From 329f2b4485fc26005525bd11616cc95d1641e0d3 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 29 Jul 2024 10:17:14 -0400
Subject: [PATCH] Amend cryptboot implementation for Ubuntu 22/24, EL8/EL9

Provide mechanism for administrator to place a custom key for potential interactive recovery into /var/lib/confluent/private/os//pending/luks.key If not provided, generate a unique one for each install. Either way, persist the key in /etc/confluent/luks.key, to facilitate later resealing if the user wants (clevis nor systemd prior to 256 supports unlock via TPM2, so keyfile is required for now). Migrating to otherwise escrowed passphrases and/or sealing to specific TPMs will be left to operators and/or third parties.
---
 confluent_osdeploy/el8/profiles/default/scripts/pre.sh | 10 ++++++++--
 .../el8/profiles/default/scripts/tpm_luks.sh | 5 +++--
 .../ubuntu22.04/profiles/default/scripts/post.sh | 2 ++
 .../ubuntu22.04/profiles/default/scripts/pre.sh | 7 +++++--
 4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/confluent_osdeploy/el8/profiles/default/scripts/pre.sh b/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
index 4deff814..880d22ac 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/pre.sh
@@ -90,8 +90,14 @@ touch /tmp/cryptpkglist
 touch /tmp/pkglist
 touch /tmp/addonpackages
 if [ "$cryptboot" == "tpm2" ]; then
- LUKSPARTY="--encrypted --passphrase=$(cat /etc/confluent/confluent.apikey)"
- echo $cryptboot >> /tmp/cryptboot
+ lukspass=$(python3 /opt/confluent/bin/apiclient /confluent-api/self/profileprivate/pending/luks.key 2> /dev/null)
+ if [ -z "$lukspass" ]; then
+ lukspass=$(python3 -c 'import os;import base64;print(base64.b64encode(os.urandom(66)).decode())')
+ fi
+ echo $lukspass > /etc/confluent/luks.key
+ chmod 000 /etc/confluent/luks.key
+ LUKSPARTY="--encrypted --passphrase=$lukspass"
+ echo $cryptboot >> /tmp/cryptboot
 echo clevis-dracut >> /tmp/cryptpkglist
 fi
 
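Review bot: `echo $lukspass > /etc/confluent/luks.key` creates the keyfile under the installer's default umask and only the `chmod 000` on the following line tightens it, so the LUKS passphrase is briefly readable by any local user in the install environment; create it restrictively instead, `(umask 077; printf '%s' "$lukspass" > /etc/confluent/luks.key)`, and keep the `chmod` after it. `echo` also appends a trailing newline, whereas the Ubuntu side of this same patch writes the value with `echo -n`; whether every later consumer of the keyfile strips that newline is not visible here, so writing it identically on both profiles would remove the doubt. The `2> /dev/null` fallback to a random key also cannot distinguish "no pending/luks.key was provided" from "the apiclient call failed", so an operator's recovery key could be silently replaced — at minimum log when the random path is taken.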
diff --git a/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh b/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh
index df9c857f..c457ffd4 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
 cryptdisk=$(blkid -t TYPE="crypto_LUKS"|sed -e s/:.*//)
-clevis luks bind -f -d $cryptdisk -k - tpm2 '{}' < /etc/confluent/confluent.apikey
-cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
+clevis luks bind -f -d $cryptdisk -k /etc/cofluent/luks.key tpm2 '{}'
+chmod 000 /etc/confluent/luks.key
+#cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
index 4af3a01f..a86695ca 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
@@ -105,6 +105,8 @@ if [ -f /etc/confluent_lukspass ]; then
 wall "Unable to find $CRYPTTAB_SOURCE, halting install"
 while :; do sleep 86400; done
 fi
+ cp /etc/confluent_lukspass /target/etc/confluent/luks.key
+ chmod 000 /target/etc/confluent/luks.key
 lukspass=$(cat /etc/confluent_lukspass)
 chroot /target apt install libtss2-rc0
 PASSWORD=$lukspass chroot /target systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" $CRYPTTAB_SOURCE
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
index 4ec3f822..5b609565 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
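Review bot: The new `clevis luks bind` line reads the keyfile from `/etc/cofluent/luks.key` (missing an `n`), while pre.sh writes it to `/etc/confluent/luks.key` and the very next line in this hunk chmods that spelling, so the bind will fail on a nonexistent file and the TPM2 slot is never enrolled. Fix the path and stop the script falling through silently when the bind fails: `clevis luks bind -f -d "$cryptdisk" -k /etc/confluent/luks.key tpm2 '{}' || exit 1`. The `'{}'` policy is unchanged from before, and if I read clevis's tpm2 pin correctly an empty policy binds to no PCRs, so the passphrase is released regardless of boot state — consistent with the commit message's caveat, but worth a comment on that line.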
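Review bot: The added `cp /etc/confluent_lukspass /target/etc/confluent/luks.key` assumes `/target/etc/confluent` already exists and checks nothing; if it does not, the copy and the following `chmod` both fail, the script still proceeds to `systemd-cryptenroll`, and the installed system ends up without the persisted key the commit message promises. Whether an earlier part of post.sh creates that directory is outside this hunk, so either create it here or use a form that does and fails loudly: `install -D -m 000 /etc/confluent_lukspass /target/etc/confluent/luks.key || exit 1`. The enclosing `if [ -f /etc/confluent_lukspass ]` block starts before this hunk and continues after it.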
@@ -41,7 +41,10 @@ if [ ! -e /tmp/installdisk ]; then
 fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
 if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
- lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
+ lukspass=$(python3 /opt/confluent/bin/apiclient /confluent-api/self/profileprivate/pending/luks.key 2> /dev/null)
+ if [ -z "$lukspass" ]; then
+ lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
+ fi
 export lukspass
 run_remote_python addcrypt
 if ! grep 'password:' /autoinstall.yaml > /dev/null; then
@@ -52,7 +55,7 @@ if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
 sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
 sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
 echo -n $lukspass > /etc/confluent_lukspass
-
+ chmod 000 /etc/confluent_lukspass
 fi
 ) &
 tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console
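Review bot: `lukspass` can now be an operator-supplied string fetched from `profileprivate/pending/luks.key` rather than a base64 value, but nothing checks its contents before it is substituted into `/autoinstall.yaml` with `sed -i s!%%CRYPTPASS%%!$lukspass!` in the next hunk; a key containing `!`, `&`, `\` or a newline would corrupt that substitution or the YAML, or leave the installed passphrase different from the one persisted to `/etc/confluent_lukspass`. Validate it right after the fetch, e.g. `case "$lukspass" in *[!A-Za-z0-9+/=]*) echo "pending/luks.key contains characters unsafe for autoinstall substitution" >&2; exit 1;; esac` — the random fallback always satisfies this. The `2> /dev/null` also hides whether apiclient failed or simply found no pending key, so the silent fallback to a random passphrase deserves at least a log line in the `if [ -z "$lukspass" ]` branch.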
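Review bot: The new `chmod 000 /etc/confluent_lukspass` runs after `echo -n $lukspass > /etc/confluent_lukspass` has already created the file under the default umask, so the passphrase is world-readable for a moment in the installer environment; create it restrictively instead, `(umask 077; printf '%s' "$lukspass" > /etc/confluent_lukspass)`, keeping the `chmod` after it. This file is later copied into the target system by post.sh in the same patch, so its initial mode matters beyond this script. The subshell this block runs in (closed by `) &`) opens before this hunk.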