1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

dissect: condition usespace verity keyring via kernel cmdline option + env var

This commit is contained in:
Lennart Poettering 2024-02-28 16:16:30 +01:00
parent f4a63ce25f
commit f0ecff8506
3 changed files with 40 additions and 1 deletions

View File

@ -488,6 +488,12 @@ disk images with `--image=` or similar:
devices when opening them. Defaults to on, set this to "0" to disable this
feature.
* `$SYSTEMD_ALLOW_USERSPACE_VERITY` — takes a boolean, which controls whether
to consider the userspace Verity public key store in `/etc/verity.d/` (and
related directories) to authenticate signatures on Verity hashes of disk
images. Defaults to true, i.e. userspace signature validation is allowed. If
false, authentication can be done only via the kernel's internal keyring.
`systemd-cryptsetup`:
* `$SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE` takes a boolean, which controls

View File

@ -676,6 +676,17 @@
</listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.allow_userspace_verity=</varname></term>
<listitem><para>Takes a boolean argument. Controls whether disk images that are Verity protected may
be authenticated in userspace signature checks via <filename>/etc/verity.d/</filename> (and related
directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to
on.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.hostname=</varname></term>

View File

@ -60,6 +60,7 @@
#include "openssl-util.h"
#include "os-util.h"
#include "path-util.h"
#include "proc-cmdline.h"
#include "process-util.h"
#include "raw-clone.h"
#include "resize-fs.h"
@ -2538,12 +2539,34 @@ static char* dm_deferred_remove_clean(char *name) {
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
int r;
if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
log_debug("Userspace dm-verity signature authentication disabled via flag.");
return 0;
}
r = getenv_bool_secure("SYSTEMD_ALLOW_USERSPACE_VERITY");
if (r < 0 && r != -ENXIO) {
log_debug_errno(r, "Failed to parse $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable, refusing userspace dm-verity signature authentication.");
return 0;
}
if (!r) {
log_debug("Userspace dm-verity signature authentication disabled via $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable.");
return 0;
}
bool b;
r = proc_cmdline_get_bool("systemd.allow_userspace_verity", PROC_CMDLINE_TRUE_WHEN_MISSING, &b);
if (r < 0) {
log_debug_errno(r, "Failed to parse systemd.allow_userspace_verity= kernel command line option, refusing userspace dm-verity signature authentication.");
return 0;
}
if (!b) {
log_debug("Userspace dm-verity signature authentication disabled via systemd.allow_userspace_verity= kernel command line variable.");
return 0;
}
#if HAVE_OPENSSL
_cleanup_(sk_X509_free_allp) STACK_OF(X509) *sk = NULL;
_cleanup_strv_free_ char **certs = NULL;
@ -2552,7 +2575,6 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
_cleanup_(BIO_freep) BIO *bio = NULL; /* 'bio' must be freed first, 's' second, hence keep this order
* of declaration in place, please */
const unsigned char *d;
int r;
assert(verity);
assert(verity->root_hash);