Skip to content

Commit

Permalink
s390x: secex: decrypt ignition config on firstboot
Browse files Browse the repository at this point in the history
  • Loading branch information
@nikita-dubrovskii
nikita-dubrovskii committed Feb 10, 2023
1 parent b77bfa9 commit ecda6ec
Show file tree
Hide file tree
Showing 4 changed files with 50 additions and 1 deletion.
18 changes: 18 additions & 0 deletions ...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
[Unit]
Description=CoreOS Secex Ignition Config Decryptor
ConditionPathExists=/etc/initrd-release
ConditionPathExists=/run/coreos/secure-execution
ConditionPathExists=/dev/disk/by-id/virtio-ignition_crypted
DefaultDependencies=false

OnFailure=emergency.target
OnFailureJobMode=isolate

# Run after virtio_blk and before Ignition
After=coreos-gpt-setup.service
Before=ignition-fetch-offline.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/coreos-secex-ignition-decrypt
19 changes: 19 additions & 0 deletions overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
#!/bin/bash
set -euo pipefail

disk=/dev/disk/by-id/virtio-ignition_crypted
conf=/usr/lib/ignition/user.ign
pkey=/tmp/ignition.asc
tmpd=

cleanup() {
rm -f "${pkey}"
if [[ -n "${tmpd}" ]]; then
rm -rf "${tmpd}"
fi
}

tmpd=$(mktemp -d) && trap cleanup EXIT

gpg --homedir "${tmpd}" --import "${pkey}"
gpg --homedir "${tmpd}" --skip-verify --output "${conf}" --decrypt "${disk}"
11 changes: 11 additions & 0 deletions overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,13 @@ install() {
sgdisk \
uname

# For IBM SecureExecution
if [[ $(uname -m) = s390x ]]; then
inst_multiple \
gpg \
gpg-agent
fi

inst_simple "$moddir/coreos-diskful-generator" \
"$systemdutildir/system-generators/coreos-diskful-generator"

Expand Down Expand Up @@ -76,4 +83,8 @@ install() {

# IBM Secure Execution. Ignition config for reencryption of / and /boot
inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
install_ignition_unit "coreos-secex-ignition-decrypt.service"
inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
"/usr/sbin/coreos-secex-ignition-decrypt"

}
3 changes: 2 additions & 1 deletion overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -70,10 +70,11 @@ EOF
fi
}

# in SE case drop config before entering shell
# in SE case drop everything before entering shell
if [ -f /run/coreos/secure-execution ]; then
rm -f /run/ignition.json
rm -f /usr/lib/ignition/user.ign
rm -f /tmp/ignition.asc
fi

# Print warnings/informational messages to all configured consoles on the
Expand Down

0 comments on commit ecda6ec

Please sign in to comment.