diff options
author | Gaël PORTAY <gael.portay@collabora.com> | 2020-11-14 15:21:39 +0100 |
---|---|---|
committer | Gaël PORTAY <gael.portay@collabora.com> | 2021-01-15 17:06:11 +0100 |
commit | 08b04ec7e72b7327b4803809732b1b8fce8dd069 (patch) | |
tree | 178f69b3a8fcd6b85604ac1f92fe2add48be1fed /units | |
parent | veritysetup-generator: add support for verity root options (diff) | |
download | systemd-08b04ec7e72b7327b4803809732b1b8fce8dd069.tar.xz systemd-08b04ec7e72b7327b4803809732b1b8fce8dd069.zip |
veritysetup-generator: add support for veritytab
This adds the support for veritytab.
The veritytab file contains at most five fields, the first four are
mandatory, the last one is optional:
- The first field contains the name of the resulting verity volume; its
block device is set up /dev/mapper/</filename>.
- The second field contains a path to the underlying block data device,
or a specification of a block device via UUID= followed by the UUID.
- The third field contains a path to the underlying block hash device,
or a specification of a block device via UUID= followed by the UUID.
- The fourth field is the roothash in hexadecimal.
- The fifth field, if present, is a comma-delimited list of options.
The following options are recognized only: ignore-corruption,
restart-on-corruption, panic-on-corruption, ignore-zero-blocks,
check-at-most-once and root-hash-signature. The others options will
be implemented later.
Also, this adds support for the new kernel verity command line boolean
option "veritytab" which enables the read for veritytab, and the new
environment variable SYSTEMD_VERITYTAB which sets the path to the file
veritytab to read.
Diffstat (limited to 'units')
-rw-r--r-- | units/meson.build | 5 | ||||
-rw-r--r-- | units/remote-veritysetup.target | 18 | ||||
-rw-r--r-- | units/veritysetup-pre.target | 14 | ||||
-rw-r--r-- | units/veritysetup.target | 12 |
4 files changed, 49 insertions, 0 deletions
diff --git a/units/meson.build b/units/meson.build index 8b8fd1173f..7b18f1bfea 100644 --- a/units/meson.build +++ b/units/meson.build @@ -10,6 +10,9 @@ units = [ ['cryptsetup-pre.target', 'HAVE_LIBCRYPTSETUP'], ['cryptsetup.target', 'HAVE_LIBCRYPTSETUP', 'sysinit.target.wants/'], + ['veritysetup-pre.target', 'HAVE_LIBCRYPTSETUP'], + ['veritysetup.target', 'HAVE_LIBCRYPTSETUP', + 'sysinit.target.wants/'], ['dev-hugepages.mount', '', 'sysinit.target.wants/'], ['dev-mqueue.mount', '', @@ -62,6 +65,8 @@ units = [ 'ctrl-alt-del.target' + (with_runlevels ? ' runlevel6.target' : '')], ['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP', 'initrd-root-device.target.wants/'], + ['remote-veritysetup.target', 'HAVE_LIBCRYPTSETUP', + 'initrd-root-device.target.wants/'], ['remote-fs-pre.target', ''], ['remote-fs.target', ''], ['rescue.target', '', diff --git a/units/remote-veritysetup.target b/units/remote-veritysetup.target new file mode 100644 index 0000000000..bd9f71acef --- /dev/null +++ b/units/remote-veritysetup.target @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Remote Verity Integrity Protected Volumes +Documentation=man:systemd.special(7) +After=remote-fs-pre.target veritysetup-pre.target +DefaultDependencies=no +Conflicts=shutdown.target + +[Install] +WantedBy=multi-user.target diff --git a/units/veritysetup-pre.target b/units/veritysetup-pre.target new file mode 100644 index 0000000000..be065f335f --- /dev/null +++ b/units/veritysetup-pre.target @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Local Verity Integrity Protected Volumes (Pre) +Documentation=man:systemd.special(7) +RefuseManualStart=yes +Before=veritysetup.target diff --git a/units/veritysetup.target b/units/veritysetup.target new file mode 100644 index 0000000000..0ac3ad3bd0 --- /dev/null +++ b/units/veritysetup.target @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Local Verity Integrity Protected Volumes +Documentation=man:systemd.special(7) |