From c4ad991e0c658713c502c5ae5eae9bb47b88e0a8 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 30 Nov 2023 22:19:47 +0100 Subject: [PATCH] unlock partitions with UKI TPM values (#191) --- go.mod | 5 ++++- go.sum | 16 ++++++++++++++++ internal/constants/constants.go | 1 + pkg/mount/dag_steps.go | 14 +++++++++++++- pkg/mount/dag_uki_boot.go | 7 +++++-- 5 files changed, 39 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index d367364..9dcc741 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/jaypipes/ghw v0.12.0 github.com/joho/godotenv v1.5.1 github.com/kairos-io/kairos-sdk v0.0.16 - github.com/kairos-io/kcrypt v0.7.0 + github.com/kairos-io/kcrypt v0.7.1-0.20231130171015-554e350fb7c1 github.com/moby/sys/mountinfo v0.6.2 github.com/mudler/go-kdetect v0.0.0-20210802130128-dd92e121bed8 github.com/mudler/yip v1.4.5 @@ -101,6 +101,7 @@ require ( github.com/nxadm/tail v1.4.8 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0-rc3 // indirect + github.com/otiai10/copy v1.9.0 // indirect github.com/packethost/packngo v0.29.0 // indirect github.com/phayes/permbits v0.0.0-20190612203442-39d7c581d2ee // indirect github.com/pierrec/lz4 v2.6.1+incompatible // indirect @@ -122,6 +123,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/tredoe/osutil/v2 v2.0.0-rc.16 // indirect github.com/ulikunitz/xz v0.5.11 // indirect + github.com/urfave/cli v1.22.14 // indirect github.com/vbatts/tar-split v0.11.3 // indirect github.com/vishvananda/netlink v1.2.1-beta.2 // indirect github.com/vishvananda/netns v0.0.4 // indirect @@ -151,6 +153,7 @@ require ( gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect howett.net/plist v1.0.0 // indirect + k8s.io/apimachinery v0.26.2 // indirect pault.ag/go/modprobe v0.1.2 // indirect pault.ag/go/topsort v0.1.1 // indirect ) diff --git a/go.sum b/go.sum index d0535b7..ce4773d 100644 --- a/go.sum 
+++ b/go.sum @@ -9,6 +9,7 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/MarvinJWendt/testza v0.1.0/go.mod h1:7AxNvlfeHP7Z/hDQ5JtE3OKYT3XFUeLCDE2DQninSqs= github.com/MarvinJWendt/testza v0.2.1/go.mod h1:God7bhG8n6uQxwdScay+gjm9/LnO4D3kkcZX4hv9Rp8= github.com/MarvinJWendt/testza v0.2.8/go.mod h1:nwIcjmr0Zz+Rcwfh3/4UhBp7ePKVhuBExvZqnKYWlII= @@ -276,6 +277,10 @@ github.com/kairos-io/kairos-sdk v0.0.16 h1:Zq+ALQTpv6T8wghkNpFGWzeeGvzcAf/i5m89V github.com/kairos-io/kairos-sdk v0.0.16/go.mod h1:6Y9RGvKU/B99euFE32OYrabLLsSVjjemCfyRgiEHuKE= github.com/kairos-io/kcrypt v0.7.0 h1:ESmCBIFbBBv7mJf0/f6ugqwSvz63M5oP9sUIdHiDlLc= github.com/kairos-io/kcrypt v0.7.0/go.mod h1:a9eI+vPVIQHPRtqEV/O/yIfDOdMWd9epVrq1p94gccM= +github.com/kairos-io/kcrypt v0.7.1-0.20231130134511-e86d8e559545 h1:+DeOP4IVO9p9jKhPXZDJz4WodWAlH8Y9ObM6yCeQc6o= +github.com/kairos-io/kcrypt v0.7.1-0.20231130134511-e86d8e559545/go.mod h1:PPZzzuBGr1g+QZ/CcInMlQIlgXELeDG1WBiC/csDEd0= +github.com/kairos-io/kcrypt v0.7.1-0.20231130171015-554e350fb7c1 h1:8fOgYQWBobEOxLDYfXNpOrNrq+LGl+aw13VL9Z+aoOA= +github.com/kairos-io/kcrypt v0.7.1-0.20231130171015-554e350fb7c1/go.mod h1:PPZzzuBGr1g+QZ/CcInMlQIlgXELeDG1WBiC/csDEd0= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c h1:eKb4PqwAMhlqwXw0W3atpKaYaPGlXE/Fwh+xpCEYaPk= github.com/kendru/darwin/go/depgraph v0.0.0-20221105232959-877d6a81060c/go.mod h1:VOfm8h1NySetVlpHDSnbpCMsvCgYaU+YDn4XezUy2+4= 
@@ -391,6 +396,12 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8= github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8= +github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4= +github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI= +github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= +github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= +github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.4.0/go.mod h1:gifjb2MYOoULtKLqUAEILUG/9KONW6f7YsJ6vQLTlFI= github.com/packethost/packngo v0.29.0 h1:gRIhciVZQ/zLNrIdIdbOUyB/Tw5IgoaXyhP4bvE+D2s= github.com/packethost/packngo v0.29.0/go.mod h1:/UHguFdPs6Lf6FOkkSEPnRY5tgS0fsVM+Zv/bvBrmt0= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= @@ -502,6 +513,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/scp v0.0.0-20170824174625-f7b48647feef h1:7D6Nm4D6f0ci9yttWaKjM1TMAXrH5Su72dojqYGntFY= github.com/tredoe/osutil/v2 v2.0.0-rc.16 h1:5A2SKvyB2c3lhPYUIHyFtu6jbaXlaA3Hu5gWIam8Pik= 
@@ -513,6 +525,8 @@ github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0o github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8= github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= +github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk= +github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA= github.com/urfave/cli/v2 v2.25.7 h1:VAzn5oq403l5pHjc4OhD54+XGO9cdKVL/7lDjF+iKUs= github.com/urfave/cli/v2 v2.25.7/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ= github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= @@ -784,6 +798,8 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM= howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g= +k8s.io/apimachinery v0.26.2 h1:da1u3D5wfR5u2RpLhE/ZtZS2P7QvDgLZTi9wrNZl/tQ= +k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= pault.ag/go/modprobe v0.1.2 h1:bblunaPhqpTxGDJ5TVFW/4gheohBPleF2dIV6j6sWkI= pault.ag/go/modprobe v0.1.2/go.mod h1:afr2STC/2Maz/qi4+Bma1s0dszZgO/PcM8AKar9DWhM= pault.ag/go/topsort v0.0.0-20160530003732-f98d2ad46e1a/go.mod h1:INqx0ClF7kmPAMk2zVTX8DRnhZ/yaA/Mg52g8KFKE7k= diff --git a/internal/constants/constants.go b/internal/constants/constants.go index 6cf05cb..028c1cf 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -44,6 +44,7 @@ const ( OpLvmActivate = "lvm-activation" OpKcryptUnlock = "unlock-all" OpKcryptUpgrade = "upgrade-kcrypt" + OpUkiKcrypt = "uki-unlock" PersistentStateTarget = "/usr/local/.state" LogDir = "/run/immucore" LinuxFs = "ext4" 
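Review bot: `OpUkiKcrypt = "uki-unlock"` breaks the naming pattern of its neighbours, where the identifier mirrors the operation (`OpKcryptUnlock = "unlock-all"`, `OpKcryptUpgrade = "upgrade-kcrypt"`); a name such as `OpUkiKcryptUnlock` would read consistently at the WithDeps call sites that now list it next to OpRemountRootRO. The const block carries no comments, so a trailing `// uki-unlock: unlock encrypted partitions with the UKI TPM values` would also let a reader tell it apart from OpKcryptUnlock without opening dag_steps.go.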
diff --git a/pkg/mount/dag_steps.go b/pkg/mount/dag_steps.go index a55c709..d49efaa 100644 --- a/pkg/mount/dag_steps.go +++ b/pkg/mount/dag_steps.go @@ -615,7 +615,7 @@ func (s *State) LVMActivation(g *herd.Graph) error { // RunKcrypt will run the UnlockAll method of kcrypt to unlock the encrypted partitions // Requires sysroot to be mounted as the kcrypt-challenger binary is not injected in the initramfs. func (s *State) RunKcrypt(g *herd.Graph, opts ...herd.OpOption) error { - return g.Add(cnst.OpKcryptUnlock, append(opts, herd.WithCallback(func(ctx context.Context) error { return kcrypt.UnlockAll() }))...) + return g.Add(cnst.OpKcryptUnlock, append(opts, herd.WithCallback(func(ctx context.Context) error { return kcrypt.UnlockAll(false) }))...) } // RunKcryptUpgrade will upgrade encrypted partitions created with 1.x to the new 2.x format, where @@ -682,3 +682,15 @@ func (s *State) MountESPPartition(g *herd.Graph, opts ...herd.OpOption) error { return nil }))...) } + +func (s *State) UKIUnlock(g *herd.Graph, opts ...herd.OpOption) error { + return g.Add(cnst.OpUkiKcrypt, append(opts, herd.WithCallback(func(ctx context.Context) error { + // Set full path on uki to get all the binaries + if !internalUtils.EfiBootFromInstall() { + internalUtils.Log.Debug().Msg("Not unlocking disks as we think we are booting from removable media") + return nil + } + os.Setenv("PATH", "/usr/bin:/usr/sbin:/bin:/sbin") + return kcrypt.UnlockAll(true) + }))...) +} diff --git a/pkg/mount/dag_uki_boot.go b/pkg/mount/dag_uki_boot.go index 54668cb..50c5673 100644 --- a/pkg/mount/dag_uki_boot.go +++ b/pkg/mount/dag_uki_boot.go 
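Review bot: `kcrypt.UnlockAll(false)` in RunKcrypt passes a bare boolean whose meaning cannot be recovered from the call site; the new UKIUnlock in the next hunk passes `true`, and the commit subject suggests the flag selects the UKI/TPM unlock path, but that is inferred rather than visible here. Extend the existing doc comment with one line once the flag's meaning is confirmed against kcrypt's signature, e.g. `// The false argument selects the non-UKI (challenger) unlock; see UKIUnlock for the TPM variant.`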
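Review bot: The return value of `os.Setenv("PATH", "/usr/bin:/usr/sbin:/bin:/sbin")` in UKIUnlock is discarded, and the call rewrites PATH for the whole immucore process, so every step scheduled after this one inherits the new search path, not only the kcrypt call; a later step that relied on the initramfs PATH would change behaviour silently. Check the error and keep the intent next to the call: `if err := os.Setenv("PATH", "/usr/bin:/usr/sbin:/bin:/sbin"); err != nil { return err }`, and move the `// Set full path on uki to get all the binaries` comment down to that line, since as placed it sits above the unrelated EfiBootFromInstall guard. UKIUnlock is the only exported method in this hunk without a doc comment in the `// RunKcrypt will ...` style the file uses; something like `// UKIUnlock registers the uki-unlock step, which unlocks the encrypted partitions with the UKI TPM values when booting from an installed system and is a no-op when booting from removable media.` would cover it. The skip branch logs at Debug level only; because an unexpected skip leaves the disks locked, surfacing that decision at Info or Warn would make the boot log explain the later mount failures.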
@@ -24,13 +24,16 @@ func (s *State) RegisterUKI(g *herd.Graph) error { // Mount ESP partition under efi if it exists s.LogIfError(s.MountESPPartition(g, herd.WithDeps(cnst.OpSentinel, cnst.OpUkiUdev)), "mount ESP partition") - // Run rootfs stage + // Run rootfs stage (doesnt this need to be run after mounting OEM??? s.LogIfError(s.RootfsStageDagStep(g, herd.WithDeps(cnst.OpSentinel, cnst.OpUkiUdev)), "uki rootfs") // Remount root RO s.LogIfError(s.UKIRemountRootRODagStep(g), "remount root") - s.LogIfError(s.MountOemDagStep(g, herd.WithDeps(cnst.OpRemountRootRO), herd.WeakDeps), "oem mount") + // Unlock partitions if needed with TPM + s.LogIfError(s.UKIUnlock(g, herd.WithDeps(cnst.OpSentinel, cnst.OpRemountRootRO)), "uki unlock") + + s.LogIfError(s.MountOemDagStep(g, herd.WithDeps(cnst.OpRemountRootRO, cnst.OpUkiKcrypt), herd.WeakDeps), "oem mount") // Populate state bind mounts, overlay mounts, custom-mounts from /run/cos/cos-layout.env // Requires stage rootfs to have run, which usually creates the cos-layout.env file
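Review bot: The rewritten comment `// Run rootfs stage (doesnt this need to be run after mounting OEM???` commits an open question, a typo and an unclosed parenthesis as if it were documentation; either settle the ordering in this change or record it as an actionable `// TODO: confirm whether the rootfs stage must run after the OEM mount` so the next reader does not take it for a description of current behaviour. The new UKIUnlock step is registered with `herd.WithDeps(cnst.OpSentinel, cnst.OpRemountRootRO)` but, unlike the OEM mount it now gates through OpUkiKcrypt, without `herd.WeakDeps`; if herd treats a failed dependency as blocking, a TPM unlock failure would also keep the OEM mount and everything downstream of it from running, and whether that fail-closed outcome is intended deserves a sentence in the `// Unlock partitions if needed with TPM` comment, as herd's semantics are not visible from this hunk. Note that `s.LogIfError(s.UKIUnlock(...), "uki unlock")` only reports the return value of `g.Add` (UKIUnlock returns it directly in dag_steps.go), so a failed unlock at boot time is not what that line logs. RegisterUKI continues outside the hunk.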