2 * veritysetup - setup cryptographic volumes for dm-verity
4 * Copyright (C) 2012, Red Hat, Inc. All rights reserved.
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * version 2 as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 * - support device without superblock
23 * - audit alloc errors / error path
24 * - change command names (cryptsetup style)
25 * - extend superblock (UUID)
26 * - configure.in/config.h defaults
36 #include "cryptsetup.h"
38 #define PACKAGE_VERITY "veritysetup"
42 #define MODE_ACTIVATE 2
46 static int use_superblock = 1; /* FIXME: no superblock not supported */
48 static const char *dm_device = NULL;
49 static const char *data_device = NULL;
50 static const char *hash_device = NULL;
51 static const char *hash_algorithm = NULL;
52 static const char *root_hash = NULL;
54 static int version = 1;
55 static int data_block_size = 4096;
56 static int hash_block_size = 4096;
57 static char *data_blocks_string = NULL;
58 static uint64_t data_blocks = 0;
59 static char *hash_start_string = NULL;
60 static const char *salt_string = NULL;
61 static unsigned salt_size = 32;
62 static uint64_t hash_start = 0;
64 static int opt_verbose = 0;
65 static int opt_debug = 0;
66 static int opt_version_mode = 0;
68 static int hex_to_bytes(const char *hex, char *result)
70 char buf[3] = "xx\0", *endp;
73 len = strlen(hex) / 2;
74 for (i = 0; i < len; i++) {
75 memcpy(buf, &hex[i * 2], 2);
76 result[i] = strtoul(buf, &endp, 16);
83 __attribute__((format(printf, 5, 6)))
84 static void clogger(struct crypt_device *cd, int level, const char *file,
85 int line, const char *format, ...)
90 va_start(argp, format);
92 if (vasprintf(&target, format, argp) > 0) {
94 crypt_log(cd, level, target);
97 printf("# %s:%d %s\n", file ?: "?", line, target);
100 printf("# %s\n", target);
108 static void _log(int level, const char *msg, void *usrptr __attribute__((unused)))
112 case CRYPT_LOG_NORMAL:
115 case CRYPT_LOG_VERBOSE:
119 case CRYPT_LOG_ERROR:
122 case CRYPT_LOG_DEBUG:
124 printf("# %s\n", msg);
127 fprintf(stderr, "Internal error on logging class for msg: %s", msg);
132 static int action_dump(void)
134 struct crypt_device *cd = NULL;
135 struct crypt_params_verity params = {};
138 if ((r = crypt_init(&cd, hash_device)))
141 params.hash_area_offset = hash_start;
142 r = crypt_load(cd, CRYPT_VERITY, ¶ms);
149 static int action_activate(int verify)
151 struct crypt_device *cd = NULL;
152 struct crypt_params_verity params = {};
153 uint32_t activate_flags = CRYPT_ACTIVATE_READONLY;
154 char root_hash_bytes[128];
157 if ((r = crypt_init(&cd, hash_device)))
161 params.flags |= CRYPT_VERITY_CHECK_HASH;
163 if (use_superblock) {
164 params.hash_area_offset = hash_start;
165 r = crypt_load(cd, CRYPT_VERITY, ¶ms);
167 params.hash_name = hash_algorithm;
168 params.salt = salt_bytes;
169 params.salt_size = salt_size;
170 params.data_block_size = data_block_size;
171 params.hash_block_size = hash_block_size;
173 params.data_size = data_blocks * data_block_size / 512;
174 params.version = version;
175 params.flags |= CRYPT_VERITY_NO_HEADER;
176 r = crypt_load(cd, CRYPT_VERITY, ¶ms);
183 r = crypt_set_data_device(cd, data_device);
187 if (hex_to_bytes(root_hash, root_hash_bytes) !=
188 crypt_get_volume_key_size(cd)) {
192 r = crypt_activate_by_volume_key(cd, dm_device, root_hash_bytes,
193 crypt_get_volume_key_size(cd),
202 static int action_create(void)
204 struct crypt_device *cd = NULL;
205 struct crypt_params_verity params = {};
206 char salt_bytes[512];
209 if ((r = crypt_init(&cd, hash_device)))
212 params.hash_name = hash_algorithm ?: "sha256";
213 params.data_device = data_device;
216 if (hex_to_bytes(salt_string, salt_bytes) != salt_size) {
220 params.salt = salt_bytes;
223 params.salt_size = salt_size;
224 params.data_block_size = data_block_size;
225 params.hash_block_size = hash_block_size;
226 params.data_size = data_blocks;
227 params.hash_area_offset = hash_start;
228 params.version = version;
229 params.flags = CRYPT_VERITY_CREATE_HASH;
231 params.flags |= CRYPT_VERITY_NO_HEADER;
233 r = crypt_format(cd, CRYPT_VERITY, NULL, NULL, NULL, NULL, 0, ¶ms);
241 static __attribute__ ((noreturn)) void usage(poptContext popt_context,
242 int exitcode, const char *error,
245 poptPrintUsage(popt_context, stderr, 0);
247 log_err("%s: %s\n", more, error);
248 poptFreeContext(popt_context);
252 static void help(poptContext popt_context,
253 enum poptCallbackReason reason __attribute__((unused)),
254 struct poptOption *key,
255 const char *arg __attribute__((unused)),
256 void *data __attribute__((unused)))
258 if (key->shortName == '?') {
259 log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
260 poptPrintHelp(popt_context, stdout, 0);
263 usage(popt_context, EXIT_SUCCESS, NULL, NULL);
266 static void _dbg_version_and_cmd(int argc, const char **argv)
270 log_std("# %s %s processing \"", PACKAGE_VERITY, PACKAGE_VERSION);
271 for (i = 0; i < argc; i++) {
274 log_std("%s", argv[i]);
279 int main(int argc, const char **argv)
281 static struct poptOption popt_help_options[] = {
282 { NULL, '\0', POPT_ARG_CALLBACK, help, 0, NULL, NULL },
283 { "help", '?', POPT_ARG_NONE, NULL, 0, N_("Show this help message"), NULL },
284 { "usage", '\0', POPT_ARG_NONE, NULL, 0, N_("Display brief usage"), NULL },
287 static struct poptOption popt_options[] = {
288 { NULL, '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
289 { "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
290 { "verbose", 0 /*v*/, POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
291 { "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
292 { "create", 'c', POPT_ARG_VAL, &mode, MODE_CREATE, "Create hash", NULL },
293 { "verify", 'v', POPT_ARG_VAL, &mode, MODE_VERIFY, "Verify integrity", NULL },
294 { "activate", 'a', POPT_ARG_VAL, &mode, MODE_ACTIVATE, "Activate the device", NULL },
295 { "dump", 'd', POPT_ARG_VAL, &mode, MODE_DUMP, "Dump the device", NULL },
296 { "no-superblock", 0, POPT_ARG_VAL, &use_superblock, 0, "Do not create/use superblock" },
297 { "format", 0, POPT_ARG_INT, &version, 0, "Format version (1 - normal format, 0 - original Chromium OS format)", "number" },
298 { "data-block-size", 0, POPT_ARG_INT, &data_block_size, 0, "Block size on the data device", "bytes" },
299 { "hash-block-size", 0, POPT_ARG_INT, &hash_block_size, 0, "Block size on the hash device", "bytes" },
300 { "data-blocks", 0, POPT_ARG_STRING, &data_blocks_string, 0, "The number of blocks in the data file", "blocks" },
301 { "hash-start", 0, POPT_ARG_STRING, &hash_start_string, 0, "Starting block on the hash device", "512-byte sectors" },
302 { "algorithm", 0, POPT_ARG_STRING, &hash_algorithm, 0, "Hash algorithm (default sha256)", "string" },
303 { "salt", 0, POPT_ARG_STRING, &salt_string, 0, "Salt", "hex string" },
306 poptContext popt_context;
310 crypt_set_log_callback(NULL, _log, NULL);
312 setlocale(LC_ALL, "");
313 bindtextdomain(PACKAGE, LOCALEDIR);
316 popt_context = poptGetContext("verity", argc, argv, popt_options, 0);
318 poptSetOtherOptionHelp(popt_context, "[-c|-v|-a|-d] [<device name> if activating] <data device> <hash device> [<root hash> if activating or verifying] [OPTION...]");
321 poptPrintHelp(popt_context, stdout, 0);
325 r = poptGetNextOpt(popt_context);
327 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
328 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
329 if (opt_version_mode) {
330 log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
331 poptFreeContext(popt_context);
336 usage(popt_context, EXIT_FAILURE, _("Unknown action."),
337 poptGetInvocationName(popt_context));
339 if (mode == MODE_ACTIVATE) {
340 dm_device = poptGetArg(popt_context);
341 if (!dm_device || !*dm_device)
342 usage(popt_context, EXIT_FAILURE,
343 _("Missing activation device name."),
344 poptGetInvocationName(popt_context));
347 data_device = poptGetArg(popt_context);
349 usage(popt_context, EXIT_FAILURE, _("Missing data device name."),
350 poptGetInvocationName(popt_context));
352 hash_device = poptGetArg(popt_context);
354 usage(popt_context, EXIT_FAILURE, _("Missing hash device name."),
355 poptGetInvocationName(popt_context));
357 if (mode == MODE_ACTIVATE || mode == MODE_VERIFY) {
358 root_hash = poptGetArg(popt_context);
360 usage(popt_context, EXIT_FAILURE, _("Root hash not specified."),
361 poptGetInvocationName(popt_context));
364 if (data_blocks_string) {
365 data_blocks = strtoll(data_blocks_string, &end, 10);
366 if (!*data_blocks_string || *end)
367 usage(popt_context, EXIT_FAILURE,
368 _("Invalid number of data blocks."),
369 poptGetInvocationName(popt_context));
373 if (hash_start_string) {
374 hash_start = strtoll(hash_start_string, &end, 10);
375 if (!*hash_start_string || *end)
376 usage(popt_context, EXIT_FAILURE,
377 _("Invalid hash device offset."),
378 poptGetInvocationName(popt_context));
382 if (salt_string || !use_superblock) {
383 if (!salt_string || !strcmp(salt_string, "-"))
385 salt_size = strlen(salt_string) / 2;
390 crypt_set_debug_level(-1);
391 _dbg_version_and_cmd(argc, argv);
396 r = action_activate(0);
399 r = action_activate(1);
409 poptFreeContext(popt_context);