s390x: simplify 's390x-se-luks-gencpio' script
parent
49ce9b0289
commit
769ac686f1
|
|
@ -200,11 +200,28 @@ _ostree_secure_execution_luks_key_exists (void)
|
||||||
}
|
}
|
||||||
|
|
||||||
static gboolean
|
static gboolean
|
||||||
_ostree_secure_execution_enable_luks(const gchar *oldramfs,
|
_ostree_secure_execution_generate_initrd (const gchar *initrd,
|
||||||
const gchar *newramfs,
|
GLnxTmpfile *out_initrd,
|
||||||
GError **error)
|
gchar **out_initrdname,
|
||||||
|
GError **error)
|
||||||
{
|
{
|
||||||
const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, oldramfs, newramfs, NULL};
|
if (!_ostree_secure_execution_luks_key_exists ())
|
||||||
|
return glnx_throw (error, "s390x SE: missing luks keys and config");
|
||||||
|
|
||||||
|
|
||||||
|
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, out_initrd, error))
|
||||||
|
return glnx_prefix_error (error, "s390x SE: opening new ramdisk");
|
||||||
|
{
|
||||||
|
glnx_autofd int fd = -1;
|
||||||
|
glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error);
|
||||||
|
if (glnx_regfile_copy_bytes (fd, out_initrd->fd, (off_t) -1) < 0)
|
||||||
|
return glnx_throw_errno_prefix (error, "s390x SE: copying ramdisk");
|
||||||
|
}
|
||||||
|
|
||||||
|
g_autofree gchar *tmpdir = g_mkdtemp (g_strdup ("/var/tmp/se-initramfs-XXXXXX"));
|
||||||
|
|
||||||
|
*out_initrdname = g_strdup_printf ("/proc/%d/fd/%d", getpid (), out_initrd->fd);
|
||||||
|
const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, *out_initrdname, tmpdir, NULL};
|
||||||
g_autofree gchar *out = NULL;
|
g_autofree gchar *out = NULL;
|
||||||
g_autofree gchar *err = NULL;
|
g_autofree gchar *err = NULL;
|
||||||
int status = 0;
|
int status = 0;
|
||||||
|
|
@ -219,7 +236,7 @@ _ostree_secure_execution_enable_luks(const gchar *oldramfs,
|
||||||
return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL);
|
return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL);
|
||||||
}
|
}
|
||||||
|
|
||||||
ot_journal_print(LOG_INFO, "s390x SE: luks key added to initrd");
|
ot_journal_print(LOG_INFO, "s390x SE: luks keys added to initrd");
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -235,24 +252,18 @@ _ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
|
||||||
ot_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs);
|
ot_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs);
|
||||||
ot_journal_print(LOG_INFO, "s390x SE: kargs: %s", options);
|
ot_journal_print(LOG_INFO, "s390x SE: kargs: %s", options);
|
||||||
|
|
||||||
pid_t self = getpid();
|
|
||||||
|
|
||||||
// Store kernel options to temp file, so `genprotimg` can later embed it
|
// Store kernel options to temp file, so `genprotimg` can later embed it
|
||||||
g_auto(GLnxTmpfile) cmdline = { 0, };
|
g_auto(GLnxTmpfile) cmdline = { 0, };
|
||||||
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error))
|
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error))
|
||||||
return glnx_prefix_error(error, "s390x SE: opening cmdline file");
|
return glnx_prefix_error (error, "s390x SE: opening cmdline file");
|
||||||
if (glnx_loop_write (cmdline.fd, options, strlen (options)) < 0)
|
if (glnx_loop_write (cmdline.fd, options, strlen (options)) < 0)
|
||||||
return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
|
return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
|
||||||
g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd);
|
g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", getpid (), cmdline.fd);
|
||||||
|
|
||||||
// Copy initramfs to temp file and embed LUKS key and config into it
|
// Copy initramfs to temp file and embed LUKS keys & config into it
|
||||||
if (!_ostree_secure_execution_luks_key_exists ())
|
|
||||||
return glnx_throw(error, "s390x SE: missing luks keys and config");
|
|
||||||
g_auto(GLnxTmpfile) ramdisk = { 0, };
|
g_auto(GLnxTmpfile) ramdisk = { 0, };
|
||||||
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &ramdisk, error))
|
g_autofree gchar *ramdisk_filename = NULL;
|
||||||
return glnx_prefix_error(error, "s390x SE: creating new ramdisk");
|
if (!_ostree_secure_execution_generate_initrd (initramfs, &ramdisk, &ramdisk_filename, error))
|
||||||
g_autofree gchar *ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd);
|
|
||||||
if (!_ostree_secure_execution_enable_luks (initramfs, ramdisk_filename, error))
|
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
g_autoptr(GPtrArray) argv = g_ptr_array_new ();
|
g_autoptr(GPtrArray) argv = g_ptr_array_new ();
|
||||||
|
|
|
||||||
|
|
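Review bot: In the new `_ostree_secure_execution_generate_initrd`, the return value of `glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error)` is ignored, so when the source initrd cannot be opened `fd` stays `-1`, the following `glnx_regfile_copy_bytes` fails with EBADF, and `glnx_throw_errno_prefix` then sets a GError on top of the one the open already stored; it should be `if (!glnx_openat_rdonly (AT_FDCWD, initrd, TRUE, &fd, error)) return glnx_prefix_error (error, "s390x SE: opening initrd");`. Likewise `g_mkdtemp` returns NULL on failure and that is not checked before `tmpdir` is placed in `argv`, so a guard such as `if (tmpdir == NULL) return glnx_throw_errno_prefix (error, "s390x SE: creating temporary directory");` is needed. The directory is created under `/var/tmp`, which unlike the old script's `/tmp` is typically persistent, and nothing on the C side removes it after the tool runs, so the LUKS key files the script copies into it would outlive a failed run; removing it on every exit path (libglnx's `glnx_shutil_rm_rf_at` or equivalent, after the subprocess returns) would close that. The function's body continues past this hunk, where the tool is executed and its exit status checked.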
@ -1,22 +1,16 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# This script creates new initramdisk with LUKS config within
|
# This script appends LUKS keys and config to initrd
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
old_initrd=$1
|
initrd=$1
|
||||||
new_initrd=$2
|
tmpdir=$2
|
||||||
currdir=$PWD
|
|
||||||
|
|
||||||
# Copying existing initramdisk
|
|
||||||
cp ${old_initrd} ${new_initrd}
|
|
||||||
|
|
||||||
# Appending LUKS root keys and crypttab config to the end of initrd
|
# Appending LUKS root keys and crypttab config to the end of initrd
|
||||||
workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
|
cd ${tmpdir}
|
||||||
cd ${workdir}
|
|
||||||
mkdir -p etc/luks
|
mkdir -p etc/luks
|
||||||
cp -f /etc/luks/* etc/luks/
|
cp -f /etc/luks/* etc/luks/
|
||||||
cp -f /etc/crypttab etc/
|
cp -f /etc/crypttab etc/
|
||||||
find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
|
find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${initrd}
|
||||||
|
|
||||||
# Cleanup
|
# Cleanup
|
||||||
cd ${currdir}
|
rm -rf etc/
|
||||||
rm -rf ${workdir}
|
|
||||||
|
|
|
||||||
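Review bot: The `rm -rf etc/` cleanup at the end only runs if every earlier command succeeds, because the script uses `set -e`; if `cpio` or `gzip` fails, the copies of `/etc/luks/*` and `/etc/crypttab` stay behind in the caller-supplied `${tmpdir}` (which the caller appears to create under `/var/tmp`). A `trap 'rm -rf -- "${tmpdir}/etc"' EXIT` placed right after the argument assignments would remove them on every exit path. The unquoted expansions should also be quoted, `cd "${tmpdir}"` and `>> "${initrd}"`, so paths containing spaces or glob characters are not split or expanded.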