picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Merge pull request #16915 from poettering/cryptsetup-dlopen

Browse source 
pid1,repart,growfs: make libcryptsetup a dlopen() style dep
This commit is contained in:
Lennart Poettering 2020-09-03 14:57:29 +02:00 committed by GitHub
parent 7cc60ea414 a52dc0b6f3
commit 86e443de2f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 218 additions and 101 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
TODO
View file

@ -91,8 +91,7 @@ Features:
- elfutils (always)
- p11-kit-trust (always)
- kmod-libs (only when called from PID 1)
- cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup)
- similar: libblkid
- libblkid (only in RootImage= handling in PID 1, but not elsewhere)
- libpam (only when called from PID 1)
- bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
since they are so basic and our defaults)

8
meson.build
View file

@ -2272,8 +2272,8 @@ executable(
if conf.get('HAVE_LIBCRYPTSETUP') == 1
systemd_cryptsetup_sources = files('''
src/cryptsetup/cryptsetup-pkcs11.h
src/cryptsetup/cryptsetup-util.c
src/cryptsetup/cryptsetup-util.h
src/cryptsetup/cryptsetup-keyfile.c
src/cryptsetup/cryptsetup-keyfile.h
src/cryptsetup/cryptsetup.c
'''.split())
@ -2297,7 +2297,6 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
'src/cryptsetup/cryptsetup-generator.c',
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
install_rpath : rootlibexecdir,
install : true,
install_dir : systemgeneratordir)
@ -2317,7 +2316,6 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
'src/veritysetup/veritysetup-generator.c',
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
install_rpath : rootlibexecdir,
install : true,
install_dir : systemgeneratordir)
@ -2672,7 +2670,6 @@ if conf.get('ENABLE_REPART') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads,
libcryptsetup,
libblkid,
libfdisk,
libopenssl],
@ -2755,7 +2752,6 @@ executable('systemd-growfs',
'src/partition/growfs.c',
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
install_rpath : rootlibexecdir,
install : true,
install_dir : rootlibexecdir)

2
src/cryptsetup/cryptsetup-util.c → src/cryptsetup/cryptsetup-keyfile.c
View file

@ -2,7 +2,7 @@
#include <unistd.h>
#include "cryptsetup-util.h"
#include "cryptsetup-keyfile.h"
#include "fd-util.h"
#include "format-util.h"
#include "memory-util.h"

0
src/cryptsetup/cryptsetup-util.h → src/cryptsetup/cryptsetup-keyfile.h
View file

2
src/cryptsetup/cryptsetup-pkcs11.c
View file

@ -10,7 +10,7 @@
#include "alloc-util.h"
#include "ask-password-api.h"
#include "cryptsetup-pkcs11.h"
#include "cryptsetup-util.h"
#include "cryptsetup-keyfile.h"
#include "escape.h"
#include "fd-util.h"
#include "format-util.h"

2
src/cryptsetup/cryptsetup.c
View file

@ -11,7 +11,7 @@
#include "alloc-util.h"
#include "ask-password-api.h"
#include "crypt-util.h"
#include "cryptsetup-keyfile.h"
#include "cryptsetup-pkcs11.h"
#include "cryptsetup-util.h"
#include "device-util.h"

2
src/home/homework-luks.h
View file

@ -1,7 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include "crypt-util.h"
#include "cryptsetup-util.h"
#include "homework.h"
#include "user-record.h"

14
src/partition/growfs.c
View file

@ -11,7 +11,7 @@
#include <sys/vfs.h>
#include "blockdev-util.h"
#include "crypt-util.h"
#include "cryptsetup-util.h"
#include "device-nodes.h"
#include "dissect-image.h"
#include "escape.h"
@ -30,11 +30,15 @@ static bool arg_dry_run = false;
#if HAVE_LIBCRYPTSETUP
static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_devno) {
_cleanup_free_ char *devpath = NULL, *main_devpath = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_close_ int main_devfd = -1;
uint64_t size;
int r;
r = dlopen_cryptsetup();
if (r < 0)
return log_error_errno(r, "Cannot resize LUKS device: %m");
r = device_path_make_major_minor(S_IFBLK, main_devno, &main_devpath);
if (r < 0)
return log_error_errno(r, "Failed to format device major/minor path: %m");
@ -52,20 +56,20 @@ static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_
if (r < 0)
return log_error_errno(r, "Failed to format major/minor path: %m");
r = crypt_init(&cd, devpath);
r = sym_crypt_init(&cd, devpath);
if (r < 0)
return log_error_errno(r, "crypt_init(\"%s\") failed: %m", devpath);
cryptsetup_enable_logging(cd);
r = crypt_load(cd, CRYPT_LUKS, NULL);
r = sym_crypt_load(cd, CRYPT_LUKS, NULL);
if (r < 0)
return log_debug_errno(r, "Failed to load LUKS metadata for %s: %m", devpath);
if (arg_dry_run)
return 0;
r = crypt_resize(cd, main_devpath, 0);
r = sym_crypt_resize(cd, main_devpath, 0);
if (r < 0)
return log_error_errno(r, "crypt_resize() of %s failed: %m", devpath);

26
src/partition/repart.c
View file

@ -24,7 +24,7 @@
#include "btrfs-util.h"
#include "conf-files.h"
#include "conf-parser.h"
#include "crypt-util.h"
#include "cryptsetup-util.h"
#include "def.h"
#include "efivars.h"
#include "errno-util.h"
@ -2370,7 +2370,7 @@ static int partition_encrypt(
char **ret_volume,
int *ret_fd) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(erase_and_freep) void *volume_key = NULL;
_cleanup_free_ char *dm_name = NULL, *vol = NULL;
char suuid[ID128_UUID_STRING_MAX];
@ -2381,6 +2381,10 @@ static int partition_encrypt(
assert(p);
assert(p->encrypt);
r = dlopen_cryptsetup();
if (r < 0)
return log_error_errno(r, "libcryptsetup not found, cannot encrypt: %m");
if (asprintf(&dm_name, "luks-repart-%08" PRIx64, random_u64()) < 0)
return log_oom();
@ -2404,13 +2408,13 @@ static int partition_encrypt(
if (r < 0)
return log_error_errno(r, "Failed to generate volume key: %m");
r = crypt_init(&cd, node);
r = sym_crypt_init(&cd, node);
if (r < 0)
return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
cryptsetup_enable_logging(cd);
r = crypt_format(cd,
r = sym_crypt_format(cd,
CRYPT_LUKS2,
"aes",
"xts-plain64",
@ -2424,7 +2428,7 @@ static int partition_encrypt(
if (r < 0)
return log_error_errno(r, "Failed to LUKS2 format future partition: %m");
r = crypt_keyslot_add_by_volume_key(
r = sym_crypt_keyslot_add_by_volume_key(
cd,
CRYPT_ANY_SLOT,
volume_key,
@ -2434,7 +2438,7 @@ static int partition_encrypt(
if (r < 0)
return log_error_errno(r, "Failed to add LUKS2 key: %m");
r = crypt_activate_by_volume_key(
r = sym_crypt_activate_by_volume_key(
cd,
dm_name,
volume_key,
@ -2474,7 +2478,7 @@ static int deactivate_luks(struct crypt_device *cd, const char *node) {
/* udev or so might access out block device in the background while we are done. Let's hence force
* detach the volume. We sync'ed before, hence this should be safe. */
r = crypt_deactivate_by_name(cd, basename(node), CRYPT_DEACTIVATE_FORCE);
r = sym_crypt_deactivate_by_name(cd, basename(node), CRYPT_DEACTIVATE_FORCE);
if (r < 0)
return log_error_errno(r, "Failed to deactivate LUKS device: %m");
@ -2490,7 +2494,7 @@ static int context_copy_blocks(Context *context) {
/* Copy in file systems on the block level */
LIST_FOREACH(partitions, p, context->partitions) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
_cleanup_free_ char *encrypted = NULL;
_cleanup_close_ int encrypted_dev_fd = -1;
@ -2553,7 +2557,7 @@ static int context_copy_blocks(Context *context) {
if (r < 0)
return r;
crypt_free(cd);
sym_crypt_free(cd);
cd = NULL;
r = loop_device_sync(d);
@ -2694,7 +2698,7 @@ static int context_mkfs(Context *context) {
/* Make a file system */
LIST_FOREACH(partitions, p, context->partitions) {
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
_cleanup_free_ char *encrypted = NULL;
_cleanup_close_ int encrypted_dev_fd = -1;
@ -2781,7 +2785,7 @@ static int context_mkfs(Context *context) {
if (r < 0)
return r;
crypt_free(cd);
sym_crypt_free(cd);
cd = NULL;
}

34
src/shared/crypt-util.c
View file

@ -1,34 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#if HAVE_LIBCRYPTSETUP
#include "crypt-util.h"
#include "log.h"
static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
switch (level) {
case CRYPT_LOG_NORMAL:
level = LOG_NOTICE;
break;
case CRYPT_LOG_ERROR:
level = LOG_ERR;
break;
case CRYPT_LOG_VERBOSE:
level = LOG_INFO;
break;
case CRYPT_LOG_DEBUG:
level = LOG_DEBUG;
break;
default:
log_error("Unknown libcryptsetup log level: %d", level);
level = LOG_ERR;
}
log_full(level, "%s", msg);
}
void cryptsetup_enable_logging(struct crypt_device *cd) {
crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
}
#endif

12
src/shared/crypt-util.h
View file

@ -1,12 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#if HAVE_LIBCRYPTSETUP
#include <libcryptsetup.h>
#include "macro.h"
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free);
void cryptsetup_enable_logging(struct crypt_device *cd);
#endif

111
src/shared/cryptsetup-util.c Normal file
View file

@ -0,0 +1,111 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#if HAVE_LIBCRYPTSETUP
#include "alloc-util.h"
#include "cryptsetup-util.h"
#include "dlfcn-util.h"
#include "log.h"
static void *cryptsetup_dl = NULL;
int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
#endif
int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
void (*sym_crypt_free)(struct crypt_device *cd);
const char *(*sym_crypt_get_dir)(void);
int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
void (*sym_crypt_set_debug_level)(int level);
void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
int dlopen_cryptsetup(void) {
_cleanup_(dlclosep) void *dl = NULL;
int r;
if (cryptsetup_dl)
return 0; /* Already loaded */
dl = dlopen("libcryptsetup.so.12", RTLD_LAZY);
if (!dl)
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
"libcryptsetup support is not installed: %s", dlerror());
r = dlsym_many_and_warn(
dl,
LOG_DEBUG,
&sym_crypt_activate_by_passphrase, "crypt_activate_by_passphrase",
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
&sym_crypt_activate_by_signed_key, "crypt_activate_by_signed_key",
#endif
&sym_crypt_activate_by_volume_key, "crypt_activate_by_volume_key",
&sym_crypt_deactivate_by_name, "crypt_deactivate_by_name",
&sym_crypt_format, "crypt_format",
&sym_crypt_free, "crypt_free",
&sym_crypt_get_dir, "crypt_get_dir",
&sym_crypt_get_verity_info, "crypt_get_verity_info",
&sym_crypt_init, "crypt_init",
&sym_crypt_init_by_name, "crypt_init_by_name",
&sym_crypt_keyslot_add_by_volume_key, "crypt_keyslot_add_by_volume_key",
&sym_crypt_load, "crypt_load",
&sym_crypt_resize, "crypt_resize",
&sym_crypt_set_data_device, "crypt_set_data_device",
&sym_crypt_set_debug_level, "crypt_set_debug_level",
&sym_crypt_set_log_callback, "crypt_set_log_callback",
&sym_crypt_volume_key_get, "crypt_volume_key_get",
NULL);
if (r < 0)
return r;
/* Note that we never release the reference here, because there's no real reason to, after all this
* was traditionally a regular shared library dependency which lives forever too. */
cryptsetup_dl = TAKE_PTR(dl);
return 1;
}
static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
switch (level) {
case CRYPT_LOG_NORMAL:
level = LOG_NOTICE;
break;
case CRYPT_LOG_ERROR:
level = LOG_ERR;
break;
case CRYPT_LOG_VERBOSE:
level = LOG_INFO;
break;
case CRYPT_LOG_DEBUG:
level = LOG_DEBUG;
break;
default:
log_error("Unknown libcryptsetup log level: %d", level);
level = LOG_ERR;
}
log_full(level, "%s", msg);
}
void cryptsetup_enable_logging(struct crypt_device *cd) {
if (!cd)
return;
if (dlopen_cryptsetup() < 0) /* If this fails, let's gracefully ignore the issue, this is just debug
* logging after all, and if this failed we already generated a debug
* log message that should help to track things down. */
return;
sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
}
#endif

36
src/shared/cryptsetup-util.h Normal file
View file

@ -0,0 +1,36 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include "macro.h"
#if HAVE_LIBCRYPTSETUP
#include <libcryptsetup.h>
extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);
#endif
extern int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags);
extern int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags);
extern int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params);
extern void (*sym_crypt_free)(struct crypt_device *cd);
extern const char *(*sym_crypt_get_dir)(void);
extern int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp);
extern int (*sym_crypt_init)(struct crypt_device **cd, const char *device);
extern int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name);
extern int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size);
extern int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params);
extern int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size);
extern int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device);
extern void (*sym_crypt_set_debug_level)(int level);
extern void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr);
extern int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size);
int dlopen_cryptsetup(void);
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, sym_crypt_free);
void cryptsetup_enable_logging(struct crypt_device *cd);
#endif

60
src/shared/dissect-image.c
View file

@ -19,7 +19,7 @@
#include "blkid-util.h"
#include "blockdev-util.h"
#include "copy.h"
#include "crypt-util.h"
#include "cryptsetup-util.h"
#include "def.h"
#include "device-nodes.h"
#include "device-util.h"
@ -1225,13 +1225,13 @@ DecryptedImage* decrypted_image_unref(DecryptedImage* d) {
DecryptedPartition *p = d->decrypted + i;
if (p->device && p->name && !p->relinquished) {
r = crypt_deactivate(p->device, p->name);
r = sym_crypt_deactivate_by_name(p->device, p->name, 0);
if (r < 0)
log_debug_errno(r, "Failed to deactivate encrypted partition %s", p->name);
}
if (p->device)
crypt_free(p->device);
sym_crypt_free(p->device);
free(p->name);
}
@ -1265,7 +1265,7 @@ static int make_dm_name_and_node(const void *original_node, const char *suffix,
if (!filename_is_valid(name))
return -EINVAL;
node = path_join(crypt_get_dir(), name);
node = path_join(sym_crypt_get_dir(), name);
if (!node)
return -ENOMEM;
@ -1282,7 +1282,7 @@ static int decrypt_partition(
DecryptedImage *d) {
_cleanup_free_ char *node = NULL, *name = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
int r;
assert(m);
@ -1297,6 +1297,10 @@ static int decrypt_partition(
if (!passphrase)
return -ENOKEY;
r = dlopen_cryptsetup();
if (r < 0)
return r;
r = make_dm_name_and_node(m->node, "-decrypted", &name, &node);
if (r < 0)
return r;
@ -1304,19 +1308,19 @@ static int decrypt_partition(
if (!GREEDY_REALLOC0(d->decrypted, d->n_allocated, d->n_decrypted + 1))
return -ENOMEM;
r = crypt_init(&cd, m->node);
r = sym_crypt_init(&cd, m->node);
if (r < 0)
return log_debug_errno(r, "Failed to initialize dm-crypt: %m");
cryptsetup_enable_logging(cd);
r = crypt_load(cd, CRYPT_LUKS, NULL);
r = sym_crypt_load(cd, CRYPT_LUKS, NULL);
if (r < 0)
return log_debug_errno(r, "Failed to load LUKS metadata: %m");
r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
r = sym_crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase),
((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) |
((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0));
if (r < 0) {
log_debug_errno(r, "Failed to activate LUKS device: %m");
return r == -EPERM ? -EKEYREJECTED : r;
@ -1334,23 +1338,26 @@ static int decrypt_partition(
static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool has_sig, const char *name, struct crypt_device **ret_cd) {
/* If the same volume was already open, check that the root hashes match, and reuse it if they do */
_cleanup_free_ char *root_hash_existing = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
struct crypt_params_verity crypt_params = {};
size_t root_hash_existing_size = root_hash_size;
int r;
assert(ret_cd);
r = crypt_init_by_name(&cd, name);
r = sym_crypt_init_by_name(&cd, name);
if (r < 0)
return log_debug_errno(r, "Error opening verity device, crypt_init_by_name failed: %m");
r = crypt_get_verity_info(cd, &crypt_params);
r = sym_crypt_get_verity_info(cd, &crypt_params);
if (r < 0)
return log_debug_errno(r, "Error opening verity device, crypt_get_verity_info failed: %m");
root_hash_existing = malloc0(root_hash_size);
if (!root_hash_existing)
return -ENOMEM;
r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0);
r = sym_crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0);
if (r < 0)
return log_debug_errno(r, "Error opening verity device, crypt_volume_key_get failed: %m");
if (root_hash_size != root_hash_existing_size || memcmp(root_hash_existing, root_hash, root_hash_size) != 0)
@ -1370,7 +1377,8 @@ static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool h
static inline void dm_deferred_remove_clean(char *name) {
if (!name)
return;
(void) crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED);
(void) sym_crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED);
free(name);
}
DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
@ -1388,7 +1396,7 @@ static int verity_partition(
DecryptedImage *d) {
_cleanup_free_ char *node = NULL, *name = NULL, *hash_sig_from_file = NULL;
_cleanup_(crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
_cleanup_(dm_deferred_remove_cleanp) char *restore_deferred_remove = NULL;
int r;
@ -1408,11 +1416,17 @@ static int verity_partition(
return 0;
}
r = dlopen_cryptsetup();
if (r < 0)
return r;
if (FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) {
/* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */
_cleanup_free_ char *root_hash_encoded = NULL;
root_hash_encoded = hexmem(root_hash, root_hash_size);
if (!root_hash_encoded)
return -ENOMEM;
r = make_dm_name_and_node(root_hash_encoded, "-verity", &name, &node);
} else
@ -1426,17 +1440,17 @@ static int verity_partition(
return r;
}
r = crypt_init(&cd, verity_data ?: v->node);
r = sym_crypt_init(&cd, verity_data ?: v->node);
if (r < 0)
return r;
cryptsetup_enable_logging(cd);
r = crypt_load(cd, CRYPT_VERITY, NULL);
r = sym_crypt_load(cd, CRYPT_VERITY, NULL);
if (r < 0)
return r;
r = crypt_set_data_device(cd, m->node);
r = sym_crypt_set_data_device(cd, m->node);
if (r < 0)
return r;
@ -1449,12 +1463,12 @@ static int verity_partition(
for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) {
if (root_hash_sig || hash_sig_from_file) {
#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
r = crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY);
r = sym_crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY);
#else
r = log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()");
#endif
} else
r = crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY);
r = sym_crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY);
/* libdevmapper can return EINVAL when the device is already in the activation stage.
* There's no way to distinguish this situation from a genuine error due to invalid
* parameters, so immediately fall back to activating the device with a unique name.
@ -1500,7 +1514,7 @@ static int verity_partition(
return r;
if (cd)
crypt_free(cd);
sym_crypt_free(cd);
cd = existing_cd;
}
}
@ -1664,7 +1678,7 @@ int decrypted_image_relinquish(DecryptedImage *d) {
if (p->relinquished)
continue;
r = crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED);
r = sym_crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED);
if (r < 0)
return log_debug_errno(r, "Failed to mark %s for auto-removal: %m", p->name);

5
src/shared/meson.build
View file

@ -73,8 +73,8 @@ shared_sources = files('''
coredump-util.h
cpu-set-util.c
cpu-set-util.h
crypt-util.c
crypt-util.h
cryptsetup-util.c
cryptsetup-util.h
daemon-util.h
dev-setup.c
dev-setup.h
@ -354,7 +354,6 @@ libshared_deps = [threads,
libblkid,
libcap,
libcrypt,
libcryptsetup,
libgcrypt,
libidn,
libiptc,

2
src/veritysetup/veritysetup.c
View file

@ -5,7 +5,7 @@
#include <sys/stat.h>
#include "alloc-util.h"
#include "crypt-util.h"
#include "cryptsetup-util.h"
#include "fileio.h"
#include "hexdecoct.h"
#include "log.h"