crypt_reboot 0.1.2 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90456cf783f95d79186882a7fce00b153b4ff1928a68efd4609fb7e8859d3b04
-  data.tar.gz: d5fd15cb6705793a7e357666158eaa4f95f5c14d41b22b1d82d087a921fa512c
+  metadata.gz: 6ec1b79f3b99fddc49e170693df471d0eebc44af064787cb29b2694985a91418
+  data.tar.gz: e3fa5ac025fc7ea7544a6e4c6d9db1f5894a0da44b6c39d07689a7594c0fc714
 SHA512:
-  metadata.gz: 5c99c3e114727a1236ef3dd9f536a56b1a89639c4447f6387ec5bcd1bd25234f2655a75f306ace56dd78c36a0aadf77da4321ed6626c36c63e38c9852fefefea
-  data.tar.gz: 37acfc427190670ad362cfb60a8a18ed29bcab338d24ac728ac23f4e3934c6669175db7872836ac46211d09dd16cba861259ec8e99c829050c1a8a3b875b9724
+  metadata.gz: 8aebba8307469fc4cba898f0c3427b4c6242e7f90dea985b33a72e89e13ee7e0854b232870b1afaea518c92eee03dca8c32d4c1f956a6da2e6cd55adae67f07e
+  data.tar.gz: 56d86831971b547b4d1856b426dafac2a77bffa23fd8ced861908902ce969186be52710e92dd50ec01242c77133d77439a088a651626dd9e8ce2977ce136483a

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## [0.2.1] - 2023-11-12
+
+- use new MemoryLocker without a need for FFI compilation step
+
+## [0.2.0] - 2023-07-29
+
+- Make memory locking optional with `--insecure-memory` command line option
+- Remove FFI gem dependency
+
 ## [0.1.2] - 2023-07-22
 
 - Lock memory to prevent secrets leaking to swap

data/README.md

@@ -7,7 +7,8 @@ Convenient reboot for Linux systems with encrypted root partition.
 > Just type `cryptreboot` instead of `reboot`.
 
 It asks for a passphrase and reboots the system afterward, automatically
-unlocking the drive on startup using in-memory initramfs patching and kexec.
+unlocking the drive on startup using
+[in-memory initramfs patching and kexec](https://blog.pawelpokrywka.com/p/rebooting-linux-with-encrypted-disk).
 Without explicit consent, no secrets are stored on disk, even temporarily.
 
 Useful when unlocking the drive at startup is difficult, such as on headless
@@ -36,7 +37,8 @@ Following distributions were tested by the author on the AMD64 machine:
 - Ubuntu 22.04 LTS
 - Ubuntu 20.04 LTS needs tiny adjustments to system settings,
   specifically [changing compression](#lz4-initramfs-compression) and
-  [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
+  [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
+  [sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
 - ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
 
 If you have successfully run cryptreboot on another distribution,
@@ -71,6 +73,10 @@ Make sure the required software is installed, then install the gem system-wide b
 
     $ sudo gem install crypt_reboot
 
+To upgrade run:
+
+    $ sudo gem update crypt_reboot
+
 ## Usage
 
 Cryptreboot performs operations normally only available to the root user,
@@ -84,7 +90,7 @@ To see the usage, run:
 
     $ cryptreboot --help
 
-## Resolutions for common issues
+## Troubleshooting
 
 ### LZ4 initramfs compression
 
@@ -140,9 +146,9 @@ To cancel the change, remove the file:
 
     $ sudo rm /etc/systemd/system/systemd-kexec.service.d/override.conf
 
-### No symlinks to most recent kernel and initramfs
+### No symlinks to the most recent kernel and initramfs
 
-By default cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
+By default, cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
 in `/boot/initrd.img`. If those files are missing in your Linux distribution,
 cryptreboot will fail, unless you use `--kernel` and `--initramfs` command line
 options.
@@ -160,6 +166,42 @@ Unfortunately, you need to rerun it after each kernel upgrade, otherwise,
 cryptreboot is going to boot the old kernel.
 Upcoming versions of cryptreboot will offer better solutions.
 
+### Problems with memory locking
+
+If you get:
+
+> Locking error: Failed to lock memory
+
+it means there was an error while locking memory to prevent a risk of sensitive data ending in a swap space.
+
+Make sure you have permission to lock memory. Root users have.
+If permissions are ok, then please report a bug describing your setup.
+
+The solution of last resort is to use `--insecure-memory` flag, which disables memory locking completely.
+
+### Unable to kexec on reboot using old systemd
+
+Ubuntu 20.04 ships with `systemd` which may fall back to standard reboot instead of using `kexec`, because this utility
+is located on a filesystem being unmounted during the shutdown sequence.
+
+As a result, using cryptreboot would feel like using normal reboot.
+
+To tell if your system is affected, you have to check messages printed to the console after you run cryptreboot.
+This message happens just before reboot, so you will have just a few milliseconds to notice it on screen:
+
+> shutdown[1]: (sd-kexec) failed with exit status 1
+
+[There is a fix](https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969365) waiting to be included in
+a stable release update to `systemd` since 2023-07-21.
+
+In the meantime, as a workaround, you can use `kexec` directly. **Warning: it will skip the standard shutdown procedure. Filesystems won't be unmounted, services won't be stopped, etc. It is like hitting `reset` button**.
+However, when you use a decent filesystem with journalling the risk of things going bad should not be high.
+
+Given the above warning, to reboot skipping the shutdown procedure, run:
+
+    $ sudo cryptreboot -p
+    $ sudo kexec -e # will skip proper shutdown sequence
+
 ## Development
 
 After checking out the repo, run `bundle install` to install

data/lib/basic_loader.rb

@@ -8,13 +8,13 @@ require 'crypt_reboot/cli'
 require 'crypt_reboot/concatenator'
 require 'crypt_reboot/instantiable_config'
 require 'crypt_reboot/config'
+require 'crypt_reboot/elastic_memory_locker'
 require 'crypt_reboot/files_generator'
 require 'crypt_reboot/files_writer'
 require 'crypt_reboot/gziper'
 require 'crypt_reboot/initramfs_patch_squeezer'
 require 'crypt_reboot/kexec_patching_loader'
 require 'crypt_reboot/lazy_config'
-require 'crypt_reboot/memory_locker'
 require 'crypt_reboot/passphrase_asker'
 require 'crypt_reboot/patched_initramfs_generator'
 require 'crypt_reboot/rebooter'

data/lib/crypt_reboot/cli/params/definition.rb

@@ -90,6 +90,12 @@ module CryptReboot
                'algorithm to a more robust one.'
         end
 
+        flag :insecure_memory do
+          short '-s'
+          long '--insecure-memory'
+          desc 'Do not lock memory. WARNING: there is a risk your secrets will leak to swap.'
+        end
+
         flag :debug do
           short '-d'
           long '--debug'

data/lib/crypt_reboot/cli/params_parsing_executor.rb

@@ -5,7 +5,6 @@ module CryptReboot
     # Interprets parameters, executes everything and returns callable object
     class ParamsParsingExecutor
       def call(raw_params)
-        locker.call
         params = parser.call(raw_params)
         handle_action_params!(params) or configure_and_exec(params)
       rescue StandardError, Interrupt => e
@@ -22,6 +21,7 @@ module CryptReboot
 
       def configure_and_exec(params)
         config_updater.call(**params)
+        locker.call
         loader.call
         rebooter
       end
@@ -58,7 +58,7 @@ module CryptReboot
                      rebooter: Rebooter.new,
                      happy_exiter_class: HappyExiter,
                      sad_exiter_class: SadExiter,
-                     locker: MemoryLocker.new)
+                     locker: ElasticMemoryLocker.new)
         @parser = parser
         @config_updater = config_updater
         @loader = loader

data/lib/crypt_reboot/elastic_memory_locker.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'memory_locker' unless defined? MemoryLocker # MemoryLocker is mocked in tests
+
+module CryptReboot
+  # Try to lock memory if configuration allows it
+  class ElasticMemoryLocker
+    LockingError = Class.new StandardError
+
+    def call
+      return if skip_locking?
+
+      locker.call
+      nil
+    rescue locking_error => e
+      raise LockingError, 'Failed to lock memory', cause: e
+    end
+
+    private
+
+    def skip_locking?
+      insecure_memory_checker.call
+    end
+
+    attr_reader :insecure_memory_checker, :locker, :locking_error
+
+    def initialize(insecure_memory_checker: LazyConfig.insecure_memory,
+                   locker: MemoryLocker,
+                   locking_error: MemoryLocker::Error)
+      @insecure_memory_checker = insecure_memory_checker
+      @locker = locker
+      @locking_error = locking_error
+    end
+  end
+end

data/lib/crypt_reboot/instantiable_config.rb

@@ -8,7 +8,7 @@ module CryptReboot
     attr_reader :initramfs, :cmdline, :kernel, :patch_save_path, :cat_path, :cpio_path,
                 :unmkinitramfs_path, :kexec_path, :cryptsetup_path, :reboot_path,
                 :mount_path, :umount_path, :strace_path, :grep_path,
-                :debug, :prepare_only, :skip_lz4_check
+                :debug, :prepare_only, :skip_lz4_check, :insecure_memory
 
     def update!(**settings)
       settings.each do |name, value|
@@ -25,6 +25,7 @@ module CryptReboot
     end
 
     # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/AbcSize
     def initialize
       # Options
       @initramfs = '/boot/initrd.img'
@@ -46,7 +47,9 @@ module CryptReboot
       @debug = false
       @prepare_only = false
       @skip_lz4_check = false
+      @insecure_memory = false
     end
+    # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/MethodLength
   end
 end

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.1.2'
+  VERSION = '0.2.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.1
 platform: ruby
 authors:
 - Paweł Pokrywka
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-07-22 00:00:00.000000000 Z
+date: 2023-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -39,20 +39,20 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.3'
 - !ruby/object:Gem::Dependency
-  name: ffi
+  name: memory_locker
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
-description: 
+        version: 1.0.3
+description:
 email:
 - pepawel@users.noreply.github.com
 executables:
@@ -85,6 +85,7 @@ files:
 - lib/crypt_reboot/crypt_tab/keyfile_locator.rb
 - lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb
 - lib/crypt_reboot/crypt_tab/serializer.rb
+- lib/crypt_reboot/elastic_memory_locker.rb
 - lib/crypt_reboot/files_generator.rb
 - lib/crypt_reboot/files_writer.rb
 - lib/crypt_reboot/gziper.rb
@@ -107,7 +108,6 @@ files:
 - lib/crypt_reboot/luks/dumper/luks_v2_parser.rb
 - lib/crypt_reboot/luks/key_fetcher.rb
 - lib/crypt_reboot/luks/version_detector.rb
-- lib/crypt_reboot/memory_locker.rb
 - lib/crypt_reboot/passphrase_asker.rb
 - lib/crypt_reboot/patched_initramfs_generator.rb
 - lib/crypt_reboot/rebooter.rb
@@ -131,7 +131,7 @@ metadata:
   source_code_uri: https://github.com/phantom-node/cryptreboot
   changelog_uri: https://github.com/phantom-node/cryptreboot/blob/master/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -146,8 +146,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: Linux utility for automatic and secure unlocking of encrypted disks on reboot
 test_files: []

data/lib/crypt_reboot/memory_locker.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-require 'ffi'
-
-module CryptReboot
-  # Lock process memory, so it won't be swapped by the kernel.
-  # It is implemented as a one-way operation: there is no unlock.
-  # That's because it's hard to properly clean memory in Ruby.
-  class MemoryLocker
-    Error = Class.new StandardError
-
-    def call
-      return if Libc.mlockall(Libc::MCL_CURRENT | Libc::MCL_FUTURE).zero?
-
-      raise Error, "Failed to lock memory: #{FFI.errno}"
-    end
-
-    # Low level interface to libc
-    module Libc
-      extend FFI::Library
-      ffi_lib 'libc.so.6'
-
-      # define mlockall constants
-      MCL_CURRENT = 1
-      MCL_FUTURE = 2
-      MCL_ONFAULT = 4
-
-      # declare mlockall function
-      attach_function :mlockall, [:int], :int
-    end
-    private_constant :Libc
-  end
-end