Begin work on a cryptboot support for ubuntu

Start implementing a tpm2-initramfs-tool based approach.

This requires a bit of an odd transition as the PCR 7 is likely
to change between the install phase and the boot phase, so
we have to select different PCRs, but that requires
an argument to pass that crypttab does not support.

confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data

@@ -10,6 +10,7 @@ autoinstall:
   storage:
     layout:
       name: lvm
+#CRYPTBOOT      password: %%CRYPTPASS%%
       match:
         path: "%%INSTALLDISK%%"
   user-data:

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh

@@ -60,10 +60,12 @@ cp /custom-installation/confluent/bin/apiclient /target/opt/confluent/bin
 mount -o bind /dev /target/dev
 mount -o bind /proc /target/proc
 mount -o bind /sys /target/sys
+mount -o bind /run /target/run
 mount -o bind /sys/firmware/efi/efivars /target/sys/firmware/efi/efivars
 if [ 1 = $updategrub ]; then
     chroot /target update-grub
 fi
+
 echo "Port 22" >> /etc/ssh/sshd_config
 echo "Port 2222" >> /etc/ssh/sshd_config
 echo "Match LocalPort 22" >> /etc/ssh/sshd_config
@@ -88,8 +90,30 @@ chroot /target bash -c "source /etc/confluent/functions; run_remote_parts post.d
 source /target/etc/confluent/functions
 
 run_remote_config post
+
+if [ -f /etc/confluent_lukspass ]; then
+    $lukspass=$(cat /etc/confluent_lukspass)
+    chroot /target apt install tpm2-initramfs-tool
+    chroot /target tpm2-initramfs-tool seal --data "$(lukspass)" > /dev/null
+    # The default PCR 7 mutates, and crypttab does not provide a way to pass args
+    cat > /target/usr/bin/tpm2-initramfs-tool.pcr0 << EOF
+#!/bin/sh
+tpm2-initramfs-tool -p 0 \$*
+EOF
+    chmod 755 /target/usr/bin/tpm2-initramfs-tool.pcr0
+    cat > /target/etc/initramfs-tools/hooks/tpm2-initramfs-tool <<EOF
+. /usr/share/initramfs-tools/hook-functions
+
+copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
+copy_exec /usr/bin/tpm2-initramfs-tool
+copy_exec /usr/bin/tpm2-initramfs-tool.pcr0
+EOF
+    chmod 755 /target/etc/initramfs-tools/hooks/tpm2-initramfs-tool
+    chroot /target update-initramfs -u
+fi
 python3 /opt/confluent/bin/apiclient /confluent-api/self/updatestatus  -d 'status: staged'
 
-umount /target/sys /target/dev /target/proc
+
+umount /target/sys /target/dev /target/proc /target/run
 ) &
 tail --pid $! -n 0 -F /target/var/log/confluent/confluent-post.log > /dev/console

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh

@@ -13,11 +13,6 @@ exec 2>> /var/log/confluent/confluent-pre.log
 chmod 600 /var/log/confluent/confluent-pre.log
 
 cryptboot=$(grep encryptboot: $deploycfg|sed -e 's/^encryptboot: //')
-if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
-   echo "****Encrypted boot requested, but not implemented for this OS, halting install" > /dev/console
-   [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but not implemented for this OS,halting install" >> $(cat /tmp/autoconsdev))
-   while :; do sleep 86400; done
-fi
 
 
 cat /custom-installation/ssh/*pubkey > /root/.ssh/authorized_keys
@@ -45,6 +40,13 @@ if [ ! -e /tmp/installdisk ]; then
     python3 /custom-installation/getinstalldisk
 fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
+if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
+    lukspass=$(head -c 64 < /dev/urandom |base64)
+    sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
+    sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
+    echo $lukspass > /etc/confluent_lukspass
+
+fi
 ) &
 tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console