crypt_reboot 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ec1b79f3b99fddc49e170693df471d0eebc44af064787cb29b2694985a91418
-  data.tar.gz: e3fa5ac025fc7ea7544a6e4c6d9db1f5894a0da44b6c39d07689a7594c0fc714
+  metadata.gz: c87fe69139eb41dd5bf41ec7e790cef1934e4c0c1d9bac7d46990d0a190a4f7f
+  data.tar.gz: d9aa729f6fabb43042a260b53a622a1ad33d1d011301719b7e2f1d141f46dcba
 SHA512:
-  metadata.gz: 8aebba8307469fc4cba898f0c3427b4c6242e7f90dea985b33a72e89e13ee7e0854b232870b1afaea518c92eee03dca8c32d4c1f956a6da2e6cd55adae67f07e
-  data.tar.gz: 56d86831971b547b4d1856b426dafac2a77bffa23fd8ced861908902ce969186be52710e92dd50ec01242c77133d77439a088a651626dd9e8ce2977ce136483a
+  metadata.gz: 24ebddd15821359a61c6eaab3915b0a6bc70b5d3acae7cfd1dee2a0dcaafe749d52abf22d5e8ead46b10b43bcfeaba7ef78bfed325ef360f740b0c40c6a5e192
+  data.tar.gz: 4b4a0ddb6a508f3e590ac2c8df6e78730c244fd1860a14fd4035953d4b066b448d56312dfa908151a1a5ff85db0b984142ec3ad8d611020458264ac1358f2cad

data/CHANGELOG.md

@@ -1,6 +1,14 @@
+## [0.3.0] - 2024-09-27
+
+- Refactor ZFS keystore encryption support
+
+## [0.3.0.beta.1] - 2024-09-26
+
+- Add preliminary support for LUKS-keystore-based ZFS encryption implemented by Ubuntu
+
 ## [0.2.1] - 2023-11-12
 
-- use new MemoryLocker without a need for FFI compilation step
+- Use new MemoryLocker without a need for FFI compilation step
 
 ## [0.2.0] - 2023-07-29
 

data/README.md

@@ -20,6 +20,14 @@ and `/boot/initrd.img` as initramfs.
 Will work properly when using standard passphrase-based disk unlocking.
 Fancy methods such as using an external USB with a passphrase file will fail.
 
+## Supported disk encryption methods
+
+### LUKS crypttab
+LUKS-based disk-encryption configured with `/etc/crypttab` file.
+
+### ZFS keystore
+Native ZFS encryption with LUKS-encrypted keystore volume.
+
 ## Compatible Linux distributions
 
 Currently, cryptreboot depends on `initramfs-tools` package which is available in
@@ -30,16 +38,23 @@ On the other hand, do not expect it to work on other distributions now.
 But support for them may come in upcoming versions.
 
 Following distributions were tested by the author on the AMD64 machine:
-- DappNode 0.2.75 is based on Debian 12, see below
-- Debian 12 needs [symlinks for kernel and initramfs](#no-symlinks-to-most-recent-kernel-and-initramfs)
-- Pop!_OS 22.04 LTS
-- Ubuntu 23.04
-- Ubuntu 22.04 LTS
-- Ubuntu 20.04 LTS needs tiny adjustments to system settings,
-  specifically [changing compression](#lz4-initramfs-compression) and
-  [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
-  [sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
-- ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
+
+- LUKS crypttab disk encryption method
+  - DappNode 0.2.75 is based on Debian 12, see below
+  - Debian 12 needs [symlinks for kernel and initramfs](#no-symlinks-to-most-recent-kernel-and-initramfs)
+  - Pop!_OS 22.04 LTS
+  - Ubuntu 24.04 LTS
+  - Ubuntu 23.04
+  - Ubuntu 22.04 LTS
+  - Ubuntu 20.04 LTS needs tiny adjustments to system settings,
+    specifically [changing compression](#lz4-initramfs-compression) and
+    [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
+    [sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
+  - ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
+
+- ZFS keystore disk encryption method
+  - Ubuntu 24.04 LTS
+  - Ubuntu 22.04 LTS
 
 If you have successfully run cryptreboot on another distribution,
 please contact me and I will update the list.

data/lib/basic_loader.rb

@@ -15,11 +15,13 @@ require 'crypt_reboot/gziper'
 require 'crypt_reboot/initramfs_patch_squeezer'
 require 'crypt_reboot/kexec_patching_loader'
 require 'crypt_reboot/lazy_config'
+require 'crypt_reboot/luks_crypt_tab_patcher'
 require 'crypt_reboot/passphrase_asker'
 require 'crypt_reboot/patched_initramfs_generator'
 require 'crypt_reboot/rebooter'
 require 'crypt_reboot/runner'
 require 'crypt_reboot/single_assign_restricted_map'
+require 'crypt_reboot/zfs_keystore_patcher'
 require 'crypt_reboot/cli/exiter'
 require 'crypt_reboot/cli/happy_exiter'
 require 'crypt_reboot/cli/params_parsing_executor'
@@ -31,6 +33,7 @@ require 'crypt_reboot/crypt_tab/entry_serializer'
 require 'crypt_reboot/crypt_tab/keyfile_locator'
 require 'crypt_reboot/crypt_tab/luks_to_plain_converter'
 require 'crypt_reboot/crypt_tab/serializer'
+require 'crypt_reboot/crypt_tab/zfs_keystore_entries_generator'
 require 'crypt_reboot/initramfs/archiver'
 require 'crypt_reboot/initramfs/decompressor'
 require 'crypt_reboot/initramfs/extractor'

data/lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module CryptTab
+    # Get a list of keystore zvols from a running system and return entries array
+    class ZfsKeystoreEntriesGenerator
+      def call
+        glob = File.join(zvol_dir, '**/*')
+        Dir.glob(glob)
+           .select { |path| path =~ %r{/keystore$} && exist?(path) }
+           .map { |path| generate_entry(path) }
+      end
+
+      private
+
+      def exist?(path)
+        File.exist? File.realpath(path)
+      end
+
+      def generate_entry(path)
+        pool = File.basename File.dirname(path)
+        # Target name is the same as produced by /scripts/zfs script within initramfs
+        entry_builder.call target: "keystore-#{pool}", source: path
+      end
+
+      attr_reader :zvol_dir, :entry_builder
+
+      def initialize(zvol_dir: '/dev/zvol',
+                     entry_builder: lambda { |target:, source:|
+                       # Flags and options are the same as produced by /scripts/zfs script within initramfs
+                       Entry.new target: target,
+                                 source: source,
+                                 key_file: 'none',
+                                 options: {},
+                                 flags: %i[luks discard]
+                     })
+        @zvol_dir = zvol_dir
+        @entry_builder = entry_builder
+      end
+    end
+  end
+end

data/lib/crypt_reboot/files_generator.rb

@@ -3,7 +3,7 @@
 module CryptReboot
   # Generate a hash with file names as keys and file contents as values
   class FilesGenerator
-    def call(entries, base_dir)
+    def call(entries, base_dir:, crypttab_path:)
       files = {}
       modified_entries = entries.map do |entry|
         next entry unless luks?(entry, base_dir)
@@ -13,14 +13,11 @@ module CryptReboot
         files[keyfile] = data.key
         entry_converter.call(entry, data, keyfile)
       end
-      files.merge(CRYPTAB_PATH => serializer.call(modified_entries))
+      files.merge(crypttab_path => serializer.call(modified_entries))
     end
 
     private
 
-    CRYPTAB_PATH = '/cryptroot/crypttab'
-    private_constant :CRYPTAB_PATH
-
     def luks?(entry, base_dir)
       headevice = entry.headevice(header_prefix: base_dir)
       luks_checker.call(headevice)

data/lib/crypt_reboot/initramfs/extractor.rb

@@ -10,7 +10,7 @@ module CryptReboot
         tmp_maker.call do |dir|
           logger.call message
           decompressor.call(filename, dir)
-          yield dir
+          yield File.join(dir, subdir)
         end
       end
 
@@ -20,16 +20,18 @@ module CryptReboot
         decompressor_factory.call
       end
 
-      attr_reader :tmp_maker, :decompressor_factory, :message, :logger
+      attr_reader :tmp_maker, :decompressor_factory, :message, :logger, :subdir
 
       def initialize(tmp_maker: Dir.method(:mktmpdir),
                      decompressor_factory: Decompressor.new,
                      message: 'Extracting initramfs... To speed things up, future versions will employ cache.',
-                     logger: ->(msg) { warn msg })
+                     logger: ->(msg) { warn msg },
+                     subdir: 'main')
         @tmp_maker = tmp_maker
         @decompressor_factory = decompressor_factory
         @message = message
         @logger = logger
+        @subdir = subdir
       end
     end
   end

data/lib/crypt_reboot/initramfs_patch_squeezer.rb

@@ -5,24 +5,23 @@ module CryptReboot
   class InitramfsPatchSqueezer
     def call(initramfs_path)
       extractor.call(initramfs_path) do |tmp_dir|
-        crypttab_path = File.join(tmp_dir, crypttab_relative_path)
-        crypttab_entries = deserializer.call(crypttab_path)
-        files_generator.call(crypttab_entries, tmp_dir)
+        patchers.inject({}) do |files, patcher|
+          files.merge patcher.call(tmp_dir)
+        end
       end
     end
 
     private
 
-    attr_reader :crypttab_relative_path, :extractor, :deserializer, :files_generator
+    attr_reader :extractor, :patchers
 
-    def initialize(crypttab_relative_path = 'main/cryptroot/crypttab',
-                   extractor: Initramfs::Extractor.new,
-                   deserializer: CryptTab::Deserializer.new,
-                   files_generator: FilesGenerator.new)
-      @crypttab_relative_path = crypttab_relative_path
+    def initialize(extractor: Initramfs::Extractor.new,
+                   patchers: [
+                     LuksCryptTabPatcher.new,
+                     ZfsKeystorePatcher.new
+                   ])
       @extractor = extractor
-      @deserializer = deserializer
-      @files_generator = files_generator
+      @patchers = patchers
     end
   end
 end

data/lib/crypt_reboot/luks_crypt_tab_patcher.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Generate patch (files hash) from files in a directory containing uncompressed initramfs
+  class LuksCryptTabPatcher
+    def call(dir)
+      full_crypttab_path = File.join(dir, crypttab_path)
+      return {} unless File.exist?(full_crypttab_path)
+
+      crypttab_entries = crypttab_deserializer.call(full_crypttab_path)
+      files_generator.call(crypttab_entries, base_dir: dir, crypttab_path: crypttab_path)
+    end
+
+    private
+
+    attr_reader :crypttab_path, :crypttab_deserializer, :files_generator
+
+    def initialize(crypttab_path: '/cryptroot/crypttab',
+                   crypttab_deserializer: CryptTab::Deserializer.new,
+                   files_generator: FilesGenerator.new)
+      @crypttab_path = crypttab_path
+      @crypttab_deserializer = crypttab_deserializer
+      @files_generator = files_generator
+    end
+  end
+end

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.2.1'
+  VERSION = '0.3.0'
 end

data/lib/crypt_reboot/zfs_keystore_patcher.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Generate patch (files hash) from files in a directory containing uncompressed initramfs
+  class ZfsKeystorePatcher
+    def call(dir)
+      crypttab_entries = entries_generator.call
+      return {} if crypttab_entries.empty?
+
+      files_generator
+        .call(crypttab_entries, base_dir: dir, crypttab_path: tmp_crypttab_path)
+        .merge(script_patch_files(dir))
+    end
+
+    private
+
+    def script_patch_files(dir)
+      path = File.join(dir, script_path)
+      content = File.read(path)
+      { script_path => patch_script(content) }
+    rescue Errno::ENOENT
+      {}
+    end
+
+    def patch_script(script)
+      comment = '# Following line has been added by cryptreboot'
+      patch = "cp #{tmp_crypttab_path} #{crypttab_path}"
+      script.sub(/^(\s*)(\${CRYPTROOT})\s*$/, "\n\\1#{comment}\n\\1#{patch}\n\n\\1\\2")
+    end
+
+    attr_reader :crypttab_path, :tmp_crypttab_path, :script_path,
+                :entries_generator, :files_generator
+
+    def initialize(crypttab_path: '/cryptroot/crypttab',
+                   tmp_crypttab_path: '/cryptreboot/zfs_crypttab',
+                   script_path: '/scripts/zfs',
+                   entries_generator: CryptTab::ZfsKeystoreEntriesGenerator.new,
+                   files_generator: FilesGenerator.new)
+      @crypttab_path = crypttab_path
+      @tmp_crypttab_path = tmp_crypttab_path
+      @script_path = script_path
+      @entries_generator = entries_generator
+      @files_generator = files_generator
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Paweł Pokrywka
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-11-12 00:00:00.000000000 Z
+date: 2024-09-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -52,7 +52,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.0.3
-description:
+description: 
 email:
 - pepawel@users.noreply.github.com
 executables:
@@ -85,6 +85,7 @@ files:
 - lib/crypt_reboot/crypt_tab/keyfile_locator.rb
 - lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb
 - lib/crypt_reboot/crypt_tab/serializer.rb
+- lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb
 - lib/crypt_reboot/elastic_memory_locker.rb
 - lib/crypt_reboot/files_generator.rb
 - lib/crypt_reboot/files_writer.rb
@@ -108,6 +109,7 @@ files:
 - lib/crypt_reboot/luks/dumper/luks_v2_parser.rb
 - lib/crypt_reboot/luks/key_fetcher.rb
 - lib/crypt_reboot/luks/version_detector.rb
+- lib/crypt_reboot/luks_crypt_tab_patcher.rb
 - lib/crypt_reboot/passphrase_asker.rb
 - lib/crypt_reboot/patched_initramfs_generator.rb
 - lib/crypt_reboot/rebooter.rb
@@ -123,6 +125,7 @@ files:
 - lib/crypt_reboot/safe_temp/mounter.rb
 - lib/crypt_reboot/single_assign_restricted_map.rb
 - lib/crypt_reboot/version.rb
+- lib/crypt_reboot/zfs_keystore_patcher.rb
 homepage: https://phantomno.de/cryptreboot
 licenses:
 - MIT
@@ -131,7 +134,7 @@ metadata:
   source_code_uri: https://github.com/phantom-node/cryptreboot
   changelog_uri: https://github.com/phantom-node/cryptreboot/blob/master/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -146,8 +149,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
-signing_key:
+rubygems_version: 3.5.4
+signing_key: 
 specification_version: 4
 summary: Linux utility for automatic and secure unlocking of encrypted disks on reboot
 test_files: []