deploy: Install detached signatures if present

kjbracey · kjbracey · commit 984213fd23b2 · 2021-12-08T12:23:11.000+02:00
When installing a kernel, initramfs or device tree, also install a
detached signature (.sig) file if present.

Intended to support GRUB GPG signature enforcement.

This does not currently lead to a fully-functional secure solution, due
to GRUB's pubkey verifier also checking config files, but it allows the
`verify_detached` command to work, and could be part of a future
solution coordinating a lockdown verifier (to determine which file types
must be verified) with a relaxed pubkey verifier that does not immediately
reject unsigned files.
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
@@ -101,14 +101,14 @@ sysroot_flags_to_copy_flags (GLnxFileCopyFlags defaults,
  * hardlink if we're on the same partition.
  */
 static gboolean
-install_into_boot (OstreeRepo *repo,
-                   OstreeSePolicy *sepolicy,
-                   int         src_dfd,
-                   const char *src_subpath,
-                   int         dest_dfd,
-                   const char *dest_subpath,
-                   GCancellable  *cancellable,
-                   GError       **error)
+install_into_boot_alone (OstreeRepo *repo,
+                         OstreeSePolicy *sepolicy,
+                         int         src_dfd,
+                         const char *src_subpath,
+                         int         dest_dfd,
+                         const char *dest_subpath,
+                         GCancellable  *cancellable,
+                         GError       **error)
 {
   if (linkat (src_dfd, src_subpath, dest_dfd, dest_subpath, 0) == 0)
     return TRUE; /* Note early return */
@@ -175,6 +175,36 @@ install_into_boot (OstreeRepo *repo,
   return TRUE;
 }
 
+/* As install_into_boot_alone, but also copies a detached signature if any */
+static gboolean
+install_into_boot (OstreeRepo *repo,
+                   OstreeSePolicy *sepolicy,
+                   int         src_dfd,
+                   const char *src_subpath,
+                   int         dest_dfd,
+                   const char *dest_subpath,
+                   GCancellable  *cancellable,
+                   GError       **error)
+{
+  if (!install_into_boot_alone (repo, sepolicy, src_dfd, src_subpath,
+                                dest_dfd, dest_subpath, cancellable, error))
+    return FALSE;
+
+  /* If the source file has a detached signature, install it too */
+  g_autofree char *src_sig_subpath = g_strdup_printf("%s.sig", src_subpath);
+  if (!glnx_fstatat_allow_noent (src_dfd, src_sig_subpath, NULL, AT_SYMLINK_NOFOLLOW, error))
+    return FALSE;
+  if (errno != ENOENT)
+    {
+      g_autofree char *dest_sig_subpath = g_strdup_printf("%s.sig", dest_subpath);
+      if (!install_into_boot_alone (repo, sepolicy, src_dfd, src_sig_subpath,
+                                    dest_dfd, dest_sig_subpath, cancellable, error))
+        return FALSE;
+    }
+
+  return TRUE;
+}
+
 /* Copy ownership, mode, and xattrs from source directory to destination */
 static gboolean
 dirfd_copy_attributes_and_xattrs (int            src_parent_dfd,
