s390x: secex: decrypt ignition config on firstboot

coreos · Dec 19, 2022 · 8233731 · 8233731
1 parent bcd79a2
commit 8233731
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 3 deletions.
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -75,7 +75,7 @@ EOF
         touch /run/coreos/secure-execution
         # Add dropins to disable Ignition logging for all stages
         stages=("fetch-offline" "fetch" "kargs" "disks" "mount" "files" )
-        for s in ${stages[@]}; do
+        for s in "${stages[@]}"; do
             dropin="${UNIT_DIR}/ignition-${s}.service.d"
             mkdir -p "${dropin}"
             cat > "${dropin}/10-secex.conf" <<EOF

diff --git a/...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=CoreOS Secex Ignition Config Decryptor
+ConditionPathExists=/etc/initrd-release
+ConditionPathExists=/run/coreos/secure-execution
+DefaultDependencies=false
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Run after virtio_blk and before Ignition
+After=coreos-gpt-setup.service
+Before=ignition-fetch-offline.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-secex-ignition-decrypt
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -euo pipefail
+
+disk=/dev/disk/by-id/virtio-ignition_crypted
+conf=/usr/lib/ignition/user.ign
+pkey=/etc/ignition.asc
+
+cleanup() {
+    rm -f "${pkey}"
+    rm -rf "${tmpd}"
+}
+tmpd=$(mktemp -d) && trap cleanup EXIT
+
+if [ ! -e "${disk}" ]; then
+    echo "Ignition config must be encrypted"
+    exit 1
+fi
+
+gpg --homedir "${tmpd}" --import "${pkey}"
+gpg --homedir "${tmpd}" --skip-verify --output "${conf}" --decrypt "${disk}"
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -26,6 +26,13 @@ install() {
         sgdisk \
         uname
 
+    # For IBM SecureExecution
+    if [[ $(uname -m) = s390x ]]; then
+        inst_multiple \
+            gpg \
+            gpg-agent
+    fi
+
     inst_simple "$moddir/coreos-diskful-generator" \
         "$systemdutildir/system-generators/coreos-diskful-generator"
 
@@ -76,4 +83,8 @@ install() {
 
     # IBM Secure Execution. Ignition config for reencryption of / and /boot
     inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
+    install_ignition_unit "coreos-secex-ignition-decrypt.service"
+    inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
+        "/usr/sbin/coreos-secex-ignition-decrypt"
+
 }
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh
@@ -70,9 +70,9 @@ EOF
     fi
 }
 
-# in SE case drop config before entering shell
+# in SE case drop everything before entering shell
 if [ -f /run/coreos/secure-execution ]; then
-    rm -f /run/ignition.json
+    rm -f /run/ignition.json /etc/ignition.asc
 fi
 
 # Print warnings/informational messages to all configured consoles on the