Merge pull request #10 from kairos-io/local_encryption

🌱 Enable local encryption, remote now partially uses TPM
Small refactorings (renaming vars, create constants etc)
2025-09-05 08:42:33 +00:00 · 2023-01-19 16:27:52 +02:00 · 2023-01-19 16:24:39 +02:00 · 2023-01-19 16:06:53 +02:00 · 2023-01-19 15:46:35 +02:00 · 2023-01-19 14:24:33 +01:00
9 changed files with 397 additions and 402 deletions
--- a/cmd/discovery/client/client.go
+++ b/cmd/discovery/client/client.go
@@ -1,25 +1,24 @@
 package client

 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"time"

 	"github.com/jaypipes/ghw/pkg/block"
-	"github.com/kairos-io/go-tpm"
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
 	"github.com/kairos-io/kcrypt/pkg/bus"
-	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+	"github.com/kairos-io/tpm-helpers"
 	"github.com/mudler/go-pluggable"
-	"github.com/pkg/errors"
+	"github.com/mudler/yip/pkg/utils"
 )

-type Client struct {
-	Config kconfig.Config
-}
+var errPartNotFound error = fmt.Errorf("pass for partition not found")

 func NewClient() (*Client, error) {
-	conf, err := kconfig.GetConfiguration(kconfig.ConfigScanDirs)
+	conf, err := unmarshalConfig()
 	if err != nil {
 		return nil, err
 	}
@@ -59,44 +58,72 @@ func (c *Client) Start() error {
 }

 func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
-	// TODO: Why are we retrying?
-	// We don't need to retry if there is no matching secret.
-	// TODO: Check if the request was successful and if the error was about
-	// non-matching sealed volume, let's not retry.
+	// IF we don't have any server configured, just do local
+	if c.Config.Kcrypt.Challenger.Server == "" {
+		return localPass(c.Config)
+	}
+
+	challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Challenger.Server)
+	postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Challenger.Server)
+
+	// IF server doesn't have a pass for us, then we generate one and we set it
+	if _, _, err := getPass(challengeEndpoint, p); err == errPartNotFound {
+		rand := utils.RandomString(32)
+		pass, err := tpm.EncryptBlob([]byte(rand))
+		if err != nil {
+			return "", err
+		}
+		bpass := base64.RawURLEncoding.EncodeToString(pass)
+
+		opts := []tpm.Option{
+			tpm.WithAdditionalHeader("label", p.Label),
+			tpm.WithAdditionalHeader("name", p.Name),
+			tpm.WithAdditionalHeader("uuid", p.UUID),
+		}
+		conn, err := tpm.Connection(postEndpoint, opts...)
+		if err != nil {
+			return "", err
+		}
+		err = conn.WriteJSON(map[string]string{"passphrase": bpass, constants.GeneratedByKey: constants.TPMSecret})
+		if err != nil {
+			return rand, err
+		}
+	}
+
 	for tries := 0; tries < attempts; tries++ {
-		if c.Config.Kcrypt.Server == "" {
-			err = fmt.Errorf("no server configured")
-			continue
+		var generated bool
+		pass, generated, err = getPass(challengeEndpoint, p)
+		if generated { // passphrase is encrypted
+			return c.decryptPassphrase(pass)
 		}

-		pass, err = c.getPass(c.Config.Kcrypt.Server, p)
-		if pass != "" || err == nil {
+		if err == nil || err == errPartNotFound { // passphrase not encrypted or not available
 			return
 		}
-		if err != nil {
-			return
-		}
-		time.Sleep(1 * time.Second)
+
+		time.Sleep(1 * time.Second) // network errors? retry
 	}
+
 	return
 }

-func (c *Client) getPass(server string, partition *block.Partition) (string, error) {
-	msg, err := tpm.Get(server,
-		tpm.WithAdditionalHeader("label", partition.Label),
-		tpm.WithAdditionalHeader("name", partition.Name),
-		tpm.WithAdditionalHeader("uuid", partition.UUID))
+// decryptPassphrase decodes (base64) and decrypts the passphrase returned
+// by the challenger server.
+func (c *Client) decryptPassphrase(pass string) (string, error) {
+	blob, err := base64.RawURLEncoding.DecodeString(pass)
 	if err != nil {
 		return "", err
 	}
-	result := map[string]interface{}{}
-	err = json.Unmarshal(msg, &result)
-	if err != nil {
-		return "", errors.Wrap(err, string(msg))
+
+	// Decrypt and return it to unseal the LUKS volume
+	opts := []tpm.TPMOption{}
+	if c.Config.Kcrypt.Challenger.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
 	}
-	p, ok := result["passphrase"]
-	if ok {
-		return fmt.Sprint(p), nil
+	if c.Config.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
 	}
-	return "", fmt.Errorf("pass for partition not found")
+	passBytes, err := tpm.DecryptBlob(blob, opts...)
+
+	return string(passBytes), err
 }
--- a/cmd/discovery/client/config.go
+++ b/cmd/discovery/client/config.go
@@ -0,0 +1,38 @@
+package client
+
+import (
+	"github.com/kairos-io/kairos/pkg/config"
+	kconfig "github.com/kairos-io/kcrypt/pkg/config"
+)
+
+type Client struct {
+	Config Config
+}
+
+type Config struct {
+	Kcrypt struct {
+		Challenger struct {
+			Server string `yaml:"challenger_server,omitempty"`
+			// Non-volatile index memory: where we store the encrypted passphrase (offline mode)
+			NVIndex string `yaml:"nv_index,omitempty"`
+			// Certificate index: this is where the rsa pair that decrypts the passphrase lives
+			CIndex    string `yaml:"c_index,omitempty"`
+			TPMDevice string `yaml:"tpm_device,omitempty"`
+		}
+	}
+}
+
+func unmarshalConfig() (Config, error) {
+	var result Config
+
+	c, err := config.Scan(config.Directories(kconfig.ConfigScanDirs...), config.NoLogs)
+	if err != nil {
+		return result, err
+	}
+
+	if err = c.Unmarshal(&result); err != nil {
+		return result, err
+	}
+
+	return result, nil
+}
--- a/cmd/discovery/client/enc.go
+++ b/cmd/discovery/client/enc.go
@@ -0,0 +1,86 @@
+package client
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
+
+	"github.com/jaypipes/ghw/pkg/block"
+	"github.com/kairos-io/tpm-helpers"
+	"github.com/mudler/yip/pkg/utils"
+	"github.com/pkg/errors"
+)
+
+const DefaultNVIndex = "0x1500000"
+
+func getPass(server string, partition *block.Partition) (string, bool, error) {
+	msg, err := tpm.Get(server,
+		tpm.WithAdditionalHeader("label", partition.Label),
+		tpm.WithAdditionalHeader("name", partition.Name),
+		tpm.WithAdditionalHeader("uuid", partition.UUID))
+	if err != nil {
+		return "", false, err
+	}
+	result := map[string]interface{}{}
+	err = json.Unmarshal(msg, &result)
+	if err != nil {
+		return "", false, errors.Wrap(err, string(msg))
+	}
+	generatedBy, generated := result[constants.GeneratedByKey]
+	p, ok := result["passphrase"]
+	if ok {
+		return fmt.Sprint(p), generated && generatedBy == constants.TPMSecret, nil
+	}
+	return "", false, errPartNotFound
+}
+
+func genAndStore(k Config) (string, error) {
+	opts := []tpm.TPMOption{}
+	if k.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
+	}
+	if k.Kcrypt.Challenger.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
+	}
+
+	// Generate a new one, and return it to luks
+	rand := utils.RandomString(32)
+	blob, err := tpm.EncryptBlob([]byte(rand))
+	if err != nil {
+		return "", err
+	}
+	nvindex := DefaultNVIndex
+	if k.Kcrypt.Challenger.NVIndex != "" {
+		nvindex = k.Kcrypt.Challenger.NVIndex
+	}
+	opts = append(opts, tpm.WithIndex(nvindex))
+	return rand, tpm.StoreBlob(blob, opts...)
+}
+
+func localPass(k Config) (string, error) {
+	index := DefaultNVIndex
+	if k.Kcrypt.Challenger.NVIndex != "" {
+		index = k.Kcrypt.Challenger.NVIndex
+	}
+	opts := []tpm.TPMOption{tpm.WithIndex(index)}
+	if k.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
+	}
+	encodedPass, err := tpm.ReadBlob(opts...)
+	if err != nil {
+		// Generate if we fail to read from the assigned blob
+		return genAndStore(k)
+	}
+
+	// Decode and give it back
+	opts = []tpm.TPMOption{}
+	if k.Kcrypt.Challenger.CIndex != "" {
+		opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
+	}
+	if k.Kcrypt.Challenger.TPMDevice != "" {
+		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
+	}
+	pass, err := tpm.DecryptBlob(encodedPass, opts...)
+	return string(pass), err
+}
--- a/cmd/discovery/main.go
+++ b/cmd/discovery/main.go
@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"os"

-	"github.com/kairos-io/go-tpm"
 	"github.com/kairos-io/kairos-challenger/cmd/discovery/client"
 	"github.com/kairos-io/kcrypt/pkg/bus"
+	"github.com/kairos-io/tpm-helpers"
 )

 func main() {
--- a/go.mod
+++ b/go.mod
@@ -5,13 +5,16 @@ go 1.18
 require (
 	github.com/gorilla/websocket v1.5.0
 	github.com/jaypipes/ghw v0.9.0
-	github.com/kairos-io/go-tpm v0.0.0-20221013145523-cc421fc8c33d
+	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1
 	github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea
+	github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b
 	github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
+	github.com/mudler/yip v0.11.4
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/ginkgo/v2 v2.7.0
 	github.com/onsi/gomega v1.25.0
 	github.com/pkg/errors v0.9.1
+	k8s.io/api v0.24.2
 	k8s.io/apimachinery v0.24.2
 	k8s.io/client-go v0.24.2
 	sigs.k8s.io/controller-runtime v0.12.2
@@ -27,6 +30,9 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
@@ -40,7 +46,8 @@ require (
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
+	github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
@@ -52,44 +59,47 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/certificate-transparency-go v1.1.2 // indirect
+	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-attestation v0.4.3 // indirect
+	github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
-	github.com/google/go-tpm-tools v0.3.2 // indirect
-	github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad // indirect
+	github.com/google/go-tpm-tools v0.3.10 // indirect
+	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/itchyny/gojq v0.12.11 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/joho/godotenv v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1 // indirect
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/mudler/yip v0.11.4 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_golang v1.13.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/pterm/pterm v0.12.53 // indirect
 	github.com/qeesung/image2ascii v1.0.1 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/twpayne/go-vfs v1.7.2 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
@@ -103,7 +113,7 @@ require (
 	golang.org/x/sys v0.4.0 // indirect
 	golang.org/x/term v0.4.0 // indirect
 	golang.org/x/text v0.6.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
@@ -113,10 +123,9 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/api v0.24.2 // indirect
 	k8s.io/apiextensions-apiserver v0.24.2 // indirect
 	k8s.io/component-base v0.24.2 // indirect
-	k8s.io/klog/v2 v2.60.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
--- a/go.sum
+++ b/go.sum
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@@ -9,10 +9,13 @@ import (
 	"time"

 	keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
+	"github.com/kairos-io/kairos-challenger/pkg/constants"
 	"sigs.k8s.io/controller-runtime/pkg/client"

-	tpm "github.com/kairos-io/go-tpm"
 	"github.com/kairos-io/kairos-challenger/controllers"
+	tpm "github.com/kairos-io/tpm-helpers"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"

@@ -32,6 +35,9 @@ type SealedVolumeData struct {
 	Quarantined bool
 	SecretName  string
 	SecretPath  string
+
+	PartitionLabel string
+	VolumeName     string
 }

 var upgrader = websocket.Upgrader{
@@ -61,6 +67,15 @@ func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
 	return ioutil.ReadAll(reader)
 }

+func getPubHash(token string) (string, error) {
+	ek, _, err := tpm.GetAttestationData(token)
+	if err != nil {
+		return "", err
+	}
+
+	return tpm.DecodePubHash(ek)
+}
+
 func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) {
 	fmt.Println("Challenger started at", address)
 	s := http.Server{
@@ -71,7 +86,98 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr

 	m := http.NewServeMux()

-	m.HandleFunc("/challenge", func(w http.ResponseWriter, r *http.Request) {
+	m.HandleFunc("/postPass", func(w http.ResponseWriter, r *http.Request) {
+		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
+		for {
+			if err := tpm.AuthRequest(r, conn); err != nil {
+				fmt.Println("error", err.Error())
+				return
+			}
+			defer conn.Close()
+			token := r.Header.Get("Authorization")
+
+			hashEncoded, err := getPubHash(token)
+			if err != nil {
+				fmt.Println("error decoding pubhash", err.Error())
+				return
+			}
+
+			label := r.Header.Get("label")
+			name := r.Header.Get("name")
+			uuid := r.Header.Get("uuid")
+			v := map[string]string{}
+
+			volumeList := &keyserverv1alpha1.SealedVolumeList{}
+			if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
+				fmt.Println("Failed listing volumes")
+				fmt.Println(err)
+				continue
+			}
+
+			sealedVolumeData := findVolumeFor(PassphraseRequestData{
+				TPMHash:    hashEncoded,
+				Label:      label,
+				DeviceName: name,
+				UUID:       uuid,
+			}, volumeList)
+
+			if sealedVolumeData == nil {
+				fmt.Println("No TPM Hash found for", hashEncoded)
+				conn.Close()
+				return
+			}
+
+			if err := conn.ReadJSON(&v); err != nil {
+				fmt.Println("error", err.Error())
+				return
+			}
+
+			pass, ok := v["passphrase"]
+			if ok {
+				secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
+				secretPath := "passphrase"
+				if sealedVolumeData.SecretName != "" {
+					secretName = sealedVolumeData.SecretName
+				}
+				if sealedVolumeData.SecretPath != "" {
+					secretPath = sealedVolumeData.SecretPath
+				}
+				_, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
+				if err != nil {
+					if !apierrors.IsNotFound(err) {
+						fmt.Printf("Failed getting secret: %s\n", err.Error())
+						continue
+					}
+
+					secret := corev1.Secret{
+						TypeMeta: v1.TypeMeta{
+							Kind:       "Secret",
+							APIVersion: "apps/v1",
+						},
+						ObjectMeta: v1.ObjectMeta{
+							Name:      secretName,
+							Namespace: namespace,
+						},
+						Data: map[string][]byte{
+							secretPath:               []byte(pass),
+							constants.GeneratedByKey: []byte(v[constants.GeneratedByKey]),
+						},
+						Type: "Opaque",
+					}
+					_, err := kclient.CoreV1().Secrets(namespace).Create(ctx, &secret, v1.CreateOptions{})
+					if err != nil {
+						fmt.Println("failed during secret creation")
+					}
+				} else {
+					fmt.Println("Posted for already existing secret - ignoring")
+				}
+			} else {
+				fmt.Println("Invalid answer from client: doesn't contain any passphrase")
+			}
+		}
+	})
+
+	m.HandleFunc("/getPass", func(w http.ResponseWriter, r *http.Request) {
 		conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity

 		for {
@@ -87,21 +193,19 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 			label := r.Header.Get("label")
 			name := r.Header.Get("name")
 			uuid := r.Header.Get("uuid")
-			ek, at, err := tpm.GetAttestationData(token)
-			if err != nil {
-				fmt.Println("Failed getting tpm token")

-				fmt.Println("error", err.Error())
+			if err := tpm.AuthRequest(r, conn); err != nil {
+				fmt.Println("error validating challenge", err.Error())
 				return
 			}

-			hashEncoded, err := tpm.DecodePubHash(ek)
+			hashEncoded, err := getPubHash(token)
 			if err != nil {
 				fmt.Println("error decoding pubhash", err.Error())
 				return
 			}

-			sealedVolumeData := findSecretFor(PassphraseRequestData{
+			sealedVolumeData := findVolumeFor(PassphraseRequestData{
 				TPMHash:    hashEncoded,
 				Label:      label,
 				DeviceName: name,
@@ -113,28 +217,31 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 				conn.Close()
 				return
 			}
-
-			secret, challenge, err := tpm.GenerateChallenge(ek, at)
-			if err != nil {
-				fmt.Println("error", err.Error())
-				return
-			}
-
-			resp, _ := writeRead(conn, challenge)
-
-			if err := tpm.ValidateChallenge(secret, resp); err != nil {
-				fmt.Println("error validating challenge", err.Error(), string(resp))
-				return
-			}
-			fmt.Println("challenge done")
-
 			writer, _ := conn.NextWriter(websocket.BinaryMessage)
-
 			if !sealedVolumeData.Quarantined {
-				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, sealedVolumeData.SecretName, v1.GetOptions{})
+				secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
+				secretPath := "passphrase"
+				if sealedVolumeData.SecretName != "" {
+					secretName = sealedVolumeData.SecretName
+				}
+				if sealedVolumeData.SecretPath != "" {
+					secretPath = sealedVolumeData.SecretPath
+				}
+
+				// 1. The admin sets a specific cleartext password from Kube manager
+				//      SealedVolume -> with a secret .
+				// 2. The admin just adds a SealedVolume associated with a TPM Hash ( you don't provide any passphrase )
+				// 3. There is no challenger server at all (offline mode)
+				//
+				secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
 				if err == nil {
-					passphrase := secret.Data[sealedVolumeData.SecretPath]
-					err = json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)})
+					passphrase := secret.Data[secretPath]
+					generatedBy, generated := secret.Data[constants.GeneratedByKey]
+					result := map[string]string{"passphrase": string(passphrase)}
+					if generated {
+						result[constants.GeneratedByKey] = string(generatedBy)
+					}
+					err = json.NewEncoder(writer).Encode(result)
 					if err != nil {
 						fmt.Println("error encoding the passphrase to json", err.Error(), string(passphrase))
 					}
@@ -176,7 +283,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 	}()
 }

-func findSecretFor(requestData PassphraseRequestData, volumeList *keyserverv1alpha1.SealedVolumeList) *SealedVolumeData {
+func findVolumeFor(requestData PassphraseRequestData, volumeList *keyserverv1alpha1.SealedVolumeList) *SealedVolumeData {
 	for _, v := range volumeList.Items {
 		if requestData.TPMHash == v.Spec.TPMHash {
 			for _, p := range v.Spec.Partitions {
@@ -186,9 +293,11 @@ func findSecretFor(requestData PassphraseRequestData, volumeList *keyserverv1alp

 				if labelMatches || uuidMatches || deviceNameMatches {
 					return &SealedVolumeData{
-						Quarantined: v.Spec.Quarantined,
-						SecretName:  p.Secret.Name,
-						SecretPath:  p.Secret.Path,
+						Quarantined:    v.Spec.Quarantined,
+						SecretName:     p.Secret.Name,
+						SecretPath:     p.Secret.Path,
+						VolumeName:     v.Name,
+						PartitionLabel: p.Label,
 					}
 				}
 			}
--- a/pkg/challenger/challenger_test.go
+++ b/pkg/challenger/challenger_test.go
@@ -38,7 +38,7 @@ var _ = Describe("challenger", func() {
 			})

 			It("returns the sealed volume data", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -67,7 +67,7 @@ var _ = Describe("challenger", func() {
 			})

 			It("doesn't match a request with an empty field", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).To(BeNil())
 			})
 		})
@@ -86,7 +86,7 @@ var _ = Describe("challenger", func() {
 			})

 			It("returns the sealed volume data", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -108,7 +108,7 @@ var _ = Describe("challenger", func() {
 			})

 			It("returns the sealed volume data", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).ToNot(BeNil())
 				Expect(volumeData.Quarantined).To(BeFalse())
 				Expect(volumeData.SecretName).To(Equal("the_secret"))
@@ -130,7 +130,7 @@ var _ = Describe("challenger", func() {
 			})

 			It("returns nil sealedVolumeData", func() {
-				volumeData := findSecretFor(requestData, volumeList)
+				volumeData := findVolumeFor(requestData, volumeList)
 				Expect(volumeData).To(BeNil())
 			})
 		})
--- a/pkg/constants/secret.go
+++ b/pkg/constants/secret.go
@@ -0,0 +1,4 @@
+package constants
+
+const TPMSecret = "tpm"
+const GeneratedByKey = "generated_by"
Author	SHA1	Message	Date
Dimitris Karakasilis	317c6d87b4	Merge pull request #10 from kairos-io/local_encryption 🌱 Enable local encryption, remote now partially uses TPM	2023-01-19 16:27:52 +02:00
Dimitris Karakasilis	8898eb8ae9	Small refactorings (renaming vars, create constants etc) Signed-off-by: Ettore Di Giacinto <ettore@spectrocloud.com>	2023-01-19 16:24:39 +02:00
Ettore Di Giacinto	91c24586ea	Improve naming of functions and add comments Signed-off-by: Dimitris Karakasilis <dimitris@spectrocloud.com>	2023-01-19 16:06:53 +02:00
Dimitris Karakasilis	eefd5f2c2c	Extract method and simplify "if" logic Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>	2023-01-19 15:46:35 +02:00
mudler	83f529b53d	🌱 Small fixups Signed-off-by: mudler <mudler@c3os.io>	2023-01-19 14:24:33 +01:00
mudler	2c8a589906	Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io>	2023-01-18 23:32:27 +01:00
Dimitris Karakasilis	9f7abe321a	Merge pull request #9 from kairos-io/use_tpm_helpers Use tpm helpers	2023-01-18 17:26:15 +02:00
mudler	2603757f2c	Simplify challenge Signed-off-by: mudler <mudler@c3os.io>	2023-01-18 16:09:52 +01:00
mudler	df0fb4a341	⬆️ Point to tpm-helpers Signed-off-by: mudler <mudler@c3os.io>	2023-01-18 16:02:17 +01:00