Merge pull request #2491 from nikita-dubrovskii/secure-execution
s390x: add secure-execution support
This commit is contained in:
commit
5f2ab097d5
@ -184,7 +184,8 @@ EXTRA_DIST += \
|
||||
|
||||
libostree_1_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/bsdiff -I$(srcdir)/libglnx -I$(srcdir)/src/libotutil -I$(srcdir)/src/libostree -I$(builddir)/src/libostree \
|
||||
$(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_INTERNAL_GPGME_CFLAGS) $(OT_DEP_LZMA_CFLAGS) $(OT_DEP_ZLIB_CFLAGS) $(OT_DEP_CRYPTO_CFLAGS) \
|
||||
-fvisibility=hidden '-D_OSTREE_PUBLIC=__attribute__((visibility("default"))) extern'
|
||||
-fvisibility=hidden '-D_OSTREE_PUBLIC=__attribute__((visibility("default"))) extern' \
|
||||
-DPKGLIBEXECDIR=\"$(pkglibexecdir)\"
|
||||
libostree_1_la_LDFLAGS = -version-number 1:0:0 -Bsymbolic-functions $(addprefix $(wl_versionscript_arg),$(symbol_files))
|
||||
libostree_1_la_LIBADD = libotutil.la libglnx.la libbsdiff.la $(OT_INTERNAL_GIO_UNIX_LIBS) $(OT_INTERNAL_GPGME_LIBS) \
|
||||
$(OT_DEP_LZMA_LIBS) $(OT_DEP_ZLIB_LIBS) $(OT_DEP_CRYPTO_LIBS)
|
||||
@ -292,8 +293,12 @@ EXTRA_DIST += src/libostree/README-gpg src/libostree/bupsplit.h \
|
||||
src/libostree/ostree-enumtypes.c.template \
|
||||
src/libostree/ostree-deployment-private.h \
|
||||
src/libostree/ostree-repo-deprecated.h \
|
||||
src/libostree/ostree-version.h
|
||||
src/libostree/ostree-version.h \
|
||||
src/libostree/s390x-se-luks-gencpio
|
||||
|
||||
install-mkdir-remotes-d-hook:
|
||||
mkdir -p $(DESTDIR)$(sysconfdir)/ostree/remotes.d
|
||||
INSTALL_DATA_HOOKS += install-mkdir-remotes-d-hook
|
||||
|
||||
# Secure Execution: script for creating new initramdisk with LUKS key and config
|
||||
pkglibexec_SCRIPTS += src/libostree/s390x-se-luks-gencpio
|
||||
|
@ -19,10 +19,18 @@
|
||||
|
||||
#include "ostree-sysroot-private.h"
|
||||
#include "ostree-bootloader-zipl.h"
|
||||
#include "ostree-deployment-private.h"
|
||||
#include "otutil.h"
|
||||
|
||||
#include <systemd/sd-journal.h>
|
||||
#include <string.h>
|
||||
|
||||
#define SECURE_EXECUTION_BOOT_IMAGE "/boot/sd-boot"
|
||||
#define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
|
||||
#define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
|
||||
#define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
|
||||
#define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
|
||||
#define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio"
|
||||
|
||||
/* This is specific to zipl today, but in the future we could also
|
||||
* use it for the grub2-mkconfig case.
|
||||
*/
|
||||
@ -78,8 +86,206 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_get_keys (GPtrArray **keys,
|
||||
GCancellable *cancellable,
|
||||
GError **error)
|
||||
{
|
||||
g_auto (GLnxDirFdIterator) it = { 0,};
|
||||
if ( !glnx_dirfd_iterator_init_at (-1, SECURE_EXECUTION_HOSTKEY_PATH, TRUE, &it, error))
|
||||
return glnx_prefix_error (error, "s390x SE: looking for SE keys");
|
||||
|
||||
g_autoptr(GPtrArray) ret_keys = g_ptr_array_new_with_free_func (g_free);
|
||||
while (TRUE)
|
||||
{
|
||||
struct dirent *dent = NULL;
|
||||
if (!glnx_dirfd_iterator_next_dent (&it, &dent, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
if (!dent)
|
||||
break;
|
||||
|
||||
if (g_str_has_prefix (dent->d_name, SECURE_EXECUTION_HOSTKEY_PREFIX))
|
||||
g_ptr_array_add (ret_keys, g_build_filename (SECURE_EXECUTION_HOSTKEY_PATH, dent->d_name, NULL));
|
||||
}
|
||||
|
||||
*keys = g_steal_pointer (&ret_keys);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
|
||||
int bootversion,
|
||||
gchar **vmlinuz,
|
||||
gchar **initramfs,
|
||||
gchar **options,
|
||||
GCancellable *cancellable,
|
||||
GError **error)
|
||||
{
|
||||
g_autoptr (GPtrArray) configs = NULL;
|
||||
if ( !_ostree_sysroot_read_boot_loader_configs (self->sysroot, bootversion, &configs, cancellable, error))
|
||||
return glnx_prefix_error (error, "s390x SE: loading bls configs");
|
||||
|
||||
if (!configs || configs->len == 0)
|
||||
return glnx_throw (error, "s390x SE: no bls config");
|
||||
|
||||
OstreeBootconfigParser *parser = (OstreeBootconfigParser *) g_ptr_array_index (configs, 0);
|
||||
const gchar *val = NULL;
|
||||
|
||||
val = ostree_bootconfig_parser_get (parser, "linux");
|
||||
if (!val)
|
||||
return glnx_throw (error, "s390x SE: no \"linux\" key in bootloader config");
|
||||
*vmlinuz = g_build_filename ("/boot", val, NULL);
|
||||
|
||||
val = ostree_bootconfig_parser_get (parser, "initrd");
|
||||
if (!val)
|
||||
return glnx_throw (error, "s390x SE: no \"initrd\" key in bootloader config");
|
||||
*initramfs = g_build_filename ("/boot", val, NULL);
|
||||
|
||||
val = ostree_bootconfig_parser_get (parser, "options");
|
||||
if (!val)
|
||||
return glnx_throw (error, "s390x SE: no \"options\" key in bootloader config");
|
||||
*options = g_strdup(val);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_luks_key_exists (void)
|
||||
{
|
||||
return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
|
||||
access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0);
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_enable_luks(const gchar *oldramfs,
|
||||
const gchar *newramfs,
|
||||
GError **error)
|
||||
{
|
||||
const char *const argv[] = {SECURE_EXECUTION_RAMDISK_TOOL, oldramfs, newramfs, NULL};
|
||||
g_autofree gchar *out = NULL;
|
||||
g_autofree gchar *err = NULL;
|
||||
int status = 0;
|
||||
if (!g_spawn_sync (NULL, (char**)argv, NULL, G_SPAWN_SEARCH_PATH,
|
||||
NULL, NULL, &out, &err, &status, error))
|
||||
return glnx_prefix_error(error, "s390x SE: spawning %s", SECURE_EXECUTION_RAMDISK_TOOL);
|
||||
|
||||
if (!g_spawn_check_exit_status (status, error))
|
||||
{
|
||||
g_printerr("s390x SE: `%s` stdout: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, out);
|
||||
g_printerr("s390x SE: `%s` stderr: %s\n", SECURE_EXECUTION_RAMDISK_TOOL, err);
|
||||
return glnx_prefix_error(error, "s390x SE: `%s` failed", SECURE_EXECUTION_RAMDISK_TOOL);
|
||||
}
|
||||
|
||||
sd_journal_print(LOG_INFO, "s390x SE: luks key added to initrd");
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_generate_sdboot (gchar *vmlinuz,
|
||||
gchar *initramfs,
|
||||
gchar *options,
|
||||
GPtrArray *keys,
|
||||
GError **error)
|
||||
{
|
||||
g_assert (vmlinuz && initramfs && options && keys && keys->len);
|
||||
sd_journal_print(LOG_INFO, "s390x SE: kernel: %s", vmlinuz);
|
||||
sd_journal_print(LOG_INFO, "s390x SE: initrd: %s", initramfs);
|
||||
sd_journal_print(LOG_INFO, "s390x SE: kargs: %s", options);
|
||||
|
||||
pid_t self = getpid();
|
||||
|
||||
// Store kernel options to temp file, so `genprotimg` can later embed it
|
||||
g_auto(GLnxTmpfile) cmdline = { 0, };
|
||||
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &cmdline, error))
|
||||
return glnx_prefix_error(error, "s390x SE: opening cmdline file");
|
||||
if (glnx_loop_write (cmdline.fd, options, strlen (options)) < 0)
|
||||
return glnx_throw_errno_prefix (error, "s390x SE: writting cmdline file");
|
||||
g_autofree gchar *cmdline_filename = g_strdup_printf ("/proc/%d/fd/%d", self, cmdline.fd);
|
||||
|
||||
// Copy initramfs to temp file and embed LUKS key and config into it
|
||||
g_auto(GLnxTmpfile) ramdisk = { 0, };
|
||||
g_autofree gchar *ramdisk_filename = NULL;
|
||||
if (_ostree_secure_execution_luks_key_exists ())
|
||||
{
|
||||
if (!glnx_open_anonymous_tmpfile (O_RDWR | O_CLOEXEC, &ramdisk, error))
|
||||
return glnx_prefix_error(error, "s390x SE: creating new ramdisk");
|
||||
ramdisk_filename = g_strdup_printf ("/proc/%d/fd/%d", self, ramdisk.fd);
|
||||
if (!_ostree_secure_execution_enable_luks (initramfs, ramdisk_filename, error))
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
g_autoptr(GPtrArray) argv = g_ptr_array_new ();
|
||||
g_ptr_array_add (argv, "genprotimg");
|
||||
g_ptr_array_add (argv, "-i");
|
||||
g_ptr_array_add (argv, vmlinuz);
|
||||
g_ptr_array_add (argv, "-r");
|
||||
g_ptr_array_add (argv, (ramdisk_filename == NULL) ? initramfs: ramdisk_filename);
|
||||
g_ptr_array_add (argv, "-p");
|
||||
g_ptr_array_add (argv, cmdline_filename);
|
||||
for (guint i = 0; i < keys->len; ++i)
|
||||
{
|
||||
gchar *key = g_ptr_array_index (keys, i);
|
||||
g_ptr_array_add (argv, "-k");
|
||||
g_ptr_array_add (argv, key);
|
||||
sd_journal_print(LOG_INFO, "s390x SE: key[%d]: %s", i + 1, key);
|
||||
}
|
||||
g_ptr_array_add (argv, "--no-verify");
|
||||
g_ptr_array_add (argv, "-o");
|
||||
g_ptr_array_add (argv, SECURE_EXECUTION_BOOT_IMAGE);
|
||||
g_ptr_array_add (argv, NULL);
|
||||
|
||||
gint status = 0;
|
||||
if (!g_spawn_sync (NULL, (char**)argv->pdata, NULL, G_SPAWN_SEARCH_PATH,
|
||||
NULL, NULL, NULL, NULL, &status, error))
|
||||
return glnx_prefix_error(error, "s390x SE: spawning genprotimg");
|
||||
|
||||
if (!g_spawn_check_exit_status (status, error))
|
||||
return glnx_prefix_error(error, "s390x SE: `genprotimg` failed");
|
||||
|
||||
sd_journal_print(LOG_INFO, "s390x SE: `%s` generated", SECURE_EXECUTION_BOOT_IMAGE);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_call_zipl (GError **error)
|
||||
{
|
||||
int status = 0;
|
||||
const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
|
||||
if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
|
||||
NULL, NULL, NULL, NULL, &status, error))
|
||||
return glnx_prefix_error(error, "s390x SE: spawning zipl");
|
||||
|
||||
if (!g_spawn_check_exit_status (status, error))
|
||||
return glnx_prefix_error(error, "s390x SE: `zipl` failed");
|
||||
|
||||
sd_journal_print(LOG_INFO, "s390x SE: `sd-boot` zipled");
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
_ostree_secure_execution_enable (OstreeBootloaderZipl *self,
|
||||
int bootversion,
|
||||
GPtrArray *keys,
|
||||
GCancellable *cancellable,
|
||||
GError **error)
|
||||
{
|
||||
g_autofree gchar* vmlinuz = NULL;
|
||||
g_autofree gchar* initramfs = NULL;
|
||||
g_autofree gchar* options = NULL;
|
||||
|
||||
gboolean rc =
|
||||
_ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
|
||||
_ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
|
||||
_ostree_secure_execution_call_zipl (error);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
||||
static gboolean
|
||||
_ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
|
||||
int bootversion,
|
||||
GCancellable *cancellable,
|
||||
GError **error)
|
||||
{
|
||||
@ -97,6 +303,14 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
|
||||
if (errno == ENOENT)
|
||||
return TRUE;
|
||||
|
||||
/* Try with Secure Execution */
|
||||
g_autoptr(GPtrArray) keys = NULL;
|
||||
if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
|
||||
return FALSE;
|
||||
if (keys && keys->len)
|
||||
return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
|
||||
|
||||
/* Fallback to non-SE setup */
|
||||
const char *const zipl_argv[] = {"zipl", NULL};
|
||||
int estatus;
|
||||
if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
|
||||
|
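Review bot: `_ostree_secure_execution_get_keys` turns a missing `/etc/se-hostkeys/` directory into a hard failure: `glnx_dirfd_iterator_init_at (-1, SECURE_EXECUTION_HOSTKEY_PATH, ...)` fails with ENOENT, and the caller in `_ostree_bootloader_zipl_post_bls_sync` does `return FALSE` before it ever reaches the "Fallback to non-SE setup" `zipl` spawn, so deployment on an s390x host that simply has no Secure Execution keys fails. The lookup should treat not-found as "no keys" and return TRUE with `*keys = NULL`, which the caller already accepts via `if (keys && keys->len)` (sketch below). Two smaller points in `_ostree_secure_execution_generate_sdboot`: `genprotimg` is run with `--no-verify`, which as I read its options skips host-key document verification, so a tampered file under `/etc/se-hostkeys/` would be embedded unchecked — a comment such as `/* --no-verify: host key documents are trusted as installed by the administrator, not re-verified here */` should record that decision; and `sd_journal_print (LOG_INFO, "s390x SE: key[%d]: %s", i + 1, key)` prints a `guint` with `%d` (`%u`). `_ostree_bootloader_zipl_post_bls_sync` continues outside the hunk.
```c
static gboolean
_ostree_secure_execution_get_keys (GPtrArray **keys,
                                   GCancellable *cancellable,
                                   GError **error)
{
  g_auto (GLnxDirFdIterator) it = { 0,};
  g_autoptr(GError) local_error = NULL;
  if (!glnx_dirfd_iterator_init_at (-1, SECURE_EXECUTION_HOSTKEY_PATH, TRUE, &it, &local_error))
    {
      /* No host key directory: Secure Execution is not configured on this
       * host, report "no keys" so the caller falls back to plain zipl. */
      if (g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
        {
          *keys = NULL;
          return TRUE;
        }
      g_propagate_error (error, g_steal_pointer (&local_error));
      return glnx_prefix_error (error, "s390x SE: looking for SE keys");
    }
  /* … unchanged: iterate the directory, collect SECURE_EXECUTION_HOSTKEY_PREFIX entries, steal into *keys … */
```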
@ -30,5 +30,4 @@ typedef struct _OstreeBootloaderZipl OstreeBootloaderZipl;
|
||||
GType _ostree_bootloader_zipl_get_type (void) G_GNUC_CONST;
|
||||
|
||||
OstreeBootloaderZipl * _ostree_bootloader_zipl_new (OstreeSysroot *sysroot);
|
||||
|
||||
G_END_DECLS
|
||||
|
@ -65,13 +65,14 @@ _ostree_bootloader_write_config (OstreeBootloader *self,
|
||||
|
||||
gboolean
|
||||
_ostree_bootloader_post_bls_sync (OstreeBootloader *self,
|
||||
int bootversion,
|
||||
GCancellable *cancellable,
|
||||
GError **error)
|
||||
{
|
||||
g_return_val_if_fail (OSTREE_IS_BOOTLOADER (self), FALSE);
|
||||
|
||||
if (OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync)
|
||||
return OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync (self, cancellable, error);
|
||||
return OSTREE_BOOTLOADER_GET_IFACE (self)->post_bls_sync (self, bootversion, cancellable, error);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -46,6 +46,7 @@ struct _OstreeBootloaderInterface
|
||||
GCancellable *cancellable,
|
||||
GError **error);
|
||||
gboolean (* post_bls_sync) (OstreeBootloader *self,
|
||||
int bootversion,
|
||||
GCancellable *cancellable,
|
||||
GError **error);
|
||||
gboolean (* is_atomic) (OstreeBootloader *self);
|
||||
@ -68,6 +69,7 @@ gboolean _ostree_bootloader_write_config (OstreeBootloader *self,
|
||||
GError **error);
|
||||
|
||||
gboolean _ostree_bootloader_post_bls_sync (OstreeBootloader *self,
|
||||
int bootversion,
|
||||
GCancellable *cancellable,
|
||||
GError **error);
|
||||
|
||||
|
@ -2166,7 +2166,7 @@ swap_bootloader (OstreeSysroot *sysroot,
|
||||
**/
|
||||
if (bootloader)
|
||||
{
|
||||
if (!_ostree_bootloader_post_bls_sync (bootloader, cancellable, error))
|
||||
if (!_ostree_bootloader_post_bls_sync (bootloader, new_bootversion, cancellable, error))
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
22
src/libostree/s390x-se-luks-gencpio
Executable file
@ -0,0 +1,22 @@
|
||||
#!/usr/bin/bash
|
||||
# This script creates new initramdisk with LUKS config within
|
||||
set -euo pipefail
|
||||
|
||||
old_initrd=$1
|
||||
new_initrd=$2
|
||||
|
||||
# Unpacking existing initramdisk
|
||||
workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
|
||||
cd ${workdir}
|
||||
gzip -cd ${old_initrd} | cpio -imd --quiet
|
||||
|
||||
# Adding LUKS root key and crypttab config
|
||||
mkdir -p etc/luks
|
||||
cp -f /etc/luks/root etc/luks/
|
||||
cp -f /etc/crypttab etc/
|
||||
|
||||
# Creating new initramdisk image
|
||||
find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
|
||||
|
||||
# Cleanup
|
||||
rm -rf ${workdir}
|
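Review bot: The script copies the LUKS root key into a directory under `/tmp` and removes it only on the success path: with `set -e`, a failure in `cpio`, `cp` or `gzip` exits before the final `rm -rf ${workdir}`, leaving `etc/luks/root` in a stray `se-initramfs-*` directory, which on a non-tmpfs `/tmp` is key material left on disk. An `EXIT` trap installed right after `mktemp` covers every exit path, and the `${workdir}`, `${old_initrd}` and `${new_initrd}` expansions should be quoted (sketch below). The image is written with `>>`, which appends; it works because the C side passes a fresh anonymous tmpfile, but `>` states the intent and avoids producing a corrupt image if the destination ever is not empty.
```bash
workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
# Remove the unpacked tree (including the copied LUKS key) on every exit path
trap 'rm -rf "${workdir}"' EXIT
cd "${workdir}"
gzip -cd "${old_initrd}" | cpio -imd --quiet
# … unchanged: copy /etc/luks/root and /etc/crypttab into the tree …
find . | cpio --quiet -H newc -o | gzip -9 -n > "${new_initrd}"
# (trailing rm -rf dropped; the EXIT trap handles cleanup)
```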