From 984213fd23b230c852e646f8d2d10a075ffb0366 Mon Sep 17 00:00:00 2001
From: Kevin Bracey
Date: Tue, 7 Dec 2021 10:58:05 +0200
Subject: [PATCH] deploy: Install detached signatures if present

When installing a kernel, initramfs or device tree, also install a detached signature (.sig) file if present. Intended to support GRUB GPG signature enforcement. This does not currently lead to a fully-functional secure solution, due to GRUB's pubkey verifier also checking config files, but it allows the `verify_detached` command to work, and could be part of a future solution coordinating a lockdown verifier (to determine which file types must be verified) with a relaxed pubkey verifier that does not immediately reject unsigned files.
---
 src/libostree/ostree-sysroot-deploy.c | 46 ++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 8 deletions(-)
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index a8bf9f4485..2e1867787c 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -101,14 +101,14 @@ sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
 * hardlink if we're on the same partition. */
 static gboolean
-install_into_boot (OstreeRepo *repo,
- OstreeSePolicy *sepolicy,
- int src_dfd,
- const char *src_subpath,
- int dest_dfd,
- const char *dest_subpath,
- GCancellable *cancellable,
- GError **error)
+install_into_boot_alone (OstreeRepo *repo,
+ OstreeSePolicy *sepolicy,
+ int src_dfd,
+ const char *src_subpath,
+ int dest_dfd,
+ const char *dest_subpath,
+ GCancellable *cancellable,
+ GError **error)
 {
 if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) == 0)
 return TRUE; /* Note early return */
@@ -175,6 +175,36 @@ install_into_boot (OstreeRepo *repo,
 return TRUE;
 }
 
+/* As install_into_boot_alone, but also copies a detached signature if any */
+static gboolean
+install_into_boot (OstreeRepo *repo,
+ OstreeSePolicy *sepolicy,
+ int src_dfd,
+ const char *src_subpath,
+ int dest_dfd,
+ const char *dest_subpath,
+ GCancellable *cancellable,
+ GError **error)
+{
+ if (!install_into_boot_alone (repo, sepolicy, src_dfd, src_subpath,
+ dest_dfd, dest_subpath, cancellable, error))
+ return FALSE;
+
+ /* If the source file has a detached signature, install it too */
+ g_autofree char *src_sig_subpath = g_strdup_printf("%s.sig", src_subpath);
+ if (!glnx_fstatat_allow_noent (src_dfd, src_sig_subpath, NULL, AT_SYMLINK_NOFOLLOW, error))
+ return FALSE;
+ if (errno != ENOENT)
+ {
+ g_autofree char *dest_sig_subpath = g_strdup_printf("%s.sig", dest_subpath);
+ if (!install_into_boot_alone (repo, sepolicy, src_dfd, src_sig_subpath,
+ dest_dfd, dest_sig_subpath, cancellable, error))
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
 /* Copy ownership, mode, and xattrs from source directory to destination */
 static gboolean
 dirfd_copy_attributes_and_xattrs (int src_parent_dfd,
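Review bot: The two `g_strdup_printf("%s.sig", ...)` calls in the new install_into_boot omit the space before the opening parenthesis that every other call in this hunk uses (`glnx_fstatat_allow_noent (`, `install_into_boot_alone (`), so they break the file's GNU-style call convention; `g_autofree char *src_sig_subpath = g_strdup_printf ("%s.sig", src_subpath);` and likewise for `dest_sig_subpath`. The `if (errno != ENOENT)` test depends on the helper leaving errno at 0 after a successful stat, which is how libglnx documents glnx_fstatat_allow_noent but reads like a check against a stale errno; a one-line comment such as `/* helper sets errno = 0 on success, ENOENT when the .sig is absent */` would make that contract explicit. The header comment could also state the error policy the code implements: a missing .sig is not an error, while any other stat failure, or a failed copy of an existing .sig, fails the whole install even though the main file has already been placed.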