programs/fsverity: Add digest subcommand

Add a 'fsverity digest' subcommand that prints the hex-encoded digest of
the specified file(s), ready to be signed offline.  By default the
output is like 'fsverity measure', but if the --for-builtin-sig option
is given, the output is the hex-encoded "struct fsverity_signed_digest"
that the kernel expects to be signed for builtin signatures.

This subcommand is useful in case the integrated signing mechanism with
local cert/key cannot be used.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Link: https://lore.kernel.org/r/20201026191839.3329948-1-luca.boccassi@gmail.com
[EB: commit message, comment, and whitespace tweaks]
Signed-off-by: Eric Biggers <ebiggers@google.com>
This commit is contained in:
Luca Boccassi
2020-10-26 19:18:39 +00:00
committed by Eric Biggers
parent 28c86c20a8
commit 97bc1aa377
8 changed files with 190 additions and 8 deletions
+161
View File
@@ -0,0 +1,161 @@
// SPDX-License-Identifier: MIT
/*
* The 'fsverity digest' command
*
* Copyright 2020 Microsoft
*
* Use of this source code is governed by an MIT-style
* license that can be found in the LICENSE file or at
* https://opensource.org/licenses/MIT.
*/
#include "fsverity.h"
#include <fcntl.h>
#include <getopt.h>
enum {
OPT_HASH_ALG,
OPT_BLOCK_SIZE,
OPT_SALT,
OPT_COMPACT,
OPT_FOR_BUILTIN_SIG,
};
static const struct option longopts[] = {
{"hash-alg", required_argument, NULL, OPT_HASH_ALG},
{"block-size", required_argument, NULL, OPT_BLOCK_SIZE},
{"salt", required_argument, NULL, OPT_SALT},
{"compact", no_argument, NULL, OPT_COMPACT},
{"for-builtin-sig", no_argument, NULL, OPT_FOR_BUILTIN_SIG},
{NULL, 0, NULL, 0}
};
struct fsverity_signed_digest {
char magic[8]; /* must be "FSVerity" */
__le16 digest_algorithm;
__le16 digest_size;
__u8 digest[];
};
/*
* Compute the fs-verity measurement of the given file(s), for offline signing.
*/
int fsverity_cmd_digest(const struct fsverity_command *cmd,
int argc, char *argv[])
{
u8 *salt = NULL;
struct filedes file = { .fd = -1 };
struct libfsverity_merkle_tree_params tree_params = { .version = 1 };
bool compact = false, for_builtin_sig = false;
int status;
int c;
while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
switch (c) {
case OPT_HASH_ALG:
if (!parse_hash_alg_option(optarg,
&tree_params.hash_algorithm))
goto out_usage;
break;
case OPT_BLOCK_SIZE:
if (!parse_block_size_option(optarg,
&tree_params.block_size))
goto out_usage;
break;
case OPT_SALT:
if (!parse_salt_option(optarg, &salt,
&tree_params.salt_size))
goto out_usage;
tree_params.salt = salt;
break;
case OPT_COMPACT:
compact = true;
break;
case OPT_FOR_BUILTIN_SIG:
for_builtin_sig = true;
break;
default:
goto out_usage;
}
}
argv += optind;
argc -= optind;
if (argc < 1)
goto out_usage;
if (tree_params.hash_algorithm == 0)
tree_params.hash_algorithm = FS_VERITY_HASH_ALG_DEFAULT;
if (tree_params.block_size == 0)
tree_params.block_size = get_default_block_size();
for (int i = 0; i < argc; i++) {
struct fsverity_signed_digest *d = NULL;
struct libfsverity_digest *digest = NULL;
char digest_hex[FS_VERITY_MAX_DIGEST_SIZE * 2 +
sizeof(struct fsverity_signed_digest) * 2 + 1];
if (!open_file(&file, argv[i], O_RDONLY, 0))
goto out_err;
if (!get_file_size(&file, &tree_params.file_size))
goto out_err;
if (libfsverity_compute_digest(&file, read_callback,
&tree_params, &digest) != 0) {
error_msg("failed to compute digest");
goto out_err;
}
ASSERT(digest->digest_size <= FS_VERITY_MAX_DIGEST_SIZE);
if (for_builtin_sig) {
/*
* Format the digest for use with the built-in signature
* support.
*/
d = xzalloc(sizeof(*d) + digest->digest_size);
memcpy(d->magic, "FSVerity", 8);
d->digest_algorithm =
cpu_to_le16(digest->digest_algorithm);
d->digest_size = cpu_to_le16(digest->digest_size);
memcpy(d->digest, digest->digest, digest->digest_size);
bin2hex((const u8 *)d, sizeof(*d) + digest->digest_size,
digest_hex);
} else {
bin2hex(digest->digest, digest->digest_size,
digest_hex);
}
if (compact)
printf("%s\n", digest_hex);
else if (for_builtin_sig)
printf("%s %s\n", digest_hex, argv[i]);
else
printf("%s:%s %s\n",
libfsverity_get_hash_name(tree_params.hash_algorithm),
digest_hex, argv[i]);
filedes_close(&file);
free(digest);
free(d);
}
status = 0;
out:
free(salt);
return status;
out_err:
filedes_close(&file);
status = 1;
goto out;
out_usage:
usage(cmd, stderr);
status = 2;
goto out;
}
-8
View File
@@ -43,14 +43,6 @@ static const struct option longopts[] = {
{NULL, 0, NULL, 0}
};
static int read_callback(void *file, void *buf, size_t count)
{
errno = 0;
if (!full_read(file, buf, count))
return errno ? -errno : -EIO;
return 0;
}
/* Sign a file for fs-verity by computing its measurement, then signing it. */
int fsverity_cmd_sign(const struct fsverity_command *cmd,
int argc, char *argv[])
+9
View File
@@ -21,6 +21,15 @@ static const struct fsverity_command {
const char *usage_str;
} fsverity_commands[] = {
{
.name = "digest",
.func = fsverity_cmd_digest,
.short_desc =
"Compute the fs-verity measurement of the given file(s), for offline signing",
.usage_str =
" fsverity digest FILE...\n"
" [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]\n"
" [--compact] [--for-builtin-sig]\n"
}, {
.name = "enable",
.func = fsverity_cmd_enable,
.short_desc = "Enable fs-verity on a file",
+4
View File
@@ -25,6 +25,10 @@
struct fsverity_command;
/* cmd_digest.c */
int fsverity_cmd_digest(const struct fsverity_command *cmd,
int argc, char *argv[]);
/* cmd_enable.c */
int fsverity_cmd_enable(const struct fsverity_command *cmd,
int argc, char *argv[]);
+8
View File
@@ -175,6 +175,14 @@ bool filedes_close(struct filedes *file)
return res == 0;
}
int read_callback(void *file, void *buf, size_t count)
{
errno = 0;
if (!full_read(file, buf, count))
return errno ? -errno : -EIO;
return 0;
}
/* ========== String utilities ========== */
static int hex2bin_char(char c)
+1
View File
@@ -43,6 +43,7 @@ bool get_file_size(struct filedes *file, u64 *size_ret);
bool full_read(struct filedes *file, void *buf, size_t count);
bool full_write(struct filedes *file, const void *buf, size_t count);
bool filedes_close(struct filedes *file);
int read_callback(void *file, void *buf, size_t count);
bool hex2bin(const char *hex, u8 *bin, size_t bin_len);
void bin2hex(const u8 *bin, size_t bin_len, char *hex);