crypt_reboot 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 449c9b12be881f213dffc9090686e7d73bb3f2523806c5edf41dc2e4d7d17c4b
+  data.tar.gz: ba391871d8d5f438ba2474a8a21d8738be020636ac8c4bfcd0fd8100d7e07aec
+SHA512:
+  metadata.gz: 466befee2a5027cae8be7cb036c87e8c779e64fb4725775111b112e53ff5bf2691bc543ac86e7c229e8e75642c0c3eb0168fed1bca14a2b0598b94bf3c5245c0
+  data.tar.gz: 68bef507bea7444722f3281b94d8ea5af0bda0d031871f82fc9ff0398614e7b83564f2b541a42d745d2eefecde9f0a409817dcd29332b01797cd13b434bd7db0

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## [0.1.0] - 2023-07-09
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Paweł Pokrywka
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,169 @@
+# Cryptreboot
+
+Convenient reboot for Linux systems with encrypted root partition.
+
+> Just type `cryptreboot` instead of `reboot`.
+
+It asks for a passphrase and reboots the system afterward, automatically
+unlocking the drive on startup using in-memory initramfs patching and kexec.
+Without explicit consent, no secrets are stored on disk, even temporarily.
+
+Useful when unlocking the drive at startup is difficult, such as on headless
+and remote systems.
+
+By default, it uses the current kernel command line, `/boot/vmlinuz` as kernel
+and `/boot/initrd.img` as initramfs.
+
+Will work properly when using standard passphrase-based disk unlocking.
+Fancy methods such as using an external USB with a passphrase file will fail.
+
+## Compatible Linux distributions
+
+Currently, cryptreboot depends on `initramfs-tools` package which is available in
+Debian-based distributions. Therefore one should expect, this tool to work on
+Debian, Ubuntu, Linux Mint, Pop!_OS, etc.
+
+On the other hand, do not expect it to work on other distributions now.
+But support for them may come in upcoming versions.
+
+Following distributions were tested by the author:
+- Ubuntu 22.04 LTS
+- Ubuntu 20.04 LTS needs tiny adjustments to system settings,
+  specifically [changing compression](#lz4-initramfs-compression) and
+  [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
+- ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
+- Pop!_OS 22.04 LTS
+
+If you have successfully run cryptreboot on another distribution,
+please contact me and I will update the list.
+
+## Requirements
+
+You need to ensure those are installed:
+- `ruby` >= 2.7
+- `kexec-tools`
+- `initramfs-tools` (other initramfs generators, such as `dracut` are
+  not supported yet)
+
+If you use recent, mainstream Linux distribution, other requirements are
+probably already met:
+- `kexec` support in the kernel
+- `tmpfs` filesystem support in kernel
+- `cryptsetup` (if you use disk encryption, it should be installed)
+- `systemd` or another way to guarantee staged kernel is executed on reboot
+- `strace` (not required if `--skip-lz4-check` flag is specified)
+
+## Installation
+
+Make sure the required software is installed, then install the gem by executing:
+
+    $ gem install crypt_reboot
+
+## Usage
+
+Cryptreboot performs operations normally only available to the root user,
+so it is suggested to use sudo or a similar utility.
+
+To perform a reboot type:
+
+    $ sudo cryptreboot
+
+To see the usage, run:
+
+    $ cryptreboot --help
+
+## Resolutions for common issues
+
+### LZ4 initramfs compression
+
+If you get:
+
+> LZ4 compression is not allowed, change the compression algorithm in
+initramfs.conf and regenerate the initramfs image
+
+it means initramfs was compressed using the LZ4 algorithm, which seems to
+have issues with concatenating initramfs images.
+
+In case you are 100% sure LZ4 won't cause problems, you can use
+`--skip-lz4-check` command line flag. This will make the error message
+go away, but you risk automatic disk unlocking at startup to fail randomly.
+
+Instead, the recommended approach is to change the compression algorithm
+in `/etc/initramfs-tools/initramfs.conf` file. Look for `COMPRESS` and
+set it to some other value such as `gzip` (the safe choice), or `zstd`
+(the best compression, but your kernel and `initramfs-tools` need to support it).
+
+Here is a one-liner to change compression to `gzip`:
+
+    $ sudo sed -iE 's/^\s*COMPRESS=.*$/COMPRESS=gzip/' /etc/initramfs-tools/initramfs.conf
+
+Then you need to regenerate all of your initramfs images:
+
+    $ sudo update-initramfs -k all -u
+
+That's it.
+
+Resources related to the issue:
+- [Appending files to initramfs image - reliable? (StackExchange)](https://unix.stackexchange.com/a/737219)
+- [What is the correct frame format for Linux (Lz4 issue)](https://github.com/lz4/lz4/issues/956)
+- [Initramfs unpacking failed (Ubuntu bug report)](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1835660)
+
+### Staged kernel not being executed by systemd
+
+If rebooting with cryptreboot doesn't seem to differ from a standard
+reboot, it may suggest staged kernel is not being executed by the
+`systemd` at the end of the shutdown procedure.
+
+The solution I found is to execute `kexec -e` instead of
+`systemctl --force kexec` when the system is ready for a reboot.
+To do that `systemd-kexec.service` has to be modified.
+To make the change minimal, let's use `systemd drop-in` for that:
+
+    $ sudo mkdir -p /etc/systemd/system/systemd-kexec.service.d/
+    $ echo -e "[Service]\nExecStart=\nExecStart=kexec -e" | sudo tee /etc/systemd/system/systemd-kexec.service.d/override.conf
+
+That should work.
+
+To cancel the change, remove the file:
+
+    $ sudo rm /etc/systemd/system/systemd-kexec.service.d/override.conf
+
+## Development
+
+After checking out the repo, run `bundle install` to install
+dependencies. Then, run `rake spec` to run the tests. You can also
+run `bin/console` for an interactive prompt that will allow you
+to experiment.
+
+To build the gem, run `rake build`. To release a new version, update
+the version number in `version.rb`, and then run `rake release`, which
+will create a git tag for the version, push git commits and the created
+tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/phantom-node/cryptreboot.
+This project is intended to be a safe, welcoming space for collaboration,
+and contributors are expected to adhere to the
+[code of conduct](https://github.com/phantom-node/cryptreboot/blob/master/CODE_OF_CONDUCT.md).
+
+## Author
+
+My name is Paweł Pokrywka and I'm the author of cryptreboot.
+
+If you want to contact me or get to know me better, check out
+[my blog](https://blog.pawelpokrywka.com).
+
+Thank you for your interest in this project :)
+
+## License
+
+The software is available as open source under the terms of the
+[MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Cryptreboot project's codebases, issue
+trackers, chat rooms, and mailing lists is expected to follow the
+[code of conduct](https://github.com/phantom-node/cryptreboot/blob/master/CODE_OF_CONDUCT.md).

data/exe/cryptreboot

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'crypt_reboot'
+
+executor = CryptReboot::Cli::ParamsParsingExecutor.new
+result = executor.call(ARGV)
+exit result.call

data/lib/basic_loader.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+# File generated automatically, do not edit
+
+require 'crypt_reboot/version'
+require 'crypt_reboot/boot_config'
+require 'crypt_reboot/cli'
+require 'crypt_reboot/concatenator'
+require 'crypt_reboot/instantiable_config'
+require 'crypt_reboot/config'
+require 'crypt_reboot/files_generator'
+require 'crypt_reboot/files_writer'
+require 'crypt_reboot/gziper'
+require 'crypt_reboot/initramfs_patch_squeezer'
+require 'crypt_reboot/kexec_patching_loader'
+require 'crypt_reboot/lazy_config'
+require 'crypt_reboot/passphrase_asker'
+require 'crypt_reboot/patched_initramfs_generator'
+require 'crypt_reboot/rebooter'
+require 'crypt_reboot/runner'
+require 'crypt_reboot/single_assign_restricted_map'
+require 'crypt_reboot/cli/exiter'
+require 'crypt_reboot/cli/happy_exiter'
+require 'crypt_reboot/cli/params_parsing_executor'
+require 'crypt_reboot/cli/sad_exiter'
+require 'crypt_reboot/crypt_tab/deserializer'
+require 'crypt_reboot/crypt_tab/entry'
+require 'crypt_reboot/crypt_tab/entry_deserializer'
+require 'crypt_reboot/crypt_tab/entry_serializer'
+require 'crypt_reboot/crypt_tab/keyfile_locator'
+require 'crypt_reboot/crypt_tab/luks_to_plain_converter'
+require 'crypt_reboot/crypt_tab/serializer'
+require 'crypt_reboot/initramfs/archiver'
+require 'crypt_reboot/initramfs/decompressor'
+require 'crypt_reboot/initramfs/extractor'
+require 'crypt_reboot/initramfs/patcher'
+require 'crypt_reboot/kexec/loader'
+require 'crypt_reboot/luks/checker'
+require 'crypt_reboot/luks/data'
+require 'crypt_reboot/luks/data_fetcher'
+require 'crypt_reboot/luks/dumper'
+require 'crypt_reboot/luks/key_fetcher'
+require 'crypt_reboot/luks/version_detector'
+require 'crypt_reboot/runner/generic'
+require 'crypt_reboot/runner/binary'
+require 'crypt_reboot/runner/boolean'
+require 'crypt_reboot/runner/lines'
+require 'crypt_reboot/runner/no_result'
+require 'crypt_reboot/runner/text'
+require 'crypt_reboot/safe_temp/directory'
+require 'crypt_reboot/safe_temp/file_name'
+require 'crypt_reboot/safe_temp/mounter'
+require 'crypt_reboot/cli/params/definition'
+require 'crypt_reboot/cli/params/flattener'
+require 'crypt_reboot/cli/params/help_generator'
+require 'crypt_reboot/cli/params/parser'
+require 'crypt_reboot/initramfs/decompressor/intolerant_decompressor'
+require 'crypt_reboot/initramfs/decompressor/tolerant_decompressor'
+require 'crypt_reboot/luks/dumper/luks_v1_parser'
+require 'crypt_reboot/luks/dumper/luks_v2_parser'

data/lib/crypt_reboot/boot_config.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Data required for booting
+  class BootConfig
+    attr_reader :kernel, :initramfs, :cmdline
+
+    def ==(other)
+      kernel == other.kernel && initramfs == other.initramfs && cmdline == other.cmdline
+    end
+
+    def with_initramfs(new_initramfs)
+      self.class.new(kernel: kernel, initramfs: new_initramfs, cmdline: cmdline)
+    end
+
+    private
+
+    def initialize(kernel:, initramfs: nil, cmdline: nil)
+      @kernel = kernel
+      @initramfs = initramfs
+      @cmdline = cmdline
+    end
+  end
+end

data/lib/crypt_reboot/cli/exiter.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    # Print a message and return exit status
+    class Exiter
+      attr_reader :text
+
+      def call
+        stream.puts text.strip if text
+        status
+      end
+
+      private
+
+      attr_reader :status, :stream
+
+      def initialize(text, status:, stream:)
+        @text = text
+        @status = status
+        @stream = stream
+      end
+    end
+  end
+end

data/lib/crypt_reboot/cli/happy_exiter.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    # Exit with a success message
+    class HappyExiter < Exiter
+      private
+
+      def initialize(text)
+        super(text, status: 0, stream: $stdout)
+      end
+    end
+  end
+end

data/lib/crypt_reboot/cli/params/definition.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require 'tty-option'
+
+module CryptReboot
+  module Cli
+    module Params
+      # Definition of options, flags, help and other CLI related things
+      class Definition
+        include TTY::Option
+
+        # rubocop:disable Metrics/BlockLength
+        usage do
+          header 'Reboot for Linux systems with encrypted root partition.'
+
+          program PROGRAM_NAME
+          no_command
+
+          desc 'It asks for a password and reboots the system afterward, automatically unlocking ' \
+               'the drive on startup using in-memory initramfs patching and kexec. ' \
+               'Without explicit consent, no secrets are stored on disk, even temporarily.',
+               '',
+               'Useful when unlocking the drive at startup is difficult, such as on headless and remote systems.',
+               '',
+               "By default, it uses the current kernel command line, \"#{Config.kernel}\" as " \
+               "kernel and \"#{Config.initramfs}\" as initramfs.",
+               '',
+               'It performs operations normally only available to the root user, so it is suggested to use ' \
+               'sudo or a similar utility.'
+
+          example 'Normal usage:',
+                  "$ sudo #{PROGRAM_NAME}"
+          example 'Reboot into custom kernel:',
+                  "$ sudo #{PROGRAM_NAME} --kernel /boot/vmlinuz.old --initramfs /boot/initrd.old"
+          example 'Specify custom kernel options:',
+                  "$ sudo #{PROGRAM_NAME} --cmdline \"root=UUID=d0...a2 ro nomodeset acpi=off\""
+          example 'Prepare to reboot and perform it manually later:',
+                  "$ sudo #{PROGRAM_NAME} --prepare-only",
+                  '$ sleep 3600 # do anything else in-between',
+                  '$ sudo reboot --no-wall --no-wtmp'
+
+          footer 'To report a bug, get support or contribute, please visit the project page:',
+                 'https://phantomno.de/cryptreboot',
+                 '',
+                 "Thank you for using #{PROGRAM_NAME}. Happy rebooting!"
+        end
+        # rubocop:enable Metrics/BlockLength
+
+        option :kernel do
+          long '--kernel path'
+          desc 'Path to the kernel you want to reboot into'
+          default Config.kernel
+        end
+
+        option :initramfs do
+          long '--initramfs path'
+          desc 'Path to the initramfs to be used by loaded kernel'
+          default Config.initramfs
+        end
+
+        option :cmdline do
+          long '--cmdline string'
+          desc 'Command line for loaded kernel; current command line is used if not provided'
+        end
+
+        option :paths do
+          arity :any
+          long '--tool name:path'
+          desc 'Path to given external tool specified by "name". By default, tools are searched in the PATH. ' \
+               'If you want to specify paths for more than 1 tool, use this option multiple times. Tool names: ' \
+               'cat, cpio, cryptsetup, grep, kexec, mount, reboot, strace, umount, unmkinitramfs'
+          convert :map
+        end
+
+        # Flags
+
+        flag :prepare_only do
+          short '-p'
+          long '--prepare-only'
+          desc 'Load kernel and initramfs, but do not reboot'
+        end
+
+        flag :skip_lz4_check do
+          long '--skip-lz4-check'
+          desc 'Do not check if initramfs is compressed with LZ4 algorithm. ' \
+               'If you use different compression and specify this flag, it will make ' \
+               'initramfs extraction much faster. But if your initramfs uses ' \
+               'LZ4 you risk you will need to manually unlock your disk on startup. ' \
+               'See the README file to learn how to change the compression ' \
+               'algorithm to a more robust one.'
+        end
+
+        flag :debug do
+          short '-d'
+          long '--debug'
+          desc 'Print debug messages'
+        end
+
+        option :patch_save_path do
+          long '--save-patch path'
+          desc 'Save initramfs patch to file for debug purposes. ' \
+               'WARNING: it contains encryption keys, you are responsible for ' \
+               'their safe disposal, which may be difficult after the file comes ' \
+               'into contact with the disk. Deleting the file alone may not be enough.'
+        end
+
+        flag :version do
+          short '-v'
+          long '--version'
+          desc 'Print version and exit'
+        end
+
+        flag :help do
+          short '-h'
+          long '--help'
+          desc 'Print this usage and exit'
+        end
+      end
+
+      # This class contains code from external source,
+      # do not expose it anywhere outside of the module
+      private_constant :Definition
+    end
+  end
+end

data/lib/crypt_reboot/cli/params/flattener.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    module Params
+      # Replace given key in params with new keys obtained from its contents with suffixes added
+      class Flattener
+        def call(params)
+          paths = params.fetch(key, {}).transform_keys { |k| :"#{k}#{suffix}" }
+          params.reject { |k, _| k == key }.merge(paths)
+        end
+
+        private
+
+        attr_reader :key, :suffix
+
+        def initialize(key:, suffix:)
+          @key = key.to_sym
+          @suffix = suffix
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/cli/params/help_generator.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    module Params
+      # Returns usage
+      class HelpGenerator
+        def call
+          definition.help(order: ->(params) { params })
+        end
+
+        private
+
+        attr_reader :definition
+
+        def initialize(definition: Definition.new)
+          @definition = definition
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/cli/params/parser.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    module Params
+      # Parse given ARGV and return params hash or raise exception with error summary
+      class Parser
+        ParseError = Class.new StandardError
+
+        def call(raw_params)
+          params = definition.parse(raw_params).params
+          raise ParseError, params.errors.summary unless params.valid?
+
+          flattener.call params.to_h
+        end
+
+        private
+
+        attr_reader :definition, :flattener
+
+        def initialize(definition: Definition.new,
+                       flattener: Flattener.new(key: 'paths', suffix: '_path'))
+          @definition = definition
+          @flattener = flattener
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/cli/params_parsing_executor.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    # Interprets parameters, executes everything and returns callable object
+    class ParamsParsingExecutor
+      def call(raw_params)
+        params = parser.call(raw_params)
+        handle_action_params!(params) or configure_and_exec(params)
+      rescue StandardError => e
+        raise if debug?
+
+        sad_exiter_class.new(error_message(e))
+      end
+
+      private
+
+      def debug?
+        debug_checker.call
+      end
+
+      def configure_and_exec(params)
+        config_updater.call(**params)
+        loader.call
+        rebooter
+      end
+
+      def handle_action_params!(params)
+        return happy_exiter_class.new(help_generator.call) if params[:help]
+        return happy_exiter_class.new(version_string) if params[:version]
+
+        params.reject! { |param_name, _| %i[help version].include? param_name }
+
+        false
+      end
+
+      def exception_name(exception)
+        name = exception.class.name.split('::').last
+        name.gsub(/([a-z\d])([A-Z])/, '\1 \2').capitalize
+      end
+
+      def error_message(exception)
+        "#{exception_name(exception)}: #{exception.message}"
+      end
+
+      attr_reader :parser, :config_updater, :loader, :help_generator,
+                  :version_string, :debug_checker, :rebooter,
+                  :happy_exiter_class, :sad_exiter_class
+
+      # rubocop:disable Metrics/ParameterLists
+      def initialize(parser: Params::Parser.new,
+                     config_updater: Config.method(:update!),
+                     loader: KexecPatchingLoader.new,
+                     help_generator: Params::HelpGenerator.new,
+                     version_string: "#{PROGRAM_NAME} #{VERSION}",
+                     debug_checker: LazyConfig.debug,
+                     rebooter: Rebooter.new,
+                     happy_exiter_class: HappyExiter,
+                     sad_exiter_class: SadExiter)
+        @parser = parser
+        @config_updater = config_updater
+        @loader = loader
+        @help_generator = help_generator
+        @version_string = version_string
+        @debug_checker = debug_checker
+        @rebooter = rebooter
+        @happy_exiter_class = happy_exiter_class
+        @sad_exiter_class = sad_exiter_class
+      end
+      # rubocop:enable Metrics/ParameterLists
+    end
+  end
+end

data/lib/crypt_reboot/cli/sad_exiter.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Cli
+    # Exit with error message
+    class SadExiter < Exiter
+      private
+
+      def initialize(text)
+        super(text, status: 1, stream: $stderr)
+      end
+    end
+  end
+end

data/lib/crypt_reboot/cli.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Command Line Interface
+  module Cli
+    PROGRAM_NAME = 'cryptreboot'
+  end
+end

data/lib/crypt_reboot/concatenator.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Concatenate files into one
+  class Concatenator
+    def call(*files, to:)
+      runner.call(tool, *files, output_file: to)
+    end
+
+    private
+
+    def tool
+      lazy_tool.call
+    end
+
+    attr_reader :lazy_tool, :runner
+
+    def initialize(lazy_tool: LazyConfig.cat_path,
+                   runner: Runner::NoResult.new)
+      @lazy_tool = lazy_tool
+      @runner = runner
+    end
+  end
+end