crypt_reboot 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca95c9301674a1698f766dbfa5dfd06adc99e91a286c32b7eaa77d8611e21762
-  data.tar.gz: 5403a4ed739f8b5901451e3e413598e85acfee1765266a66d85257c708904399
+  metadata.gz: ee0a1d8c466f902cc47c84b3310c899046ae2d2cacc952f184baa76463add807
+  data.tar.gz: 6fc17834b241d0822848b84e36fa2277b47a998c77659740a82d0e49d83a16e6
 SHA512:
-  metadata.gz: d633a85afa5dc298f39c144d700347cb20ae4bc03e5865ba3a92c2a1ae0ec9bc679393b612f7c18838d35578f583db8f791aab223f896a1ed3fce8bcfd78c6e8
-  data.tar.gz: 59442b7e7106a5d2892def87930503472315dbc45da8d9bf8919d29fc7fc998edcb2dfe69b3bc4ea0306c173bc1dc305fa5be42954bb706eb35f4104531933a3
+  metadata.gz: 030a74f06349d21c91b05a7ac297ffb927309faad863689a8cd632521587e47059c38995b377e199e5337819f447999796f65aa6dfa17345f7aaca0821458a23
+  data.tar.gz: 2f16596ee0b871ecec49b9687da65d3086c66daa41b48e3090d43317452755752443996f5ef5887ac4a73f50f31bd4307ab08254b2869e3219970117ddfcbeee

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## [0.1.2] - 2023-07-22
+
+- Lock memory to prevent secrets leaking to swap
+- Use `ramfs` instead of `tmpfs` for the same reason
+
+## [0.1.1] - 2023-07-13
+
+- Standardize passphrase prompt
+
 ## [0.1.0] - 2023-07-09
 
 - Initial release

data/README.md

@@ -28,13 +28,16 @@ Debian, Ubuntu, Linux Mint, Pop!_OS, etc.
 On the other hand, do not expect it to work on other distributions now.
 But support for them may come in upcoming versions.
 
-Following distributions were tested by the author:
+Following distributions were tested by the author on the AMD64 machine:
+- DappNode 0.2.75 is based on Debian 12, see below
+- Debian 12 needs [symlinks for kernel and initramfs](#no-symlinks-to-most-recent-kernel-and-initramfs)
+- Pop!_OS 22.04 LTS
+- Ubuntu 23.04
 - Ubuntu 22.04 LTS
 - Ubuntu 20.04 LTS needs tiny adjustments to system settings,
   specifically [changing compression](#lz4-initramfs-compression) and
   [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
 - ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
-- Pop!_OS 22.04 LTS
 
 If you have successfully run cryptreboot on another distribution,
 please contact me and I will update the list.
@@ -50,17 +53,36 @@ You need to ensure those are installed:
 If you use recent, mainstream Linux distribution, other requirements are
 probably already met:
 - `kexec` support in the kernel
-- `tmpfs` filesystem support in kernel
+- `ramfs` filesystem support in kernel
 - `cryptsetup` (if you use disk encryption, it should be installed)
 - `systemd` or another way to guarantee staged kernel is executed on reboot
 - `strace` (not required if `--skip-lz4-check` flag is specified)
 
+If you use Debian-based distribution, use this command to install required packages:
+
+    $ sudo apt install --no-install-recommends cryptsetup-initramfs kexec-tools ruby strace systemd
+
+When asked if kexec should handle reboots, answer `yes` (however the answer probably
+doesn't matter for cryptreboot to work).
+
+## Recommendations
+
+To protects against saving sensitive data (passphrase, encryption keys) to swap space on a disk, it is recommended to use `memory_locker` ([Rubygems](https://rubygems.org/gems/memory_locker), [Github](https://github.com/phantom-node/memory_locker)).
+
+    $ sudo gem install memory_locker
+
+If you don't want to install it, you will have to specify `--insecure-memory` flag when running cryptreboot.
+
 ## Installation
 
 Make sure the required software is installed, then install the gem system-wide by executing:
 
     $ sudo gem install crypt_reboot
 
+To upgrade run:
+
+    $ sudo gem update crypt_reboot
+
 ## Usage
 
 Cryptreboot performs operations normally only available to the root user,
@@ -74,7 +96,7 @@ To see the usage, run:
 
     $ cryptreboot --help
 
-## Resolutions for common issues
+## Troubleshooting
 
 ### LZ4 initramfs compression
 
@@ -130,6 +152,40 @@ To cancel the change, remove the file:
 
     $ sudo rm /etc/systemd/system/systemd-kexec.service.d/override.conf
 
+### No symlinks to the most recent kernel and initramfs
+
+By default, cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
+in `/boot/initrd.img`. If those files are missing in your Linux distribution,
+cryptreboot will fail, unless you use `--kernel` and `--initramfs` command line
+options.
+
+    $ sudo cryptreboot --kernel /boot/vmlinuz-`uname -r` --initramfs /boot/initrd.img-`uname -r`
+
+If you don't want to specify options every time you reboot, add symlinks to
+the currently running kernel and initramfs:
+
+    $ cd /boot
+    $ sudo ln -sf vmlinuz-`uname -r` vmlinuz
+    $ sudo ln -sf initrd.img-`uname -r` initrd.img
+
+Unfortunately, you need to rerun it after each kernel upgrade, otherwise,
+cryptreboot is going to boot the old kernel.
+Upcoming versions of cryptreboot will offer better solutions.
+
+### Problems with memory locking
+
+If you get:
+
+> Locking error: Failed to lock memory
+
+it means there was an error while locking memory to prevent a risk of sensitive data ending in a swap space.
+
+The best solution is to install `memory_locker` (see [requirements](#requirements) section).
+If it still doesn't help, make sure you have permission to lock memory. Root users do.
+If the problem persists, then please report a bug describing your setup.
+
+The solution of last resort is to use `--insecure-memory` flag, which disables memory locking completely.
+
 ## Development
 
 After checking out the repo, run `bundle install` to install

data/lib/basic_loader.rb

@@ -8,6 +8,7 @@ require 'crypt_reboot/cli'
 require 'crypt_reboot/concatenator'
 require 'crypt_reboot/instantiable_config'
 require 'crypt_reboot/config'
+require 'crypt_reboot/elastic_memory_locker'
 require 'crypt_reboot/files_generator'
 require 'crypt_reboot/files_writer'
 require 'crypt_reboot/gziper'

data/lib/crypt_reboot/cli/params/definition.rb

@@ -90,6 +90,12 @@ module CryptReboot
                'algorithm to a more robust one.'
         end
 
+        flag :insecure_memory do
+          short '-s'
+          long '--insecure-memory'
+          desc 'Do not lock memory. WARNING: there is a risk your secrets will leak to swap.'
+        end
+
         flag :debug do
           short '-d'
           long '--debug'

data/lib/crypt_reboot/cli/params_parsing_executor.rb

@@ -7,7 +7,7 @@ module CryptReboot
       def call(raw_params)
         params = parser.call(raw_params)
         handle_action_params!(params) or configure_and_exec(params)
-      rescue StandardError => e
+      rescue StandardError, Interrupt => e
         raise if debug?
 
         sad_exiter_class.new(error_message(e))
@@ -21,6 +21,7 @@ module CryptReboot
 
       def configure_and_exec(params)
         config_updater.call(**params)
+        locker.call
         loader.call
         rebooter
       end
@@ -45,7 +46,7 @@ module CryptReboot
 
       attr_reader :parser, :config_updater, :loader, :help_generator,
                   :version_string, :debug_checker, :rebooter,
-                  :happy_exiter_class, :sad_exiter_class
+                  :happy_exiter_class, :sad_exiter_class, :locker
 
       # rubocop:disable Metrics/ParameterLists
       def initialize(parser: Params::Parser.new,
@@ -56,7 +57,8 @@ module CryptReboot
                      debug_checker: LazyConfig.debug,
                      rebooter: Rebooter.new,
                      happy_exiter_class: HappyExiter,
-                     sad_exiter_class: SadExiter)
+                     sad_exiter_class: SadExiter,
+                     locker: ElasticMemoryLocker.new)
         @parser = parser
         @config_updater = config_updater
         @loader = loader
@@ -66,6 +68,7 @@ module CryptReboot
         @rebooter = rebooter
         @happy_exiter_class = happy_exiter_class
         @sad_exiter_class = sad_exiter_class
+        @locker = locker
       end
       # rubocop:enable Metrics/ParameterLists
     end

data/lib/crypt_reboot/elastic_memory_locker.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Try to lock memory if configuration allows it
+  class ElasticMemoryLocker
+    LockingError = Class.new StandardError
+
+    def call
+      return if skip_locking?
+
+      loader.call
+      locker.call
+      nil
+    rescue load_error, locking_error => e
+      raise LockingError, 'Failed to lock memory', cause: e
+    end
+
+    private
+
+    def skip_locking?
+      insecure_memory_checker.call
+    end
+
+    def locking_error
+      lazy_locking_error.call
+    end
+
+    attr_reader :insecure_memory_checker, :loader, :load_error, :locker, :lazy_locking_error
+
+    def initialize(insecure_memory_checker: LazyConfig.insecure_memory,
+                   loader: -> { require 'memory_locker' },
+                   load_error: LoadError,
+                   locker: -> { MemoryLocker.call },
+                   lazy_locking_error: -> { MemoryLocker::Error })
+      @insecure_memory_checker = insecure_memory_checker
+      @loader = loader
+      @load_error = load_error
+      @locker = locker
+      @lazy_locking_error = lazy_locking_error
+    end
+  end
+end

data/lib/crypt_reboot/instantiable_config.rb

@@ -8,7 +8,7 @@ module CryptReboot
     attr_reader :initramfs, :cmdline, :kernel, :patch_save_path, :cat_path, :cpio_path,
                 :unmkinitramfs_path, :kexec_path, :cryptsetup_path, :reboot_path,
                 :mount_path, :umount_path, :strace_path, :grep_path,
-                :debug, :prepare_only, :skip_lz4_check
+                :debug, :prepare_only, :skip_lz4_check, :insecure_memory
 
     def update!(**settings)
       settings.each do |name, value|
@@ -25,6 +25,7 @@ module CryptReboot
     end
 
     # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/AbcSize
     def initialize
       # Options
       @initramfs = '/boot/initrd.img'
@@ -46,7 +47,9 @@ module CryptReboot
       @debug = false
       @prepare_only = false
       @skip_lz4_check = false
+      @insecure_memory = false
     end
+    # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/MethodLength
   end
 end

data/lib/crypt_reboot/safe_temp/directory.rb

@@ -4,7 +4,7 @@ require 'tmpdir'
 
 module CryptReboot
   module SafeTemp
-    # Create temporary directory, mounts tmpfs and yields tmp dir location.
+    # Create temporary directory, mounts ramfs and yields tmp dir location.
     # Make sure to cleanup afterwards.
     class Directory
       def call

data/lib/crypt_reboot/safe_temp/mounter.rb

@@ -2,7 +2,9 @@
 
 module CryptReboot
   module SafeTemp
-    # Mount tmpfs at the given mount point, yield and unmount
+    # Mount ramfs at the given mount point, yield and unmount.
+    # We don't want the contents of directory to be swapped,
+    # therefore ramfs is used instead of tmpfs.
     class Mounter
       def call(dir, &block)
         mounter.call(dir)
@@ -21,7 +23,7 @@ module CryptReboot
 
       def initialize(runner: Runner::NoResult.new,
                      mounter: lambda { |dir|
-                                runner.call(Config.mount_path, '-t', 'tmpfs', '-o', 'mode=700', 'none', dir)
+                                runner.call(Config.mount_path, '-t', 'ramfs', '-o', 'mode=700', 'none', dir)
                               },
                      umounter: ->(dir) { runner.call(Config.umount_path, dir) })
         @runner = runner

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.1.1'
+  VERSION = '0.2.0'
 end

data/lib/crypt_reboot.rb

@@ -7,6 +7,7 @@ rescue LoadError => e
 
   require 'zeitwerk'
   loader = Zeitwerk::Loader.for_gem
+  loader.ignore("#{__dir__}/memory_locker.rb") # stub has to be loaded manually
   loader.setup
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Paweł Pokrywka
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-13 00:00:00.000000000 Z
+date: 2023-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -71,6 +71,7 @@ files:
 - lib/crypt_reboot/crypt_tab/keyfile_locator.rb
 - lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb
 - lib/crypt_reboot/crypt_tab/serializer.rb
+- lib/crypt_reboot/elastic_memory_locker.rb
 - lib/crypt_reboot/files_generator.rb
 - lib/crypt_reboot/files_writer.rb
 - lib/crypt_reboot/gziper.rb