mirror of
https://github.com/kairos-io/kairos-agent.git
synced 2025-08-22 18:19:32 +00:00
82 lines
2.2 KiB
Go
82 lines
2.2 KiB
Go
package hook
|
|
|
|
import (
|
|
"github.com/kairos-io/kairos-agent/v2/pkg/config"
|
|
"github.com/kairos-io/kairos-agent/v2/pkg/constants"
|
|
v1 "github.com/kairos-io/kairos-agent/v2/pkg/types/v1"
|
|
internalutils "github.com/kairos-io/kairos-agent/v2/pkg/utils"
|
|
fsutils "github.com/kairos-io/kairos-agent/v2/pkg/utils/fs"
|
|
"github.com/kairos-io/kairos-sdk/machine"
|
|
"github.com/kairos-io/kairos-sdk/utils"
|
|
kcrypt "github.com/kairos-io/kcrypt/pkg/lib"
|
|
"time"
|
|
)
|
|
|
|
type KcryptUKI struct{}
|
|
|
|
func (k KcryptUKI) Run(c config.Config, _ v1.Spec) error {
|
|
|
|
// We always encrypt OEM and PERSISTENT under UKI
|
|
// If mounted, unmount it
|
|
_ = machine.Umount(constants.OEMDir) //nolint:errcheck
|
|
_ = machine.Umount(constants.PersistentDir) //nolint:errcheck
|
|
|
|
// Backup oem as we already copied files on there and on luksify it will be wiped
|
|
err := machine.Mount("COS_OEM", constants.OEMDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
tmpDir, err := fsutils.TempDir(c.Fs, "", "oem-backup-xxxx")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Remove everything when we finish
|
|
defer c.Fs.RemoveAll(tmpDir) //nolint:errcheck
|
|
|
|
err = internalutils.SyncData(c.Logger, c.Runner, c.Fs, constants.OEMDir, tmpDir, []string{}...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = machine.Umount(constants.OEMDir) //nolint:errcheck
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, p := range []string{"COS_OEM", "COS_PERSISTENT"} {
|
|
c.Logger.Infof("Encrypting %s", p)
|
|
utils.SH("udevadm settle") //nolint:errcheck
|
|
utils.SH("sync") //nolint:errcheck
|
|
_, err := kcrypt.Luksify(p, "luks2", true)
|
|
if err != nil {
|
|
c.Logger.Errorf("could not encrypt partition: %s", err)
|
|
if c.FailOnBundleErrors {
|
|
return err
|
|
}
|
|
// Give time to show the error
|
|
time.Sleep(10 * time.Second)
|
|
return nil // do not error out
|
|
}
|
|
c.Logger.Infof("Done encrypting %s", p)
|
|
}
|
|
|
|
// Restore OEM
|
|
err = kcrypt.UnlockAll(true)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = machine.Mount("COS_OEM", constants.OEMDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = internalutils.SyncData(c.Logger, c.Runner, c.Fs, tmpDir, constants.OEMDir, []string{}...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = machine.Umount(constants.OEMDir) //nolint:errcheck
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|