kairos/kcrypt-challenger
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt-challenger.git synced 2025-09-25 22:24:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

[WIP] Send more data over to the escrow server

Browse Source 
in order to identify the partition. The label is not available before
the filesystem is descrypted (post-install). In that case the server can
look up the partition in the configuration using the name or the
mountpoint.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
This commit is contained in:
Dimitris Karakasilis
2022-11-08 16:57:19 +02:00
parent 9e8249c730
commit a3df62df03
2 changed files with 15 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
cmd/discovery/main.go
View File

@@ -48,7 +48,7 @@ func readServer() string {
return server return server
} }
func waitPass(label string, attempts int) (pass string, err error) { func waitPass(p *block.Partition, attempts int) (pass string, err error) {
for tries := 0; tries < attempts; tries++ { for tries := 0; tries < attempts; tries++ {
server := readServer() server := readServer()
if server == "" { if server == "" {
@@ -56,7 +56,7 @@ func waitPass(label string, attempts int) (pass string, err error) {
continue continue
} }
pass, err = getPass(server, label) pass, err = getPass(server, p)
if pass != "" || err == nil { if pass != "" || err == nil {
return pass, err return pass, err
} }
@@ -65,8 +65,11 @@ func waitPass(label string, attempts int) (pass string, err error) {
return return
} }
func getPass(server, label string) (string, error) { func getPass(server string, partition *block.Partition) (string, error) {
msg, err := tpm.Get(server, tpm.WithAdditionalHeader("label", label)) msg, err := tpm.Get(server,
tpm.WithAdditionalHeader("label", partition.Label),
tpm.WithAdditionalHeader("name", partition.Name),
tpm.WithAdditionalHeader("uuid", partition.UUID))
if err != nil { if err != nil {
return "", err return "", err
} }
@@ -79,7 +82,7 @@ func getPass(server, label string) (string, error) {
if ok { if ok {
return fmt.Sprint(p), nil return fmt.Sprint(p), nil
} }
return "", fmt.Errorf("pass for label not found") return "", fmt.Errorf("pass for partition not found")
} }
type config struct { type config struct {
@@ -102,14 +105,10 @@ func start() error {
} }
} }
// TODO: This should be 1 call, send both name and label to controller pass, err := waitPass(b, 30)
pass, err := waitPass(b.Label, 30) if err != nil {
if err != nil || pass == "" { return pluggable.EventResponse{
pass, err = waitPass(b.Name, 30) Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
}
} }
} }

3
pkg/challenger/challenger.go
View File

@@ -71,6 +71,8 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
token := r.Header.Get("Authorization") token := r.Header.Get("Authorization")
label := r.Header.Get("label") label := r.Header.Get("label")
name := r.Header.Get("name")
uuid := r.Header.Get("uuid")
ek, at, err := tpm.GetAttestationData(token) ek, at, err := tpm.GetAttestationData(token)
if err != nil { if err != nil {
fmt.Println("Failed getting tpm token") fmt.Println("Failed getting tpm token")
@@ -91,6 +93,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
for _, v := range volumeList.Items { for _, v := range volumeList.Items {
if hashEncoded == v.Spec.TPMHash { if hashEncoded == v.Spec.TPMHash {
for l, secretRef := range v.Spec.Passphrase { for l, secretRef := range v.Spec.Passphrase {
// TODO: Try the rest of the data (name, mountpoint) if label is not found
if l == label { if l == label {
found = true found = true
volume = v volume = v