diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md index 065d78c6b43..47cdff317bf 100644 --- a/docs/ENVIRONMENT.md +++ b/docs/ENVIRONMENT.md @@ -49,6 +49,9 @@ All tools: * `$SYSTEMD_CRYPTTAB` — if set, use this path instead of /etc/crypttab. Only useful for debugging. Currently only supported by systemd-cryptsetup-generator. +* `$SYSTEMD_VERITYTAB` — if set, use this path instead of /etc/veritytab. Only + useful for debugging. Currently only supported by systemd-veritysetup-generator. + * `$SYSTEMD_EFI_OPTIONS` — if set, used instead of the string in the SystemdOptions EFI variable. Analogous to `$SYSTEMD_PROC_CMDLINE`. diff --git a/man/bootup.xml b/man/bootup.xml index 781e539191e..431d19a48e5 100644 --- a/man/bootup.xml +++ b/man/bootup.xml @@ -92,10 +92,10 @@ - cryptsetup-pre.target + cryptsetup-pre.target veritysetup-pre.target | (various low-level v - API VFS mounts: (various cryptsetup devices...) + API VFS mounts: (various cryptsetup/veritysetup devices...) mqueue, configfs, | | debugfs, ...) v | | cryptsetup.target | @@ -105,7 +105,7 @@ | v local-fs-pre.target | | | (network file systems) | swap.target | | v v | | | v | remote-cryptsetup.target | - | | (various low-level (various mounts and | | | + | | (various low-level (various mounts and | remote-veritysetup.target | | | services: udevd, fsck services...) | | remote-fs.target | | tmpfiles, random | | | / | | seed, sysctl, ...) v | | / @@ -303,7 +303,8 @@ emergency.service | | | (conflicts with (conflicts with all system all file system services) mounts, swaps, - | cryptsetup + | cryptsetup/ + | veritysetup | devices, ...) | | v v diff --git a/man/directives-template.xml b/man/directives-template.xml index addb0effdb3..34b103de404 100644 --- a/man/directives-template.xml +++ b/man/directives-template.xml @@ -94,7 +94,8 @@ - <filename>/etc/crypttab</filename> and + <title><filename>/etc/crypttab</filename>, + <filename>/etc/veritytab</filename> and <filename>/etc/fstab</filename> options Options which influence mounted filesystems and encrypted volumes. diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml index 7a4109916c1..f546a1161a5 100644 --- a/man/kernel-command-line.xml +++ b/man/kernel-command-line.xml @@ -356,11 +356,14 @@ + veritytab= + rd.veritytab= roothash= systemd.verity= rd.systemd.verity= systemd.verity_root_data= systemd.verity_root_hash= + systemd.verity.root_options= Configures the integrity protection root hash for the root file system, and other related parameters. For details, see diff --git a/man/rules/meson.build b/man/rules/meson.build index 70ad30c837f..19238ec0333 100644 --- a/man/rules/meson.build +++ b/man/rules/meson.build @@ -9,6 +9,7 @@ manpages = [ ['coredump.conf', '5', ['coredump.conf.d'], 'ENABLE_COREDUMP'], ['coredumpctl', '1', [], 'ENABLE_COREDUMP'], ['crypttab', '5', [], 'HAVE_LIBCRYPTSETUP'], + ['veritytab', '5', [], 'HAVE_LIBCRYPTSETUP'], ['daemon', '7', [], ''], ['dnssec-trust-anchors.d', '5', diff --git a/man/systemd-veritysetup-generator.xml b/man/systemd-veritysetup-generator.xml index d2736a7fd51..b447301e6f7 100644 --- a/man/systemd-veritysetup-generator.xml +++ b/man/systemd-veritysetup-generator.xml @@ -54,7 +54,7 @@ Takes a boolean argument. Defaults to yes. If no, disables the generator entirely. rd.systemd.verity= is honored only by the initial RAM disk (initrd) while systemd.verity= is honored by both the host system and the - initrd. + initrd. @@ -81,6 +81,17 @@ (see above). + + systemd.verity_root_options= + + Takes a comma-separated list of dm-verity options. Expects the following options + , , , + , and + . See + veritysetup8 for more + details. + + diff --git a/man/systemd.special.xml b/man/systemd.special.xml index e731c9ced26..ce1e8655f56 100644 --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -25,6 +25,8 @@ bluetooth.target, cryptsetup-pre.target, cryptsetup.target, + veritysetup-pre.target, + veritysetup.target, ctrl-alt-del.target, blockdev@.target, boot-complete.target, @@ -60,6 +62,7 @@ printer.target, reboot.target, remote-cryptsetup.target, + remote-veritysetup.target, remote-fs-pre.target, remote-fs.target, rescue.target, @@ -186,6 +189,13 @@ encrypted block devices. + + veritysetup.target + + A target that pulls in setup services for all + verity integrity protected block devices. + + dbus.service @@ -552,6 +562,15 @@ entries marked with . + + remote-veritysetup.target + + Similar to veritysetup.target, but for verity + integrity protected devices which are accessed over the network. It is used for + veritytab8 + entries marked with . + + remote-fs.target @@ -855,7 +874,8 @@ This template unit is used to order mount units and other consumers of block devices after services that synthesize these block devices. In particular, this is intended to be used with storage services (such as - systemd-cryptsetup@.service5) + systemd-cryptsetup@.service5/ + systemd-veritysetup@.service5) that allocate and manage a virtual block device. Storage services are ordered before an instance of blockdev@.target, and the consumer units after it. The ordering is particularly relevant during shutdown, as it ensures that the mount is deactivated first and the @@ -879,6 +899,19 @@ stopped. + + veritysetup-pre.target + + This passive target unit may be pulled in by services + that want to run before any verity integrity protected block + device is set up. All verity integrity protected block + devices are set up after this target has been reached. Since + the shutdown order is implicitly the reverse start-up order + between units, this target is particularly useful to ensure + that a service is shut down only after all verity integrity + protected block devices are fully stopped. + + first-boot-complete.target @@ -972,7 +1005,7 @@ remote-fs-pre.target This target unit is automatically ordered before all - mount point units (see above) and cryptsetup devices + mount point units (see above) and cryptsetup/veritysetup devices marked with the . It can be used to run certain units before remote encrypted devices and mounts are established. Note that this unit is generally not part of the initial diff --git a/man/veritytab.xml b/man/veritytab.xml new file mode 100644 index 00000000000..d29e9f5f2d0 --- /dev/null +++ b/man/veritytab.xml @@ -0,0 +1,198 @@ + + + + + + + + veritytab + systemd + + + + veritytab + 5 + + + + veritytab + Configuration for verity block devices + + + + /etc/veritytab + + + + Description + + The /etc/veritytab file describes + verity integrity protected block devices that are set up during + system boot. + + Empty lines and lines starting with the # + character are ignored. Each of the remaining lines describes one + verity integrity protected block device. Fields are delimited by + white space. + + Each line is in the formvolume-name data-device hash-device roothash options + The first four fields are mandatory, the remaining one is optional. + + The first field contains the name of the resulting verity volume; its block device is set up + below /dev/mapper/. + + The second field contains a path to the underlying block data device, or a specification of a block device via + UUID= followed by the UUID. + + The third field contains a path to the underlying block hash device, or a specification of a block device via + UUID= followed by the UUID. + + The fourth field is the roothash in hexadecimal. + + The fifth field, if present, is a comma-delimited list of options. The following options are + recognized: + + + + + + + + + Defines what to do if data integrity problem is detected (data corruption). Without these + options kernel fails the IO operation with I/O error. With --ignore-corruption option the + corruption is only logged. With --restart-on-corruption or + --panic-on-corruption the kernel is restarted (panicked) immediately. + + (You have to provide way how to avoid restart loops.) + + + + + + Instruct kernel to not verify blocks that are expected to contain zeroes and always directly + return zeroes instead. + + WARNING: Use this option only in very specific cases. This option is available since Linux kernel version 4.5. + + + + + + + Instruct kernel to verify blocks only the first time they are read from the data device, rather + than every time. + + WARNING: It provides a reduced level of security because only offline tampering of the data device's content + will be detected, not online tampering. This option is available since Linux kernel version 4.17. + + + + + + + A base64 string encoding the root hash signature prefixed by base64: or a + path to roothash signature file used to verify the root hash (in kernel). This feature requires Linux kernel + version 5.4 or more recent. + + + + + + Marks this veritysetup device as requiring network. It will be + started after the network is available, similarly to + systemd.mount5 + units marked with . The service unit to set up this device + will be ordered between remote-fs-pre.target and + remote-veritysetup.target, instead of + veritysetup-pre.target and + veritysetup.target. + + Hint: if this device is used for a mount point that is specified in + fstab5, + the option should also be used for the mount + point. Otherwise, a dependency loop might be created where the mount point + will be pulled in by local-fs.target, while the + service to configure the network is usually only started after + the local file system has been mounted. + + + + + + + This device will not be added to veritysetup.target. + This means that it will not be automatically enabled on boot, unless something else pulls + it in. In particular, if the device is used for a mount point, it'll be enabled + automatically during boot, unless the mount point itself is also disabled with + . + + + + + + This device will not be a hard dependency of + veritysetup.target. It'll still be pulled in and started, but the system + will not wait for the device to show up and be enabled, and boot will not fail if this is + unsuccessful. Note that other units that depend on the enabled device may still fail. In + particular, if the device is used for a mount point, the mount point itself also needs to + have the option, or the boot will fail if the device is not enabled + successfully. + + + + + + Setup this verity integrity protected block device in the initramfs, similarly to + systemd.mount5 + units marked with . + + Although it's not necessary to mark the mount entry for the root file system with + , is still recommended with + the verity integrity protected block device containing the root file system as otherwise systemd + will attempt to detach the device during the regular system shutdown while it's still in + use. With this option the device will still be detached but later after the root file + system is unmounted. + + All other verity integrity protected block devices that contain file systems mounted in the + initramfs should use this option. + + + + + + At early boot and when the system manager configuration is + reloaded, this file is translated into native systemd units by + systemd-veritysetup-generator8. + + + + Examples + + /etc/veritytab example + Set up two verity integrity protected block devices. One using device blocks, another using files. + + usr PARTUUID=783e45ae-7aa3-484a-beef-a80ff9c19cbb PARTUUID=21dc1dfe-4c33-8b48-98a9-918a22eb3e37 36e3f740ad502e2c25e2a23d9c7c17bf0fdad2300b7580842d4b7ec1fb0fa263 auto +data /etc/data /etc/hash a5ee4b42f70ae1f46a08a7c92c2e0a20672ad2f514792730f5d49d7606ab8fdf auto + + + + + + See Also + + systemd1, + systemd-veritysetup@.service8, + systemd-veritysetup-generator8, + fstab5, + veritysetup8, + + + + diff --git a/meson.build b/meson.build index b400de8319f..e360ec95c9a 100644 --- a/meson.build +++ b/meson.build @@ -237,6 +237,7 @@ conf.set_quoted('ROOTPREFIX_NOSLASH', rootprefixdir_nosl conf.set_quoted('RANDOM_SEED_DIR', randomseeddir) conf.set_quoted('RANDOM_SEED', join_paths(randomseeddir, 'random-seed')) conf.set_quoted('SYSTEMD_CRYPTSETUP_PATH', join_paths(rootlibexecdir, 'systemd-cryptsetup')) +conf.set_quoted('SYSTEMD_VERITYSETUP_PATH', join_paths(rootlibexecdir, 'systemd-veritysetup')) conf.set_quoted('SYSTEM_GENERATOR_DIR', systemgeneratordir) conf.set_quoted('USER_GENERATOR_DIR', usergeneratordir) conf.set_quoted('SYSTEM_ENV_GENERATOR_DIR', systemenvgeneratordir) diff --git a/src/shared/generator.c b/src/shared/generator.c index 1eccc5a2895..b8616cf1f2b 100644 --- a/src/shared/generator.c +++ b/src/shared/generator.c @@ -620,6 +620,81 @@ int generator_write_cryptsetup_service_section( return 0; } +int generator_write_veritysetup_unit_section( + FILE *f, + const char *source) { + + assert(f); + + fprintf(f, + "[Unit]\n" + "Description=Integrity Protection Setup for %%I\n" + "Documentation=man:veritytab(5) man:systemd-veritysetup-generator(8) man:systemd-veritysetup@.service(8)\n"); + + if (source) + fprintf(f, "SourcePath=%s\n", source); + + fprintf(f, + "DefaultDependencies=no\n" + "IgnoreOnIsolate=true\n" + "After=cryptsetup-pre.target systemd-udevd-kernel.socket\n" + "Before=blockdev@dev-mapper-%%i.target\n" + "Wants=blockdev@dev-mapper-%%i.target\n"); + + return 0; +} + +int generator_write_veritysetup_service_section( + FILE *f, + const char *name, + const char *data_what, + const char *hash_what, + const char *roothash, + const char *options) { + + _cleanup_free_ char *name_escaped = NULL, *data_what_escaped = NULL, *hash_what_escaped, + *roothash_escaped = NULL, *options_escaped = NULL; + + assert(f); + assert(name); + assert(data_what); + assert(hash_what); + + name_escaped = specifier_escape(name); + if (!name_escaped) + return log_oom(); + + data_what_escaped = specifier_escape(data_what); + if (!data_what_escaped) + return log_oom(); + + hash_what_escaped = specifier_escape(hash_what); + if (!hash_what_escaped) + return log_oom(); + + roothash_escaped = specifier_escape(roothash); + if (!roothash_escaped) + return log_oom(); + + if (options) { + options_escaped = specifier_escape(options); + if (!options_escaped) + return log_oom(); + } + + fprintf(f, + "\n" + "[Service]\n" + "Type=oneshot\n" + "RemainAfterExit=yes\n" + "ExecStart=" SYSTEMD_VERITYSETUP_PATH " attach '%s' '%s' '%s' '%s' '%s'\n" + "ExecStop=" SYSTEMD_VERITYSETUP_PATH " detach '%s'\n", + name_escaped, data_what_escaped, hash_what_escaped, roothash_escaped, strempty(options_escaped), + name_escaped); + + return 0; +} + void log_setup_generator(void) { /* Disable talking to syslog/journal (i.e. the two IPC-based loggers) if we run in system context. */ if (cg_pid_get_owner_uid(0, NULL) == -ENXIO /* not running in a per-user slice */) diff --git a/src/shared/generator.h b/src/shared/generator.h index ff6072f53d8..bd768daf491 100644 --- a/src/shared/generator.h +++ b/src/shared/generator.h @@ -42,6 +42,18 @@ int generator_write_cryptsetup_service_section( const char *password, const char *options); +int generator_write_veritysetup_unit_section( + FILE *f, + const char *source); + +int generator_write_veritysetup_service_section( + FILE *f, + const char *name, + const char *data_what, + const char *hash_what, + const char *roothash, + const char *options); + int generator_write_device_deps( const char *dir, const char *what, diff --git a/src/veritysetup/veritysetup-generator.c b/src/veritysetup/veritysetup-generator.c index 7c807c874ae..9f47a0515a0 100644 --- a/src/veritysetup/veritysetup-generator.c +++ b/src/veritysetup/veritysetup-generator.c @@ -7,6 +7,7 @@ #include #include "alloc-util.h" +#include "dropin.h" #include "fd-util.h" #include "fileio.h" #include "fstab-util.h" @@ -24,18 +25,33 @@ #define SYSTEMD_VERITYSETUP_SERVICE "systemd-veritysetup@root.service" +typedef struct verity_device { + char *uuid; + char *datadev; + char *hashdev; + char *roothash; + char *name; + char *options; + bool create; +} verity_device; + static const char *arg_dest = NULL; static bool arg_enabled = true; +static bool arg_read_veritytab = true; +static const char *arg_veritytab = NULL; static char *arg_root_hash = NULL; static char *arg_data_what = NULL; static char *arg_hash_what = NULL; +static char *arg_options = NULL; STATIC_DESTRUCTOR_REGISTER(arg_root_hash, freep); STATIC_DESTRUCTOR_REGISTER(arg_data_what, freep); STATIC_DESTRUCTOR_REGISTER(arg_hash_what, freep); +STATIC_DESTRUCTOR_REGISTER(arg_options, freep); static int create_device(void) { - _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL, *u_escaped = NULL, *v_escaped = NULL, *root_hash_escaped = NULL; + _cleanup_free_ char *u = NULL, *v = NULL, *d = NULL, *e = NULL, *u_escaped = NULL, *v_escaped = NULL, + *root_hash_escaped = NULL, *options_escaped = NULL; _cleanup_fclose_ FILE *f = NULL; const char *to; int r; @@ -57,7 +73,8 @@ static int create_device(void) { log_debug("Using root verity data device %s,\n" " hash device %s,\n" - " and root hash %s.", arg_data_what, arg_hash_what, arg_root_hash); + " options %s,\n" + " and root hash %s.", arg_data_what, arg_hash_what, arg_options, arg_root_hash); u = fstab_node_to_udev_node(arg_data_what); if (!u) @@ -80,6 +97,10 @@ static int create_device(void) { if (r < 0) return log_error_errno(r, "Failed to generate unit name: %m"); + options_escaped = specifier_escape(arg_options ?: ""); + if (!options_escaped) + return log_oom(); + root_hash_escaped = specifier_escape(arg_root_hash); if (!root_hash_escaped) return log_oom(); @@ -97,22 +118,22 @@ static int create_device(void) { "Conflicts=umount.target\n" "BindsTo=%s %s\n" "IgnoreOnIsolate=true\n" - "After=cryptsetup-pre.target systemd-udevd-kernel.socket %s %s\n" - "Before=cryptsetup.target umount.target\n" + "After=veritysetup-pre.target systemd-udevd-kernel.socket %s %s\n" + "Before=veritysetup.target umount.target\n" "\n[Service]\n" "Type=oneshot\n" "RemainAfterExit=yes\n" - "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s'\n" + "ExecStart=" ROOTLIBEXECDIR "/systemd-veritysetup attach root '%s' '%s' '%s' '%s'\n" "ExecStop=" ROOTLIBEXECDIR "/systemd-veritysetup detach root\n", d, e, d, e, - u_escaped, v_escaped, root_hash_escaped); + u_escaped, v_escaped, root_hash_escaped, options_escaped); r = fflush_and_check(f); if (r < 0) return log_error_errno(r, "Failed to write file unit "SYSTEMD_VERITYSETUP_SERVICE": %m"); - to = strjoina(arg_dest, "/cryptsetup.target.requires/" SYSTEMD_VERITYSETUP_SERVICE); + to = strjoina(arg_dest, "/veritysetup.target.requires/" SYSTEMD_VERITYSETUP_SERVICE); (void) mkdir_parents(to, 0755); if (symlink("../" SYSTEMD_VERITYSETUP_SERVICE, to) < 0) @@ -132,6 +153,14 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat else arg_enabled = r; + } else if (streq(key, "veritytab")) { + + r = value ? parse_boolean(value) : 1; + if (r < 0) + log_warning("Failed to parse veritytab= kernel command line switch %s. Ignoring.", value); + else + arg_read_veritytab = r; + } else if (proc_cmdline_key_streq(key, "roothash")) { if (proc_cmdline_value_missing(key, value)) @@ -158,6 +187,16 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat r = free_and_strdup(&arg_hash_what, value); if (r < 0) return log_oom(); + + } else if (proc_cmdline_key_streq(key, "systemd.verity_root_options")) { + + if (proc_cmdline_value_missing(key, value)) + return 0; + + r = free_and_strdup(&arg_options, value); + if (r < 0) + return log_oom(); + } return 0; @@ -205,21 +244,221 @@ static int determine_devices(void) { return 1; } +static int create_disk( + const char *name, + const char *data_device, + const char *hash_device, + const char *roothash, + const char *options, + const char *source) { + + _cleanup_free_ char *n = NULL, *dd = NULL, *du = NULL, *hd = NULL, *hu = NULL, *e = NULL, + *du_escaped = NULL, *hu_escaped = NULL, *name_escaped = NULL; + _cleanup_fclose_ FILE *f = NULL; + const char *dmname; + bool noauto, nofail, netdev, attach_in_initrd; + int r; + + assert(name); + assert(data_device); + assert(hash_device); + assert(roothash); + + noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0"); + nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0"); + netdev = fstab_test_option(options, "_netdev\0"); + attach_in_initrd = fstab_test_option(options, "x-initrd.attach\0"); + + name_escaped = specifier_escape(name); + if (!name_escaped) + return log_oom(); + + e = unit_name_escape(name); + if (!e) + return log_oom(); + + du = fstab_node_to_udev_node(data_device); + if (!du) + return log_oom(); + + hu = fstab_node_to_udev_node(hash_device); + if (!hu) + return log_oom(); + + r = unit_name_build("systemd-veritysetup", e, ".service", &n); + if (r < 0) + return log_error_errno(r, "Failed to generate unit name: %m"); + + du_escaped = specifier_escape(du); + if (!du_escaped) + return log_oom(); + + hu_escaped = specifier_escape(hu); + if (!hu_escaped) + return log_oom(); + + r = unit_name_from_path(du, ".device", &dd); + if (r < 0) + return log_error_errno(r, "Failed to generate unit name: %m"); + + r = unit_name_from_path(hu, ".device", &hd); + if (r < 0) + return log_error_errno(r, "Failed to generate unit name: %m"); + + r = generator_open_unit_file(arg_dest, NULL, n, &f); + if (r < 0) + return r; + + r = generator_write_veritysetup_unit_section(f, source); + if (r < 0) + return r; + + if (netdev) + fprintf(f, "After=remote-fs-pre.target\n"); + + /* If initrd takes care of attaching the disk then it should also detach it during shutdown. */ + if (!attach_in_initrd) + fprintf(f, "Conflicts=umount.target\n"); + + if (!nofail) + fprintf(f, + "Before=%s\n", + netdev ? "remote-veritysetup.target" : "veritysetup.target"); + + if (path_startswith(du, "/dev/")) + fprintf(f, + "BindsTo=%s\n" + "After=%s\n" + "Before=umount.target\n", + dd, dd); + else + /* For loopback devices, add systemd-tmpfiles-setup-dev.service + dependency to ensure that loopback support is available in + the kernel (/dev/loop-control needs to exist) */ + fprintf(f, + "RequiresMountsFor=%s\n" + "Requires=systemd-tmpfiles-setup-dev.service\n" + "After=systemd-tmpfiles-setup-dev.service\n", + du_escaped); + + if (path_startswith(hu, "/dev/")) + fprintf(f, + "BindsTo=%s\n" + "After=%s\n" + "Before=umount.target\n", + hd, hd); + else + /* For loopback devices, add systemd-tmpfiles-setup-dev.service + dependency to ensure that loopback support is available in + the kernel (/dev/loop-control needs to exist) */ + fprintf(f, + "RequiresMountsFor=%s\n" + "Requires=systemd-tmpfiles-setup-dev.service\n" + "After=systemd-tmpfiles-setup-dev.service\n", + hu_escaped); + + r = generator_write_veritysetup_service_section(f, name, du_escaped, hu_escaped, roothash, options); + if (r < 0) + return r; + + r = fflush_and_check(f); + if (r < 0) + return log_error_errno(r, "Failed to write unit file %s: %m", n); + + if (!noauto) { + r = generator_add_symlink(arg_dest, + netdev ? "remote-veritysetup.target" : "veritysetup.target", + nofail ? "wants" : "requires", n); + if (r < 0) + return r; + } + + dmname = strjoina("dev-mapper-", e, ".device"); + return generator_add_symlink(arg_dest, dmname, "requires", n); +} + +static int add_veritytab_devices(void) { + _cleanup_fclose_ FILE *f = NULL; + unsigned veritytab_line = 0; + int r; + + if (!arg_read_veritytab) + return 0; + + r = fopen_unlocked(arg_veritytab, "re", &f); + if (r < 0) { + if (errno != ENOENT) + log_error_errno(errno, "Failed to open %s: %m", arg_veritytab); + return 0; + } + + for (;;) { + _cleanup_free_ char *line = NULL, *name = NULL, *data_device = NULL, *hash_device = NULL, + *roothash = NULL, *options = NULL; + verity_device *d = NULL; + char *l, *data_uuid, *hash_uuid; + int k; + + r = read_line(f, LONG_LINE_MAX, &line); + if (r < 0) + return log_error_errno(r, "Failed to read %s: %m", arg_veritytab); + if (r == 0) + break; + + veritytab_line++; + + l = strstrip(line); + if (IN_SET(l[0], 0, '#')) + continue; + + k = sscanf(l, "%ms %ms %ms %ms %ms", &name, &data_device, &hash_device, &roothash, &options); + if (k < 4 || k > 5) { + log_error("Failed to parse %s:%u, ignoring.", arg_veritytab, veritytab_line); + continue; + } + + data_uuid = startswith(data_device, "UUID="); + if (!data_uuid) + data_uuid = path_startswith(data_device, "/dev/disk/by-uuid/"); + + hash_uuid = startswith(hash_device, "UUID="); + if (!hash_uuid) + hash_uuid = path_startswith(hash_device, "/dev/disk/by-uuid/"); + + r = create_disk(name, + data_device, + hash_device, + roothash, + options, + arg_veritytab); + if (r < 0) + return r; + + if (d) + d->create = false; + } + + return 0; +} + static int run(const char *dest, const char *dest_early, const char *dest_late) { int r; assert_se(arg_dest = dest); + arg_veritytab = getenv("SYSTEMD_VERITYTAB") ?: "/etc/veritytab"; + r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX); if (r < 0) return log_warning_errno(r, "Failed to parse kernel command line: %m"); - /* For now we only support the root device on verity. Later on we might want to add support for /etc/veritytab - * or similar to define additional mappings */ - if (!arg_enabled) return 0; + r = add_veritytab_devices(); + if (r < 0) + return r; + r = determine_devices(); if (r < 0) return r; diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c index 9b8bca11f2c..cd9f0e7f64b 100644 --- a/src/veritysetup/veritysetup.c +++ b/src/veritysetup/veritysetup.c @@ -15,13 +15,10 @@ #include "string-util.h" #include "terminal-util.h" -static char *arg_root_hash = NULL; -static char *arg_data_what = NULL; -static char *arg_hash_what = NULL; +static uint32_t arg_activate_flags = CRYPT_ACTIVATE_READONLY; +static char *arg_root_hash_signature = NULL; -STATIC_DESTRUCTOR_REGISTER(arg_root_hash, freep); -STATIC_DESTRUCTOR_REGISTER(arg_data_what, freep); -STATIC_DESTRUCTOR_REGISTER(arg_hash_what, freep); +STATIC_DESTRUCTOR_REGISTER(arg_root_hash_signature, freep); static int help(void) { _cleanup_free_ char *link = NULL; @@ -31,7 +28,7 @@ static int help(void) { if (r < 0) return log_oom(); - printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [ROOTHASHSIG]\n" + printf("%s attach VOLUME DATADEVICE HASHDEVICE ROOTHASH [OPTIONS]\n" "%s detach VOLUME\n\n" "Attaches or detaches an integrity protected block device.\n" "\nSee the %s for details.\n" @@ -43,6 +40,93 @@ static int help(void) { return 0; } +static int looks_like_roothashsig(const char *option) { + const char *val; + int r; + + if (path_is_absolute(option)) { + + r = free_and_strdup(&arg_root_hash_signature, option); + if (r < 0) + return log_oom(); + + return 1; + } + + val = startswith(option, "base64:"); + if (val) { + + r = free_and_strdup(&arg_root_hash_signature, val); + if (r < 0) + return log_oom(); + + return 1; + } + + return 0; +} + +static int parse_options(const char *options) { + int r; + + /* backward compatibility with the obsolete ROOTHASHSIG positional argument */ + r = looks_like_roothashsig(options); + if (r < 0) + return r; + if (r == 1) { + log_warning("Usage of ROOTHASHSIG positional argument is deprecated. " + "Please use the option root-hash-signature=%s instead.", options); + return 0; + } + + for (;;) { + _cleanup_free_ char *word = NULL; + char *val; + + r = extract_first_word(&options, &word, ",", EXTRACT_DONT_COALESCE_SEPARATORS | EXTRACT_UNESCAPE_SEPARATORS); + if (r < 0) + return log_error_errno(r, "Failed to parse options: %m"); + if (r == 0) + break; + + if (STR_IN_SET(word, "noauto", "auto", "nofail", "fail", "_netdev")) + continue; + + if (isempty(word)) + continue; + else if (streq(word, "ignore-corruption")) + arg_activate_flags |= CRYPT_ACTIVATE_IGNORE_CORRUPTION; + else if (streq(word, "restart-on-corruption")) + arg_activate_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION; + else if (streq(word, "ignore-zero-blocks")) + arg_activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS; +#ifdef CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE + else if (streq(word, "check-at-most-once")) + arg_activate_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE; +#endif +#ifdef CRYPT_ACTIVATE_PANIC_ON_CORRUPTION + else if (streq(word, "panic-on-corruption")) + arg_activate_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION; +#endif + else if ((val = startswith(word, "root-hash-signature="))) { + + r = looks_like_roothashsig(val); + if (r < 0) + return r; + if (r == 0) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "root-hash-signature expects either full path to signature file or " + "base64 string encoding signature prefixed by base64:."); + + r = free_and_strdup(&arg_root_hash_signature, val); + if (r < 0) + return log_oom(); + } else + log_warning("Encountered unknown option '%s', ignoring.", word); + } + + return r; +} + static int run(int argc, char *argv[]) { _cleanup_(crypt_freep) struct crypt_device *cd = NULL; int r; @@ -81,6 +165,12 @@ static int run(int argc, char *argv[]) { return 0; } + if (argc > 6) { + r = parse_options(argv[6]); + if (r < 0) + return log_error_errno(r, "Failed to parse options: %m"); + } + r = crypt_load(cd, CRYPT_VERITY, NULL); if (r < 0) return log_error_errno(r, "Failed to load verity superblock: %m"); @@ -89,19 +179,19 @@ static int run(int argc, char *argv[]) { if (r < 0) return log_error_errno(r, "Failed to configure data device: %m"); - if (argc > 6) { + if (arg_root_hash_signature && *arg_root_hash_signature) { #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY _cleanup_free_ char *hash_sig = NULL; size_t hash_sig_size; char *value; - if ((value = startswith(argv[6], "base64:"))) { + if ((value = startswith(arg_root_hash_signature, "base64:"))) { r = unbase64mem(value, strlen(value), (void *)&hash_sig, &hash_sig_size); if (r < 0) - return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]); + return log_error_errno(r, "Failed to parse root hash signature '%s': %m", arg_root_hash_signature); } else { r = read_full_file_full( - AT_FDCWD, argv[6], UINT64_MAX, SIZE_MAX, + AT_FDCWD, arg_root_hash_signature, UINT64_MAX, SIZE_MAX, READ_FULL_FILE_CONNECT_SOCKET, NULL, &hash_sig, &hash_sig_size); @@ -109,12 +199,12 @@ static int run(int argc, char *argv[]) { return log_error_errno(r, "Failed to read root hash signature: %m"); } - r = crypt_activate_by_signed_key(cd, argv[2], m, l, hash_sig, hash_sig_size, CRYPT_ACTIVATE_READONLY); + r = crypt_activate_by_signed_key(cd, argv[2], m, l, hash_sig, hash_sig_size, arg_activate_flags); #else return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature %s requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()", argv[6]); #endif } else - r = crypt_activate_by_volume_key(cd, argv[2], m, l, CRYPT_ACTIVATE_READONLY); + r = crypt_activate_by_volume_key(cd, argv[2], m, l, arg_activate_flags); if (r < 0) return log_error_errno(r, "Failed to set up verity device: %m"); diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service index 464496e2575..2ea00ae52c0 100644 --- a/test/fuzz/fuzz-unit-file/directives.service +++ b/test/fuzz/fuzz-unit-file/directives.service @@ -326,6 +326,7 @@ systemd.unit= systemd.verity= systemd.verity_root_data= systemd.verity_root_hash= +systemd.verity_root_options= systemd.volatile= systemd.wants= systemd.watchdog_device= diff --git a/units/meson.build b/units/meson.build index 8b8fd1173f1..7b18f1bfea0 100644 --- a/units/meson.build +++ b/units/meson.build @@ -10,6 +10,9 @@ units = [ ['cryptsetup-pre.target', 'HAVE_LIBCRYPTSETUP'], ['cryptsetup.target', 'HAVE_LIBCRYPTSETUP', 'sysinit.target.wants/'], + ['veritysetup-pre.target', 'HAVE_LIBCRYPTSETUP'], + ['veritysetup.target', 'HAVE_LIBCRYPTSETUP', + 'sysinit.target.wants/'], ['dev-hugepages.mount', '', 'sysinit.target.wants/'], ['dev-mqueue.mount', '', @@ -62,6 +65,8 @@ units = [ 'ctrl-alt-del.target' + (with_runlevels ? ' runlevel6.target' : '')], ['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP', 'initrd-root-device.target.wants/'], + ['remote-veritysetup.target', 'HAVE_LIBCRYPTSETUP', + 'initrd-root-device.target.wants/'], ['remote-fs-pre.target', ''], ['remote-fs.target', ''], ['rescue.target', '', diff --git a/units/remote-veritysetup.target b/units/remote-veritysetup.target new file mode 100644 index 00000000000..bd9f71acefa --- /dev/null +++ b/units/remote-veritysetup.target @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Remote Verity Integrity Protected Volumes +Documentation=man:systemd.special(7) +After=remote-fs-pre.target veritysetup-pre.target +DefaultDependencies=no +Conflicts=shutdown.target + +[Install] +WantedBy=multi-user.target diff --git a/units/veritysetup-pre.target b/units/veritysetup-pre.target new file mode 100644 index 00000000000..be065f335fb --- /dev/null +++ b/units/veritysetup-pre.target @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Local Verity Integrity Protected Volumes (Pre) +Documentation=man:systemd.special(7) +RefuseManualStart=yes +Before=veritysetup.target diff --git a/units/veritysetup.target b/units/veritysetup.target new file mode 100644 index 00000000000..0ac3ad3bd06 --- /dev/null +++ b/units/veritysetup.target @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Local Verity Integrity Protected Volumes +Documentation=man:systemd.special(7)