original Chrome OS version) or "	×
187	"1 (modern version).");
188
189	arg_format = val[0] - '0';	×
190	} else if ((val = startswith(word, "data-block-size="))) {	×
191	uint64_t sz;	×
192
193	r = parse_block_size(val, &sz);	×
194	if (r < 0)	×
195	return log_error_errno(r, "Failed to parse size '%s': %m", word);	×
196
197	arg_data_block_size = sz;	×
198	} else if ((val = startswith(word, "hash-block-size="))) {	×
199	uint64_t sz;	×
200
201	r = parse_block_size(val, &sz);	×
202	if (r < 0)	×
203	return log_error_errno(r, "Failed to parse size '%s': %m", word);	×
204
205	arg_hash_block_size = sz;	×
206	} else if ((val = startswith(word, "data-blocks="))) {	×
207	uint64_t u;	×
208
209	r = safe_atou64(val, &u);	×
210	if (r < 0)	×
211	return log_error_errno(r, "Failed to parse number '%s': %m", word);	×
212
213	arg_data_blocks = u;	×
214	} else if ((val = startswith(word, "hash-offset="))) {	×
215	uint64_t off;	×
216
217	r = parse_size(val, 1024, &off);	×
218	if (r < 0)	×
219	return log_error_errno(r, "Failed to parse offset '%s': %m", word);	×
220	if (off % 512 != 0)	×
221	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "hash-offset= expects a 512-byte aligned value.");	×
222
223	arg_hash_offset = off;	×
224	} else if ((val = startswith(word, "salt="))) {	×
225
226	if (!string_is_safe(val))	×
227	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "salt= is not valid.");	×
228
229	if (isempty(val)) {	×
230	arg_salt = mfree(arg_salt);	×
231	arg_salt_size = 32;	×
232	} else if (streq(val, "-")) {	×
233	arg_salt = mfree(arg_salt);	×
234	arg_salt_size = 0;	×
235	} else {
236	size_t l;	×
237	void *m;	×
238
239	r = unhexmem(val, &m, &l);	×
240	if (r < 0)	×
241	return log_error_errno(r, "Failed to parse salt '%s': %m", word);	×
242
243	free_and_replace(arg_salt, m);	×
244	arg_salt_size = l;	×
245	}
246	} else if ((val = startswith(word, "uuid="))) {	×
247
248	r = sd_id128_from_string(val, NULL);	×
249	if (r < 0)	×
250	return log_error_errno(r, "Failed to parse UUID '%s': %m", word);	×
251
252	r = free_and_strdup(&arg_uuid, val);	×
253	if (r < 0)	×
254	return log_oom();	×
255	} else if ((val = startswith(word, "hash="))) {	×
256
257	r = free_and_strdup(&arg_hash, val);	×
258	if (r < 0)	×
259	return log_oom();	×
260	} else if ((val = startswith(word, "fec-device="))) {	×
261	_cleanup_free_ char *what = NULL;	×
262
263	what = fstab_node_to_udev_node(val);	×
264	if (!what)	×
265	return log_oom();	×
266
267	if (!path_is_absolute(what))	×
268	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-device= expects an absolute path.");	×
269
270	if (!path_is_normalized(what))	×
271	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-device= expects an normalized path.");	×
272
273	r = free_and_strdup(&arg_fec_what, what);	×
274	if (r < 0)	×
275	return log_oom();	×
276	} else if ((val = startswith(word, "fec-offset="))) {	×
277	uint64_t off;	×
278
279	r = parse_size(val, 1024, &off);	×
280	if (r < 0)	×
281	return log_error_errno(r, "Failed to parse offset '%s': %m", word);	×
282	if (off % 512 != 0)	×
283	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-offset= expects a 512-byte aligned value.");	×
284
285	arg_fec_offset = off;	×
286	} else if ((val = startswith(word, "fec-roots="))) {	×
287	uint64_t u;	×
288
289	r = safe_atou64(val, &u);	×
290	if (r < 0)	×
291	return log_error_errno(r, "Failed to parse number '%s', ignoring: %m", word);	×
292	if (u < 2 \|\| u > 24)	×
293	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "fec-rootfs= expects a value between 2 and 24 (including).");	×
294
295	arg_fec_roots = u;	×
296	} else if ((val = startswith(word, "root-hash-signature="))) {	×
297	r = parse_roothashsig_option(val, /* strict= */ true);	×
298	if (r < 0)	×
299	return r;
300
301	} else
302	log_warning("Encountered unknown option '%s', ignoring.", word);	×
303	}
304
305	return r;	×
306	}
307
308	static int verb_attach(int argc, char argv[], void userdata) {	×
309	_cleanup_(crypt_freep) struct crypt_device *cd = NULL;	×
310	_cleanup_free_ void *rh = NULL;	×
311	struct crypt_params_verity p = {};	×
312	crypt_status_info status;	×
313	size_t rh_size = 0;	×
314	int r;	×
315
316	assert(argc >= 5);	×
317
318	const char *volume = argv[1],	×
319	*data_device = argv[2],	×
320	*verity_device = argv[3],	×
321	*root_hash = argv[4],	×
322	*options = mangle_none(argc > 5 ? argv[5] : NULL);	×
323
324	if (!filename_is_valid(volume))	×
325	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);	×
326
327	if (options) {	×
328	r = parse_options(options);	×
329	if (r < 0)	×
330	return log_error_errno(r, "Failed to parse options: %m");	×
331	}
332
333	if (empty_or_dash(root_hash) \|\| streq_ptr(root_hash, "auto"))	×
334	root_hash = NULL;	×
335
336	_cleanup_(sd_device_unrefp) sd_device *datadev = NULL;	×
337	if (!root_hash \|\| arg_root_hash_signature_auto) {	×
338	r = sd_device_new_from_path(&datadev, data_device);	×
339	if (r < 0)	×
340	return log_error_errno(r, "Failed to acquire udev object for data device '%s': %m", data_device);	×
341	}
342
343	if (!root_hash) {	×
344	/* If no literal root hash is specified try to determine it automatically from the
345	* ID_DISSECT_PART_ROOTHASH udev property. */
346	r = sd_device_get_property_value(ASSERT_PTR(datadev), "ID_DISSECT_PART_ROOTHASH", &root_hash);	×
347	if (r < 0)	×
348	return log_error_errno(r, "No root hash specified, and device doesn't carry ID_DISSECT_PART_ROOTHASH property, cannot determine root hash.");	×
349	}
350
351	r = unhexmem(root_hash, &rh, &rh_size);	×
352	if (r < 0)	×
353	return log_error_errno(r, "Failed to parse root hash: %m");	×
354
355	if (arg_root_hash_signature_auto) {	×
356	assert(!arg_root_hash_signature);	×
357	assert(arg_root_hash_signature_size == 0);	×
358
359	const char *t;	×
360	r = sd_device_get_property_value(ASSERT_PTR(datadev), "ID_DISSECT_PART_ROOTHASH_SIG", &t);	×
361	if (r < 0)	×
362	return log_error_errno(r, "Automatic root hash signature pick up requested, and device doesn't carry ID_DISSECT_PART_ROOTHASH_SIG property, cannot determine root hash signature.");	×
363
364	r = unbase64mem(t, &arg_root_hash_signature, &arg_root_hash_signature_size);	×
365	if (r < 0)	×
366	return log_error_errno(r, "Failed to decode root hash signature data from udev data device: %m");	×
367	}
368
369	r = crypt_init(&cd, verity_device);	×
370	if (r < 0)	×
371	return log_error_errno(r, "Failed to open verity device %s: %m", verity_device);	×
372
373	cryptsetup_enable_logging(cd);	×
374
375	status = crypt_status(cd, volume);	×
376	if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {	×
377	log_info("Volume %s already active.", volume);	×
378	return 0;	×
379	}
380
381	if (arg_superblock) {	×
382	p = (struct crypt_params_verity) {	×
383	.fec_device = arg_fec_what,
384	.hash_area_offset = arg_hash_offset,
385	.fec_area_offset = arg_fec_offset,
386	.fec_roots = arg_fec_roots,
387	};
388
389	r = crypt_load(cd, CRYPT_VERITY, &p);	×
390	if (r < 0)	×
391	return log_error_errno(r, "Failed to load verity superblock: %m");	×
392	} else {
393	p = (struct crypt_params_verity) {	×
394	.hash_name = arg_hash,
395	.data_device = data_device,
396	.fec_device = arg_fec_what,
397	.salt = arg_salt,
398	.salt_size = arg_salt_size,
399	.hash_type = arg_format,
400	.data_block_size = arg_data_block_size,
401	.hash_block_size = arg_hash_block_size,
402	.data_size = arg_data_blocks,
403	.hash_area_offset = arg_hash_offset,
404	.fec_area_offset = arg_fec_offset,
405	.fec_roots = arg_fec_roots,
406	.flags = CRYPT_VERITY_NO_HEADER,
407	};
408
409	r = crypt_format(cd, CRYPT_VERITY, NULL, NULL, arg_uuid, NULL, 0, &p);	×
410	if (r < 0)	×
411	return log_error_errno(r, "Failed to format verity superblock: %m");	×
412	}
413
414	r = crypt_set_data_device(cd, data_device);	×
415	if (r < 0)	×
416	return log_error_errno(r, "Failed to configure data device: %m");	×
417
418	if (arg_root_hash_signature_size > 0) {	×
419	#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
420	r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags);	×
421	if (r < 0) {	×
422	log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume);	×
423
424	r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);	×
425	if (r < 0)	×
426	return log_error_errno(r, "Failed to activate verity device '%s' both with and without root hash signature: %m", volume);	×
427
428	log_info("Activation of verity device '%s' succeeded without root hash signature.", volume);	×
429	}
430	#else
431	assert_not_reached();
432	#endif
433	} else
434	r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);	×
435	if (r < 0)	×
436	return log_error_errno(r, "Failed to set up verity device '%s': %m", volume);	×
437
438	return 0;
439	}
440
441	static int verb_detach(int argc, char argv[], void userdata) {	×
442	_cleanup_(crypt_freep) struct crypt_device *cd = NULL;	×
443	int r;	×
444
445	assert(argc == 2);	×
446
447	const char *volume = argv[1];	×
448
449	if (!filename_is_valid(volume))	×
450	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Volume name '%s' is not valid.", volume);	×
451
452	r = crypt_init_by_name(&cd, volume);	×
453	if (r == -ENODEV) {	×
454	log_info("Volume %s 'already' inactive.", volume);	×
455	return 0;	×
456	}
457	if (r < 0)	×
458	return log_error_errno(r, "crypt_init_by_name() for volume '%s' failed: %m", volume);	×
459
460	cryptsetup_enable_logging(cd);	×
461
462	r = crypt_deactivate(cd, volume);	×
463	if (r < 0)	×
464	return log_error_errno(r, "Failed to deactivate volume '%s': %m", volume);	×
465
466	return 0;
467	}
468
469	static int run(int argc, char *argv[]) {	×
470	if (argv_looks_like_help(argc, argv))	×
471	return help();	×
472
473	log_setup();	×
474
475	cryptsetup_enable_logging(NULL);	×
476
477	umask(0022);	×
478
479	static const Verb verbs[] = {	×
480	{ "attach", 5, 6, 0, verb_attach },
481	{ "detach", 2, 2, 0, verb_detach },
482	{}
483	};
484
485	return dispatch_verb(argc, argv, verbs, NULL);	×
486	}
487
488	DEFINE_MAIN_FUNCTION(run);	×

systemd / systemd / 14255132001

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous