diff --git a/Makefile-libostree.am b/Makefile-libostree.am index c9511fe3..02ae9c6a 100644 --- a/Makefile-libostree.am +++ b/Makefile-libostree.am @@ -184,7 +184,8 @@ EXTRA_DIST += \ libostree_1_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/bsdiff -I$(srcdir)/libglnx -I$(srcdir)/src/libotutil -I$(srcdir)/src/libostree -I$(builddir)/src/libostree \ $(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_INTERNAL_GPGME_CFLAGS) $(OT_DEP_LZMA_CFLAGS) $(OT_DEP_ZLIB_CFLAGS) $(OT_DEP_CRYPTO_CFLAGS) \ - -fvisibility=hidden '-D_OSTREE_PUBLIC=__attribute__((visibility("default"))) extern' + -fvisibility=hidden '-D_OSTREE_PUBLIC=__attribute__((visibility("default"))) extern' \ + -DPKGLIBEXECDIR=\"$(pkglibexecdir)\" libostree_1_la_LDFLAGS = -version-number 1:0:0 -Bsymbolic-functions $(addprefix $(wl_versionscript_arg),$(symbol_files)) libostree_1_la_LIBADD = libotutil.la libglnx.la libbsdiff.la $(OT_INTERNAL_GIO_UNIX_LIBS) $(OT_INTERNAL_GPGME_LIBS) \ $(OT_DEP_LZMA_LIBS) $(OT_DEP_ZLIB_LIBS) $(OT_DEP_CRYPTO_LIBS) @@ -292,8 +293,12 @@ EXTRA_DIST += src/libostree/README-gpg src/libostree/bupsplit.h \ src/libostree/ostree-enumtypes.c.template \ src/libostree/ostree-deployment-private.h \ src/libostree/ostree-repo-deprecated.h \ - src/libostree/ostree-version.h + src/libostree/ostree-version.h \ + src/libostree/s390x-se-luks-gencpio install-mkdir-remotes-d-hook: mkdir -p $(DESTDIR)$(sysconfdir)/ostree/remotes.d INSTALL_DATA_HOOKS += install-mkdir-remotes-d-hook + +# Secure Execution: script for creating new initramdisk with LUKS key and config +pkglibexec_SCRIPTS += src/libostree/s390x-se-luks-gencpio diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c index a7078aea..14c2762e 100644 --- a/src/libostree/ostree-bootloader-zipl.c +++ b/src/libostree/ostree-bootloader-zipl.c 
@@ -19,10 +19,18 @@ #include "ostree-sysroot-private.h" #include "ostree-bootloader-zipl.h" +#include "ostree-deployment-private.h" #include "otutil.h" - +#include #include +#define SECURE_EXECUTION_BOOT_IMAGE "/boot/sd-boot" +#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/" +#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey" +#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root" +#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab" +#define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio" + /* This is specific to zipl today, but in the future we could also * use it for the grub2-mkconfig case. */ 
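Review bot: The six new `SECURE_EXECUTION_*` defines carry no comments, yet they are the trust inputs of the whole feature: the directory the host keys are read from, the files holding the LUKS root key and crypttab, the output image path and the helper tool. A one-line comment per define stating who provisions the path and how it is consumed, e.g. `/* host key documents installed by the administrator; only files prefixed ibm-z-hostkey are used */` on `SECURE_EXECUTION_HOSTKEY_PATH` and `/* encrypted by genprotimg, then handed to zipl as the boot image */` on `SECURE_EXECUTION_BOOT_IMAGE`, would let a reader audit the assumptions without tracing the functions further down.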
@@ -78,8 +86,206 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader, return TRUE; } +static gboolean +_ostree_secure_execution_get_keys (GPtrArray **keys, + GCancellable *cancellable, + GError **error) +{ + g_auto (GLnxDirFdIterator) it = { 0,}; + if ( !glnx_dirfd_iterator_init_at (-1, SECURE_EXECUTION_HOSTKEY_PATH, TRUE, &it, error)) + return glnx_prefix_error (error, "s390x SE: looking for SE keys"); + + g_autoptr(GPtrArray) ret_keys = g_ptr_array_new_with_free_func (g_free); + while (TRUE) + { + struct dirent *dent = NULL; + if (!glnx_dirfd_iterator_next_dent (&it, &dent, cancellable, error)) + return FALSE; + + if (!dent) + break; + + if (g_str_has_prefix (dent->d_name, SECURE_EXECUTION_HOSTKEY_PREFIX)) + g_ptr_array_add (ret_keys, g_build_filename (SECURE_EXECUTION_HOSTKEY_PATH, dent->d_name, NULL)); + } + + *keys = g_steal_pointer (&ret_keys); + return TRUE; +} + +static gboolean +_ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self, + int bootversion, + gchar **vmlinuz, + gchar **initramfs, + gchar **options, + GCancellable *cancellable, + GError **error) +{ + g_autoptr (GPtrArray) configs = NULL; + if ( !_ostree_sysroot_read_boot_loader_configs (self->sysroot, bootversion, &configs, cancellable, error)) + return glnx_prefix_error (error, "s390x SE: loading bls configs"); + + if (!configs || configs->len == 0) + return glnx_throw (error, "s390x SE: no bls config"); + + OstreeBootconfigParser *parser = (OstreeBootconfigParser *) g_ptr_array_index (configs, 0); + const gchar *val = NULL; + + val = ostree_bootconfig_parser_get (parser, "linux"); + if (!val) + return glnx_throw (error, "s390x SE: no \"linux\" key in bootloader config"); + *vmlinuz = g_build_filename ("/boot", val, NULL); + + val = ostree_bootconfig_parser_get (parser, "initrd"); + if (!val) + return glnx_throw (error, "s390x SE: no \"initrd\" key in bootloader config"); + *initramfs = g_build_filename ("/boot", val, NULL); + + val = ostree_bootconfig_parser_get 
(parser, "options"); + if (!val) + return glnx_throw (error, "s390x SE: no \"options\" key in bootloader config"); + *options = g_strdup(val); + + return TRUE; +} + +static gboolean +_ostree_secure_execution_luks_key_exists (void) +{ + return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 && + access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0); +} + +static gboolean +_ostree_secure_execution_enable_luks(const gchar *oldramfs, + const gchar *newramfs, + GError **error) +{ + const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, oldramfs, newramfs, NULL}; + g_autofree gchar *out = NULL; + g_autofree gchar *err = NULL; + int status = 0; + if (!g_spawn_sync (NULL, (char**)argv, NULL, G_SPAWN_SEARCH_PATH, + NULL, NULL, &out, &err, &status, error)) + return glnx_prefix_error(error, "s390x SE: spawning %s", SECURE_EXECUTION_RAMDISK_TOOL); + + if (!g_spawn_check_exit_status (status, error)) + { + g_printerr("s390x SE: `%s` stdout: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, out); + g_printerr("s390x SE: `%s` stderr: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, err); + return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL); + } + + sd_journal_print(LOG_INFO, "s390x SE: luks key added to initrd"); + return TRUE; +} + +static gboolean +_ostree_secure_execution_generate_sdboot (gchar *vmlinuz, + gchar *initramfs, + gchar *options, + GPtrArray *keys, + GError **error) +{ + g_assert (vmlinuz && initramfs && options && keys && keys->len); + sd_journal_print(LOG_INFO, "s390x SE: kernel: %s", vmlinuz); + sd_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs); + sd_journal_print(LOG_INFO, "s390x SE: kargs: %s", options); + + pid_t self = getpid(); + + // Store kernel options to temp file, so `genprotimg` can later embed it + g_auto(GLnxTmpfile) cmdline = { 0, }; + if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error)) + return glnx_prefix_error(error, "s390x SE: opening cmdline file"); + if (glnx_loop_write (cmdline.fd, options, 
strlen (options)) < 0) + return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file"); + g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd); + + // Copy initramfs to temp file and embed LUKS key and config into it + g_auto(GLnxTmpfile) ramdisk = { 0, }; + g_autofree gchar *ramdisk_filename = NULL; + if (_ostree_secure_execution_luks_key_exists ()) + { + if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &ramdisk, error)) + return glnx_prefix_error(error, "s390x SE: creating new ramdisk"); + ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd); + if (!_ostree_secure_execution_enable_luks (initramfs, ramdisk_filename, error)) + return FALSE; + } + + g_autoptr(GPtrArray) argv = g_ptr_array_new (); + g_ptr_array_add (argv, "genprotimg"); + g_ptr_array_add (argv, "-i"); + g_ptr_array_add (argv, vmlinuz); + g_ptr_array_add (argv, "-r"); + g_ptr_array_add (argv, (ramdisk_filename == NULL) ? initramfs: ramdisk_filename); + g_ptr_array_add (argv, "-p"); + g_ptr_array_add (argv, cmdline_filename); + for (guint i = 0; i < keys->len; ++i) + { + gchar *key = g_ptr_array_index (keys, i); + g_ptr_array_add (argv, "-k"); + g_ptr_array_add (argv, key); + sd_journal_print(LOG_INFO, "s390x SE: key[%d]: %s", i + 1, key); + } + g_ptr_array_add (argv, "--no-verify"); + g_ptr_array_add (argv, "-o"); + g_ptr_array_add (argv, SECURE_EXECUTION_BOOT_IMAGE); + g_ptr_array_add (argv, NULL); + + gint status = 0; + if (!g_spawn_sync (NULL, (char**)argv->pdata, NULL, G_SPAWN_SEARCH_PATH, + NULL, NULL, NULL, NULL, &status, error)) + return glnx_prefix_error(error, "s390x SE: spawning genprotimg"); + + if (!g_spawn_check_exit_status (status, error)) + return glnx_prefix_error(error, "s390x SE: `genprotimg` failed"); + + sd_journal_print(LOG_INFO, "s390x SE: `%s` generated", SECURE_EXECUTION_BOOT_IMAGE); + return TRUE; +} + +static gboolean +_ostree_secure_execution_call_zipl (GError **error) +{ + int status = 0; + const char 
*const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL}; + if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, + NULL, NULL, NULL, NULL, &status, error)) + return glnx_prefix_error(error, "s390x SE: spawning zipl"); + + if (!g_spawn_check_exit_status (status, error)) + return glnx_prefix_error(error, "s390x SE: `zipl` failed"); + + sd_journal_print(LOG_INFO, "s390x SE: `sd-boot` zipled"); + return TRUE; +} + +static gboolean +_ostree_secure_execution_enable (OstreeBootloaderZipl *self, + int bootversion, + GPtrArray *keys, + GCancellable *cancellable, + GError **error) +{ + g_autofree gchar* vmlinuz = NULL; + g_autofree gchar* initramfs = NULL; + g_autofree gchar* options = NULL; + + gboolean rc = + _ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) && + _ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) && + _ostree_secure_execution_call_zipl (error); + + return rc; +} + + static gboolean _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, + int bootversion, GCancellable *cancellable, GError **error) { @@ -97,6 +303,14 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader, if (errno == ENOENT) return TRUE; + /* Try with Secure Execution */ + g_autoptr(GPtrArray) keys = NULL; + if (!_ostree_secure_execution_get_keys (&keys, cancellable, error)) + return FALSE; + if (keys && keys->len) + return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error); + + /* Fallback to non-SE setup */ const char *const zipl_argv[] = {"zipl", NULL}; int estatus; if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH, diff --git a/src/libostree/ostree-bootloader-zipl.h b/src/libostree/ostree-bootloader-zipl.h index 3584feb2..e3f0b2b3 100644 --- a/src/libostree/ostree-bootloader-zipl.h +++ b/src/libostree/ostree-bootloader-zipl.h 
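Review bot: `_ostree_secure_execution_get_keys` turns a missing `/etc/se-hostkeys/` directory into a hard error (the `glnx_dirfd_iterator_init_at` failure is only prefixed, never tolerated), and `_ostree_bootloader_zipl_post_bls_sync` in the second hunk of this file then returns FALSE, so a zipl system that is not set up for Secure Execution would fail to finish a deployment; ENOENT from the iterator init should instead yield an empty key list so the plain `zipl` fallback runs. This relies on libglnx restoring errno after a failed throw, which its `glnx_throw_errno_*` helpers do. Two smaller points in `_ostree_secure_execution_generate_sdboot`: `genprotimg` is invoked with `--no-verify`, which skips verification of the host key documents, so a comment should record why keys under `SECURE_EXECUTION_HOSTKEY_PATH` are trusted without it, and the journal line `"s390x SE: key[%d]: %s"` formats the `guint` expression `i + 1` with `%d` where `%u` is the matching specifier.
```c
static gboolean
_ostree_secure_execution_get_keys (GPtrArray **keys,
                                   GCancellable *cancellable,
                                   GError **error)
{
  g_auto (GLnxDirFdIterator) it = { 0,};
  if (!glnx_dirfd_iterator_init_at (-1, SECURE_EXECUTION_HOSTKEY_PATH, TRUE, &it, error))
    {
      /* No host key directory at all: not a Secure Execution host, so
       * report "no keys" and let the caller fall back to plain zipl. */
      if (errno == ENOENT)
        {
          g_clear_error (error);
          *keys = NULL;
          return TRUE;
        }
      return glnx_prefix_error (error, "s390x SE: looking for SE keys");
    }
  /* … unchanged: iterate the directory collecting ibm-z-hostkey* files into *keys … */
}
```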
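Review bot: In `_ostree_bootloader_zipl_post_bls_sync` the Secure Execution path is chosen solely because files named `ibm-z-hostkey*` exist under `/etc/se-hostkeys/` on the root the process is running in; nothing confirms that the machine is actually a protected-virtualization guest, so stale or mistakenly installed key files would replace the plain `zipl` run with a `genprotimg` image at `/boot/sd-boot` without any log line saying which path was taken. Consider gating the branch on a firmware indicator such as the kernel's `/sys/firmware/uv/prot_virt_guest` attribute, or at least emitting a journal message before calling `_ostree_secure_execution_enable`. Note also that the host keys, `/etc/luks/root` and `/etc/crypttab` are read from the running system while the kernel and initrd come from the new `bootversion`; if that mix is intentional (it presumably does not hold when ostree is pointed at a different sysroot), a one-line comment above `/* Try with Secure Execution */` should say so.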
@@ -30,5 +30,4 @@ typedef struct _OstreeBootloaderZipl OstreeBootloaderZipl; GType _ostree_bootloader_zipl_get_type (void) G_GNUC_CONST; OstreeBootloaderZipl * _ostree_bootloader_zipl_new (OstreeSysroot *sysroot); - G_END_DECLS diff --git a/src/libostree/ostree-bootloader.c b/src/libostree/ostree-bootloader.c index f221b608..785fd233 100644 --- a/src/libostree/ostree-bootloader.c +++ b/src/libostree/ostree-bootloader.c @@ -65,13 +65,14 @@ _ostree_bootloader_write_config (OstreeBootloader *self, gboolean _ostree_bootloader_post_bls_sync (OstreeBootloader *self, + int bootversion, GCancellable *cancellable, GError **error) { g_return_val_if_fail (OSTREE_IS_BOOTLOADER (self), FALSE); if (OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync) - return OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync (self, cancellable, error); + return OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync (self, bootversion, cancellable, error); return TRUE; } diff --git a/src/libostree/ostree-bootloader.h b/src/libostree/ostree-bootloader.h index 6e0f6f88..ca1b453e 100644 --- a/src/libostree/ostree-bootloader.h +++ b/src/libostree/ostree-bootloader.h @@ -46,6 +46,7 @@ struct _OstreeBootloaderInterface GCancellable *cancellable, GError **error); gboolean (* post_bls_sync) (OstreeBootloader *self, + int bootversion, GCancellable *cancellable, GError **error); gboolean (* is_atomic) (OstreeBootloader *self); @@ -68,6 +69,7 @@ gboolean _ostree_bootloader_write_config (OstreeBootloader *self, GError **error); gboolean _ostree_bootloader_post_bls_sync (OstreeBootloader *self, + int bootversion, GCancellable *cancellable, GError **error); diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index d3f277a7..b7cc232f 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c 
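Review bot: The `bootversion` parameter added to the `post_bls_sync` interface member in `ostree-bootloader.h` and to `_ostree_bootloader_post_bls_sync` is undocumented; its meaning is only recoverable from the caller in `ostree-sysroot-deploy.c`, which passes `new_bootversion`. A comment on the interface member, e.g. `/* bootversion: the boot version whose BLS entries were just written; backends may read its configs */`, would pin the contract for the other bootloader backends that implement this vfunc.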
@@ -2166,7 +2166,7 @@ swap_bootloader (OstreeSysroot *sysroot,
 **/
 if (bootloader)
 {
- if (!_ostree_bootloader_post_bls_sync (bootloader, cancellable, error))
+ if (!_ostree_bootloader_post_bls_sync (bootloader, new_bootversion, cancellable, error))
 return FALSE;
 }
diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
new file mode 100755
index 00000000..f0ad24eb
--- /dev/null
+++ b/src/libostree/s390x-se-luks-gencpio
@@ -0,0 +1,22 @@
+ #!/usr/bin/bash
+ # This script creates new initramdisk with LUKS config within
+set -euo pipefail
+
+old_initrd=$1
+new_initrd=$2
+
+# Unpacking existing initramdisk
+workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
+cd ${workdir}
+gzip -cd ${old_initrd} | cpio -imd --quiet
+
+# Adding LUKS root key and crypttab config
+mkdir -p etc/luks
+cp -f /etc/luks/root etc/luks/
+cp -f /etc/crypttab etc/
+
+# Creating new initramdisk image
+find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+
+# Cleanup
+rm -rf ${workdir}
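Review bot: The first line of `s390x-se-luks-gencpio` appears here as `+ #!/usr/bin/bash` with a leading space, which means the kernel will not honour the shebang; GLib's spawn falls back to `/bin/sh` on ENOEXEC, and on a POSIX shell `set -euo pipefail` is not guaranteed to be accepted, so the script should start at column 0 with `#!/usr/bin/bash` (the indented comment line below it likewise). Cleanup is not guaranteed either: `rm -rf ${workdir}` runs only on success, and with `set -e` any earlier failure leaves the unpacked initrd together with the copied `/etc/luks/root` under `/tmp`; add `trap 'rm -rf "${workdir}"' EXIT` directly after the `mktemp` line so the key copy never outlives the run. The `${old_initrd}`, `${new_initrd}` and `${workdir}` expansions should be double-quoted, and `>> ${new_initrd}` appends where `>` expresses the intent, since the caller passes a freshly created anonymous tmpfile. The `gzip -cd` unpack also assumes a single gzip-compressed cpio; a comment stating that assumption would help whoever hits a differently packed initrd.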