kairos/kairos-agent
1
0
Fork 0
mirror of https://github.com/kairos-io/kairos-agent.git synced 2025-09-18 16:06:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix hooks under encrypted partitions (#702)

Browse Source 
* Fix hooks under encrypted partitions

We had a mess of mounting and unmounting things around when we try to
copy things to persistent.

Part of the changes (using the by-label to mount the persistent) are due
to the change in kcrypt. As we set the same label to the encrypted fs
and unencrypted fs, our utils.Mount could get mistaken and return the
first hit, which usually its the encrypted one, and we cannot mount that
one.

This patch brings it up to date.

 - Makes bundles and logs hooks work when we have encrypted persistent.
   It didnt work before.
 - Makes both workflows the same.
 - Locks everything once its over, to not leave encrypted parts around
 - Mounts OEM so kcrypt can read the config if we are using a remote
   server for encryption
 - Mounts by label so there is not a change of getting the wrong device
 - Uses the mount syscall directly. The util can mistake and return the
   actual encrypted part if they both have the same label and finds it
   first

---------

Signed-off-by: Itxaka <itxaka@kairos.io>
This commit is contained in:
Itxaka
2025-03-13 11:22:26 +01:00
committed by GitHub
parent e8e05379a5
commit b5869b4017
7 changed files with 98 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/agent/hooks/kcrypt_uki.go
View File

@@ -92,7 +92,7 @@ func (k KcryptUKI) Run(c config.Config, spec v1.Spec) error {
for _, p := range append([]string{constants.OEMLabel, constants.PersistentLabel}, c.Install.Encrypt...) {
c.Logger.Infof("Encrypting %s", p)
_ = os.Setenv("SYSTEMD_LOG_LEVEL", "debug")
err := kcrypt.LuksifyMeasurements(p, c.BindPublicPCRs, c.BindPCRs, c.Logger.Logger)
err := kcrypt.LuksifyMeasurements(p, c.BindPublicPCRs, c.BindPCRs, c.Logger)
_ = os.Unsetenv("SYSTEMD_LOG_LEVEL")
if err != nil {
c.Logger.Errorf("could not encrypt partition: %s", err)
@@ -109,7 +109,7 @@ func (k KcryptUKI) Run(c config.Config, spec v1.Spec) error {
_, _ = utils.SH("sync")
_ = os.Setenv("SYSTEMD_LOG_LEVEL", "debug")
err = kcrypt.UnlockAllWithLogger(true, c.Logger.Logger)
err = kcrypt.UnlockAllWithLogger(true, c.Logger)
_ = os.Unsetenv("SYSTEMD_LOG_LEVEL")
if err != nil {
@@ -143,7 +143,7 @@ func (k KcryptUKI) Run(c config.Config, spec v1.Spec) error {
time.Sleep(time.Duration(i) * time.Second)
// Retry the unlock as well, because maybe the partition was not refreshed on time for unlock to unlock it
// So no matter how many tries we do, it will still be locked and will never appear
err := kcrypt.UnlockAllWithLogger(true, c.Logger.Logger)
err := kcrypt.UnlockAllWithLogger(true, c.Logger)
if err != nil {
c.Logger.Debugf("UnlockAll returned: %s", err)
}