shared: make libcryptsetup dep dlopen

Let's make libcryptsetup a dlopen() style dep for PID 1 (i.e. for
RootImage= and stuff), systemd-growfs and systemd-repart. (But leave to
be a regulra dep in systemd-cryptsetup, systemd-veritysetup and
systemd-homed since for them the libcryptsetup support is not auxiliary
but pretty much at the core of what they do.)

This should be useful for container images that want systemd in the
payload but don't care for the cryptsetup logic since dm-crypt and stuff
isn't available in containers anyway.

Fixes: #8249
This commit is contained in:
Lennart Poettering 2020-08-28 21:27:45 +02:00
parent 1e2f32305c
commit 0d12936d9a
7 changed files with 162 additions and 44 deletions

View File

@ -2297,7 +2297,6 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
'src/cryptsetup/cryptsetup-generator.c',
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
install_rpath : rootlibexecdir,
install : true,
install_dir : systemgeneratordir)
@ -2317,7 +2316,6 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
'src/veritysetup/veritysetup-generator.c',
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
install_rpath : rootlibexecdir,
install : true,
install_dir : systemgeneratordir)
@ -2672,7 +2670,6 @@ if conf.get('ENABLE_REPART') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads,
libcryptsetup,
libblkid,
libfdisk,
libopenssl],
@ -2755,7 +2752,6 @@ executable('systemd-growfs',
'src/partition/growfs.c',
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
install_rpath : rootlibexecdir,
install : true,
install_dir : rootlibexecdir)

View File

@ -30,11 +30,15 @@ static bool arg_dry_run = false;
#if HAVE_LIBCRYPTSETUP
static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_devno) {
_cleanup_free_ char *devpath = NULL, *main_devpath = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_close_ int main_devfd = -1;
uint64_t size;
int r;
r = dlopen_cryptsetup();
if (r < 0)
return log_error_errno(r, "Cannot resize LUKS device: %m");
r = device_path_make_major_minor(S_IFBLK, main_devno, &main_devpath);
if (r < 0)
return log_error_errno(r, "Failed to format device major/minor path: %m");
@ -52,20 +56,20 @@ static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_
if (r < 0)
return log_error_errno(r, "Failed to format major/minor path: %m");
r = crypt_init(&cd, devpath);
r = sym_crypt_init(&cd, devpath);
if (r < 0)
return log_error_errno(r, "crypt_init(\"%s\") failed: %m", devpath);
cryptsetup_enable_logging(cd);
r = crypt_load(cd, CRYPT_LUKS, NULL);
r = sym_crypt_load(cd, CRYPT_LUKS, NULL);
if (r < 0)
return log_debug_errno(r, "Failed to load LUKS metadata for %s: %m", devpath);
if (arg_dry_run)
return 0;
r = crypt_resize(cd, main_devpath, 0);
r = sym_crypt_resize(cd, main_devpath, 0);
if (r < 0)
return log_error_errno(r, "crypt_resize() of %s failed: %m", devpath);

View File

@ -2370,7 +2370,7 @@ static int partition_encrypt(
char **ret_volume,
int *ret_fd) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(erase_and_freep) void *volume_key = NULL;
_cleanup_free_ char *dm_name = NULL, *vol = NULL;
char suuid[ID128_UUID_STRING_MAX];
@ -2381,6 +2381,10 @@ static int partition_encrypt(
assert(p);
assert(p->encrypt);
r = dlopen_cryptsetup();
if (r < 0)
return log_error_errno(r, "libcryptsetup not found, cannot encrypt: %m");
if (asprintf(&dm_name, "luks-repart-%08" PRIx64, random_u64()) < 0)
return log_oom();
@ -2404,13 +2408,13 @@ static int partition_encrypt(
if (r < 0)
return log_error_errno(r, "Failed to generate volume key: %m");
r = crypt_init(&cd, node);
r = sym_crypt_init(&cd, node);
if (r < 0)
return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
cryptsetup_enable_logging(cd);
r = crypt_format(cd,
r = sym_crypt_format(cd,
CRYPT_LUKS2,
"aes",
"xts-plain64",
@ -2424,7 +2428,7 @@ static int partition_encrypt(
if (r < 0)
return log_error_errno(r, "Failed to LUKS2 format future partition: %m");
r = crypt_keyslot_add_by_volume_key(
r = sym_crypt_keyslot_add_by_volume_key(
cd,
CRYPT_ANY_SLOT,
volume_key,
@ -2434,7 +2438,7 @@ static int partition_encrypt(
if (r < 0)
return log_error_errno(r, "Failed to add LUKS2 key: %m");
r = crypt_activate_by_volume_key(
r = sym_crypt_activate_by_volume_key(
cd,
dm_name,
volume_key,
@ -2474,7 +2478,7 @@ static int deactivate_luks(struct crypt_device *cd, const char *node) {
/* udev or so might access out block device in the background while we are done. Let's hence force
* detach the volume. We sync'ed before, hence this should be safe. */
r = crypt_deactivate_by_name(cd, basename(node), CRYPT_DEACTIVATE_FORCE);
r = sym_crypt_deactivate_by_name(cd, basename(node), CRYPT_DEACTIVATE_FORCE);
if (r < 0)
return log_error_errno(r, "Failed to deactivate LUKS device: %m");
@ -2490,7 +2494,7 @@ static int context_copy_blocks(Context *context) {
/* Copy in file systems on the block level */
LIST_FOREACH(partitions, p, context->partitions) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
_cleanup_free_ char *encrypted = NULL;
_cleanup_close_ int encrypted_dev_fd = -1;
@ -2553,7 +2557,7 @@ static int context_copy_blocks(Context *context) {
if (r < 0)
return r;
crypt_free(cd);
sym_crypt_free(cd);
cd = NULL;
r = loop_device_sync(d);
@ -2694,7 +2698,7 @@ static int context_mkfs(Context *context) {
/* Make a file system */
LIST_FOREACH(partitions, p, context->partitions) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
_cleanup_free_ char *encrypted = NULL;
_cleanup_close_ int encrypted_dev_fd = -1;
@ -2781,7 +2785,7 @@ static int context_mkfs(Context *context) {
if (r < 0)
return r;
crypt_free(cd);
sym_crypt_free(cd);
cd = NULL;
}

View File

@ -1,10 +1,79 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#if HAVE_LIBCRYPTSETUP
#include "alloc-util.h"
#include "cryptsetup-util.h"
#include "dlfcn-util.h"
#include "log.h"
static void *cryptsetup_dl = NULL;
int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
#endif
int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
void (*sym_crypt_free)(struct crypt_device *cd);
const char *(*sym_crypt_get_dir)(void);
int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
void (*sym_crypt_set_debug_level)(int level);
void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
int dlopen_cryptsetup(void) {
_cleanup_(dlclosep) void *dl = NULL;
int r;
if (cryptsetup_dl)
return 0; /* Already loaded */
dl = dlopen("libcryptsetup.so.12", RTLD_LAZY);
if (!dl)
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"libcryptsetup support is not installed: %s", dlerror());
r = dlsym_many_and_warn(
dl,
LOG_DEBUG,
&sym_crypt_activate_by_passphrase, "crypt_activate_by_passphrase",
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
&sym_crypt_activate_by_signed_key, "crypt_activate_by_signed_key",
#endif
&sym_crypt_activate_by_volume_key, "crypt_activate_by_volume_key",
&sym_crypt_deactivate_by_name, "crypt_deactivate_by_name",
&sym_crypt_format, "crypt_format",
&sym_crypt_free, "crypt_free",
&sym_crypt_get_dir, "crypt_get_dir",
&sym_crypt_get_verity_info, "crypt_get_verity_info",
&sym_crypt_init, "crypt_init",
&sym_crypt_init_by_name, "crypt_init_by_name",
&sym_crypt_keyslot_add_by_volume_key, "crypt_keyslot_add_by_volume_key",
&sym_crypt_load, "crypt_load",
&sym_crypt_resize, "crypt_resize",
&sym_crypt_set_data_device, "crypt_set_data_device",
&sym_crypt_set_debug_level, "crypt_set_debug_level",
&sym_crypt_set_log_callback, "crypt_set_log_callback",
&sym_crypt_volume_key_get, "crypt_volume_key_get",
NULL);
if (r < 0)
return r;
/* Note that we never release the reference here, because there's no real reason to, after all this
* was traditionally a regular shared library dependency which lives forever too. */
cryptsetup_dl = TAKE_PTR(dl);
return 1;
}
static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
switch (level) {
case CRYPT_LOG_NORMAL:
level = LOG_NOTICE;
@ -27,8 +96,16 @@ static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
}
void cryptsetup_enable_logging(struct crypt_device *cd) {
crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
if (!cd)
return;
if (dlopen_cryptsetup() < 0) /* If this fails, let's gracefully ignore the issue, this is just debug
* logging after all, and if this failed we already generated a debug
* log message that should help to track things down. */
return;
sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
}
#endif

View File

@ -1,12 +1,36 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include "macro.h"
#if HAVE_LIBCRYPTSETUP
#include <libcryptsetup.h>
#include "macro.h"
extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
#endif
extern int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
extern int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
extern int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
extern void (*sym_crypt_free)(struct crypt_device *cd);
extern const char *(*sym_crypt_get_dir)(void);
extern int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
extern int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
extern int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
extern int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
extern int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
extern int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
extern int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
extern void (*sym_crypt_set_debug_level)(int level);
extern void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
extern int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
int dlopen_cryptsetup(void);
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, sym_crypt_free);
void cryptsetup_enable_logging(struct crypt_device *cd);
#endif

View File

@ -1225,13 +1225,13 @@ DecryptedImage* decrypted_image_unref(DecryptedImage* d) {
DecryptedPartition *p = d->decrypted + i;
if (p->device && p->name && !p->relinquished) {
r = crypt_deactivate(p->device, p->name);
r = sym_crypt_deactivate_by_name(p->device, p->name, 0);
if (r < 0)
log_debug_errno(r, "Failed to deactivate encrypted partition %s", p->name);
}
if (p->device)
crypt_free(p->device);
sym_crypt_free(p->device);
free(p->name);
}
@ -1265,7 +1265,7 @@ static int make_dm_name_and_node(const void *original_node, const char *suffix,
if (!filename_is_valid(name))
return -EINVAL;
node = path_join(crypt_get_dir(), name);
node = path_join(sym_crypt_get_dir(), name);
if (!node)
return -ENOMEM;
@ -1282,7 +1282,7 @@ static int decrypt_partition(
DecryptedImage *d) {
_cleanup_free_ char *node = NULL, *name = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
int r;
assert(m);
@ -1297,6 +1297,10 @@ static int decrypt_partition(
if (!passphrase)
return -ENOKEY;
r = dlopen_cryptsetup();
if (r < 0)
return r;
r = make_dm_name_and_node(m->node, "-decrypted", &name, &node);
if (r < 0)
return r;
@ -1304,17 +1308,17 @@ static int decrypt_partition(
if (!GREEDY_REALLOC0(d->decrypted, d->n_allocated, d->n_decrypted + 1))
return -ENOMEM;
r = crypt_init(&cd, m->node);
r = sym_crypt_init(&cd, m->node);
if (r < 0)
return log_debug_errno(r, "Failed to initialize dm-crypt: %m");
cryptsetup_enable_logging(cd);
r = crypt_load(cd, CRYPT_LUKS, NULL);
r = sym_crypt_load(cd, CRYPT_LUKS, NULL);
if (r < 0)
return log_debug_errno(r, "Failed to load LUKS metadata: %m");
r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
r = sym_crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
if (r < 0) {
@ -1334,23 +1338,26 @@ static int decrypt_partition(
static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool has_sig, const char *name, struct crypt_device **ret_cd) {
/* If the same volume was already open, check that the root hashes match, and reuse it if they do */
_cleanup_free_ char *root_hash_existing = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
struct crypt_params_verity crypt_params = {};
size_t root_hash_existing_size = root_hash_size;
int r;
assert(ret_cd);
r = crypt_init_by_name(&cd, name);
r = sym_crypt_init_by_name(&cd, name);
if (r < 0)
return log_debug_errno(r, "Error opening verity device, crypt_init_by_name failed: %m");
r = crypt_get_verity_info(cd, &crypt_params);
r = sym_crypt_get_verity_info(cd, &crypt_params);
if (r < 0)
return log_debug_errno(r, "Error opening verity device, crypt_get_verity_info failed: %m");
root_hash_existing = malloc0(root_hash_size);
if (!root_hash_existing)
return -ENOMEM;
r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0);
r = sym_crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0);
if (r < 0)
return log_debug_errno(r, "Error opening verity device, crypt_volume_key_get failed: %m");
if (root_hash_size != root_hash_existing_size || memcmp(root_hash_existing, root_hash, root_hash_size) != 0)
@ -1370,7 +1377,8 @@ static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool h
static inline void dm_deferred_remove_clean(char *name) {
if (!name)
return;
(void) crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED);
(void) sym_crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED);
free(name);
}
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
@ -1388,7 +1396,7 @@ static int verity_partition(
DecryptedImage *d) {
_cleanup_free_ char *node = NULL, *name = NULL, *hash_sig_from_file = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(dm_deferred_remove_cleanp) char *restore_deferred_remove = NULL;
int r;
@ -1408,11 +1416,17 @@ static int verity_partition(
return 0;
}
r = dlopen_cryptsetup();
if (r < 0)
return r;
if (FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) {
/* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
_cleanup_free_ char *root_hash_encoded = NULL;
root_hash_encoded = hexmem(root_hash, root_hash_size);
if (!root_hash_encoded)
return -ENOMEM;
r = make_dm_name_and_node(root_hash_encoded, "-verity", &name, &node);
} else
@ -1426,17 +1440,17 @@ static int verity_partition(
return r;
}
r = crypt_init(&cd, verity_data ?: v->node);
r = sym_crypt_init(&cd, verity_data ?: v->node);
if (r < 0)
return r;
cryptsetup_enable_logging(cd);
r = crypt_load(cd, CRYPT_VERITY, NULL);
r = sym_crypt_load(cd, CRYPT_VERITY, NULL);
if (r < 0)
return r;
r = crypt_set_data_device(cd, m->node);
r = sym_crypt_set_data_device(cd, m->node);
if (r < 0)
return r;
@ -1449,12 +1463,12 @@ static int verity_partition(
for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) {
if (root_hash_sig || hash_sig_from_file) {
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
r = crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY);
r = sym_crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY);
#else
r = log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()");
#endif
} else
r = crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY);
r = sym_crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY);
/* libdevmapper can return EINVAL when the device is already in the activation stage.
* There's no way to distinguish this situation from a genuine error due to invalid
* parameters, so immediately fall back to activating the device with a unique name.
@ -1500,7 +1514,7 @@ static int verity_partition(
return r;
if (cd)
crypt_free(cd);
sym_crypt_free(cd);
cd = existing_cd;
}
}
@ -1664,7 +1678,7 @@ int decrypted_image_relinquish(DecryptedImage *d) {
if (p->relinquished)
continue;
r = crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED);
r = sym_crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED);
if (r < 0)
return log_debug_errno(r, "Failed to mark %s for auto-removal: %m", p->name);

View File

@ -354,7 +354,6 @@ libshared_deps = [threads,
libblkid,
libcap,
libcrypt,
libcryptsetup,
libgcrypt,
libidn,
libiptc,