iPXE
image_trust_cmd.c
Go to the documentation of this file.
00001 /*
00002  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00017  * 02110-1301, USA.
00018  *
00019  * You can also choose to distribute this program under the terms of
00020  * the Unmodified Binary Distribution Licence (as given in the file
00021  * COPYING.UBDL), provided that you have satisfied its requirements.
00022  */
00023 
00024 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
00025 
00026 #include <stdint.h>
00027 #include <stdio.h>
00028 #include <getopt.h>
00029 #include <ipxe/image.h>
00030 #include <ipxe/command.h>
00031 #include <ipxe/parseopt.h>
00032 #include <usr/imgmgmt.h>
00033 #include <usr/imgtrust.h>
00034 
00035 /** @file
00036  *
00037  * Image trust management commands
00038  *
00039  */
00040 
00041 /** "imgtrust" options */
00042 struct imgtrust_options {
00043         /** Allow trusted images */
00044         int allow;
00045         /** Make trust requirement permanent */
00046         int permanent;
00047 };
00048 
00049 /** "imgtrust" option list */
00050 static struct option_descriptor imgtrust_opts[] = {
00051         OPTION_DESC ( "allow", 'a', no_argument,
00052                       struct imgtrust_options, allow, parse_flag ),
00053         OPTION_DESC ( "permanent", 'p', no_argument,
00054                       struct imgtrust_options, permanent, parse_flag ),
00055 };
00056 
00057 /** "imgtrust" command descriptor */
00058 static struct command_descriptor imgtrust_cmd =
00059         COMMAND_DESC ( struct imgtrust_options, imgtrust_opts, 0, 0, NULL );
00060 
00061 /**
00062  * The "imgtrust" command
00063  *
00064  * @v argc              Argument count
00065  * @v argv              Argument list
00066  * @ret rc              Return status code
00067  */
00068 static int imgtrust_exec ( int argc, char **argv ) {
00069         struct imgtrust_options opts;
00070         int rc;
00071 
00072         /* Parse options */
00073         if ( ( rc = parse_options ( argc, argv, &imgtrust_cmd, &opts ) ) != 0 )
00074                 return rc;
00075 
00076         /* Set trust requirement */
00077         if ( ( rc = image_set_trust ( ( ! opts.allow ),
00078                                       opts.permanent ) ) != 0 ) {
00079                 printf ( "Could not set image trust requirement: %s\n",
00080                          strerror ( rc ) );
00081                 return rc;
00082         }
00083 
00084         return 0;
00085 }
00086 
00087 /** "imgverify" options */
00088 struct imgverify_options {
00089         /** Required signer common name */
00090         char *signer;
00091         /** Keep signature after verification */
00092         int keep;
00093         /** Download timeout */
00094         unsigned long timeout;
00095 };
00096 
00097 /** "imgverify" option list */
00098 static struct option_descriptor imgverify_opts[] = {
00099         OPTION_DESC ( "signer", 's', required_argument,
00100                       struct imgverify_options, signer, parse_string ),
00101         OPTION_DESC ( "keep", 'k', no_argument,
00102                       struct imgverify_options, keep, parse_flag ),
00103         OPTION_DESC ( "timeout", 't', required_argument,
00104                       struct imgverify_options, timeout, parse_timeout),
00105 };
00106 
00107 /** "imgverify" command descriptor */
00108 static struct command_descriptor imgverify_cmd =
00109         COMMAND_DESC ( struct imgverify_options, imgverify_opts, 2, 2,
00110                        "<uri|image> <signature uri|image>" );
00111 
00112 /**
00113  * The "imgverify" command
00114  *
00115  * @v argc              Argument count
00116  * @v argv              Argument list
00117  * @ret rc              Return status code
00118  */
00119 static int imgverify_exec ( int argc, char **argv ) {
00120         struct imgverify_options opts;
00121         const char *image_name_uri;
00122         const char *signature_name_uri;
00123         struct image *image;
00124         struct image *signature;
00125         int rc;
00126 
00127         /* Parse options */
00128         if ( ( rc = parse_options ( argc, argv, &imgverify_cmd, &opts ) ) != 0 )
00129                 return rc;
00130 
00131         /* Parse image name/URI string */
00132         image_name_uri = argv[optind];
00133 
00134         /* Parse signature name/URI string */
00135         signature_name_uri = argv[ optind + 1 ];
00136 
00137         /* Acquire the image */
00138         if ( ( rc = imgacquire ( image_name_uri, opts.timeout, &image ) ) != 0 )
00139                 goto err_acquire_image;
00140 
00141         /* Acquire the signature image */
00142         if ( ( rc = imgacquire ( signature_name_uri, opts.timeout,
00143                                  &signature ) ) != 0 )
00144                 goto err_acquire_signature;
00145 
00146         /* Verify image */
00147         if ( ( rc = imgverify ( image, signature, opts.signer ) ) != 0 ) {
00148                 printf ( "Could not verify: %s\n", strerror ( rc ) );
00149                 goto err_verify;
00150         }
00151 
00152         /* Success */
00153         rc = 0;
00154 
00155  err_verify:
00156         /* Discard signature unless --keep was specified */
00157         if ( ! opts.keep )
00158                 unregister_image ( signature );
00159  err_acquire_signature:
00160  err_acquire_image:
00161         return rc;
00162 }
00163 
00164 /** Image trust management commands */
00165 struct command image_trust_commands[] __command = {
00166         {
00167                 .name = "imgtrust",
00168                 .exec = imgtrust_exec,
00169         },
00170         {
00171                 .name = "imgverify",
00172                 .exec = imgverify_exec,
00173         },
00174 };