authorGaël PORTAY <gael.portay@collabora.com>2020-11-14 15:21:39 +0100
committerGaël PORTAY <gael.portay@collabora.com>2021-01-15 17:06:11 +0100
commit08b04ec7e72b7327b4803809732b1b8fce8dd069 (patch)
tree178f69b3a8fcd6b85604ac1f92fe2add48be1fed /units
parentveritysetup-generator: add support for verity root options (diff)
veritysetup-generator: add support for veritytab
This adds support for veritytab. The veritytab file contains at most five fields; the first four are mandatory, the last one is optional: - The first field contains the name of the resulting verity volume; its block device is set up below /dev/mapper/. - The second field contains a path to the underlying block data device, or a specification of a block device via UUID= followed by the UUID. - The third field contains a path to the underlying block hash device, or a specification of a block device via UUID= followed by the UUID. - The fourth field is the roothash in hexadecimal. - The fifth field, if present, is a comma-delimited list of options. Only the following options are recognized: ignore-corruption, restart-on-corruption, panic-on-corruption, ignore-zero-blocks, check-at-most-once and root-hash-signature. The other options will be implemented later. Also, this adds support for the new verity kernel command line boolean option "veritytab", which enables reading veritytab, and the new environment variable SYSTEMD_VERITYTAB, which sets the path of the veritytab file to read.
Diffstat (limited to 'units')
-rw-r--r--units/meson.build5
-rw-r--r--units/remote-veritysetup.target18
-rw-r--r--units/veritysetup-pre.target14
-rw-r--r--units/veritysetup.target12
4 files changed, 49 insertions, 0 deletions
diff --git a/units/meson.build b/units/meson.build
index 8b8fd1173f..7b18f1bfea 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -10,6 +10,9 @@ units = [
['cryptsetup-pre.target', 'HAVE_LIBCRYPTSETUP'],
['cryptsetup.target', 'HAVE_LIBCRYPTSETUP',
'sysinit.target.wants/'],
+ ['veritysetup-pre.target', 'HAVE_LIBCRYPTSETUP'],
+ ['veritysetup.target', 'HAVE_LIBCRYPTSETUP',
+ 'sysinit.target.wants/'],
['dev-hugepages.mount', '',
'sysinit.target.wants/'],
['dev-mqueue.mount', '',
@@ -62,6 +65,8 @@ units = [
'ctrl-alt-del.target' + (with_runlevels ? ' runlevel6.target' : '')],
['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP',
'initrd-root-device.target.wants/'],
+ ['remote-veritysetup.target', 'HAVE_LIBCRYPTSETUP',
+ 'initrd-root-device.target.wants/'],
['remote-fs-pre.target', ''],
['remote-fs.target', ''],
['rescue.target', '',
diff --git a/units/remote-veritysetup.target b/units/remote-veritysetup.target
new file mode 100644
index 0000000000..bd9f71acef
--- /dev/null
+++ b/units/remote-veritysetup.target
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Remote Verity Integrity Protected Volumes
+Documentation=man:systemd.special(7)
+After=remote-fs-pre.target veritysetup-pre.target
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Install]
+WantedBy=multi-user.target
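Review bot: With `DefaultDependencies=no` set, the `Conflicts=shutdown.target` line in the new [Unit] section carries no ordering on its own: per systemd.unit(5), Conflicts= does not imply After=/Before=, so nothing here guarantees this target is stopped before shutdown.target starts. The usual pairing is `Before=shutdown.target` next to `Conflicts=shutdown.target`. If the file deliberately mirrors remote-cryptsetup.target (listed just above it in the meson.build hunk) and that unit omits the ordering too, a one-line comment above `Conflicts=` saying so would spare the next reader the check; otherwise add the `Before=` line.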
diff --git a/units/veritysetup-pre.target b/units/veritysetup-pre.target
new file mode 100644
index 0000000000..be065f335f
--- /dev/null
+++ b/units/veritysetup-pre.target
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Local Verity Integrity Protected Volumes (Pre)
+Documentation=man:systemd.special(7)
+RefuseManualStart=yes
+Before=veritysetup.target
diff --git a/units/veritysetup.target b/units/veritysetup.target
new file mode 100644
index 0000000000..0ac3ad3bd0
--- /dev/null
+++ b/units/veritysetup.target
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Local Verity Integrity Protected Volumes
+Documentation=man:systemd.special(7)