mirror of
https://github.com/openharmony/third_party_fsverity-utils.git
synced 2026-07-01 10:05:35 -04:00
programs/fsverity: Add digest subcommand
Add a 'fsverity digest' subcommand that prints the hex-encoded digest of the specified file(s), ready to be signed offline. By default the output is like 'fsverity measure', but if the --for-builtin-sig option is given, the output is the hex-encoded "struct fsverity_signed_digest" that the kernel expects to be signed for builtin signatures. This subcommand is useful in case the integrated signing mechanism with local cert/key cannot be used. Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com> Link: https://lore.kernel.org/r/20201026191839.3329948-1-luca.boccassi@gmail.com [EB: commit message, comment, and whitespace tweaks] Signed-off-by: Eric Biggers <ebiggers@google.com>
This commit is contained in:
committed by
Eric Biggers
parent
28c86c20a8
commit
97bc1aa377
@@ -0,0 +1,161 @@
|
||||
// SPDX-License-Identifier: MIT
|
||||
/*
|
||||
* The 'fsverity digest' command
|
||||
*
|
||||
* Copyright 2020 Microsoft
|
||||
*
|
||||
* Use of this source code is governed by an MIT-style
|
||||
* license that can be found in the LICENSE file or at
|
||||
* https://opensource.org/licenses/MIT.
|
||||
*/
|
||||
|
||||
#include "fsverity.h"
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <getopt.h>
|
||||
|
||||
enum {
|
||||
OPT_HASH_ALG,
|
||||
OPT_BLOCK_SIZE,
|
||||
OPT_SALT,
|
||||
OPT_COMPACT,
|
||||
OPT_FOR_BUILTIN_SIG,
|
||||
};
|
||||
|
||||
static const struct option longopts[] = {
|
||||
{"hash-alg", required_argument, NULL, OPT_HASH_ALG},
|
||||
{"block-size", required_argument, NULL, OPT_BLOCK_SIZE},
|
||||
{"salt", required_argument, NULL, OPT_SALT},
|
||||
{"compact", no_argument, NULL, OPT_COMPACT},
|
||||
{"for-builtin-sig", no_argument, NULL, OPT_FOR_BUILTIN_SIG},
|
||||
{NULL, 0, NULL, 0}
|
||||
};
|
||||
|
||||
struct fsverity_signed_digest {
|
||||
char magic[8]; /* must be "FSVerity" */
|
||||
__le16 digest_algorithm;
|
||||
__le16 digest_size;
|
||||
__u8 digest[];
|
||||
};
|
||||
|
||||
/*
|
||||
* Compute the fs-verity measurement of the given file(s), for offline signing.
|
||||
*/
|
||||
int fsverity_cmd_digest(const struct fsverity_command *cmd,
|
||||
int argc, char *argv[])
|
||||
{
|
||||
u8 *salt = NULL;
|
||||
struct filedes file = { .fd = -1 };
|
||||
struct libfsverity_merkle_tree_params tree_params = { .version = 1 };
|
||||
bool compact = false, for_builtin_sig = false;
|
||||
int status;
|
||||
int c;
|
||||
|
||||
while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
|
||||
switch (c) {
|
||||
case OPT_HASH_ALG:
|
||||
if (!parse_hash_alg_option(optarg,
|
||||
&tree_params.hash_algorithm))
|
||||
goto out_usage;
|
||||
break;
|
||||
case OPT_BLOCK_SIZE:
|
||||
if (!parse_block_size_option(optarg,
|
||||
&tree_params.block_size))
|
||||
goto out_usage;
|
||||
break;
|
||||
case OPT_SALT:
|
||||
if (!parse_salt_option(optarg, &salt,
|
||||
&tree_params.salt_size))
|
||||
goto out_usage;
|
||||
tree_params.salt = salt;
|
||||
break;
|
||||
case OPT_COMPACT:
|
||||
compact = true;
|
||||
break;
|
||||
case OPT_FOR_BUILTIN_SIG:
|
||||
for_builtin_sig = true;
|
||||
break;
|
||||
default:
|
||||
goto out_usage;
|
||||
}
|
||||
}
|
||||
|
||||
argv += optind;
|
||||
argc -= optind;
|
||||
|
||||
if (argc < 1)
|
||||
goto out_usage;
|
||||
|
||||
if (tree_params.hash_algorithm == 0)
|
||||
tree_params.hash_algorithm = FS_VERITY_HASH_ALG_DEFAULT;
|
||||
|
||||
if (tree_params.block_size == 0)
|
||||
tree_params.block_size = get_default_block_size();
|
||||
|
||||
for (int i = 0; i < argc; i++) {
|
||||
struct fsverity_signed_digest *d = NULL;
|
||||
struct libfsverity_digest *digest = NULL;
|
||||
char digest_hex[FS_VERITY_MAX_DIGEST_SIZE * 2 +
|
||||
sizeof(struct fsverity_signed_digest) * 2 + 1];
|
||||
|
||||
if (!open_file(&file, argv[i], O_RDONLY, 0))
|
||||
goto out_err;
|
||||
|
||||
if (!get_file_size(&file, &tree_params.file_size))
|
||||
goto out_err;
|
||||
|
||||
if (libfsverity_compute_digest(&file, read_callback,
|
||||
&tree_params, &digest) != 0) {
|
||||
error_msg("failed to compute digest");
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
ASSERT(digest->digest_size <= FS_VERITY_MAX_DIGEST_SIZE);
|
||||
|
||||
if (for_builtin_sig) {
|
||||
/*
|
||||
* Format the digest for use with the built-in signature
|
||||
* support.
|
||||
*/
|
||||
d = xzalloc(sizeof(*d) + digest->digest_size);
|
||||
memcpy(d->magic, "FSVerity", 8);
|
||||
d->digest_algorithm =
|
||||
cpu_to_le16(digest->digest_algorithm);
|
||||
d->digest_size = cpu_to_le16(digest->digest_size);
|
||||
memcpy(d->digest, digest->digest, digest->digest_size);
|
||||
|
||||
bin2hex((const u8 *)d, sizeof(*d) + digest->digest_size,
|
||||
digest_hex);
|
||||
} else {
|
||||
bin2hex(digest->digest, digest->digest_size,
|
||||
digest_hex);
|
||||
}
|
||||
|
||||
if (compact)
|
||||
printf("%s\n", digest_hex);
|
||||
else if (for_builtin_sig)
|
||||
printf("%s %s\n", digest_hex, argv[i]);
|
||||
else
|
||||
printf("%s:%s %s\n",
|
||||
libfsverity_get_hash_name(tree_params.hash_algorithm),
|
||||
digest_hex, argv[i]);
|
||||
|
||||
filedes_close(&file);
|
||||
free(digest);
|
||||
free(d);
|
||||
}
|
||||
status = 0;
|
||||
out:
|
||||
free(salt);
|
||||
return status;
|
||||
|
||||
out_err:
|
||||
filedes_close(&file);
|
||||
status = 1;
|
||||
goto out;
|
||||
|
||||
out_usage:
|
||||
usage(cmd, stderr);
|
||||
status = 2;
|
||||
goto out;
|
||||
}
|
||||
@@ -43,14 +43,6 @@ static const struct option longopts[] = {
|
||||
{NULL, 0, NULL, 0}
|
||||
};
|
||||
|
||||
static int read_callback(void *file, void *buf, size_t count)
|
||||
{
|
||||
errno = 0;
|
||||
if (!full_read(file, buf, count))
|
||||
return errno ? -errno : -EIO;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Sign a file for fs-verity by computing its measurement, then signing it. */
|
||||
int fsverity_cmd_sign(const struct fsverity_command *cmd,
|
||||
int argc, char *argv[])
|
||||
|
||||
@@ -21,6 +21,15 @@ static const struct fsverity_command {
|
||||
const char *usage_str;
|
||||
} fsverity_commands[] = {
|
||||
{
|
||||
.name = "digest",
|
||||
.func = fsverity_cmd_digest,
|
||||
.short_desc =
|
||||
"Compute the fs-verity measurement of the given file(s), for offline signing",
|
||||
.usage_str =
|
||||
" fsverity digest FILE...\n"
|
||||
" [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]\n"
|
||||
" [--compact] [--for-builtin-sig]\n"
|
||||
}, {
|
||||
.name = "enable",
|
||||
.func = fsverity_cmd_enable,
|
||||
.short_desc = "Enable fs-verity on a file",
|
||||
|
||||
@@ -25,6 +25,10 @@
|
||||
|
||||
struct fsverity_command;
|
||||
|
||||
/* cmd_digest.c */
|
||||
int fsverity_cmd_digest(const struct fsverity_command *cmd,
|
||||
int argc, char *argv[]);
|
||||
|
||||
/* cmd_enable.c */
|
||||
int fsverity_cmd_enable(const struct fsverity_command *cmd,
|
||||
int argc, char *argv[]);
|
||||
|
||||
@@ -175,6 +175,14 @@ bool filedes_close(struct filedes *file)
|
||||
return res == 0;
|
||||
}
|
||||
|
||||
int read_callback(void *file, void *buf, size_t count)
|
||||
{
|
||||
errno = 0;
|
||||
if (!full_read(file, buf, count))
|
||||
return errno ? -errno : -EIO;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* ========== String utilities ========== */
|
||||
|
||||
static int hex2bin_char(char c)
|
||||
|
||||
@@ -43,6 +43,7 @@ bool get_file_size(struct filedes *file, u64 *size_ret);
|
||||
bool full_read(struct filedes *file, void *buf, size_t count);
|
||||
bool full_write(struct filedes *file, const void *buf, size_t count);
|
||||
bool filedes_close(struct filedes *file);
|
||||
int read_callback(void *file, void *buf, size_t count);
|
||||
|
||||
bool hex2bin(const char *hex, u8 *bin, size_t bin_len);
|
||||
void bin2hex(const u8 *bin, size_t bin_len, char *hex);
|
||||
|
||||
Reference in New Issue
Block a user