crypt_reboot 0.3.0.beta.1 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +25 -16
- data/lib/basic_loader.rb +2 -0
- data/lib/crypt_reboot/crypt_tab/deserializer.rb +1 -7
- data/lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb +13 -5
- data/lib/crypt_reboot/initramfs_patch_squeezer.rb +10 -38
- data/lib/crypt_reboot/luks_crypt_tab_patcher.rb +26 -0
- data/lib/crypt_reboot/version.rb +1 -1
- data/lib/crypt_reboot/zfs_keystore_patcher.rb +46 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c87fe69139eb41dd5bf41ec7e790cef1934e4c0c1d9bac7d46990d0a190a4f7f
|
|
4
|
+
data.tar.gz: d9aa729f6fabb43042a260b53a622a1ad33d1d011301719b7e2f1d141f46dcba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 24ebddd15821359a61c6eaab3915b0a6bc70b5d3acae7cfd1dee2a0dcaafe749d52abf22d5e8ead46b10b43bcfeaba7ef78bfed325ef360f740b0c40c6a5e192
|
|
7
|
+
data.tar.gz: 4b4a0ddb6a508f3e590ac2c8df6e78730c244fd1860a14fd4035953d4b066b448d56312dfa908151a1a5ff85db0b984142ec3ad8d611020458264ac1358f2cad
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -20,6 +20,14 @@ and `/boot/initrd.img` as initramfs.
|
|
|
20
20
|
Will work properly when using standard passphrase-based disk unlocking.
|
|
21
21
|
Fancy methods such as using an external USB with a passphrase file will fail.
|
|
22
22
|
|
|
23
|
+
## Supported disk encryption methods
|
|
24
|
+
|
|
25
|
+
### LUKS crypttab
|
|
26
|
+
LUKS-based disk-encryption configured with `/etc/crypttab` file.
|
|
27
|
+
|
|
28
|
+
### ZFS keystore
|
|
29
|
+
Native ZFS encryption with LUKS-encrypted keystore volume.
|
|
30
|
+
|
|
23
31
|
## Compatible Linux distributions
|
|
24
32
|
|
|
25
33
|
Currently, cryptreboot depends on `initramfs-tools` package which is available in
|
|
@@ -30,26 +38,27 @@ On the other hand, do not expect it to work on other distributions now.
|
|
|
30
38
|
But support for them may come in upcoming versions.
|
|
31
39
|
|
|
32
40
|
Following distributions were tested by the author on the AMD64 machine:
|
|
33
|
-
|
|
34
|
-
-
|
|
35
|
-
-
|
|
36
|
-
-
|
|
37
|
-
-
|
|
38
|
-
- Ubuntu
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
41
|
+
|
|
42
|
+
- LUKS crypttab disk encryption method
|
|
43
|
+
- DappNode 0.2.75 is based on Debian 12, see below
|
|
44
|
+
- Debian 12 needs [symlinks for kernel and initramfs](#no-symlinks-to-most-recent-kernel-and-initramfs)
|
|
45
|
+
- Pop!_OS 22.04 LTS
|
|
46
|
+
- Ubuntu 24.04 LTS
|
|
47
|
+
- Ubuntu 23.04
|
|
48
|
+
- Ubuntu 22.04 LTS
|
|
49
|
+
- Ubuntu 20.04 LTS needs tiny adjustments to system settings,
|
|
50
|
+
specifically [changing compression](#lz4-initramfs-compression) and
|
|
51
|
+
[fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
|
|
52
|
+
[sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
|
|
53
|
+
- ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
|
|
54
|
+
|
|
55
|
+
- ZFS keystore disk encryption method
|
|
56
|
+
- Ubuntu 24.04 LTS
|
|
57
|
+
- Ubuntu 22.04 LTS
|
|
43
58
|
|
|
44
59
|
If you have successfully run cryptreboot on another distribution,
|
|
45
60
|
please contact me and I will update the list.
|
|
46
61
|
|
|
47
|
-
## Disk encryption method
|
|
48
|
-
|
|
49
|
-
Currently, only LUKS-based disk-encryption is supported.
|
|
50
|
-
If you use ZFS native encryption, cryptreboot will [downgrade](https://github.com/phantom-node/cryptreboot/issues/2)
|
|
51
|
-
to standard reboot (using kexec).
|
|
52
|
-
|
|
53
62
|
## Requirements
|
|
54
63
|
|
|
55
64
|
You need to ensure those are installed:
|
data/lib/basic_loader.rb
CHANGED
|
@@ -15,11 +15,13 @@ require 'crypt_reboot/gziper'
|
|
|
15
15
|
require 'crypt_reboot/initramfs_patch_squeezer'
|
|
16
16
|
require 'crypt_reboot/kexec_patching_loader'
|
|
17
17
|
require 'crypt_reboot/lazy_config'
|
|
18
|
+
require 'crypt_reboot/luks_crypt_tab_patcher'
|
|
18
19
|
require 'crypt_reboot/passphrase_asker'
|
|
19
20
|
require 'crypt_reboot/patched_initramfs_generator'
|
|
20
21
|
require 'crypt_reboot/rebooter'
|
|
21
22
|
require 'crypt_reboot/runner'
|
|
22
23
|
require 'crypt_reboot/single_assign_restricted_map'
|
|
24
|
+
require 'crypt_reboot/zfs_keystore_patcher'
|
|
23
25
|
require 'crypt_reboot/cli/exiter'
|
|
24
26
|
require 'crypt_reboot/cli/happy_exiter'
|
|
25
27
|
require 'crypt_reboot/cli/params_parsing_executor'
|
|
@@ -4,7 +4,7 @@ module CryptReboot
|
|
|
4
4
|
module CryptTab
|
|
5
5
|
# Load crypttab file and return array with deserialized entries
|
|
6
6
|
class Deserializer
|
|
7
|
-
def call(filename = nil, content:
|
|
7
|
+
def call(filename = nil, content: File.read(filename))
|
|
8
8
|
split_to_important_lines(content).map do |line|
|
|
9
9
|
entry_deserializer.call line
|
|
10
10
|
end
|
|
@@ -12,12 +12,6 @@ module CryptReboot
|
|
|
12
12
|
|
|
13
13
|
private
|
|
14
14
|
|
|
15
|
-
def read_tolerate_missing(filename)
|
|
16
|
-
File.read(filename)
|
|
17
|
-
rescue Errno::ENOENT
|
|
18
|
-
''
|
|
19
|
-
end
|
|
20
|
-
|
|
21
15
|
def split_to_important_lines(content)
|
|
22
16
|
content.split(/\n+|\r+/)
|
|
23
17
|
.reject(&:empty?)
|
|
@@ -19,15 +19,23 @@ module CryptReboot
|
|
|
19
19
|
|
|
20
20
|
def generate_entry(path)
|
|
21
21
|
pool = File.basename File.dirname(path)
|
|
22
|
-
|
|
23
|
-
|
|
22
|
+
# Target name is the same as produced by /scripts/zfs script within initramfs
|
|
23
|
+
entry_builder.call target: "keystore-#{pool}", source: path
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
-
attr_reader :zvol_dir, :
|
|
26
|
+
attr_reader :zvol_dir, :entry_builder
|
|
27
27
|
|
|
28
|
-
def initialize(zvol_dir: '/dev/zvol',
|
|
28
|
+
def initialize(zvol_dir: '/dev/zvol',
|
|
29
|
+
entry_builder: lambda { |target:, source:|
|
|
30
|
+
# Flags and options are the same as produced by /scripts/zfs script within initramfs
|
|
31
|
+
Entry.new target: target,
|
|
32
|
+
source: source,
|
|
33
|
+
key_file: 'none',
|
|
34
|
+
options: {},
|
|
35
|
+
flags: %i[luks discard]
|
|
36
|
+
})
|
|
29
37
|
@zvol_dir = zvol_dir
|
|
30
|
-
@
|
|
38
|
+
@entry_builder = entry_builder
|
|
31
39
|
end
|
|
32
40
|
end
|
|
33
41
|
end
|
|
@@ -5,51 +5,23 @@ module CryptReboot
|
|
|
5
5
|
class InitramfsPatchSqueezer
|
|
6
6
|
def call(initramfs_path)
|
|
7
7
|
extractor.call(initramfs_path) do |tmp_dir|
|
|
8
|
-
|
|
8
|
+
patchers.inject({}) do |files, patcher|
|
|
9
|
+
files.merge patcher.call(tmp_dir)
|
|
10
|
+
end
|
|
9
11
|
end
|
|
10
12
|
end
|
|
11
13
|
|
|
12
14
|
private
|
|
13
15
|
|
|
14
|
-
|
|
15
|
-
full_crypttab_path = File.join(tmp_dir, crypttab_path)
|
|
16
|
-
crypttab_entries = crypttab_deserializer.call(full_crypttab_path)
|
|
17
|
-
files_generator.call(crypttab_entries, base_dir: tmp_dir, crypttab_path: crypttab_path)
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
def zfs_files(tmp_dir)
|
|
21
|
-
crypttab_entries = zfs_keystore_entries_generator.call
|
|
22
|
-
return {} if crypttab_entries.empty?
|
|
23
|
-
files = files_generator.call(crypttab_entries, base_dir: tmp_dir, crypttab_path: zfs_crypttab_path)
|
|
24
|
-
script_path = File.join(tmp_dir, zfs_script_path)
|
|
25
|
-
script = File.read(script_path)
|
|
26
|
-
files.merge(zfs_script_path => patch_zfs_script(script))
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
def patch_zfs_script(script)
|
|
30
|
-
patch = "cp #{zfs_crypttab_path} #{crypttab_path}; ${CRYPTROOT}"
|
|
31
|
-
script.sub(/^\s*\${CRYPTROOT}\s*$/, patch)
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
attr_reader :crypttab_path, :zfs_crypttab_path, :zfs_script_path, :extractor,
|
|
35
|
-
:crypttab_deserializer, :zfs_keystore_entries_generator, :files_generator
|
|
16
|
+
attr_reader :extractor, :patchers
|
|
36
17
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
crypttab_deserializer: CryptTab::Deserializer.new,
|
|
43
|
-
zfs_keystore_entries_generator: CryptTab::ZfsKeystoreEntriesGenerator.new,
|
|
44
|
-
files_generator: FilesGenerator.new)
|
|
45
|
-
@crypttab_path = crypttab_path
|
|
46
|
-
@zfs_crypttab_path = zfs_crypttab_path
|
|
47
|
-
@zfs_script_path = zfs_script_path
|
|
18
|
+
def initialize(extractor: Initramfs::Extractor.new,
|
|
19
|
+
patchers: [
|
|
20
|
+
LuksCryptTabPatcher.new,
|
|
21
|
+
ZfsKeystorePatcher.new
|
|
22
|
+
])
|
|
48
23
|
@extractor = extractor
|
|
49
|
-
@
|
|
50
|
-
@zfs_keystore_entries_generator = zfs_keystore_entries_generator
|
|
51
|
-
@files_generator = files_generator
|
|
24
|
+
@patchers = patchers
|
|
52
25
|
end
|
|
53
|
-
# rubocop:enable Metrics/ParameterLists
|
|
54
26
|
end
|
|
55
27
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module CryptReboot
|
|
4
|
+
# Generate patch (files hash) from files in a directory containing uncompressed initramfs
|
|
5
|
+
class LuksCryptTabPatcher
|
|
6
|
+
def call(dir)
|
|
7
|
+
full_crypttab_path = File.join(dir, crypttab_path)
|
|
8
|
+
return {} unless File.exist?(full_crypttab_path)
|
|
9
|
+
|
|
10
|
+
crypttab_entries = crypttab_deserializer.call(full_crypttab_path)
|
|
11
|
+
files_generator.call(crypttab_entries, base_dir: dir, crypttab_path: crypttab_path)
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
private
|
|
15
|
+
|
|
16
|
+
attr_reader :crypttab_path, :crypttab_deserializer, :files_generator
|
|
17
|
+
|
|
18
|
+
def initialize(crypttab_path: '/cryptroot/crypttab',
|
|
19
|
+
crypttab_deserializer: CryptTab::Deserializer.new,
|
|
20
|
+
files_generator: FilesGenerator.new)
|
|
21
|
+
@crypttab_path = crypttab_path
|
|
22
|
+
@crypttab_deserializer = crypttab_deserializer
|
|
23
|
+
@files_generator = files_generator
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
data/lib/crypt_reboot/version.rb
CHANGED
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module CryptReboot
|
|
4
|
+
# Generate patch (files hash) from files in a directory containing uncompressed initramfs
|
|
5
|
+
class ZfsKeystorePatcher
|
|
6
|
+
def call(dir)
|
|
7
|
+
crypttab_entries = entries_generator.call
|
|
8
|
+
return {} if crypttab_entries.empty?
|
|
9
|
+
|
|
10
|
+
files_generator
|
|
11
|
+
.call(crypttab_entries, base_dir: dir, crypttab_path: tmp_crypttab_path)
|
|
12
|
+
.merge(script_patch_files(dir))
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
private
|
|
16
|
+
|
|
17
|
+
def script_patch_files(dir)
|
|
18
|
+
path = File.join(dir, script_path)
|
|
19
|
+
content = File.read(path)
|
|
20
|
+
{ script_path => patch_script(content) }
|
|
21
|
+
rescue Errno::ENOENT
|
|
22
|
+
{}
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def patch_script(script)
|
|
26
|
+
comment = '# Following line has been added by cryptreboot'
|
|
27
|
+
patch = "cp #{tmp_crypttab_path} #{crypttab_path}"
|
|
28
|
+
script.sub(/^(\s*)(\${CRYPTROOT})\s*$/, "\n\\1#{comment}\n\\1#{patch}\n\n\\1\\2")
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
attr_reader :crypttab_path, :tmp_crypttab_path, :script_path,
|
|
32
|
+
:entries_generator, :files_generator
|
|
33
|
+
|
|
34
|
+
def initialize(crypttab_path: '/cryptroot/crypttab',
|
|
35
|
+
tmp_crypttab_path: '/cryptreboot/zfs_crypttab',
|
|
36
|
+
script_path: '/scripts/zfs',
|
|
37
|
+
entries_generator: CryptTab::ZfsKeystoreEntriesGenerator.new,
|
|
38
|
+
files_generator: FilesGenerator.new)
|
|
39
|
+
@crypttab_path = crypttab_path
|
|
40
|
+
@tmp_crypttab_path = tmp_crypttab_path
|
|
41
|
+
@script_path = script_path
|
|
42
|
+
@entries_generator = entries_generator
|
|
43
|
+
@files_generator = files_generator
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: crypt_reboot
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.0
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paweł Pokrywka
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-09-
|
|
11
|
+
date: 2024-09-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: tty-command
|
|
@@ -109,6 +109,7 @@ files:
|
|
|
109
109
|
- lib/crypt_reboot/luks/dumper/luks_v2_parser.rb
|
|
110
110
|
- lib/crypt_reboot/luks/key_fetcher.rb
|
|
111
111
|
- lib/crypt_reboot/luks/version_detector.rb
|
|
112
|
+
- lib/crypt_reboot/luks_crypt_tab_patcher.rb
|
|
112
113
|
- lib/crypt_reboot/passphrase_asker.rb
|
|
113
114
|
- lib/crypt_reboot/patched_initramfs_generator.rb
|
|
114
115
|
- lib/crypt_reboot/rebooter.rb
|
|
@@ -124,6 +125,7 @@ files:
|
|
|
124
125
|
- lib/crypt_reboot/safe_temp/mounter.rb
|
|
125
126
|
- lib/crypt_reboot/single_assign_restricted_map.rb
|
|
126
127
|
- lib/crypt_reboot/version.rb
|
|
128
|
+
- lib/crypt_reboot/zfs_keystore_patcher.rb
|
|
127
129
|
homepage: https://phantomno.de/cryptreboot
|
|
128
130
|
licenses:
|
|
129
131
|
- MIT
|