diff options
Diffstat (limited to 'src/partition/repart.c')
-rw-r--r-- | src/partition/repart.c | 55 |
1 files changed, 34 insertions, 21 deletions
diff --git a/src/partition/repart.c b/src/partition/repart.c index 44a785a7ed..adf1f0e696 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -146,6 +146,8 @@ static bool arg_legend = true; static void *arg_key = NULL; static size_t arg_key_size = 0; static EVP_PKEY *arg_private_key = NULL; +static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE; +static char *arg_private_key_source = NULL; static X509 *arg_certificate = NULL; static char *arg_tpm2_device = NULL; static uint32_t arg_tpm2_seal_key_handle = 0; @@ -177,6 +179,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep); STATIC_DESTRUCTOR_REGISTER(arg_definitions, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_key, erase_and_freep); STATIC_DESTRUCTOR_REGISTER(arg_private_key, EVP_PKEY_freep); +STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep); STATIC_DESTRUCTOR_REGISTER(arg_certificate, X509_freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device_key, freep); @@ -1755,7 +1758,7 @@ static int config_parse_mountpoint( const char *q = rvalue; r = extract_many_words(&q, ":", EXTRACT_CUNESCAPE|EXTRACT_DONT_COALESCE_SEPARATORS|EXTRACT_UNQUOTE, - &where, &options, NULL); + &where, &options); if (r == -ENOMEM) return log_oom(); if (r < 0) { @@ -1812,7 +1815,7 @@ static int config_parse_encrypted_volume( const char *q = rvalue; r = extract_many_words(&q, ":", EXTRACT_CUNESCAPE|EXTRACT_DONT_COALESCE_SEPARATORS|EXTRACT_UNQUOTE, - &volume, &keyfile, &options, NULL); + &volume, &keyfile, &options); if (r == -ENOMEM) return log_oom(); if (r < 0) { @@ -6806,8 +6809,14 @@ static int help(void) { " Specify disk image dissection policy\n" " --definitions=DIR Find partition definitions in specified directory\n" " --key-file=PATH Key to use when encrypting partitions\n" - " --private-key=PATH Private key to use when generating verity roothash\n" - " signatures\n" + " --private-key=PATH|URI\n" + " Private key to use when generating verity roothash\n" + " signatures, or an engine or provider specific\n" + " designation if --private-key-source= is used.\n" + " --private-key-source=file|provider:PROVIDER|engine:ENGINE\n" + " Specify how to use the --private-key=. Allows to use\n" + " an OpenSSL engine/provider when generating verity\n" + " roothash signatures\n" " --certificate=PATH PEM certificate to use when generating verity\n" " roothash signatures\n" " --tpm2-device=PATH Path to TPM2 device node to use\n" @@ -6857,7 +6866,7 @@ static int help(void) { } static int parse_argv(int argc, char *argv[]) { - _cleanup_free_ char *private_key = NULL, *private_key_uri = NULL; + _cleanup_free_ char *private_key = NULL; enum { ARG_VERSION = 0x100, @@ -6878,7 +6887,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_JSON, ARG_KEY_FILE, ARG_PRIVATE_KEY, - ARG_PRIVATE_KEY_URI, + ARG_PRIVATE_KEY_SOURCE, ARG_CERTIFICATE, ARG_TPM2_DEVICE, ARG_TPM2_DEVICE_KEY, @@ -6921,7 +6930,7 @@ static int parse_argv(int argc, char *argv[]) { { "json", required_argument, NULL, ARG_JSON }, { "key-file", required_argument, NULL, ARG_KEY_FILE }, { "private-key", required_argument, NULL, ARG_PRIVATE_KEY }, - { "private-key-uri", required_argument, NULL, ARG_PRIVATE_KEY_URI }, + { "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE }, { "certificate", required_argument, NULL, ARG_CERTIFICATE }, { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, { "tpm2-device-key", required_argument, NULL, ARG_TPM2_DEVICE_KEY }, @@ -7115,12 +7124,14 @@ static int parse_argv(int argc, char *argv[]) { break; } - case ARG_PRIVATE_KEY_URI: { - r = free_and_strdup_warn(&private_key_uri, optarg); + case ARG_PRIVATE_KEY_SOURCE: + r = parse_openssl_key_source_argument( + optarg, + &arg_private_key_source, + &arg_private_key_source_type); if (r < 0) return r; break; - } case ARG_CERTIFICATE: { _cleanup_free_ char *cert = NULL; @@ -7465,12 +7476,7 @@ static int parse_argv(int argc, char *argv[]) { *p = gpt_partition_type_override_architecture(*p, arg_architecture); } - if (private_key && private_key_uri) - return log_error_errno( - SYNTHETIC_ERRNO(EINVAL), - "Cannot specify both --private-key= and --private-key-uri=."); - - if (private_key) { + if (private_key && arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) { _cleanup_(erase_and_freep) char *k = NULL; size_t n = 0; @@ -7485,16 +7491,22 @@ static int parse_argv(int argc, char *argv[]) { r = parse_private_key(k, n, &arg_private_key); if (r < 0) return r; - } else if (private_key_uri) { + } else if (private_key && + IN_SET(arg_private_key_source_type, OPENSSL_KEY_SOURCE_ENGINE, OPENSSL_KEY_SOURCE_PROVIDER)) { /* This must happen after parse_x509_certificate() is called above, otherwise * signing later will get stuck as the parsed private key won't have the * certificate, so this block cannot be inline in ARG_PRIVATE_KEY. */ - r = openssl_load_key_from_token(private_key_uri, &arg_private_key); + r = openssl_load_key_from_token( + arg_private_key_source_type, + arg_private_key_source, + private_key, + &arg_private_key); if (r < 0) return log_error_errno( r, - "Failed to load key '%s' from OpenSSL provider: %m", - private_key); + "Failed to load key '%s' from OpenSSL private key source %s: %m", + private_key, + arg_private_key_source); } return 1; @@ -7952,7 +7964,8 @@ static int run(int argc, char *argv[]) { DISSECT_IMAGE_GPT_ONLY | DISSECT_IMAGE_RELAX_VAR_CHECK | DISSECT_IMAGE_USR_NO_ROOT | - DISSECT_IMAGE_REQUIRE_ROOT, + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_ALLOW_USERSPACE_VERITY, &mounted_dir, /* ret_dir_fd= */ NULL, &loop_device); |