Add more logging and debug for cryptenroll

Signed-off-by: Itxaka <itxaka@kairos.io>
This commit is contained in:
Itxaka
2024-05-22 14:40:47 +02:00
parent 0bb8c72097
commit 3ebf55a2d8
2 changed files with 18 additions and 15 deletions


@@ -1,6 +1,7 @@
package lib package lib
import ( import (
"bytes"
"fmt" "fmt"
"github.com/gofrs/uuid" "github.com/gofrs/uuid"
"github.com/jaypipes/ghw" "github.com/jaypipes/ghw"
@@ -52,25 +53,29 @@ func Luksify(label string, logger zerolog.Logger) (string, error) {
part, b, err := FindPartition(label) part, b, err := FindPartition(label)
if err != nil { if err != nil {
logger.Err(err).Msg("find partition")
return "", err return "", err
} }
pass, err = GetPassword(b) pass, err = GetPassword(b)
if err != nil { if err != nil {
logger.Err(err).Msg("get password")
return "", err return "", err
} }
mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
device := fmt.Sprintf("/dev/%s", part) device := fmt.Sprintf("/dev/%s", part)
partUUID := uuid.NewV5(uuid.NamespaceURL, label) partUUID := uuid.NewV5(uuid.NamespaceURL, label)
extraArgs := []string{"--uuid", partUUID.String()} extraArgs := []string{"--uuid", partUUID.String()}
if err := CreateLuks(device, pass, extraArgs...); err != nil { if err := CreateLuks(device, pass, extraArgs...); err != nil {
logger.Err(err).Msg("create luks")
return "", err return "", err
} }
mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
err = formatLuks(device, b.Name, mapper, label, pass, logger) err = formatLuks(device, b.Name, mapper, label, pass, logger)
if err != nil { if err != nil {
logger.Err(err).Msg("format luks")
return "", err return "", err
} }
@@ -100,13 +105,13 @@ func LuksifyMeasurements(label string, publicKeyPcrs []string, pcrs []string, lo
// On TPM locking we generate a random password that will only be used here then discarded. // On TPM locking we generate a random password that will only be used here then discarded.
// only unlocking method will be PCR values // only unlocking method will be PCR values
pass := getRandomString(32) pass := getRandomString(32)
mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
part = fmt.Sprintf("/dev/%s", part) device := fmt.Sprintf("/dev/%s", part)
partUUID := uuid.NewV5(uuid.NamespaceURL, label) partUUID := uuid.NewV5(uuid.NamespaceURL, label)
extraArgs := []string{"--uuid", partUUID.String()} extraArgs := []string{"--uuid", partUUID.String()}
if err := CreateLuks(part, pass, extraArgs...); err != nil { if err := CreateLuks(device, pass, extraArgs...); err != nil {
return err return err
} }
@@ -132,25 +137,26 @@ func LuksifyMeasurements(label string, publicKeyPcrs []string, pcrs []string, lo
logger.Debug().Str("args", strings.Join(args, " ")).Msg("running command") logger.Debug().Str("args", strings.Join(args, " ")).Msg("running command")
cmd := exec.Command("systemd-cryptenroll", args...) cmd := exec.Command("systemd-cryptenroll", args...)
cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass), "SYSTEMD_LOG_LEVEL=debug") // cannot pass it via stdin cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass), "SYSTEMD_LOG_LEVEL=debug") // cannot pass it via stdin
// Store the output into a buffer to log it in case we need it
cmd.Stdout = os.Stdout // debug output goes to stderr for some reason?
cmd.Stderr = os.Stderr stdOut := bytes.Buffer{}
cmd.Stdout = &stdOut
cmd.Stderr = &stdOut
err = cmd.Run() err = cmd.Run()
if err != nil { if err != nil {
logger.Debug().Str("output", stdOut.String()).Msg("debug from cryptenroll")
logger.Err(err).Msg("Enrolling measurements") logger.Err(err).Msg("Enrolling measurements")
return err return err
} }
mapper := fmt.Sprintf("/dev/mapper/%s", b.Name) err = formatLuks(device, b.Name, mapper, label, pass, logger)
err = formatLuks(part, b.Name, mapper, label, pass, logger)
if err != nil { if err != nil {
logger.Err(err).Msg("format luks") logger.Err(err).Msg("format luks")
return err return err
} }
// Delete password slot from luks device // Delete password slot from luks device
out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", part)) out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", device))
if err != nil { if err != nil {
logger.Err(err).Str("out", out).Msg("Removing password") logger.Err(err).Str("out", out).Msg("Removing password")
return err return err
@@ -203,5 +209,5 @@ func FindPartition(label string) (string, *block.Partition, error) {
return "", nil, err return "", nil, err
} }
return "", nil, fmt.Errorf("not found") return "", nil, fmt.Errorf("not found label %s", label)
} }
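Review bot: In the LuksifyMeasurements hunk the new buffer is named `stdOut` but is wired to both streams (`cmd.Stdout = &stdOut` and `cmd.Stderr = &stdOut`), so the later `Str("output", stdOut.String())` reads as if only stdout were captured; `combined := bytes.Buffer{}` (or `output`) names what it actually holds. Because the child runs with `SYSTEMD_LOG_LEVEL=debug`, the captured text is verbose and its exact content is not under this code's control, so surfacing it only at Debug on failure is a reasonable default, but it also means that at the default log level an operator now sees just the exit status for a failed enrollment where the previous code streamed the tool's stderr straight through. A comment next to the capture, such as `// combined stdout+stderr is only surfaced at Debug level on failure; raise the level to diagnose enroll errors`, would make that trade-off visible to the next maintainer. LuksifyMeasurements starts before and ends after this hunk.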


@@ -119,15 +119,12 @@ func LuksUnlock(device, mapper, password string) error {
dev, err := luks.Open(device) dev, err := luks.Open(device)
if err != nil { if err != nil {
// handle error // handle error
fmt.Println("on open")
return err return err
} }
defer dev.Close() defer dev.Close()
err = dev.Unlock(0, []byte(password), mapper) err = dev.Unlock(0, []byte(password), mapper)
if err != nil { if err != nil {
fmt.Println("on unlock")
fmt.Printf("device: %s\nmapper: %s\n", device, mapper)
return err return err
} }
return nil return nil