Diffstat (limited to 'tools/verity')
-rw-r--r-- | tools/verity/BUILD | 15 | ||||
-rw-r--r-- | tools/verity/measure_tool.go | 117 | ||||
-rw-r--r-- | tools/verity/measure_tool_unsafe.go | 39 |
3 files changed, 0 insertions, 171 deletions
diff --git a/tools/verity/BUILD b/tools/verity/BUILD
deleted file mode 100644
index 77d16359c..000000000
--- a/tools/verity/BUILD
+++ /dev/null
@@ -1,15 +0,0 @@
-load("//tools:defs.bzl", "go_binary")
-
-licenses(["notice"])
-
-go_binary(
- name = "measure_tool",
- srcs = [
- "measure_tool.go",
- "measure_tool_unsafe.go",
- ],
- pure = True,
- deps = [
- "//pkg/abi/linux",
- ],
-)
diff --git a/tools/verity/measure_tool.go b/tools/verity/measure_tool.go
deleted file mode 100644
index 4a0bc497a..000000000
--- a/tools/verity/measure_tool.go
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright 2021 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// This binary can be used to run a measurement of the verity file system,
-// generate the corresponding Merkle tree files, and return the root hash.
-package main
-
-import (
- "flag"
- "io/ioutil"
- "log"
- "os"
- "strings"
- "syscall"
-
- "gvisor.dev/gvisor/pkg/abi/linux"
-)
-
-var path = flag.String("path", "", "path to the verity file system.")
-var rawpath = flag.String("rawpath", "", "path to the raw file system.")
-
-const maxDigestSize = 64
-
-type digest struct {
- metadata linux.DigestMetadata
- digest [maxDigestSize]byte
-}
-
-func main() {
- flag.Parse()
- if *path == "" {
- log.Fatalf("no path provided")
- }
- if *rawpath == "" {
- log.Fatalf("no rawpath provided")
- }
- // TODO(b/182315468): Optimize the Merkle tree generate process to
- // allow only updating certain files/directories.
- if err := clearMerkle(*rawpath); err != nil {
- log.Fatalf("Failed to clear merkle files in %s: %v", *rawpath, err)
- }
- if err := enableDir(*path); err != nil {
- log.Fatalf("Failed to enable file system %s: %v", *path, err)
- }
- // Print the root hash of the file system to stdout.
- if err := measure(*path); err != nil {
- log.Fatalf("Failed to measure file system %s: %v", *path, err)
- }
-}
-
-func clearMerkle(path string) error {
- files, err := ioutil.ReadDir(path)
- if err != nil {
- return err
- }
-
- for _, file := range files {
- if file.IsDir() {
- if err := clearMerkle(path + "/" + file.Name()); err != nil {
- return err
- }
- } else if strings.HasPrefix(file.Name(), ".merkle.verity") {
- if err := os.Remove(path + "/" + file.Name()); err != nil {
- return err
- }
- }
- }
- return nil
-}
-
-// enableDir enables verity features on all the files and sub-directories within
-// path.
-func enableDir(path string) error {
- files, err := ioutil.ReadDir(path)
- if err != nil {
- return err
- }
- for _, file := range files {
- if file.IsDir() {
- // For directories, first enable its children.
- if err := enableDir(path + "/" + file.Name()); err != nil {
- return err
- }
- } else if file.Mode().IsRegular() {
- // For regular files, open and enable verity feature.
- f, err := os.Open(path + "/" + file.Name())
- if err != nil {
- return err
- }
- var p uintptr
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(f.Fd()), uintptr(linux.FS_IOC_ENABLE_VERITY), p); err != 0 {
- return err
- }
- }
- }
- // Once all children are enabled, enable the parent directory.
- f, err := os.Open(path)
- if err != nil {
- return err
- }
- var p uintptr
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(f.Fd()), uintptr(linux.FS_IOC_ENABLE_VERITY), p); err != 0 {
- return err
- }
- return nil
-}
diff --git a/tools/verity/measure_tool_unsafe.go b/tools/verity/measure_tool_unsafe.go
deleted file mode 100644
index d4079be9e..000000000
--- a/tools/verity/measure_tool_unsafe.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2021 The gVisor Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-package main
-
-import (
- "encoding/hex"
- "fmt"
- "os"
- "syscall"
- "unsafe"
-
- "gvisor.dev/gvisor/pkg/abi/linux"
-)
-
-// measure prints the hash of path to stdout.
-func measure(path string) error {
- f, err := os.Open(path)
- if err != nil {
- return err
- }
- var digest digest
- digest.metadata.DigestSize = maxDigestSize
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(f.Fd()), uintptr(linux.FS_IOC_MEASURE_VERITY), uintptr(unsafe.Pointer(&digest))); err != 0 {
- return err
- }
- fmt.Fprintf(os.Stdout, "%s\n", hex.EncodeToString(digest.digest[:digest.metadata.DigestSize]))
- return err
-}
|