diff --git a/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh b/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
index 3e35d683..68a03f53 100644
--- a/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
+++ b/confluent_osdeploy/el8-diskless/initramfs/usr/lib/dracut/hooks/cmdline/10-confluentdiskless.sh
@@ -9,7 +9,7 @@ get_remote_apikey() {
 if [ -z "$confluent_apikey" ]; then
 echo "Unable to acquire node api key, set deployment.apiarmed=once on node '$nodename', retrying..."
 sleep 10
- else
+ elif [ -c /dev/tpm0 ]; then
 tmpdir=$(mktemp -d)
 cd $tmpdir
 tpm2_startauthsession --session=session.ctx
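Review bot: The new `elif [ -c /dev/tpm0 ]; then` only proves a device node exists, not that the TPM is usable, and the `tpm2_startauthsession --session=session.ctx` on the hunk's last line still has no status check, so a node with a present-but-failing TPM (or an initramfs missing tpm2-tools) enters the sealing branch and carries on; `[ -c /dev/tpm0 ] && command -v tpm2_startauthsession >/dev/null` covers the missing-tool case and `tpm2_startauthsession --session=session.ctx || echo "TPM present but unusable, API key will not be sealed" >&2` at least surfaces the other. With the plain `else` gone, a node without a TPM now leaves this function with no sealing step and no message; if that is the intended fallback, a one-line comment above the `elif` saying so would save the next reader a search. The same `-c /dev/tpm0` test is repeated verbatim twice more in this commit, so a single `has_tpm` variable evaluated once near the top of the script would keep the three from drifting. The body of get_remote_apikey continues outside the hunk, so what the sealing branch does after a failed session cannot be seen here.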
@@ -72,20 +72,22 @@ umask 0077
 tpmdir=$(mktemp -d)
 cd $tpmdir
 lasthdl=""
-for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
- tpm2_startauthsession --policy-session --session=session.ctx
- tpm2_policypcr -Q --session=session.ctx --pcr-list="sha256:15" --policy=pcr15.sha256.policy
- unsealeddata=$(tpm2_unseal --auth=session:session.ctx -Q -c $hdl 2>/dev/null)
- tpm2_flushcontext session.ctx
- if [[ $unsealeddata == "CONFLUENT_APIKEY:"* ]]; then
- confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
- echo $confluent_apikey > /etc/confluent/confluent.apikey
- if [ -n "$lasthdl" ]; then
- tpm2_evictcontrol -c $lasthdl
+if [ -c /dev/tpm0 ]; then
+ for hdl in $(tpm2_getcap handles-persistent|awk '{print $2}'); do
+ tpm2_startauthsession --policy-session --session=session.ctx
+ tpm2_policypcr -Q --session=session.ctx --pcr-list="sha256:15" --policy=pcr15.sha256.policy
+ unsealeddata=$(tpm2_unseal --auth=session:session.ctx -Q -c $hdl 2>/dev/null)
+ tpm2_flushcontext session.ctx
+ if [[ $unsealeddata == "CONFLUENT_APIKEY:"* ]]; then
+ confluent_apikey=${unsealeddata#CONFLUENT_APIKEY:}
+ echo $confluent_apikey > /etc/confluent/confluent.apikey
+ if [ -n "$lasthdl" ]; then
+ tpm2_evictcontrol -c $lasthdl
+ fi
+ lasthdl=$hdl
 fi
- lasthdl=$hdl
- fi
-done
+ done
+fi
 cd - > /dev/null
 rm -rf $tpmdir
 touch /etc/confluent/confluent.info
@@ -132,7 +134,9 @@ while [ $ready = "0" ]; do
 fi
 rm $tmperr
 done
-tpm2_pcrextend 15:sha256=2fbe96c50dde38ce9cd2764ddb79c216cfbcd3499568b1125450e60c45dd19f2
+if [ -c /dev/tpm0 ]; then
+ tpm2_pcrextend 15:sha256=2fbe96c50dde38ce9cd2764ddb79c216cfbcd3499568b1125450e60c45dd19f2
+fi
 umask $oldumask
 autoconfigmethod=$(grep ^ipv4_method: /etc/confluent/confluent.deploycfg |awk '{print $2}')
 if [ "$autoconfigmethod" = "dhcp" ]; then
diff --git a/confluent_osdeploy/el8-diskless/profiles/default/scripts/imageboot.sh b/confluent_osdeploy/el8-diskless/profiles/default/scripts/imageboot.sh
index b58b9f74..b0cfe3b7 100644
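Review bot: When `[ -c /dev/tpm0 ]` is false the entire unseal loop is skipped without a word, so a node whose TPM was disabled in firmware (or whose device node is simply missing from the initramfs) silently degrades from a PCR15-bound sealed key to whatever fallback the rest of the script provides, and `/etc/confluent/confluent.apikey` is never written by this block; an `else` branch with `echo "No TPM found, not restoring sealed API key" >&2` makes that downgrade visible on the console. The device-node test is the same one added in two other places in this commit, so a single `has_tpm` variable evaluated once near the top of the script would keep them consistent. Inside the loop, `echo $confluent_apikey > /etc/confluent/confluent.apikey` is unquoted; the value comes from TPM-sealed data rather than the network, and the file is created under the `umask 0077` set just above the hunk, but `printf '%s\n' "$confluent_apikey" > /etc/confluent/confluent.apikey` costs nothing and rules out word splitting and globbing if a key ever contains `*` or whitespace.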
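Review bot: The `tpm2_pcrextend 15:sha256=...` that is now guarded is, judging by the `--pcr-list="sha256:15"` policy the unseal loop earlier in this file uses, the step that makes the sealed API key unavailable for the rest of the boot, and its exit status is still unchecked: on a TPM node where the extend fails, the key remains unsealable by anything that later gets access to the TPM. `tpm2_pcrextend 15:sha256=2fbe96c50dde38ce9cd2764ddb79c216cfbcd3499568b1125450e60c45dd19f2 || echo "Warning: PCR15 extend failed, sealed API key remains unsealable" >&2` at minimum surfaces the failure. A one-line comment above the `if` stating why PCR 15 is extended here (to lock out the sealed key once it has been read) would also help, since the bare hash literal gives no hint. The `while` loop whose `done` opens this hunk begins outside it.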
--- a/confluent_osdeploy/el8-diskless/profiles/default/scripts/imageboot.sh
+++ b/confluent_osdeploy/el8-diskless/profiles/default/scripts/imageboot.sh
@@ -12,7 +12,10 @@ loopdev=$(losetup -f)
 export mountsrc=$loopdev
 losetup -r $loopdev /mnt/remoteimg/rootimg.sfs
 if grep '^Format: confluent_crypted' /tmp/rootimg.info > /dev/null; then
- curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" https://$confluent_mgr/confluent-api/self/profileprivate/pending/rootimg.key > /tmp/rootimg.key
+ while ! curl -sf -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /etc/confluent/confluent.apikey)" https://$confluent_mgr/confluent-api/self/profileprivate/pending/rootimg.key > /tmp/rootimg.key; do
+ echo "Unable to retrieve private key from $conflunt_mgr (verify that confluent can access /var/lib/confluent/private/$confluent_profile/pending/rootimg.key)"
+ sleep 1
+ done
 cipher=$(head -n 1 /tmp/rootimg.key)
 key=$(tail -n 1 /tmp/rootimg.key)
 len=$(wc -c /mnt/remoteimg/rootimg.sfs | awk '{print $1}')
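Review bot: The retry message on the new `echo` line expands `$conflunt_mgr`, a misspelling of the `$confluent_mgr` used on the `curl` line just above it, so the operator sees an empty host name in the very message meant to help them fix the failure; change it to `echo "Unable to retrieve private key from $confluent_mgr (verify that confluent can access /var/lib/confluent/private/$confluent_profile/pending/rootimg.key)" >&2`. The loop has no retry cap, which suits a transient outage but means a permanent 403/404 (the `pending/rootimg.key` the message mentions not existing) now hangs the boot indefinitely where the old single `curl` failed fast; if that is intended, a comment above the `while` saying so would help, otherwise a bounded attempt count is worth adding. The API key is still passed to curl as a command-line header, visible in `ps` and `set -x` output inside the initramfs, and the image decryption key lands in `/tmp/rootimg.key` under whatever umask is in effect here, which the hunk does not show; an explicit `umask 077` before the loop would pin that file's mode regardless of the caller.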