heads/verity-sign
Philipp Deppenwiese 30cc83e1be
Replace gnupg with signify
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
2016-11-30 03:30:51 +01:00

105 lines
2.5 KiB
Perl
Executable File

#!/usr/bin/perl
# Generate dm-verity hashes and sign the root hash
#
# Output looks like
#
# VERITY header information for hdd.img
# UUID: 73532888-a3e9-4f16-a50a-1d03a265b94f
# Hash type: 1
# Data blocks: 7680
# Data block size: 4096
# Hash block size: 4096
# Hash algorithm: sha256
# Salt: 3d0cd593d29715005794c4e1cd5164c14ba6456c3dbd2c6d8a26007c01ca9937
# Root hash: 91beda90d7fa1ab92463344966eb56ec9706f4f26063933a86d701a02a961a10
#
my $usage = <<"";
Usage:
size=32
dd if=/dev/zero of=hdd.img bs=1M count=$size
mkfs.ext4 -b 4096 ./hdd.img
mkdir /tmp/loop
sudo mount -o loop hdd.img /tmp/loop
(populate /tmp/loop)
sudo umount /tmp/loop
veritysetup \
--hash-offset $[$size*1024*1024] \
--data-blocks $[$size*1024*1024/4096] \
format hdd.img hdd.img \
| ./verity-sign /dev/sda1 \
| tee hdd.table.tmp
signify -Se -s root.sec -m hdd.table.tmp -x hdd.table
rm hdd.table.tmp
use warnings;
use strict;
my $dev = shift;
local $_ = <STDIN>;
chomp;
my ($orig_device) = /^VERITY header information for (.*)/
or die "Missing VERITY header\n";
my %params;
$dev ||= $orig_device;
while(<>)
{
chomp;
my ($key,$value) = split /:\s+/;
$params{$key} = $value;
}
my @missing;
# All the necessary parameters were in the header, generate
# the command to mount the filesystem
my $data_blocks = $params{'Data blocks'}
or push @missing, 'Data blocks';
my $data_block_size = $params{'Data block size'}
or push @missing, 'Data block size';
my $hash_block_size = $params{'Hash block size'}
or push @missing, 'Hash block size';
my $salt = $params{'Salt'}
or push @missing, 'Salt';
my $root_hash = $params{'Root hash'}
or push @missing, 'Root hash';
my $hash_type = $params{'Hash type'}
or push @missing, 'Hash type';
my $hash_algorithm = $params{'Hash algorithm'}
or push @missing, 'Hash algorithm';
# Check for any missing parameters
die "Missing parameter: ", join(', ', @missing), "\n"
if @missing;
# Compute the derived parameters
my $data_size = $data_blocks * $data_block_size;
my $data_size_512b = $data_size / 512;
my $first_hash_block = $data_blocks + 1;
# The table must be on a single line
my $table = sprintf "0 %d verity %d %s %s %d %d %d %d %s %s %s",
$data_size_512b,
$hash_type,
$dev,
$dev,
$data_block_size,
$hash_block_size,
$data_blocks,
$first_hash_block,
$hash_algorithm,
$root_hash,
$salt,
;
print "dmsetup create --readonly boot --table '$table'\n";
print "dmsetup mknodes boot\n";
print "mount -o ro /dev/mapper/boot /boot\n";
__END__