Add a kickstart test for escrow packets and backup passphrases
Showing
2 changed files
with
155 additions
and
0 deletions.
@@ -0,0 +1,107 @@ | ||
%pre | ||
||
# Create an nss database for the escrow certifcate | ||
mkdir -p /tmp/escrow_test/nss | ||
certutil -d /tmp/escrow_test/nss --empty-password -N | ||
# Create a self-signed certificate | ||
# certutil waits for input if not provided with entropy data (-z). Use some | ||
# crappy data from urandom in the hope of leaving some entropy for the LUKS | ||
# operations to use later. | ||
dd if=/dev/urandom of=/tmp/escrow_test/entropy bs=20 count=1 | ||
certutil -d /tmp/escrow_test/nss -S -x -n escrow_cert \ | ||
-s 'CN=Escrow Test' -t ',,TC' -z /tmp/escrow_test/entropy | ||
# Export the certificate | ||
certutil -d /tmp/escrow_test/nss -L -n escrow_cert -a -o /tmp/escrow_test/escrow.crt | ||
%end | ||
|
||
url --url=http://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/$basearch/os/ | ||
install | ||
network --bootproto=dhcp | ||
|
||
bootloader --timeout=1 | ||
zerombr | ||
clearpart --all | ||
part --fstype=ext4 --size=4400 / | ||
part --fstype=ext4 --size=500 /boot | ||
part --fstype=swap --size=500 swap | ||
|
||
# Create a partition that's easy to umount and poke at in %post | ||
part --fstype=ext4 --size=500 --encrypted --passphrase='passphrase' --escrowcert=file:///tmp/escrow_test/escrow.crt --backuppassphrase /home | ||
|
||
keyboard us | ||
lang en | ||
timezone America/New_York | ||
rootpw qweqwe | ||
shutdown | ||
|
||
%pre-install | ||
# Copy the escrow database to the install path so we can use it during %post | ||
mkdir $ANA_INSTALL_PATH/root | ||
cp -a /tmp/escrow_test $ANA_INSTALL_PATH/root/ | ||
%end | ||
|
||
%packages | ||
volume_key | ||
%end | ||
|
||
%post | ||
# First, check that the escrow stuff is there | ||
ls "/root/*-escrow" >/dev/null 2>&1 | ||
if [[ $? != 0 ]]; then | ||
echo '*** escrow packet was not created' > /root/RESULT | ||
exit 1 | ||
fi | ||
ls "/root/*-escrow-backup-passphrase" >/dev/null 2>&1 | ||
if [[ $? != 0 ]]; then | ||
echo '*** backup passphrase was not created' > /root/RESULT | ||
exit 1 | ||
fi | ||
# Get the LUKS device UUID from the escrow packet filename | ||
uuid="$(basename /root/*-escrow | sed 's|-escrow$||')" | ||
# umount and close the LUKS device | ||
umount /home | ||
cryptsetup close /dev/mapper/luks-$uuid | ||
# Try out the backup passphrase | ||
backup_passphrase="$(volume_key --secrets -d /root/escrow_test/nss /root/$uuid-escrow-backup-passphrase | sed -n '/^Passphrase:/s|^Passphrase:[[:space:]]*||p')" | ||
if [[ $? != 0 ]] || [[ -z "$backup_passphrase" ]]; then | ||
echo '*** unable to parse backup passphrase' > /root/RESULT | ||
exit 1 | ||
fi | ||
echo -n $backup_passphrase | cryptsetup open -q --key-file - --type luks --test-passphrase /dev/disk/by-uuid/$uuid | ||
if [[ $? != 0 ]]; then | ||
echo '*** unable to decrypt volume with backup passphrase' > /root/RESULT | ||
exit 1 | ||
fi | ||
# Restore access to the volume with the escrow packet | ||
# First, re-encrypt the packet with a passphrase | ||
echo -n -e 'packet passphrase\0packet passphrase\0' | volume_key --reencrypt -b -d /root/escrow_test/nss /root/$uuid-escrow -o /root/escrow-out | ||
if [[ $? != 0 ]] || [[ ! -f /root/escrow-out ]]; then | ||
echo '*** unable to reencrypt escrow packet' > /root/RESULT | ||
exit 1 | ||
fi | ||
# Use the escrow packet to set a new passphrase on the LUKS volume | ||
echo -n -e 'packet passphrase\0volume passphrase\0volume passphrase\0' | volume_key --restore -b /dev/disk/by-uuid/$uuid /root/escrow-out | ||
if [[ $? != 0 ]]; then | ||
echo '*** unable to restore volume access with escrow packet' > /root/RESULT | ||
exit 1 | ||
fi | ||
# Make sure the new passphrase actually works | ||
echo -n 'volume passphrase' | cryptsetup open -q --key-file - --type luks --test-passphrase /dev/disk/by-uuid/$uuid | ||
if [[ $? != 0 ]]; then | ||
echo '*** unable to open volume with restored passphrase' > /root/RESULT | ||
exit 1 | ||
fi | ||
echo 'SUCCESS' > /root/RESULT | ||
%end |
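Review bot: The two existence checks at the top of %post quote the glob, `ls "/root/*-escrow"` and `ls "/root/*-escrow-backup-passphrase"`, so ls looks for a file literally named `*-escrow` and the test fails before any of the escrow logic runs; leave the pattern unquoted, `ls /root/*-escrow >/dev/null 2>&1`, as the later `basename /root/*-escrow` already does. The recovered secret is then fed to cryptsetup unquoted on `echo -n $backup_passphrase`, which word-splits and glob-expands it; `printf '%s' "$backup_passphrase" | cryptsetup open ...` passes it byte-for-byte. The `$?` tested after the `backup_passphrase=$(volume_key ... | sed ...)` assignment is sed's status rather than volume_key's, so only the `-z` check catches a volume_key failure; `set -o pipefail` at the start of %post would make that status check meaningful. This section also renders fewer lines than the 107 additions in its hunk header, so part of the file may not be visible here.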
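--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Copyright (C) 2015 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details. You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA. Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): David Shea <dshea@redhat.com>
+
+kernel_args() {
+echo vnc
+}
+
+prepare() {
+ks=$1
+tmpdir=$2
+
+echo ${ks}
+}
+
+validate() {
+img=$1
+
+# There should be a /root/RESULT file with results in it. Check
+# its contents and decide whether the test finally succeeded or
+# not.
+result=$(virt-cat -a ${img} -m /dev/sda2 /root/RESULT)
+if [[ $? != 0 ]]; then
+status=1
+echo '*** /root/RESULT does not exist in VM image.'
+elif [[ "${result}" != "SUCCESS" ]]; then
+status=1
+echo "${result}"
+fi
+
+return ${status}
+}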
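Review bot: `status` in validate is never initialised, so on the success path `return ${status}` expands to a bare `return` and the function yields 0 only because the preceding `if` compound happened to exit 0; set `local status=0` before the `virt-cat` call (and declare `img`, `ks` and `tmpdir` local as well) so the result does not depend on the last command's status and survives `set -u`. The image path is expanded unquoted in `virt-cat -a ${img}`, and prepare prints `echo ${ks}` unquoted; quoting both, `virt-cat -a "${img}"` and `echo "${ks}"`, keeps paths containing spaces intact. The hard-coded mount device `-m /dev/sda2` appears to be the root partition from the kickstart's `part` layout; a comment such as `# /dev/sda2 is the root partition created by the kickstart -- confirm if the layout changes` would save the next reader from guessing.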
Just a stylistic thing - typically, people put all the scripts after the commands.