diff options
| author |   Maciej S. Szmigiero <mail@maciej.szmigiero.name> | 2020-11-22 02:06:47 +0100 |
|---|---|---|
| committer | Maciej S. Szmigiero <mail@maciej.szmigiero.name> | 2022-05-22 20:45:16 +0200 |
| commit | 72839de16243fb410d587e18d76d3b637fa3f389 (patch) | |
| tree | 895cb2bb1364702ce171dce6e032d8d8f2cffdd5 /defaults/linuxrc | |
| parent | arch: Copy s390 config to s390x (it's 64bit anyway!) (diff) | |
| download | genkernel-72839de16243fb410d587e18d76d3b637fa3f389.tar.gz genkernel-72839de16243fb410d587e18d76d3b637fa3f389.tar.bz2 genkernel-72839de16243fb410d587e18d76d3b637fa3f389.zip | |
genkernel: add keyctl support for loading LUKS passphrase into a keyring
cryptsetup LUKS2 format comes with an ability to automatically unlock
multiple devices (root, swap, etc.) sharing the same passphrase, without
retyping it for each of them, by loading it into the user keyring.
This commit adds such (optional) genkernel support for loading LUKS
passphrase into the user keyring on boot.
In the default mode of operation the newly added key is (possibly) used
only to unlock root and swap devices and is removed soon after that.
By providing appropriate kernel command line parameter the key can be left
in the keyring instead (with an optional timeout) for unlocking other LUKS
devices post-initramfs time.
Because one of the most common use cases of this functionality will be
having an encrypted swap for doing suspend to disk (hibernation) let's also
make sure that we don't unlock the root device when doing so is unnecessary
(when we are resuming the system from hibernation).
Since the security of a FDE passphrase is of paramount importance in this
solution significant care has been taken not to leak it accidentally:
* The passphrase is read directly by keyctl to avoid storing it in the
shell,
* If the passphrase is used only to unlock root and swap devices (which is
the default mode of operation) the init script will check whether its
removal from keyring has actually succeeded and, if not, reboot the system
rather than continue while leaving it exposed,
* keyutils includes a patch (already upstreamed) to wipe the passphrase
from memory when no longer needed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Diffstat (limited to 'defaults/linuxrc')
| -rw-r--r-- | defaults/linuxrc | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/defaults/linuxrc b/defaults/linuxrc index 15fbf7c..5ee7804 100644 --- a/defaults/linuxrc +++ b/defaults/linuxrc @@ -272,6 +272,15 @@ do swap_keydev_fstype=*) CRYPT_SWAP_KEYDEV_FSTYPE=${x#*=} ;; + keyctl_keydesc=*) + KEYCTL_KEYDESC=${x#*=} + ;; + keyctl_keytimeout=*) + KEYCTL_KEYTIMEOUT=${x#*=} + ;; + keyctl_keykeep) + KEYCTL_KEYKEEP=1 + ;; real_resume=*|resume=*) REAL_RESUME=${x#*=} ;; @@ -656,10 +665,23 @@ then start_sshd fi +keyctl_keyadd + # Initialize LUKS root device except for livecd's if [ "${CDROOT}" != '1' ] then - start_LUKS + if ( [ -n "${CRYPT_SWAP_KEY}" ] && [ -z "${CRYPT_SWAP_KEYDEV}" ] ) || \ + ( [ -n "${CRYPT_SWAP_HEADER}" ] && [ -z "${CRYPT_SWAP_HEADERDEV}" ] ) + then + # the swap key or header might be on the root fs so start it first in this case + start_LUKS_root + luks_root_started=1 + start_LUKS_swap + else + # we don't need to start the root at all if we are resuming from suspend + start_LUKS_swap + fi + if [ "${NORESUME}" != '1' ] && [ -n "${REAL_RESUME}" ] then case "${REAL_RESUME}" in @@ -691,6 +713,11 @@ then do_resume fi + + if [ -z "${luks_root_started}" ] + then + start_LUKS_root + fi fi run mkdir -p "${NEW_ROOT}" @@ -1060,7 +1087,8 @@ then losetup /dev/loop0 "${CDROOT_PATH}/${LOOPEXT}${LOOP}" test_success 'Preparing loop filesystem' - start_LUKS + start_LUKS_root + start_LUKS_swap case ${LOOPTYPE} in normal) @@ -1302,6 +1330,8 @@ else fi fi # if [ "${CDROOT}" = '1' ] +keyctl_keyremove + # Re-run to ensure $NEWROOT/etc/initramfs.mounts was processed at least once process_initramfs_mounts |