Enable local encryption, remote now partially uses TPM

Signed-off-by: mudler <mudler@c3os.io>

cmd/discovery/client/client.go

@@ -1,25 +1,24 @@
 package client
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"time"
 
 	"github.com/jaypipes/ghw/pkg/block"
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
 	"github.com/kairos-io/kcrypt/pkg/bus"
-	kconfig "github.com/kairos-io/kcrypt/pkg/config"
 	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/go-pluggable"
-	"github.com/pkg/errors"
+	"github.com/mudler/yip/pkg/utils"
 )
 
-type Client struct {
+var partNotFound error = fmt.Errorf("pass for partition not found")
-	Config kconfig.Config
-}
 
 func NewClient() (*Client, error) {
-	conf, err := kconfig.GetConfiguration(kconfig.ConfigScanDirs)
+	conf, err := unmarshalConfig()
 	if err != nil {
 		return nil, err
 	}
@@ -59,44 +58,64 @@ func (c *Client) Start() error {
 }
 
 func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
-	// TODO: Why are we retrying?
+	// IF we don't have any server configured, just do local
-	// We don't need to retry if there is no matching secret.
+	if c.Config.Kcrypt.Server == "" {
-	// TODO: Check if the request was successful and if the error was about
+		return localPass(c.Config)
-	// non-matching sealed volume, let's not retry.
+	}
+
+	challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Server)
+	postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Server)
+
+	// IF server doesn't have a pass for us, then we generate one and we set it
+	if _, _, err := getPass(challengeEndpoint, p); err == partNotFound {
+		rand := utils.RandomString(32)
+		pass, err := tpm.EncodeBlob([]byte(rand))
+		if err != nil {
+			return "", err
+		}
+		bpass := base64.RawURLEncoding.EncodeToString(pass)
+
+		opts := []tpm.Option{tpm.WithAdditionalHeader("label", p.Label),
+			tpm.WithAdditionalHeader("name", p.Name),
+			tpm.WithAdditionalHeader("uuid", p.UUID),
+		}
+		conn, err := tpm.Connection(postEndpoint, opts...)
+		if err != nil {
+			return "", err
+		}
+		err = conn.WriteJSON(map[string]string{"passphrase": bpass, "generated": constants.TPMSecret})
+		if err != nil {
+			return rand, err
+		}
+	}
 	for tries := 0; tries < attempts; tries++ {
-		if c.Config.Kcrypt.Server == "" {
+		var generated bool
-			err = fmt.Errorf("no server configured")
+		pass, generated, err = getPass(challengeEndpoint, p)
-			continue
+		if generated {
+			blob, err := base64.RawURLEncoding.DecodeString(pass)
+			if err != nil {
+				return "", err
+			}
+			// Decode and give it back
+			opts := []tpm.TPMOption{}
+			if c.Config.Kcrypt.CIndex != "" {
+				opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.CIndex))
+			}
+			if c.Config.Kcrypt.TPMDevice != "" {
+				opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.TPMDevice))
+			}
+			pass, err := tpm.DecodeBlob(blob, opts...)
+			return string(pass), err
 		}
 
-		pass, err = c.getPass(c.Config.Kcrypt.Server, p)
 		if pass != "" || err == nil {
 			return
 		}
-		if err != nil {
+		if err == partNotFound {
 			return
 		}
+		// Otherwise, we might have a generic network error and we retry
 		time.Sleep(1 * time.Second)
 	}
 	return
 }
-
-func (c *Client) getPass(server string, partition *block.Partition) (string, error) {
-	msg, err := tpm.Get(server,
-		tpm.WithAdditionalHeader("label", partition.Label),
-		tpm.WithAdditionalHeader("name", partition.Name),
-		tpm.WithAdditionalHeader("uuid", partition.UUID))
-	if err != nil {
-		return "", err
-	}
-	result := map[string]interface{}{}
-	err = json.Unmarshal(msg, &result)
-	if err != nil {
-		return "", errors.Wrap(err, string(msg))
-	}
-	p, ok := result["passphrase"]
-	if ok {
-		return fmt.Sprint(p), nil
-	}
-	return "", fmt.Errorf("pass for partition not found")
-}

cmd/discovery/client/config.go

@@ -0,0 +1,34 @@
+package client
+
+import (
+	"github.com/kairos-io/kairos/pkg/config"
+	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+)
+
+type Client struct {
+	Config Config
+}
+
+type Config struct {
+	Kcrypt struct {
+		Server    string `yaml:"challenger_server,omitempty"`
+		NVIndex   string `yaml:"nv_index,omitempty"`
+		CIndex    string `yaml:"c_index,omitempty"`
+		TPMDevice string `yaml:"tpm_device,omitempty"`
+	}
+}
+
+func unmarshalConfig() (Config, error) {
+	var result Config
+
+	c, err := config.Scan(config.Directories(kconfig.ConfigScanDirs...), config.NoLogs)
+	if err != nil {
+		return result, err
+	}
+
+	if err = c.Unmarshal(&result); err != nil {
+		return result, err
+	}
+
+	return result, nil
+}

cmd/discovery/client/enc.go

@@ -0,0 +1,84 @@
+package client
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
+
+	"github.com/jaypipes/ghw/pkg/block"
+	"github.com/kairos-io/tpm-helpers"
+	"github.com/mudler/yip/pkg/utils"
+	"github.com/pkg/errors"
+)
+
+func getPass(server string, partition *block.Partition) (string, bool, error) {
+	msg, err := tpm.Get(server,
+		tpm.WithAdditionalHeader("label", partition.Label),
+		tpm.WithAdditionalHeader("name", partition.Name),
+		tpm.WithAdditionalHeader("uuid", partition.UUID))
+	if err != nil {
+		return "", false, err
+	}
+	result := map[string]interface{}{}
+	err = json.Unmarshal(msg, &result)
+	if err != nil {
+		return "", false, errors.Wrap(err, string(msg))
+	}
+	gen, generated := result["generated"]
+	p, ok := result["passphrase"]
+	if ok {
+		return fmt.Sprint(p), generated && gen == constants.TPMSecret, nil
+	}
+	return "", false, partNotFound
+}
+
+func genAndStore(k Config) (string, error) {
+	opts := []tpm.TPMOption{}
+	if k.Kcrypt.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
+	}
+	if k.Kcrypt.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))
+	}
+
+	// Generate a new one, and return it to luks
+	rand := utils.RandomString(32)
+	blob, err := tpm.EncodeBlob([]byte(rand))
+	if err != nil {
+		return "", err
+	}
+	nvindex := "0x1500000"
+	if k.Kcrypt.NVIndex != "" {
+		nvindex = k.Kcrypt.NVIndex
+	}
+	opts = append(opts, tpm.WithIndex(nvindex))
+	return rand, tpm.StoreBlob(blob, opts...)
+}
+
+func localPass(k Config) (string, error) {
+	index := "0x1500000"
+	if k.Kcrypt.NVIndex != "" {
+		index = k.Kcrypt.NVIndex
+	}
+	opts := []tpm.TPMOption{tpm.WithIndex(index)}
+	if k.Kcrypt.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
+	}
+	encodedPass, err := tpm.ReadBlob(opts...)
+	if err != nil {
+		// Generate if we fail to read from the assigned blob
+		return genAndStore(k)
+	}
+
+	// Decode and give it back
+	opts = []tpm.TPMOption{}
+	if k.Kcrypt.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))
+	}
+	if k.Kcrypt.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
+	}
+	pass, err := tpm.DecodeBlob(encodedPass, opts...)
+	return string(pass), err
+}

go.mod

@@ -5,9 +5,11 @@ go 1.18
 require (
 	github.com/gorilla/websocket v1.5.0
 	github.com/jaypipes/ghw v0.9.0
+	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1
 	github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea
 	github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83
 	github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
+	github.com/mudler/yip v0.11.4
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/ginkgo/v2 v2.7.0
 	github.com/onsi/gomega v1.25.0
@@ -27,6 +29,9 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
@@ -66,21 +71,22 @@ require (
 	github.com/gookit/color v1.5.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/itchyny/gojq v0.12.11 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/joho/godotenv v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1 // indirect
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/mudler/yip v0.11.4 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
@@ -91,6 +97,8 @@ require (
 	github.com/pterm/pterm v0.12.53 // indirect
 	github.com/qeesung/image2ascii v1.0.1 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/twpayne/go-vfs v1.7.2 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect

go.sum

@@ -79,12 +79,15 @@ github.com/MarvinJWendt/testza v0.3.0/go.mod h1:eFcL4I0idjtIx8P9C6KkAuLgATNKpX4/
 github.com/MarvinJWendt/testza v0.4.2/go.mod h1:mSdhXiKH8sg/gQehJ63bINcCKp7RtYewEjXsvsVUPbE=
 github.com/MarvinJWendt/testza v0.5.1 h1:a9Fqx6vQrHQ4CyiaLhktfTTelwGotmFWy8MNhyaohw8=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
+github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
 github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
@@ -230,6 +233,7 @@ github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoD
 github.com/form3tech-oss/jwt-go v3.2.5+incompatible h1:/l4kBbb4/vGSsdtB5nUe8L7B9mImVMaBPw9L/0TBHU8=
 github.com/form3tech-oss/jwt-go v3.2.5+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -453,6 +457,7 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
 github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -504,8 +509,6 @@ github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1 h1:CRLvgZ5/
 github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1/go.mod h1:YAqNNHoJyWknQQtWFmYDgvchClhhuMCrsdZdSVhIegc=
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea h1:1gnZW0HJt1YeU7Vul/xQpC8msBPUR43iqJNwc+Z+D48=
 github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea/go.mod h1:w8k7pDYjFVvt/qsEDNN/nt9qw4URg70cEKLPHGhnNgU=
-github.com/kairos-io/tpm-helpers v0.0.0-20230118144616-3f28d1857da9 h1:tFaUS+aflMccC47F7njJBGzi9epZvUjwj+026qGE4Es=
-github.com/kairos-io/tpm-helpers v0.0.0-20230118144616-3f28d1857da9/go.mod h1:6YGebKVrPoJGBd9QE+x4zyuo3vPw1y33iQkNChjlBo8=
 github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83 h1:iMkcVgFwK943ssSyuHK2/iPzOqNnz496TMbdPx/WP6A=
 github.com/kairos-io/tpm-helpers v0.0.0-20230118150816-18d63f3a8c83/go.mod h1:6YGebKVrPoJGBd9QE+x4zyuo3vPw1y33iQkNChjlBo8=
 github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
@@ -572,6 +575,7 @@ github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WT
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -583,6 +587,7 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/libnetwork v0.8.0-dev.2.0.20200612180813-9e99af28df21/go.mod h1:RQTqDxGZChsPHosY8R3ZL2THYWUuW8X5SRhiBNoTY5I=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
@@ -731,6 +736,7 @@ github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNX
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.0.3/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
@@ -753,6 +759,7 @@ github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTd
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=

pkg/challenger/challenger.go

@@ -11,9 +11,9 @@ import (
 	keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	tpm "github.com/kairos-io/tpm-helpers"
-
 	"github.com/kairos-io/kairos-challenger/controllers"
+	tpm "github.com/kairos-io/tpm-helpers"
+	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 
@@ -33,6 +33,9 @@ type SealedVolumeData struct {
 	Quarantined bool
 	SecretName  string
 	SecretPath  string
+
+	PartitionLabel string
+	VolumeName     string
 }
 
 var upgrader = websocket.Upgrader{
@@ -62,6 +65,15 @@ func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
 	return ioutil.ReadAll(reader)
 }
 
+func getPubHash(token string) (string, error) {
+	ek, _, err := tpm.GetAttestationData(token)
+	if err != nil {
+		return "", err
+	}
+
+	return tpm.DecodePubHash(ek)
+}
+
 func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) {
 	fmt.Println("Challenger started at", address)
 	s := http.Server{
@@ -72,7 +84,93 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 
 	m := http.NewServeMux()
 
-	m.HandleFunc("/challenge", func(w http.ResponseWriter, r *http.Request) {
+	m.HandleFunc("/postPass", func(w http.ResponseWriter, r *http.Request) {
+		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
+		for {
+			if err := tpm.AuthRequest(r, conn); err != nil {
+				fmt.Println("error", err.Error())
+				return
+			}
+			defer conn.Close()
+			token := r.Header.Get("Authorization")
+
+			hashEncoded, err := getPubHash(token)
+			if err != nil {
+				fmt.Println("error decoding pubhash", err.Error())
+				return
+			}
+
+			label := r.Header.Get("label")
+			name := r.Header.Get("name")
+			uuid := r.Header.Get("uuid")
+			v := map[string]string{}
+
+			volumeList := &keyserverv1alpha1.SealedVolumeList{}
+			if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
+				fmt.Println("Failed listing volumes")
+				fmt.Println(err)
+				continue
+			}
+
+			sealedVolumeData := findSecretFor(PassphraseRequestData{
+				TPMHash:    hashEncoded,
+				Label:      label,
+				DeviceName: name,
+				UUID:       uuid,
+			}, volumeList)
+
+			if sealedVolumeData == nil {
+				fmt.Println("No TPM Hash found for", hashEncoded)
+				conn.Close()
+				return
+			}
+
+			if err := conn.ReadJSON(&v); err != nil {
+				fmt.Println("error", err.Error())
+				return
+			}
+
+			pass, ok := v["passphrase"]
+			if ok {
+				secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
+				secretPath := "passphrase"
+				if sealedVolumeData.SecretName != "" {
+					secretName = sealedVolumeData.SecretName
+				}
+				if sealedVolumeData.SecretPath != "" {
+					secretPath = sealedVolumeData.SecretPath
+				}
+				_, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
+				if err != nil {
+					secret := corev1.Secret{
+						TypeMeta: v1.TypeMeta{
+							Kind:       "Secret",
+							APIVersion: "apps/v1",
+						},
+						ObjectMeta: v1.ObjectMeta{
+							Name:      secretName,
+							Namespace: namespace,
+						},
+						Data: map[string][]byte{
+							secretPath:  []byte(pass),
+							"generated": []byte(v["generated"]),
+						},
+						Type: "Opaque",
+					}
+					_, err := kclient.CoreV1().Secrets(namespace).Create(ctx, &secret, v1.CreateOptions{})
+					if err != nil {
+						fmt.Println("failed during secret creation")
+					}
+				} else {
+					fmt.Println("Posted for already existing secret - ignoring")
+				}
+			} else {
+				fmt.Println("Invalid answer from client: doesn't contain any passphrase")
+			}
+		}
+	})
+
+	m.HandleFunc("/getPass", func(w http.ResponseWriter, r *http.Request) {
 		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
 
 		for {
@@ -94,15 +192,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 				return
 			}
 
-			ek, _, err := tpm.GetAttestationData(token)
+			hashEncoded, err := getPubHash(token)
-			if err != nil {
-				fmt.Println("Failed getting tpm token")
-
-				fmt.Println("error", err.Error())
-				return
-			}
-
-			hashEncoded, err := tpm.DecodePubHash(ek)
 			if err != nil {
 				fmt.Println("error decoding pubhash", err.Error())
 				return
@@ -120,13 +210,26 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 				conn.Close()
 				return
 			}
-
 			writer, _ := conn.NextWriter(websocket.BinaryMessage)
 			if !sealedVolumeData.Quarantined {
-				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, sealedVolumeData.SecretName, v1.GetOptions{})
+				secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
+				secretPath := "passphrase"
+				if sealedVolumeData.SecretName != "" {
+					secretName = sealedVolumeData.SecretName
+				}
+				if sealedVolumeData.SecretPath != "" {
+					secretPath = sealedVolumeData.SecretPath
+				}
+
+				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
 				if err == nil {
-					passphrase := secret.Data[sealedVolumeData.SecretPath]
+					passphrase := secret.Data[secretPath]
-					err = json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)})
+					gen, generated := secret.Data["generated"]
+					result := map[string]string{"passphrase": string(passphrase)}
+					if generated {
+						result["generated"] = string(gen)
+					}
+					err = json.NewEncoder(writer).Encode(result)
 					if err != nil {
 						fmt.Println("error encoding the passphrase to json", err.Error(), string(passphrase))
 					}
@@ -178,9 +281,11 @@ func findSecretFor(requestData PassphraseRequestData, volumeList *keyserverv1alp
 
 				if labelMatches || uuidMatches || deviceNameMatches {
 					return &SealedVolumeData{
-						Quarantined: v.Spec.Quarantined,
+						Quarantined:    v.Spec.Quarantined,
-						SecretName:  p.Secret.Name,
+						SecretName:     p.Secret.Name,
-						SecretPath:  p.Secret.Path,
+						SecretPath:     p.Secret.Path,
+						VolumeName:     v.Name,
+						PartitionLabel: p.Label,
 					}
 				}
 			}

pkg/constants/secret.go

@@ -0,0 +1,3 @@
+package constants
+
+const TPMSecret = "tpm"