2023-11-30 09:24:55 +00:00
|
|
|
package lib
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2024-04-24 08:40:39 +00:00
|
|
|
"math/rand"
|
2023-11-30 09:24:55 +00:00
|
|
|
"os"
|
|
|
|
|
"os/exec"
|
|
|
|
|
"strings"
|
2024-04-24 08:40:39 +00:00
|
|
|
"time"
|
2024-05-23 12:11:00 +00:00
|
|
|
|
|
|
|
|
"github.com/gofrs/uuid"
|
|
|
|
|
"github.com/jaypipes/ghw"
|
|
|
|
|
"github.com/jaypipes/ghw/pkg/block"
|
|
|
|
|
configpkg "github.com/kairos-io/kcrypt/pkg/config"
|
2023-11-30 09:24:55 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func CreateLuks(dev, password, version string, cryptsetupArgs ...string) error {
|
|
|
|
|
if version == "" {
|
|
|
|
|
version = "luks2"
|
|
|
|
|
}
|
|
|
|
|
args := []string{"luksFormat", "--type", version, "--iter-time", "5", "-q", dev}
|
|
|
|
|
args = append(args, cryptsetupArgs...)
|
|
|
|
|
cmd := exec.Command("cryptsetup", args...)
|
|
|
|
|
cmd.Stdin = strings.NewReader(password)
|
|
|
|
|
cmd.Stdout = os.Stdout
|
|
|
|
|
cmd.Stderr = os.Stderr
|
|
|
|
|
err := cmd.Run()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-24 08:40:39 +00:00
|
|
|
var seededRand = rand.New(rand.NewSource(time.Now().UnixNano()))
|
|
|
|
|
|
|
|
|
|
func getRandomString(length int) string {
|
|
|
|
|
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
|
|
|
|
b := make([]byte, length)
|
|
|
|
|
for i := range b {
|
|
|
|
|
b[i] = charset[seededRand.Intn(len(charset))]
|
|
|
|
|
}
|
|
|
|
|
return string(b)
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-30 10:01:39 +00:00
|
|
|
// Luksify Take a part label, and recreates it with LUKS. IT OVERWRITES DATA!
|
2023-11-30 09:24:55 +00:00
|
|
|
// On success, it returns a machine parseable string with the partition information
|
|
|
|
|
// (label:name:uuid) so that it can be stored by the caller for later use.
|
|
|
|
|
// This is because the label of the encrypted partition is not accessible unless
|
|
|
|
|
// the partition is decrypted first and the uuid changed after encryption so
|
|
|
|
|
// any stored information needs to be updated (by the caller).
|
2023-11-30 10:01:39 +00:00
|
|
|
func Luksify(label, version string, tpm bool) (string, error) {
|
|
|
|
|
var pass string
|
|
|
|
|
if version == "" {
|
|
|
|
|
version = "luks1"
|
|
|
|
|
}
|
|
|
|
|
if version != "luks1" && version != "luks2" {
|
|
|
|
|
return "", fmt.Errorf("version must be luks1 or luks2")
|
2023-11-30 09:24:55 +00:00
|
|
|
}
|
|
|
|
|
|
2024-05-27 06:29:52 +00:00
|
|
|
// Make sure ghw will see all partitions correctly.
|
|
|
|
|
// Some versions of udevadm don't support --settle (e.g. alpine)
|
|
|
|
|
// and older versions don't have --type=all. Try the simpler version then.
|
|
|
|
|
out, err := SH("udevadm trigger --settle -v --type=all || udevadm trigger -v")
|
2024-05-23 12:11:00 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("udevadm trigger failed: %w, out: %s", err, out)
|
|
|
|
|
}
|
|
|
|
|
SH("sync") //nolint:errcheck
|
|
|
|
|
|
2023-11-30 10:01:39 +00:00
|
|
|
part, b, err := FindPartition(label)
|
2023-11-30 09:24:55 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-30 10:01:39 +00:00
|
|
|
if tpm {
|
|
|
|
|
// On TPM locking we generate a random password that will only be used here then discarded.
|
|
|
|
|
// only unlocking method will be PCR values
|
2024-04-24 08:40:39 +00:00
|
|
|
pass = getRandomString(32)
|
2023-11-30 10:01:39 +00:00
|
|
|
} else {
|
|
|
|
|
pass, err = GetPassword(b)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
part = fmt.Sprintf("/dev/%s", part)
|
2023-11-30 09:24:55 +00:00
|
|
|
devMapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
|
|
|
|
|
partUUID := uuid.NewV5(uuid.NamespaceURL, label)
|
|
|
|
|
|
2023-11-30 10:01:39 +00:00
|
|
|
extraArgs := []string{"--uuid", partUUID.String()}
|
|
|
|
|
|
|
|
|
|
if err := CreateLuks(part, pass, version, extraArgs...); err != nil {
|
2023-11-30 09:24:55 +00:00
|
|
|
return "", err
|
|
|
|
|
}
|
2023-11-30 10:01:39 +00:00
|
|
|
if tpm {
|
2023-12-15 15:47:56 +00:00
|
|
|
// Enroll PCR policy as a keyslot
|
|
|
|
|
// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
|
|
|
|
|
// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
|
|
|
|
|
// Files are generated by systemd automatically and are extracted from the UKI binary directly
|
|
|
|
|
// public pem cert -> .pcrpkey section fo the elf file
|
|
|
|
|
// signatures -> .pcrsig section of the elf file
|
2024-05-21 11:13:50 +00:00
|
|
|
// leave --tpm2-pcrs= to an empty value so it doesnt bind to a single measure
|
|
|
|
|
args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-public-key-pcrs=11", "--tpm2-pcrs=", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device-key=/run/systemd/tpm2-srk-public-key.tpm2b_public", part}
|
2023-11-30 10:29:20 +00:00
|
|
|
cmd := exec.Command("systemd-cryptenroll", args...)
|
2023-11-30 17:10:15 +00:00
|
|
|
cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
|
2023-11-30 10:29:20 +00:00
|
|
|
cmd.Stdout = os.Stdout
|
|
|
|
|
cmd.Stderr = os.Stderr
|
|
|
|
|
err := cmd.Run()
|
2023-11-30 10:01:39 +00:00
|
|
|
if err != nil {
|
2023-11-30 10:29:20 +00:00
|
|
|
return "", err
|
2023-11-30 10:01:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-11-30 09:24:55 +00:00
|
|
|
|
2023-11-30 10:01:39 +00:00
|
|
|
if err := LuksUnlock(part, b.Name, pass); err != nil {
|
2023-11-30 17:10:15 +00:00
|
|
|
return "", fmt.Errorf("unlock err: %w", err)
|
2023-11-30 09:24:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := Waitdevice(devMapper, 10); err != nil {
|
2023-11-30 17:10:15 +00:00
|
|
|
return "", fmt.Errorf("waitdevice err: %w", err)
|
2023-11-30 09:24:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmd := fmt.Sprintf("mkfs.ext4 -L %s %s", label, devMapper)
|
2024-05-23 12:11:00 +00:00
|
|
|
out, err = SH(cmd)
|
2023-11-30 09:24:55 +00:00
|
|
|
if err != nil {
|
2023-11-30 17:10:15 +00:00
|
|
|
return "", fmt.Errorf("mkfs err: %w, out: %s", err, out)
|
2023-11-30 09:24:55 +00:00
|
|
|
}
|
|
|
|
|
|
2023-11-30 17:10:15 +00:00
|
|
|
out, err = SH(fmt.Sprintf("cryptsetup close %s", b.Name))
|
2023-11-30 09:24:55 +00:00
|
|
|
if err != nil {
|
2023-11-30 17:10:15 +00:00
|
|
|
return "", fmt.Errorf("lock err: %w, out: %s", err, out)
|
2023-11-30 09:24:55 +00:00
|
|
|
}
|
|
|
|
|
|
2023-11-30 10:29:20 +00:00
|
|
|
if tpm {
|
|
|
|
|
// Delete password slot from luks device
|
|
|
|
|
out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", part))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("err: %w, out: %s", err, out)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-30 09:24:55 +00:00
|
|
|
return configpkg.PartitionToString(b), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func FindPartition(label string) (string, *block.Partition, error) {
|
|
|
|
|
b, err := ghw.Block()
|
|
|
|
|
if err == nil {
|
|
|
|
|
for _, disk := range b.Disks {
|
|
|
|
|
for _, p := range disk.Partitions {
|
|
|
|
|
if p.FilesystemLabel == label {
|
|
|
|
|
return p.Name, p, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
return "", nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return "", nil, fmt.Errorf("not found")
|
|
|
|
|
}
|
