dissect: condition usespace verity keyring via kernel cmdline option + env var
parent
f4a63ce25f
commit
f0ecff8506
@ -488,6 +488,12 @@ disk images with `--image=` or similar:
|
||||
devices when opening them. Defaults to on, set this to "0" to disable this
|
||||
feature.
|
||||
|
||||
* `$SYSTEMD_ALLOW_USERSPACE_VERITY` — takes a boolean, which controls whether
|
||||
to consider the userspace Verity public key store in `/etc/verity.d/` (and
|
||||
related directories) to authenticate signatures on Verity hashes of disk
|
||||
images. Defaults to true, i.e. userspace signature validation is allowed. If
|
||||
false, authentication can be done only via the kernel's internal keyring.
|
||||
|
||||
`systemd-cryptsetup`:
|
||||
|
||||
* `$SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE` – takes a boolean, which controls
|
||||
|
@ -676,6 +676,17 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>systemd.allow_userspace_verity=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument. Controls whether disk images that are Verity protected may
|
||||
be authenticated in userspace signature checks via <filename>/etc/verity.d/</filename> (and related
|
||||
directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to
|
||||
on.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>systemd.hostname=</varname></term>
|
||||
|
||||
|
@ -60,6 +60,7 @@
|
||||
#include "openssl-util.h"
|
||||
#include "os-util.h"
|
||||
#include "path-util.h"
|
||||
#include "proc-cmdline.h"
|
||||
#include "process-util.h"
|
||||
#include "raw-clone.h"
|
||||
#include "resize-fs.h"
|
||||
@ -2538,12 +2539,34 @@ static char* dm_deferred_remove_clean(char *name) {
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
|
||||
|
||||
static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
|
||||
int r;
|
||||
|
||||
if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
|
||||
log_debug("Userspace dm-verity signature authentication disabled via flag.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = getenv_bool_secure("SYSTEMD_ALLOW_USERSPACE_VERITY");
|
||||
if (r < 0 && r != -ENXIO) {
|
||||
log_debug_errno(r, "Failed to parse $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable, refusing userspace dm-verity signature authentication.");
|
||||
return 0;
|
||||
}
|
||||
if (!r) {
|
||||
log_debug("Userspace dm-verity signature authentication disabled via $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
bool b;
|
||||
r = proc_cmdline_get_bool("systemd.allow_userspace_verity", PROC_CMDLINE_TRUE_WHEN_MISSING, &b);
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to parse systemd.allow_userspace_verity= kernel command line option, refusing userspace dm-verity signature authentication.");
|
||||
return 0;
|
||||
}
|
||||
if (!b) {
|
||||
log_debug("Userspace dm-verity signature authentication disabled via systemd.allow_userspace_verity= kernel command line variable.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
_cleanup_(sk_X509_free_allp) STACK_OF(X509) *sk = NULL;
|
||||
_cleanup_strv_free_ char **certs = NULL;
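Review bot: The precedence between the two new gates is not written down anywhere in validate_signature_userspace: the `$SYSTEMD_ALLOW_USERSPACE_VERITY` check runs first and the `systemd.allow_userspace_verity=` check second, so either source can disable userspace signature authentication but neither can re-enable it once the other has said no, and every parse failure (other than an unset variable, `-ENXIO`) also lands on `return 0`. That deny-wins, fail-closed behaviour is the right choice for a trust decision, but a maintainer reading only one of the two blocks could easily "fix" the order or make a parse error fall through; a comment above the `getenv_bool_secure()` call such as `/* Userspace verity may be vetoed by either the environment or the kernel command line; a veto or a parse failure from either source wins, and neither can override the other's veto. */` would pin it. Whether the caller then falls back to the kernel keyring on a 0 return is outside this hunk and should be confirmed there. As a wording nit, the debug message on the cmdline branch says "kernel command line variable" while the parse-failure message just above calls it an "option"; `"... disabled via systemd.allow_userspace_verity= kernel command line option."` keeps the two consistent. The function body continues past the end of the hunk.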
|
||||
@ -2552,7 +2575,6 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
|
||||
_cleanup_(BIO_freep) BIO *bio = NULL; /* 'bio' must be freed first, 's' second, hence keep this order
|
||||
* of declaration in place, please */
|
||||
const unsigned char *d;
|
||||
int r;
|
||||
|
||||
assert(verity);
|
||||
assert(verity->root_hash);
|
||||
|