crypt_reboot 0.2.0 → 0.3.0.beta.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ee0a1d8c466f902cc47c84b3310c899046ae2d2cacc952f184baa76463add807
-  data.tar.gz: 6fc17834b241d0822848b84e36fa2277b47a998c77659740a82d0e49d83a16e6
+  metadata.gz: 01bc4b369ba12b4f4197e8935a0b89a2e6f4a95af950e3e1eb048a389ef7672e
+  data.tar.gz: 98e360717e15344ae14d41dd9557101c833efa75bcfcd01426096015a7faa2b4
 SHA512:
-  metadata.gz: 030a74f06349d21c91b05a7ac297ffb927309faad863689a8cd632521587e47059c38995b377e199e5337819f447999796f65aa6dfa17345f7aaca0821458a23
-  data.tar.gz: 2f16596ee0b871ecec49b9687da65d3086c66daa41b48e3090d43317452755752443996f5ef5887ac4a73f50f31bd4307ab08254b2869e3219970117ddfcbeee
+  metadata.gz: 19d4fe5d9a715a8cc8e6f55bea983f3a676b2af1f17fe4705cb68122e90b17ac378da756bb3f1dadcd02df75f578c89105c84b654d6dc5e6837a0eedc6efba9c
+  data.tar.gz: 9d9010da9c9177229345ce804491593aaa4336bdeda5e92becc268035b539f4387b6b89f0e2b13d769d4a8b6e932981fa9e2b4e1085da65b5c177166e15bf437

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+## [0.3.0.beta.1] - 2024-09-26
+
+- Add preliminary support for LUKS-keystore-based ZFS encryption implemented by Ubuntu
+
+## [0.2.1] - 2023-11-12
+
+- Use new MemoryLocker without a need for FFI compilation step
+
+## [0.2.0] - 2023-07-29
+
+- Make memory locking optional with `--insecure-memory` command line option
+- Remove FFI gem dependency
+
 ## [0.1.2] - 2023-07-22
 
 - Lock memory to prevent secrets leaking to swap

data/README.md

@@ -7,7 +7,8 @@ Convenient reboot for Linux systems with encrypted root partition.
 > Just type `cryptreboot` instead of `reboot`.
 
 It asks for a passphrase and reboots the system afterward, automatically
-unlocking the drive on startup using in-memory initramfs patching and kexec.
+unlocking the drive on startup using
+[in-memory initramfs patching and kexec](https://blog.pawelpokrywka.com/p/rebooting-linux-with-encrypted-disk).
 Without explicit consent, no secrets are stored on disk, even temporarily.
 
 Useful when unlocking the drive at startup is difficult, such as on headless
@@ -36,12 +37,19 @@ Following distributions were tested by the author on the AMD64 machine:
 - Ubuntu 22.04 LTS
 - Ubuntu 20.04 LTS needs tiny adjustments to system settings,
   specifically [changing compression](#lz4-initramfs-compression) and
-  [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
+  [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
+  [sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
 - ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
 
 If you have successfully run cryptreboot on another distribution,
 please contact me and I will update the list.
 
+## Disk encryption method
+
+Currently, only LUKS-based disk-encryption is supported.
+If you use ZFS native encryption, cryptreboot will [downgrade](https://github.com/phantom-node/cryptreboot/issues/2)
+to standard reboot (using kexec).
+
 ## Requirements
 
 You need to ensure those are installed:
@@ -65,14 +73,6 @@ If you use Debian-based distribution, use this command to install required packa
 When asked if kexec should handle reboots, answer `yes` (however the answer probably
 doesn't matter for cryptreboot to work).
 
-## Recommendations
-
-To protects against saving sensitive data (passphrase, encryption keys) to swap space on a disk, it is recommended to use `memory_locker` ([Rubygems](https://rubygems.org/gems/memory_locker), [Github](https://github.com/phantom-node/memory_locker)).
-
-    $ sudo gem install memory_locker
-
-If you don't want to install it, you will have to specify `--insecure-memory` flag when running cryptreboot.
-
 ## Installation
 
 Make sure the required software is installed, then install the gem system-wide by executing:
@@ -180,12 +180,34 @@ If you get:
 
 it means there was an error while locking memory to prevent a risk of sensitive data ending in a swap space.
 
-The best solution is to install `memory_locker` (see [requirements](#requirements) section).
-If it still doesn't help, make sure you have permission to lock memory. Root users do.
-If the problem persists, then please report a bug describing your setup.
+Make sure you have permission to lock memory. Root users have.
+If permissions are ok, then please report a bug describing your setup.
 
 The solution of last resort is to use `--insecure-memory` flag, which disables memory locking completely.
 
+### Unable to kexec on reboot using old systemd
+
+Ubuntu 20.04 ships with `systemd` which may fall back to standard reboot instead of using `kexec`, because this utility
+is located on a filesystem being unmounted during the shutdown sequence.
+
+As a result, using cryptreboot would feel like using normal reboot.
+
+To tell if your system is affected, you have to check messages printed to the console after you run cryptreboot.
+This message happens just before reboot, so you will have just a few milliseconds to notice it on screen:
+
+> shutdown[1]: (sd-kexec) failed with exit status 1
+
+[There is a fix](https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969365) waiting to be included in
+a stable release update to `systemd` since 2023-07-21.
+
+In the meantime, as a workaround, you can use `kexec` directly. **Warning: it will skip the standard shutdown procedure. Filesystems won't be unmounted, services won't be stopped, etc. It is like hitting `reset` button**.
+However, when you use a decent filesystem with journalling the risk of things going bad should not be high.
+
+Given the above warning, to reboot skipping the shutdown procedure, run:
+
+    $ sudo cryptreboot -p
+    $ sudo kexec -e # will skip proper shutdown sequence
+
 ## Development
 
 After checking out the repo, run `bundle install` to install

data/lib/basic_loader.rb

@@ -31,6 +31,7 @@ require 'crypt_reboot/crypt_tab/entry_serializer'
 require 'crypt_reboot/crypt_tab/keyfile_locator'
 require 'crypt_reboot/crypt_tab/luks_to_plain_converter'
 require 'crypt_reboot/crypt_tab/serializer'
+require 'crypt_reboot/crypt_tab/zfs_keystore_entries_generator'
 require 'crypt_reboot/initramfs/archiver'
 require 'crypt_reboot/initramfs/decompressor'
 require 'crypt_reboot/initramfs/extractor'

data/lib/crypt_reboot/crypt_tab/deserializer.rb

@@ -4,7 +4,7 @@ module CryptReboot
   module CryptTab
     # Load crypttab file and return array with deserialized entries
     class Deserializer
-      def call(filename = nil, content: File.read(filename))
+      def call(filename = nil, content: read_tolerate_missing(filename))
         split_to_important_lines(content).map do |line|
           entry_deserializer.call line
         end
@@ -12,6 +12,12 @@ module CryptReboot
 
       private
 
+      def read_tolerate_missing(filename)
+        File.read(filename)
+      rescue Errno::ENOENT
+        ''
+      end
+
       def split_to_important_lines(content)
         content.split(/\n+|\r+/)
                .reject(&:empty?)

data/lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Get a list of keystore zvols from a running system and return entries array
+    class ZfsKeystoreEntriesGenerator
+      def call
+        glob = File.join(zvol_dir, '**/*')
+        Dir.glob(glob)
+           .select { |path| path =~ %r{/keystore$} && exist?(path) }
+           .map { |path| generate_entry(path) }
+      end
+
+      private
+
+      def exist?(path)
+        File.exist? File.realpath(path)
+      end
+
+      def generate_entry(path)
+        pool = File.basename File.dirname(path)
+        target = "keystore-#{pool}"
+        entry_class.new target: target, source: path, key_file: 'none', options: {}, flags: %i[luks discard]
+      end
+
+      attr_reader :zvol_dir, :entry_class
+
+      def initialize(zvol_dir: '/dev/zvol', entry_class: Entry)
+        @zvol_dir = zvol_dir
+        @entry_class = entry_class
+      end
+    end
+  end
+end

data/lib/crypt_reboot/elastic_memory_locker.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'memory_locker' unless defined? MemoryLocker # MemoryLocker is mocked in tests
+
 module CryptReboot
   # Try to lock memory if configuration allows it
   class ElasticMemoryLocker
@@ -8,10 +10,9 @@ module CryptReboot
     def call
       return if skip_locking?
 
-      loader.call
       locker.call
       nil
-    rescue load_error, locking_error => e
+    rescue locking_error => e
       raise LockingError, 'Failed to lock memory', cause: e
     end
 
@@ -21,22 +22,14 @@ module CryptReboot
       insecure_memory_checker.call
     end
 
-    def locking_error
-      lazy_locking_error.call
-    end
-
-    attr_reader :insecure_memory_checker, :loader, :load_error, :locker, :lazy_locking_error
+    attr_reader :insecure_memory_checker, :locker, :locking_error
 
     def initialize(insecure_memory_checker: LazyConfig.insecure_memory,
-                   loader: -> { require 'memory_locker' },
-                   load_error: LoadError,
-                   locker: -> { MemoryLocker.call },
-                   lazy_locking_error: -> { MemoryLocker::Error })
+                   locker: MemoryLocker,
+                   locking_error: MemoryLocker::Error)
       @insecure_memory_checker = insecure_memory_checker
-      @loader = loader
-      @load_error = load_error
       @locker = locker
-      @lazy_locking_error = lazy_locking_error
+      @locking_error = locking_error
     end
   end
 end

data/lib/crypt_reboot/files_generator.rb

@@ -3,7 +3,7 @@
 module CryptReboot
   # Generate a hash with file names as keys and file contents as values
   class FilesGenerator
-    def call(entries, base_dir)
+    def call(entries, base_dir:, crypttab_path:)
       files = {}
       modified_entries = entries.map do |entry|
         next entry unless luks?(entry, base_dir)
@@ -13,14 +13,11 @@ module CryptReboot
         files[keyfile] = data.key
         entry_converter.call(entry, data, keyfile)
       end
-      files.merge(CRYPTAB_PATH => serializer.call(modified_entries))
+      files.merge(crypttab_path => serializer.call(modified_entries))
     end
 
     private
 
-    CRYPTAB_PATH = '/cryptroot/crypttab'
-    private_constant :CRYPTAB_PATH
-
     def luks?(entry, base_dir)
       headevice = entry.headevice(header_prefix: base_dir)
       luks_checker.call(headevice)

data/lib/crypt_reboot/initramfs/extractor.rb

@@ -10,7 +10,7 @@ module CryptReboot
         tmp_maker.call do |dir|
           logger.call message
           decompressor.call(filename, dir)
-          yield dir
+          yield File.join(dir, subdir)
         end
       end
 
@@ -20,16 +20,18 @@ module CryptReboot
         decompressor_factory.call
       end
 
-      attr_reader :tmp_maker, :decompressor_factory, :message, :logger
+      attr_reader :tmp_maker, :decompressor_factory, :message, :logger, :subdir
 
       def initialize(tmp_maker: Dir.method(:mktmpdir),
                      decompressor_factory: Decompressor.new,
                      message: 'Extracting initramfs... To speed things up, future versions will employ cache.',
-                     logger: ->(msg) { warn msg })
+                     logger: ->(msg) { warn msg },
+                     subdir: 'main')
         @tmp_maker = tmp_maker
         @decompressor_factory = decompressor_factory
         @message = message
         @logger = logger
+        @subdir = subdir
       end
     end
   end

data/lib/crypt_reboot/initramfs_patch_squeezer.rb

@@ -5,24 +5,51 @@ module CryptReboot
   class InitramfsPatchSqueezer
     def call(initramfs_path)
       extractor.call(initramfs_path) do |tmp_dir|
-        crypttab_path = File.join(tmp_dir, crypttab_relative_path)
-        crypttab_entries = deserializer.call(crypttab_path)
-        files_generator.call(crypttab_entries, tmp_dir)
+        main_files(tmp_dir).merge zfs_files(tmp_dir)
       end
     end
 
     private
 
-    attr_reader :crypttab_relative_path, :extractor, :deserializer, :files_generator
+    def main_files(tmp_dir)
+      full_crypttab_path = File.join(tmp_dir, crypttab_path)
+      crypttab_entries = crypttab_deserializer.call(full_crypttab_path)
+      files_generator.call(crypttab_entries, base_dir: tmp_dir, crypttab_path: crypttab_path)
+    end
+
+    def zfs_files(tmp_dir)
+      crypttab_entries = zfs_keystore_entries_generator.call
+      return {} if crypttab_entries.empty?
+      files = files_generator.call(crypttab_entries, base_dir: tmp_dir, crypttab_path: zfs_crypttab_path)
+      script_path = File.join(tmp_dir, zfs_script_path)
+      script = File.read(script_path)
+      files.merge(zfs_script_path => patch_zfs_script(script))
+    end
+
+    def patch_zfs_script(script)
+      patch = "cp #{zfs_crypttab_path} #{crypttab_path}; ${CRYPTROOT}"
+      script.sub(/^\s*\${CRYPTROOT}\s*$/, patch)
+    end
+
+    attr_reader :crypttab_path, :zfs_crypttab_path, :zfs_script_path, :extractor,
+                :crypttab_deserializer, :zfs_keystore_entries_generator, :files_generator
 
-    def initialize(crypttab_relative_path = 'main/cryptroot/crypttab',
+    # rubocop:disable Metrics/ParameterLists
+    def initialize(crypttab_path = '/cryptroot/crypttab',
+                   zfs_crypttab_path = '/cryptreboot/zfs_crypttab',
+                   zfs_script_path = '/scripts/zfs',
                    extractor: Initramfs::Extractor.new,
-                   deserializer: CryptTab::Deserializer.new,
+                   crypttab_deserializer: CryptTab::Deserializer.new,
+                   zfs_keystore_entries_generator: CryptTab::ZfsKeystoreEntriesGenerator.new,
                    files_generator: FilesGenerator.new)
-      @crypttab_relative_path = crypttab_relative_path
+      @crypttab_path = crypttab_path
+      @zfs_crypttab_path = zfs_crypttab_path
+      @zfs_script_path = zfs_script_path
       @extractor = extractor
-      @deserializer = deserializer
+      @crypttab_deserializer = crypttab_deserializer
+      @zfs_keystore_entries_generator = zfs_keystore_entries_generator
       @files_generator = files_generator
     end
+    # rubocop:enable Metrics/ParameterLists
   end
 end

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.2.0'
+  VERSION = '0.3.0.beta.1'
 end

data/lib/crypt_reboot.rb

@@ -7,7 +7,6 @@ rescue LoadError => e
 
   require 'zeitwerk'
   loader = Zeitwerk::Loader.for_gem
-  loader.ignore("#{__dir__}/memory_locker.rb") # stub has to be loaded manually
   loader.setup
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0.beta.1
 platform: ruby
 authors:
 - Paweł Pokrywka
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-29 00:00:00.000000000 Z
+date: 2024-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: memory_locker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.3
 description: 
 email:
 - pepawel@users.noreply.github.com
@@ -71,6 +85,7 @@ files:
 - lib/crypt_reboot/crypt_tab/keyfile_locator.rb
 - lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb
 - lib/crypt_reboot/crypt_tab/serializer.rb
+- lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb
 - lib/crypt_reboot/elastic_memory_locker.rb
 - lib/crypt_reboot/files_generator.rb
 - lib/crypt_reboot/files_writer.rb
@@ -132,7 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.4
 signing_key: 
 specification_version: 4
 summary: Linux utility for automatic and secure unlocking of encrypted disks on reboot