crypt_reboot 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca95c9301674a1698f766dbfa5dfd06adc99e91a286c32b7eaa77d8611e21762
-  data.tar.gz: 5403a4ed739f8b5901451e3e413598e85acfee1765266a66d85257c708904399
+  metadata.gz: 90456cf783f95d79186882a7fce00b153b4ff1928a68efd4609fb7e8859d3b04
+  data.tar.gz: d5fd15cb6705793a7e357666158eaa4f95f5c14d41b22b1d82d087a921fa512c
 SHA512:
-  metadata.gz: d633a85afa5dc298f39c144d700347cb20ae4bc03e5865ba3a92c2a1ae0ec9bc679393b612f7c18838d35578f583db8f791aab223f896a1ed3fce8bcfd78c6e8
-  data.tar.gz: 59442b7e7106a5d2892def87930503472315dbc45da8d9bf8919d29fc7fc998edcb2dfe69b3bc4ea0306c173bc1dc305fa5be42954bb706eb35f4104531933a3
+  metadata.gz: 5c99c3e114727a1236ef3dd9f536a56b1a89639c4447f6387ec5bcd1bd25234f2655a75f306ace56dd78c36a0aadf77da4321ed6626c36c63e38c9852fefefea
+  data.tar.gz: 37acfc427190670ad362cfb60a8a18ed29bcab338d24ac728ac23f4e3934c6669175db7872836ac46211d09dd16cba861259ec8e99c829050c1a8a3b875b9724

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## [0.1.2] - 2023-07-22
+
+- Lock memory to prevent secrets leaking to swap
+- Use `ramfs` instead of `tmpfs` for the same reason
+
+## [0.1.1] - 2023-07-13
+
+- Standardize passphrase prompt
+
 ## [0.1.0] - 2023-07-09
 
 - Initial release

data/README.md

@@ -28,13 +28,16 @@ Debian, Ubuntu, Linux Mint, Pop!_OS, etc.
 On the other hand, do not expect it to work on other distributions now.
 But support for them may come in upcoming versions.
 
-Following distributions were tested by the author:
+Following distributions were tested by the author on the AMD64 machine:
+- DappNode 0.2.75 is based on Debian 12, see below
+- Debian 12 needs [symlinks for kernel and initramfs](#no-symlinks-to-most-recent-kernel-and-initramfs)
+- Pop!_OS 22.04 LTS
+- Ubuntu 23.04
 - Ubuntu 22.04 LTS
 - Ubuntu 20.04 LTS needs tiny adjustments to system settings,
   specifically [changing compression](#lz4-initramfs-compression) and
   [fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
 - ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
-- Pop!_OS 22.04 LTS
 
 If you have successfully run cryptreboot on another distribution,
 please contact me and I will update the list.
@@ -50,11 +53,18 @@ You need to ensure those are installed:
 If you use recent, mainstream Linux distribution, other requirements are
 probably already met:
 - `kexec` support in the kernel
-- `tmpfs` filesystem support in kernel
+- `ramfs` filesystem support in kernel
 - `cryptsetup` (if you use disk encryption, it should be installed)
 - `systemd` or another way to guarantee staged kernel is executed on reboot
 - `strace` (not required if `--skip-lz4-check` flag is specified)
 
+If you use Debian-based distribution, use this command to install required packages:
+
+    $ sudo apt install --no-install-recommends cryptsetup-initramfs kexec-tools ruby strace systemd
+
+When asked if kexec should handle reboots, answer `yes` (however the answer probably
+doesn't matter for cryptreboot to work).
+
 ## Installation
 
 Make sure the required software is installed, then install the gem system-wide by executing:
@@ -130,6 +140,26 @@ To cancel the change, remove the file:
 
     $ sudo rm /etc/systemd/system/systemd-kexec.service.d/override.conf
 
+### No symlinks to most recent kernel and initramfs
+
+By default cryptreboot looks for kernel in `/boot/vmlinuz` and for initramfs
+in `/boot/initrd.img`. If those files are missing in your Linux distribution,
+cryptreboot will fail, unless you use `--kernel` and `--initramfs` command line
+options.
+
+    $ sudo cryptreboot --kernel /boot/vmlinuz-`uname -r` --initramfs /boot/initrd.img-`uname -r`
+
+If you don't want to specify options every time you reboot, add symlinks to
+the currently running kernel and initramfs:
+
+    $ cd /boot
+    $ sudo ln -sf vmlinuz-`uname -r` vmlinuz
+    $ sudo ln -sf initrd.img-`uname -r` initrd.img
+
+Unfortunately, you need to rerun it after each kernel upgrade, otherwise,
+cryptreboot is going to boot the old kernel.
+Upcoming versions of cryptreboot will offer better solutions.
+
 ## Development
 
 After checking out the repo, run `bundle install` to install

data/lib/basic_loader.rb

@@ -14,6 +14,7 @@ require 'crypt_reboot/gziper'
 require 'crypt_reboot/initramfs_patch_squeezer'
 require 'crypt_reboot/kexec_patching_loader'
 require 'crypt_reboot/lazy_config'
+require 'crypt_reboot/memory_locker'
 require 'crypt_reboot/passphrase_asker'
 require 'crypt_reboot/patched_initramfs_generator'
 require 'crypt_reboot/rebooter'

data/lib/crypt_reboot/cli/params_parsing_executor.rb

@@ -5,9 +5,10 @@ module CryptReboot
     # Interprets parameters, executes everything and returns callable object
     class ParamsParsingExecutor
       def call(raw_params)
+        locker.call
         params = parser.call(raw_params)
         handle_action_params!(params) or configure_and_exec(params)
-      rescue StandardError => e
+      rescue StandardError, Interrupt => e
         raise if debug?
 
         sad_exiter_class.new(error_message(e))
@@ -45,7 +46,7 @@ module CryptReboot
 
       attr_reader :parser, :config_updater, :loader, :help_generator,
                   :version_string, :debug_checker, :rebooter,
-                  :happy_exiter_class, :sad_exiter_class
+                  :happy_exiter_class, :sad_exiter_class, :locker
 
       # rubocop:disable Metrics/ParameterLists
       def initialize(parser: Params::Parser.new,
@@ -56,7 +57,8 @@ module CryptReboot
                      debug_checker: LazyConfig.debug,
                      rebooter: Rebooter.new,
                      happy_exiter_class: HappyExiter,
-                     sad_exiter_class: SadExiter)
+                     sad_exiter_class: SadExiter,
+                     locker: MemoryLocker.new)
         @parser = parser
         @config_updater = config_updater
         @loader = loader
@@ -66,6 +68,7 @@ module CryptReboot
         @rebooter = rebooter
         @happy_exiter_class = happy_exiter_class
         @sad_exiter_class = sad_exiter_class
+        @locker = locker
       end
       # rubocop:enable Metrics/ParameterLists
     end

data/lib/crypt_reboot/memory_locker.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module CryptReboot
+  # Lock process memory, so it won't be swapped by the kernel.
+  # It is implemented as a one-way operation: there is no unlock.
+  # That's because it's hard to properly clean memory in Ruby.
+  class MemoryLocker
+    Error = Class.new StandardError
+
+    def call
+      return if Libc.mlockall(Libc::MCL_CURRENT | Libc::MCL_FUTURE).zero?
+
+      raise Error, "Failed to lock memory: #{FFI.errno}"
+    end
+
+    # Low level interface to libc
+    module Libc
+      extend FFI::Library
+      ffi_lib 'libc.so.6'
+
+      # define mlockall constants
+      MCL_CURRENT = 1
+      MCL_FUTURE = 2
+      MCL_ONFAULT = 4
+
+      # declare mlockall function
+      attach_function :mlockall, [:int], :int
+    end
+    private_constant :Libc
+  end
+end

data/lib/crypt_reboot/safe_temp/directory.rb

@@ -4,7 +4,7 @@ require 'tmpdir'
 
 module CryptReboot
   module SafeTemp
-    # Create temporary directory, mounts tmpfs and yields tmp dir location.
+    # Create temporary directory, mounts ramfs and yields tmp dir location.
     # Make sure to cleanup afterwards.
     class Directory
       def call

data/lib/crypt_reboot/safe_temp/mounter.rb

@@ -2,7 +2,9 @@
 
 module CryptReboot
   module SafeTemp
-    # Mount tmpfs at the given mount point, yield and unmount
+    # Mount ramfs at the given mount point, yield and unmount.
+    # We don't want the contents of directory to be swapped,
+    # therefore ramfs is used instead of tmpfs.
     class Mounter
       def call(dir, &block)
         mounter.call(dir)
@@ -21,7 +23,7 @@ module CryptReboot
 
       def initialize(runner: Runner::NoResult.new,
                      mounter: lambda { |dir|
-                                runner.call(Config.mount_path, '-t', 'tmpfs', '-o', 'mode=700', 'none', dir)
+                                runner.call(Config.mount_path, '-t', 'ramfs', '-o', 'mode=700', 'none', dir)
                               },
                      umounter: ->(dir) { runner.call(Config.umount_path, dir) })
         @runner = runner

data/lib/crypt_reboot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module CryptReboot
-  VERSION = '0.1.1'
+  VERSION = '0.1.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: crypt_reboot
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Paweł Pokrywka
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-07-13 00:00:00.000000000 Z
+date: 2023-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-command
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
 description: 
 email:
 - pepawel@users.noreply.github.com
@@ -93,6 +107,7 @@ files:
 - lib/crypt_reboot/luks/dumper/luks_v2_parser.rb
 - lib/crypt_reboot/luks/key_fetcher.rb
 - lib/crypt_reboot/luks/version_detector.rb
+- lib/crypt_reboot/memory_locker.rb
 - lib/crypt_reboot/passphrase_asker.rb
 - lib/crypt_reboot/patched_initramfs_generator.rb
 - lib/crypt_reboot/rebooter.rb