Fix veritysetup exit code for bad root hash with FEC enabled.

If FEC was enabled, the error for bad root hash was replaced
by error correction (data were ok, only root hash was wrong).

Do not run recovery test if root hash is incorrect.
Milan Broz
2021-02-13 18:51:14 +01:00
parent d733e4d0e8
commit 3ebbceaef2
2 changed files with 27 additions and 1 deletions


@@ -373,7 +373,7 @@ out:
log_err(cd, _("Verification of data area failed."));
else {
log_dbg(cd, "Verification of data area succeeded.");
r = memcmp(root_hash, calculated_digest, digest_size) ? -EPERM : 0;
r = memcmp(root_hash, calculated_digest, digest_size) ? -EINVAL : 0;
if (r)
log_err(cd, _("Verification of root hash failed."));
else
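Review bot: The reason a root hash mismatch returns `-EINVAL` is not stated at the `memcmp()` assignment; it lives only in the commit message. This assumes the `-EINVAL` line is the new side, since the page prints both variants without `+`/`-` markers. Going by the message, the earlier code let the FEC path treat a wrong root hash like correctable data corruption, but the caller that makes that decision is outside this hunk, so this is inferred. A comment above the assignment would stop a later cleanup from unifying the two error codes again: `/* Root hash mismatch is not data corruption: return -EINVAL so FEC repair is not attempted. */`. The enclosing function starts and ends outside the hunk.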


@@ -84,6 +84,30 @@ function compare_out() # $1 what, $2 expected
[ $OPT != $2 ] && fail "$1 differs ($2)"
}
function check_root_hash_fail()
{
echo -n "Root hash check "
ARR=(`$VERITYSETUP format $IMG $IMG_HASH --fec-device $FEC_DEV --fec-roots 2 -h sha256`)
ROOT_HASH=${ARR[28]}
ROOT_HASH_BAD=abcdef0000000000000000000000000000000000000000000000000000000000
$VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH || fail
$VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 && fail
$VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH_BAD --fec-device $FEC_DEV --fec-roots 2 >/dev/null 2>&1 && fail
$VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH || fail
check_exists
dmsetup status $DEV_NAME | grep "verity V" >/dev/null || fail
$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
$VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 || fail
check_exists
dmsetup status $DEV_NAME | grep "verity C" >/dev/null || fail
$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
echo "[OK]"
}
function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
{
if [ -z "$LOOPDEV2" ] ; then
@@ -363,6 +387,8 @@ SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d
echo "Verity tests [separate devices]"
prepare 8192 1024
check_root_hash_fail
check_root_hash 512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256
check_root_hash 1024 54d92778750495d1f80832b486ebd007617d746271511bbf0e295e143da2b3df $SALT 1 sha256
check_root_hash 4096 e522df0f97da4febb882ac40f30b37dc0b444bf6df418929463fa25280f09d5c $SALT 1 sha256
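Review bot: The two negative `verify` checks with `$ROOT_HASH_BAD` in `check_root_hash_fail` assert only a non-zero exit (`... >/dev/null 2>&1 && fail`), with all output discarded. They would therefore also pass if veritysetup failed for an unrelated reason such as a rejected `--fec-device` argument, and they do not pin the exit code this commit is about. Capturing the status and comparing it would make the regression test specific, e.g. run the command and then `[ $? -eq $EXPECTED_RC ] || fail "unexpected exit code for bad root hash"`, where `EXPECTED_RC` is a placeholder for the code the CLI maps `-EINVAL` to. Separately, `ROOT_HASH=${ARR[28]}` depends on the exact word layout of the `format` output; a one-line comment saying which field index 28 is would help whoever has to update it when that output changes.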