dissect: condition usespace verity keyring via kernel cmdline option + env var

2024-07-21 10:17:21 +00:00 · 2024-02-28 16:16:30 +01:00 · 2024-02-28 16:16:30 +01:00 · f0ecff8506
parent f4a63ce25f
commit f0ecff8506
3 changed files with 40 additions and 1 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -488,6 +488,12 @@ disk images with `--image=` or similar:
  devices when opening them. Defaults to on, set this to "0" to disable this
  feature.

+* `$SYSTEMD_ALLOW_USERSPACE_VERITY` — takes a boolean, which controls whether
+  to consider the userspace Verity public key store in `/etc/verity.d/` (and
+  related directories) to authenticate signatures on Verity hashes of disk
+  images. Defaults to true, i.e. userspace signature validation is allowed. If
+  false, authentication can be done only via the kernel's internal keyring.
+
 `systemd-cryptsetup`:

 * `$SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE` – takes a boolean, which controls
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@ -676,6 +676,17 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>systemd.allow_userspace_verity=</varname></term>
+
+        <listitem><para>Takes a boolean argument. Controls whether disk images that are Verity protected may
+        be authenticated in userspace signature checks via <filename>/etc/verity.d/</filename> (and related
+        directories) public key drop-ins, or whether in-kernel signature checking only. Defaults to
+        on.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><varname>systemd.hostname=</varname></term>

--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@ -60,6 +60,7 @@
 #include "openssl-util.h"
 #include "os-util.h"
 #include "path-util.h"
+#include "proc-cmdline.h"
 #include "process-util.h"
 #include "raw-clone.h"
 #include "resize-fs.h"
@ -2538,12 +2539,34 @@ static char* dm_deferred_remove_clean(char *name) {
 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);

 static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
+        int r;

        if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
                log_debug("Userspace dm-verity signature authentication disabled via flag.");
                return 0;
        }

+        r = getenv_bool_secure("SYSTEMD_ALLOW_USERSPACE_VERITY");
+        if (r < 0 && r != -ENXIO) {
+                log_debug_errno(r, "Failed to parse $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable, refusing userspace dm-verity signature authentication.");
+                return 0;
+        }
+        if (!r) {
+                log_debug("Userspace dm-verity signature authentication disabled via $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable.");
+                return 0;
+        }
+
+        bool b;
+        r = proc_cmdline_get_bool("systemd.allow_userspace_verity", PROC_CMDLINE_TRUE_WHEN_MISSING, &b);
+        if (r < 0) {
+                log_debug_errno(r, "Failed to parse systemd.allow_userspace_verity= kernel command line option, refusing userspace dm-verity signature authentication.");
+                return 0;
+        }
+        if (!b) {
+                log_debug("Userspace dm-verity signature authentication disabled via systemd.allow_userspace_verity= kernel command line variable.");
+                return 0;
+        }
+
 #if HAVE_OPENSSL
        _cleanup_(sk_X509_free_allp) STACK_OF(X509) *sk = NULL;
        _cleanup_strv_free_ char **certs = NULL;
@ -2552,7 +2575,6 @@ static int validate_signature_userspace(const VeritySettings *verity, DissectIma
        _cleanup_(BIO_freep) BIO *bio = NULL; /* 'bio' must be freed first, 's' second, hence keep this order
                                               * of declaration in place, please */
        const unsigned char *d;
-        int r;

        assert(verity);
        assert(verity->root_hash);