Sign uki tpm stuff with a policy (#39)

so we can use the same functions everywhere just with a flag

Signed-off-by: Itxaka <itxaka@kairos.io>

go.mod

@@ -6,22 +6,23 @@ require (
 	github.com/anatol/luks.go v0.0.0-20230125211543-ada2562d4206
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/jaypipes/ghw v0.10.0
-	github.com/kairos-io/kairos-sdk v0.0.8
+	github.com/kairos-io/kairos-sdk v0.0.18
 	github.com/mudler/go-pluggable v0.0.0-20230126220627-7710299a0ae5
-	github.com/onsi/ginkgo/v2 v2.9.5
-	github.com/onsi/gomega v1.27.7
+	github.com/onsi/ginkgo/v2 v2.11.0
+	github.com/onsi/gomega v1.27.8
 	github.com/otiai10/copy v1.9.0
 	github.com/pkg/errors v0.9.1
-	github.com/urfave/cli v1.22.12
+	github.com/urfave/cli v1.22.14
 	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0
+	k8s.io/apimachinery v0.26.2
 )
 
 require (
-	atomicgo.dev/cursor v0.1.1 // indirect
+	atomicgo.dev/cursor v0.1.3 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	atomicgo.dev/schedule v0.0.2 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.10.0-rc.8 // indirect
+	github.com/Microsoft/hcsshim v0.11.1 // indirect
 	github.com/StackExchange/wmi v1.2.1 // indirect
 	github.com/anatol/devmapper.go v0.0.0-20220907161421-ba4de5fc0fd1 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
@@ -29,8 +30,9 @@ require (
 	github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
-	github.com/containerd/containerd v1.7.1 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/containerd v1.7.7 // indirect
+	github.com/containerd/continuity v0.4.2 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/denisbrodbeck/machineid v1.0.1 // indirect
@@ -55,36 +57,36 @@ require (
 	github.com/gookit/color v1.5.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/itchyny/gojq v0.12.12 // indirect
+	github.com/itchyny/gojq v0.12.13 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/jaypipes/pcidb v1.0.0 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/klauspost/compress v1.16.5 // indirect
-	github.com/lithammer/fuzzysearch v1.1.7 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/lithammer/fuzzysearch v1.1.8 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
-	github.com/pterm/pterm v0.12.61 // indirect
+	github.com/pterm/pterm v0.12.63 // indirect
 	github.com/qeesung/image2ascii v1.0.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/crypto v0.7.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/net v0.13.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/tools v0.9.1 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
 	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/grpc v1.53.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect

go.sum

@@ -1,6 +1,8 @@
 atomicgo.dev/assert v0.0.2 h1:FiKeMiZSgRrZsPo9qn/7vmr7mCsh5SZyXY4YGYiYwrg=
 atomicgo.dev/cursor v0.1.1 h1:0t9sxQomCTRh5ug+hAMCs59x/UmC9QL6Ci5uosINKD4=
 atomicgo.dev/cursor v0.1.1/go.mod h1:Lr4ZJB3U7DfPPOkbH7/6TOtJ4vFGHlgj1nc+n900IpU=
+atomicgo.dev/cursor v0.1.3 h1:w8GcylMdZRyFzvDiGm3wy3fhZYYT7BwaqNjUFHxo0NU=
+atomicgo.dev/cursor v0.1.3/go.mod h1:Lr4ZJB3U7DfPPOkbH7/6TOtJ4vFGHlgj1nc+n900IpU=
 atomicgo.dev/keyboard v0.2.9 h1:tOsIid3nlPLZ3lwgG8KZMp/SFmr7P0ssEN5JUsm78K8=
 atomicgo.dev/keyboard v0.2.9/go.mod h1:BC4w9g00XkxH/f1HXhW2sXmJFOCWbKn9xrOunSFtExQ=
 atomicgo.dev/schedule v0.0.2 h1:2e/4KY6t3wokja01Cyty6qgkQM8MotJzjtqCH70oX2Q=
@@ -9,6 +11,7 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/MarvinJWendt/testza v0.1.0/go.mod h1:7AxNvlfeHP7Z/hDQ5JtE3OKYT3XFUeLCDE2DQninSqs=
 github.com/MarvinJWendt/testza v0.2.1/go.mod h1:God7bhG8n6uQxwdScay+gjm9/LnO4D3kkcZX4hv9Rp8=
 github.com/MarvinJWendt/testza v0.2.8/go.mod h1:nwIcjmr0Zz+Rcwfh3/4UhBp7ePKVhuBExvZqnKYWlII=
@@ -21,6 +24,8 @@ github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migc
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Microsoft/hcsshim v0.10.0-rc.8 h1:YSZVvlIIDD1UxQpJp0h+dnpLUw+TrY0cx8obKsp3bek=
 github.com/Microsoft/hcsshim v0.10.0-rc.8/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM=
+github.com/Microsoft/hcsshim v0.11.1 h1:hJ3s7GbWlGK4YVV92sO88BQSyF4ZLVy7/awqOlPxFbA=
+github.com/Microsoft/hcsshim v0.11.1/go.mod h1:nFJmaO4Zr5Y7eADdFOpYswDDlNVbvcIJJNJLECr5JQg=
 github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA=
 github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=
 github.com/anatol/devmapper.go v0.0.0-20220907161421-ba4de5fc0fd1 h1:6ok4FQsJFooNYKiSmrVUv476cG/NYmbM0LxazuL4sZU=
@@ -44,8 +49,14 @@ github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARu
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
 github.com/containerd/containerd v1.7.1 h1:k8DbDkSOwt5rgxQ3uCI4WMKIJxIndSCBUaGm5oRn+Go=
 github.com/containerd/containerd v1.7.1/go.mod h1:gA+nJUADRBm98QS5j5RPROnt0POQSMK+r7P7EGMC/Qc=
+github.com/containerd/containerd v1.7.7 h1:QOC2K4A42RQpcrZyptP6z9EJZnlHfHJUfZrAAHe15q4=
+github.com/containerd/containerd v1.7.7/go.mod h1:3c4XZv6VeT9qgf9GMTxNTMFxGJrGpI2vz1yk4ye+YY8=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
+github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM=
+github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
@@ -135,6 +146,8 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/itchyny/gojq v0.12.12 h1:x+xGI9BXqKoJQZkr95ibpe3cdrTbY8D9lonrK433rcA=
 github.com/itchyny/gojq v0.12.12/go.mod h1:j+3sVkjxwd7A7Z5jrbKibgOLn0ZfLWkV+Awxr/pyzJE=
+github.com/itchyny/gojq v0.12.13 h1:IxyYlHYIlspQHHTE0f3cJF0NKDMfajxViuhBLnHd/QU=
+github.com/itchyny/gojq v0.12.13/go.mod h1:JzwzAqenfhrPUuwbmEz3nu3JQmFLlQTQMUcOdnu/Sf4=
 github.com/itchyny/timefmt-go v0.1.5 h1:G0INE2la8S6ru/ZI5JecgyzbbJNs5lG1RcBqa7Jm6GE=
 github.com/itchyny/timefmt-go v0.1.5/go.mod h1:nEP7L+2YmAbT2kZ2HfSs1d8Xtw9LY8D2stDBckWakZ8=
 github.com/jaypipes/ghw v0.10.0 h1:UHu9UX08Py315iPojADFPOkmjTsNzHj4g4adsNKKteY=
@@ -146,6 +159,12 @@ github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/kairos-io/kairos-sdk v0.0.8 h1:3yfxdmUuJoN7ePg+ogpH1PJvuMsLmLcxEXuWoiGdIrg=
 github.com/kairos-io/kairos-sdk v0.0.8/go.mod h1:Z+1CLqMZq97bzwX2XSIArr8EoniMth3mMYkOOb8L3QY=
+github.com/kairos-io/kairos-sdk v0.0.15 h1:1hcnRfKlBzDWcZ8z7UrUqJ2v6GafCHZknPqm90iTZdU=
+github.com/kairos-io/kairos-sdk v0.0.15/go.mod h1:Ew3NKFuXByu3Y3yGu8Q92M3oMqsXrg2VilouubdhYqA=
+github.com/kairos-io/kairos-sdk v0.0.16 h1:Zq+ALQTpv6T8wghkNpFGWzeeGvzcAf/i5m89Vlo+4vA=
+github.com/kairos-io/kairos-sdk v0.0.16/go.mod h1:6Y9RGvKU/B99euFE32OYrabLLsSVjjemCfyRgiEHuKE=
+github.com/kairos-io/kairos-sdk v0.0.18 h1:eV4pf91MTG1Kho1AiA+9C4JnV9g/yvpyLy1g4JRtOEI=
+github.com/kairos-io/kairos-sdk v0.0.18/go.mod h1:17dpFG2d3Q/TcT86DlLK5nNXEjlSrkYl7bsvO2cpYGE=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -162,8 +181,12 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/lithammer/fuzzysearch v1.1.7 h1:q8rZNmBIUkqxsxb/IlwsXVbCoPIH/0juxjFHY0UIwhU=
 github.com/lithammer/fuzzysearch v1.1.7/go.mod h1:ZhIlfRGxnD8qa9car/yplC6GmnM14CS07BYAKJJBK2I=
+github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
+github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
 github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -186,11 +209,15 @@ github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M=
 github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
 github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
+github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
+github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
 github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
 github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
+github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
+github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
@@ -216,6 +243,8 @@ github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5b
 github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s=
 github.com/pterm/pterm v0.12.61 h1:cZFweZ0C4zbBsusyThfgqg0KU0PTnq5xupnGN3Ytxzc=
 github.com/pterm/pterm v0.12.61/go.mod h1:07yyGZKQr8BpKKBaOZI1qKzzngqUisHdSYR4fQ9Nb4g=
+github.com/pterm/pterm v0.12.63 h1:fHlrpFiI9qLtEU0TWDWMU+tAt4qKJ/s157BEAPtGm8w=
+github.com/pterm/pterm v0.12.63/go.mod h1:Bq1eoUJ6BhUzzXG8WxA4l7T3s7d3Ogwg7v9VXlsVat0=
 github.com/qeesung/image2ascii v1.0.1 h1:Fe5zTnX/v/qNC3OC4P/cfASOXS501Xyw2UUcgrLgtp4=
 github.com/qeesung/image2ascii v1.0.1/go.mod h1:kZKhyX0h2g/YXa/zdJR3JnLnJ8avHjZ3LrvEKSYyAyU=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -227,6 +256,8 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
@@ -238,9 +269,12 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tmc/scp v0.0.0-20170824174625-f7b48647feef h1:7D6Nm4D6f0ci9yttWaKjM1TMAXrH5Su72dojqYGntFY=
 github.com/urfave/cli v1.22.12 h1:igJgVw1JdKH+trcLWLeLwZjU9fEfPesQ+9/e4MQ44S8=
 github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
+github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
+github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
 github.com/wayneashleyberry/terminal-dimensions v1.1.0 h1:EB7cIzBdsOzAgmhTUtTTQXBByuPheP/Zv1zL2BRPY6g=
@@ -259,6 +293,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20220916125017-b168a2c6b86b h1:SCE/18RnFsLrjydh/R/s5EVvHoZprqEQUuoxK8q2Pc4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -287,6 +323,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY=
+golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -320,8 +358,11 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -329,6 +370,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -337,6 +380,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -350,6 +395,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
 golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM=
+golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -403,3 +450,5 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
+k8s.io/apimachinery v0.26.2 h1:da1u3D5wfR5u2RpLhE/ZtZS2P7QvDgLZTi9wrNZl/tQ=
+k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=

main.go

@@ -3,230 +3,13 @@ package main
 import (
 	"fmt"
 	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"time"
 
-	"github.com/gofrs/uuid"
-	"github.com/jaypipes/ghw"
-	"github.com/jaypipes/ghw/pkg/block"
-	configpkg "github.com/kairos-io/kcrypt/pkg/config"
 	"github.com/kairos-io/kcrypt/pkg/lib"
-	cp "github.com/otiai10/copy"
 	"github.com/urfave/cli"
 )
 
 var Version = "v0.0.0-dev"
 
-func waitdevice(device string, attempts int) error {
-	for tries := 0; tries < attempts; tries++ {
-		_, err := sh("udevadm settle")
-		if err != nil {
-			return err
-		}
-		_, err = os.Lstat(device)
-		if !os.IsNotExist(err) {
-			return nil
-		}
-		time.Sleep(1 * time.Second)
-	}
-	return fmt.Errorf("no device found")
-}
-
-func createLuks(dev, password, version string, cryptsetupArgs ...string) error {
-	if version == "" {
-		version = "luks2"
-	}
-	args := []string{"luksFormat", "--type", version, "--iter-time", "5", "-q", dev}
-	args = append(args, cryptsetupArgs...)
-	cmd := exec.Command("cryptsetup", args...)
-	cmd.Stdin = strings.NewReader(password)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err := cmd.Run()
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// TODO: A crypt disk utility to call after install, that with discovery discoveries the password that should be used
-// this function should delete COS_PERSISTENT. delete the partition and create a luks+type in place.
-
-// Take a part label, and recreates it with LUKS. IT OVERWRITES DATA!
-// On success, it returns a machine parseable string with the partition information
-// (label:name:uuid) so that it can be stored by the caller for later use.
-// This is because the label of the encrypted partition is not accessible unless
-// the partition is decrypted first and the uuid changed after encryption so
-// any stored information needs to be updated (by the caller).
-func luksify(label string) (string, error) {
-	// blkid
-	persistent, b, err := findPartition(label)
-	if err != nil {
-		return "", err
-	}
-
-	pass, err := lib.GetPassword(b)
-	if err != nil {
-		return "", err
-	}
-
-	persistent = fmt.Sprintf("/dev/%s", persistent)
-	devMapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
-	partUUID := uuid.NewV5(uuid.NamespaceURL, label)
-
-	if err := createLuks(persistent, pass, "luks1", []string{"--uuid", partUUID.String()}...); err != nil {
-		return "", err
-	}
-
-	if err := lib.LuksUnlock(persistent, b.Name, pass); err != nil {
-		return "", err
-	}
-
-	if err := waitdevice(devMapper, 10); err != nil {
-		return "", err
-	}
-
-	cmd := fmt.Sprintf("mkfs.ext4 -L %s %s", label, devMapper)
-	out, err := sh(cmd)
-	if err != nil {
-		return "", fmt.Errorf("err: %w, out: %s", err, out)
-	}
-
-	out2, err := sh(fmt.Sprintf("cryptsetup close %s", b.Name))
-	if err != nil {
-		return "", fmt.Errorf("err: %w, out: %s", err, out2)
-	}
-
-	return configpkg.PartitionToString(b), nil
-}
-
-func findPartition(label string) (string, *block.Partition, error) {
-	b, err := ghw.Block()
-	if err == nil {
-		for _, disk := range b.Disks {
-			for _, p := range disk.Partitions {
-				if p.FilesystemLabel == label {
-					return p.Name, p, nil
-				}
-
-			}
-		}
-	} else {
-		return "", nil, err
-	}
-
-	return "", nil, fmt.Errorf("not found")
-}
-
-func sh(c string) (string, error) {
-	o, err := exec.Command("/bin/sh", "-c", c).CombinedOutput()
-	return string(o), err
-}
-
-const (
-	GZType   = "gz"
-	XZType   = "xz"
-	LZMAType = "lzma"
-)
-
-// TODO: replace with golang native code
-func detect(archive string) (string, error) {
-	out, err := sh(fmt.Sprintf("file %s", archive))
-	if err != nil {
-		return "", err
-	}
-	out = strings.ToLower(out)
-	if strings.Contains(out, "xz") {
-		return XZType, nil
-
-	} else if strings.Contains(out, "lzma") {
-		return LZMAType, nil
-
-	} else if strings.Contains(out, "gz") {
-		return GZType, nil
-
-	}
-
-	return "", fmt.Errorf("Unknown")
-}
-
-// TODO: replace with golang native code
-func extractInitrd(initrd string, dst string) error {
-	var out string
-	var err error
-	err = os.MkdirAll(dst, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	format, err := detect(initrd)
-	if err != nil {
-		return err
-	}
-	if format == XZType || format == LZMAType {
-		out, err = sh(fmt.Sprintf("cd %s && xz -dc <  %s | cpio -idmv", dst, initrd))
-	} else if format == GZType {
-		out, err = sh(fmt.Sprintf("cd %s && zcat %s | cpio -idmv", dst, initrd))
-	}
-	fmt.Println(out)
-
-	return err
-}
-
-func createInitrd(initrd string, src string, format string) error {
-	fmt.Printf("Creating '%s' from '%s' as '%s'\n", initrd, src, format)
-
-	if _, err := os.Stat(src); err != nil {
-		return err
-	}
-	var err error
-	var out string
-	if format == XZType {
-		out, err = sh(fmt.Sprintf("cd %s && find . 2>/dev/null | cpio -H newc --quiet --null -o -R root:root | xz -0 --check=crc32 > %s", src, initrd))
-	} else if format == GZType {
-		out, err = sh(fmt.Sprintf("cd %s && find . | cpio -H newc -o -R root:root | gzip -9 > %s", src, initrd))
-	} else if format == LZMAType {
-		out, err = sh(fmt.Sprintf("cd %s && find . 2>/dev/null | cpio -H newc -o -R root:root | xz -9 --format=lzma > %s", src, initrd))
-	}
-	fmt.Println(out)
-
-	return err
-}
-
-// TODO: A inject initramfs command to add the discovery e.g. to use inside Dockerfiles
-
-func injectInitrd(initrd string, file, dst string) error {
-
-	fmt.Printf("Injecting '%s' as '%s' into '%s'\n", file, dst, initrd)
-	format, err := detect(initrd)
-	if err != nil {
-		return err
-	}
-	tmp, err := os.MkdirTemp("", "kcrypt")
-	if err != nil {
-		return fmt.Errorf("cannot create tempdir, %s", err)
-	}
-	defer os.RemoveAll(tmp)
-
-	fmt.Printf("Extracting '%s' in '%s' ...\n", initrd, tmp)
-	if err := extractInitrd(initrd, tmp); err != nil {
-		return fmt.Errorf("cannot extract initrd, %s", err)
-	}
-
-	d := filepath.Join(tmp, dst)
-	fmt.Printf("Copying '%s' in '%s' ...\n", file, d)
-	if err := cp.Copy(file, d); err != nil {
-		return fmt.Errorf("cannot copy file, %s", err)
-	}
-
-	return createInitrd(initrd, tmp, format)
-}
-
-// TODO: a custom toolkit version, to build out initrd pre-built with this component
-
 func main() {
 	app := &cli.App{
 		Name:        "kairos-kcrypt",
@@ -237,25 +20,28 @@ func main() {
 		UsageText:   ``,
 		Copyright:   "Ettore Di Giacinto",
 		Commands: []cli.Command{
-			{
-
-				Name: "extract-initrd",
-				Action: func(c *cli.Context) error {
-					if c.NArg() != 2 {
-						return fmt.Errorf("requires 3 args. initrd,, dst")
-					}
-					return extractInitrd(c.Args()[0], c.Args()[1])
-				},
-			},
 			{
 
 				Name:        "encrypt",
 				Description: "Encrypts a partition",
+				Usage:       "Encrypts a partition",
+				ArgsUsage:   "kcrypt [--version VERSION] [--tpm] LABEL",
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:  "version",
+						Value: "luks1",
+						Usage: "luks version to use",
+					},
+					&cli.BoolFlag{
+						Name:  "tpm",
+						Usage: "Use TPM to lock the partition",
+					},
+				},
 				Action: func(c *cli.Context) error {
 					if c.NArg() != 1 {
 						return fmt.Errorf("requires 1 arg, the partition label")
 					}
-					out, err := luksify(c.Args().First())
+					out, err := lib.Luksify(c.Args().First(), c.String("version"), c.Bool("tpm"))
 					if err != nil {
 						return err
 					}
@@ -263,30 +49,42 @@ func main() {
 					return nil
 				},
 			},
+
+			{
+				Name:        "unlock-all",
+				UsageText:   "unlock-all",
+				Usage:       "Try to unlock all LUKS partitions",
+				Description: "Typically run during initrd to unlock all the LUKS partitions found",
+				ArgsUsage:   "kcrypt [--tpm] unlock-all",
+				Flags: []cli.Flag{
+					&cli.BoolFlag{
+						Name:  "tpm",
+						Usage: "Use TPM to unlock the partition",
+					},
+				},
+				Action: func(c *cli.Context) error {
+					return lib.UnlockAll(c.Bool("tpm"))
+				},
+			},
 			{
 
-				Name: "inject-initrd",
+				Name:   "extract-initrd",
+				Hidden: true,
+				Action: func(c *cli.Context) error {
+					if c.NArg() != 2 {
+						return fmt.Errorf("requires 3 args. initrd,, dst")
+					}
+					return lib.ExtractInitrd(c.Args()[0], c.Args()[1])
+				},
+			},
+			{
+				Name:   "inject-initrd",
+				Hidden: true,
 				Action: func(c *cli.Context) error {
 					if c.NArg() != 3 {
 						return fmt.Errorf("requires 3 args. initrd, srcfile, dst")
 					}
-					return injectInitrd(c.Args()[0], c.Args()[1], c.Args()[2])
-				},
-			},
-			{
-				Name:      "unlock-all",
-				UsageText: "unlock-all",
-				Usage:     "Try to unlock all LUKS partitions",
-				Description: `
-Typically run during initrd to unlock all the LUKS partitions found
-		`,
-				ArgsUsage: "kcrypt unlock-all",
-				Flags: []cli.Flag{
-
-					&cli.StringFlag{},
-				},
-				Action: func(c *cli.Context) error {
-					return lib.UnlockAll()
+					return lib.InjectInitrd(c.Args()[0], c.Args()[1], c.Args()[2])
 				},
 			},
 		},

pkg/lib/initrd.go

@@ -0,0 +1,104 @@
+package lib
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	cp "github.com/otiai10/copy"
+)
+
+const (
+	GZType   = "gz"
+	XZType   = "xz"
+	LZMAType = "lzma"
+)
+
+func createInitrd(initrd string, src string, format string) error {
+	fmt.Printf("Creating '%s' from '%s' as '%s'\n", initrd, src, format)
+
+	if _, err := os.Stat(src); err != nil {
+		return err
+	}
+	var err error
+	var out string
+	if format == XZType {
+		out, err = SH(fmt.Sprintf("cd %s && find . 2>/dev/null | cpio -H newc --quiet --null -o -R root:root | xz -0 --check=crc32 > %s", src, initrd))
+	} else if format == GZType {
+		out, err = SH(fmt.Sprintf("cd %s && find . | cpio -H newc -o -R root:root | gzip -9 > %s", src, initrd))
+	} else if format == LZMAType {
+		out, err = SH(fmt.Sprintf("cd %s && find . 2>/dev/null | cpio -H newc -o -R root:root | xz -9 --format=lzma > %s", src, initrd))
+	}
+	fmt.Println(out)
+
+	return err
+}
+
+func InjectInitrd(initrd string, file, dst string) error {
+	fmt.Printf("Injecting '%s' as '%s' into '%s'\n", file, dst, initrd)
+	format, err := detect(initrd)
+	if err != nil {
+		return err
+	}
+	tmp, err := os.MkdirTemp("", "kcrypt")
+	if err != nil {
+		return fmt.Errorf("cannot create tempdir, %s", err)
+	}
+	defer os.RemoveAll(tmp)
+
+	fmt.Printf("Extracting '%s' in '%s' ...\n", initrd, tmp)
+	if err := ExtractInitrd(initrd, tmp); err != nil {
+		return fmt.Errorf("cannot extract initrd, %s", err)
+	}
+
+	d := filepath.Join(tmp, dst)
+	fmt.Printf("Copying '%s' in '%s' ...\n", file, d)
+	if err := cp.Copy(file, d); err != nil {
+		return fmt.Errorf("cannot copy file, %s", err)
+	}
+
+	return createInitrd(initrd, tmp, format)
+}
+
+func ExtractInitrd(initrd string, dst string) error {
+	var out string
+	var err error
+	err = os.MkdirAll(dst, os.ModePerm)
+	if err != nil {
+		return err
+	}
+
+	format, err := detect(initrd)
+	if err != nil {
+		return err
+	}
+	if format == XZType || format == LZMAType {
+		out, err = SH(fmt.Sprintf("cd %s && xz -dc <  %s | cpio -idmv", dst, initrd))
+	} else if format == GZType {
+		out, err = SH(fmt.Sprintf("cd %s && zcat %s | cpio -idmv", dst, initrd))
+	}
+	fmt.Println(out)
+
+	return err
+}
+
+func detect(archive string) (string, error) {
+	out, err := SH(fmt.Sprintf("file %s", archive))
+	if err != nil {
+		return "", err
+	}
+	out = strings.ToLower(out)
+	if strings.Contains(out, "xz") {
+		return XZType, nil
+
+	} else if strings.Contains(out, "lzma") {
+		return LZMAType, nil
+
+	} else if strings.Contains(out, "gz") {
+		return GZType, nil
+
+	}
+
+	return "", fmt.Errorf("Unknown")
+}

pkg/lib/lock.go

@@ -0,0 +1,137 @@
+package lib
+
+import (
+	"fmt"
+	"github.com/gofrs/uuid"
+	"github.com/jaypipes/ghw"
+	"github.com/jaypipes/ghw/pkg/block"
+	configpkg "github.com/kairos-io/kcrypt/pkg/config"
+	"k8s.io/apimachinery/pkg/util/rand"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+func CreateLuks(dev, password, version string, cryptsetupArgs ...string) error {
+	if version == "" {
+		version = "luks2"
+	}
+	args := []string{"luksFormat", "--type", version, "--iter-time", "5", "-q", dev}
+	args = append(args, cryptsetupArgs...)
+	cmd := exec.Command("cryptsetup", args...)
+	cmd.Stdin = strings.NewReader(password)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err := cmd.Run()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Luksify Take a part label, and recreates it with LUKS. IT OVERWRITES DATA!
+// On success, it returns a machine parseable string with the partition information
+// (label:name:uuid) so that it can be stored by the caller for later use.
+// This is because the label of the encrypted partition is not accessible unless
+// the partition is decrypted first and the uuid changed after encryption so
+// any stored information needs to be updated (by the caller).
+func Luksify(label, version string, tpm bool) (string, error) {
+	var pass string
+	if version == "" {
+		version = "luks1"
+	}
+	if version != "luks1" && version != "luks2" {
+		return "", fmt.Errorf("version must be luks1 or luks2")
+	}
+
+	part, b, err := FindPartition(label)
+	if err != nil {
+		return "", err
+	}
+
+	if tpm {
+		// On TPM locking we generate a random password that will only be used here then discarded.
+		// only unlocking method will be PCR values
+		pass = rand.String(32)
+	} else {
+		pass, err = GetPassword(b)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	part = fmt.Sprintf("/dev/%s", part)
+	devMapper := fmt.Sprintf("/dev/mapper/%s", b.Name)
+	partUUID := uuid.NewV5(uuid.NamespaceURL, label)
+
+	extraArgs := []string{"--uuid", partUUID.String()}
+
+	if err := CreateLuks(part, pass, version, extraArgs...); err != nil {
+		return "", err
+	}
+	if tpm {
+		// Enroll PCR policy as a keyslot
+		// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
+		// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
+		// Files are generated by systemd automatically and are extracted from the UKI binary directly
+		// public pem cert -> .pcrpkey section fo the elf file
+		// signatures -> .pcrsig section of the elf file
+		args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
+		cmd := exec.Command("systemd-cryptenroll", args...)
+		cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		err := cmd.Run()
+		if err != nil {
+			return "", err
+		}
+	}
+
+	if err := LuksUnlock(part, b.Name, pass); err != nil {
+		return "", fmt.Errorf("unlock err: %w", err)
+	}
+
+	if err := Waitdevice(devMapper, 10); err != nil {
+		return "", fmt.Errorf("waitdevice err: %w", err)
+	}
+
+	cmd := fmt.Sprintf("mkfs.ext4 -L %s %s", label, devMapper)
+	out, err := SH(cmd)
+	if err != nil {
+		return "", fmt.Errorf("mkfs err: %w, out: %s", err, out)
+	}
+
+	out, err = SH(fmt.Sprintf("cryptsetup close %s", b.Name))
+	if err != nil {
+		return "", fmt.Errorf("lock err: %w, out: %s", err, out)
+	}
+
+	if tpm {
+		// Delete password slot from luks device
+		out, err := SH(fmt.Sprintf("systemd-cryptenroll --wipe-slot=password %s", part))
+		if err != nil {
+			return "", fmt.Errorf("err: %w, out: %s", err, out)
+		}
+	}
+
+	return configpkg.PartitionToString(b), nil
+}
+
+func FindPartition(label string) (string, *block.Partition, error) {
+	b, err := ghw.Block()
+	if err == nil {
+		for _, disk := range b.Disks {
+			for _, p := range disk.Partitions {
+				if p.FilesystemLabel == label {
+					return p.Name, p, nil
+				}
+
+			}
+		}
+	} else {
+		return "", nil, err
+	}
+
+	return "", nil, fmt.Errorf("not found")
+}

pkg/lib/unlock.go

@@ -15,7 +15,7 @@ import (
 )
 
 // UnlockAll Unlocks all encrypted devices found in the system
-func UnlockAll() error {
+func UnlockAll(tpm bool) error {
 	bus.Manager.Initialize()
 
 	config, err := configpkg.GetConfiguration(configpkg.ConfigScanDirs)
@@ -52,9 +52,17 @@ func UnlockAll() error {
 				// We mount it under /dev/mapper/DEVICE, so It's pretty easy to check
 				if !utils.Exists(filepath.Join("/dev", "mapper", p.Name)) {
 					fmt.Printf("Unmounted Luks found at '%s' LABEL '%s' \n", filepath.Join("/dev", p.Name), p.FilesystemLabel)
-					err = UnlockDisk(p)
-					if err != nil {
-						fmt.Printf("Unlocking failed: '%s'\n", err.Error())
+					if tpm {
+						out, err := utils.SH(fmt.Sprintf("/usr/lib/systemd/systemd-cryptsetup attach %s %s - tpm2-device=auto", p.Name, filepath.Join("/dev", p.Name)))
+						if err != nil {
+							fmt.Printf("Unlocking failed: '%s'\n", err.Error())
+							fmt.Printf("Unlocking failed, command output: '%s'\n", out)
+						}
+					} else {
+						err = UnlockDisk(p)
+						if err != nil {
+							fmt.Printf("Unlocking failed: '%s'\n", err.Error())
+						}
 					}
 				} else {
 					fmt.Printf("Device %s seems to be mounted at %s, skipping\n", filepath.Join("/dev", p.Name), filepath.Join("/dev", "mapper", p.Name))

pkg/lib/utils.go

@@ -0,0 +1,28 @@
+package lib
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"time"
+)
+
+func SH(c string) (string, error) {
+	o, err := exec.Command("/bin/sh", "-c", c).CombinedOutput()
+	return string(o), err
+}
+
+func Waitdevice(device string, attempts int) error {
+	for tries := 0; tries < attempts; tries++ {
+		_, err := SH("udevadm settle")
+		if err != nil {
+			return err
+		}
+		_, err = os.Lstat(device)
+		if !os.IsNotExist(err) {
+			return nil
+		}
+		time.Sleep(1 * time.Second)
+	}
+	return fmt.Errorf("no device found")
+}

renovate.json

@@ -2,5 +2,17 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base"
+  ],
+  "schedule": [
+    "after 11pm every weekday",
+    "before 7am every weekday",
+    "every weekend"
+  ],
+  "timezone": "Europe/Brussels",
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    }
   ]
 }