Create encrypted image and private profile data

Prepare for securing os profile witht custom images
2024-11-25 02:52:07 +00:00 · 2021-07-23 16:13:24 -04:00 · 2021-07-23 16:13:24 -04:00 · 54667570bd
commit 54667570bd
parent 364085801a
3 changed files with 65 additions and 8 deletions
--- a/confluent_osdeploy/utils/confluent_imginfo.c
+++ b/confluent_osdeploy/utils/confluent_imginfo.c
@ -60,11 +60,23 @@ int main(int argc, char* argv[]) {
        printf("Format: squashfs\n");
        exit(0);
    }
-    if (memcmp(buffer, "\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1", 16) != 0) {
-        fprintf(stderr, "Unrecognized image format\n");
-        exit(1);
+    if (memcmp(buffer, "\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1", 16) == 0) {
+        printf("Format: confluent_multisquash\nminsize\tdefsize\toffset\tsize\tfstype\torigdev\tmount\n");
+        fread(buffer, 1, 1, img);
+        fseek(img, buffer[0], SEEK_CUR);
+        while (read_part(img, imgsize));
+        exit(0);
    }
-    printf("Format: confluent_multisquash\nminsize\tdefsize\toffset\tsize\tfstype\torigdev\tmount\n");
-    fseek(img, 31, SEEK_SET);
-    while (read_part(img, imgsize));
+    if (memcmp(buffer, "\xaa\xd5\x0f\x7e\x5d\xfb\x4b\x7c\xa1\x2a\xf4\x0b\x6d\x94\xf7\xfc", 16) == 0) {
+        fread(buffer, 1, 1, img);
+        fseek(img, buffer[0], SEEK_CUR);
+        fread(buffer, 1, 1, img);
+        if (buffer[0] == 0) {
+            printf("Format: confluent_crypted\n");
+            exit(0);
+        }
+    }
+    fprintf(stderr, "Unrecognized image format\n");
+    exit(1);
+
 }
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@ -324,6 +324,27 @@ def handle_request(env, start_response):
        else:
            start_response('200 OK', ())
            yield ''
+    elif env['PATH_INFO'].startswith('/self/profileprivate/pending/'):
+        fname = env['PATH_INFO'].replace('/self/profileprivate/', '')
+        deployinfo = cfg.get_node_attributes(
+        nodename, ('deployment.*',))
+        deployinfo = deployinfo.get(nodename, {})
+        profile = deployinfo.get(
+            'deployment.pendingprofile', {}).get('value', '')
+        if not profile:
+            start_response('400 No pending profile', ())
+            yield 'No profile'
+            return
+        fname = '/var/lib/confluent/private/os/{}/{}'.format(profile, fname)
+        try:
+            with open(fname, 'rb') as privdata:
+                start_response('200 OK', ())
+                yield privdata.read()
+                return
+        except IOError:
+            start_response('404 Not Found', ())
+            yield 'Not found'
+            return
    else:
        start_response('404 Not Found', ())
        yield 'Not found'
--- a/imgutil/imgutil
+++ b/imgutil/imgutil
@ -212,9 +212,9 @@ def capture_system_back(args):
        pass
    i = 0
    todelete = []
-    with open('/run/imgutil/capout/rootimg.sfs', 'wb') as outimg:
+    with open('/run/imgutil/capout/rootimg.sfs.plain', 'wb') as outimg:
        # Signature
-        outimg.write(b'\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1CONFLUENT_IMAGE')
+        outimg.write(b'\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1\x0fCONFLUENT_IMAGE')
        for fs in get_partition_info():
            fname = '{0:03d}'.format(i)  + fs['mount']
            i += 1
@ -259,6 +259,30 @@ def capture_system_back(args):
                outimg.write(b'\x00' * pad)
    for fname in todelete:
        os.remove(fname)
+    imgsize = os.stat('/run/imgutil/capout/rootimg.sfs.plain').st_size
+    with open('/run/imgutil/capout/rootimg.sfs', 'wb') as outimg:
+        outimg.write(b'\xaa\xd5\x0f\x7e\x5d\xfb\x4b\x7c\xa1\x2a\xf4\x0b\x6d\x94\xf7\xfc\x14CONFLUENT_CRYPTIMAGE')
+        outimg.seek(imgsize + 4095)
+        outimg.write(b'\x00')
+    dmname = os.path.basename(tempfile.mktemp())
+    key = os.urandom(32).hex()
+    neededblocks = imgsize // 512
+    if imgsize % 512:
+        neededblocks += 1
+    loopdev = subprocess.check_output(['losetup', '-f']).decode('utf8').strip()
+    subprocess.check_call(['losetup', loopdev, '/run/imgutil/capout/rootimg.sfs'])
+    subprocess.check_call(['dmsetup', 'create', dmname, '--table', '0 {} crypt aes-xts-plain64 {} 0 {} 4096'.format(neededblocks, key, loopdev)])
+    with open('/dev/mapper/{}'.format(dmname), 'wb') as cryptout:
+        with open('/run/imgutil/capout/rootimg.sfs.plain', 'rb') as plainin:
+            chunk = plainin.read(65536)
+            while chunk:
+                cryptout.write(chunk)
+                chunk = plainin.read(65536)
+    os.remove('/run/imgutil/capout/rootimg.sfs.plain')
+    with open('/run/imgutil/private.key', 'w') as keyout:
+        keyout.write('aes-xts-plain64\n')
+        keyout.write(key + '\n')
+


 def create_yumconf(sourcedir):