mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 20:47:55 +00:00
0cef8e1edc
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation.
This is a critical feature for the Qubes OS 4.2 release for added data at rest protection
Cryptsetup 2.6.x internal changes:
- Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots.
- This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt
- OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs.
- passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted)
- reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree)
cryptsetup 2.6.1 requires:
- lvm2 2.03.23, which is also included in this PR.
- requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in)
- requires util-linux 2.39
- patches for reproducible builds are included for above 3 packages.
luks-functions was updated to support the new cryptsetup2 version calls/changes
- reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues
- from tests, this is best for performance and reliability in single-user mode
- LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early.
- Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically.
- If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK
- Reencryption: requires to know which key slot to reencrypt.
- Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call
- Passphrase change: no slot can be passed, but key slot of DRK rotates.
kexec-seal-key
- TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31)
- If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically
- This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots.
- If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys.
- It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used?
- Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31)
- But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic.
- LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions.
TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
- this could be subject to future work
Notes:
- time to deprecated legacy boards the do not enough space for the new space requirements
- x230-legacy, x230-legacy-flash, x230-hotp-legacy
- t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated
Unrelated:
- typos fixes found along the way
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
266 lines
8.9 KiB
Bash
Executable File
266 lines
8.9 KiB
Bash
Executable File
#! /bin/ash
|
|
# Note this is used on legacy-flash boards that lack bash, it runs with busybox
|
|
# ash. Calls to bash scripts must be guarded by checking config.
|
|
|
|
mknod /dev/ttyprintk c 5 3
|
|
echo "hello world" > /dev/ttyprintk
|
|
|
|
# Setup our path
|
|
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
|
|
|
|
# This is the very first script invoked by the Linux kernel and is
|
|
# running out of the ram disk. There are no fileysstems mounted.
|
|
# It is important to have a way to invoke a recovery shell in case
|
|
# the boot scripts are messed up, but also important to modify the
|
|
# PCRs if this happens to prevent the TPM Disk Unlock Keys from being revealed.
|
|
|
|
# First thing it is vital to mount the /dev and other system directories
|
|
mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-
|
|
mount /dev 2>/dev/ttyprintk
|
|
mount /proc 2>/dev/ttyprintk
|
|
mount /sys 2>/dev/ttyprintk
|
|
|
|
if [ "$CONFIG_LINUXBOOT" = "y" ]; then
|
|
mount /sys/firmware/efi/efivars
|
|
fi
|
|
|
|
# Setup the pty pseudo filesystem
|
|
mkdir /dev/pts
|
|
mount /dev/pts 2>/dev/ttyprintk
|
|
|
|
if [ ! -r /dev/ptmx ]; then
|
|
ln -s /dev/pts/ptmx /dev/ptmx
|
|
fi
|
|
|
|
# Needed by bash
|
|
[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
|
|
[ -e /dev/stdout ] || ln -s /proc/self/fd/1 /dev/stdout
|
|
[ -e /dev/stderr ] || ln -s /proc/self/fd/2 /dev/stderr
|
|
[ -e /dev/fd ] || ln -s /proc/self/fd /dev/fd
|
|
|
|
# Recovery shells will erase anything from here
|
|
mkdir -p /tmp/secret
|
|
|
|
# Now it is safe to print a banner
|
|
if [ -r /etc/motd ]; then
|
|
cat /etc/motd > /dev/tty0
|
|
fi
|
|
|
|
# Load the date from the hardware clock, setting it in local time
|
|
hwclock -l -s
|
|
|
|
# When mounting a filesystem, try exFAT last, since it logs errors if the
|
|
# filesystem is not exFAT, and the errors go to the console. Those errors are
|
|
# spurious when the medium is iso9660. By default in our config, the only
|
|
# filesystem after exFAT is iso9660, move exFAT last.
|
|
(grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems
|
|
|
|
# Read the system configuration parameters
|
|
. /etc/ash_functions
|
|
. /etc/config
|
|
|
|
# Board config had CONFIG_DEBUG_OUTPUT=y defined.
|
|
# Note that boards's coreboot config kernel command line "debug" option only will have all kernel messages output on console prior of this point
|
|
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
|
|
#Maximize printk messages to output all to console (8=debug)
|
|
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
|
|
dmesg -n 8 || true
|
|
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
|
|
else
|
|
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
|
|
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
|
|
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
|
|
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
|
|
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
|
|
dmesg -n 4 || true
|
|
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
|
|
fi
|
|
|
|
TRACE "Under init"
|
|
|
|
# make sure we have sysctl requirements
|
|
if [ ! -d /proc/sys ]; then
|
|
warn "BUG!!! The following requirements to apply runtime kernel tweaks are missing:"
|
|
warn "CONFIG_SYSCTL=y"
|
|
warn "CONFIG_PROC_SYSCTL=y"
|
|
warn "Please open an issue"
|
|
fi
|
|
|
|
if [ ! -e /proc/sys/vm/panic_on_oom ]; then
|
|
warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
|
|
warn "Please open an issue"
|
|
else
|
|
DEBUG "Applying panic_on_oom setting to sysctl"
|
|
echo 1 > /proc/sys/vm/panic_on_oom
|
|
fi
|
|
|
|
|
|
# set CONFIG_TPM dynamically before init
|
|
if [ ! -e /dev/tpm0 ]; then
|
|
CONFIG_TPM='n'
|
|
CONFIG_TPM2_TOOLS='n'
|
|
fi
|
|
|
|
#Specify whiptail background colors cues under FBWhiptail only
|
|
if [ -x /bin/fbwhiptail ]; then
|
|
DEBUG "fbwhiptail BG_COLOR_* exported"
|
|
export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}"
|
|
export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}"
|
|
export BG_COLOR_MAIN_MENU="normal"
|
|
else
|
|
DEBUG "whiptail TEXT_BG_COLOR_* exported"
|
|
export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}"
|
|
export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}"
|
|
export BG_COLOR_MAIN_MENU="normal"
|
|
fi
|
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
# Initialize tpm2 encrypted sessions here
|
|
tpmr startsession
|
|
fi
|
|
|
|
if [ "$CONFIG_COREBOOT" = "y" ]; then
|
|
[ -x /bin/bash ] && /bin/cbfs-init
|
|
fi
|
|
if [ "$CONFIG_LINUXBOOT" = "y" ]; then
|
|
/bin/uefi-init
|
|
fi
|
|
|
|
# Set GPG_TTY before calling gpg in key-init
|
|
export GPG_TTY=/dev/console
|
|
|
|
# Initialize gpnupg with distro/user keys and setup the keyrings
|
|
[ -x /bin/bash ] && /bin/key-init
|
|
|
|
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
|
|
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
|
|
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
|
|
echo "CONFIG_USE_BLOB_JAIL=y" >> /etc/config.user
|
|
fi
|
|
fi
|
|
|
|
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
|
|
# determined above.
|
|
#
|
|
# Values in user config have higher priority during combining thus effectively
|
|
# changing the value for the rest of the scripts which source /tmp/config.
|
|
|
|
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
|
|
if ! grep -q 'CONFIG_TPM=' /etc/config.user; then
|
|
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >> /etc/config.user
|
|
fi
|
|
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user; then
|
|
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >> /etc/config.user
|
|
fi
|
|
|
|
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
|
|
# Substitute it in config.user if present for backward compatibility.
|
|
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
|
|
|
|
combine_configs
|
|
. /tmp/config
|
|
|
|
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
|
|
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
|
|
#Output all kernel messages to console (8=debug)
|
|
#DEBUG and TRACE calls will be in dmesg and on console
|
|
if ! grep -q 'CONFIG_DEBUG_OUTPUT="y"' /etc/config;then
|
|
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
|
|
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
|
|
dmesg -n 8
|
|
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
|
|
TRACE "Under init:after combine_configs"
|
|
fi
|
|
fi
|
|
|
|
|
|
# Setup recovery serial shell
|
|
if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
|
|
stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
|
|
pause_recovery 'Console recovery shell' \
|
|
< "$CONFIG_BOOT_RECOVERY_SERIAL" \
|
|
> "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
|
|
fi
|
|
|
|
# load USB modules for boards using a USB keyboard
|
|
if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = "y" ]; then
|
|
enable_usb
|
|
fi
|
|
|
|
# If the user has been holding down r, enter a recovery shell
|
|
# otherwise immediately start the configured boot script.
|
|
# We don't print a prompt, since this is a near instant timeout.
|
|
read \
|
|
-t 0.1 \
|
|
-n 1 \
|
|
boot_option
|
|
echo
|
|
|
|
if [ "$boot_option" = "r" ]; then
|
|
# Start an interactive shell
|
|
recovery 'User requested recovery shell'
|
|
# just in case...
|
|
exit
|
|
elif [ "$boot_option" = "o" ]; then
|
|
# Launch OEM Factory Reset/Re-Ownership
|
|
oem-factory-reset
|
|
# just in case...
|
|
exit
|
|
fi
|
|
|
|
if [ "$CONFIG_BASIC" = "y" ]; then
|
|
echo -e "***** BASIC mode: tamper detection disabled\n" > /dev/tty0
|
|
fi
|
|
|
|
# export firmware version
|
|
export FW_VER=$(fw_version)
|
|
|
|
# Add our boot devices into the /etc/fstab, if they are defined
|
|
# in the configuration file.
|
|
if [ ! -z "$CONFIG_BOOT_DEV" ]; then
|
|
echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
|
|
fi
|
|
|
|
# Set the console font if needed
|
|
[ -x /bin/bash ] && setconsolefont.sh
|
|
|
|
if [ "$CONFIG_BASIC" = "y" ]; then
|
|
CONFIG_BOOTSCRIPT=/bin/gui-init-basic
|
|
export CONFIG_HOTPKEY=n
|
|
fi
|
|
|
|
# Perform board-specific init if present
|
|
if [ -x /bin/board-init.sh ]; then
|
|
/bin/board-init.sh
|
|
fi
|
|
|
|
if [ ! -x "$CONFIG_BOOTSCRIPT" -a ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then
|
|
recovery 'Boot script missing? Entering recovery shell'
|
|
else
|
|
if [ -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then
|
|
echo '***** Network Boot:' $CONFIG_BOOTSCRIPT_NETWORK
|
|
$CONFIG_BOOTSCRIPT_NETWORK
|
|
echo '***** Network Boot Completed:' $CONFIG_BOOTSCRIPT_NETWORK
|
|
# not blocking
|
|
fi
|
|
|
|
if [ -x "$CONFIG_BOOTSCRIPT" ]; then
|
|
echo '***** Normal boot:' $CONFIG_BOOTSCRIPT
|
|
|
|
if [ -x /bin/setsid ] && [ -x /bin/agetty ]; then
|
|
for console in $CONFIG_BOOT_EXTRA_TTYS; do
|
|
setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux &
|
|
done
|
|
fi
|
|
|
|
#Setup a control tty so that all terminals outputs correct tty when tty is called
|
|
exec cttyhack "$CONFIG_BOOTSCRIPT"
|
|
else
|
|
# wait for boot via network to occur
|
|
pause_recovery 'Override network boot. Entering recovery shell'
|
|
fi
|
|
fi
|
|
|
|
# We should never reach here, but just in case...
|
|
recovery 'Boot script failure? Entering recovery shell'
|