crypt_reboot 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90456cf783f95d79186882a7fce00b153b4ff1928a68efd4609fb7e8859d3b04
-  data.tar.gz: d5fd15cb6705793a7e357666158eaa4f95f5c14d41b22b1d82d087a921fa512c
+  metadata.gz: ee0a1d8c466f902cc47c84b3310c899046ae2d2cacc952f184baa76463add807
+  data.tar.gz: 6fc17834b241d0822848b84e36fa2277b47a998c77659740a82d0e49d83a16e6
 SHA512:
-  metadata.gz: 5c99c3e114727a1236ef3dd9f536a56b1a89639c4447f6387ec5bcd1bd25234f2655a75f306ace56dd78c36a0aadf77da4321ed6626c36c63e38c9852fefefea
-  data.tar.gz: 37acfc427190670ad362cfb60a8a18ed29bcab338d24ac728ac23f4e3934c6669175db7872836ac46211d09dd16cba861259ec8e99c829050c1a8a3b875b9724
+  metadata.gz: 030a74f06349d21c91b05a7ac297ffb927309faad863689a8cd632521587e47059c38995b377e199e5337819f447999796f65aa6dfa17345f7aaca0821458a23
+  data.tar.gz: 2f16596ee0b871ecec49b9687da65d3086c66daa41b48e3090d43317452755752443996f5ef5887ac4a73f50f31bd4307ab08254b2869e3219970117ddfcbeee

data/README.md

@@ -65,12 +65,24 @@ If you use Debian-based distribution, use this command to install required packa
 When asked if kexec should handle reboots, answer `yes` (however the answer probably
 doesn't matter for cryptreboot to work).
 
+## Recommendations
+
+To protects against saving sensitive data (passphrase, encryption keys) to swap space on a disk, it is recommended to use `memory_locker` ([Rubygems](https://rubygems.org/gems/memory_locker), [Github](https://github.com/phantom-node/memory_locker)).
+
+    $ sudo gem install memory_locker
+
+If you don't want to install it, you will have to specify `--insecure-memory` flag when running cryptreboot.
+
 ## Installation
 
 Make sure the required software is installed, then install the gem system-wide by executing:
 
     $ sudo gem install crypt_reboot
 
+To upgrade run:
+
+    $ sudo gem update crypt_reboot
+
 ## Usage
 
 Cryptreboot performs operations normally only available to the root user,
@@ -84,7 +96,7 @@ To see the usage, run:
 
     $ cryptreboot --help
 
-## Resolutions for common issues
+## Troubleshooting
 
 ### LZ4 initramfs compression
 
@@ -140,9 +152,9 @@ To cancel the change, remove the file:
 
     $ sudo rm /etc/systemd/system/systemd-kexec.service.d/override.conf
 
-### No symlinks to most recent kernel and initramfs
+### No symlinks to the most recent kernel and initramfs
 
-By default cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
+By default, cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
 in `/boot/initrd.img`. If those files are missing in your Linux distribution,
 cryptreboot will fail, unless you use `--kernel` and `--initramfs` command line
 options.
@@ -160,6 +172,20 @@ Unfortunately, you need to rerun it after each kernel upgrade, otherwise,
 cryptreboot is going to boot the old kernel.
 Upcoming versions of cryptreboot will offer better solutions.
 
+### Problems with memory locking
+
+If you get:
+
+> Locking error: Failed to lock memory
+
+it means there was an error while locking memory to prevent a risk of sensitive data ending in a swap space.
+
+The best solution is to install `memory_locker` (see [requirements](#requirements) section).
+If it still doesn't help, make sure you have permission to lock memory. Root users do.
+If the problem persists, then please report a bug describing your setup.
+
+The solution of last resort is to use `--insecure-memory` flag, which disables memory locking completely.
+
 ## Development
 
 After checking out the repo, run `bundle install` to install

data/lib/basic_loader.rb

@@ -8,13 +8,13 @@ require 'crypt_reboot/cli'
 require 'crypt_reboot/concatenator'
 require 'crypt_reboot/instantiable_config'
 require 'crypt_reboot/config'
+require 'crypt_reboot/elastic_memory_locker'
 require 'crypt_reboot/files_generator'
 require 'crypt_reboot/files_writer'
 require 'crypt_reboot/gziper'
 require 'crypt_reboot/initramfs_patch_squeezer'
 require 'crypt_reboot/kexec_patching_loader'
 require 'crypt_reboot/lazy_config'
-require 'crypt_reboot/memory_locker'
 require 'crypt_reboot/passphrase_asker'
 require 'crypt_reboot/patched_initramfs_generator'
 require 'crypt_reboot/rebooter'

data/lib/crypt_reboot/cli/params/definition.rb

@@ -90,6 +90,12 @@ module CryptReboot
                'algorithm to a more robust one.'
         end
 
+        flag :insecure_memory do
+          short '-s'
+          long '--insecure-memory'
+          desc 'Do not lock memory. WARNING: there is a risk your secrets will leak to swap.'
+        end
+
         flag :debug do
           short '-d'
           long '--debug'

data/lib/crypt_reboot/cli/params_parsing_executor.rb

@@ -5,7 +5,6 @@ module CryptReboot
     # Interprets parameters, executes everything and returns callable object
     class ParamsParsingExecutor
       def call(raw_params)
-        locker.call
         params = parser.call(raw_params)
         handle_action_params!(params) or configure_and_exec(params)
       rescue StandardError, Interrupt => e
@@ -22,6 +21,7 @@ module CryptReboot
 
       def configure_and_exec(params)
         config_updater.call(**params)
+        locker.call
         loader.call
         rebooter
       end
@@ -58,7 +58,7 @@ module CryptReboot
                      rebooter: Rebooter.new,
                      happy_exiter_class: HappyExiter,
                      sad_exiter_class: SadExiter,
-                     locker: MemoryLocker.new)
+                     locker: ElasticMemoryLocker.new)
         @parser = parser
         @config_updater = config_updater
         @loader = loader

data/lib/crypt_reboot/elastic_memory_locker.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Try to lock memory if configuration allows it
+  class ElasticMemoryLocker
+    LockingError = Class.new StandardError
+
+    def call
+      return if skip_locking?
+
+      loader.call
+      locker.call
+      nil
+    rescue load_error, locking_error => e
+      raise LockingError, 'Failed to lock memory', cause: e
+    end
+
+    private
+
+    def skip_locking?
+      insecure_memory_checker.call
+    end
+
+    def locking_error
+      lazy_locking_error.call
+    end
+
+    attr_reader :insecure_memory_checker, :loader, :load_error, :locker, :lazy_locking_error
+
+    def initialize(insecure_memory_checker: LazyConfig.insecure_memory,
+                   loader: -> { require 'memory_locker' },
+                   load_error: LoadError,
+                   locker: -> { MemoryLocker.call },
+                   lazy_locking_error: -> { MemoryLocker::Error })
+      @insecure_memory_checker = insecure_memory_checker
+      @loader = loader
+      @load_error = load_error
+      @locker = locker
+      @lazy_locking_error = lazy_locking_error
+    end
+  end
+end

data/lib/crypt_reboot/instantiable_config.rb

@@ -8,7 +8,7 @@ module CryptReboot
     attr_reader :initramfs, :cmdline, :kernel, :patch_save_path, :cat_path, :cpio_path,
                 :unmkinitramfs_path, :kexec_path, :cryptsetup_path, :reboot_path,
                 :mount_path, :umount_path, :strace_path, :grep_path,
-                :debug, :prepare_only, :skip_lz4_check
+                :debug, :prepare_only, :skip_lz4_check, :insecure_memory
 
     def update!(**settings)
       settings.each do |name, value|
@@ -25,6 +25,7 @@ module CryptReboot
     end
 
     # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/AbcSize
     def initialize
       # Options
       @initramfs = '/boot/initrd.img'
@@ -46,7 +47,9 @@ module CryptReboot
       @debug = false
       @prepare_only = false
       @skip_lz4_check = false
+      @insecure_memory = false
     end
+    # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/MethodLength
   end
 end

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.1.2'
+  VERSION = '0.2.0'
 end

data/lib/crypt_reboot.rb

@@ -7,6 +7,7 @@ rescue LoadError => e
 
   require 'zeitwerk'
   loader = Zeitwerk::Loader.for_gem
+  loader.ignore("#{__dir__}/memory_locker.rb") # stub has to be loaded manually
   loader.setup
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Paweł Pokrywka
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-22 00:00:00.000000000 Z
+date: 2023-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -38,20 +38,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
-- !ruby/object:Gem::Dependency
-  name: ffi
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.0.0
 description: 
 email:
 - pepawel@users.noreply.github.com
@@ -85,6 +71,7 @@ files:
 - lib/crypt_reboot/crypt_tab/keyfile_locator.rb
 - lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb
 - lib/crypt_reboot/crypt_tab/serializer.rb
+- lib/crypt_reboot/elastic_memory_locker.rb
 - lib/crypt_reboot/files_generator.rb
 - lib/crypt_reboot/files_writer.rb
 - lib/crypt_reboot/gziper.rb
@@ -107,7 +94,6 @@ files:
 - lib/crypt_reboot/luks/dumper/luks_v2_parser.rb
 - lib/crypt_reboot/luks/key_fetcher.rb
 - lib/crypt_reboot/luks/version_detector.rb
-- lib/crypt_reboot/memory_locker.rb
 - lib/crypt_reboot/passphrase_asker.rb
 - lib/crypt_reboot/patched_initramfs_generator.rb
 - lib/crypt_reboot/rebooter.rb

data/lib/crypt_reboot/memory_locker.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-require 'ffi'
-
-module CryptReboot
-  # Lock process memory, so it won't be swapped by the kernel.
-  # It is implemented as a one-way operation: there is no unlock.
-  # That's because it's hard to properly clean memory in Ruby.
-  class MemoryLocker
-    Error = Class.new StandardError
-
-    def call
-      return if Libc.mlockall(Libc::MCL_CURRENT | Libc::MCL_FUTURE).zero?
-
-      raise Error, "Failed to lock memory: #{FFI.errno}"
-    end
-
-    # Low level interface to libc
-    module Libc
-      extend FFI::Library
-      ffi_lib 'libc.so.6'
-
-      # define mlockall constants
-      MCL_CURRENT = 1
-      MCL_FUTURE = 2
-      MCL_ONFAULT = 4
-
-      # declare mlockall function
-      attach_function :mlockall, [:int], :int
-    end
-    private_constant :Libc
-  end
-end