2 * veritysetup - setup cryptographic volumes for dm-verity
4 * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * version 2 as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 * - support device without superblock
23 * - audit alloc errors / error path
24 * - change command names (cryptsetup style)
25 * - extend superblock (UUID)
35 #include "cryptsetup.h"
37 #define PACKAGE_VERITY "veritysetup"
41 #define MODE_ACTIVATE 2
45 static int use_superblock = 1; /* FIXME: no superblock not supported */
47 static const char *dm_device = NULL;
48 static const char *data_device = NULL;
49 static const char *hash_device = NULL;
50 static const char *hash_algorithm = NULL;
51 static const char *root_hash = NULL;
53 static int version = 1;
54 static int data_block_size = DEFAULT_VERITY_DATA_BLOCK;
55 static int hash_block_size = DEFAULT_VERITY_HASH_BLOCK;
56 static char *data_blocks_string = NULL;
57 static uint64_t data_blocks = 0;
58 static char *hash_start_string = NULL;
59 static const char *salt_string = NULL;
60 static unsigned salt_size = DEFAULT_VERITY_SALT_SIZE;
61 static uint64_t hash_start = 0;
63 static int opt_verbose = 0;
64 static int opt_debug = 0;
65 static int opt_version_mode = 0;
67 static int hex_to_bytes(const char *hex, char *result)
69 char buf[3] = "xx\0", *endp;
72 len = strlen(hex) / 2;
73 for (i = 0; i < len; i++) {
74 memcpy(buf, &hex[i * 2], 2);
75 result[i] = strtoul(buf, &endp, 16);
82 __attribute__((format(printf, 5, 6)))
83 static void clogger(struct crypt_device *cd, int level, const char *file,
84 int line, const char *format, ...)
89 va_start(argp, format);
91 if (vasprintf(&target, format, argp) > 0) {
93 crypt_log(cd, level, target);
96 printf("# %s:%d %s\n", file ?: "?", line, target);
99 printf("# %s\n", target);
107 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
111 case CRYPT_LOG_NORMAL:
114 case CRYPT_LOG_VERBOSE:
118 case CRYPT_LOG_ERROR:
121 case CRYPT_LOG_DEBUG:
123 printf("# %s\n", msg);
126 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
131 static int action_dump(void)
133 struct crypt_device *cd = NULL;
134 struct crypt_params_verity params = {};
137 if ((r = crypt_init(&cd, hash_device)))
140 params.hash_area_offset = hash_start;
141 r = crypt_load(cd, CRYPT_VERITY, ¶ms);
148 static int action_activate(int verify)
150 struct crypt_device *cd = NULL;
151 struct crypt_params_verity params = {};
152 uint32_t activate_flags = CRYPT_ACTIVATE_READONLY;
153 char root_hash_bytes[128];
156 if ((r = crypt_init(&cd, hash_device)))
160 params.flags |= CRYPT_VERITY_CHECK_HASH;
162 if (use_superblock) {
163 params.hash_area_offset = hash_start;
164 r = crypt_load(cd, CRYPT_VERITY, ¶ms);
166 params.hash_name = hash_algorithm;
167 params.salt = salt_bytes;
168 params.salt_size = salt_size;
169 params.data_block_size = data_block_size;
170 params.hash_block_size = hash_block_size;
172 params.data_size = data_blocks * data_block_size / 512;
173 params.version = version;
174 params.flags |= CRYPT_VERITY_NO_HEADER;
175 r = crypt_load(cd, CRYPT_VERITY, ¶ms);
182 r = crypt_set_data_device(cd, data_device);
186 if (hex_to_bytes(root_hash, root_hash_bytes) !=
187 crypt_get_volume_key_size(cd)) {
191 r = crypt_activate_by_volume_key(cd, dm_device, root_hash_bytes,
192 crypt_get_volume_key_size(cd),
201 static int action_create(void)
203 struct crypt_device *cd = NULL;
204 struct crypt_params_verity params = {};
205 char salt_bytes[512];
208 if ((r = crypt_init(&cd, hash_device)))
211 params.hash_name = hash_algorithm ?: DEFAULT_VERITY_HASH;
212 params.data_device = data_device;
215 if (hex_to_bytes(salt_string, salt_bytes) != salt_size) {
219 params.salt = salt_bytes;
222 params.salt_size = salt_size;
223 params.data_block_size = data_block_size;
224 params.hash_block_size = hash_block_size;
225 params.data_size = data_blocks;
226 params.hash_area_offset = hash_start;
227 params.version = version;
228 params.flags = CRYPT_VERITY_CREATE_HASH;
230 params.flags |= CRYPT_VERITY_NO_HEADER;
232 r = crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms);
240 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
241 int exitcode, const char *error,
244 poptPrintUsage(popt_context, stderr, 0);
246 log_err("%s: %s\n", more, error);
247 poptFreeContext(popt_context);
251 static void help(poptContext popt_context,
252 enum poptCallbackReason reason __attribute__((unused)),
253 struct poptOption *key,
254 const char *arg __attribute__((unused)),
255 void *data __attribute__((unused)))
257 if (key->shortName == '?') {
258 log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
259 poptPrintHelp(popt_context, stdout, 0);
262 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
265 static void _dbg_version_and_cmd(int argc, const char **argv)
269 log_std("# %s %s processing \"", PACKAGE_VERITY, PACKAGE_VERSION);
270 for (i = 0; i < argc; i++) {
273 log_std("%s", argv[i]);
278 int main(int argc, const char **argv)
280 static struct poptOption popt_help_options[] = {
281 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
282 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
283 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
286 static struct poptOption popt_options[] = {
287 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
288 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
289 { "verbose", 0 /*v*/, POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
290 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
291 { "create", 'c', POPT_ARG_VAL, &mode, MODE_CREATE, "Create hash", NULL },
292 { "verify", 'v', POPT_ARG_VAL, &mode, MODE_VERIFY, "Verify integrity", NULL },
293 { "activate", 'a', POPT_ARG_VAL, &mode, MODE_ACTIVATE, "Activate the device", NULL },
294 { "dump", 'd', POPT_ARG_VAL, &mode, MODE_DUMP, "Dump the device", NULL },
295 { "no-superblock", 0, POPT_ARG_VAL, &use_superblock, 0, "Do not create/use superblock" },
296 { "format", 0, POPT_ARG_INT, &version, 0, "Format version (1 - normal format, 0 - original Chromium OS format)", "number" },
297 { "data-block-size", 0, POPT_ARG_INT, &data_block_size, 0, "Block size on the data device", "bytes" },
298 { "hash-block-size", 0, POPT_ARG_INT, &hash_block_size, 0, "Block size on the hash device", "bytes" },
299 { "data-blocks", 0, POPT_ARG_STRING, &data_blocks_string, 0, "The number of blocks in the data file", "blocks" },
300 { "hash-start", 0, POPT_ARG_STRING, &hash_start_string, 0, "Starting block on the hash device", "512-byte sectors" },
301 { "algorithm", 0, POPT_ARG_STRING, &hash_algorithm, 0, "Hash algorithm (default sha256)", "string" },
302 { "salt", 0, POPT_ARG_STRING, &salt_string, 0, "Salt", "hex string" },
305 poptContext popt_context;
309 crypt_set_log_callback(NULL, _log, NULL);
311 setlocale(LC_ALL, "");
312 bindtextdomain(PACKAGE, LOCALEDIR);
315 popt_context = poptGetContext("verity", argc, argv, popt_options, 0);
317 poptSetOtherOptionHelp(popt_context, "[-c|-v|-a|-d] [<device name> if activating] <data device> <hash device> [<root hash> if activating or verifying] [OPTION...]");
320 poptPrintHelp(popt_context, stdout, 0);
324 r = poptGetNextOpt(popt_context);
326 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
327 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
328 if (opt_version_mode) {
329 log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
330 poptFreeContext(popt_context);
335 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
336 poptGetInvocationName(popt_context));
338 if (mode == MODE_ACTIVATE) {
339 dm_device = poptGetArg(popt_context);
340 if (!dm_device || !*dm_device)
341 usage(popt_context, EXIT_FAILURE,
342 _("Missing activation device name."),
343 poptGetInvocationName(popt_context));
346 data_device = poptGetArg(popt_context);
348 usage(popt_context, EXIT_FAILURE, _("Missing data device name."),
349 poptGetInvocationName(popt_context));
351 hash_device = poptGetArg(popt_context);
353 usage(popt_context, EXIT_FAILURE, _("Missing hash device name."),
354 poptGetInvocationName(popt_context));
356 if (mode == MODE_ACTIVATE || mode == MODE_VERIFY) {
357 root_hash = poptGetArg(popt_context);
359 usage(popt_context, EXIT_FAILURE, _("Root hash not specified."),
360 poptGetInvocationName(popt_context));
363 if (data_blocks_string) {
364 data_blocks = strtoll(data_blocks_string, &end, 10);
365 if (!*data_blocks_string || *end)
366 usage(popt_context, EXIT_FAILURE,
367 _("Invalid number of data blocks."),
368 poptGetInvocationName(popt_context));
372 if (hash_start_string) {
373 hash_start = strtoll(hash_start_string, &end, 10);
374 if (!*hash_start_string || *end)
375 usage(popt_context, EXIT_FAILURE,
376 _("Invalid hash device offset."),
377 poptGetInvocationName(popt_context));
381 if (salt_string || !use_superblock) {
382 if (!salt_string || !strcmp(salt_string, "-"))
384 salt_size = strlen(salt_string) / 2;
389 crypt_set_debug_level(-1);
390 _dbg_version_and_cmd(argc, argv);
395 r = action_activate(0);
398 r = action_activate(1);
408 poptFreeContext(popt_context);