Pull request #153: Add secure storage

Merge in ICO/coreos from add_secure_storage to master * commit 'e4fd830aa81a042f51b1cf98cbd83cdeb60c1177': feat(secure-storage): add kernel config fragment for dm_crypt feat(secure-storage): add secure-storage as Coreos base feature feat(secure-storage): add secure-storage base functionality feat(userdata): add userdata partition
2024-01-17 12:08:29 +01:00 · 2024-01-17 12:08:29 +01:00 · b819d0746d
parent 027ffafd72 e4fd830aa8
commit b819d0746d
10 changed files with 151 additions and 1 deletions
--- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
+++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc
@ -6,7 +6,9 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part
 WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"'
 WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0'
 WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1'
-WKS_PART_ROOT_SIZE ??= '2G'
+WKS_PART_ROOT_SIZE ??= '1G'
+WKS_PART_USERDATA_SIZE ??= '1G'
+WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata'

 SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"'
 SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"'
--- a/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in
@ -5,6 +5,7 @@ ${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --o
 ${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk sda  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk sda --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1

 part swap --ondisk sda --size 44 --label swap1 --fstype=swap
 bootloader --ptable gpt
--- a/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
+++ b/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in
@ -7,5 +7,6 @@ part / --source rootfs --fstype=ext4 --label rootfs0 --ondisk mmcblk1 --size ${W
 part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1

 bootloader --ptable gpt
--- a/layers/meta-belden-coreos/classes/coreos-image.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass
@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL
 COREOS_IMAGE_BASE_INSTALL = "\
    packagegroup-coreos-boot \
    packagegroup-coreos-base \
+    secure-storage \
    "

 COREOS_IMAGE_EXTRA_INSTALL ?= ""
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+	# echo "Create key file"
+	systemd-notify --status="Create key file"
+	mkdir -p $keyfiledir
+	dd if=/dev/urandom of=$keyfile bs=1 count=256
+	chown root:root $keyfiledir/*
+	chmod 000 $keyfiledir/*
+}
+
+error() {
+	echo "Error: $1"
+	exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+	# echo "Creating a file with random bits.. this could take a while..."
+	systemd-notify --status="Creating a file with random bits.. this could take a while..."
+	mkdir -p $loopdir || error "Creating loopdir"
+	mkdir -p $mountpoint || error "Creating mountpoint"
+	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $loopdevice"
+	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+	#echo "Open secure-storage"
+	systemd-notify --status="Open secure storage"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $ld"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+	echo "Close secure-storage"
+	# get loopdevice
+	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+	umount $mountpoint
+	cryptsetup close $cryptmapper
+	losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+	#echo "Parameter detected"
+	$1
+	exit 0
+fi
+
+if [ -e $keyfile ]
+then
+	#echo "Key file available"
+	if [ -e $loopfile ]
+	then
+		#echo "Loop file available"
+		open
+	else
+		#echo "Loop file not available"
+		create_loopback_and_open
+	fi
+else
+	#echo "Key file not available"
+	create_keyfile
+	create_loopback_and_open
+fi
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+    file://sec-storage-loopback.sh \
+    file://secure-storage.service \
+    "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+    /usr/local/data/ \
+    ${systemd_unitdir}/system \
+    ${bindir}/sec-storage-loopback.sh \
+    ${systemd_unitdir}/system/secure-storage.service \
+    "
+
+do_install() {
+    install -d ${D}$/usr/local/data/
+    install -d ${D}${bindir}
+    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+    install -d ${D}${systemd_unitdir}/system
+    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup"
--- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg
+++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg
@ -0,0 +1,4 @@
+CONFIG_BLK_DEV_DM=y
+CONFIG_KEYS=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_DM_CRYPT=y
--- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb
+++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb
@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us
           file://0001-fix-phy-support-for-falcon-board.patch \
           file://0001-refactor-cn913x-defconfig-cleanup.patch \
           file://cn913x_additions.cfg \
+           file://secure-storage.cfg \
           "
 SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5"

--- a/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in
+++ b/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in
@ -16,5 +16,6 @@ ${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0
 ${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
 ${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1  --align 1024 --size 128M --extra-space 0 --overhead-factor 1
+${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1

 bootloader --ptable gpt