[WIP] Send more data over to the escrow server

in order to identify the partition. The label is not available before the filesystem is descrypted (post-install). In that case the server can look up the partition in the configuration using the name or the mountpoint. Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
2025-09-25 14:18:54 +00:00 · 2022-11-08 16:57:19 +02:00
parent 9e8249c730
commit a3df62df03
2 changed files with 15 additions and 13 deletions
--- a/cmd/discovery/main.go
+++ b/cmd/discovery/main.go
@@ -48,7 +48,7 @@ func readServer() string {
 	return server
 }

-func waitPass(label string, attempts int) (pass string, err error) {
+func waitPass(p *block.Partition, attempts int) (pass string, err error) {
 	for tries := 0; tries < attempts; tries++ {
 		server := readServer()
 		if server == "" {
@@ -56,7 +56,7 @@ func waitPass(label string, attempts int) (pass string, err error) {
 			continue
 		}

-		pass, err = getPass(server, label)
+		pass, err = getPass(server, p)
 		if pass != "" || err == nil {
 			return pass, err
 		}
@@ -65,8 +65,11 @@ func waitPass(label string, attempts int) (pass string, err error) {
 	return
 }

-func getPass(server, label string) (string, error) {
-	msg, err := tpm.Get(server, tpm.WithAdditionalHeader("label", label))
+func getPass(server string, partition *block.Partition) (string, error) {
+	msg, err := tpm.Get(server,
+		tpm.WithAdditionalHeader("label", partition.Label),
+		tpm.WithAdditionalHeader("name", partition.Name),
+		tpm.WithAdditionalHeader("uuid", partition.UUID))
 	if err != nil {
 		return "", err
 	}
@@ -79,7 +82,7 @@ func getPass(server, label string) (string, error) {
 	if ok {
 		return fmt.Sprint(p), nil
 	}
-	return "", fmt.Errorf("pass for label not found")
+	return "", fmt.Errorf("pass for partition not found")
 }

 type config struct {
@@ -102,14 +105,10 @@ func start() error {
 			}
 		}

-		// TODO: This should be 1 call, send both name and label to controller
-		pass, err := waitPass(b.Label, 30)
-		if err != nil || pass == "" {
-			pass, err = waitPass(b.Name, 30)
-			if err != nil {
-				return pluggable.EventResponse{
-					Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
-				}
+		pass, err := waitPass(b, 30)
+		if err != nil {
+			return pluggable.EventResponse{
+				Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
 			}
 		}

--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@@ -71,6 +71,8 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr

 			token := r.Header.Get("Authorization")
 			label := r.Header.Get("label")
+			name := r.Header.Get("name")
+			uuid := r.Header.Get("uuid")
 			ek, at, err := tpm.GetAttestationData(token)
 			if err != nil {
 				fmt.Println("Failed getting tpm token")
@@ -91,6 +93,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 			for _, v := range volumeList.Items {
 				if hashEncoded == v.Spec.TPMHash {
 					for l, secretRef := range v.Spec.Passphrase {
+						// TODO: Try the rest of the data (name, mountpoint) if label is not found
 						if l == label {
 							found = true
 							volume = v