#include <time.h>
#include <getopt.h>
#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <linux/fs.h>
#include <systemd/sd-journal.h>
static const char *arg_directory = NULL;
static int arg_priorities = 0xFF;
static const char *arg_verify_key = NULL;
+#ifdef HAVE_GCRYPT
static usec_t arg_interval = DEFAULT_FSS_INTERVAL_USEC;
+#endif
static enum {
ACTION_SHOW,
"Commands:\n"
" --new-id128 Generate a new 128 Bit ID\n"
" --header Show journal header information\n"
+#ifdef HAVE_GCRYPT
" --setup-keys Generate new FSS key pair\n"
" --interval=TIME Time interval for changing the FSS sealing key\n"
" --verify Verify journal file consistency\n"
- " --verify-key=KEY Specify FSS verification key\n",
- program_invocation_short_name);
+ " --verify-key=KEY Specify FSS verification key\n"
+#endif
+ , program_invocation_short_name);
return 0;
}
arg_action = ACTION_PRINT_HEADER;
break;
+ case ARG_VERIFY:
+ arg_action = ACTION_VERIFY;
+ break;
+
+#ifdef HAVE_GCRYPT
case ARG_SETUP_KEYS:
arg_action = ACTION_SETUP_KEYS;
break;
- case ARG_VERIFY:
- arg_action = ACTION_VERIFY;
- break;
case ARG_VERIFY_KEY:
arg_action = ACTION_VERIFY;
return -EINVAL;
}
break;
+#else
+ case ARG_SETUP_KEYS:
+ case ARG_VERIFY_KEY:
+ case ARG_INTERVAL:
+ log_error("Forward-secure sealing not available.");
+ return -ENOTSUP;
+#endif
case 'p': {
const char *dots;
size_t mpk_size, seed_size, state_size, i;
uint8_t *mpk, *seed, *state;
ssize_t l;
- int fd = -1, r;
+ int fd = -1, r, attr = 0;
sd_id128_t machine, boot;
char *p = NULL, *k = NULL;
struct FSSHeader h;
return log_oom();
if (access(p, F_OK) >= 0) {
- log_error("Evolving key file %s exists already.", p);
+ log_error("Sealing key file %s exists already.", p);
r = -EEXIST;
goto finish;
}
goto finish;
}
+ /* Enable secure remove, exclusion from dump, synchronous
+ * writing and in-place updating */
+ if (ioctl(fd, FS_IOC_GETFLAGS, &attr) < 0)
+ log_warning("FS_IOC_GETFLAGS failed: %m");
+
+ attr |= FS_SECRM_FL|FS_NODUMP_FL|FS_SYNC_FL|FS_NOCOW_FL;
+
+ if (ioctl(fd, FS_IOC_SETFLAGS, &attr) < 0)
+ log_warning("FS_IOC_SETFLAGS failed: %m");
+
zero(h);
memcpy(h.signature, "KSHHRHLP", 8);
h.machine_id = machine;
return r;
#else
- log_error("Forward-secure journal verification not available.");
+ log_error("Forward-secure sealing not available.");
+ return -ENOTSUP;
#endif
}
HASHMAP_FOREACH(f, j->files, i) {
int k;
+ usec_t from, to, total;
#ifdef HAVE_GCRYPT
- if (!arg_verify_key && journal_file_fss_enabled(f))
+ if (!arg_verify_key && JOURNAL_HEADER_SEALED(f->header))
log_warning("Journal file %s has sealing enabled but verification key has not been passed using --verify-key=.", f->path);
#endif
- k = journal_file_verify(f, arg_verify_key);
+ k = journal_file_verify(f, arg_verify_key, &from, &to, &total, true);
if (k == -EINVAL) {
/* If the key was invalid give up right-away. */
return k;
} else if (k < 0) {
log_warning("FAIL: %s (%s)", f->path, strerror(-k));
r = k;
- } else
+ } else {
+ char a[FORMAT_TIMESTAMP_MAX], b[FORMAT_TIMESTAMP_MAX], c[FORMAT_TIMESPAN_MAX];
log_info("PASS: %s", f->path);
+
+ if (arg_verify_key && JOURNAL_HEADER_SEALED(f->header))
+ log_info("=> Validated from %s to %s, %s missing",
+ format_timestamp(a, sizeof(a), from),
+ format_timestamp(b, sizeof(b), to),
+ format_timespan(c, sizeof(c), total > to ? total - to : 0));
+ }
}
return r;