mirror of
https://github.com/systemd/systemd.git
synced 2024-11-23 10:13:34 +08:00
shared: make libcryptsetup dep dlopen
Let's make libcryptsetup a dlopen() style dep for PID 1 (i.e. for RootImage= and stuff), systemd-growfs and systemd-repart. (But leave to be a regulra dep in systemd-cryptsetup, systemd-veritysetup and systemd-homed since for them the libcryptsetup support is not auxiliary but pretty much at the core of what they do.) This should be useful for container images that want systemd in the payload but don't care for the cryptsetup logic since dm-crypt and stuff isn't available in containers anyway. Fixes: #8249
This commit is contained in:
parent
1e2f32305c
commit
0d12936d9a
@ -2297,7 +2297,6 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
|
||||
'src/cryptsetup/cryptsetup-generator.c',
|
||||
include_directories : includes,
|
||||
link_with : [libshared],
|
||||
dependencies : [libcryptsetup],
|
||||
install_rpath : rootlibexecdir,
|
||||
install : true,
|
||||
install_dir : systemgeneratordir)
|
||||
@ -2317,7 +2316,6 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
|
||||
'src/veritysetup/veritysetup-generator.c',
|
||||
include_directories : includes,
|
||||
link_with : [libshared],
|
||||
dependencies : [libcryptsetup],
|
||||
install_rpath : rootlibexecdir,
|
||||
install : true,
|
||||
install_dir : systemgeneratordir)
|
||||
@ -2672,7 +2670,6 @@ if conf.get('ENABLE_REPART') == 1
|
||||
include_directories : includes,
|
||||
link_with : [libshared],
|
||||
dependencies : [threads,
|
||||
libcryptsetup,
|
||||
libblkid,
|
||||
libfdisk,
|
||||
libopenssl],
|
||||
@ -2755,7 +2752,6 @@ executable('systemd-growfs',
|
||||
'src/partition/growfs.c',
|
||||
include_directories : includes,
|
||||
link_with : [libshared],
|
||||
dependencies : [libcryptsetup],
|
||||
install_rpath : rootlibexecdir,
|
||||
install : true,
|
||||
install_dir : rootlibexecdir)
|
||||
|
@ -30,11 +30,15 @@ static bool arg_dry_run = false;
|
||||
#if HAVE_LIBCRYPTSETUP
|
||||
static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_devno) {
|
||||
_cleanup_free_ char *devpath = NULL, *main_devpath = NULL;
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_close_ int main_devfd = -1;
|
||||
uint64_t size;
|
||||
int r;
|
||||
|
||||
r = dlopen_cryptsetup();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Cannot resize LUKS device: %m");
|
||||
|
||||
r = device_path_make_major_minor(S_IFBLK, main_devno, &main_devpath);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to format device major/minor path: %m");
|
||||
@ -52,20 +56,20 @@ static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to format major/minor path: %m");
|
||||
|
||||
r = crypt_init(&cd, devpath);
|
||||
r = sym_crypt_init(&cd, devpath);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "crypt_init(\"%s\") failed: %m", devpath);
|
||||
|
||||
cryptsetup_enable_logging(cd);
|
||||
|
||||
r = crypt_load(cd, CRYPT_LUKS, NULL);
|
||||
r = sym_crypt_load(cd, CRYPT_LUKS, NULL);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to load LUKS metadata for %s: %m", devpath);
|
||||
|
||||
if (arg_dry_run)
|
||||
return 0;
|
||||
|
||||
r = crypt_resize(cd, main_devpath, 0);
|
||||
r = sym_crypt_resize(cd, main_devpath, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "crypt_resize() of %s failed: %m", devpath);
|
||||
|
||||
|
@ -2370,7 +2370,7 @@ static int partition_encrypt(
|
||||
char **ret_volume,
|
||||
int *ret_fd) {
|
||||
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(erase_and_freep) void *volume_key = NULL;
|
||||
_cleanup_free_ char *dm_name = NULL, *vol = NULL;
|
||||
char suuid[ID128_UUID_STRING_MAX];
|
||||
@ -2381,6 +2381,10 @@ static int partition_encrypt(
|
||||
assert(p);
|
||||
assert(p->encrypt);
|
||||
|
||||
r = dlopen_cryptsetup();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "libcryptsetup not found, cannot encrypt: %m");
|
||||
|
||||
if (asprintf(&dm_name, "luks-repart-%08" PRIx64, random_u64()) < 0)
|
||||
return log_oom();
|
||||
|
||||
@ -2404,13 +2408,13 @@ static int partition_encrypt(
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to generate volume key: %m");
|
||||
|
||||
r = crypt_init(&cd, node);
|
||||
r = sym_crypt_init(&cd, node);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
|
||||
|
||||
cryptsetup_enable_logging(cd);
|
||||
|
||||
r = crypt_format(cd,
|
||||
r = sym_crypt_format(cd,
|
||||
CRYPT_LUKS2,
|
||||
"aes",
|
||||
"xts-plain64",
|
||||
@ -2424,7 +2428,7 @@ static int partition_encrypt(
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to LUKS2 format future partition: %m");
|
||||
|
||||
r = crypt_keyslot_add_by_volume_key(
|
||||
r = sym_crypt_keyslot_add_by_volume_key(
|
||||
cd,
|
||||
CRYPT_ANY_SLOT,
|
||||
volume_key,
|
||||
@ -2434,7 +2438,7 @@ static int partition_encrypt(
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to add LUKS2 key: %m");
|
||||
|
||||
r = crypt_activate_by_volume_key(
|
||||
r = sym_crypt_activate_by_volume_key(
|
||||
cd,
|
||||
dm_name,
|
||||
volume_key,
|
||||
@ -2474,7 +2478,7 @@ static int deactivate_luks(struct crypt_device *cd, const char *node) {
|
||||
/* udev or so might access out block device in the background while we are done. Let's hence force
|
||||
* detach the volume. We sync'ed before, hence this should be safe. */
|
||||
|
||||
r = crypt_deactivate_by_name(cd, basename(node), CRYPT_DEACTIVATE_FORCE);
|
||||
r = sym_crypt_deactivate_by_name(cd, basename(node), CRYPT_DEACTIVATE_FORCE);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to deactivate LUKS device: %m");
|
||||
|
||||
@ -2490,7 +2494,7 @@ static int context_copy_blocks(Context *context) {
|
||||
/* Copy in file systems on the block level */
|
||||
|
||||
LIST_FOREACH(partitions, p, context->partitions) {
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
|
||||
_cleanup_free_ char *encrypted = NULL;
|
||||
_cleanup_close_ int encrypted_dev_fd = -1;
|
||||
@ -2553,7 +2557,7 @@ static int context_copy_blocks(Context *context) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
crypt_free(cd);
|
||||
sym_crypt_free(cd);
|
||||
cd = NULL;
|
||||
|
||||
r = loop_device_sync(d);
|
||||
@ -2694,7 +2698,7 @@ static int context_mkfs(Context *context) {
|
||||
/* Make a file system */
|
||||
|
||||
LIST_FOREACH(partitions, p, context->partitions) {
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
|
||||
_cleanup_free_ char *encrypted = NULL;
|
||||
_cleanup_close_ int encrypted_dev_fd = -1;
|
||||
@ -2781,7 +2785,7 @@ static int context_mkfs(Context *context) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
crypt_free(cd);
|
||||
sym_crypt_free(cd);
|
||||
cd = NULL;
|
||||
}
|
||||
|
||||
|
@ -1,10 +1,79 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1+ */
|
||||
|
||||
#if HAVE_LIBCRYPTSETUP
|
||||
#include "alloc-util.h"
|
||||
#include "cryptsetup-util.h"
|
||||
#include "dlfcn-util.h"
|
||||
#include "log.h"
|
||||
|
||||
static void *cryptsetup_dl = NULL;
|
||||
|
||||
int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
|
||||
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
|
||||
int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
|
||||
#endif
|
||||
int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
|
||||
int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
|
||||
int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
|
||||
void (*sym_crypt_free)(struct crypt_device *cd);
|
||||
const char *(*sym_crypt_get_dir)(void);
|
||||
int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
|
||||
int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
|
||||
int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
|
||||
int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
|
||||
int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
|
||||
int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
|
||||
int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
|
||||
void (*sym_crypt_set_debug_level)(int level);
|
||||
void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
|
||||
int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
|
||||
|
||||
int dlopen_cryptsetup(void) {
|
||||
_cleanup_(dlclosep) void *dl = NULL;
|
||||
int r;
|
||||
|
||||
if (cryptsetup_dl)
|
||||
return 0; /* Already loaded */
|
||||
|
||||
dl = dlopen("libcryptsetup.so.12", RTLD_LAZY);
|
||||
if (!dl)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||
"libcryptsetup support is not installed: %s", dlerror());
|
||||
|
||||
r = dlsym_many_and_warn(
|
||||
dl,
|
||||
LOG_DEBUG,
|
||||
&sym_crypt_activate_by_passphrase, "crypt_activate_by_passphrase",
|
||||
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
|
||||
&sym_crypt_activate_by_signed_key, "crypt_activate_by_signed_key",
|
||||
#endif
|
||||
&sym_crypt_activate_by_volume_key, "crypt_activate_by_volume_key",
|
||||
&sym_crypt_deactivate_by_name, "crypt_deactivate_by_name",
|
||||
&sym_crypt_format, "crypt_format",
|
||||
&sym_crypt_free, "crypt_free",
|
||||
&sym_crypt_get_dir, "crypt_get_dir",
|
||||
&sym_crypt_get_verity_info, "crypt_get_verity_info",
|
||||
&sym_crypt_init, "crypt_init",
|
||||
&sym_crypt_init_by_name, "crypt_init_by_name",
|
||||
&sym_crypt_keyslot_add_by_volume_key, "crypt_keyslot_add_by_volume_key",
|
||||
&sym_crypt_load, "crypt_load",
|
||||
&sym_crypt_resize, "crypt_resize",
|
||||
&sym_crypt_set_data_device, "crypt_set_data_device",
|
||||
&sym_crypt_set_debug_level, "crypt_set_debug_level",
|
||||
&sym_crypt_set_log_callback, "crypt_set_log_callback",
|
||||
&sym_crypt_volume_key_get, "crypt_volume_key_get",
|
||||
NULL);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Note that we never release the reference here, because there's no real reason to, after all this
|
||||
* was traditionally a regular shared library dependency which lives forever too. */
|
||||
cryptsetup_dl = TAKE_PTR(dl);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
|
||||
|
||||
switch (level) {
|
||||
case CRYPT_LOG_NORMAL:
|
||||
level = LOG_NOTICE;
|
||||
@ -27,8 +96,16 @@ static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
|
||||
}
|
||||
|
||||
void cryptsetup_enable_logging(struct crypt_device *cd) {
|
||||
crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
|
||||
crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
|
||||
if (!cd)
|
||||
return;
|
||||
|
||||
if (dlopen_cryptsetup() < 0) /* If this fails, let's gracefully ignore the issue, this is just debug
|
||||
* logging after all, and if this failed we already generated a debug
|
||||
* log message that should help to track things down. */
|
||||
return;
|
||||
|
||||
sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
|
||||
sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
@ -1,12 +1,36 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1+ */
|
||||
#pragma once
|
||||
|
||||
#include "macro.h"
|
||||
|
||||
#if HAVE_LIBCRYPTSETUP
|
||||
#include <libcryptsetup.h>
|
||||
|
||||
#include "macro.h"
|
||||
extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
|
||||
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
|
||||
extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
|
||||
#endif
|
||||
extern int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
|
||||
extern int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
|
||||
extern int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
|
||||
extern void (*sym_crypt_free)(struct crypt_device *cd);
|
||||
extern const char *(*sym_crypt_get_dir)(void);
|
||||
extern int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
|
||||
extern int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
|
||||
extern int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
|
||||
extern int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
|
||||
extern int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
|
||||
extern int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
|
||||
extern int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
|
||||
extern void (*sym_crypt_set_debug_level)(int level);
|
||||
extern void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
|
||||
extern int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
|
||||
|
||||
int dlopen_cryptsetup(void);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, sym_crypt_free);
|
||||
|
||||
void cryptsetup_enable_logging(struct crypt_device *cd);
|
||||
|
||||
#endif
|
||||
|
@ -1225,13 +1225,13 @@ DecryptedImage* decrypted_image_unref(DecryptedImage* d) {
|
||||
DecryptedPartition *p = d->decrypted + i;
|
||||
|
||||
if (p->device && p->name && !p->relinquished) {
|
||||
r = crypt_deactivate(p->device, p->name);
|
||||
r = sym_crypt_deactivate_by_name(p->device, p->name, 0);
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to deactivate encrypted partition %s", p->name);
|
||||
}
|
||||
|
||||
if (p->device)
|
||||
crypt_free(p->device);
|
||||
sym_crypt_free(p->device);
|
||||
free(p->name);
|
||||
}
|
||||
|
||||
@ -1265,7 +1265,7 @@ static int make_dm_name_and_node(const void *original_node, const char *suffix,
|
||||
if (!filename_is_valid(name))
|
||||
return -EINVAL;
|
||||
|
||||
node = path_join(crypt_get_dir(), name);
|
||||
node = path_join(sym_crypt_get_dir(), name);
|
||||
if (!node)
|
||||
return -ENOMEM;
|
||||
|
||||
@ -1282,7 +1282,7 @@ static int decrypt_partition(
|
||||
DecryptedImage *d) {
|
||||
|
||||
_cleanup_free_ char *node = NULL, *name = NULL;
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
int r;
|
||||
|
||||
assert(m);
|
||||
@ -1297,6 +1297,10 @@ static int decrypt_partition(
|
||||
if (!passphrase)
|
||||
return -ENOKEY;
|
||||
|
||||
r = dlopen_cryptsetup();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = make_dm_name_and_node(m->node, "-decrypted", &name, &node);
|
||||
if (r < 0)
|
||||
return r;
|
||||
@ -1304,19 +1308,19 @@ static int decrypt_partition(
|
||||
if (!GREEDY_REALLOC0(d->decrypted, d->n_allocated, d->n_decrypted + 1))
|
||||
return -ENOMEM;
|
||||
|
||||
r = crypt_init(&cd, m->node);
|
||||
r = sym_crypt_init(&cd, m->node);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to initialize dm-crypt: %m");
|
||||
|
||||
cryptsetup_enable_logging(cd);
|
||||
|
||||
r = crypt_load(cd, CRYPT_LUKS, NULL);
|
||||
r = sym_crypt_load(cd, CRYPT_LUKS, NULL);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to load LUKS metadata: %m");
|
||||
|
||||
r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
|
||||
((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
|
||||
((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
|
||||
r = sym_crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
|
||||
((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
|
||||
((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
|
||||
if (r < 0) {
|
||||
log_debug_errno(r, "Failed to activate LUKS device: %m");
|
||||
return r == -EPERM ? -EKEYREJECTED : r;
|
||||
@ -1334,23 +1338,26 @@ static int decrypt_partition(
|
||||
static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool has_sig, const char *name, struct crypt_device **ret_cd) {
|
||||
/* If the same volume was already open, check that the root hashes match, and reuse it if they do */
|
||||
_cleanup_free_ char *root_hash_existing = NULL;
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
struct crypt_params_verity crypt_params = {};
|
||||
size_t root_hash_existing_size = root_hash_size;
|
||||
int r;
|
||||
|
||||
assert(ret_cd);
|
||||
|
||||
r = crypt_init_by_name(&cd, name);
|
||||
r = sym_crypt_init_by_name(&cd, name);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Error opening verity device, crypt_init_by_name failed: %m");
|
||||
r = crypt_get_verity_info(cd, &crypt_params);
|
||||
|
||||
r = sym_crypt_get_verity_info(cd, &crypt_params);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Error opening verity device, crypt_get_verity_info failed: %m");
|
||||
|
||||
root_hash_existing = malloc0(root_hash_size);
|
||||
if (!root_hash_existing)
|
||||
return -ENOMEM;
|
||||
r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0);
|
||||
|
||||
r = sym_crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Error opening verity device, crypt_volume_key_get failed: %m");
|
||||
if (root_hash_size != root_hash_existing_size || memcmp(root_hash_existing, root_hash, root_hash_size) != 0)
|
||||
@ -1370,7 +1377,8 @@ static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool h
|
||||
static inline void dm_deferred_remove_clean(char *name) {
|
||||
if (!name)
|
||||
return;
|
||||
(void) crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED);
|
||||
|
||||
(void) sym_crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED);
|
||||
free(name);
|
||||
}
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
|
||||
@ -1388,7 +1396,7 @@ static int verity_partition(
|
||||
DecryptedImage *d) {
|
||||
|
||||
_cleanup_free_ char *node = NULL, *name = NULL, *hash_sig_from_file = NULL;
|
||||
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
|
||||
_cleanup_(dm_deferred_remove_cleanp) char *restore_deferred_remove = NULL;
|
||||
int r;
|
||||
|
||||
@ -1408,11 +1416,17 @@ static int verity_partition(
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = dlopen_cryptsetup();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) {
|
||||
/* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
|
||||
_cleanup_free_ char *root_hash_encoded = NULL;
|
||||
|
||||
root_hash_encoded = hexmem(root_hash, root_hash_size);
|
||||
if (!root_hash_encoded)
|
||||
|
||||
return -ENOMEM;
|
||||
r = make_dm_name_and_node(root_hash_encoded, "-verity", &name, &node);
|
||||
} else
|
||||
@ -1426,17 +1440,17 @@ static int verity_partition(
|
||||
return r;
|
||||
}
|
||||
|
||||
r = crypt_init(&cd, verity_data ?: v->node);
|
||||
r = sym_crypt_init(&cd, verity_data ?: v->node);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
cryptsetup_enable_logging(cd);
|
||||
|
||||
r = crypt_load(cd, CRYPT_VERITY, NULL);
|
||||
r = sym_crypt_load(cd, CRYPT_VERITY, NULL);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = crypt_set_data_device(cd, m->node);
|
||||
r = sym_crypt_set_data_device(cd, m->node);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -1449,12 +1463,12 @@ static int verity_partition(
|
||||
for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) {
|
||||
if (root_hash_sig || hash_sig_from_file) {
|
||||
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
|
||||
r = crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY);
|
||||
r = sym_crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY);
|
||||
#else
|
||||
r = log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()");
|
||||
#endif
|
||||
} else
|
||||
r = crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY);
|
||||
r = sym_crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY);
|
||||
/* libdevmapper can return EINVAL when the device is already in the activation stage.
|
||||
* There's no way to distinguish this situation from a genuine error due to invalid
|
||||
* parameters, so immediately fall back to activating the device with a unique name.
|
||||
@ -1500,7 +1514,7 @@ static int verity_partition(
|
||||
return r;
|
||||
|
||||
if (cd)
|
||||
crypt_free(cd);
|
||||
sym_crypt_free(cd);
|
||||
cd = existing_cd;
|
||||
}
|
||||
}
|
||||
@ -1664,7 +1678,7 @@ int decrypted_image_relinquish(DecryptedImage *d) {
|
||||
if (p->relinquished)
|
||||
continue;
|
||||
|
||||
r = crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED);
|
||||
r = sym_crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to mark %s for auto-removal: %m", p->name);
|
||||
|
||||
|
@ -354,7 +354,6 @@ libshared_deps = [threads,
|
||||
libblkid,
|
||||
libcap,
|
||||
libcrypt,
|
||||
libcryptsetup,
|
||||
libgcrypt,
|
||||
libidn,
|
||||
libiptc,
|
||||
|
Loading…
Reference in New Issue
Block a user