dracutdevs / dracut

dracut the event driven initramfs infrastructure
https://github.com/dracutdevs/dracut/wiki
GNU General Public License v2.0

feat(90crypt): add support for AF_UNIX key files #2627

Open kszczek opened 4 months ago

kszczek commented 4 months ago

systemd v248 introduced support for using AF_UNIX sockets as key files in /etc/crypttab. This pull request enhances the 90crypt module to identify socket units with matching socket file paths. It includes the first matching socket unit along with its corresponding service unit. This correspondence is determined by checking the Service= option in the socket unit or, if that's not available, by replacing the .socket suffix with either @.service or .service, depending on the Accept= option (see man page for systemd.socket). Furthermore, this functionality handles sockets located under /run/cryptsetup-keys.d/, which are automatically discoverable by the systemd-cryptsetup utility when the key file field in /etc/crypttab is empty.

kszczek commented 4 months ago

Example configuration/use case

/usr/local/bin/get-secret

#!/bin/bash
echo -n "secret"

/etc/dracut.conf.d/get-secret.conf

install_items+=" /usr/local/bin/get-secret "

/etc/systemd/system/root-volume-key.socket

[Unit]
Description=Root Volume Key Socket
DefaultDependencies=no
Conflicts=multi-user.target shutdown.target
Before=cryptsetup-pre.target multi-user.target shutdown.target
Wants=cryptsetup-pre.target

[Socket]
ListenStream=/run/cryptsetup-keys.d/luks-<UUID>.key
SocketUser=root
SocketGroup=root
SocketMode=0400
DirectoryMode=0750
Accept=yes
MaxConnections=1
RemoveOnStop=yes

[Install]
WantedBy=sockets.target

/etc/systemd/system/root-volume-key@.service

[Unit]
Description=Root Volume Key Service
DefaultDependencies=no
After=root-volume-key.socket
Requisite=root-volume-key.socket
RefuseManualStart=yes
RefuseManualStop=yes

[Service]
Type=exec
ExecStart=/bin/bash /usr/local/bin/get-secret
StandardOutput=socket
StandardError=kmsg+console

/etc/crypttab

luks-<UUID> UUID=<UUID> none discard

Also, make sure to enable the root-volume-key.socket before regenerating the initramfs.
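The lookup rule from the PR description (crypttab key field to socket path under /run/cryptsetup-keys.d/, socket unit to its service unit via Service= or the Accept=-dependent suffix), applied to unit files like the example above, as an added illustration that is not dracut's code or part of this PR's changes. It assumes unit files are passed as paths, that Accept= booleans are yes/true/1/on, and that an empty, "none" or "-" key field means the /run/cryptsetup-keys.d/<name>.key path is probed.

```sh
#!/bin/sh
# Added illustration, not dracut's own code. Applies the lookup rule from the PR
# description to unit files; sample units below are constructed for the demo.

# Last value of key $2 in unit file $1 (later assignments override earlier ones).
unit_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Path probed when the crypttab key field is unset (assumed: "", "none", "-" mean unset).
key_path_for() {
    case "$2" in
        ""|none|-) printf '/run/cryptsetup-keys.d/%s.key\n' "$1" ;;
        *)         printf '%s\n' "$2" ;;
    esac
}

# First *.socket in dir $1 whose ListenStream= matches path $2; fails if none.
find_socket_for_key() {
    for _unit in "$1"/*.socket; do
        [ -e "$_unit" ] || continue
        if [ "$(unit_get "$_unit" ListenStream)" = "$2" ]; then
            printf '%s\n' "$_unit"
            return 0
        fi
    done
    return 1
}

# Service unit backing socket unit file $1: Service=, else Accept= decides the suffix.
socket_to_service() {
    _svc=$(unit_get "$1" Service)
    if [ -n "$_svc" ]; then
        printf '%s\n' "$_svc"
        return 0
    fi
    _name=$(basename "$1" .socket)
    case $(unit_get "$1" Accept) in
        yes|true|1|on) printf '%s@.service\n' "$_name" ;;
        *)             printf '%s.service\n' "$_name" ;;
    esac
}

# Constructed sample units (mirroring the example above) in a temp dir; prints the dir.
make_sample_units() {
    _d=$(mktemp -d)
    printf '[Socket]\nListenStream=/run/cryptsetup-keys.d/luks-demo.key\nAccept=yes\n' \
        > "$_d/root-volume-key.socket"
    printf '[Socket]\nListenStream=/run/other.sock\nAccept=no\nService=other-helper.service\n' \
        > "$_d/other.socket"
    printf '%s\n' "$_d"
}
```

Run `socket_to_service "$(find_socket_for_key "$(make_sample_units)" "$(key_path_for luks-demo none)")"` to chain the three lookups on the constructed units.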

stale[bot] commented 2 months ago

This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.

kszczek commented 2 months ago

Commenting to keep this open.

Also opened a PR in the fork: https://github.com/dracut-ng/dracut-ng/pull/257

kszczek commented 2 months ago

Force pushed to fix the commit message and shell lint issues.