eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

verity: run FEC check even if root hash fails.

Browse Source 
The error correction can fix even problem with root hash.

For now, always return fail if initial check of root hash failed.

FIXME: The FEC verify code need to be rewritten to repair only
blocks where hash is wrong and the re-check hash after recovery,
inclkuding root hash.

Now we do not check hash after FEC recovery. The Reed-Solomon
decoder can then "repair" code wrongly if parity is too damaged.

For now, the information about FEC repaired errors is only
advisory, it does not mean device is fully repaireable.
This commit is contained in:
Milan Broz
2021-02-23 12:43:37 +01:00
parent 1534dc6c61
commit c9b727e9ea
2 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lib/verity/verity.c
View File

@@ -261,7 +261,7 @@ int VERITY_activate(struct crypt_device *cd,
{
uint32_t dmv_flags;
unsigned int fec_errors = 0;
int r;
int r, v;
struct crypt_dm_active_device dmd = {
.size = verity_hdr->data_size * verity_hdr->data_block_size / 512,
.flags = activation_flags,
@@ -280,14 +280,19 @@ int VERITY_activate(struct crypt_device *cd,
log_dbg(cd, "Verification of data in userspace required.");
r = VERITY_verify(cd, verity_hdr, root_hash, root_hash_size);
if (r == -EPERM && fec_device) {
if ((r == -EPERM || r == -EFAULT) && fec_device) {
v = r;
log_dbg(cd, "Verification failed, trying to repair with FEC device.");
r = VERITY_FEC_process(cd, verity_hdr, fec_device, 1, &fec_errors);
if (r < 0)
log_err(cd, _("Errors cannot be repaired with FEC device."));
else if (fec_errors)
else if (fec_errors) {
log_err(cd, _("Found %u repairable errors with FEC device."),
fec_errors);
/* If root hash failed, we cannot be sure it was properly repaired */
}
if (v == -EFAULT)
r = -EPERM;
}
if (r < 0)

2
lib/verity/verity_hash.c
View File

@@ -380,7 +380,7 @@ out:
log_err(cd, _("Verification of data area failed."));
else {
log_dbg(cd, "Verification of data area succeeded.");
r = memcmp(root_hash, calculated_digest, digest_size) ? -EINVAL : 0;
r = memcmp(root_hash, calculated_digest, digest_size) ? -EFAULT : 0;
if (r)
log_err(cd, _("Verification of root hash failed."));
else