s390x: add LUKS keyfile to 'sd-boot'
authorNikita Dubrovskii <nikita@linux.ibm.com>
Mon, 17 Jan 2022 14:59:54 +0000 (15:59 +0100)
committerNikita Dubrovskii <nikita@linux.ibm.com>
Fri, 11 Feb 2022 08:02:42 +0000 (09:02 +0100)
This allows using Secure Execution with a LUKS-encrypted boot disk;
the key and crypttab are stored only in the encrypted 'sd-boot' image.

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
Makefile-libostree.am
src/libostree/ostree-bootloader-zipl.c
src/libostree/s390x-se-luks-gencpio [new file with mode: 0755]

index c9511fe3180b6a318fc048f4fa7e86776d4b197f..02ae9c6af65209efdc3cd86846236349186b075c 100644 (file)
@@ -184,7 +184,8 @@ EXTRA_DIST += \
 
 libostree_1_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/bsdiff -I$(srcdir)/libglnx -I$(srcdir)/src/libotutil -I$(srcdir)/src/libostree -I$(builddir)/src/libostree \
        $(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_INTERNAL_GPGME_CFLAGS) $(OT_DEP_LZMA_CFLAGS) $(OT_DEP_ZLIB_CFLAGS) $(OT_DEP_CRYPTO_CFLAGS) \
-       -fvisibility=hidden '-D_OSTREE_PUBLIC=__attribute__((visibility("default"))) extern'
+       -fvisibility=hidden '-D_OSTREE_PUBLIC=__attribute__((visibility("default"))) extern' \
+       -DPKGLIBEXECDIR=\"$(pkglibexecdir)\"
 libostree_1_la_LDFLAGS = -version-number 1:0:0 -Bsymbolic-functions $(addprefix $(wl_versionscript_arg),$(symbol_files))
 libostree_1_la_LIBADD = libotutil.la libglnx.la libbsdiff.la $(OT_INTERNAL_GIO_UNIX_LIBS) $(OT_INTERNAL_GPGME_LIBS) \
                         $(OT_DEP_LZMA_LIBS) $(OT_DEP_ZLIB_LIBS) $(OT_DEP_CRYPTO_LIBS)
@@ -292,8 +293,12 @@ EXTRA_DIST += src/libostree/README-gpg src/libostree/bupsplit.h \
                src/libostree/ostree-enumtypes.c.template \
                src/libostree/ostree-deployment-private.h \
                src/libostree/ostree-repo-deprecated.h \
-               src/libostree/ostree-version.h
+               src/libostree/ostree-version.h \
+               src/libostree/s390x-se-luks-gencpio
 
 install-mkdir-remotes-d-hook:
        mkdir -p $(DESTDIR)$(sysconfdir)/ostree/remotes.d
 INSTALL_DATA_HOOKS += install-mkdir-remotes-d-hook
+
+# Secure Execution: script for creating new initramdisk with LUKS key and config
+pkglibexec_SCRIPTS += src/libostree/s390x-se-luks-gencpio
index 7358671bfb079dc37071cb1093e26b1eceb1ffc4..14c2762eb7d10ccc601055ebb0712e41e3f09621 100644 (file)
@@ -27,6 +27,9 @@
 #define SECURE_EXECUTION_BOOT_IMAGE     "/boot/sd-boot"
 #define SECURE_EXECUTION_HOSTKEY_PATH   "/etc/se-hostkeys/"
 #define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
+#define SECURE_EXECUTION_LUKS_ROOT_KEY  "/etc/luks/root"
+#define SECURE_EXECUTION_LUKS_CONFIG    "/etc/crypttab"
+#define SECURE_EXECUTION_RAMDISK_TOOL   PKGLIBEXECDIR "/s390x-se-luks-gencpio"
 
 /* This is specific to zipl today, but in the future we could also
  * use it for the grub2-mkconfig case.
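Review bot: The key and crypttab paths defined here are also hard-coded in s390x-se-luks-gencpio (`cp -f /etc/luks/root etc/luks/` and `cp -f /etc/crypttab etc/`), so the existence check in C and the copy in the helper can drift apart if either side is edited. Either pass both paths to the helper as extra arguments, or mark the defines with a comment such as `/* keep in sync with s390x-se-luks-gencpio */`.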
@@ -147,6 +150,37 @@ _ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
   return TRUE;
 }
 
+static gboolean
+_ostree_secure_execution_luks_key_exists (void)
+{
+  return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
+          access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0);
+}
+
+static gboolean
+_ostree_secure_execution_enable_luks(const gchar *oldramfs,
+                                     const gchar *newramfs,
+                                     GError **error)
+{
+  const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, oldramfs, newramfs, NULL};
+  g_autofree gchar *out = NULL;
+  g_autofree gchar *err = NULL;
+  int status = 0;
+  if (!g_spawn_sync (NULL, (char**)argv, NULL, G_SPAWN_SEARCH_PATH,
+                     NULL, NULL, &out, &err, &status, error))
+    return glnx_prefix_error(error, "s390x SE: spawning %s", SECURE_EXECUTION_RAMDISK_TOOL);
+
+  if (!g_spawn_check_exit_status (status, error))
+    {
+      g_printerr("s390x SE: `%s` stdout: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, out);
+      g_printerr("s390x SE: `%s` stderr: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, err);
+      return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL);
+    }
+
+  sd_journal_print(LOG_INFO, "s390x SE: luks key added to initrd");
+  return TRUE;
+}
+
 static gboolean
 _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
                                           gchar *initramfs,
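Review bot: In `_ostree_secure_execution_enable_luks` the helper is spawned with `G_SPAWN_SEARCH_PATH` although `SECURE_EXECUTION_RAMDISK_TOOL` is an absolute path, so the flag has no use for a tool that handles the LUKS key; passing `G_SPAWN_DEFAULT` would make it explicit that only the installed helper is run. Both new functions also lack a comment. For `_ostree_secure_execution_enable_luks` it should state that `newramfs` must name an empty, writable file, because the helper appends to it with `>>`. For `_ostree_secure_execution_luks_key_exists` it should state that `F_OK` only tests presence and that a FALSE result makes the caller use the unmodified initramfs.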
@@ -169,12 +203,24 @@ _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
     return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
   g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd);
 
+  // Copy initramfs to temp file and embed LUKS key and config into it
+  g_auto(GLnxTmpfile) ramdisk = { 0, };
+  g_autofree gchar *ramdisk_filename = NULL;
+  if (_ostree_secure_execution_luks_key_exists ())
+    {
+      if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &ramdisk, error))
+        return glnx_prefix_error(error, "s390x SE: creating new ramdisk");
+      ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd);
+      if (!_ostree_secure_execution_enable_luks (initramfs, ramdisk_filename, error))
+        return FALSE;
+    }
+
   g_autoptr(GPtrArray) argv = g_ptr_array_new ();
   g_ptr_array_add (argv, "genprotimg");
   g_ptr_array_add (argv, "-i");
   g_ptr_array_add (argv, vmlinuz);
   g_ptr_array_add (argv, "-r");
-  g_ptr_array_add (argv, initramfs);
+  g_ptr_array_add (argv, (ramdisk_filename == NULL) ? initramfs: ramdisk_filename);
   g_ptr_array_add (argv, "-p");
   g_ptr_array_add (argv, cmdline_filename);
   for (guint i = 0; i < keys->len; ++i)
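Review bot: The temporary ramdisk created here holds the LUKS root key in clear, and nothing in the hunk records where it is stored or how long it lives. `glnx_open_anonymous_tmpfile` presumably places it in the default temporary directory, so it is worth confirming that this location is root-only and not on an unencrypted filesystem. A comment such as `/* ramdisk contains the LUKS key in clear; it is anonymous and released when this function returns */` would document the intent. The existing comment says the initramfs is copied here, but the copy is done by the helper, and it uses `//` where the file otherwise uses `/* */`. The function starts and ends outside the hunk.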
@@ -191,7 +237,7 @@ _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
 
   gint status = 0;
   if (!g_spawn_sync (NULL, (char**)argv->pdata, NULL, G_SPAWN_SEARCH_PATH,
-                       NULL, NULL, NULL, NULL, &status, error))
+                     NULL, NULL, NULL, NULL, &status, error))
     return glnx_prefix_error(error, "s390x SE: spawning genprotimg");
 
   if (!g_spawn_check_exit_status (status, error))
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
new file mode 100755 (executable)
index 0000000..f0ad24e
--- /dev/null
@@ -0,0 +1,22 @@
+ #!/usr/bin/bash
+ # This script creates new initramdisk with LUKS config within
+set -euo pipefail
+
+old_initrd=$1
+new_initrd=$2
+
+# Unpacking existing initramdisk
+workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
+cd ${workdir}
+gzip -cd ${old_initrd} | cpio -imd --quiet
+
+# Adding LUKS root key and crypttab config
+mkdir -p etc/luks
+cp -f /etc/luks/root etc/luks/
+cp -f /etc/crypttab etc/
+
+# Creating new initramdisk image
+find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+
+# Cleanup
+rm -rf ${workdir}
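Review bot: Any failure after `mktemp -d` leaves the unpacked initramfs together with a copy of /etc/luks/root under /tmp, because `set -e` exits before the final `rm -rf` is reached. Registering the cleanup right after the directory is created closes that gap: `trap 'rm -rf "${workdir}"' EXIT`. The expansions of `${old_initrd}`, `${workdir}` and `${new_initrd}` are unquoted and should be quoted, e.g. `cd "${workdir}"`. `gzip -cd` also assumes a gzip-compressed initramfs, so an image built with another compressor would presumably fail at that step; a short comment stating this requirement would help.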