[WIP] Send more data over to the escrow server

in order to identify the partition. The label is not available before
the filesystem is decrypted (post-install). In that case the server can
look up the partition in the configuration using the name or the
mountpoint.

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
Dimitris Karakasilis
2022-11-08 16:57:19 +02:00
parent 9e8249c730
commit a3df62df03
2 changed files with 15 additions and 13 deletions


@@ -48,7 +48,7 @@ func readServer() string {
return server
}
func waitPass(label string, attempts int) (pass string, err error) {
func waitPass(p *block.Partition, attempts int) (pass string, err error) {
for tries := 0; tries < attempts; tries++ {
server := readServer()
if server == "" {
@@ -56,7 +56,7 @@ func waitPass(label string, attempts int) (pass string, err error) {
continue
}
pass, err = getPass(server, label)
pass, err = getPass(server, p)
if pass != "" || err == nil {
return pass, err
}
@@ -65,8 +65,11 @@ func waitPass(label string, attempts int) (pass string, err error) {
return
}
func getPass(server, label string) (string, error) {
msg, err := tpm.Get(server, tpm.WithAdditionalHeader("label", label))
func getPass(server string, partition *block.Partition) (string, error) {
msg, err := tpm.Get(server,
tpm.WithAdditionalHeader("label", partition.Label),
tpm.WithAdditionalHeader("name", partition.Name),
tpm.WithAdditionalHeader("uuid", partition.UUID))
if err != nil {
return "", err
}
@@ -79,7 +82,7 @@ func getPass(server, label string) (string, error) {
if ok {
return fmt.Sprint(p), nil
}
return "", fmt.Errorf("pass for label not found")
return "", fmt.Errorf("pass for partition not found")
}
type config struct {
@@ -102,16 +105,12 @@ func start() error {
}
}
// TODO: This should be 1 call, send both name and label to controller
pass, err := waitPass(b.Label, 30)
if err != nil || pass == "" {
pass, err = waitPass(b.Name, 30)
pass, err := waitPass(b, 30)
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
}
}
}
return pluggable.EventResponse{
Data: pass,
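Review bot: The rewritten `start()` only checks `err != nil` after `waitPass(b, 30)`, but `waitPass` (earlier hunk) returns as soon as `pass != "" || err == nil`, so a server reply carrying an empty passphrase and no error now reaches `return pluggable.EventResponse{Data: pass}` as success, whereas the old `if err != nil || pass == ""` guard rejected it; restoring `if err != nil || pass == "" {` keeps an empty passphrase from being handed to the unlock step. In `getPass`, `partition.Label`, `.Name` and `.UUID` are dereferenced with no nil check; if the caller can ever supply a nil `*block.Partition`, guard it, otherwise document on `getPass` that the pointer must be non-nil. The commit message says the server may fall back to the mountpoint, yet only `uuid` is sent besides `label` and `name`, so either add that header or adjust the message. `start()` begins and ends outside the hunk.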


@@ -71,6 +71,8 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
token := r.Header.Get("Authorization")
label := r.Header.Get("label")
name := r.Header.Get("name")
uuid := r.Header.Get("uuid")
ek, at, err := tpm.GetAttestationData(token)
if err != nil {
fmt.Println("Failed getting tpm token")
@@ -91,6 +93,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
for _, v := range volumeList.Items {
if hashEncoded == v.Spec.TPMHash {
for l, secretRef := range v.Spec.Passphrase {
// TODO: Try the rest of the data (name, mountpoint) if label is not found
if l == label {
found = true
volume = v
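Review bot: `name` and `uuid` are read from the request headers but nothing in the shown hunks uses them, and the lookup loop still matches only `l == label`; unless they are referenced further down in `Start`, Go rejects the file with "declared and not used", so the fallback the TODO describes (or a `_ = name` placeholder until it lands) is needed for this to build. When that fallback is added, keep it inside the `hashEncoded == v.Spec.TPMHash` branch so a request can only select among the passphrases of the volume its attestation hash maps to, never another volume's by name or UUID. A local named `uuid` will also shadow a `uuid` package if the file imports one; `partUUID := r.Header.Get("uuid")` avoids that. `Start` begins and ends outside the hunks.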