Amend cryptboot implementation for Ubuntu 22/24, EL8/EL9

Provide mechanism for administrator to place a custom
key for potential interactive recovery into
/var/lib/confluent/private/os/<profile>/pending/luks.key

If not provided, generate a unique one for each install.

Either way, persist the key in /etc/confluent/luks.key, to
facilitate later resealing if the user wants (clevis nor systemd
prior to 256 supports unlock via TPM2, so keyfile is required
for now).

Migrating to otherwise escrowed passphrases and/or sealing to
specific TPMs will be left to operators and/or third parties.

confluent_osdeploy/el8/profiles/default/scripts/pre.sh

@@ -90,8 +90,14 @@ touch /tmp/cryptpkglist
 touch /tmp/pkglist
 touch /tmp/addonpackages
 if [ "$cryptboot" == "tpm2" ]; then
-	LUKSPARTY="--encrypted --passphrase=$(cat /etc/confluent/confluent.apikey)"
-	echo $cryptboot >> /tmp/cryptboot
+    lukspass=$(python3 /opt/confluent/bin/apiclient /confluent-api/self/profileprivate/pending/luks.key 2> /dev/null)
+     if [ -z "$lukspass" ]; then
+        lukspass=$(python3 -c 'import os;import base64;print(base64.b64encode(os.urandom(66)).decode())')
+    fi
+    echo $lukspass > /etc/confluent/luks.key
+    chmod 000 /etc/confluent/luks.key
+    LUKSPARTY="--encrypted --passphrase=$lukspass"
+    echo $cryptboot >> /tmp/cryptboot
     echo clevis-dracut >> /tmp/cryptpkglist
 fi
 

confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
 cryptdisk=$(blkid -t TYPE="crypto_LUKS"|sed -e s/:.*//)
-clevis luks bind -f -d $cryptdisk -k - tpm2 '{}' < /etc/confluent/confluent.apikey
-cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
+clevis luks bind -f -d $cryptdisk -k /etc/cofluent/luks.key tpm2 '{}'
+chmod 000 /etc/confluent/luks.key
+#cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh

@@ -105,6 +105,8 @@ if [ -f /etc/confluent_lukspass ]; then
         wall "Unable to find $CRYPTTAB_SOURCE, halting install"
         while :; do sleep 86400; done
     fi
+    cp /etc/confluent_lukspass /target/etc/confluent/luks.key
+    chmod 000 /target/etc/confluent/luks.key
     lukspass=$(cat /etc/confluent_lukspass)
     chroot /target apt install libtss2-rc0
     PASSWORD=$lukspass chroot /target  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" $CRYPTTAB_SOURCE

confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh

@@ -41,7 +41,10 @@ if [ ! -e /tmp/installdisk ]; then
 fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
 if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
-    lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
+    lukspass=$(python3 /opt/confluent/bin/apiclient /confluent-api/self/profileprivate/pending/luks.key 2> /dev/null)
+    if [ -z "$lukspass" ]; then
+        lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
+    fi
     export lukspass
     run_remote_python addcrypt
     if ! grep 'password:' /autoinstall.yaml > /dev/null; then
@@ -52,7 +55,7 @@ if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
     sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
     sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
     echo -n $lukspass > /etc/confluent_lukspass
-
+    chmod 000 /etc/confluent_lukspass
 fi
 ) &
 tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console