crypt_reboot 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 449c9b12be881f213dffc9090686e7d73bb3f2523806c5edf41dc2e4d7d17c4b
-  data.tar.gz: ba391871d8d5f438ba2474a8a21d8738be020636ac8c4bfcd0fd8100d7e07aec
+  metadata.gz: 90456cf783f95d79186882a7fce00b153b4ff1928a68efd4609fb7e8859d3b04
+  data.tar.gz: d5fd15cb6705793a7e357666158eaa4f95f5c14d41b22b1d82d087a921fa512c
 SHA512:
-  metadata.gz: 466befee2a5027cae8be7cb036c87e8c779e64fb4725775111b112e53ff5bf2691bc543ac86e7c229e8e75642c0c3eb0168fed1bca14a2b0598b94bf3c5245c0
-  data.tar.gz: 68bef507bea7444722f3281b94d8ea5af0bda0d031871f82fc9ff0398614e7b83564f2b541a42d745d2eefecde9f0a409817dcd29332b01797cd13b434bd7db0
+  metadata.gz: 5c99c3e114727a1236ef3dd9f536a56b1a89639c4447f6387ec5bcd1bd25234f2655a75f306ace56dd78c36a0aadf77da4321ed6626c36c63e38c9852fefefea
+  data.tar.gz: 37acfc427190670ad362cfb60a8a18ed29bcab338d24ac728ac23f4e3934c6669175db7872836ac46211d09dd16cba861259ec8e99c829050c1a8a3b875b9724

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## [0.1.2] - 2023-07-22
+
+- Lock memory to prevent secrets leaking to swap
+- Use `ramfs` instead of `tmpfs` for the same reason
+
+## [0.1.1] - 2023-07-13
+
+- Standardize passphrase prompt
+
 ## [0.1.0] - 2023-07-09
 
 - Initial release

data/README.md

@@ -1,5 +1,7 @@
 # Cryptreboot
 
+[![Gem Version](https://badge.fury.io/rb/crypt_reboot.svg)](https://badge.fury.io/rb/crypt_reboot)
+
 Convenient reboot for Linux systems with encrypted root partition.
 
 > Just type `cryptreboot` instead of `reboot`.
@@ -26,13 +28,16 @@ Debian, Ubuntu, Linux Mint, Pop!_OS, etc.
 On the other hand, do not expect it to work on other distributions now.
 But support for them may come in upcoming versions.
 
-Following distributions were tested by the author:
+Following distributions were tested by the author on the AMD64 machine:
+- DappNode 0.2.75 is based on Debian 12, see below
+- Debian 12 needs [symlinks for kernel and initramfs](#no-symlinks-to-most-recent-kernel-and-initramfs)
+- Pop!_OS 22.04 LTS
+- Ubuntu 23.04
 - Ubuntu 22.04 LTS
 - Ubuntu 20.04 LTS needs tiny adjustments to system settings,
   specifically [changing compression](#lz4-initramfs-compression) and
   [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
 - ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
-- Pop!_OS 22.04 LTS
 
 If you have successfully run cryptreboot on another distribution,
 please contact me and I will update the list.
@@ -48,16 +53,23 @@ You need to ensure those are installed:
 If you use recent, mainstream Linux distribution, other requirements are
 probably already met:
 - `kexec` support in the kernel
-- `tmpfs` filesystem support in kernel
+- `ramfs` filesystem support in kernel
 - `cryptsetup` (if you use disk encryption, it should be installed)
 - `systemd` or another way to guarantee staged kernel is executed on reboot
 - `strace` (not required if `--skip-lz4-check` flag is specified)
 
+If you use Debian-based distribution, use this command to install required packages:
+
+    $ sudo apt install --no-install-recommends cryptsetup-initramfs kexec-tools ruby strace systemd
+
+When asked if kexec should handle reboots, answer `yes` (however the answer probably
+doesn't matter for cryptreboot to work).
+
 ## Installation
 
-Make sure the required software is installed, then install the gem by executing:
+Make sure the required software is installed, then install the gem system-wide by executing:
 
-    $ gem install crypt_reboot
+    $ sudo gem install crypt_reboot
 
 ## Usage
 
@@ -128,6 +140,26 @@ To cancel the change, remove the file:
 
     $ sudo rm /etc/systemd/system/systemd-kexec.service.d/override.conf
 
+### No symlinks to most recent kernel and initramfs
+
+By default cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
+in `/boot/initrd.img`. If those files are missing in your Linux distribution,
+cryptreboot will fail, unless you use `--kernel` and `--initramfs` command line
+options.
+
+    $ sudo cryptreboot --kernel /boot/vmlinuz-`uname -r` --initramfs /boot/initrd.img-`uname -r`
+
+If you don't want to specify options every time you reboot, add symlinks to
+the currently running kernel and initramfs:
+
+    $ cd /boot
+    $ sudo ln -sf vmlinuz-`uname -r` vmlinuz
+    $ sudo ln -sf initrd.img-`uname -r` initrd.img
+
+Unfortunately, you need to rerun it after each kernel upgrade, otherwise,
+cryptreboot is going to boot the old kernel.
+Upcoming versions of cryptreboot will offer better solutions.
+
 ## Development
 
 After checking out the repo, run `bundle install` to install

data/lib/basic_loader.rb

@@ -14,6 +14,7 @@ require 'crypt_reboot/gziper'
 require 'crypt_reboot/initramfs_patch_squeezer'
 require 'crypt_reboot/kexec_patching_loader'
 require 'crypt_reboot/lazy_config'
+require 'crypt_reboot/memory_locker'
 require 'crypt_reboot/passphrase_asker'
 require 'crypt_reboot/patched_initramfs_generator'
 require 'crypt_reboot/rebooter'

data/lib/crypt_reboot/cli/params_parsing_executor.rb

@@ -5,9 +5,10 @@ module CryptReboot
     # Interprets parameters, executes everything and returns callable object
     class ParamsParsingExecutor
       def call(raw_params)
+        locker.call
         params = parser.call(raw_params)
         handle_action_params!(params) or configure_and_exec(params)
-      rescue StandardError => e
+      rescue StandardError, Interrupt => e
         raise if debug?
 
         sad_exiter_class.new(error_message(e))
@@ -45,7 +46,7 @@ module CryptReboot
 
       attr_reader :parser, :config_updater, :loader, :help_generator,
                   :version_string, :debug_checker, :rebooter,
-                  :happy_exiter_class, :sad_exiter_class
+                  :happy_exiter_class, :sad_exiter_class, :locker
 
       # rubocop:disable Metrics/ParameterLists
       def initialize(parser: Params::Parser.new,
@@ -56,7 +57,8 @@ module CryptReboot
                      debug_checker: LazyConfig.debug,
                      rebooter: Rebooter.new,
                      happy_exiter_class: HappyExiter,
-                     sad_exiter_class: SadExiter)
+                     sad_exiter_class: SadExiter,
+                     locker: MemoryLocker.new)
         @parser = parser
         @config_updater = config_updater
         @loader = loader
@@ -66,6 +68,7 @@ module CryptReboot
         @rebooter = rebooter
         @happy_exiter_class = happy_exiter_class
         @sad_exiter_class = sad_exiter_class
+        @locker = locker
       end
       # rubocop:enable Metrics/ParameterLists
     end

data/lib/crypt_reboot/files_generator.rb

@@ -6,10 +6,9 @@ module CryptReboot
     def call(entries, base_dir)
       files = {}
       modified_entries = entries.map do |entry|
-        headevice = entry.headevice(header_prefix: base_dir)
-        next entry unless luks?(headevice)
+        next entry unless luks?(entry, base_dir)
 
-        data = luks_data_fetcher.call(headevice)
+        data = fetch_data(entry, base_dir)
         keyfile = keyfile_locator.call(entry.target)
         files[keyfile] = data.key
         entry_converter.call(entry, data, keyfile)
@@ -22,10 +21,16 @@ module CryptReboot
     CRYPTAB_PATH = '/cryptroot/crypttab'
     private_constant :CRYPTAB_PATH
 
-    def luks?(headevice)
+    def luks?(entry, base_dir)
+      headevice = entry.headevice(header_prefix: base_dir)
       luks_checker.call(headevice)
     end
 
+    def fetch_data(entry, base_dir)
+      headevice = entry.headevice(header_prefix: base_dir)
+      luks_data_fetcher.call(headevice, entry.target)
+    end
+
     attr_reader :keyfile_locator, :entry_converter, :serializer,
                 :luks_data_fetcher, :luks_checker
 

data/lib/crypt_reboot/luks/data_fetcher.rb

@@ -4,10 +4,10 @@ module CryptReboot
   module Luks
     # Fetch LUKS data including key (user will be asked for passphrase)
     class DataFetcher
-      def call(headevice)
+      def call(headevice, target)
         version = detector.call(headevice)
         data = dumper.call(headevice, version)
-        pass = asker.call("Enter passphrase to unlock #{headevice}: ")
+        pass = asker.call("Please unlock disk #{target}: ")
         key = key_fetcher.call(headevice, pass)
         data.with_key(key)
       end

data/lib/crypt_reboot/memory_locker.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module CryptReboot
+  # Lock process memory, so it won't be swapped by the kernel.
+  # It is implemented as a one-way operation: there is no unlock.
+  # That's because it's hard to properly clean memory in Ruby.
+  class MemoryLocker
+    Error = Class.new StandardError
+
+    def call
+      return if Libc.mlockall(Libc::MCL_CURRENT | Libc::MCL_FUTURE).zero?
+
+      raise Error, "Failed to lock memory: #{FFI.errno}"
+    end
+
+    # Low level interface to libc
+    module Libc
+      extend FFI::Library
+      ffi_lib 'libc.so.6'
+
+      # define mlockall constants
+      MCL_CURRENT = 1
+      MCL_FUTURE = 2
+      MCL_ONFAULT = 4
+
+      # declare mlockall function
+      attach_function :mlockall, [:int], :int
+    end
+    private_constant :Libc
+  end
+end

data/lib/crypt_reboot/safe_temp/directory.rb

@@ -4,7 +4,7 @@ require 'tmpdir'
 
 module CryptReboot
   module SafeTemp
-    # Create temporary directory, mounts tmpfs and yields tmp dir location.
+    # Create temporary directory, mounts ramfs and yields tmp dir location.
     # Make sure to cleanup afterwards.
     class Directory
       def call

data/lib/crypt_reboot/safe_temp/mounter.rb

@@ -2,7 +2,9 @@
 
 module CryptReboot
   module SafeTemp
-    # Mount tmpfs at the given mount point, yield and unmount
+    # Mount ramfs at the given mount point, yield and unmount.
+    # We don't want the contents of directory to be swapped,
+    # therefore ramfs is used instead of tmpfs.
     class Mounter
       def call(dir, &block)
         mounter.call(dir)
@@ -21,7 +23,7 @@ module CryptReboot
 
       def initialize(runner: Runner::NoResult.new,
                      mounter: lambda { |dir|
-                                runner.call(Config.mount_path, '-t', 'tmpfs', '-o', 'mode=700', 'none', dir)
+                                runner.call(Config.mount_path, '-t', 'ramfs', '-o', 'mode=700', 'none', dir)
                               },
                      umounter: ->(dir) { runner.call(Config.umount_path, dir) })
         @runner = runner

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.1.0'
+  VERSION = '0.1.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - Paweł Pokrywka
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-09 00:00:00.000000000 Z
+date: 2023-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
 description: 
 email:
 - pepawel@users.noreply.github.com
@@ -93,6 +107,7 @@ files:
 - lib/crypt_reboot/luks/dumper/luks_v2_parser.rb
 - lib/crypt_reboot/luks/key_fetcher.rb
 - lib/crypt_reboot/luks/version_detector.rb
+- lib/crypt_reboot/memory_locker.rb
 - lib/crypt_reboot/passphrase_asker.rb
 - lib/crypt_reboot/patched_initramfs_generator.rb
 - lib/crypt_reboot/rebooter.rb