morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

dissect: check that roothash in signature matches before selecting partition

Browse Source 
If there are multiple verity sig partitions (e.g.: sysupdate and A/B
scheme), dissection will simply pick the last sig partition it encounters,
as no checks are done on the content (like for the usr/root and verity data).

Check that the JSON content matches the requested roothash, if any.

Before:

sda: /usr/lib/udev/rules.d/90-image-dissect.rules:34 IMPORT{builtin}="dissect_image probe": Importing properties from results of builtin command "dissect_image probe".
Dissecting esp partition with label esp and UUID b80070bd-ea4f-49ea-94ab-41a4e4125f80.
Dissecting usr-verity-sig partition with label ParticleOS_27.178_verity_sig and UUID a6d47959-39f7-4686-99b0-660b301d1488.
Dissecting usr-verity partition with label ParticleOS_27.178_verity and UUID d7acad57-995d-297d-bf6c-a58821dcd28a.
Dissecting usr partition with label ParticleOS_27.178 and UUID f5b6aff5-945d-946e-faf4-d482c07f9968.
Dissecting usr-verity-sig partition with label ParticleOS_118.26_verity_sig and UUID c9151ec9-3264-434a-8f42-7b125432d676.
Dissecting usr-verity partition with label ParticleOS_118.26_verity and UUID 88fa8c85-8161-ea32-bf4a-fc8df18d27ae.
Partition UUID '88fa8c85-8161-ea32-bf4a-fc8df18d27ae' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting usr partition with label ParticleOS_118.26 and UUID 52df1859-e144-348d-2cb1-8d6440254719.
Partition UUID '52df1859-e144-348d-2cb1-8d6440254719' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting swap partition with label ParticleOS-swap and UUID 7fe77f77-32fb-4957-8c1e-6c04bd2e435f.
Dissecting root partition with label ParticleOS-root and UUID a5c89fc4-e92c-4e83-913f-8c866b94592e.
Dissecting home partition with label ParticleOS-home and UUID 25885d07-baa2-4992-b6aa-56813aa70cef.
Found for designator root: encrypted+unprotected+unused.
Found for designator usr: verity+signed+encrypted+unprotected+unused.
Found for designator home: encrypted+unprotected+unused.
Found for designator srv: absent.
Found for designator esp: encrypted+unprotected+unused.
Found for designator xbootldr: absent.
Found for designator swap: encrypted+unprotected+unused.
Found for designator root-verity: absent.
Found for designator usr-verity: encrypted+unprotected+unused.
Found for designator root-verity-sig: absent.
Found for designator usr-verity-sig: encrypted+unprotected+unused.
Found for designator tmp: absent.
Found for designator var: absent.
Probed fstype 'btrfs' on partition /dev/sda9.
Probed fstype 'erofs' on partition /dev/sda4.
Probed fstype 'btrfs' on partition /dev/sda10.
Probed fstype 'swap' on partition /dev/sda8.
Root hash in signature JSON data (52df1859e144348d2cb18d644025471988fa8c858161ea32bf4afc8df18d27ae) doesn't match configured hash (f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a).
sda: Failed to load verity signature data from image: Invalid argument

After:

Dissecting usr-verity-sig partition with label ParticleOS_27.178_verity_sig and UUID a6d47959-39f7-4686-99b0-660b301d1488.
Dissecting usr-verity partition with label ParticleOS_27.178_verity and UUID d7acad57-995d-297d-bf6c-a58821dcd28a.
Dissecting usr partition with label ParticleOS_27.178 and UUID f5b6aff5-945d-946e-faf4-d482c07f9968.
Dissecting usr-verity-sig partition with label ParticleOS_118.26_verity_sig and UUID c9151ec9-3264-434a-8f42-7b125432d676.
Root hash in signature JSON data (52df1859e144348d2cb18d644025471988fa8c858161ea32bf4afc8df18d27ae) doesn't match configured hash (f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a).
Dissecting usr-verity partition with label ParticleOS_118.26_verity and UUID 88fa8c85-8161-ea32-bf4a-fc8df18d27ae.
Partition UUID '88fa8c85-8161-ea32-bf4a-fc8df18d27ae' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting usr partition with label ParticleOS_118.26 and UUID 52df1859-e144-348d-2cb1-8d6440254719.
Partition UUID '52df1859-e144-348d-2cb1-8d6440254719' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
<...>
  ID_DISSECT_PART2_DESIGNATOR=usr-verity-sig
  ID_DISSECT_PART3_ARCHITECTURE=x86-64
  ID_DISSECT_PART3_DESIGNATOR=usr-verity
  ID_DISSECT_PART4_ARCHITECTURE=x86-64
  ID_DISSECT_PART4_DESIGNATOR=usr
  ID_DISSECT_PART4_HAS_VERITY=1
  ID_DISSECT_PART4_HAS_VERITY_SIG=1
  ID_DISSECT_PART4_ROOTHASH=f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a
  ID_DISSECT_PART4_ROOTHASH_SIG=<...>
  ID_DISSECT_PART4_VERITY_DEVICE=/dev/disk/by-diskseq/9-part3
  ID_DISSECT_PART4_VERITY_SIG_DEVICE=/dev/disk/by-diskseq/9-part2

Fixes https://github.com/systemd/systemd/issues/39655
This commit is contained in:
Luca Boccassi
2025-11-10 02:01:57 +00:00
parent d560cbc0d9
commit 98ca65c36a
1 changed files with 133 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
src/shared/dissect-image.c
View File

@@ -568,6 +568,83 @@ static void dissected_partition_done(DissectedPartition *p) {
*p = DISSECTED_PARTITION_NULL;
}
static int acquire_sig_for_roothash(
int fd,
uint64_t partition_offset,
uint64_t partition_size,
void **ret_root_hash,
size_t *ret_root_hash_size,
void **ret_root_hash_sig,
size_t *ret_root_hash_sig_size) {
int r;
assert(fd >= 0);
assert(!!ret_root_hash == !!ret_root_hash_size);
assert(!!ret_root_hash_sig == !!ret_root_hash_sig_size);
if (partition_offset == UINT64_MAX || partition_size == UINT64_MAX)
return -EINVAL;
if (partition_size > 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
return log_debug_errno(SYNTHETIC_ERRNO(EFBIG), "Verity signature partition is larger than 4M, refusing.");
_cleanup_free_ char *buf = new(char, partition_size+1);
if (!buf)
return -ENOMEM;
ssize_t n = pread(fd, buf, partition_size, partition_offset);
if (n < 0)
return -ENOMEM;
if ((uint64_t) n != partition_size)
return -EIO;
const char *e = memchr(buf, 0, partition_size);
if (e) {
/* If we found a NUL byte then the rest of the data must be NUL too */
if (!memeqzero(e, partition_size - (e - buf)))
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature data contains embedded NUL byte.");
} else
buf[partition_size] = 0;
_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
r = sd_json_parse(buf, 0, &v, /* reterr_line= */ NULL, /* reterr_column= */ NULL);
if (r < 0)
return log_debug_errno(r, "Failed to parse signature JSON data: %m");
sd_json_variant *rh = sd_json_variant_by_key(v, "rootHash");
if (!rh)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'rootHash' field.");
_cleanup_free_ void *root_hash = NULL;
size_t root_hash_size;
r = sd_json_variant_unhex(rh, &root_hash, &root_hash_size);
if (r < 0)
return log_debug_errno(r, "Failed to parse root hash field: %m");
sd_json_variant *sig = sd_json_variant_by_key(v, "signature");
if (!sig)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'signature' field.");
_cleanup_free_ void *root_hash_sig = NULL;
size_t root_hash_sig_size;
r = sd_json_variant_unbase64(sig, &root_hash_sig, &root_hash_sig_size);
if (r < 0)
return log_debug_errno(r, "Failed to parse signature field: %m");
if (ret_root_hash) {
*ret_root_hash = TAKE_PTR(root_hash);
*ret_root_hash_size = root_hash_size;
}
if (ret_root_hash_sig) {
*ret_root_hash_sig = TAKE_PTR(root_hash_sig);
*ret_root_hash_sig_size = root_hash_sig_size;
}
return 0;
}
#if HAVE_BLKID
static int diskseq_should_be_used(
const char *whole_devname,
@@ -1159,6 +1236,32 @@ static int dissect_image(
rw = false;
} else if (type.designator == PARTITION_ROOT_VERITY_SIG) {
if (verity && verity->root_hash) {
_cleanup_free_ void *root_hash = NULL;
size_t root_hash_size;
r = acquire_sig_for_roothash(
fd,
start * 512,
size * 512,
&root_hash,
&root_hash_size,
/* ret_root_hash_sig= */ NULL,
/* ret_root_hash_sig_size= */ NULL);
if (r < 0)
return r;
if (memcmp_nn(verity->root_hash, verity->root_hash_size, root_hash, root_hash_size) != 0) {
if (DEBUG_LOGGING) {
_cleanup_free_ char *found = NULL, *expected = NULL;
found = hexmem(root_hash, root_hash_size);
expected = hexmem(verity->root_hash, verity->root_hash_size);
log_debug("Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(found), strna(expected));
}
continue;
}
}
check_partition_flags(node, pflags,
SD_GPT_FLAG_NO_AUTO | SD_GPT_FLAG_READ_ONLY);
@@ -1202,6 +1305,32 @@ static int dissect_image(
rw = false;
} else if (type.designator == PARTITION_USR_VERITY_SIG) {
if (verity && verity->root_hash) {
_cleanup_free_ void *root_hash = NULL;
size_t root_hash_size;
r = acquire_sig_for_roothash(
fd,
start * 512,
size * 512,
&root_hash,
&root_hash_size,
/* ret_root_hash_sig= */ NULL,
/* ret_root_hash_sig_size= */ NULL);
if (r < 0)
return r;
if (memcmp_nn(verity->root_hash, verity->root_hash_size, root_hash, root_hash_size) != 0) {
if (DEBUG_LOGGING) {
_cleanup_free_ char *found = NULL, *expected = NULL;
found = hexmem(root_hash, root_hash_size);
expected = hexmem(verity->root_hash, verity->root_hash_size);
log_debug("Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(found), strna(expected));
}
continue;
}
}
check_partition_flags(node, pflags,
SD_GPT_FLAG_NO_AUTO | SD_GPT_FLAG_READ_ONLY);
@@ -3661,44 +3790,13 @@ int dissected_image_load_verity_sig_partition(
DissectedPartition *p = m->partitions + ds;
if (!p->found)
return 0;
if (p->offset == UINT64_MAX || p->size == UINT64_MAX)
return -EINVAL;
if (p->size > 4*1024*1024) /* Signature data cannot possible be larger than 4M, refuse that */
return log_debug_errno(SYNTHETIC_ERRNO(EFBIG), "Verity signature partition is larger than 4M, refusing.");
_cleanup_free_ void *root_hash = NULL, *root_hash_sig = NULL;
size_t root_hash_size, root_hash_sig_size;
_cleanup_free_ char *buf = new(char, p->size+1);
if (!buf)
return -ENOMEM;
ssize_t n = pread(fd, buf, p->size, p->offset);
if (n < 0)
return -ENOMEM;
if ((uint64_t) n != p->size)
return -EIO;
const char *e = memchr(buf, 0, p->size);
if (e) {
/* If we found a NUL byte then the rest of the data must be NUL too */
if (!memeqzero(e, p->size - (e - buf)))
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature data contains embedded NUL byte.");
} else
buf[p->size] = 0;
_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
r = sd_json_parse(buf, 0, &v, /* reterr_line= */ NULL, /* reterr_column= */ NULL);
r = acquire_sig_for_roothash(fd, p->offset, p->size, &root_hash, &root_hash_size, &root_hash_sig, &root_hash_sig_size);
if (r < 0)
return log_debug_errno(r, "Failed to parse signature JSON data: %m");
sd_json_variant *rh = sd_json_variant_by_key(v, "rootHash");
if (!rh)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'rootHash' field.");
_cleanup_free_ void *root_hash = NULL;
size_t root_hash_size;
r = sd_json_variant_unhex(rh, &root_hash, &root_hash_size);
if (r < 0)
return log_debug_errno(r, "Failed to parse root hash field: %m");
return r;
/* Check if specified root hash matches if it is specified */
if (verity->root_hash &&
@@ -3711,16 +3809,6 @@ int dissected_image_load_verity_sig_partition(
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a), strna(b));
}
sd_json_variant *sig = sd_json_variant_by_key(v, "signature");
if (!sig)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Signature JSON object lacks 'signature' field.");
_cleanup_free_ void *root_hash_sig = NULL;
size_t root_hash_sig_size;
r = sd_json_variant_unbase64(sig, &root_hash_sig, &root_hash_sig_size);
if (r < 0)
return log_debug_errno(r, "Failed to parse signature field: %m");
free_and_replace(verity->root_hash, root_hash);
verity->root_hash_size = root_hash_size;