latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0

[Feature request] Add mkinitcpio hook support. #334

Open ShapeShifter499 opened 3 years ago

ShapeShifter499 commented 3 years ago

I use Arch Linux and someone I've talked with on their IRC channel stated that the clevis package for Arch Linux doesn't have mkinitcpio support because upstream didn't. For Arch Linux mkinitcpio is the default way of generating an init ram disk, including adding any modules and features you may want to have at boot time. https://wiki.archlinux.org/title/Mkinitcpio

This is a mkinitcpio install and hook I found from the Arch Linux forums that would enable clevis at boot but I am not sure if this is totally correct. https://bbs.archlinux.org/viewtopic.php?id=230948

clevis-mkinitcpio-install:

#!/bin/bash

build() {
    # Copy the clevis decryption pins and their dependencies into the initramfs,
    # then install the matching hook script (clevis-mkinitcpio-hook below).
    add_binary "clevis-decrypt-http"
    add_binary "clevis-decrypt-tang"
    add_binary "clevis-decrypt-sss"
    add_binary "clevis-decrypt"
    add_binary "luksmeta"
    add_binary "clevis"
    add_binary "jose"
    add_binary "curl"
    add_binary "bash"
    add_runscript
}

help() {
    cat <<HELPEOF
This hook will attempt to unlock LUKS volumes using data stored in the header
by clevis and luksmeta. Use this hook in combination with any early userspace
networking hook, such as mkinitcpio-netconf or mkinitcpio-ppp. It also requires
mkinitcpio-utils for the encryptssh hook.

An example usage would be to have 'netconf clevis encryptssh' added before your
filesystems hook. You also need to configure clevis unlocking by using the
'clevis bind luks' command on your luks partition.
HELPEOF
}

clevis-mkinitcpio-hook:

#!/usr/bin/bash

run_hook ()
{
    # Unlock in the background so the encrypt/encryptssh passphrase prompt
    # stays usable if clevis fails; record the PID for the cleanup hook.
    clevis_loop &
    echo $! > /.clevis.pid
}

clevis_loop()
{
    # Wait until device-mapper is ready and the encrypt hook has written the
    # device, mapping name and options it is about to prompt for.
    while ! [ -c /dev/mapper/control -a -f /.cryptdev -a -f /.cryptname -a -f /.cryptargs ]; do
        sleep 0.1
    done

    CRYPTDEV=$(cat /.cryptdev)
    CRYPTNAME=$(cat /.cryptname)
    CRYPTARGS=$(cat /.cryptargs)   # left unquoted below on purpose: it holds cryptsetup options
    # UUID under which clevis stores its metadata in luksmeta slots.
    UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
    # Try every active slot carrying clevis metadata until one unlocks the volume.
    luksmeta show -d "$CRYPTDEV" | while read -r slot state uuid; do
        [ "$state" != "active" ] && continue
        [ "$uuid" != "$UUID" ] && continue

        # cryptsetup reads the passphrase produced by 'clevis decrypt' from stdin.
        if ( luksmeta load -d "$CRYPTDEV" -s "$slot" -u "$UUID" | clevis decrypt \
            | cryptsetup luksOpen "$CRYPTDEV" "$CRYPTNAME" $CRYPTARGS ); then
            echo > /.done
            echo -e "\n\n$CRYPTNAME successfully decrypted via clevis."
            # Terminate the interactive passphrase prompt left by the encrypt hook.
            killall cryptsetup
            break
        fi
    done
    rm /.clevis.pid
}

run_cleanuphook ()
{
    # Stop the background loop if it is still running when early userspace ends.
    if [ -f /.clevis.pid ]; then
        kill "$(cat /.clevis.pid)"
        rm /.clevis.pid
    fi
}

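
As an added example (not code from the issue or from the clevis project), the slot-selection logic of the hook above factored into functions that can be checked offline: the `luksmeta show` sample and the `fake_unlock` stand-in are constructed, and the slot order and "first success wins" behaviour mirror the hook's loop.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of clevis: the hook's slot
# selection, testable against constructed `luksmeta show` output.

CLEVIS_UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e   # luksmeta UUID clevis uses

# Read `luksmeta show` lines ("slot state uuid") on stdin; print the slots
# that are active and carry clevis metadata, in header order.
select_clevis_slots() {
    local slot state uuid
    while read -r slot state uuid; do
        [ "$state" = "active" ] || continue
        [ "$uuid" = "$CLEVIS_UUID" ] || continue
        printf '%s\n' "$slot"
    done
}

# $1: captured `luksmeta show` output; remaining args: unlock command that
# gets the slot number appended. Prints the first slot that unlocks and
# returns 0, or returns 1 if none does. Unlike a `while` on the right side
# of a pipe (as in the hook), this returns the result to the caller.
unlock_via_first_slot() {
    local show_output=$1; shift
    local slot
    for slot in $(printf '%s\n' "$show_output" | select_clevis_slots); do
        if "$@" "$slot"; then
            printf '%s\n' "$slot"
            return 0
        fi
    done
    return 1
}

# Constructed sample of `luksmeta show -d /dev/sdX2`: a passphrase in slot 0,
# clevis bindings in slots 1 and 3, and stale metadata in an inactive slot 4.
SAMPLE_LUKSMETA='0   active   empty
1   active   cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive   empty
3   active   cb6e8904-81ff-40da-a84a-07ab9ab5715e
4 inactive   cb6e8904-81ff-40da-a84a-07ab9ab5715e'

# Stand-in for "luksmeta load | clevis decrypt | cryptsetup luksOpen": in this
# offline example only slot 3 unlocks (as if slot 1's tang server were down).
fake_unlock() { [ "$1" = "3" ]; }
```

Running `unlock_via_first_slot "$SAMPLE_LUKSMETA" fake_unlock` prints `3`, showing that an unreachable pin in an earlier slot does not block a later binding.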
anatol commented 3 years ago

You might be interested in booster initramfs that supports clevis tokens out of the box https://github.com/anatol/booster

ShapeShifter499 commented 2 years ago

> You might be interested in booster initramfs that supports clevis tokens out of the box https://github.com/anatol/booster

So I could setup tang as normal and then use booster to help with the clevis side on other boxes?

anatol commented 2 years ago

> So I could setup tang as normal and then use booster to help with the clevis side on other boxes?

Yes. Booster works with clevis tokens out-of-the-box. See https://wiki.archlinux.org/title/Booster

ShapeShifter499 commented 2 years ago

I'm not sure if I should close this since I feel like some support for Clevis and Tang should be brought to mkinitcpio. But I have since switched to booster and it does seem to be working alright after some setup hiccups.