Fixes #36885 - Add Clevis/Tang disk encryption template
For disk encryption Clevis/Tang is often used. This commit introduces partition templates for Kickstart and Autoinstall taking care of disk encryption and a snippet responsible for binding the LUKS device via Clevis to a given Tang server. The default partition template encrypts the disk with a passphrase which can be provided via the `disk_enc_passphrase` host parameter. If no host parameter is provided, the default passphrase is 'linux'. If, in addition, the `disk_enc_tang_servers` host parameter is provided (can be one address as a string or multiple addresses as an array), the LUKS device will be bound to these Tang servers using Clevis. In this case, the passphrase will be removed. This commit targets the Red Hat family and Ubuntu operating systems.
Showing
7 changed files
with
149 additions
and
1 deletion.
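--- a/app/views/unattended/partition_tables_templates/kickstart_default_encrypted.erb
+++ b/app/views/unattended/partition_tables_templates/kickstart_default_encrypted.erb
@@ -0,0 +1,18 @@
+<%#
+kind: ptable
+name: Kickstart default encrypted
+model: Ptable
+oses:
+- AlmaLinux
+- RedHat
+- Rocky
+-%>
+<% if host_param('driverdisk_source') -%>
+driverdisk --source=<%= host_param('driverdisk_source') %>
+<% end -%>
+<% if host_param('ignoredisk_options') -%>
+ignoredisk <%= host_param('ignoredisk_options') %>
+<% end -%>
+zerombr
+clearpart --all --initlabel
+autopart --encrypted --passphrase="<%= host_param('disk_enc_passphrase', 'linux') %>" <%= host_param('autopart_options') %>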
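Review bot: The passphrase on the last line is interpolated into a double-quoted Kickstart argument without any escaping, and Kickstart splits command lines shell-style, so a `disk_enc_passphrase` value containing `"` or a backslash breaks the `autopart` line and with it the whole partition section; either escape those characters before interpolation or state the restriction in the template. Unlike the Preseed variant added in this commit, this ptable carries no `description:` in its metadata comment; it should say that the value is taken from the `disk_enc_passphrase` host parameter, that `linux` is a well-known default, and that the passphrase remains the only key able to unlock the disk unless the Clevis/Tang snippet is used to replace it. The existing `autopart_options` interpolation is unquoted by design, so the note should make clear that only the passphrase is affected.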
17 changes: 17 additions & 0 deletions
17
app/views/unattended/partition_tables_templates/preseed_default_autoinstall_encrypted.erb
@@ -0,0 +1,17 @@ | ||
<%# | ||
kind: ptable | ||
name: Preseed default autoinstall encrypted | ||
model: Ptable | ||
description: | | ||
Preseed Autoinstall default storage snippet configures drives automatically | ||
with LVM and disk encryption. | ||
Requires Ubuntu >= 22.04.3. | ||
The snippet is automatically indented by 2 spaces. For reference: | ||
https://ubuntu.com/server/docs/install/autoinstall-reference | ||
oses: | ||
- Ubuntu | ||
%> | ||
storage: | ||
layout: | ||
name: lvm | ||
password: <%= host_param('disk_enc_passphrase', 'linux') %> |
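Review bot: `password:` on the last line emits the passphrase as a bare YAML scalar, so values such as `123`, `yes` or `null` are re-typed and anything containing `: ` or ` #` breaks the autoinstall document; the value should be rendered as a quoted YAML string, for example `password: <%= host_param('disk_enc_passphrase', 'linux').to_json %>` if the template renderer permits that call, which yields a properly escaped double-quoted scalar. The description at lines 55-57 should also say that the default `linux` is a well-known value and stays the only LUKS key unless the `preseed_autoinstall_clevis_tang_wrapper` snippet from this commit is included to replace it. As far as I recall, autoinstall keeps a copy of the applied user-data on the installed system under `/var/log/installer/`, so the plain-text passphrase can persist there; presumably this is moot once the snippet removes the key, but it is worth a sentence in the description for the passphrase-only case.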
89 changes: 89 additions & 0 deletions
89
app/views/unattended/provisioning_templates/snippet/disk_enc_clevis_tang.erb
@@ -0,0 +1,89 @@ | ||
<%# | ||
kind: snippet | ||
name: disk_enc_clevis_tang | ||
model: ProvisioningTemplate | ||
snippet: true | ||
description: | | ||
Binds encrypted root directory ('/') utilizing Clevis to Tang server(s) for | ||
decryption. The first parent device containing a LUKS container will be used. | ||
The temporary passphrase will be removed afterwards. Currently, only Red Hat | ||
family and Ubuntu operating systems are supported. | ||
-%> | ||
<% | ||
passphrase = host_param('disk_enc_passphrase', 'linux') | ||
tang_server_list = [] | ||
packages_redhat = "clevis clevis-luks clevis-systemd clevis-dracut" | ||
packages_ubuntu = "clevis clevis-luks clevis-systemd clevis-initramfs" | ||
|
||
unless host_param('disk_enc_tang_servers').blank? | ||
if host_param('disk_enc_tang_servers').is_a?(String) | ||
tang_server_list = [host_param('disk_enc_tang_servers')] | ||
else | ||
tang_server_list = host_param('disk_enc_tang_servers') | ||
end | ||
end | ||
-%> | ||
<% if (@host.operatingsystem.family == 'Redhat' || @host.operatingsystem.name == 'Ubuntu') && unless tang_server_list.blank? -%> | ||
|
||
cat > /tmp/rootdir-luks-device.sh << "EOF" | ||
#!/bin/sh | ||
# | ||
# Author Jan Löser <loeser@atix.de> | ||
# Published under the GNU Public Licence 3 | ||
# | ||
# This scripts tries to find the 1st LUKS device for / (root directory). | ||
# | ||
set -o pipefail | ||
|
||
rootdev=$(df / --output=source | tail -n1) | ||
targetdev=$(readlink -f $rootdev) | ||
slavedev=$targetdev | ||
|
||
while : ; do | ||
/sbin/cryptsetup luksDump $slavedev &>/dev/null && echo $slavedev && exit 0 | ||
set -e | ||
slave=$(find /sys/class/block/$(basename $slavedev)/slaves -type l | head -n1) | ||
slavedev=$(find /dev -name "$(basename $slave)" | head -n1) | ||
set +e | ||
done | ||
|
||
exit 1 | ||
EOF | ||
|
||
# needs bash here because Ubuntu's sh (dash) doesn't support `-o pipefail` option | ||
luksdev=$(bash /tmp/rootdir-luks-device.sh) | ||
|
||
if [[ -n "$luksdev" ]]; then | ||
echo "LUKS device found for '/': $luksdev" | ||
|
||
<% if @host.operatingsystem.family == 'Redhat' -%> | ||
$PKG_MANAGER_INSTALL <%= packages_redhat %> | ||
<% elsif @host.operatingsystem.name == 'Ubuntu' -%> | ||
$PKG_MANAGER_INSTALL <%= packages_ubuntu %> | ||
<% end -%> | ||
<% for tang_server in tang_server_list -%> | ||
echo '<%= passphrase %>' | clevis luks bind -y -k - -d $luksdev tang '{"url": "<%= tang_server %>"}' | ||
if [[ $? -ne 0 ]]; then | ||
echo "---" | ||
echo "There was an error during Clevis LUKS bind of '$luksdev' to Tang server '<%= tang_server %>'." | ||
echo "System halted." | ||
sleep infinity | ||
fi | ||
<% end -%> | ||
echo '<%= passphrase %>' | cryptsetup luksRemoveKey $luksdev | ||
systemctl enable clevis-luks-askpass.path | ||
systemctl enable remote-cryptsetup.target | ||
|
||
<% if @host.operatingsystem.family == 'Redhat' -%> | ||
dracut --verbose --force --hostonly-cmdline --regenerate-all | ||
<% elsif @host.operatingsystem.name == 'Ubuntu' -%> | ||
update-initramfs -u -k 'all' | ||
<% end -%> | ||
|
||
else | ||
echo "No LUKS device found!" | ||
fi | ||
|
||
<% end -%> |
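Review bot: The guard at line 103, `... && unless tang_server_list.blank? -%>`, is not valid Ruby — `unless` cannot be an operand of `&&` — so the snippet should fail to render at all; it should read `<% if (@host.operatingsystem.family == 'Redhat' || @host.operatingsystem.name == 'Ubuntu') && !tang_server_list.blank? -%>` (or `tang_server_list.present?`). At lines 149 and 157 the passphrase is placed inside single quotes and at line 149 the Tang URL inside a single-quoted JSON literal, so a host-parameter value containing `'` (or `"` for the URL) breaks out of the quoting and changes what the shell executes; both parameters should be validated or escaped before interpolation. `clevis luks bind -y` at line 149 accepts whatever key the Tang server advertises at provisioning time, so the description should state that the server is trusted on first use, and supporting an optional `thp` thumbprint in the pin configuration would let operators pin the binding to a known server key. The `luksRemoveKey` at line 157 is unchecked, so if it fails the well-known temporary passphrase silently stays on the device; testing its exit status and halting as the bind loop at lines 150-155 does would keep the two failure modes consistent.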
18 changes: 18 additions & 0 deletions
18
...ews/unattended/provisioning_templates/snippet/preseed_autoinstall_clevis_tang_wrapper.erb
@@ -0,0 +1,18 @@ | ||
<%# | ||
kind: snippet | ||
name: preseed_autoinstall_clevis_tang_wrapper | ||
model: ProvisioningTemplate | ||
snippet: true | ||
description: | | ||
Wrapper snippet to set up Clevis/Tang disk encryption. | ||
Requires Ubuntu >= 22.04.3. | ||
The snippet is automatically indented by 2 spaces. For reference: | ||
https://ubuntu.com/server/docs/install/autoinstall-reference | ||
%> | ||
- | | ||
cat > /target/tmp/disk_enc_clevis_tang.sh <<"WRAPPER" | ||
#!/bin/sh | ||
<%= indent(2) { snippet 'disk_enc_clevis_tang' } %> | ||
WRAPPER | ||
- curtin in-target -- bash /tmp/disk_enc_clevis_tang.sh | ||
- curtin in-target -- rm /tmp/disk_enc_clevis_tang.sh |
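Review bot: The `indent(2)` at line 197 shifts the included snippet by two columns, and whether the snippet's inner `EOF` heredoc terminator still lands at column 0 after YAML strips the block scalar's indentation depends on the column of line 197 relative to line 195, which this rendered view does not show; a terminator with leading spaces would leave the `cat > /tmp/rootdir-luks-device.sh` heredoc unterminated, so a check of the rendered output is worthwhile. The script written at line 195 contains the plain-text passphrase and is removed only by the separate command at line 200, which may not run if the `bash` invocation at line 199 fails the late-command; running both in one step, e.g. `- curtin in-target -- sh -c 'bash /tmp/disk_enc_clevis_tang.sh; rc=$?; rm -f /tmp/disk_enc_clevis_tang.sh; exit $rc'`, removes the file in either outcome while keeping the exit status. The `#!/bin/sh` shebang at line 196 does not match the `[[ ]]` and `&>` bash constructs in the included snippet; since line 199 invokes `bash` explicitly it is harmless, but `#!/bin/bash` would document the actual requirement.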