crypt_reboot 0.2.1 → 0.3.0.beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -1
- data/README.md +6 -0
- data/lib/basic_loader.rb +1 -0
- data/lib/crypt_reboot/crypt_tab/deserializer.rb +7 -1
- data/lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb +34 -0
- data/lib/crypt_reboot/files_generator.rb +2 -5
- data/lib/crypt_reboot/initramfs/extractor.rb +5 -3
- data/lib/crypt_reboot/initramfs_patch_squeezer.rb +35 -8
- data/lib/crypt_reboot/version.rb +1 -1
- metadata +8 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 01bc4b369ba12b4f4197e8935a0b89a2e6f4a95af950e3e1eb048a389ef7672e
|
|
4
|
+
data.tar.gz: 98e360717e15344ae14d41dd9557101c833efa75bcfcd01426096015a7faa2b4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 19d4fe5d9a715a8cc8e6f55bea983f3a676b2af1f17fe4705cb68122e90b17ac378da756bb3f1dadcd02df75f578c89105c84b654d6dc5e6837a0eedc6efba9c
|
|
7
|
+
data.tar.gz: 9d9010da9c9177229345ce804491593aaa4336bdeda5e92becc268035b539f4387b6b89f0e2b13d769d4a8b6e932981fa9e2b4e1085da65b5c177166e15bf437
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,10 @@
|
|
|
1
|
+
## [0.3.0.beta.1] - 2024-09-26
|
|
2
|
+
|
|
3
|
+
- Add preliminary support for LUKS-keystore-based ZFS encryption implemented by Ubuntu
|
|
4
|
+
|
|
1
5
|
## [0.2.1] - 2023-11-12
|
|
2
6
|
|
|
3
|
-
-
|
|
7
|
+
- Use new MemoryLocker without a need for FFI compilation step
|
|
4
8
|
|
|
5
9
|
## [0.2.0] - 2023-07-29
|
|
6
10
|
|
data/README.md
CHANGED
|
@@ -44,6 +44,12 @@ Following distributions were tested by the author on the AMD64 machine:
|
|
|
44
44
|
If you have successfully run cryptreboot on another distribution,
|
|
45
45
|
please contact me and I will update the list.
|
|
46
46
|
|
|
47
|
+
## Disk encryption method
|
|
48
|
+
|
|
49
|
+
Currently, only LUKS-based disk-encryption is supported.
|
|
50
|
+
If you use ZFS native encryption, cryptreboot will [downgrade](https://github.com/phantom-node/cryptreboot/issues/2)
|
|
51
|
+
to standard reboot (using kexec).
|
|
52
|
+
|
|
47
53
|
## Requirements
|
|
48
54
|
|
|
49
55
|
You need to ensure those are installed:
|
data/lib/basic_loader.rb
CHANGED
|
@@ -31,6 +31,7 @@ require 'crypt_reboot/crypt_tab/entry_serializer'
|
|
|
31
31
|
require 'crypt_reboot/crypt_tab/keyfile_locator'
|
|
32
32
|
require 'crypt_reboot/crypt_tab/luks_to_plain_converter'
|
|
33
33
|
require 'crypt_reboot/crypt_tab/serializer'
|
|
34
|
+
require 'crypt_reboot/crypt_tab/zfs_keystore_entries_generator'
|
|
34
35
|
require 'crypt_reboot/initramfs/archiver'
|
|
35
36
|
require 'crypt_reboot/initramfs/decompressor'
|
|
36
37
|
require 'crypt_reboot/initramfs/extractor'
|
|
@@ -4,7 +4,7 @@ module CryptReboot
|
|
|
4
4
|
module CryptTab
|
|
5
5
|
# Load crypttab file and return array with deserialized entries
|
|
6
6
|
class Deserializer
|
|
7
|
-
def call(filename = nil, content:
|
|
7
|
+
def call(filename = nil, content: read_tolerate_missing(filename))
|
|
8
8
|
split_to_important_lines(content).map do |line|
|
|
9
9
|
entry_deserializer.call line
|
|
10
10
|
end
|
|
@@ -12,6 +12,12 @@ module CryptReboot
|
|
|
12
12
|
|
|
13
13
|
private
|
|
14
14
|
|
|
15
|
+
def read_tolerate_missing(filename)
|
|
16
|
+
File.read(filename)
|
|
17
|
+
rescue Errno::ENOENT
|
|
18
|
+
''
|
|
19
|
+
end
|
|
20
|
+
|
|
15
21
|
def split_to_important_lines(content)
|
|
16
22
|
content.split(/\n+|\r+/)
|
|
17
23
|
.reject(&:empty?)
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module CryptReboot
|
|
4
|
+
module CryptTab
|
|
5
|
+
# Get a list of keystore zvols from a running system and return entries array
|
|
6
|
+
class ZfsKeystoreEntriesGenerator
|
|
7
|
+
def call
|
|
8
|
+
glob = File.join(zvol_dir, '**/*')
|
|
9
|
+
Dir.glob(glob)
|
|
10
|
+
.select { |path| path =~ %r{/keystore$} && exist?(path) }
|
|
11
|
+
.map { |path| generate_entry(path) }
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
private
|
|
15
|
+
|
|
16
|
+
def exist?(path)
|
|
17
|
+
File.exist? File.realpath(path)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def generate_entry(path)
|
|
21
|
+
pool = File.basename File.dirname(path)
|
|
22
|
+
target = "keystore-#{pool}"
|
|
23
|
+
entry_class.new target: target, source: path, key_file: 'none', options: {}, flags: %i[luks discard]
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
attr_reader :zvol_dir, :entry_class
|
|
27
|
+
|
|
28
|
+
def initialize(zvol_dir: '/dev/zvol', entry_class: Entry)
|
|
29
|
+
@zvol_dir = zvol_dir
|
|
30
|
+
@entry_class = entry_class
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
module CryptReboot
|
|
4
4
|
# Generate a hash with file names as keys and file contents as values
|
|
5
5
|
class FilesGenerator
|
|
6
|
-
def call(entries, base_dir)
|
|
6
|
+
def call(entries, base_dir:, crypttab_path:)
|
|
7
7
|
files = {}
|
|
8
8
|
modified_entries = entries.map do |entry|
|
|
9
9
|
next entry unless luks?(entry, base_dir)
|
|
@@ -13,14 +13,11 @@ module CryptReboot
|
|
|
13
13
|
files[keyfile] = data.key
|
|
14
14
|
entry_converter.call(entry, data, keyfile)
|
|
15
15
|
end
|
|
16
|
-
files.merge(
|
|
16
|
+
files.merge(crypttab_path => serializer.call(modified_entries))
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
private
|
|
20
20
|
|
|
21
|
-
CRYPTAB_PATH = '/cryptroot/crypttab'
|
|
22
|
-
private_constant :CRYPTAB_PATH
|
|
23
|
-
|
|
24
21
|
def luks?(entry, base_dir)
|
|
25
22
|
headevice = entry.headevice(header_prefix: base_dir)
|
|
26
23
|
luks_checker.call(headevice)
|
|
@@ -10,7 +10,7 @@ module CryptReboot
|
|
|
10
10
|
tmp_maker.call do |dir|
|
|
11
11
|
logger.call message
|
|
12
12
|
decompressor.call(filename, dir)
|
|
13
|
-
yield dir
|
|
13
|
+
yield File.join(dir, subdir)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
16
16
|
|
|
@@ -20,16 +20,18 @@ module CryptReboot
|
|
|
20
20
|
decompressor_factory.call
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
-
attr_reader :tmp_maker, :decompressor_factory, :message, :logger
|
|
23
|
+
attr_reader :tmp_maker, :decompressor_factory, :message, :logger, :subdir
|
|
24
24
|
|
|
25
25
|
def initialize(tmp_maker: Dir.method(:mktmpdir),
|
|
26
26
|
decompressor_factory: Decompressor.new,
|
|
27
27
|
message: 'Extracting initramfs... To speed things up, future versions will employ cache.',
|
|
28
|
-
logger: ->(msg) { warn msg }
|
|
28
|
+
logger: ->(msg) { warn msg },
|
|
29
|
+
subdir: 'main')
|
|
29
30
|
@tmp_maker = tmp_maker
|
|
30
31
|
@decompressor_factory = decompressor_factory
|
|
31
32
|
@message = message
|
|
32
33
|
@logger = logger
|
|
34
|
+
@subdir = subdir
|
|
33
35
|
end
|
|
34
36
|
end
|
|
35
37
|
end
|
|
@@ -5,24 +5,51 @@ module CryptReboot
|
|
|
5
5
|
class InitramfsPatchSqueezer
|
|
6
6
|
def call(initramfs_path)
|
|
7
7
|
extractor.call(initramfs_path) do |tmp_dir|
|
|
8
|
-
|
|
9
|
-
crypttab_entries = deserializer.call(crypttab_path)
|
|
10
|
-
files_generator.call(crypttab_entries, tmp_dir)
|
|
8
|
+
main_files(tmp_dir).merge zfs_files(tmp_dir)
|
|
11
9
|
end
|
|
12
10
|
end
|
|
13
11
|
|
|
14
12
|
private
|
|
15
13
|
|
|
16
|
-
|
|
14
|
+
def main_files(tmp_dir)
|
|
15
|
+
full_crypttab_path = File.join(tmp_dir, crypttab_path)
|
|
16
|
+
crypttab_entries = crypttab_deserializer.call(full_crypttab_path)
|
|
17
|
+
files_generator.call(crypttab_entries, base_dir: tmp_dir, crypttab_path: crypttab_path)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def zfs_files(tmp_dir)
|
|
21
|
+
crypttab_entries = zfs_keystore_entries_generator.call
|
|
22
|
+
return {} if crypttab_entries.empty?
|
|
23
|
+
files = files_generator.call(crypttab_entries, base_dir: tmp_dir, crypttab_path: zfs_crypttab_path)
|
|
24
|
+
script_path = File.join(tmp_dir, zfs_script_path)
|
|
25
|
+
script = File.read(script_path)
|
|
26
|
+
files.merge(zfs_script_path => patch_zfs_script(script))
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def patch_zfs_script(script)
|
|
30
|
+
patch = "cp #{zfs_crypttab_path} #{crypttab_path}; ${CRYPTROOT}"
|
|
31
|
+
script.sub(/^\s*\${CRYPTROOT}\s*$/, patch)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
attr_reader :crypttab_path, :zfs_crypttab_path, :zfs_script_path, :extractor,
|
|
35
|
+
:crypttab_deserializer, :zfs_keystore_entries_generator, :files_generator
|
|
17
36
|
|
|
18
|
-
|
|
37
|
+
# rubocop:disable Metrics/ParameterLists
|
|
38
|
+
def initialize(crypttab_path = '/cryptroot/crypttab',
|
|
39
|
+
zfs_crypttab_path = '/cryptreboot/zfs_crypttab',
|
|
40
|
+
zfs_script_path = '/scripts/zfs',
|
|
19
41
|
extractor: Initramfs::Extractor.new,
|
|
20
|
-
|
|
42
|
+
crypttab_deserializer: CryptTab::Deserializer.new,
|
|
43
|
+
zfs_keystore_entries_generator: CryptTab::ZfsKeystoreEntriesGenerator.new,
|
|
21
44
|
files_generator: FilesGenerator.new)
|
|
22
|
-
@
|
|
45
|
+
@crypttab_path = crypttab_path
|
|
46
|
+
@zfs_crypttab_path = zfs_crypttab_path
|
|
47
|
+
@zfs_script_path = zfs_script_path
|
|
23
48
|
@extractor = extractor
|
|
24
|
-
@
|
|
49
|
+
@crypttab_deserializer = crypttab_deserializer
|
|
50
|
+
@zfs_keystore_entries_generator = zfs_keystore_entries_generator
|
|
25
51
|
@files_generator = files_generator
|
|
26
52
|
end
|
|
53
|
+
# rubocop:enable Metrics/ParameterLists
|
|
27
54
|
end
|
|
28
55
|
end
|
data/lib/crypt_reboot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: crypt_reboot
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0.beta.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paweł Pokrywka
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-09-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: tty-command
|
|
@@ -52,7 +52,7 @@ dependencies:
|
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: 1.0.3
|
|
55
|
-
description:
|
|
55
|
+
description:
|
|
56
56
|
email:
|
|
57
57
|
- pepawel@users.noreply.github.com
|
|
58
58
|
executables:
|
|
@@ -85,6 +85,7 @@ files:
|
|
|
85
85
|
- lib/crypt_reboot/crypt_tab/keyfile_locator.rb
|
|
86
86
|
- lib/crypt_reboot/crypt_tab/luks_to_plain_converter.rb
|
|
87
87
|
- lib/crypt_reboot/crypt_tab/serializer.rb
|
|
88
|
+
- lib/crypt_reboot/crypt_tab/zfs_keystore_entries_generator.rb
|
|
88
89
|
- lib/crypt_reboot/elastic_memory_locker.rb
|
|
89
90
|
- lib/crypt_reboot/files_generator.rb
|
|
90
91
|
- lib/crypt_reboot/files_writer.rb
|
|
@@ -131,7 +132,7 @@ metadata:
|
|
|
131
132
|
source_code_uri: https://github.com/phantom-node/cryptreboot
|
|
132
133
|
changelog_uri: https://github.com/phantom-node/cryptreboot/blob/master/CHANGELOG.md
|
|
133
134
|
rubygems_mfa_required: 'true'
|
|
134
|
-
post_install_message:
|
|
135
|
+
post_install_message:
|
|
135
136
|
rdoc_options: []
|
|
136
137
|
require_paths:
|
|
137
138
|
- lib
|
|
@@ -146,8 +147,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
146
147
|
- !ruby/object:Gem::Version
|
|
147
148
|
version: '0'
|
|
148
149
|
requirements: []
|
|
149
|
-
rubygems_version: 3.
|
|
150
|
-
signing_key:
|
|
150
|
+
rubygems_version: 3.5.4
|
|
151
|
+
signing_key:
|
|
151
152
|
specification_version: 4
|
|
152
153
|
summary: Linux utility for automatic and secure unlocking of encrypted disks on reboot
|
|
153
154
|
test_files: []
|