mirror of
https://github.com/kairos-io/kcrypt.git
synced 2025-11-10 23:40:22 +00:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
f6ed18cd18 | ||
|
|
c936f74913 | ||
|
|
7de640988f |
2
.github/workflows/dependabot_auto.yml
vendored
2
.github/workflows/dependabot_auto.yml
vendored
@@ -14,7 +14,7 @@ jobs:
|
||||
steps:
|
||||
- name: Dependabot metadata
|
||||
id: metadata
|
||||
uses: dependabot/fetch-metadata@v2.1.0
|
||||
uses: dependabot/fetch-metadata@v2.0.0
|
||||
with:
|
||||
github-token: "${{ secrets.GITHUB_TOKEN }}"
|
||||
skip-commit-verification: true
|
||||
|
||||
11
go.mod
11
go.mod
@@ -11,16 +11,15 @@ require (
|
||||
github.com/anatol/luks.go v0.0.0-20230423170605-fb3724ed7db7
|
||||
github.com/gofrs/uuid v4.4.0+incompatible
|
||||
github.com/jaypipes/ghw v0.12.0
|
||||
github.com/kairos-io/kairos-sdk v0.1.8
|
||||
github.com/kairos-io/kairos-sdk v0.1.1
|
||||
github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
|
||||
github.com/onsi/ginkgo/v2 v2.17.1
|
||||
github.com/onsi/gomega v1.33.0
|
||||
github.com/otiai10/copy v1.14.0
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/rs/zerolog v1.33.0
|
||||
github.com/urfave/cli/v2 v2.27.2
|
||||
github.com/rs/zerolog v1.32.0
|
||||
github.com/urfave/cli v1.22.14
|
||||
gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
)
|
||||
|
||||
require (
|
||||
@@ -40,7 +39,7 @@ require (
|
||||
github.com/containerd/continuity v0.4.2 // indirect
|
||||
github.com/containerd/log v0.1.0 // indirect
|
||||
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
|
||||
github.com/denisbrodbeck/machineid v1.0.1 // indirect
|
||||
github.com/dgryski/go-camellia v0.0.0-20191119043421-69a8a13fb23d // indirect
|
||||
github.com/docker/cli v24.0.0+incompatible // indirect
|
||||
@@ -86,7 +85,6 @@ require (
|
||||
github.com/vbatts/tar-split v0.11.3 // indirect
|
||||
github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
|
||||
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
|
||||
github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
|
||||
go.opencensus.io v0.24.0 // indirect
|
||||
golang.org/x/crypto v0.22.0 // indirect
|
||||
golang.org/x/mod v0.15.0 // indirect
|
||||
@@ -100,5 +98,6 @@ require (
|
||||
google.golang.org/grpc v1.58.3 // indirect
|
||||
google.golang.org/protobuf v1.33.0 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
howett.net/plist v1.0.0 // indirect
|
||||
)
|
||||
|
||||
46
go.sum
46
go.sum
@@ -34,13 +34,11 @@ github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHS
|
||||
github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
|
||||
github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 h1:WWB576BN5zNSZc/M9d/10pqEx5VHNhaQ/yOVAkmj5Yo=
|
||||
github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
|
||||
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||
github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 h1:xz6Nv3zcwO2Lila35hcb0QloCQsc38Al13RNEzWRpX4=
|
||||
github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9/go.mod h1:2wSM9zJkl1UQEFZgSd68NfCgRz1VL1jzy/RjCg+ULrs=
|
||||
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||
github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
|
||||
github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
|
||||
github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
|
||||
github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
|
||||
@@ -49,17 +47,13 @@ github.com/containerd/containerd v1.7.11 h1:lfGKw3eU35sjV0aG2eYZTiwFEY1pCzxdzicH
|
||||
github.com/containerd/containerd v1.7.11/go.mod h1:5UluHxHTX2rdvYuZ5OJTC5m/KJNs0Zs9wVoJm9zf5ZE=
|
||||
github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM=
|
||||
github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
|
||||
github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok=
|
||||
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
|
||||
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
|
||||
github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
|
||||
github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
|
||||
github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
|
||||
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
@@ -77,8 +71,6 @@ github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryef
|
||||
github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
|
||||
github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
|
||||
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
|
||||
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
|
||||
github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
|
||||
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
|
||||
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
|
||||
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
@@ -107,7 +99,6 @@ github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4er
|
||||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
|
||||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||
github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
|
||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
|
||||
@@ -139,7 +130,6 @@ github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQ
|
||||
github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
|
||||
github.com/gookit/color v1.5.3 h1:twfIhZs4QLCtimkP7MOxlF3A0U/5cDPseRT9M/+2SCE=
|
||||
github.com/gookit/color v1.5.3/go.mod h1:NUzwzeehUfl7GIb36pqId+UGmRfQcU/WiiyTTeNjHtE=
|
||||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
|
||||
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
|
||||
github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
|
||||
github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
|
||||
@@ -161,16 +151,6 @@ github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004 h1:G+9t9cEtnC
|
||||
github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004/go.mod h1:KmHnJWQrgEvbuy0vcvj00gtMqbvNn1L+3YUZLK/B92c=
|
||||
github.com/kairos-io/kairos-sdk v0.1.1 h1:A9/bweW+Oy0Tmp3l7R4kL4NZXTJcKPXpp1/7u/tAluE=
|
||||
github.com/kairos-io/kairos-sdk v0.1.1/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
|
||||
github.com/kairos-io/kairos-sdk v0.1.2 h1:veA06dQR4zddrWSxaZNq+5lSZQH0EHlU6OnR5fdkQ2Q=
|
||||
github.com/kairos-io/kairos-sdk v0.1.2/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
|
||||
github.com/kairos-io/kairos-sdk v0.1.3 h1:mdGdr5mWQ6FXZkXPsDRBvCdZDIKbFpub40idtsSTN8k=
|
||||
github.com/kairos-io/kairos-sdk v0.1.3/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
|
||||
github.com/kairos-io/kairos-sdk v0.1.5 h1:dk33F9naiHiZlzLTioCz7XQcR8Y6CVRbwE5rxtz5ha0=
|
||||
github.com/kairos-io/kairos-sdk v0.1.5/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
|
||||
github.com/kairos-io/kairos-sdk v0.1.6 h1:x+oqSvyRgexiJeTbYXpM0ZcJnDbnbRSG4lGNVqDCZc0=
|
||||
github.com/kairos-io/kairos-sdk v0.1.6/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
|
||||
github.com/kairos-io/kairos-sdk v0.1.8 h1:TKigA+3Nmzn/NLztbLVBLacpx0cK1oJl1AoZarohU98=
|
||||
github.com/kairos-io/kairos-sdk v0.1.8/go.mod h1:asSOyJanH10Cnxl9zx5RzyYNMhEworaiMh/7uRnS4GA=
|
||||
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
|
||||
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
@@ -182,12 +162,9 @@ github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuOb
|
||||
github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
|
||||
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
|
||||
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
|
||||
github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
|
||||
github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
|
||||
github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
|
||||
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
|
||||
@@ -201,14 +178,11 @@ github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZ
|
||||
github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
|
||||
github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
|
||||
github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
|
||||
github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
|
||||
github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
|
||||
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
|
||||
github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5 h1:FaZD86+A9mVt7lh9glAryzQblMsbJYU2VnrdZ8yHlTs=
|
||||
github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5/go.mod h1:WmKcT8ONmhDQIqQ+HxU+tkGWjzBEyY/KFO8LTGCu4AI=
|
||||
github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
|
||||
@@ -255,8 +229,6 @@ github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUc
|
||||
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
|
||||
github.com/rs/zerolog v1.32.0 h1:keLypqrlIjaFsbmJOBdB/qvyF8KEtCWHwobLp5l/mQ0=
|
||||
github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
|
||||
github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
|
||||
github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
|
||||
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
|
||||
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
|
||||
@@ -264,13 +236,10 @@ github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNX
|
||||
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
|
||||
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
|
||||
github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
|
||||
github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
|
||||
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
|
||||
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
|
||||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
@@ -279,35 +248,22 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
|
||||
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
|
||||
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
|
||||
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
|
||||
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
||||
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
|
||||
github.com/tmc/scp v0.0.0-20170824174625-f7b48647feef h1:7D6Nm4D6f0ci9yttWaKjM1TMAXrH5Su72dojqYGntFY=
|
||||
github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8=
|
||||
github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
|
||||
github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
|
||||
github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
|
||||
github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
|
||||
github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
|
||||
github.com/urfave/cli/v2 v2.27.1/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ=
|
||||
github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI=
|
||||
github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM=
|
||||
github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
|
||||
github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
|
||||
github.com/wayneashleyberry/terminal-dimensions v1.1.0 h1:EB7cIzBdsOzAgmhTUtTTQXBByuPheP/Zv1zL2BRPY6g=
|
||||
github.com/wayneashleyberry/terminal-dimensions v1.1.0/go.mod h1:2lc/0eWCObmhRczn2SdGSQtgBooLUzIotkkEGXqghyg=
|
||||
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
|
||||
github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs=
|
||||
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
|
||||
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
|
||||
github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw=
|
||||
github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk=
|
||||
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
|
||||
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
|
||||
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
|
||||
go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
|
||||
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
|
||||
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
|
||||
go.uber.org/goleak v1.1.12/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
@@ -440,8 +396,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
|
||||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
|
||||
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
|
||||
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
|
||||
gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
|
||||
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
|
||||
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
|
||||
gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=
|
||||
|
||||
42
main.go
42
main.go
@@ -4,10 +4,8 @@ import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/rs/zerolog"
|
||||
|
||||
"github.com/kairos-io/kcrypt/pkg/lib"
|
||||
"github.com/urfave/cli/v2"
|
||||
"github.com/urfave/cli"
|
||||
)
|
||||
|
||||
var Version = "v0.0.0-dev"
|
||||
@@ -16,50 +14,38 @@ func main() {
|
||||
app := &cli.App{
|
||||
Name: "kairos-kcrypt",
|
||||
Version: Version,
|
||||
Authors: []*cli.Author{&cli.Author{Name: "Ettore Di Giacinto"}},
|
||||
Author: "Ettore Di Giacinto",
|
||||
Usage: "kairos escrow key agent component",
|
||||
Description: ``,
|
||||
UsageText: ``,
|
||||
Copyright: "Ettore Di Giacinto",
|
||||
Commands: []*cli.Command{
|
||||
Commands: []cli.Command{
|
||||
{
|
||||
|
||||
Name: "encrypt",
|
||||
Description: "Encrypts a partition",
|
||||
Usage: "Encrypts a partition",
|
||||
ArgsUsage: "kcrypt [--tpm] [--tpm-pcrs] [--public-key-pcrs] LABEL",
|
||||
ArgsUsage: "kcrypt [--version VERSION] [--tpm] LABEL",
|
||||
Flags: []cli.Flag{
|
||||
&cli.StringFlag{
|
||||
Name: "version",
|
||||
Value: "luks1",
|
||||
Usage: "luks version to use",
|
||||
},
|
||||
&cli.BoolFlag{
|
||||
Name: "tpm",
|
||||
Usage: "Use TPM measurements to lock the partition",
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Name: "tpm-pcrs",
|
||||
Usage: "tpm pcrs to bind to (single measurement) . Only applies when --tpm is also set.",
|
||||
},
|
||||
&cli.StringSliceFlag{
|
||||
Name: "public-key-pcrs",
|
||||
Usage: "public key pcrs to bind to (policy). Only applies when --tpm is also set.",
|
||||
Value: cli.NewStringSlice("11"),
|
||||
Usage: "Use TPM to lock the partition",
|
||||
},
|
||||
},
|
||||
Action: func(c *cli.Context) error {
|
||||
var err error
|
||||
var out string
|
||||
if c.NArg() != 1 {
|
||||
return fmt.Errorf("requires 1 arg, the partition label")
|
||||
}
|
||||
log := zerolog.New(os.Stdout).With().Timestamp().Logger()
|
||||
if c.Bool("tpm") {
|
||||
err = lib.LuksifyMeasurements(c.Args().First(), c.StringSlice("tpm-pcrs"), c.StringSlice("public-key-pcrs"), log)
|
||||
} else {
|
||||
out, err = lib.Luksify(c.Args().First(), log)
|
||||
fmt.Println(out)
|
||||
}
|
||||
out, err := lib.Luksify(c.Args().First(), c.String("version"), c.Bool("tpm"))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
fmt.Println(out)
|
||||
return nil
|
||||
},
|
||||
},
|
||||
@@ -88,7 +74,7 @@ func main() {
|
||||
if c.NArg() != 2 {
|
||||
return fmt.Errorf("requires 3 args. initrd,, dst")
|
||||
}
|
||||
return lib.ExtractInitrd(c.Args().First(), c.Args().Get(1))
|
||||
return lib.ExtractInitrd(c.Args()[0], c.Args()[1])
|
||||
},
|
||||
},
|
||||
{
|
||||
@@ -98,7 +84,7 @@ func main() {
|
||||
if c.NArg() != 3 {
|
||||
return fmt.Errorf("requires 3 args. initrd, srcfile, dst")
|
||||
}
|
||||
return lib.InjectInitrd(c.Args().First(), c.Args().Get(1), c.Args().Get(2))
|
||||
return lib.InjectInitrd(c.Args()[0], c.Args()[1], c.Args()[2])
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
215
pkg/lib/lock.go
215
pkg/lib/lock.go
@@ -1,24 +1,24 @@
|
||||
package lib
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/gofrs/uuid"
|
||||
"github.com/jaypipes/ghw"
|
||||
"github.com/jaypipes/ghw/pkg/block"
|
||||
configpkg "github.com/kairos-io/kcrypt/pkg/config"
|
||||
"github.com/rs/zerolog"
|
||||
)
|
||||
|
||||
func CreateLuks(dev, password string, cryptsetupArgs ...string) error {
|
||||
args := []string{"luksFormat", "--type", "luks2", "--iter-time", "5", "-q", dev}
|
||||
func CreateLuks(dev, password, version string, cryptsetupArgs ...string) error {
|
||||
if version == "" {
|
||||
version = "luks2"
|
||||
}
|
||||
args := []string{"luksFormat", "--type", version, "--iter-time", "5", "-q", dev}
|
||||
args = append(args, cryptsetupArgs...)
|
||||
cmd := exec.Command("cryptsetup", args...)
|
||||
cmd.Stdin = strings.NewReader(password)
|
||||
@@ -49,170 +49,97 @@ func getRandomString(length int) string {
|
||||
// This is because the label of the encrypted partition is not accessible unless
|
||||
// the partition is decrypted first and the uuid changed after encryption so
|
||||
// any stored information needs to be updated (by the caller).
|
||||
func Luksify(label string, logger zerolog.Logger) (string, error) {
|
||||
func Luksify(label, version string, tpm bool) (string, error) {
|
||||
var pass string
|
||||
if version == "" {
|
||||
version = "luks1"
|
||||
}
|
||||
if version != "luks1" && version != "luks2" {
|
||||
return "", fmt.Errorf("version must be luks1 or luks2")
|
||||
}
|
||||
|
||||
// Make sure ghw will see all partitions correctly.
|
||||
// older versions don't have --type=all. Try the simpler version then.
|
||||
out, err := SH("udevadm trigger --type=all || udevadm trigger")
|
||||
// Some versions of udevadm don't support --settle (e.g. alpine)
|
||||
// and older versions don't have --type=all. Try the simpler version then.
|
||||
out, err := SH("udevadm trigger --settle -v --type=all || udevadm trigger -v")
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("udevadm trigger failed: %w, out: %s", err, out)
|
||||
}
|
||||
syscall.Sync()
|
||||
SH("sync") //nolint:errcheck
|
||||
|
||||
part, b, err := FindPartition(label)
|
||||
if err != nil {
|
||||
logger.Err(err).Msg("find partition")
|
||||
return "", err
|
||||
}
|
||||
|
||||
pass, err = GetPassword(b)
|
||||
if err != nil {
|
||||
logger.Err(err).Msg("get password")
|
||||
return "", err
|
||||
if tpm {
|
||||
// On TPM locking we generate a random password that will only be used here then discarded.
|
||||
// only unlocking method will be PCR values
|
||||
pass = getRandomString(32)
|
||||
} else {
|
||||
pass, err = GetPassword(b)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
|
||||
mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
|
||||
device := fmt.Sprintf("/dev/%s", part)
|
||||
part = fmt.Sprintf("/dev/%s", part)
|
||||
devMapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
|
||||
partUUID := uuid.NewV5(uuid.NamespaceURL, label)
|
||||
|
||||
extraArgs := []string{"--uuid", partUUID.String()}
|
||||
|
||||
if err := CreateLuks(device, pass, extraArgs...); err != nil {
|
||||
logger.Err(err).Msg("create luks")
|
||||
if err := CreateLuks(part, pass, version, extraArgs...); err != nil {
|
||||
return "", err
|
||||
}
|
||||
if tpm {
|
||||
// Enroll PCR policy as a keyslot
|
||||
// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
|
||||
// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
|
||||
// Files are generated by systemd automatically and are extracted from the UKI binary directly
|
||||
// public pem cert -> .pcrpkey section fo the elf file
|
||||
// signatures -> .pcrsig section of the elf file
|
||||
args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
|
||||
cmd := exec.Command("systemd-cryptenroll", args...)
|
||||
cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
|
||||
cmd.Stdout = os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
err := cmd.Run()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
|
||||
err = formatLuks(device, b.Name, mapper, label, pass, logger)
|
||||
if err := LuksUnlock(part, b.Name, pass); err != nil {
|
||||
return "", fmt.Errorf("unlock err: %w", err)
|
||||
}
|
||||
|
||||
if err := Waitdevice(devMapper, 10); err != nil {
|
||||
return "", fmt.Errorf("waitdevice err: %w", err)
|
||||
}
|
||||
|
||||
cmd := fmt.Sprintf("mkfs.ext4 -L %s %s", label, devMapper)
|
||||
out, err = SH(cmd)
|
||||
if err != nil {
|
||||
logger.Err(err).Msg("format luks")
|
||||
return "", err
|
||||
return "", fmt.Errorf("mkfs err: %w, out: %s", err, out)
|
||||
}
|
||||
|
||||
out, err = SH(fmt.Sprintf("cryptsetup close %s", b.Name))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("lock err: %w, out: %s", err, out)
|
||||
}
|
||||
|
||||
if tpm {
|
||||
// Delete password slot from luks device
|
||||
out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", part))
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("err: %w, out: %s", err, out)
|
||||
}
|
||||
}
|
||||
|
||||
return configpkg.PartitionToString(b), nil
|
||||
}
|
||||
|
||||
// LuksifyMeasurements takes a label and a list if public-keys and pcrs to bind and uses the measurements
|
||||
// in the current node to encrypt the partition with those and bind those to the given pcrs
|
||||
// this expects systemd 255 as it needs the SRK public key that systemd extracts
|
||||
// Sets a random password, enrolls the policy, unlocks and formats the partition, closes it and tfinally removes the random password from it
|
||||
// Note that there is a diff between the publicKeyPcrs and normal Pcrs
|
||||
// The former links to a policy type that allows anything signed by that policy to unlcok the partitions so its
|
||||
// really useful for binding to PCR11 which is the UKI measurements in order to be able to upgrade the system and still be able
|
||||
// to unlock the partitions.
|
||||
// The later binds to a SINGLE measurement, so if that changes, it will not unlock anything.
|
||||
// This is useful for things like PCR7 which measures the secureboot state and certificates if you dont expect those to change during
|
||||
// the whole lifetime of a machine
|
||||
// It can also be used to bind to things like the firmware code or efi drivers that we dont expect to change
|
||||
// default for publicKeyPcrs is 11
|
||||
// default for pcrs is nothing, so it doesn't bind as we want to expand things like DBX and be able to blacklist certs and such
|
||||
func LuksifyMeasurements(label string, publicKeyPcrs []string, pcrs []string, logger zerolog.Logger) error {
|
||||
// Make sure ghw will see all partitions correctly.
|
||||
// older versions don't have --type=all. Try the simpler version then.
|
||||
out, err := SH("udevadm trigger --type=all || udevadm trigger")
|
||||
if err != nil {
|
||||
return fmt.Errorf("udevadm trigger failed: %w, out: %s", err, out)
|
||||
}
|
||||
syscall.Sync()
|
||||
|
||||
part, b, err := FindPartition(label)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// On TPM locking we generate a random password that will only be used here then discarded.
|
||||
// only unlocking method will be PCR values
|
||||
pass := getRandomString(32)
|
||||
mapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
|
||||
device := fmt.Sprintf("/dev/%s", part)
|
||||
partUUID := uuid.NewV5(uuid.NamespaceURL, label)
|
||||
|
||||
extraArgs := []string{"--uuid", partUUID.String()}
|
||||
|
||||
if err := CreateLuks(device, pass, extraArgs...); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if len(publicKeyPcrs) == 0 {
|
||||
publicKeyPcrs = []string{"11"}
|
||||
}
|
||||
|
||||
syscall.Sync()
|
||||
|
||||
// Enroll PCR policy as a keyslot
|
||||
// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
|
||||
// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
|
||||
// Files are generated by systemd automatically and are extracted from the UKI binary directly
|
||||
// public pem cert -> .pcrpkey section fo the elf file
|
||||
// signatures -> .pcrsig section of the elf file
|
||||
args := []string{
|
||||
"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem",
|
||||
fmt.Sprintf("--tpm2-public-key-pcrs=%s", strings.Join(publicKeyPcrs, "+")),
|
||||
fmt.Sprintf("--tpm2-pcrs=%s", strings.Join(pcrs, "+")),
|
||||
"--tpm2-signature=/run/systemd/tpm2-pcr-signature.json",
|
||||
"--tpm2-device-key=/run/systemd/tpm2-srk-public-key.tpm2b_public",
|
||||
device}
|
||||
logger.Debug().Str("args", strings.Join(args, " ")).Msg("running command")
|
||||
cmd := exec.Command("systemd-cryptenroll", args...)
|
||||
cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass), "SYSTEMD_LOG_LEVEL=debug") // cannot pass it via stdin
|
||||
// Store the output into a buffer to log it in case we need it
|
||||
// debug output goes to stderr for some reason?
|
||||
stdOut := bytes.Buffer{}
|
||||
cmd.Stdout = &stdOut
|
||||
cmd.Stderr = &stdOut
|
||||
err = cmd.Run()
|
||||
if err != nil {
|
||||
logger.Debug().Str("output", stdOut.String()).Msg("debug from cryptenroll")
|
||||
logger.Err(err).Msg("Enrolling measurements")
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Debug().Str("output", stdOut.String()).Msg("debug from cryptenroll")
|
||||
|
||||
err = formatLuks(device, b.Name, mapper, label, pass, logger)
|
||||
if err != nil {
|
||||
logger.Err(err).Msg("format luks")
|
||||
return err
|
||||
}
|
||||
|
||||
// Delete password slot from luks device
|
||||
out, err = SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", device))
|
||||
if err != nil {
|
||||
logger.Err(err).Str("out", out).Msg("Removing password")
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// format luks will unlock the device, wait for it and then format it
|
||||
// device is the actual /dev/X luks device
|
||||
// label is the label we will set to the formatted partition
|
||||
// password is the pass to unlock the device to be able to format the underlying mapper
|
||||
func formatLuks(device, name, mapper, label, pass string, logger zerolog.Logger) error {
|
||||
l := logger.With().Str("device", device).Str("name", name).Str("mapper", mapper).Logger()
|
||||
l.Debug().Msg("unlock")
|
||||
if err := LuksUnlock(device, name, pass); err != nil {
|
||||
return fmt.Errorf("unlock err: %w", err)
|
||||
}
|
||||
|
||||
l.Debug().Msg("wait device")
|
||||
if err := Waitdevice(mapper, 10); err != nil {
|
||||
return fmt.Errorf("waitdevice err: %w", err)
|
||||
}
|
||||
|
||||
l.Debug().Msg("format")
|
||||
cmdFormat := fmt.Sprintf("mkfs.ext4 -L %s %s", label, mapper)
|
||||
out, err := SH(cmdFormat)
|
||||
if err != nil {
|
||||
return fmt.Errorf("mkfs err: %w, out: %s", err, out)
|
||||
}
|
||||
l.Debug().Msg("close")
|
||||
out, err = SH(fmt.Sprintf("cryptsetup close %s", mapper))
|
||||
if err != nil {
|
||||
return fmt.Errorf("lock err: %w, out: %s", err, out)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func FindPartition(label string) (string, *block.Partition, error) {
|
||||
b, err := ghw.Block()
|
||||
if err == nil {
|
||||
@@ -228,5 +155,5 @@ func FindPartition(label string) (string, *block.Partition, error) {
|
||||
return "", nil, err
|
||||
}
|
||||
|
||||
return "", nil, fmt.Errorf("not found label %s", label)
|
||||
return "", nil, fmt.Errorf("not found")
|
||||
}
|
||||
|
||||
@@ -41,7 +41,7 @@ func UnlockAllWithLogger(tpm bool, logger zerolog.Logger) error {
|
||||
// Some versions of udevadm don't support --settle (e.g. alpine)
|
||||
// and older versions don't have --type=all. Try the simpler version then.
|
||||
logger.Info().Msgf("triggering udev to populate disk info")
|
||||
_, err = utils.SH("udevadm trigger --type=all || udevadm trigger")
|
||||
_, err = utils.SH("udevadm trigger --settle -v --type=all || udevadm trigger -v")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -24,5 +24,5 @@ func Waitdevice(device string, attempts int) error {
|
||||
}
|
||||
time.Sleep(1 * time.Second)
|
||||
}
|
||||
return fmt.Errorf("no device found %s", device)
|
||||
return fmt.Errorf("no device found")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user