From 58ee85f39ebe558f11108942f18c8966e2cae896 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 26 Jul 2024 11:33:01 -0400
Subject: [PATCH] Rework Ubuntu addcrypt support

The comment based hook is destroyed during early install process. Use python to manipulate the autoinstall file in a more sophisticated way. Also refactor the initramfs hook material to be standalone files.
---
 .../profiles/default/autoinstall/user-data | 1 -
 .../profiles/default/scripts/addcrypt | 12 +++++
 .../profiles/default/scripts/post.sh | 49 ++-----------------------------
 .../profiles/default/scripts/pre.sh | 3 +-
 .../profiles/default/scripts/systemdecrypt | 17 +++++++
 .../default/scripts/systemdecrypt-hook | 22 +++++++++
 6 files changed, 58 insertions(+), 46 deletions(-)
 create mode 100644 confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
 create mode 100644 confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt
 create mode 100644 confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt-hook

diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data b/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data
index 7c4181d4..5b6c9894 100644
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/autoinstall/user-data
@@ -10,7 +10,6 @@ autoinstall:
 storage:
 layout:
 name: lvm
-#CRYPTBOOT password: %%CRYPTPASS%%
 match:
 path: "%%INSTALLDISK%%"
 user-data:
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
new file mode 100644
index 00000000..4f2ae905
--- /dev/null
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
@@ -0,0 +1,12 @@
+import yaml
+import sys
+
+ainst = {}
+with open('/autoinstall.yaml', 'r') as allin:
+ ainst = yaml.safe_load(allin)
+
+ainst['storage']['layout']['password'] = sys.argv[1]
+
+with open('/autoinstall.yaml', 'w') as allout:
+ yaml.safe_dump(ainst, allout)
+
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
index 2c8be0c0..998f7bda 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/post.sh
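Review bot: The passphrase is taken from `sys.argv[1]`, which exposes it in the interpreter's command line to every local process for as long as the script runs; reading it from stdin instead (`password = sys.stdin.readline().rstrip('\n')`) or from an environment variable the caller exports keeps it out of the process list. The `ainst = {}` assignment is dead because `yaml.safe_load` replaces it, and the nested lookup `ainst['storage']['layout']` raises `KeyError` on an autoinstall file without those sections; `ainst.setdefault('storage', {}).setdefault('layout', {})['password'] = …` tolerates both. `yaml.safe_load` returning `None` for an empty file would also fail on that line, so a short guard with an error message naming the file would make the failure clearer in the installer log. A module docstring stating that this rewrites `/autoinstall.yaml` in place and that `safe_dump` drops comments and reorders keys would help the next maintainer.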
@@ -108,50 +108,11 @@ if [ -f /etc/confluent_lukspass ]; then
 $lukspass=$(cat /etc/confluent_lukspass)
 chroot /target apt install libtss2-rc0
 PASSWORD=$(lukspass) chroot /target systemd-cryptenroll --tpm2-device=auto $CRYPTTAB_SOURCE
- cat >/target/etc/initramfs-tools/scripts/local-top/systemdecrypt << EOS
-#!/bin/sh
-case \$1 in
-prereqs)
- echo
- exit 0
- ;;
-esac
-
-systemdecryptnow() {
-. /usr/lib/cryptsetup/functions
-local CRYPTTAB_SOURCE=\$(awk '{print \$2}' /systemdecrypt/crypttab)
-local CRYPTTAB_NAME=\$(awk '{print \$1}' /systemdecrypt/crypttab)
-crypttab_resolve_source
-/lib/systemd/systemd-cryptsetup attach "\${CRYPTTAB_NAME}" "\${CRYPTTAB_SOURCE}" none tpm2-device=auto
-}
-
-systemdecryptnow
-EOS
- chmod 755 /target/etc/initramfs-tools/scripts/local-top/systemdecrypt
- cat > /target/etc/initramfs-tools/hooks/systemdecrypt <> \$DESTDIR/scripts/local-top/ORDER
-
-if [ -f \$DESTDIR/cryptroot/crypttab ]; then
- mv \$DESTDIR/cryptroot/crypttab \$DESTDIR/systemdecrypt/crypttab
-fi
-EOF
+ fetch_remote systemdecrypt
+ mv systemdecrypt /target/etc/initramfs-tools/scripts/local-top/systemdecrypt
+ fetch_remote systemdecrypt-hook
+ mv systemdecrypt-hook /target/etc/initramfs-tools/hooks/systemdecrypt
+ chmod 755 /target/etc/initramfs-tools/scripts/local-top/systemdecrypt /target/etc/initramfs-tools/hooks/systemdecrypt
 chroot /target update-initramfs -u
 fi
 python3 /opt/confluent/bin/apiclient /confluent-api/self/updatestatus -d 'status: staged'
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
index bfe1c7db..db0e967d 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
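Review bot: `fetch_remote systemdecrypt` and `fetch_remote systemdecrypt-hook` run unchecked, and so do the two `mv` calls that follow, so a failed download leaves `/target` without the initramfs unlock script while `update-initramfs -u` still runs and post.sh still reports `status: staged`; the problem only surfaces at first boot. Stop on failure, e.g. `fetch_remote systemdecrypt || exit 1` and `fetch_remote systemdecrypt-hook || exit 1` before the respective `mv`, or run this block under `set -e` if the rest of post.sh tolerates it. The untouched context lines `$lukspass=$(cat /etc/confluent_lukspass)` and `PASSWORD=$(lukspass)` look like they should read `lukspass=$(cat …)` and `PASSWORD=$lukspass`; as written the `systemd-cryptenroll` step that the new hook relies on would presumably run without the passphrase and fail, which is worth checking while this area is being reworked. The `if [ -f /etc/confluent_lukspass ]` enclosing the new lines is the hunk's header context, so its opening is not part of the hunk itself.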
@@ -41,12 +41,13 @@ if [ ! -e /tmp/installdisk ]; then
 fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
 if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
+ lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
+ run_remote_python addcrypt
 if ! grep '#CRYPTBOOT' /autoinstall.yaml > /dev/null; then
 echo "****Encrypted boot requested, but the user-data does not have a hook to enable,halting install" > /dev/console
 [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but the user-data does not have a hook to enable,halting install" >> $(cat /tmp/autoconsdev))
 while :; do sleep 86400; done
 fi
- lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
 sed -i s!%%CRYPTPASS%%!$lukspass! /autoinstall.yaml
 sed -i s!'#CRYPTBOOT'!! /autoinstall.yaml
 echo -n $lukspass > /etc/confluent_lukspass
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt
new file mode 100644
index 00000000..6f0cbaed
--- /dev/null
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt
@@ -0,0 +1,17 @@
+#!/bin/sh
+case $1 in
+prereqs)
+ echo
+ exit 0
+ ;;
+esac
+
+systemdecryptnow() {
+. /usr/lib/cryptsetup/functions
+local CRYPTTAB_SOURCE=$(awk '{print $2}' /systemdecrypt/crypttab)
+local CRYPTTAB_NAME=$(awk '{print $1}' /systemdecrypt/crypttab)
+crypttab_resolve_source
+/lib/systemd/systemd-cryptsetup attach "${CRYPTTAB_NAME}" "${CRYPTTAB_SOURCE}" none tpm2-device=auto
+}
+
+systemdecryptnow
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt-hook b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt-hook
new file mode 100644
index 00000000..48c9d16d
--- /dev/null
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/systemdecrypt-hook
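Review bot: `run_remote_python addcrypt` passes no argument although the new addcrypt script reads the passphrase from `sys.argv[1]`, so unless `run_remote_python` forwards `$lukspass` on its own the script fails with IndexError and the password is never written; pass it explicitly and stop on failure, `run_remote_python addcrypt "$lukspass" || exit 1`. The `grep '#CRYPTBOOT'` guard below can no longer pass: addcrypt rewrites `/autoinstall.yaml` with `yaml.safe_dump`, which drops every comment, and the user-data hunk in this same commit removes the `#CRYPTBOOT password: %%CRYPTPASS%%` line anyway, so every encrypted install ends in the halt loop (assuming `/autoinstall.yaml` is the rendered user-data, as the `%%INSTALLDISK%%` substitution above suggests). With addcrypt setting the password directly, the guard and the two `sed` lines for `%%CRYPTPASS%%` and `#CRYPTBOOT` are obsolete and should be removed rather than left to act on markers that are never present. The enclosing `if [ "$cryptboot" …` block closes after the hunk.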
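Review bot: The exit status of the `systemd-cryptsetup attach … tpm2-device=auto` line is ignored, so when the TPM2 unseal fails (PCR values changed by a firmware or bootloader update, a cleared TPM, libtss2 missing from the initramfs) the volume is left locked with no message and, because the hook moved `/cryptroot/crypttab` aside, the stock cryptroot passphrase prompt presumably cannot step in either. At least report it, `if ! /lib/systemd/systemd-cryptsetup attach "${CRYPTTAB_NAME}" "${CRYPTTAB_SOURCE}" none tpm2-device=auto; then echo "systemdecrypt: TPM2 unlock of ${CRYPTTAB_NAME} failed" >&2; fi`, and consider a passphrase fallback so the machine stays recoverable after a PCR change. The two `awk '{print $N}'` reads take every line of the crypttab, so a second entry would turn both variables into multi-line strings; `awk 'NR==1{print $2}'` if only the first entry is intended. `case $1 in` leaves `$1` unquoted where the companion hook quotes it.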
@@ -0,0 +1,22 @@
+#!/bin/sh
+case "$1" in
+ prereqs)
+ echo
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+mkdir -p $DESTDIR/systemdecrypt
+copy_exec /lib/systemd/systemd-cryptsetup /lib/systemd
+for i in /lib/x86_64-linux-gnu/libtss2*
+do
+ copy_exec ${i} /lib/x86_64-linux-gnu
+done
+mkdir -p $DESTDIR/scripts/local-top
+
+echo /scripts/local-top/systemdecrypt >> $DESTDIR/scripts/local-top/ORDER
+
+if [ -f $DESTDIR/cryptroot/crypttab ]; then
+ mv $DESTDIR/cryptroot/crypttab $DESTDIR/systemdecrypt/crypttab
+fi
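Review bot: The libtss2 copy loop hard-codes `/lib/x86_64-linux-gnu`, so on any other architecture nothing is copied and the TPM2 unlock in the initramfs would fail at boot; the libraries presumably need copying by hand because `copy_exec` only follows link-time dependencies. Glob the multiarch directory instead: `for i in /lib/*-linux-gnu/libtss2*; do copy_exec "${i}" "${i%/*}"; done`. `$DESTDIR` is unquoted on four lines while `"$1"` above is quoted; quote it for consistency. If the TPM drivers are modules rather than built in on the target kernel they also need `manual_add_modules`, which this hook does not call — worth confirming against the kernel config. A header comment stating that moving `/cryptroot/crypttab` to `/systemdecrypt/crypttab` is deliberate, presumably to keep the stock cryptroot script from prompting for a passphrase, would save the next reader from treating it as a bug.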