1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
// SPDX-License-Identifier: MIT
/*
* The 'fsverity enable' command
*
* Copyright 2018 Google LLC
*
* Use of this source code is governed by an MIT-style
* license that can be found in the LICENSE file or at
* https://opensource.org/licenses/MIT.
*/
#include "fsverity.h"
#include <fcntl.h>
#include <getopt.h>
#include <limits.h>
static bool read_signature(const char *filename, u8 **sig_ret,
u32 *sig_size_ret)
{
struct filedes file = { .fd = -1 };
u64 file_size;
u8 *sig = NULL;
bool ok = false;
if (!open_file(&file, filename, O_RDONLY, 0))
goto out;
if (!get_file_size(&file, &file_size))
goto out;
if (file_size <= 0) {
error_msg("signature file '%s' is empty", filename);
goto out;
}
if (file_size > 1000000) {
error_msg("signature file '%s' is too large", filename);
goto out;
}
sig = xmalloc(file_size);
if (!full_read(&file, sig, file_size))
goto out;
*sig_ret = sig;
*sig_size_ret = file_size;
sig = NULL;
ok = true;
out:
filedes_close(&file);
free(sig);
return ok;
}
static const struct option longopts[] = {
{"hash-alg", required_argument, NULL, OPT_HASH_ALG},
{"block-size", required_argument, NULL, OPT_BLOCK_SIZE},
{"salt", required_argument, NULL, OPT_SALT},
{"signature", required_argument, NULL, OPT_SIGNATURE},
{NULL, 0, NULL, 0}
};
/* Enable fs-verity on a file. */
int fsverity_cmd_enable(const struct fsverity_command *cmd,
int argc, char *argv[])
{
struct libfsverity_merkle_tree_params tree_params = { .version = 1 };
u8 *sig = NULL;
u32 sig_size = 0;
struct filedes file;
int status;
int c;
while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
switch (c) {
case OPT_HASH_ALG:
case OPT_BLOCK_SIZE:
case OPT_SALT:
if (!parse_tree_param(c, optarg, &tree_params))
goto out_usage;
break;
case OPT_SIGNATURE:
if (sig != NULL) {
error_msg("--signature can only be specified once");
goto out_usage;
}
if (!read_signature(optarg, &sig, &sig_size))
goto out_err;
break;
default:
goto out_usage;
}
}
argv += optind;
argc -= optind;
if (argc != 1)
goto out_usage;
if (!open_file(&file, argv[0], O_RDONLY, 0))
goto out_err;
if (libfsverity_enable_with_sig(file.fd, &tree_params, sig, sig_size)) {
error_msg_errno("FS_IOC_ENABLE_VERITY failed on '%s'",
file.name);
filedes_close(&file);
goto out_err;
}
if (!filedes_close(&file))
goto out_err;
status = 0;
out:
destroy_tree_params(&tree_params);
free(sig);
return status;
out_err:
status = 1;
goto out;
out_usage:
usage(cmd, stderr);
status = 2;
goto out;
}
|
