From 0f955cd068ca67182d668a693398bdace02d4b9b Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 25 Jul 2024 11:24:41 -0400
Subject: [PATCH] Begin work on a cryptboot support for ubuntu

Start implementing a tpm2-initramfs-tool based approach. This requires a bit of an odd transition as the PCR 7 is likely to change between the install phase and the boot phase, so we have to select different PCRs, but that requires an argument to pass that crypttab does not support.
---
 .../profiles/default/autoinstall/user-data | 1 +
 .../profiles/default/scripts/post.sh | 26 ++++++++++++++++++-
 .../profiles/default/scripts/pre.sh | 12 +++++----
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data b/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data
index 5b6c9894..7c4181d4 100644
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data
@@ -10,6 +10,7 @@ autoinstall:
 storage:
 layout:
 name: lvm
+#CRYPTBOOT password: %%CRYPTPASS%%
 match:
 path: "%%INSTALLDISK%%"
 user-data:
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
index d9730889..69e1593e 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
@@ -60,10 +60,12 @@ cp /custom-installation/confluent/bin/apiclient /target/opt/confluent/bin
 mount -o bind /dev /target/dev
 mount -o bind /proc /target/proc
 mount -o bind /sys /target/sys
+mount -o bind /run /target/run
 mount -o bind /sys/firmware/efi/efivars /target/sys/firmware/efi/efivars
 if [ 1 = $updategrub ]; then
 chroot /target update-grub
 fi
+
 echo "Port 22" >> /etc/ssh/sshd_config
 echo "Port 2222" >> /etc/ssh/sshd_config
 echo "Match LocalPort 22" >> /etc/ssh/sshd_config
@@ -88,8 +90,30 @@ chroot /target bash -c "source /etc/confluent/functions; run_remote_parts post.d
 source /target/etc/confluent/functions
 run_remote_config post
+
+if [ -f /etc/confluent_lukspass ]; then
+ $lukspass=$(cat /etc/confluent_lukspass)
+ chroot /target apt install tpm2-initramfs-tool
+ chroot /target tpm2-initramfs-tool seal --data "$(lukspass)" > /dev/null
+ # The default PCR 7 mutates, and crypttab does not provide a way to pass args
+ cat > /target/usr/bin/tpm2-initramfs-tool.pcr0 << EOF
+#!/bin/sh
+tpm2-initramfs-tool -p 0 \$*
+EOF
+ chmod 755 /target/usr/bin/tpm2-initramfs-tool.pcr0
+ cat > /target/etc/initramfs-tools/hooks/tpm2-initramfs-tool < /dev/console
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
index 5db222a7..ee61ac26 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
@@ -13,11 +13,6 @@ exec 2>> /var/log/confluent/confluent-pre.log
 chmod 600 /var/log/confluent/confluent-pre.log
 cryptboot=$(grep encryptboot: $deploycfg|sed -e 's/^encryptboot: //')
-if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
- echo "****Encrypted boot requested, but not implemented for this OS, halting install" > /dev/console
- [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but not implemented for this OS,halting install" >> $(cat /tmp/autoconsdev))
- while :; do sleep 86400; done
-fi
 cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys
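Review bot: The two lines that read and seal the passphrase are both broken: `$lukspass=$(cat /etc/confluent_lukspass)` expands an empty variable and therefore assigns nothing, and `"$(lukspass)"` is a command substitution that runs a command named lukspass instead of expanding the variable, so the TPM ends up sealing an empty value and only the tool's stderr message (stdout alone goes to /dev/null) records it. They should read `lukspass=$(cat /etc/confluent_lukspass)` and `chroot /target tpm2-initramfs-tool seal --data "$lukspass" > /dev/null`. The seal call also uses the tool's default PCR selection while the `tpm2-initramfs-tool.pcr0` wrapper unseals with `-p 0`; unless the part of this hunk that is cut off in this rendering re-seals, the seal needs the same `-p 0` or unsealing at boot cannot match. Passing the passphrase through `--data` places it in a process argument list, where it is readable by any local user for the duration of the call, and `chroot /target apt install tpm2-initramfs-tool` lacks `-y`, so an unattended install can stall on the confirmation prompt. In the wrapper, `\$*` should be `"\$@"` so arguments are forwarded intact; the heredoc for the initramfs hook is truncated in this rendering, so the remainder of the block is not reviewed.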
@@ -45,6 +40,13 @@ if [ ! -e /tmp/installdisk ]; then
 python3 /custom-installation/getinstalldisk
 fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
+if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
+ lukspass=$(head -c 64 < /dev/urandom |base64)
+ sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
+ sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
+ echo $lukspass > /etc/confluent_lukspass
+
+fi
 ) &
 tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console
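Review bot: `lukspass=$(head -c 64 < /dev/urandom |base64)` yields a value with an embedded newline, because GNU base64 wraps its output at 76 columns and 64 bytes encode to 88 characters; `$(...)` removes only trailing newlines, so the unquoted `$lukspass` in `sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml` splits into two arguments and sed fails on an unterminated s command, leaving the placeholder in the autoinstall file. Use `lukspass=$(head -c 64 /dev/urandom | base64 -w0)` and quote the expansion, `sed -i "s!%%CRYPTPASS%%!$lukspass!" /autoinstall.yaml`. `echo $lukspass > /etc/confluent_lukspass` creates the passphrase file under the default umask, whereas the log earlier in this file is explicitly chmod 600; create this one restricted as well, e.g. `(umask 077; printf '%s\n' "$lukspass" > /etc/confluent_lukspass)`. The same passphrase is now written in clear text into /autoinstall.yaml, so that file's permissions deserve the same treatment, and as far as the visible hunks show nothing removes /etc/confluent_lukspass once post.sh has consumed it.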