Pull request #153: Add secure storage
Merge in ICO/coreos from add_secure_storage to master * commit 'e4fd830aa81a042f51b1cf98cbd83cdeb60c1177': feat(secure-storage): add kernel config fragment for dm_crypt feat(secure-storage): add secure-storage as Coreos base feature feat(secure-storage): add secure-storage base functionality feat(userdata): add userdata partition
This commit is contained in:
commit
b819d0746d
|
|
@ -6,7 +6,9 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part
|
||||||
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
|
||||||
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
|
WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
|
||||||
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
|
WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
|
||||||
WKS_PART_ROOT_SIZE ??= '2G'
|
WKS_PART_ROOT_SIZE ??= '1G'
|
||||||
|
WKS_PART_USERDATA_SIZE ??= '1G'
|
||||||
|
WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'
|
||||||
|
|
||||||
SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
|
SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
|
||||||
SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
|
SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
|
||||||
|
|
|
||||||
|
|
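Review bot: `WKS_PART_ROOT_SIZE` appears to change from `'2G'` to `'1G'` in the same hunk that introduces `WKS_PART_USERDATA_SIZE` and `WKS_PART_USERDATA`, but neither the commit message nor a comment says why the rootfs default is halved, and every image relying on this default inherits it. If the reason is to make room for the 1G userdata partition, a comment such as `# root default reduced to 1G to leave room for the userdata partition` next to the assignment would save the next reader a bisect. The header of this defaults file is outside the hunk.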
@ -5,6 +5,7 @@ ${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --o
|
||||||
${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_EFIBOOTGUARD_A} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
${WKS_PART_EFIBOOTGUARD_A} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_EFIBOOTGUARD_B} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
${WKS_PART_EFIBOOTGUARD_B} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||||
|
${WKS_PART_USERDATA} --ondisk sda --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
|
|
||||||
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
|
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
|
||||||
bootloader --ptable gpt
|
bootloader --ptable gpt
|
||||||
|
|
|
||||||
|
|
@ -7,5 +7,6 @@ part / --source rootfs --fstype=ext4 --label rootfs0 --ondisk mmcblk1 --size ${W
|
||||||
part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||||
part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||||
|
${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
|
|
||||||
bootloader --ptable gpt
|
bootloader --ptable gpt
|
||||||
|
|
@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
|
||||||
COREOS_IMAGE_BASE_INSTALL = "\
|
COREOS_IMAGE_BASE_INSTALL = "\
|
||||||
packagegroup-coreos-boot \
|
packagegroup-coreos-boot \
|
||||||
packagegroup-coreos-base \
|
packagegroup-coreos-base \
|
||||||
|
secure-storage \
|
||||||
"
|
"
|
||||||
|
|
||||||
COREOS_IMAGE_EXTRA_INSTALL ?= ""
|
COREOS_IMAGE_EXTRA_INSTALL ?= ""
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,93 @@
|
||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
loopdir=/usr/local/data/loopdevices
|
||||||
|
loopfile=$loopdir/crypt.loop
|
||||||
|
|
||||||
|
keyfiledir=/usr/local/data/.crypto
|
||||||
|
keyfile=$keyfiledir/ss_crypto.keyfile
|
||||||
|
|
||||||
|
#megabytes
|
||||||
|
loopsize=16
|
||||||
|
|
||||||
|
#/dev/mapper/xxxxx when open
|
||||||
|
cryptmapper=secStorage
|
||||||
|
|
||||||
|
makefilesystem=ext4
|
||||||
|
|
||||||
|
#mountpoint of uncrypted device
|
||||||
|
mountpoint=/usr/local/data/secure-storage
|
||||||
|
|
||||||
|
create_keyfile() {
|
||||||
|
# echo "Create key file"
|
||||||
|
systemd-notify --status="Create key file"
|
||||||
|
mkdir -p $keyfiledir
|
||||||
|
dd if=/dev/urandom of=$keyfile bs=1 count=256
|
||||||
|
chown root:root $keyfiledir/*
|
||||||
|
chmod 000 $keyfiledir/*
|
||||||
|
}
|
||||||
|
|
||||||
|
error() {
|
||||||
|
echo "Error: $1"
|
||||||
|
exit $?
|
||||||
|
}
|
||||||
|
|
||||||
|
#creates a new file
|
||||||
|
create_loopback_and_open() {
|
||||||
|
# echo "Creating a file with random bits.. this could take a while..."
|
||||||
|
systemd-notify --status="Creating a file with random bits.. this could take a while..."
|
||||||
|
mkdir -p $loopdir || error "Creating loopdir"
|
||||||
|
mkdir -p $mountpoint || error "Creating mountpoint"
|
||||||
|
dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
|
||||||
|
loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
|
||||||
|
echo "Selected loop device: $loopdevice"
|
||||||
|
cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
|
||||||
|
cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
|
||||||
|
mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
|
||||||
|
mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
|
||||||
|
systemd-notify --ready --status="Sucessfully mounted secure storage"
|
||||||
|
}
|
||||||
|
|
||||||
|
#mounts crypted loopback file
|
||||||
|
open() {
|
||||||
|
#echo "Open secure-storage"
|
||||||
|
systemd-notify --status="Open secure storage"
|
||||||
|
loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
|
||||||
|
echo "Selected loop device: $ld"
|
||||||
|
cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
|
||||||
|
mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
|
||||||
|
systemd-notify --ready --status="Sucessfully mounted secure storage"
|
||||||
|
}
|
||||||
|
|
||||||
|
#unmounts previously mounted loopback file
|
||||||
|
close() {
|
||||||
|
echo "Close secure-storage"
|
||||||
|
# get loopdevice
|
||||||
|
loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
|
||||||
|
umount $mountpoint
|
||||||
|
cryptsetup close $cryptmapper
|
||||||
|
losetup -d $loopdevice
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ $# -eq 1 ]
|
||||||
|
then
|
||||||
|
#echo "Parameter detected"
|
||||||
|
$1
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -e $keyfile ]
|
||||||
|
then
|
||||||
|
#echo "Key file available"
|
||||||
|
if [ -e $loopfile ]
|
||||||
|
then
|
||||||
|
#echo "Loop file available"
|
||||||
|
open
|
||||||
|
else
|
||||||
|
#echo "Loop file not available"
|
||||||
|
create_loopback_and_open
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
#echo "Key file not available"
|
||||||
|
create_keyfile
|
||||||
|
create_loopback_and_open
|
||||||
|
fi
|
||||||
|
|
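Review bot: `error()` runs `exit $?` right after `echo`, so it always exits 0 and every `|| error "…"` path in `create_loopback_and_open` and `open` reports success after a failed losetup, luksFormat or mount; it should `exit 1`. `create_keyfile` runs `dd` of the key file unchecked and under the default umask, so a short or world-readable key file can exist before `chmod 000` runs; do the dd under `umask 077` and check its status. `open()` echoes `$ld`, which is never assigned — it should be `$loopdevice`, and `close()` would be more exact with `losetup -j "$loopfile"` than grepping `losetup --list` for `crypt.loop`. The dispatch `$1` executes whatever single argument is passed; a `case` on `open|close` keeps the entry points to the two the service needs. Separately, the key file sits on the same unencrypted userdata partition as `crypt.loop`, so the at-rest protection only holds against a reader who cannot access that partition; if more is intended (the kernel fragment enables `CONFIG_ENCRYPTED_KEYS`), the key should be sealed by or derived from a hardware root of trust rather than stored next to the ciphertext.
```sh
error() {
	echo "Error: $1" >&2
	exit 1
}

create_keyfile() {
	systemd-notify --status="Create key file"
	mkdir -p "$keyfiledir" || error "Creating keyfile dir"
	# subshell keeps the restrictive umask from leaking into later mkdirs
	( umask 077 && dd if=/dev/urandom of="$keyfile" bs=1 count=256 ) || error "Creating key file"
	chown root:root "$keyfiledir"/*
	chmod 000 "$keyfiledir"/*
}

# … unchanged: create_loopback_and_open, open (with $ld replaced by $loopdevice), close …

case "$1" in
	open|close) "$1"; exit $? ;;
	"") ;;
	*) error "Unknown command: $1" ;;
esac

# … unchanged: key file / loop file existence checks …
```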
@ -0,0 +1,12 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Secure Storage Service
|
||||||
|
RequiresMountsFor=/usr/local/data
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=notify
|
||||||
|
ExecStart=/usr/bin/sec-storage-loopback.sh
|
||||||
|
TimeoutSec=300
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=local-fs.target
|
||||||
|
|
||||||
|
|
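Review bot: The unit has no `ExecStop`, so the `close` function in sec-storage-loopback.sh is never invoked by systemd and the dm-crypt mapping and loop device stay open across a stop or shutdown; add `ExecStop=/usr/bin/sec-storage-loopback.sh close`. With `Type=notify` the script exits as soon as it has sent `--ready`, after which the unit goes inactive unless `RemainAfterExit=yes` is set, which is also what makes the `ExecStop` fire at the right time. A one-line comment above `[Service]` stating that the script mounts and then exits would make the `RemainAfterExit` choice self-explanatory.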
@ -0,0 +1,34 @@
|
||||||
|
SUMMARY = "Provides a Secure Storage"
|
||||||
|
DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
|
||||||
|
AUTHOR = "Patrick Vogelaar"
|
||||||
|
LICENSE = "CLOSED"
|
||||||
|
|
||||||
|
SRC_URI = "\
|
||||||
|
file://sec-storage-loopback.sh \
|
||||||
|
file://secure-storage.service \
|
||||||
|
"
|
||||||
|
|
||||||
|
S = "${WORKDIR}"
|
||||||
|
|
||||||
|
inherit systemd
|
||||||
|
|
||||||
|
FILES:${PN} += "\
|
||||||
|
/usr/local/data/ \
|
||||||
|
${systemd_unitdir}/system \
|
||||||
|
${bindir}/sec-storage-loopback.sh \
|
||||||
|
${systemd_unitdir}/system/secure-storage.service \
|
||||||
|
"
|
||||||
|
|
||||||
|
do_install() {
|
||||||
|
install -d ${D}$/usr/local/data/
|
||||||
|
install -d ${D}${bindir}
|
||||||
|
install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
|
||||||
|
|
||||||
|
install -d ${D}${systemd_unitdir}/system
|
||||||
|
install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
|
||||||
|
}
|
||||||
|
|
||||||
|
SYSTEMD_SERVICE:${PN} = "secure-storage.service"
|
||||||
|
SYSTEMD_AUTO_ENABLE = "enable"
|
||||||
|
|
||||||
|
RDEPENDS:${PN} += "cryptsetup"
|
||||||
|
|
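Review bot: `install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh` makes the script group-writable; it is executed as root by secure-storage.service, so any member of the owning group could alter what root runs — `install -m 0755` (or 0750) is the conventional mode. The preceding `install -d ${D}$/usr/local/data/` has a stray `$` between `${D}` and the path, so the directory created is `<D>$/usr/local/data/` rather than `${D}/usr/local/data/`; drop the `$`. Since `/usr/local/data` is the mount point of the userdata partition added in the wks files, packaging it in `FILES:${PN}` only ships an empty directory in the rootfs image; if that is intended, a comment saying so would help. The DESCRIPTION should read `protects data at rest`.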
@ -0,0 +1,4 @@
|
||||||
|
CONFIG_BLK_DEV_DM=y
|
||||||
|
CONFIG_KEYS=y
|
||||||
|
CONFIG_ENCRYPTED_KEYS=y
|
||||||
|
CONFIG_DM_CRYPT=y
|
||||||
|
|
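Review bot: The fragment enables the dm-crypt target but no cipher or hash, so whether `cryptsetup luksFormat` with its defaults works depends on what the base defconfig already provides; if the target kernel lacks them, `CONFIG_CRYPTO_XTS=y`, `CONFIG_CRYPTO_AES=y` and `CONFIG_CRYPTO_SHA256=y` belong here too, plus `CONFIG_CRYPTO_USER_API_SKCIPHER=y` if cryptsetup is built with its kernel crypto backend. `CONFIG_KEYS` and `CONFIG_ENCRYPTED_KEYS` are enabled, yet the script opens the volume with a plain key file; a comment stating whether encrypted or trusted keys are planned for a later change would explain why they are here.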
@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us
|
||||||
file://0001-fix-phy-support-for-falcon-board.patch \
|
file://0001-fix-phy-support-for-falcon-board.patch \
|
||||||
file://0001-refactor-cn913x-defconfig-cleanup.patch \
|
file://0001-refactor-cn913x-defconfig-cleanup.patch \
|
||||||
file://cn913x_additions.cfg \
|
file://cn913x_additions.cfg \
|
||||||
|
file://secure-storage.cfg \
|
||||||
"
|
"
|
||||||
SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"
|
SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,5 +16,6 @@ ${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0
|
||||||
${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||||
${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1
|
||||||
|
${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1
|
||||||
|
|
||||||
bootloader --ptable gpt
|
bootloader --ptable gpt
|
||||||
|
|
|
||||||