diff --git a/cmd/discovery/client/client.go b/cmd/discovery/client/client.go
index af609e4..c7ce2a7 100644
--- a/cmd/discovery/client/client.go
+++ b/cmd/discovery/client/client.go
@@ -15,7 +15,7 @@ import (
 "github.com/mudler/yip/pkg/utils"
 )
-var partNotFound error = fmt.Errorf("pass for partition not found")
+var errPartNotFound error = fmt.Errorf("pass for partition not found")
 func NewClient() (*Client, error) {
 conf, err := unmarshalConfig()
@@ -59,15 +59,15 @@ func (c *Client) Start() error {
 func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
 // IF we don't have any server configured, just do local
- if c.Config.Kcrypt.Server == "" {
+ if c.Config.Kcrypt.Challenger.Server == "" {
 return localPass(c.Config)
 }
- challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Server)
- postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Server)
+ challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Challenger.Server)
+ postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Challenger.Server)
 // IF server doesn't have a pass for us, then we generate one and we set it
- if _, _, err := getPass(challengeEndpoint, p); err == partNotFound {
+ if _, _, err := getPass(challengeEndpoint, p); err == errPartNotFound {
 rand := utils.RandomString(32)
 pass, err := tpm.EncodeBlob([]byte(rand))
 if err != nil {
@@ -75,7 +75,8 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 }
 bpass := base64.RawURLEncoding.EncodeToString(pass)
- opts := []tpm.Option{tpm.WithAdditionalHeader("label", p.Label),
+ opts := []tpm.Option{
+ tpm.WithAdditionalHeader("label", p.Label),
 tpm.WithAdditionalHeader("name", p.Name),
 tpm.WithAdditionalHeader("uuid", p.UUID),
 }
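Review bot: The renamed sentinel in hunk -15 is still built with `fmt.Errorf` and no format verbs, and hunk -59 here, hunk -111 below, and enc.go keep comparing it with `==`; the idiomatic form is `var errPartNotFound = errors.New("pass for partition not found")` (adding the `errors` import) checked with `errors.Is(err, errPartNotFound)`, which keeps the check working if `getPass` ever wraps the error with `%w`. Hunk -59 also deserves a hedged look: the 32-character output of `utils.RandomString` becomes the volume passphrase that is sealed and posted, so it is worth confirming that helper draws from a CSPRNG (`crypto/rand`) rather than a seeded generator. The named results `pass` and `err` are shadowed by the `:=` inside the `if` in hunk -59, which is easy to misread when the outer `err` is later returned. `waitPass` continues past the end of these hunks.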
@@ -83,7 +84,7 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 if err != nil {
 return "", err
 }
- err = conn.WriteJSON(map[string]string{"passphrase": bpass, "generated": constants.TPMSecret})
+ err = conn.WriteJSON(map[string]string{"passphrase": bpass, constants.GeneratedByKey: constants.TPMSecret})
 if err != nil {
 return rand, err
 }
@@ -92,17 +93,19 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 var generated bool
 pass, generated, err = getPass(challengeEndpoint, p)
 if generated {
+ // Decode what the challenger server gave us
 blob, err := base64.RawURLEncoding.DecodeString(pass)
 if err != nil {
 return "", err
 }
- // Decode and give it back
+
+ // Decrypt and return it to unseal the LUKS volume
 opts := []tpm.TPMOption{}
- if c.Config.Kcrypt.CIndex != "" {
- opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.CIndex))
+ if c.Config.Kcrypt.Challenger.CIndex != "" {
+ opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
 }
- if c.Config.Kcrypt.TPMDevice != "" {
- opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.TPMDevice))
+ if c.Config.Kcrypt.Challenger.TPMDevice != "" {
+ opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
 }
 pass, err := tpm.DecodeBlob(blob, opts...)
 return string(pass), err
@@ -111,7 +114,7 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
 if pass != "" || err == nil {
 return
 }
- if err == partNotFound {
+ if err == errPartNotFound {
 return
 }
 // Otherwise, we might have a generic network error and we retry
diff --git a/cmd/discovery/client/config.go b/cmd/discovery/client/config.go
index fdc1607..7428143 100644
--- a/cmd/discovery/client/config.go
+++ b/cmd/discovery/client/config.go
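Review bot: The key rename from `"generated"` to `constants.GeneratedByKey` (`"generated_by"`) in hunk -83, and its counterparts in challenger.go hunks -152 and -221, changes both the JSON field and the Secret data key with no fallback, so Secrets already written by the current challenger under `generated` stop being reported as generated; a client receiving such a reply takes the `if generated` branch in hunk -92 as false and appears to hand the base64 TPM blob to LUKS as the passphrase itself, locking the node out of an existing volume. The mixed-version pairing breaks the other way as well: an old client posting `generated` is stored as an empty `generated_by` value, which never equals `constants.TPMSecret`. A read-side fallback on the server, `gen, generated := secret.Data[constants.GeneratedByKey]; if !generated { gen, generated = secret.Data["generated"] }`, or a documented one-off migration of existing Secrets, would close the gap. `waitPass` starts before and ends after these hunks.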
@@ -11,10 +11,12 @@ type Client struct {
 type Config struct {
 Kcrypt struct {
- Server string `yaml:"challenger_server,omitempty"`
- NVIndex string `yaml:"nv_index,omitempty"`
- CIndex string `yaml:"c_index,omitempty"`
- TPMDevice string `yaml:"tpm_device,omitempty"`
+ Challenger struct {
+ Server string `yaml:"challenger_server,omitempty"`
+ NVIndex string `yaml:"nv_index,omitempty"`
+ CIndex string `yaml:"c_index,omitempty"`
+ TPMDevice string `yaml:"tpm_device,omitempty"`
+ }
 }
 }
diff --git a/cmd/discovery/client/enc.go b/cmd/discovery/client/enc.go
index 094d467..74d1e3b 100644
--- a/cmd/discovery/client/enc.go
+++ b/cmd/discovery/client/enc.go
@@ -30,16 +30,16 @@ func getPass(server string, partition *block.Partition) (string, bool, error) {
 if ok {
 return fmt.Sprint(p), generated && gen == constants.TPMSecret, nil
 }
- return "", false, partNotFound
+ return "", false, errPartNotFound
 }
 func genAndStore(k Config) (string, error) {
 opts := []tpm.TPMOption{}
- if k.Kcrypt.TPMDevice != "" {
- opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
+ if k.Kcrypt.Challenger.TPMDevice != "" {
+ opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
 }
- if k.Kcrypt.CIndex != "" {
- opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))
+ if k.Kcrypt.Challenger.CIndex != "" {
+ opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
 }
 // Generate a new one, and return it to luks
@@ -49,8 +49,8 @@ func genAndStore(k Config) (string, error) {
 return "", err
 }
 nvindex := "0x1500000"
- if k.Kcrypt.NVIndex != "" {
- nvindex = k.Kcrypt.NVIndex
+ if k.Kcrypt.Challenger.NVIndex != "" {
+ nvindex = k.Kcrypt.Challenger.NVIndex
 }
 opts = append(opts, tpm.WithIndex(nvindex))
 return rand, tpm.StoreBlob(blob, opts...)
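Review bot: The new nested `Challenger` struct in the config.go hunk carries no `yaml` tag, so, assuming the decoder defaults to the lowercased field name, the settings move from `kcrypt.challenger_server` to `kcrypt.challenger.challenger_server` and an existing config decodes to an empty `Server`, which `waitPass` treats as the offline path rather than as a misconfiguration. Making the key explicit, `} \`yaml:"challenger,omitempty"\``, documents the new layout, and a startup warning when the legacy top-level keys are still present would make the silent fallback visible to operators. The `challenger_` prefix on `challenger_server` now repeats the parent key; if the layout is changing anyway, this is the moment to decide whether it should become `server`.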
@@ -58,12 +58,12 @@ func genAndStore(k Config) (string, error) {
 func localPass(k Config) (string, error) {
 index := "0x1500000"
- if k.Kcrypt.NVIndex != "" {
- index = k.Kcrypt.NVIndex
+ if k.Kcrypt.Challenger.NVIndex != "" {
+ index = k.Kcrypt.Challenger.NVIndex
 }
 opts := []tpm.TPMOption{tpm.WithIndex(index)}
- if k.Kcrypt.TPMDevice != "" {
- opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
+ if k.Kcrypt.Challenger.TPMDevice != "" {
+ opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
 }
 encodedPass, err := tpm.ReadBlob(opts...)
 if err != nil {
@@ -73,11 +73,11 @@ func localPass(k Config) (string, error) {
 // Decode and give it back
 opts = []tpm.TPMOption{}
- if k.Kcrypt.CIndex != "" {
- opts = append(opts, tpm.WithIndex(k.Kcrypt.CIndex))
+ if k.Kcrypt.Challenger.CIndex != "" {
+ opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
 }
- if k.Kcrypt.TPMDevice != "" {
- opts = append(opts, tpm.WithDevice(k.Kcrypt.TPMDevice))
+ if k.Kcrypt.Challenger.TPMDevice != "" {
+ opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
 }
 pass, err := tpm.DecodeBlob(encodedPass, opts...)
 return string(pass), err
diff --git a/pkg/challenger/challenger.go b/pkg/challenger/challenger.go
index 69025f7..b051542 100644
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@@ -9,6 +9,7 @@ import (
 "time"
 keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
+ "github.com/kairos-io/kairos-challenger/pkg/constants"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "github.com/kairos-io/kairos-challenger/controllers"
@@ -152,8 +153,8 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 Namespace: namespace,
 },
 Data: map[string][]byte{
- secretPath: []byte(pass),
- "generated": []byte(v["generated"]),
+ secretPath: []byte(pass),
+ constants.GeneratedByKey: []byte(v[constants.GeneratedByKey]),
 },
 Type: "Opaque",
 }
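Review bot: In challenger.go hunk -152 the value stored under `constants.GeneratedByKey` is copied straight from `v`, presumably the decoded client payload, so whatever the poster sends is persisted in the Secret and later echoed back by the getPass handler; since the only value the client acts on is `constants.TPMSecret`, rejecting anything else before building the Secret, `if g := v[constants.GeneratedByKey]; g != "" && g != constants.TPMSecret { /* reject the request */ }`, keeps the stored metadata to known states. Separately, the NV index default `"0x1500000"` is now spelled out in both `genAndStore` (hunk -49 above) and `localPass` (hunk -58), and a single package-level constant with a comment on what that index holds would keep the two paths from drifting. `Start` and `localPass` extend outside their hunks.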
@@ -221,13 +222,18 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 secretPath = sealedVolumeData.SecretPath
 }
+ // 1. The admin sets a specific cleartext password from Kube manager
+ // SealedVolume -> with a secret .
+ // 2. The admin just adds a SealedVolume associated with a TPM Hash ( you don't provide any passphrase )
+ // 3. There is no challenger server at all (offline mode)
+ //
 secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
 if err == nil {
 passphrase := secret.Data[secretPath]
- gen, generated := secret.Data["generated"]
+ gen, generated := secret.Data[constants.GeneratedByKey]
 result := map[string]string{"passphrase": string(passphrase)}
 if generated {
- result["generated"] = string(gen)
+ result[constants.GeneratedByKey] = string(gen)
 }
 err = json.NewEncoder(writer).Encode(result)
 if err != nil {
diff --git a/pkg/constants/secret.go b/pkg/constants/secret.go
index 5d16a3e..60b67f4 100644
--- a/pkg/constants/secret.go
+++ b/pkg/constants/secret.go
@@ -1,3 +1,4 @@
 package constants
 const TPMSecret = "tpm"
+const GeneratedByKey = "generated_by"
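Review bot: The five comment lines added before the Secret lookup in hunk -221 enumerate three scenarios, but the code that follows only handles the case where a Secret exists, and case 3 (no challenger server) is decided on the client, so the list reads as orphaned; tying it to the branch it annotates, e.g. `// Cases 1 and 2 are resolved here: the Secret holds either an admin-provided passphrase or a TPM-sealed one flagged by GeneratedByKey. Case 3 (no server) never reaches this handler.`, and dropping the trailing empty `//` and the stray space in `a secret .` would make it useful. The new exported constant in secret.go also lacks a doc comment; `// GeneratedByKey is the JSON field and Secret data key recording who produced the passphrase (TPMSecret when the client sealed it with its TPM).` satisfies the exported-name convention. `Start` continues outside this hunk.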