feat(secure-storage): add secure-storage base functionality

The secure-storage feature provides a encrypted filesystem to securely store data in rest. It will be auto-mounted under /usr/local/data/secure-storage. The loopbackfile will be stored under /usr/local/data/loopdevices. The keyfile is located under /usr/local/data/.crypto.
2024-01-15 11:19:50 +01:00 · 2024-01-15 11:19:50 +01:00 · fd2a0835ac
parent 94c8692f43
commit fd2a0835ac
3 changed files with 139 additions and 0 deletions
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh
@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+	# echo "Create key file"
+	systemd-notify --status="Create key file"
+	mkdir -p $keyfiledir
+	dd if=/dev/urandom of=$keyfile bs=1 count=256
+	chown root:root $keyfiledir/*
+	chmod 000 $keyfiledir/*
+}
+
+error() {
+	echo "Error: $1"
+	exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+	# echo "Creating a file with random bits.. this could take a while..."
+	systemd-notify --status="Creating a file with random bits.. this could take a while..."
+	mkdir -p $loopdir || error "Creating loopdir"
+	mkdir -p $mountpoint || error "Creating mountpoint"
+	dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $loopdevice"
+	cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+	#echo "Open secure-storage"
+	systemd-notify --status="Open secure storage"
+	loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+	echo "Selected loop device: $ld"
+	cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+	mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+	systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+	echo "Close secure-storage"
+	# get loopdevice
+	loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+	umount $mountpoint
+	cryptsetup close $cryptmapper
+	losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+	#echo "Parameter detected"
+	$1
+	exit 0
+fi
+
+if [ -e $keyfile ]
+then
+	#echo "Key file available"
+	if [ -e $loopfile ]
+	then
+		#echo "Loop file available"
+		open
+	else
+		#echo "Loop file not available"
+		create_loopback_and_open
+	fi
+else
+	#echo "Key file not available"
+	create_keyfile
+	create_loopback_and_open
+fi
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+
--- a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+    file://sec-storage-loopback.sh \
+    file://secure-storage.service \
+    "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+    /usr/local/data/ \
+    ${systemd_unitdir}/system \
+    ${bindir}/sec-storage-loopback.sh \
+    ${systemd_unitdir}/system/secure-storage.service \
+    "
+
+do_install() {
+    install -d ${D}$/usr/local/data/
+    install -d ${D}${bindir}
+    install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+    install -d ${D}${systemd_unitdir}/system
+    install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup"