From 722382175cbdb4f9241ca2519844bd5def04437e Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii
Date: Mon, 22 Aug 2022 14:17:08 +0200
Subject: [PATCH] s390x: secex: decrypt ignition config on firstboot
---
 .../coreos-secex-ignition-decrypt.service | 17 +++++++++++++++++
 .../coreos-secex-ignition-decrypt.sh | 18 ++++++++++++++++++
 .../35coreos-ignition/module-setup.sh | 11 +++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
 create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
new file mode 100644
index 0000000000..02283bc3d0
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=CoreOS Secex Ignition Config Decryptor
+ConditionPathExists=/etc/initrd-release
+ConditionPathExists=/run/coreos/secure-execution
+DefaultDependencies=false
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Run after virtio_blk and before Ignition
+After=coreos-gpt-setup.service
+Before=ignition-fetch-offline.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-secex-ignition-decrypt
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
new file mode 100755
index 0000000000..a94ffc449a
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
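Review bot: The unit orders itself only `After=coreos-gpt-setup.service`, but the script it starts reads `/dev/disk/by-id/virtio-ignition_crypted`, and nothing in the unit waits for that device node; if the by-id symlink is not yet created when the unit runs, the script fails and `OnFailure=emergency.target` drops the boot into emergency mode. Unless coreos-gpt-setup.service already waits on that device, add an ordering on the device unit, e.g. `Requires=dev-disk-by\x2did-virtio\x2dignition_crypted.device` and `After=dev-disk-by\x2did-virtio\x2dignition_crypted.device` (the escaped name can be generated with `systemd-escape -p --suffix=device /dev/disk/by-id/virtio-ignition_crypted`). The comment `# Run after virtio_blk and before Ignition` would then describe what the unit actually enforces.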
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -euo pipefail
+
+disk=/dev/disk/by-id/virtio-ignition_crypted
+conf=/usr/lib/ignition/user.ign
+pkey=/etc/ignition.pem
+
+cleanup() {
+ rm -f "${pkey}"
+ rm -rf "${tmpd}"
+}
+
+tmpd=$(mktemp -d) && trap cleanup EXIT
+mkdir -p /usr/lib/ignition
+cd "${tmpd}"
+cat "${disk}" | tar -xf -
+openssl pkeyutl -decrypt -in key.crypted -out key -inkey "${pkey}"
+openssl enc -pbkdf2 -aes256 -d -in config.crypted -out "${conf}" -pass file:./key
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
index 86b845eeb1..5b1f59909c 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -26,6 +26,13 @@ install() {
 sgdisk \
 uname
+ # For IBM SecureExecution
+ if [[ $(uname -m) = s390x ]]; then
+ inst_multiple \
+ tar \
+ openssl
+ fi
+
 inst_simple "$moddir/coreos-diskful-generator" \
 "$systemdutildir/system-generators/coreos-diskful-generator"
@@ -76,4 +83,8 @@ install() {
 # IBM Secure Execution. Ignition config for reencryption of / and /boot
 inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
+ install_ignition_unit "coreos-secex-ignition-decrypt.service"
+ inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
+ "/usr/sbin/coreos-secex-ignition-decrypt"
+
 }
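Review bot: `tmpd=$(mktemp -d) && trap cleanup EXIT` defeats `set -e`: a failing mktemp is the left side of an `&&` list, so the script carries on with an empty `tmpd` and no cleanup trap, and since bash treats `cd ""` as staying in the current directory the archive is unpacked there and `/etc/ignition.pem` is never removed; split it into `tmpd=$(mktemp -d)` and `trap cleanup EXIT` on separate lines so a mktemp failure aborts before any extraction. `cat "${disk}" | tar -xf -` can be `tar -xf - < "${disk}"`, which drops the extra process and the useless-use-of-cat pattern. Worth noting for the threat model this runs under: `openssl enc -aes256 -d` is unauthenticated CBC and `pkeyutl -decrypt` has no integrity check either, so a corrupted or altered `config.crypted` decrypts to garbage in `user.ign` here and only fails later when Ignition parses it; if tamper detection is a goal, it needs an authenticated mode or a signature check that this hunk does not provide, and a short comment stating that the config is confidentiality-protected only would help the next reader.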
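Review bot: `install_ignition_unit "coreos-secex-ignition-decrypt.service"` and the following `inst_script` line install the decrypt unit and its script on every architecture, while the earlier hunk pulls `tar` and `openssl` into the initrd only when `uname -m` is s390x, so on other arches the script is present without the tools it calls. The unit stays inert there thanks to its `ConditionPathExists=/run/coreos/secure-execution`, and the existing `inst_simple "$moddir/01-secex.ign"` context line is likewise unconditional, so this follows the file's current style; still, moving the two new lines into the same `if [[ $(uname -m) = s390x ]]; then … fi` guard would keep the dependency explicit and the non-s390x initrd smaller. The enclosing install() function starts outside this hunk.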