Commit fdc28f07 authored by lemmarathon's avatar lemmarathon Committed by Natanael Copa

Add support for keyfiles

The "cryptkey" boot parameter enables keyfile decryption. By default,
init will look for a keyfile named "/crypto_keyfile.bin". Another file
may be specified like so: "cryptkey=/path/to/keyfile.bin". If keyfile
decryption fails, init will fall back to passphrase mode.
parent 7e7fed4f
......@@ -16,6 +16,7 @@ CONF_FILES := mkinitfs.conf \
features.d/btrfs.modules \
features.d/cdrom.modules \
features.d/cramfs.modules \
features.d/cryptkey.files \
features.d/cryptsetup.files \
features.d/cryptsetup.modules \
features.d/ena.modules \
......
/crypto_keyfile.bin
......@@ -274,9 +274,9 @@ setup_nbd() {
set -- $(cat /proc/cmdline)
myopts="alpine_dev autodetect autoraid chart cryptroot cryptdm cryptheader cryptoffset
cryptdiscards debug_init dma init_args keep_apk_new modules ovl_dev pkgs quiet
root_size root usbdelay ip alpine_repo apkovl alpine_start splash blacklist
overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
cryptdiscards cryptkey debug_init dma init_args keep_apk_new modules ovl_dev
pkgs quiet root_size root usbdelay ip alpine_repo apkovl alpine_start splash
blacklist overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
for opt; do
case "$opt" in
......@@ -397,6 +397,11 @@ if [ -n "$KOPT_cryptroot" ]; then
if [ -n "$KOPT_cryptoffset" ]; then
cryptopts="$cryptopts -o ${KOPT_cryptoffset}"
fi
if [ "$KOPT_cryptkey" = "yes" ]; then
cryptopts="$cryptopts -k /crypto_keyfile.bin"
elif [ -n "$KOPT_cryptkey" ]; then
cryptopts="$cryptopts -k ${KOPT_cryptkey}"
fi
fi
if [ -n "$KOPT_nbd" ]; then
......
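Review bot: The default keyfile path `/crypto_keyfile.bin` on the `cryptopts="$cryptopts -k /crypto_keyfile.bin"` line is hard-coded here and again in features.d/cryptkey.files, with nothing tying the two together; a comment at the `if [ "$KOPT_cryptkey" = "yes" ]; then` line such as `# default keyfile; must match the path packed by features.d/cryptkey.files` would keep them in step. The `-k ${KOPT_cryptkey}` value on the elif branch is appended unquoted like the other crypt options, so a path containing whitespace will be split when $cryptopts is later expanded — consistent with the existing style, but worth stating in the same comment. The fallback to passphrase entry when the keyfile is missing or rejected happens inside nlplug-findfs rather than in this script, which the comment could also note so readers do not look for it here.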
......@@ -309,6 +309,7 @@ static int spawn_active(struct spawn_manager *mgr)
struct cryptdev {
char *device;
char *name;
char *key;
char devnode[256];
};
......@@ -594,6 +595,18 @@ static void *cryptsetup_thread(void *data)
goto free_out;
}
struct stat st;
if (!stat(c->crypt.data.key, &st)) {
pthread_mutex_lock(&c->crypt.mutex);
r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
CRYPT_ANY_SLOT,
c->crypt.data.key, st.st_size,
c->crypt.flags);
pthread_mutex_unlock(&c->crypt.mutex);
if (r >= 0)
goto free_out;
}
while (passwd_tries > 0) {
char pass[1024];
......@@ -1173,6 +1186,7 @@ static void usage(int rc)
" -c CRYPTDEVICE run cryptsetup luksOpen when CRYPTDEVICE is found\n"
" -h show this help\n"
" -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
" -k CRYPTKEY path to keyfile\n"
" -m CRYPTNAME use CRYPTNAME name for crypto device mapping\n"
" -o OFFSET cryptsetup payload offset\n"
" -D allow discards on crypto device\n"
......@@ -1238,6 +1252,9 @@ int main(int argc, char *argv[])
case 'h':
usage(0);
break;
case 'k':
conf.crypt.data.key = EARGF(usage(1));
break;
case 'm':
conf.crypt.data.name = EARGF(usage(1));
break;
......
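Review bot: The `stat(c->crypt.data.key, &st)` call in cryptsetup_thread runs even when no -k option was given; if key is then still NULL (conf initialisation is outside the hunk), a null pointer reaches stat(), which Linux reports as EFAULT but which is not behaviour to rely on. Guard the keyfile branch on the pointer first: `if (c->crypt.data.key && !stat(c->crypt.data.key, &st)) {`. When crypt_activate_by_keyfile returns an error the code drops silently into the passphrase loop, so a wrong, unreadable or oversized keyfile is indistinguishable from "no keyfile" in the boot log; logging r with the file's existing debug helper before falling through would make that diagnosable. A keyfile whose st_size is 0 (a pipe or character device) is passed as size 0, which libcryptsetup treats as "read the whole file" — if that is intended, a one-line comment saying so belongs above the call. cryptsetup_thread begins and ends outside the hunk.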
......@@ -76,6 +76,13 @@ then
[ "$operation" = "header" ] && echo "> Formatting '$block' with header '$header' and passphrase '$passphrase'."
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q $block - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q --header $header $block - 2>&1 | sed 's/^/\t/g'
echo "> Creating keyfile"
dd if=/dev/urandom of=keyfile count=1 bs=512 2>&1 | sed 's/^/\t/g'
echo "> Adding keyfile to device"
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q $block keyfile - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q --header $header $block keyfile - 2>&1 | sed 's/^/\t/g'
echo "> Opening the device '$block' as /dev/mapper/temp-test"
[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q $block temp-test - 2>&1 | sed 's/^/\t/g'
[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q --header $header $block temp-test - 2>&1 | sed 's/^/\t/g'
......@@ -92,6 +99,27 @@ then
echo "> Closing the device '/dev/mapper/temp-test'"
sudo cryptsetup luksClose temp-test
echo "> Testing nlplug-findfs on $block using keyfile"
[ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
[ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
if [ $retcode -eq 0 ]; then
echo "> Mounting the device"
sudo mount /dev/mapper/test-device local-mount
echo "> Getting proof"
check=$(cat local-mount/proof)
echo "Retrieved proof is: $check"
if [ "$check" != "$proof" ]; then
retcode=1
fi
fi
[ $retcode -eq 0 ] && echo "Operation succeeded, proofs match" || echo "Operation failed, proofs don't match"
echo "> Unmounting the fs"
mountpoint local-mount && sudo umount local-mount
echo "> Closing the device '/dev/mapper/test-device'"
[ -b /dev/mapper/test-device ] && sudo cryptsetup luksClose test-device
echo "> Testing nlplug-findfs on $block (passphrase was '$passphrase')"
[ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }
[ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }
......
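Review bot: The keyfile written by `dd if=/dev/urandom of=keyfile count=1 bs=512` is created under the caller's default umask and nothing in this section removes it afterwards; even for test key material the tighter shape is `(umask 077; dd if=/dev/urandom of=keyfile count=1 bs=512 2>&1 | sed 's/^/\t/g')` plus an `rm -f keyfile` on whatever cleanup path the script has outside this hunk. Because retcode is carried from the keyfile run into the passphrase run that starts at "Testing nlplug-findfs on $block (passphrase was ...)", a keyfile failure also makes the later result line report a failure, so the two result messages cannot tell which mode broke; printing the mode in the "Operation succeeded"/"Operation failed" line (for example `... && echo "Keyfile operation succeeded, proofs match" || ...`) or tracking the keyfile result in its own variable would make the log unambiguous. The enclosing if/then block starts before the hunk.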