packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2708 from nikita-dubrovskii/sh_to_c 

s390x: drop shell code for `initrd` modification in SE case
This commit is contained in:
Colin Walters 2022-09-08 07:45:04 -04:00 committed by GitHub
parent dc0a5152c7 c6a53ef6e8
commit 6873a2511b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 91 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Makefile-libostree.am
View File

@ -284,12 +284,8 @@ EXTRA_DIST += src/libostree/README-gpg src/libostree/bupsplit.h \
src/libostree/ostree-enumtypes.c.template \
src/libostree/ostree-deployment-private.h \
src/libostree/ostree-repo-deprecated.h \
src/libostree/ostree-version.h \
src/libostree/s390x-se-luks-gencpio
src/libostree/ostree-version.h
install-mkdir-remotes-d-hook:
mkdir -p $(DESTDIR)$(sysconfdir)/ostree/remotes.d
INSTALL_DATA_HOOKS += install-mkdir-remotes-d-hook
# Secure Execution: script for creating new initramdisk with LUKS key and config
pkglibexec_SCRIPTS += src/libostree/s390x-se-luks-gencpio

122
src/libostree/ostree-bootloader-zipl.c
View File

@ -20,6 +20,7 @@
#include "ostree-sysroot-private.h"
#include "ostree-bootloader-zipl.h"
#include "ostree-deployment-private.h"
#include "ostree-libarchive-private.h"
#include "otutil.h"
#include <sys/mount.h>
#include <sys/stat.h>
@ -34,7 +35,10 @@
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
#define SECURE_EXECUTION_LUKS_BOOT_KEY "/etc/luks/boot"
#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
#define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio"
#if !(defined HAVE_LIBARCHIVE) && defined(__s390x__)
#error libarchive is required for s390x
#endif
/* This is specific to zipl today, but in the future we could also
* use it for the grub2-mkconfig case.
@ -195,31 +199,86 @@ static gboolean
_ostree_secure_execution_luks_key_exists (void)
{
return (access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0 &&
(access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 || access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0));
access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0);
}
static gboolean
_ostree_secure_execution_enable_luks(const gchar *oldramfs,
const gchar *newramfs,
GError **error)
_ostree_secure_execution_append_luks_keys (int initrd_fd,
GCancellable *cancellable,
GError **error)
{
const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, oldramfs, newramfs, NULL};
g_autofree gchar *out = NULL;
g_autofree gchar *err = NULL;
int status = 0;
if (!g_spawn_sync (NULL, (char**)argv, NULL, G_SPAWN_SEARCH_PATH,
NULL, NULL, &out, &err, &status, error))
return glnx_prefix_error(error, "s390x SE: spawning %s", SECURE_EXECUTION_RAMDISK_TOOL);
#ifdef HAVE_LIBARCHIVE
// appending cpio gzip archive with LUKS keys
g_autoptr(OtAutoArchiveWrite) a = archive_write_new ();
g_assert (a != NULL);
if (!g_spawn_check_exit_status (status, error))
if (archive_write_set_format_cpio_newc (a) != 0 ||
archive_write_add_filter_gzip (a) != 0 ||
archive_write_open_fd(a, initrd_fd) != 0)
return glnx_prefix_error (error, "s390x SE: initing cpio: %s", archive_error_string (a));
const char *files[] = {"/etc", "/etc/luks", SECURE_EXECUTION_LUKS_CONFIG, SECURE_EXECUTION_LUKS_BOOT_KEY, SECURE_EXECUTION_LUKS_ROOT_KEY};
for (uint i = 0; i != G_N_ELEMENTS (files); ++i)
{
g_printerr("s390x SE: `%s` stdout: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, out);
g_printerr("s390x SE: `%s` stderr: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, err);
return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL);
}
const char *path = files[i];
struct stat st;
if (stat(path, &st) != 0)
glnx_throw_errno_prefix (error, "s390x SE: stat(%s) failed", path);
ot_journal_print(LOG_INFO, "s390x SE: luks key added to initrd");
g_autoptr(OtArchiveEntry) ae = archive_entry_new ();
g_assert (ae != NULL);
archive_entry_copy_stat (ae, &st);
archive_entry_set_pathname (ae, path);
if (archive_write_header (a, ae) != 0)
glnx_prefix_error (error, "s390x SE: writing cpio header: %s", archive_error_string (a));
if (S_ISREG (st.st_mode))
{
ot_journal_print(LOG_INFO, "s390x SE: appending %s to initrd", path);
glnx_autofd int fd = -1;
if (!glnx_openat_rdonly (AT_FDCWD, path, TRUE, &fd, error))
return glnx_prefix_error (error, "s390x SE: opening %s", path);
g_autoptr(GBytes) data = glnx_fd_readall_bytes (fd, cancellable, error);
if (!data)
return glnx_prefix_error (error, "s390x SE: reading %s", path);
gsize size = 0;
const char *ptr = (const char *) g_bytes_get_data (data, &size);
ssize_t written = archive_write_data (a, ptr, size);
if (written == -1)
return glnx_prefix_error (error, "s390x SE: writing cpio entry: %s", archive_error_string (a));
if (written != size)
return glnx_prefix_error (error, "s390x SE: writing cpio entry %zd != %zu", written, size);
}
}
ot_journal_print(LOG_INFO, "s390x SE: luks keys added to initrd");
return TRUE;
#else
return glnx_throw (error, "'libarchive' is required for s390x");
#endif
}
static gboolean
_ostree_secure_execution_generate_initrd (const gchar *initrd,
GLnxTmpfile *out_initrd,
GCancellable *cancellable,
GError **error)
{
if (!_ostree_secure_execution_luks_key_exists ())
return glnx_throw (error, "s390x SE: missing luks keys and config");
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, out_initrd, error))
return glnx_prefix_error (error, "s390x SE: opening new ramdisk");
{
glnx_autofd int fd = -1;
glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error);
if (glnx_regfile_copy_bytes (fd, out_initrd->fd, (off_t) -1) < 0)
return glnx_throw_errno_prefix (error, "s390x SE: copying ramdisk");
}
return _ostree_secure_execution_append_luks_keys (out_initrd->fd, cancellable, error);
}
static gboolean
@ -227,6 +286,7 @@ _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
gchar *initramfs,
gchar *options,
GPtrArray *keys,
GCancellable *cancellable,
GError **error)
{
g_assert (vmlinuz && initramfs && options && keys && keys->len);
@ -234,34 +294,28 @@ _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
ot_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs);
ot_journal_print(LOG_INFO, "s390x SE: kargs: %s", options);
pid_t self = getpid();
pid_t self = getpid ();
// Store kernel options to temp file, so `genprotimg` can later embed it
g_auto(GLnxTmpfile) cmdline = { 0, };
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error))
return glnx_prefix_error(error, "s390x SE: opening cmdline file");
return glnx_prefix_error (error, "s390x SE: opening cmdline file");
if (glnx_loop_write (cmdline.fd, options, strlen (options)) < 0)
return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
return glnx_throw_errno_prefix (error, "s390x SE: writing cmdline file");
g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd);
// Copy initramfs to temp file and embed LUKS key and config into it
// Copy initramfs to temp file and embed LUKS keys & config into it
g_auto(GLnxTmpfile) ramdisk = { 0, };
g_autofree gchar *ramdisk_filename = NULL;
if (_ostree_secure_execution_luks_key_exists ())
{
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &ramdisk, error))
return glnx_prefix_error(error, "s390x SE: creating new ramdisk");
ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd);
if (!_ostree_secure_execution_enable_luks (initramfs, ramdisk_filename, error))
return FALSE;
}
if (!_ostree_secure_execution_generate_initrd (initramfs, &ramdisk, cancellable, error))
return FALSE;
g_autofree gchar *ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd);
g_autoptr(GPtrArray) argv = g_ptr_array_new ();
g_ptr_array_add (argv, "genprotimg");
g_ptr_array_add (argv, "-i");
g_ptr_array_add (argv, vmlinuz);
g_ptr_array_add (argv, "-r");
g_ptr_array_add (argv, (ramdisk_filename == NULL) ? initramfs: ramdisk_filename);
g_ptr_array_add (argv, ramdisk_filename);
g_ptr_array_add (argv, "-p");
g_ptr_array_add (argv, cmdline_filename);
for (guint i = 0; i < keys->len; ++i)
@ -300,7 +354,7 @@ _ostree_secure_execution_call_zipl (GError **error)
if (!g_spawn_check_exit_status (status, error))
return glnx_prefix_error(error, "s390x SE: `zipl` failed");
ot_journal_print(LOG_INFO, "s390x SE: `sd-boot` zipled");
ot_journal_print(LOG_INFO, "s390x SE: `sdboot` zipled");
return TRUE;
}
@ -318,7 +372,7 @@ _ostree_secure_execution_enable (OstreeBootloaderZipl *self,
gboolean rc =
_ostree_secure_execution_mount (error) &&
_ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
_ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
_ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, cancellable, error) &&
_ostree_secure_execution_call_zipl (error) &&
_ostree_secure_execution_umount (error);

2
src/libostree/ostree-libarchive-private.h
View File

@ -38,6 +38,8 @@ G_BEGIN_DECLS
#ifdef HAVE_LIBARCHIVE
typedef struct archive OtAutoArchiveWrite;
G_DEFINE_AUTOPTR_CLEANUP_FUNC(OtAutoArchiveWrite, archive_write_free)
typedef struct archive_entry OtArchiveEntry;
G_DEFINE_AUTOPTR_CLEANUP_FUNC(OtArchiveEntry, archive_entry_free)
typedef struct archive OtAutoArchiveRead;
G_DEFINE_AUTOPTR_CLEANUP_FUNC(OtAutoArchiveRead, archive_read_free)

22
src/libostree/s390x-se-luks-gencpio
View File

@ -1,22 +0,0 @@
#!/bin/bash
# This script creates new initramdisk with LUKS config within
set -euo pipefail
old_initrd=$1
new_initrd=$2
currdir=$PWD
# Copying existing initramdisk
cp ${old_initrd} ${new_initrd}
# Appending LUKS root keys and crypttab config to the end of initrd
workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
cd ${workdir}
mkdir -p etc/luks
cp -f /etc/luks/* etc/luks/
cp -f /etc/crypttab etc/
find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
# Cleanup
cd ${currdir}
rm -rf ${workdir}