Amend cryptboot implementation for Ubuntu 22/24, EL8/EL9
Provide a mechanism for the administrator to place a custom key for potential interactive recovery into /var/lib/confluent/private/os/<profile>/pending/luks.key. If not provided, generate a unique one for each install. Either way, persist the key in /etc/confluent/luks.key to facilitate later resealing if the user wants (neither clevis nor systemd prior to 256 supports unlock via TPM2, so a keyfile is required for now). Migrating to otherwise escrowed passphrases and/or sealing to specific TPMs will be left to operators and/or third parties.
This commit is contained in:
parent
bee9f18197
commit
329f2b4485
@ -90,8 +90,14 @@ touch /tmp/cryptpkglist
|
||||
touch /tmp/pkglist
|
||||
touch /tmp/addonpackages
|
||||
if [ "$cryptboot" == "tpm2" ]; then
|
||||
LUKSPARTY="--encrypted --passphrase=$(cat /etc/confluent/confluent.apikey)"
|
||||
echo $cryptboot >> /tmp/cryptboot
|
||||
lukspass=$(python3 /opt/confluent/bin/apiclient /confluent-api/self/profileprivate/pending/luks.key 2> /dev/null)
|
||||
if [ -z "$lukspass" ]; then
|
||||
lukspass=$(python3 -c 'import os;import base64;print(base64.b64encode(os.urandom(66)).decode())')
|
||||
fi
|
||||
echo $lukspass > /etc/confluent/luks.key
|
||||
chmod 000 /etc/confluent/luks.key
|
||||
LUKSPARTY="--encrypted --passphrase=$lukspass"
|
||||
echo $cryptboot >> /tmp/cryptboot
|
||||
echo clevis-dracut >> /tmp/cryptpkglist
|
||||
fi
|
||||
|
||||
|
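Review bot: `echo $lukspass > /etc/confluent/luks.key` creates the key file under the installer's default umask and only afterwards applies `chmod 000`, and it also writes a trailing newline that the value passed as `--passphrase=$lukspass` does not contain (the Ubuntu path writes the same file with `echo -n`). Suggest `(umask 077; printf '%s' "$lukspass" > /etc/confluent/luks.key)` so the file is never created readable and its bytes match the enrolled passphrase exactly. Because the apiclient call discards stderr and whatever it prints on stdout becomes the passphrase, a comment such as `# apiclient must print only the key on stdout; any other output would be enrolled as the passphrase` is worth adding — confirm that against apiclient's error behaviour. A key published as the profile's pending/luks.key is shared by every node installed from that profile, as the commit message notes; a one-line `# NOTE: a profile-supplied key is shared by all nodes in the profile` at the fetch keeps that visible to whoever reads this script.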
@ -1,4 +1,5 @@
|
||||
#!/bin/sh
|
||||
cryptdisk=$(blkid -t TYPE="crypto_LUKS"|sed -e s/:.*//)
|
||||
clevis luks bind -f -d $cryptdisk -k - tpm2 '{}' < /etc/confluent/confluent.apikey
|
||||
cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
|
||||
clevis luks bind -f -d $cryptdisk -k /etc/cofluent/luks.key tpm2 '{}'
|
||||
chmod 000 /etc/confluent/luks.key
|
||||
#cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
|
||||
|
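Review bot: The new bind line reads the key from `/etc/cofluent/luks.key` (missing the `n`), so `clevis luks bind -f -d $cryptdisk -k /etc/cofluent/luks.key tpm2 '{}'` cannot open the key file and no TPM2 binding is created; the script is `#!/bin/sh` without `set -e`, so the failure passes silently and the node is left with only the keyfile slot. Change it to `clevis luks bind -f -d "$cryptdisk" -k /etc/confluent/luks.key tpm2 '{}' || exit 1` so a failed enrollment is at least reported. Separately, `tpm2 '{}'` seals with no PCR policy, meaning any OS booted on the same machine can unseal the volume; that matches the commit message's decision to leave PCR sealing to operators, but a comment `# no PCR policy: bound to TPM presence only, not to boot state` would make the trade-off explicit at the point it is made. `cryptdisk` is also used unquoted and, if blkid reports more than one LUKS device, the command line breaks — presumably a single install disk is assumed; confirm.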
@ -105,6 +105,8 @@ if [ -f /etc/confluent_lukspass ]; then
|
||||
wall "Unable to find $CRYPTTAB_SOURCE, halting install"
|
||||
while :; do sleep 86400; done
|
||||
fi
|
||||
cp /etc/confluent_lukspass /target/etc/confluent/luks.key
|
||||
chmod 000 /target/etc/confluent/luks.key
|
||||
lukspass=$(cat /etc/confluent_lukspass)
|
||||
chroot /target apt install libtss2-rc0
|
||||
PASSWORD=$lukspass chroot /target systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" $CRYPTTAB_SOURCE
|
||||
|
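Review bot: `cp /etc/confluent_lukspass /target/etc/confluent/luks.key` followed by a separate `chmod 000` relies on cp's default mode handling to keep the key unreadable between the two commands; `install -m 000 /etc/confluent_lukspass /target/etc/confluent/luks.key` (or `(umask 077; cp ...)`) applies the mode as part of creating the file. Nothing in the hunk guarantees `/target/etc/confluent` exists at this point, and cp's status is not checked, so if an earlier step does not create the directory the copy would fail silently and the installed system would lack the key the commit message says is persisted for resealing — a `mkdir -p /target/etc/confluent` before the copy, or a `|| exit 1`, closes that. The enclosing `if [ -f /etc/confluent_lukspass ]` block starts before this hunk and continues past it.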
@ -41,7 +41,10 @@ if [ ! -e /tmp/installdisk ]; then
|
||||
fi
|
||||
sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
|
||||
if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
|
||||
lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
|
||||
lukspass=$(python3 /opt/confluent/bin/apiclient /confluent-api/self/profileprivate/pending/luks.key 2> /dev/null)
|
||||
if [ -z "$lukspass" ]; then
|
||||
lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
|
||||
fi
|
||||
export lukspass
|
||||
run_remote_python addcrypt
|
||||
if ! grep 'password:' /autoinstall.yaml > /dev/null; then
|
||||
@ -52,7 +55,7 @@ if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "n
|
||||
sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
|
||||
sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
|
||||
echo -n $lukspass > /etc/confluent_lukspass
|
||||
|
||||
chmod 000 /etc/confluent_lukspass
|
||||
fi
|
||||
) &
|
||||
tail --pid $! -n 0 -F /var/log/confluent/confluent-pre.log > /dev/console
|
||||
|
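Review bot: With this change `lukspass` may now come from an operator-supplied `pending/luks.key`, but later in the same block it is still spliced unquoted into `sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml` and from there into the YAML, so a key containing whitespace, `!`, `&`, `\` or characters YAML treats specially will corrupt the autoinstall file or be enrolled in altered form rather than as given. A guard right after the fetch, e.g. `case "$lukspass" in *[!A-Za-z0-9+/=]*) echo "luks.key contains unsupported characters" >&2; exit 1;; esac`, keeps an operator key within the same character set the generated base64 fallback uses; the alternative is to escape it for sed and quote it in the YAML. The fallback `lukspass=$(head -c 66 < /dev/urandom |base64 -w0)` is fine, but because the apiclient call's stderr is discarded a transport error is indistinguishable from "no key configured" and silently yields a random key — a comment `# falls back to a random key if no pending/luks.key is published (or the fetch fails)` would document that. The `if [ "$cryptboot" != "" ]` block opened in the first hunk closes in the second, and the `( ... ) &` subshell that the second hunk's `) &` ends is opened before either hunk.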