Closed Vogtinator closed 7 months ago
Next step is probably to convert the ExecStartPre into a service, which can then be added as Wants to the cryptsetup units. That has two benefits: failure doesn't stop booting immediately (only if cryptsetup fails as fallout), and it's only run once even if there are multiple cryptsetup units.
For some systemd upstreamable approach I have an idea: systemd-cryptsetup-generator could convert the tpm2-pcrlock= crypttab option (and maybe tpm2-signature=?) to a RequiresMountsFor= dependency. Then only a matching mount unit needs to be generated or simply an fstab entry added to the initrd for the needed location.
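The generator idea above, as an added illustration that is not systemd's code and not part of this pull request: a small Python sketch that parses crypttab entries, picks out the file-path values of tpm2-pcrlock= and tpm2-signature=, and emits a drop-in that adds a RequiresMountsFor= line to the matching systemd-cryptsetup@ unit. The crypttab lines, the drop-in file name 50-tpm2-paths.conf and the minimal unit-name escaping are constructed assumptions for the example.

```python
"""Sketch of the 'crypttab option -> RequiresMountsFor=' idea.

Illustrative only: this is not systemd-cryptsetup-generator's code. The
drop-in file name and the sample crypttab content are assumptions.
"""
from __future__ import annotations

# crypttab options whose value is a file the cryptsetup unit must be able to read
PATH_OPTIONS = ("tpm2-pcrlock", "tpm2-signature")

# Constructed sample crypttab for the demonstration (UUIDs are placeholders).
SAMPLE_CRYPTTAB = """\
# <name> <device> <keyfile> <options>
cr_root  /dev/disk/by-uuid/PLACEHOLDER-ROOT none tpm2-device=auto,tpm2-pcrlock=/efi/EFI/Linux/pcrlock.json,tpm2-signature=/efi/EFI/Linux/tpm2-pcr-signature.json
cr-data  /dev/disk/by-uuid/PLACEHOLDER-DATA none tpm2-device=auto
"""


def parse_crypttab_line(line: str) -> dict | None:
    """Parse one crypttab line into name/device/keyfile/options; None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"malformed crypttab line: {line!r}")
    name, device = fields[0], fields[1]
    keyfile = fields[2] if len(fields) > 2 else "none"
    raw_opts = fields[3] if len(fields) > 3 else ""
    options: dict[str, str] = {}
    for opt in filter(None, raw_opts.split(",")):
        key, _, value = opt.partition("=")
        options[key] = value
    return {"name": name, "device": device, "keyfile": keyfile, "options": options}


def mount_dependencies(options: dict[str, str]) -> list[str]:
    """Absolute paths given to the TPM2 file options, deduplicated, in option order."""
    deps: list[str] = []
    for key in PATH_OPTIONS:
        value = options.get(key)
        # Only explicit absolute paths create a dependency; a missing option
        # means the built-in default location is used and nothing is added.
        if value and value.startswith("/") and value not in deps:
            deps.append(value)
    return deps


def escape_unit_instance(name: str) -> str:
    """Minimal systemd-escape-like escaping for a unit instance name (assumption:
    only the common rules are implemented: [A-Za-z0-9:_.] kept, '/' -> '-',
    everything else -> \\xNN)."""
    out = []
    for ch in name:
        if ch.isalnum() or ch in ":_.":
            out.append(ch)
        elif ch == "/":
            out.append("-")
        else:
            out.append("\\x%02x" % ord(ch))
    return "".join(out)


def dropin_for_line(line: str) -> tuple[str, str] | None:
    """Return (drop-in path relative to the generator dir, content), or None."""
    entry = parse_crypttab_line(line)
    if entry is None:
        return None
    deps = mount_dependencies(entry["options"])
    if not deps:
        return None
    unit = f"systemd-cryptsetup@{escape_unit_instance(entry['name'])}.service"
    content = "[Unit]\nRequiresMountsFor=" + " ".join(deps) + "\n"
    return f"{unit}.d/50-tpm2-paths.conf", content


def dropins_for_crypttab(text: str) -> dict[str, str]:
    """Map drop-in path -> content for every crypttab entry that needs one."""
    result: dict[str, str] = {}
    for line in text.splitlines():
        dropin = dropin_for_line(line)
        if dropin is not None:
            result[dropin[0]] = dropin[1]
    return result


if __name__ == "__main__":
    for path, content in dropins_for_crypttab(SAMPLE_CRYPTTAB).items():
        print(f"--- {path}\n{content}")
```

Only entries that name an explicit path get a drop-in; the cr-data entry, which relies on the default locations, produces nothing. As the thread notes, the resulting RequiresMountsFor= is harmless where no mount unit covers the path, so the drop-in can be emitted unconditionally for explicit paths.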
> For some systemd upstreamable approach I have an idea: systemd-cryptsetup-generator could convert the tpm2-pcrlock= crypttab option (and maybe tpm2-signature=?) to a RequiresMountsFor= dependency.

That will force the use of those parameters in fstab, and for now we avoid them and take the default value. But for me it makes sense.

> Then only a matching mount unit needs to be generated or simply an fstab entry added to the initrd for the needed location.

Can this conflict with UKIs? The mounting of the ESP is outside of the systemd approach. Ideally this JSON is delivered as a credential, and the stub has code to do all the things that we do here. IMHO what is missing is how to deliver ESP credentials in a non-UKI case. With this feature we could drop dracut-pcr-signature.
It shouldn't conflict. RequiresMountsFor= is a noop if there are no matching mount units for the path.
@Vogtinator I tested the code and it is working as expected. Are you OK with merging it?
If it works, that should be fine. Just some minor change missing I forgot initially; I can push that tomorrow.
Thanks!
Draft because not tested in production yet.