diff options
| author | Lennart Poettering <lennart@poettering.net> | 2020-08-28 21:27:45 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2020-09-02 15:04:06 +0200 |
| commit | 0d12936d9a351660ecaa94361b181d10f92d464f (patch) | |
| tree | 75fbc8e1fe4d58f99b46b7efad774b52924027c7 /src/shared | |
| parent | shared: rename crypt-util.c → cryptsetup-util.c (diff) | |
| download | systemd-0d12936d9a351660ecaa94361b181d10f92d464f.tar.xz systemd-0d12936d9a351660ecaa94361b181d10f92d464f.zip | |
shared: make libcryptsetup dep dlopen
Let's make libcryptsetup a dlopen() style dep for PID 1 (i.e. for
RootImage= and stuff), systemd-growfs and systemd-repart. (But leave to
be a regulra dep in systemd-cryptsetup, systemd-veritysetup and
systemd-homed since for them the libcryptsetup support is not auxiliary
but pretty much at the core of what they do.)
This should be useful for container images that want systemd in the
payload but don't care for the cryptsetup logic since dm-crypt and stuff
isn't available in containers anyway.
Fixes: #8249
Diffstat (limited to 'src/shared')
| -rw-r--r-- | src/shared/cryptsetup-util.c | 81 | ||||
| -rw-r--r-- | src/shared/cryptsetup-util.h | 26 | ||||
| -rw-r--r-- | src/shared/dissect-image.c | 58 | ||||
| -rw-r--r-- | src/shared/meson.build | 1 |
4 files changed, 140 insertions, 26 deletions
diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c index 9bc85a1739..9d86478b06 100644 --- a/src/shared/cryptsetup-util.c +++ b/src/shared/cryptsetup-util.c @@ -1,10 +1,79 @@ /* SPDX-License-Identifier: LGPL-2.1+ */ #if HAVE_LIBCRYPTSETUP +#include "alloc-util.h" #include "cryptsetup-util.h" +#include "dlfcn-util.h" #include "log.h" +static void *cryptsetup_dl = NULL; + +int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags); +#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY +int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags); +#endif +int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags); +int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags); +int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params); +void (*sym_crypt_free)(struct crypt_device *cd); +const char *(*sym_crypt_get_dir)(void); +int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp); +int (*sym_crypt_init)(struct crypt_device **cd, const char *device); +int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name); +int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size); +int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params); +int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size); +int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device); +void (*sym_crypt_set_debug_level)(int level); +void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr); +int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size); + +int dlopen_cryptsetup(void) { + _cleanup_(dlclosep) void *dl = NULL; + int r; + + if (cryptsetup_dl) + return 0; /* Already loaded */ + + dl = dlopen("libcryptsetup.so.12", RTLD_LAZY); + if (!dl) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "libcryptsetup support is not installed: %s", dlerror()); + + r = dlsym_many_and_warn( + dl, + LOG_DEBUG, + &sym_crypt_activate_by_passphrase, "crypt_activate_by_passphrase", +#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY + &sym_crypt_activate_by_signed_key, "crypt_activate_by_signed_key", +#endif + &sym_crypt_activate_by_volume_key, "crypt_activate_by_volume_key", + &sym_crypt_deactivate_by_name, "crypt_deactivate_by_name", + &sym_crypt_format, "crypt_format", + &sym_crypt_free, "crypt_free", + &sym_crypt_get_dir, "crypt_get_dir", + &sym_crypt_get_verity_info, "crypt_get_verity_info", + &sym_crypt_init, "crypt_init", + &sym_crypt_init_by_name, "crypt_init_by_name", + &sym_crypt_keyslot_add_by_volume_key, "crypt_keyslot_add_by_volume_key", + &sym_crypt_load, "crypt_load", + &sym_crypt_resize, "crypt_resize", + &sym_crypt_set_data_device, "crypt_set_data_device", + &sym_crypt_set_debug_level, "crypt_set_debug_level", + &sym_crypt_set_log_callback, "crypt_set_log_callback", + &sym_crypt_volume_key_get, "crypt_volume_key_get", + NULL); + if (r < 0) + return r; + + /* Note that we never release the reference here, because there's no real reason to, after all this + * was traditionally a regular shared library dependency which lives forever too. */ + cryptsetup_dl = TAKE_PTR(dl); + return 1; +} + static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) { + switch (level) { case CRYPT_LOG_NORMAL: level = LOG_NOTICE; @@ -27,8 +96,16 @@ static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) { } void cryptsetup_enable_logging(struct crypt_device *cd) { - crypt_set_log_callback(cd, cryptsetup_log_glue, NULL); - crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE); + if (!cd) + return; + + if (dlopen_cryptsetup() < 0) /* If this fails, let's gracefully ignore the issue, this is just debug + * logging after all, and if this failed we already generated a debug + * log message that should help to track things down. */ + return; + + sym_crypt_set_log_callback(cd, cryptsetup_log_glue, NULL); + sym_crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE); } #endif diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h index b9f465fbc1..046953b8cc 100644 --- a/src/shared/cryptsetup-util.h +++ b/src/shared/cryptsetup-util.h @@ -1,12 +1,36 @@ /* SPDX-License-Identifier: LGPL-2.1+ */ #pragma once +#include "macro.h" + #if HAVE_LIBCRYPTSETUP #include <libcryptsetup.h> -#include "macro.h" +extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags); +#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY +extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags); +#endif +extern int (*sym_crypt_activate_by_volume_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, uint32_t flags); +extern int (*sym_crypt_deactivate_by_name)(struct crypt_device *cd, const char *name, uint32_t flags); +extern int (*sym_crypt_format)(struct crypt_device *cd, const char *type, const char *cipher, const char *cipher_mode, const char *uuid, const char *volume_key, size_t volume_key_size, void *params); +extern void (*sym_crypt_free)(struct crypt_device *cd); +extern const char *(*sym_crypt_get_dir)(void); +extern int (*sym_crypt_get_verity_info)(struct crypt_device *cd, struct crypt_params_verity *vp); +extern int (*sym_crypt_init)(struct crypt_device **cd, const char *device); +extern int (*sym_crypt_init_by_name)(struct crypt_device **cd, const char *name); +extern int (*sym_crypt_keyslot_add_by_volume_key)(struct crypt_device *cd, int keyslot, const char *volume_key, size_t volume_key_size, const char *passphrase, size_t passphrase_size); +extern int (*sym_crypt_load)(struct crypt_device *cd, const char *requested_type, void *params); +extern int (*sym_crypt_resize)(struct crypt_device *cd, const char *name, uint64_t new_size); +extern int (*sym_crypt_set_data_device)(struct crypt_device *cd, const char *device); +extern void (*sym_crypt_set_debug_level)(int level); +extern void (*sym_crypt_set_log_callback)(struct crypt_device *cd, void (*log)(int level, const char *msg, void *usrptr), void *usrptr); +extern int (*sym_crypt_volume_key_get)(struct crypt_device *cd, int keyslot, char *volume_key, size_t *volume_key_size, const char *passphrase, size_t passphrase_size); + +int dlopen_cryptsetup(void); DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free); +DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, sym_crypt_free); void cryptsetup_enable_logging(struct crypt_device *cd); + #endif diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index a035e8de5a..15c3f55de0 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -1225,13 +1225,13 @@ DecryptedImage* decrypted_image_unref(DecryptedImage* d) { DecryptedPartition *p = d->decrypted + i; if (p->device && p->name && !p->relinquished) { - r = crypt_deactivate(p->device, p->name); + r = sym_crypt_deactivate_by_name(p->device, p->name, 0); if (r < 0) log_debug_errno(r, "Failed to deactivate encrypted partition %s", p->name); } if (p->device) - crypt_free(p->device); + sym_crypt_free(p->device); free(p->name); } @@ -1265,7 +1265,7 @@ static int make_dm_name_and_node(const void *original_node, const char *suffix, if (!filename_is_valid(name)) return -EINVAL; - node = path_join(crypt_get_dir(), name); + node = path_join(sym_crypt_get_dir(), name); if (!node) return -ENOMEM; @@ -1282,7 +1282,7 @@ static int decrypt_partition( DecryptedImage *d) { _cleanup_free_ char *node = NULL, *name = NULL; - _cleanup_(crypt_freep) struct crypt_device *cd = NULL; + _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL; int r; assert(m); @@ -1297,6 +1297,10 @@ static int decrypt_partition( if (!passphrase) return -ENOKEY; + r = dlopen_cryptsetup(); + if (r < 0) + return r; + r = make_dm_name_and_node(m->node, "-decrypted", &name, &node); if (r < 0) return r; @@ -1304,19 +1308,19 @@ static int decrypt_partition( if (!GREEDY_REALLOC0(d->decrypted, d->n_allocated, d->n_decrypted + 1)) return -ENOMEM; - r = crypt_init(&cd, m->node); + r = sym_crypt_init(&cd, m->node); if (r < 0) return log_debug_errno(r, "Failed to initialize dm-crypt: %m"); cryptsetup_enable_logging(cd); - r = crypt_load(cd, CRYPT_LUKS, NULL); + r = sym_crypt_load(cd, CRYPT_LUKS, NULL); if (r < 0) return log_debug_errno(r, "Failed to load LUKS metadata: %m"); - r = crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), - ((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) | - ((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0)); + r = sym_crypt_activate_by_passphrase(cd, name, CRYPT_ANY_SLOT, passphrase, strlen(passphrase), + ((flags & DISSECT_IMAGE_READ_ONLY) ? CRYPT_ACTIVATE_READONLY : 0) | + ((flags & DISSECT_IMAGE_DISCARD_ON_CRYPTO) ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0)); if (r < 0) { log_debug_errno(r, "Failed to activate LUKS device: %m"); return r == -EPERM ? -EKEYREJECTED : r; @@ -1334,23 +1338,26 @@ static int decrypt_partition( static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool has_sig, const char *name, struct crypt_device **ret_cd) { /* If the same volume was already open, check that the root hashes match, and reuse it if they do */ _cleanup_free_ char *root_hash_existing = NULL; - _cleanup_(crypt_freep) struct crypt_device *cd = NULL; + _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL; struct crypt_params_verity crypt_params = {}; size_t root_hash_existing_size = root_hash_size; int r; assert(ret_cd); - r = crypt_init_by_name(&cd, name); + r = sym_crypt_init_by_name(&cd, name); if (r < 0) return log_debug_errno(r, "Error opening verity device, crypt_init_by_name failed: %m"); - r = crypt_get_verity_info(cd, &crypt_params); + + r = sym_crypt_get_verity_info(cd, &crypt_params); if (r < 0) return log_debug_errno(r, "Error opening verity device, crypt_get_verity_info failed: %m"); + root_hash_existing = malloc0(root_hash_size); if (!root_hash_existing) return -ENOMEM; - r = crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0); + + r = sym_crypt_volume_key_get(cd, CRYPT_ANY_SLOT, root_hash_existing, &root_hash_existing_size, NULL, 0); if (r < 0) return log_debug_errno(r, "Error opening verity device, crypt_volume_key_get failed: %m"); if (root_hash_size != root_hash_existing_size || memcmp(root_hash_existing, root_hash, root_hash_size) != 0) @@ -1370,7 +1377,8 @@ static int verity_can_reuse(const void *root_hash, size_t root_hash_size, bool h static inline void dm_deferred_remove_clean(char *name) { if (!name) return; - (void) crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED); + + (void) sym_crypt_deactivate_by_name(NULL, name, CRYPT_DEACTIVATE_DEFERRED); free(name); } DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean); @@ -1388,7 +1396,7 @@ static int verity_partition( DecryptedImage *d) { _cleanup_free_ char *node = NULL, *name = NULL, *hash_sig_from_file = NULL; - _cleanup_(crypt_freep) struct crypt_device *cd = NULL; + _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL; _cleanup_(dm_deferred_remove_cleanp) char *restore_deferred_remove = NULL; int r; @@ -1408,11 +1416,17 @@ static int verity_partition( return 0; } + r = dlopen_cryptsetup(); + if (r < 0) + return r; + if (FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) { /* Use the roothash, which is unique per volume, as the device node name, so that it can be reused */ _cleanup_free_ char *root_hash_encoded = NULL; + root_hash_encoded = hexmem(root_hash, root_hash_size); if (!root_hash_encoded) + return -ENOMEM; r = make_dm_name_and_node(root_hash_encoded, "-verity", &name, &node); } else @@ -1426,17 +1440,17 @@ static int verity_partition( return r; } - r = crypt_init(&cd, verity_data ?: v->node); + r = sym_crypt_init(&cd, verity_data ?: v->node); if (r < 0) return r; cryptsetup_enable_logging(cd); - r = crypt_load(cd, CRYPT_VERITY, NULL); + r = sym_crypt_load(cd, CRYPT_VERITY, NULL); if (r < 0) return r; - r = crypt_set_data_device(cd, m->node); + r = sym_crypt_set_data_device(cd, m->node); if (r < 0) return r; @@ -1449,12 +1463,12 @@ static int verity_partition( for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) { if (root_hash_sig || hash_sig_from_file) { #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY - r = crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY); + r = sym_crypt_activate_by_signed_key(cd, name, root_hash, root_hash_size, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, CRYPT_ACTIVATE_READONLY); #else r = log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "activation of verity device with signature requested, but not supported by cryptsetup due to missing crypt_activate_by_signed_key()"); #endif } else - r = crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY); + r = sym_crypt_activate_by_volume_key(cd, name, root_hash, root_hash_size, CRYPT_ACTIVATE_READONLY); /* libdevmapper can return EINVAL when the device is already in the activation stage. * There's no way to distinguish this situation from a genuine error due to invalid * parameters, so immediately fall back to activating the device with a unique name. @@ -1500,7 +1514,7 @@ static int verity_partition( return r; if (cd) - crypt_free(cd); + sym_crypt_free(cd); cd = existing_cd; } } @@ -1664,7 +1678,7 @@ int decrypted_image_relinquish(DecryptedImage *d) { if (p->relinquished) continue; - r = crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED); + r = sym_crypt_deactivate_by_name(NULL, p->name, CRYPT_DEACTIVATE_DEFERRED); if (r < 0) return log_debug_errno(r, "Failed to mark %s for auto-removal: %m", p->name); diff --git a/src/shared/meson.build b/src/shared/meson.build index 5416c68bf5..723e00e437 100644 --- a/src/shared/meson.build +++ b/src/shared/meson.build @@ -354,7 +354,6 @@ libshared_deps = [threads, libblkid, libcap, libcrypt, - libcryptsetup, libgcrypt, libidn, libiptc, |