From ecda6ec9781a08e9257a5c5f0b9ee1c5b38398cb Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii
Date: Mon, 22 Aug 2022 14:17:08 +0200
Subject: [PATCH] s390x: secex: decrypt ignition config on firstboot

---
 .../coreos-secex-ignition-decrypt.service | 18 ++++++++++++++++++
 .../coreos-secex-ignition-decrypt.sh | 19 +++++++++++++++++++
 .../35coreos-ignition/module-setup.sh | 11 +++++++++++
 .../emergency-shell.sh | 3 ++-
 4 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
 create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
new file mode 100644
index 0000000000..271bb2e1df
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=CoreOS Secex Ignition Config Decryptor
+ConditionPathExists=/etc/initrd-release
+ConditionPathExists=/run/coreos/secure-execution
+ConditionPathExists=/dev/disk/by-id/virtio-ignition_crypted
+DefaultDependencies=false
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Run after virtio_blk and before Ignition
+After=coreos-gpt-setup.service
+Before=ignition-fetch-offline.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-secex-ignition-decrypt
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
new file mode 100755
index 0000000000..7547c10b20
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.sh
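Review bot: `ConditionPathExists=/dev/disk/by-id/virtio-ignition_crypted` is evaluated when the job starts, and `After=coreos-gpt-setup.service` only orders the unit, so if the udev symlink for the virtio disk is not yet present at that moment the unit is skipped rather than failed; a failed condition does not trigger `OnFailure=emergency.target`, and Ignition would then proceed without the decrypted config. Whether the symlink is guaranteed to exist by that point is not visible here. If a missing device should be an error, drop that condition and let the script's `gpg --decrypt "${disk}"` fail, or order the unit after the corresponding `.device` unit instead. The comment `# Run after virtio_blk and before Ignition` could also state why `coreos-gpt-setup.service` is the chosen ordering point.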
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+
+disk=/dev/disk/by-id/virtio-ignition_crypted
+conf=/usr/lib/ignition/user.ign
+pkey=/tmp/ignition.asc
+tmpd=
+
+cleanup() {
+ rm -f "${pkey}"
+ if [[ -n "${tmpd}" ]]; then
+ rm -rf "${tmpd}"
+ fi
+}
+
+tmpd=$(mktemp -d) && trap cleanup EXIT
+
+gpg --homedir "${tmpd}" --import "${pkey}"
+gpg --homedir "${tmpd}" --skip-verify --output "${conf}" --decrypt "${disk}"
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
index f53564dd7c..d39da6fa08 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -26,6 +26,13 @@ install() {
 sgdisk \
 uname
 
+ # For IBM SecureExecution
+ if [[ $(uname -m) = s390x ]]; then
+ inst_multiple \
+ gpg \
+ gpg-agent
+ fi
+
 inst_simple "$moddir/coreos-diskful-generator" \
 "$systemdutildir/system-generators/coreos-diskful-generator"
 
@@ -76,4 +83,8 @@ install() {
 # IBM Secure Execution. Ignition config for reencryption of / and /boot
 inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
 
+ install_ignition_unit "coreos-secex-ignition-decrypt.service"
+ inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
+ "/usr/sbin/coreos-secex-ignition-decrypt"
+
 }
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh
index 5623e60c70..7ad1001a33 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh
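Review bot: `tmpd=$(mktemp -d) && trap cleanup EXIT` installs the cleanup trap only when mktemp succeeds; under `set -e` a failing left-hand side of `&&` does not abort, so on mktemp failure the script carries on with an empty `tmpd`, runs `gpg --homedir ""`, and never removes the private key at `/tmp/ignition.asc`. Register the trap first and let mktemp fail on its own: `trap cleanup EXIT` followed by `tmpd=$(mktemp -d)`. Both gpg calls run from a oneshot unit without a tty, so add `--batch` (and `--yes` on the decrypt call, since `--output "${conf}"` may otherwise fail on an overwrite prompt if that file already exists). `--skip-verify` disables checking of any signature on the decrypted data; a one-line comment above that call should state what establishes the config's authenticity in its place.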
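Review bot: `install_ignition_unit "coreos-secex-ignition-decrypt.service"` and the following `inst_script` call are unconditional, while the `gpg` and `gpg-agent` binaries the installed script needs are only pulled in inside the `uname -m = s390x` guard added earlier in this file. On other architectures the unit stays inert through its `ConditionPathExists=/run/coreos/secure-execution`, but the initramfs still ships a script whose dependencies are absent; moving these two lines into the same s390x block keeps the install consistent and self-describing. The enclosing `install()` starts outside the hunk.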
@@ -70,10 +70,11 @@ EOF
 fi
 }
 
-# in SE case drop config before entering shell
+# in SE case drop everything before entering shell
 if [ -f /run/coreos/secure-execution ]; then
 rm -f /run/ignition.json
 rm -f /usr/lib/ignition/user.ign
+ rm -f /tmp/ignition.asc
 fi
 
 # Print warnings/informational messages to all configured consoles on the
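Review bot: The `rm -f` paths in this block duplicate values hardcoded in coreos-secex-ignition-decrypt.sh (`conf=/usr/lib/ignition/user.ign`, `pkey=/tmp/ignition.asc`), and nothing ties the two lists together, so a future move of the key or config file would silently leave it behind on the emergency shell path. A comment above the `if`, such as `# keep in sync with the paths in coreos-secex-ignition-decrypt.sh`, would make the coupling visible. The hunk shows only part of the script.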