Add --root-hash-signature parameter to veritysetup

An optional root hash signature parameter is added to
veritysetup.

The signature file is opened and the signature is added to the keyring.

The kernel will use the signature to validate the roothash.

Usage: veritysetup open <data_device> name <hash_device> <root_hash> --root-hash-signature=<roothash_p7_sig_file>

Signed-off-by: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>

[Original patch rewritten by Milan Broz]
Jaskaran Khurana
2019-05-16 18:04:38 -07:00
committed by Milan Broz
parent d7667e9e6e
commit f247038e65
10 changed files with 198 additions and 52 deletions


@@ -235,6 +235,7 @@ int VERITY_activate(struct crypt_device *cd,
const char *name,
const char *root_hash,
size_t root_hash_size,
const char *signature_description,
struct device *fec_device,
struct crypt_params_verity *verity_hdr,
uint32_t activation_flags)
@@ -252,6 +253,11 @@ int VERITY_activate(struct crypt_device *cd,
name ?: "[none]", verity_hdr->hash_name);
if (verity_hdr->flags & CRYPT_VERITY_CHECK_HASH) {
if (signature_description) {
log_err(cd, _("Root hash signature verification is not supported."));
return -EINVAL;
}
log_dbg(cd, "Verification of data in userspace required.");
r = VERITY_verify(cd, verity_hdr, root_hash, root_hash_size);
@@ -291,7 +297,8 @@ int VERITY_activate(struct crypt_device *cd,
r = dm_verity_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
crypt_metadata_device(cd), fec_device, root_hash,
root_hash_size, VERITY_hash_offset_block(verity_hdr),
root_hash_size, signature_description,
VERITY_hash_offset_block(verity_hdr),
VERITY_hash_blocks(cd, verity_hdr), verity_hdr);
if (r)
@@ -302,6 +309,10 @@ int VERITY_activate(struct crypt_device *cd,
log_err(cd, _("Kernel doesn't support dm-verity mapping."));
r = -ENOTSUP;
}
if (r < 0 && signature_description && !(dmv_flags & DM_VERITY_SIGNATURE_SUPPORTED)) {
log_err(cd, _("Kernel doesn't support dm-verity signature option."));
r = -ENOTSUP;
}
if (r < 0)
goto out;