crypt_reboot 0.1.0

data/lib/crypt_reboot/config.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+module CryptReboot
+  # Global configuration singleton
+  class Config < InstantiableConfig
+    include Singleton
+
+    class << self
+      def method_missing(method_name, *args, **kwargs, &block)
+        instance.respond_to?(method_name) ? instance.send(method_name, *args, **kwargs, &block) : super
+      end
+
+      def respond_to_missing?(name, *_, **_)
+        instance.respond_to?(name)
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/deserializer.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Load crypttab file and return array with deserialized entries
+    class Deserializer
+      def call(filename = nil, content: File.read(filename))
+        split_to_important_lines(content).map do |line|
+          entry_deserializer.call line
+        end
+      end
+
+      private
+
+      def split_to_important_lines(content)
+        content.split(/\n+|\r+/)
+               .reject(&:empty?)
+               .reject { |line| line.start_with? '#' }
+      end
+
+      attr_reader :entry_deserializer
+
+      def initialize(entry_deserializer: EntryDeserializer.new)
+        @entry_deserializer = entry_deserializer
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/entry.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Value-object describing entry in crypttab file
+    class Entry
+      attr_reader :target, :source, :key_file, :options, :flags
+
+      def ==(other)
+        target == other.target && source == other.source && key_file == other.key_file &&
+          options == other.options && flags.sort == other.flags.sort
+      end
+
+      def headevice(header_prefix: nil)
+        if header_prefix && header_path
+          File.join(header_prefix, header_path)
+        elsif header_path
+          header_path
+        else
+          source
+        end
+      end
+
+      private
+
+      def header_path
+        options[:header]
+      end
+
+      def initialize(target:, source:, key_file:, options:, flags:)
+        @target = target
+        @source = source
+        @key_file = key_file
+        @options = options
+        @flags = flags
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/entry_deserializer.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Deserialize crypttab line into value object
+    class EntryDeserializer
+      InvalidFormat = Class.new StandardError
+
+      def call(line)
+        target, source, key_file, raw_floptions = columns = line.split
+        raise InvalidFormat if columns.size < 3
+
+        floptions = raw_floptions.to_s.split(',')
+        flags = extract_flags(floptions)
+        options = extract_options(floptions)
+        entry_class.new(
+          target: target, source: source, key_file: key_file,
+          options: options, flags: flags
+        )
+      end
+
+      private
+
+      def extract_flags(floptions)
+        floptions.reject do |floption|
+          floption.include?('=')
+        end.map(&:to_sym)
+      end
+
+      def extract_options(floptions)
+        options = floptions.select do |floption|
+          floption.include?('=')
+        end
+        options.to_h do |option|
+          parse_option(option)
+        end
+      end
+
+      def parse_option(option)
+        name, value = option.split('=')
+        [name.to_sym, value.to_i.to_s == value ? value.to_i : value]
+      end
+
+      attr_reader :entry_class
+
+      def initialize(entry_class: Entry)
+        @entry_class = entry_class
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/entry_serializer.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Serialize crypttab entry into one line of text
+    class EntrySerializer
+      def call(entry)
+        floptions = (entry.flags + serialize_options(entry.options)).join(',')
+        [entry.target, entry.source, entry.key_file, floptions].join(' ')
+      end
+
+      private
+
+      def serialize_options(options)
+        options.map do |option, value|
+          [option, value].join('=')
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/keyfile_locator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Return path of keyfile for given target
+    class KeyfileLocator
+      def call(target)
+        File.join(base_dir, target + extension)
+      end
+
+      private
+
+      attr_reader :base_dir, :extension
+
+      def initialize(base_dir: '/cryptreboot', extension: '.key')
+        @base_dir = base_dir
+        @extension = extension
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Convert given crypttab entry from LUKS to plain mode
+    class LuksToPlainConverter
+      def call(entry, data, keyfile)
+        entry_class.new(
+          target: entry.target,
+          source: entry.source,
+          key_file: keyfile,
+          options: convert_options(entry.options, data),
+          flags: entry.flags - [:luks] + [:plain]
+        )
+      end
+
+      private
+
+      # According to cryptsetup manual, offset is specified in 512-byte sectors.
+      # Therefore sector size of the actual device shouldn't be used.
+      OFFSET_SECTOR_SIZE = 512
+      private_constant :OFFSET_SECTOR_SIZE
+
+      def convert_options(options, data)
+        options = options.reject do |option, _|
+          %i[keyfile-size keyslot key-slot header keyscript].include? option
+        end
+        options[:'sector-size'] ||= data.sector_size # allow user to set it explicitly
+        options.merge({ cipher: data.cipher, size: data.key_bits, offset: data.offset / OFFSET_SECTOR_SIZE })
+      end
+
+      attr_reader :entry_class
+
+      def initialize(entry_class: Entry)
+        @entry_class = entry_class
+      end
+    end
+  end
+end

data/lib/crypt_reboot/crypt_tab/serializer.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Serialize entries and return crypttab file content as a string
+    class Serializer
+      def call(entries)
+        body = serialize(entries).join("\n")
+        "#{header}\n#{body}\n"
+      end
+
+      private
+
+      def serialize(entries)
+        entries.map do |entry|
+          entry_serializer.call(entry)
+        end
+      end
+
+      attr_reader :entry_serializer, :header
+
+      def initialize(entry_serializer: EntrySerializer.new,
+                     header: '# This file has been patched by cryptreboot')
+        @entry_serializer = entry_serializer
+        @header = header
+      end
+    end
+  end
+end

data/lib/crypt_reboot/files_generator.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Generate a hash with file names as keys and file contents as values
+  class FilesGenerator
+    def call(entries, base_dir)
+      files = {}
+      modified_entries = entries.map do |entry|
+        headevice = entry.headevice(header_prefix: base_dir)
+        next entry unless luks?(headevice)
+
+        data = luks_data_fetcher.call(headevice)
+        keyfile = keyfile_locator.call(entry.target)
+        files[keyfile] = data.key
+        entry_converter.call(entry, data, keyfile)
+      end
+      files.merge(CRYPTAB_PATH => serializer.call(modified_entries))
+    end
+
+    private
+
+    CRYPTAB_PATH = '/cryptroot/crypttab'
+    private_constant :CRYPTAB_PATH
+
+    def luks?(headevice)
+      luks_checker.call(headevice)
+    end
+
+    attr_reader :keyfile_locator, :entry_converter, :serializer,
+                :luks_data_fetcher, :luks_checker
+
+    def initialize(keyfile_locator: CryptTab::KeyfileLocator.new,
+                   entry_converter: CryptTab::LuksToPlainConverter.new,
+                   serializer: CryptTab::Serializer.new,
+                   luks_data_fetcher: Luks::DataFetcher.new,
+                   luks_checker: Luks::Checker.new)
+      @keyfile_locator = keyfile_locator
+      @entry_converter = entry_converter
+      @serializer = serializer
+      @luks_data_fetcher = luks_data_fetcher
+      @luks_checker = luks_checker
+    end
+  end
+end

data/lib/crypt_reboot/files_writer.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module CryptReboot
+  # Writes files from hash to specified directory
+  class FilesWriter
+    def call(files, target_dir)
+      files.each do |relative_path, content|
+        path = File.join(target_dir, relative_path)
+        dir = File.dirname(path)
+        FileUtils.mkdir_p(dir) unless File.directory?(dir)
+        File.binwrite(path, content)
+      end
+    end
+  end
+end

data/lib/crypt_reboot/gziper.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'zlib'
+
+module CryptReboot
+  # Gzip data and save it to file
+  class Gziper
+    def call(archive_path, data)
+      writer.call(archive_path) do |gz|
+        gz.write data
+      end
+    end
+
+    private
+
+    attr_reader :writer
+
+    def initialize(writer: Zlib::GzipWriter.method(:open))
+      @writer = writer
+    end
+  end
+end

data/lib/crypt_reboot/initramfs/archiver.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'find'
+
+module CryptReboot
+  module Initramfs
+    # Create compressed CPIO archive from files in a given directory
+    class Archiver
+      def call(dir, archive)
+        Dir.chdir(dir) do
+          uncompressed = runner.call(cpio, '-oH', 'newc', '--reproducible', input: finder.call)
+          gziper.call(archive, uncompressed)
+        end
+      end
+
+      private
+
+      def cpio
+        lazy_cpio.call
+      end
+
+      attr_reader :runner, :finder, :lazy_cpio, :gziper
+
+      def initialize(runner: Runner::Binary.new,
+                     finder: -> { Find.find('.').to_a.join("\n") },
+                     lazy_cpio: LazyConfig.cpio_path,
+                     gziper: Gziper.new)
+        @runner = runner
+        @finder = finder
+        @lazy_cpio = lazy_cpio
+        @gziper = gziper
+      end
+    end
+  end
+end

data/lib/crypt_reboot/initramfs/decompressor/intolerant_decompressor.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'shellwords'
+
+module CryptReboot
+  module Initramfs
+    # Extract initramfs in strace to check if compression is supported
+    class Decompressor
+      class IntolerantDecompressor
+        Lz4NotAllowed = Class.new StandardError
+
+        def call(filename, dir)
+          command_line = prepare_command_line(filename, dir)
+          lines = runner.call(command_line)
+          raise_exception if intolerable_tool_used?(lines)
+        end
+
+        private
+
+        def prepare_command_line(filename, dir)
+          options = '-f --trace=execve -z -qq --signal=\!all'
+          args = "#{filename.shellescape} #{dir.shellescape}"
+          strace_command_line = "#{strace.shellescape} #{options} #{unmkinitramfs.shellescape} #{args}"
+          grep_command_line = "#{grep.shellescape} --line-buffered lz4"
+          # guarantee at least 1 line of grep output, otherwise grep will return non-zero status
+          grep_fixer = 'echo lz4 \"-t\"'
+          "(#{grep_fixer}; #{strace_command_line}) 2>&1 | #{grep_command_line}"
+        end
+
+        def intolerable_tool_used?(lines)
+          !!lines.find { |line| line !~ /"-t"/ && line !~ /"--test"/ }
+        end
+
+        def raise_exception
+          raise Lz4NotAllowed, 'LZ4 compression is not allowed, change the compression ' \
+                               'algorithm in initramfs.conf and regenerate the initramfs image'
+        end
+
+        def unmkinitramfs
+          lazy_unmkinitramfs.call
+        end
+
+        def strace
+          lazy_strace.call
+        end
+
+        def grep
+          lazy_grep.call
+        end
+
+        attr_reader :lazy_unmkinitramfs, :lazy_strace, :lazy_grep, :runner
+
+        def initialize(lazy_unmkinitramfs: LazyConfig.unmkinitramfs_path,
+                       lazy_strace: LazyConfig.strace_path,
+                       lazy_grep: LazyConfig.grep_path,
+                       runner: Runner::Lines.new)
+          @lazy_unmkinitramfs = lazy_unmkinitramfs
+          @lazy_strace = lazy_strace
+          @lazy_grep = lazy_grep
+          @runner = runner
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/initramfs/decompressor/tolerant_decompressor.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Initramfs
+    class Decompressor
+      # Simply extract initramfs
+      class TolerantDecompressor
+        def call(filename, dir)
+          runner.call(unmkinitramfs, filename, dir)
+        end
+
+        private
+
+        attr_reader :lazy_unmkinitramfs, :runner
+
+        def unmkinitramfs
+          lazy_unmkinitramfs.call
+        end
+
+        def initialize(lazy_unmkinitramfs: LazyConfig.unmkinitramfs_path,
+                       runner: Runner::NoResult.new)
+          @lazy_unmkinitramfs = lazy_unmkinitramfs
+          @runner = runner
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/initramfs/decompressor.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Initramfs
+    # Instantiates appropriate decompressor
+    class Decompressor
+      def call(skip_lz4_check: Config.skip_lz4_check)
+        skip_lz4_check ? TolerantDecompressor.new : IntolerantDecompressor.new
+      end
+    end
+  end
+end

data/lib/crypt_reboot/initramfs/extractor.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'tmpdir'
+
+module CryptReboot
+  module Initramfs
+    # Create temporary directory, extract initramfs there and yield, cleaning afterwards
+    class Extractor
+      def call(filename)
+        tmp_maker.call do |dir|
+          logger.call message
+          decompressor.call(filename, dir)
+          yield dir
+        end
+      end
+
+      private
+
+      def decompressor
+        decompressor_factory.call
+      end
+
+      attr_reader :tmp_maker, :decompressor_factory, :message, :logger
+
+      def initialize(tmp_maker: Dir.method(:mktmpdir),
+                     decompressor_factory: Decompressor.new,
+                     message: 'Extracting initramfs... To speed things up, future versions will employ cache.',
+                     logger: ->(msg) { warn msg })
+        @tmp_maker = tmp_maker
+        @decompressor_factory = decompressor_factory
+        @message = message
+        @logger = logger
+      end
+    end
+  end
+end

data/lib/crypt_reboot/initramfs/patcher.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module CryptReboot
+  module Initramfs
+    # Yield path to initramfs patched with files_spec.
+    # Patched initramfs will be removed afterwards if user doesn't want to save it
+    class Patcher
+      def call(initramfs_path, files_spec)
+        temp_provider.call do |base_dir|
+          files_dir, patch_path, patched_path = prefix('files', 'patch', 'result', with: base_dir)
+          writer.call(files_spec, files_dir)
+          archiver.call(files_dir, patch_path)
+          saver.call(patch_path)
+          concatenator.call(initramfs_path, patch_path, to: patched_path)
+          yield patched_path
+        end
+      end
+
+      private
+
+      def prefix(*file_names, with:)
+        file_names.map do |file_name|
+          File.join(with, file_name)
+        end
+      end
+
+      attr_reader :temp_provider, :writer, :archiver, :concatenator, :saver
+
+      def initialize(temp_provider: SafeTemp::Directory.new,
+                     writer: FilesWriter.new,
+                     archiver: Archiver.new,
+                     concatenator: Concatenator.new,
+                     saver: lambda { |file|
+                              dir = Config.patch_save_path
+                              FileUtils.cp(file, dir) if dir
+                            })
+        @temp_provider = temp_provider
+        @writer = writer
+        @archiver = archiver
+        @concatenator = concatenator
+        @saver = saver
+      end
+    end
+  end
+end

data/lib/crypt_reboot/initramfs_patch_squeezer.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Transform initramfs image into a patch (files hash)
+  class InitramfsPatchSqueezer
+    def call(initramfs_path)
+      extractor.call(initramfs_path) do |tmp_dir|
+        crypttab_path = File.join(tmp_dir, crypttab_relative_path)
+        crypttab_entries = deserializer.call(crypttab_path)
+        files_generator.call(crypttab_entries, tmp_dir)
+      end
+    end
+
+    private
+
+    attr_reader :crypttab_relative_path, :extractor, :deserializer, :files_generator
+
+    def initialize(crypttab_relative_path = 'main/cryptroot/crypttab',
+                   extractor: Initramfs::Extractor.new,
+                   deserializer: CryptTab::Deserializer.new,
+                   files_generator: FilesGenerator.new)
+      @crypttab_relative_path = crypttab_relative_path
+      @extractor = extractor
+      @deserializer = deserializer
+      @files_generator = files_generator
+    end
+  end
+end

data/lib/crypt_reboot/instantiable_config.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Configuration object
+  class InstantiableConfig
+    UnrecognizedSetting = Class.new StandardError
+
+    attr_reader :initramfs, :cmdline, :kernel, :patch_save_path, :cat_path, :cpio_path,
+                :unmkinitramfs_path, :kexec_path, :cryptsetup_path, :reboot_path,
+                :mount_path, :umount_path, :strace_path, :grep_path,
+                :debug, :prepare_only, :skip_lz4_check
+
+    def update!(**settings)
+      settings.each do |name, value|
+        set!(name, value)
+      end
+    end
+
+    private
+
+    def set!(name, value)
+      raise UnrecognizedSetting, "Unrecognized setting `#{name}`" unless instance_variable_defined?(:"@#{name}")
+
+      instance_variable_set(:"@#{name}", value)
+    end
+
+    # rubocop:disable Metrics/MethodLength
+    def initialize
+      # Options
+      @initramfs = '/boot/initrd.img'
+      @cmdline = nil
+      @kernel = '/boot/vmlinuz'
+      @patch_save_path = nil
+      @cat_path = 'cat'
+      @cpio_path = 'cpio'
+      @unmkinitramfs_path = 'unmkinitramfs'
+      @kexec_path = 'kexec'
+      @cryptsetup_path = 'cryptsetup'
+      @reboot_path = 'reboot'
+      @mount_path = 'mount'
+      @umount_path = 'umount'
+      @strace_path = 'strace'
+      @grep_path = 'grep'
+
+      # Flags
+      @debug = false
+      @prepare_only = false
+      @skip_lz4_check = false
+    end
+    # rubocop:enable Metrics/MethodLength
+  end
+end

data/lib/crypt_reboot/kexec/loader.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Kexec
+    # Load new kernel and initramfs into memory, making then ready for later execution
+    class Loader
+      def call(boot_config)
+        args = [tool, '-al', boot_config.kernel]
+        args += ['--initrd', boot_config.initramfs] if boot_config.initramfs
+        args += boot_config.cmdline ? ['--append', boot_config.cmdline] : ['--reuse-cmdline']
+
+        runner.call(*args)
+      end
+
+      private
+
+      def tool
+        lazy_tool.call
+      end
+
+      attr_reader :lazy_tool, :runner
+
+      def initialize(lazy_tool: LazyConfig.kexec_path,
+                     runner: Runner::NoResult.new)
+        @lazy_tool = lazy_tool
+        @runner = runner
+      end
+    end
+  end
+end