From patchwork Fri Feb 15 00:35:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sam Mendoza-Jonas X-Patchwork-Id: 1042541 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 440vTX3LXLz9s7T for ; Fri, 15 Feb 2019 11:36:48 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="XLRYn1Q2"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="hVnYPjpP"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 440vTW3YCSzDqWv for ; Fri, 15 Feb 2019 11:36:47 +1100 (AEDT) X-Original-To: petitboot@lists.ozlabs.org Delivered-To: petitboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=mendozajonas.com (client-ip=66.111.4.26; helo=out2-smtp.messagingengine.com; envelope-from=sam@mendozajonas.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="XLRYn1Q2"; dkim=pass (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="hVnYPjpP"; dkim-atps=neutral Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 440vT71VS0zDqVy for ; Fri, 15 Feb 2019 11:36:27 +1100 (AEDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id D576B228F1; Thu, 14 Feb 2019 19:36:24 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Thu, 14 Feb 2019 19:36:24 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= mendozajonas.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; s=fm2; bh=P2Iae9D30u4zkZDqxVMu1/0PW8n+nbeDRebb1Ah5ZMw=; b=XLRYn 1Q2WZo1aPtgK/U1/APAxMXx1zU1WWtKif5QK0+krTJTbHfJ1lCmEXKLwNhedTpCF 5O1g+PEMUc5+48dgB1/Xu65xIeYF7A9mDb2LZE2DjEN8ZfkFcq5Qkf/syy+15N2p b+UzJvRrxlrFruMzcpNWKJYrHEItHvz9bGGx7L+8jNhiM97Frig0EUv9fvw6TssK 13ihd32/u0wVZSf7/eVe4tu8c3X+pxGnG4s6D7BX3wKB/kau3FYIpBeQ01byK+AB Owy8KCnuZKJZnca9nabA/moEH2I9z+9s0IA7i8b1wBbW68D4TiZUFebo0xXRYtoY xecASFpnGdcAriqdA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=P2Iae9D30u4zkZDqxVMu1/0PW8n+nbeDRebb1Ah5ZMw=; b=hVnYPjpP +WPTRcDVa8Pa8ceefBvhQX6qYFSBq42rYitm93r0/vWVLTyV1l1B7H/HBXRz6Msh 8speTpGFDJRahnKPLBsIiJKFy4cChP4iDQC3mUkCGbi/x9vlwQVTqAXmIXN7fpkv B6rKGg2ag9nkVDu9/VREn8PuY52QXaAVE4N9SH7bIHiJj334O5X/Ve0GctIyw76W 4rwW82k2sPpf0JXL0MB0ZDPgoZhOIoYZBW38R3FKwIAfuJv4qCINRwdLG9dnxbdA ODnAh8DLv04vAgPFFFVFwhUvMDKy0e5w4b6rYFWnzRQf/5Qc+0V/OfBAN9R2GvDS v6B48X9Lpw0Phg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtiedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpe furghmuhgvlhcuofgvnhguohiirgdqlfhonhgrshcuoehsrghmsehmvghnughoiigrjhho nhgrshdrtghomheqnecukfhppeduvddvrdelledrkedvrddutdenucfrrghrrghmpehmrg hilhhfrhhomhepshgrmhesmhgvnhguohiirghjohhnrghsrdgtohhmnecuvehluhhsthgv rhfuihiivgeptd X-ME-Proxy: Received: from v4.ozlabs.ibm.com (unknown [122.99.82.10]) by mail.messagingengine.com (Postfix) with ESMTPA id 7CEBCE4596; Thu, 14 Feb 2019 19:36:22 -0500 (EST) From: Samuel Mendoza-Jonas To: petitboot@lists.ozlabs.org Subject: [PATCH 1/5] lib/system: Add cryptsetup utility Date: Fri, 15 Feb 2019 11:35:59 +1100 Message-Id: <20190215003603.16285-2-sam@mendozajonas.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190215003603.16285-1-sam@mendozajonas.com> References: <20190215003603.16285-1-sam@mendozajonas.com> MIME-Version: 1.0 X-BeenThere: petitboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Petitboot bootloader development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Samuel Mendoza-Jonas Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Petitboot" Signed-off-by: Samuel Mendoza-Jonas --- configure.ac | 1 + lib/system/system.c | 1 + lib/system/system.h | 1 + 3 files changed, 3 insertions(+) diff --git a/configure.ac b/configure.ac index 4151b002..5d541fb4 100644 --- a/configure.ac +++ b/configure.ac @@ -426,6 +426,7 @@ DEFINE_HOST_PROG(PB_EXEC, pb-exec, [/usr/sbin/pb-exec]) DEFINE_HOST_PROG(SH, sh, [/bin/sh]) DEFINE_HOST_PROG(SCSI_RESCAN, scsi-rescan, [/usr/sbin/scsi-rescan]) DEFINE_HOST_PROG(DMIDECODE, dmidecode, [/sbin/dmidecode]) +DEFINE_HOST_PROG(CRYPTSETUP, CRYPTSETUP, [/usr/sbin/cryptsetup]) AC_ARG_WITH( [tftp], diff --git a/lib/system/system.c b/lib/system/system.c index 89790ba4..294c0f7b 100644 --- a/lib/system/system.c +++ b/lib/system/system.c @@ -36,6 +36,7 @@ const struct pb_system_apps pb_system_apps = { .sh = HOST_PROG_SH, .scsi_rescan = HOST_PROG_SCSI_RESCAN, .dmidecode = HOST_PROG_DMIDECODE, + .cryptsetup = HOST_PROG_CRYPTSETUP, }; #ifndef TFTP_TYPE diff --git a/lib/system/system.h b/lib/system/system.h index 2389951f..c0f550f4 100644 --- a/lib/system/system.h +++ b/lib/system/system.h @@ -21,6 +21,7 @@ struct pb_system_apps { const char *sh; const char *scsi_rescan; const char *dmidecode; + const char *cryptsetup; }; extern const struct pb_system_apps pb_system_apps; From patchwork Fri Feb 15 00:36:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sam Mendoza-Jonas X-Patchwork-Id: 1042542 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 440vTf6dJVz9s7T for ; Fri, 15 Feb 2019 11:36:54 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="Crvj+RZE"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="6maicr7r"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 440vTf5bL8zDqXG for ; Fri, 15 Feb 2019 11:36:54 +1100 (AEDT) X-Original-To: petitboot@lists.ozlabs.org Delivered-To: petitboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=mendozajonas.com (client-ip=66.111.4.26; helo=out2-smtp.messagingengine.com; envelope-from=sam@mendozajonas.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="Crvj+RZE"; dkim=pass (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="6maicr7r"; dkim-atps=neutral Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 440vT86tCGzDqWc for ; Fri, 15 Feb 2019 11:36:28 +1100 (AEDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id B9D7A2294D; Thu, 14 Feb 2019 19:36:26 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Thu, 14 Feb 2019 19:36:26 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= mendozajonas.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; s=fm2; bh=J1cYtC/lsy//Yz4gal19XyMM6fO2RLUGKfgSJ5MYDms=; b=Crvj+ RZEtSJa2scEcRnU00pWzeeRfZ0M/kUrxcFirc4T5FTiwjbtcBzLHrNAgdIcFcy3Y nKpKXL2uUG+UgUBf0XwvlemDsAQCNbvkD8iaLzTj1vrH+9t1N7L8UELl1ZjXydxy Evftv/qEc/Xfg1GyFli85nDg+ZjwEaB2hYpPrFt8vODmlqxR6AUCjIMc7C5xP0jK Y7DlhJGPkf2J9iSxP+lbBvf3tlPCQ1wRxXLOBKU4uWdXv2OiKauSWBRH9D3ZautO FBt/EyoRBJY/8ogXIDiIWAaHsUJxqm7DoN66T+v7j3zg77NPr8c8IKnyx4uEMnRj 0fXxfJbL1Mb54Q9yg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=J1cYtC/lsy//Yz4gal19XyMM6fO2RLUGKfgSJ5MYDms=; b=6maicr7r VsfsYAkxhbY9D7YZyykPalTfPfPhDNRSlRT6VRHP52ku7Btc6OyxM3DGm2Eoc3NV ljPO/Aie1h7jBHgOsFl8Q6E/oE/C/iFZ35zc0kShqSv/3xGKrUs0Tp/2TlCyPdc4 +wI2Cg1ICntchfwBU+WbSU3w6OaplaldTDG5gdM2Y59BXWFyw6Wg+VsNqwJK+Fuc vzI9259OQbM1wKYllfR9AGjY5GrbEwbdkdKSrTd22I68D8RdknXmCkx5oAR1PlaT oTEoP0Cq6gsn9HdI9itmgmRtE4KgKTN3hag/OivOb6+LVoRhPrKJ6XEsMRkwkWw8 6rXrqhCl2ilaVw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtiedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpe furghmuhgvlhcuofgvnhguohiirgdqlfhonhgrshcuoehsrghmsehmvghnughoiigrjhho nhgrshdrtghomheqnecukfhppeduvddvrdelledrkedvrddutdenucfrrghrrghmpehmrg hilhhfrhhomhepshgrmhesmhgvnhguohiirghjohhnrghsrdgtohhmnecuvehluhhsthgv rhfuihiivgeptd X-ME-Proxy: Received: from v4.ozlabs.ibm.com (unknown [122.99.82.10]) by mail.messagingengine.com (Postfix) with ESMTPA id 50472E4068; Thu, 14 Feb 2019 19:36:25 -0500 (EST) From: Samuel Mendoza-Jonas To: petitboot@lists.ozlabs.org Subject: [PATCH 2/5] lib/process: Add option to pipe to process stdin Date: Fri, 15 Feb 2019 11:36:00 +1100 Message-Id: <20190215003603.16285-3-sam@mendozajonas.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190215003603.16285-1-sam@mendozajonas.com> References: <20190215003603.16285-1-sam@mendozajonas.com> MIME-Version: 1.0 X-BeenThere: petitboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Petitboot bootloader development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Samuel Mendoza-Jonas Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Petitboot" If pipe_stdin exists, create a second pipe to write to the child process's STDIN. This allows Petitboot to pipe information to a process, for example piping a LUKS password to cryptsetup. Signed-off-by: Samuel Mendoza-Jonas --- lib/process/process.c | 33 +++++++++++++++++++++++++++++++++ lib/process/process.h | 1 + 2 files changed, 34 insertions(+) diff --git a/lib/process/process.c b/lib/process/process.c index 02b6f490..7bd29b82 100644 --- a/lib/process/process.c +++ b/lib/process/process.c @@ -50,6 +50,7 @@ struct process_info { int stdout_buf_len; struct waiter *stdout_waiter; int stdout_pipe[2]; + int stdin_pipe[2]; void *orig_ctx; }; @@ -130,12 +131,37 @@ static int process_setup_stdout_pipe(struct process_info *procinfo) return 0; } +static void process_setup_stdin_parent(struct process_info *procinfo) +{ + FILE *in; + + if (!procinfo->process.pipe_stdin) + return; + + close(procinfo->stdin_pipe[0]); + in = fdopen(procinfo->stdin_pipe[1], "w"); + if (!in) { + pb_log_fn("Failed to open stdin\n"); + return; + } + fputs(procinfo->process.pipe_stdin, in); + fflush(in); +} + +static void process_setup_stdin_child(struct process_info *procinfo) +{ + if (procinfo->process.pipe_stdin) { + close(procinfo->stdin_pipe[1]); + dup2(procinfo->stdin_pipe[0], STDIN_FILENO); + } +} static void process_setup_stdout_parent(struct process_info *procinfo) { if (!procinfo->process.keep_stdout || procinfo->process.raw_stdout) return; close(procinfo->stdout_pipe[1]); + } static void process_setup_stdout_child(struct process_info *procinfo) @@ -350,6 +376,11 @@ static int process_run_common(struct process_info *procinfo) rc = process_setup_stdout_pipe(procinfo); if (rc) return rc; + if (procinfo->process.pipe_stdin) { + rc = pipe(procinfo->stdin_pipe); + if (rc) + return rc; + } pid = fork(); if (pid < 0) { @@ -359,6 +390,7 @@ static int process_run_common(struct process_info *procinfo) if (pid == 0) { process_setup_stdout_child(procinfo); + process_setup_stdin_child(procinfo); if (procset->dry_run) exit(EXIT_SUCCESS); execvp(process->path, (char * const *)process->argv); @@ -366,6 +398,7 @@ static int process_run_common(struct process_info *procinfo) } process_setup_stdout_parent(procinfo); + process_setup_stdin_parent(procinfo); process->pid = pid; return 0; diff --git a/lib/process/process.h b/lib/process/process.h index 9473a0d4..eb6e3360 100644 --- a/lib/process/process.h +++ b/lib/process/process.h @@ -43,6 +43,7 @@ struct process { void *data; waiter_cb stdout_cb; void *stdout_data; + char *pipe_stdin; /* runtime data */ pid_t pid; From patchwork Fri Feb 15 00:36:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sam Mendoza-Jonas X-Patchwork-Id: 1042543 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 440vTl5NbCz9s7T for ; Fri, 15 Feb 2019 11:36:59 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="f5H30pG6"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="3Q3SbZ1m"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 440vTl40myzDqXJ for ; Fri, 15 Feb 2019 11:36:59 +1100 (AEDT) X-Original-To: petitboot@lists.ozlabs.org Delivered-To: petitboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=mendozajonas.com (client-ip=66.111.4.26; helo=out2-smtp.messagingengine.com; envelope-from=sam@mendozajonas.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="f5H30pG6"; dkim=pass (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="3Q3SbZ1m"; dkim-atps=neutral Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 440vTB4CnczDqVf for ; Fri, 15 Feb 2019 11:36:30 +1100 (AEDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 5D66822738; Thu, 14 Feb 2019 19:36:28 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Thu, 14 Feb 2019 19:36:28 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= mendozajonas.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; s=fm2; bh=nxP1+KuheNKny5kVglADQTBN0qU4MeTDTjZ0aoQDYw8=; b=f5H30 pG6e+IJL8YM6KmeJjcV18kZI0YXejhXcOUl04guU39vscscbJaMz9NgL1OHZB8jr 05KS6r/2nqYNezv9uBr0ulP3LtE8HD3RI2US2ga8E+DWifEsxMNfKvY3A1FPCkc4 IowPHOrHQSaQTaq5N5IND7xRsUUroX49hyxMjMA/43sxVG6MKFIxPrccXHzdJIfo xNEhS/MlIq5htZxHEVs4XTuCoaDAzCtp/WIfykM9vGqWtYBT44FgELVgxzytoelM fv6C7pIlyrZBSpc5EswixK8BgT5SXv1gTGAspCxHfAUxi2dwK3WbDEVTVO4EJRw/ X2sPV1uv1rLmeXkfw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=nxP1+KuheNKny5kVglADQTBN0qU4MeTDTjZ0aoQDYw8=; b=3Q3SbZ1m CL9SdK754RMz3+u6d/JForzqWYamQOe25KX1YjIs0wuNKd2n2k3gHe8x/Wz7zv5i c7mOzJFYrlQsmtByb16/Pvv52clS9t9bxglSJc/fPM2jJ+NE1VfQGdB1H0QjB2th LFCBjFJMXgUum5oQwQys6tLJfcDsY7dGl9TrYOhYarIn39sKNwXyKyEyeOu4D2dH VYpQKg4j78YNB+OiNhBj7ce5EI/pndFheQsKIfPJAkK0XF/yxuVQREXAKbLcKcs6 EGzGqTOte0vheVDnMnoSsNzrlYzvJynwx1llLQ5Db0WgAtrC6+d/04fg14+A6zsG /q/EoHKOHx8Hkw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtiedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpe furghmuhgvlhcuofgvnhguohiirgdqlfhonhgrshcuoehsrghmsehmvghnughoiigrjhho nhgrshdrtghomheqnecukfhppeduvddvrdelledrkedvrddutdenucfrrghrrghmpehmrg hilhhfrhhomhepshgrmhesmhgvnhguohiirghjohhnrghsrdgtohhmnecuvehluhhsthgv rhfuihiivgeptd X-ME-Proxy: Received: from v4.ozlabs.ibm.com (unknown [122.99.82.10]) by mail.messagingengine.com (Postfix) with ESMTPA id DD6FCE4046; Thu, 14 Feb 2019 19:36:26 -0500 (EST) From: Samuel Mendoza-Jonas To: petitboot@lists.ozlabs.org Subject: [PATCH 3/5] lib: Add AUTH_MSG_DECRYPT Date: Fri, 15 Feb 2019 11:36:01 +1100 Message-Id: <20190215003603.16285-4-sam@mendozajonas.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190215003603.16285-1-sam@mendozajonas.com> References: <20190215003603.16285-1-sam@mendozajonas.com> MIME-Version: 1.0 X-BeenThere: petitboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Petitboot bootloader development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Samuel Mendoza-Jonas Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Petitboot" Extend the auth_message struct to support the AUTH_MSG_DECRYPT operation, allowing the existing authentications methods to be used for passing a disk password from the UI to pb-discover. In addition add DEVICE_TYPE_LUKS to identify encrypted disk devices. Signed-off-by: Samuel Mendoza-Jonas --- lib/pb-protocol/pb-protocol.c | 17 +++++++++++++++++ lib/pb-protocol/pb-protocol.h | 5 +++++ lib/types/types.c | 6 ++++++ lib/types/types.h | 1 + ui/test/discover-test.c | 2 ++ 5 files changed, 31 insertions(+) diff --git a/lib/pb-protocol/pb-protocol.c b/lib/pb-protocol/pb-protocol.c index b4138bbf..33bd4e6e 100644 --- a/lib/pb-protocol/pb-protocol.c +++ b/lib/pb-protocol/pb-protocol.c @@ -394,6 +394,10 @@ int pb_protocol_authenticate_len(struct auth_message *msg) /* enum + password + password */ return 4 + 4 + optional_strlen(msg->set_password.password) + 4 + optional_strlen(msg->set_password.new_password); + case AUTH_MSG_DECRYPT: + /* enum + password + device id */ + return 4 + 4 + optional_strlen(msg->decrypt_dev.password) + + 4 + optional_strlen(msg->decrypt_dev.device_id); default: pb_log("%s: invalid input\n", __func__); return 0; @@ -750,6 +754,12 @@ int pb_protocol_serialise_authenticate(struct auth_message *msg, pos += pb_protocol_serialise_string(pos, msg->set_password.new_password); break; + case AUTH_MSG_DECRYPT: + pos += pb_protocol_serialise_string(pos, + msg->decrypt_dev.password); + pos += pb_protocol_serialise_string(pos, + msg->decrypt_dev.device_id); + break; default: pb_log("%s: invalid msg\n", __func__); return -1; @@ -1439,6 +1449,13 @@ int pb_protocol_deserialise_authenticate(struct auth_message *msg, &msg->set_password.new_password)) return -1; break; + case AUTH_MSG_DECRYPT: + if (read_string(msg, &pos, &len, &msg->decrypt_dev.password)) + return -1; + if (read_string(msg, &pos, &len, + &msg->decrypt_dev.device_id)) + return -1; + break; default: pb_log("%s: unable to parse\n", __func__); return -1; diff --git a/lib/pb-protocol/pb-protocol.h b/lib/pb-protocol/pb-protocol.h index 1d6c0485..f4975bc8 100644 --- a/lib/pb-protocol/pb-protocol.h +++ b/lib/pb-protocol/pb-protocol.h @@ -40,6 +40,7 @@ enum auth_msg_type { AUTH_MSG_REQUEST, AUTH_MSG_RESPONSE, AUTH_MSG_SET, + AUTH_MSG_DECRYPT, }; struct auth_message { @@ -51,6 +52,10 @@ struct auth_message { char *password; char *new_password; } set_password; + struct { + char *password; + char *device_id; + } decrypt_dev; }; }; diff --git a/lib/types/types.c b/lib/types/types.c index d7f4ead7..f4510e10 100644 --- a/lib/types/types.c +++ b/lib/types/types.c @@ -35,6 +35,8 @@ const char *device_type_display_name(enum device_type type) return _("Network"); case DEVICE_TYPE_ANY: return _("Any"); + case DEVICE_TYPE_LUKS: + return _("Encrypted Device"); case DEVICE_TYPE_UNKNOWN: default: return _("Unknown"); @@ -54,6 +56,8 @@ const char *device_type_name(enum device_type type) return "network"; case DEVICE_TYPE_ANY: return "any"; + case DEVICE_TYPE_LUKS: + return "encrypted"; case DEVICE_TYPE_UNKNOWN: default: return "unknown"; @@ -72,6 +76,8 @@ enum device_type find_device_type(const char *str) return DEVICE_TYPE_NETWORK; if (!strncmp(str, "any", strlen("any"))) return DEVICE_TYPE_ANY; + if (!strncmp(str, "encrypted", strlen("encrypted"))) + return DEVICE_TYPE_LUKS; return DEVICE_TYPE_UNKNOWN; } diff --git a/lib/types/types.h b/lib/types/types.h index 9d83d87d..433a37b2 100644 --- a/lib/types/types.h +++ b/lib/types/types.h @@ -11,6 +11,7 @@ enum device_type { DEVICE_TYPE_USB, DEVICE_TYPE_OPTICAL, DEVICE_TYPE_ANY, + DEVICE_TYPE_LUKS, DEVICE_TYPE_UNKNOWN, }; diff --git a/ui/test/discover-test.c b/ui/test/discover-test.c index f3e7dd8c..6fb14dec 100644 --- a/ui/test/discover-test.c +++ b/ui/test/discover-test.c @@ -16,6 +16,8 @@ static const char *device_type_string(enum device_type type) return "optical"; case DEVICE_TYPE_ANY: return "any"; + case DEVICE_TYPE_LUKS: + return "encrypted"; case DEVICE_TYPE_UNKNOWN: return "unknown"; } From patchwork Fri Feb 15 00:36:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sam Mendoza-Jonas X-Patchwork-Id: 1042544 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 440vTs53k8z9s7T for ; Fri, 15 Feb 2019 11:37:05 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="wSdm8jRP"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="qr7+eGcL"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 440vTs3y6NzDqXJ for ; Fri, 15 Feb 2019 11:37:05 +1100 (AEDT) X-Original-To: petitboot@lists.ozlabs.org Delivered-To: petitboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=mendozajonas.com (client-ip=66.111.4.26; helo=out2-smtp.messagingengine.com; envelope-from=sam@mendozajonas.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="wSdm8jRP"; dkim=pass (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="qr7+eGcL"; dkim-atps=neutral Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 440vTD0HpMzDqVf for ; Fri, 15 Feb 2019 11:36:32 +1100 (AEDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id CE66D22017; Thu, 14 Feb 2019 19:36:29 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Thu, 14 Feb 2019 19:36:29 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= mendozajonas.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; s=fm2; bh=gzp1oLAnMm/TcugRX6ObYSFOKuWb+Ys925QeWOGS7HY=; b=wSdm8 jRPwYYkeTfc4Rx/R25lzoU6R3xaEwahlEyxYbzPMphHvUW1J8LyeQH00Yg8BbAvh JaVvoPterowf9fb9BuoGpYRJBTTSkHSyPTZJGD/lRvzLZjw/kyH94EJbsT1hgM4i 2FQ6HwQSRyhqaX6EnTGRQkP9j+N/oTcoe+Cmp5xqd/G9Gt+ehRfgRdyswWeu9vU9 kqQcrhFzo1C46ND5EQKGloPbUnLaJ/5QZJOUvgVAH0QqD/S5AY2L2VmJDO7PsDKF ZL45zqytZZ9nRhjQyuTnHT3CnhikHmvQ5omSLLILmWmPILn5di+ftPl0QxGI3jMl atUO906h1FJNnaHeg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=gzp1oLAnMm/TcugRX6ObYSFOKuWb+Ys925QeWOGS7HY=; b=qr7+eGcL 40Jj6QeQu7In0KtNcT5FuMSKZvxCRn5TVokd7dz6TS3FKEqK8DUc/A/zxHBC7ges 7ORKq6MEqzI9shJP/YbymG7GaFhA/34zl3V3MvLa72KK+0uoRNiP/kEdsQB44+qo +i4+53Ccx5FK2kk96+/cZNMsHdxC6xFG/woiH3AvZzLC+sC1gt58WUeySUzLbLmd 4qd+S4v4lTTqY2PKvP/UqdD3zLehq74TyIF0qApHcvTzt9A/mUmWGuQhZrYPwpXk W1W3N9r4qBpj7IOfv0+RaSluJ2TE9SnaGVlW7umcHjW4JfTTAaLIX0YKgjLzRxNy Be0jX5kd1Cz9jw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtiedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpe furghmuhgvlhcuofgvnhguohiirgdqlfhonhgrshcuoehsrghmsehmvghnughoiigrjhho nhgrshdrtghomheqnecukfhppeduvddvrdelledrkedvrddutdenucfrrghrrghmpehmrg hilhhfrhhomhepshgrmhesmhgvnhguohiirghjohhnrghsrdgtohhmnecuvehluhhsthgv rhfuihiivgepfe X-ME-Proxy: Received: from v4.ozlabs.ibm.com (unknown [122.99.82.10]) by mail.messagingengine.com (Postfix) with ESMTPA id 6FEA4E4046; Thu, 14 Feb 2019 19:36:28 -0500 (EST) From: Samuel Mendoza-Jonas To: petitboot@lists.ozlabs.org Subject: [PATCH 4/5] discover: Recognise and open LUKS encrypted partitions Date: Fri, 15 Feb 2019 11:36:02 +1100 Message-Id: <20190215003603.16285-5-sam@mendozajonas.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190215003603.16285-1-sam@mendozajonas.com> References: <20190215003603.16285-1-sam@mendozajonas.com> MIME-Version: 1.0 X-BeenThere: petitboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Petitboot bootloader development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Samuel Mendoza-Jonas Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Petitboot" Handle devices encrypted with LUKS and call cryptsetup to open them if a client sends the associated password. If a new device has the "crypto_LUKS" filesystem type it is marked as a LUKS device and sent to clients but further discovery is not performed. Once a client sends the device's password cryptsetup is called to open it. The opened device will appear separately, so the source device is "forgotten" at this point and then the newly opened device is treated as a normal partition. On destruction the device is "closed" with cryptsetup so that discovery can start from the beginning. Signed-off-by: Samuel Mendoza-Jonas --- discover/device-handler.c | 134 ++++++++++++++++++++++++++++++++++++- discover/device-handler.h | 8 +++ discover/discover-server.c | 18 ++++- discover/udev.c | 33 +++++++-- 4 files changed, 186 insertions(+), 7 deletions(-) diff --git a/discover/device-handler.c b/discover/device-handler.c index e75f4123..7935a2b8 100644 --- a/discover/device-handler.c +++ b/discover/device-handler.c @@ -60,6 +60,13 @@ struct progress_info { struct list_item list; }; +struct crypt_info { + struct discover_device *source_device; + char *dm_name; + + struct list_item list; +}; + struct device_handler { struct discover_server *server; int dry_run; @@ -95,6 +102,8 @@ struct device_handler { struct plugin_option **plugins; unsigned int n_plugins; bool plugin_installing; + + struct list crypt_devices; }; static int mount_device(struct discover_device *dev); @@ -265,9 +274,30 @@ void device_handler_destroy(struct device_handler *handler) static int destroy_device(void *arg) { struct discover_device *dev = arg; + struct process *p; umount_device(dev); + devmapper_destroy_snapshot(dev); + + if (dev->crypt_device) { + const char *argv[] = { + pb_system_apps.cryptsetup, + "luksClose", + dev->device->id, + NULL + }; + + p = process_create(dev); + p->path = pb_system_apps.cryptsetup; + p->argv = argv; + + if (process_run_async(p)) { + pb_log("Failed to run cryptsetup\n"); + return -1; + } + } + return 0; } @@ -376,6 +406,7 @@ struct device_handler *device_handler_init(struct discover_server *server, list_init(&handler->unresolved_boot_options); list_init(&handler->progress); + list_init(&handler->crypt_devices); /* set up our mount point base */ pb_mkdir_recursive(mount_base()); @@ -399,6 +430,7 @@ struct device_handler *device_handler_init(struct discover_server *server, void device_handler_reinit(struct device_handler *handler) { struct discover_boot_option *opt, *tmp; + struct crypt_info *crypt, *c; struct ramdisk_device *ramdisk; struct config *config; unsigned int i; @@ -449,6 +481,11 @@ void device_handler_reinit(struct device_handler *handler) discover_server_notify_plugins_remove(handler->server); + /* forget encrypted devices */ + list_for_each_entry_safe(&handler->crypt_devices, crypt, c, list) + talloc_free(crypt); + list_init(&handler->crypt_devices); + set_env_variables(config_get()); /* If the safe mode warning was active disable it now */ @@ -1230,6 +1267,102 @@ void device_handler_release_ramdisk(struct discover_device *device) device->ramdisk = NULL; } +/* + * Check if a device name matches the name of an encrypted device that has been + * opened. If it matches remove it from the list and remove the original crypt + * discover device. + */ +bool device_handler_found_crypt_device(struct device_handler *handler, + const char *name) +{ + struct crypt_info *crypt, *c; + + list_for_each_entry_safe(&handler->crypt_devices, crypt, c, list) { + if (!strncmp(crypt->dm_name, name, strlen(crypt->dm_name))) { + device_handler_remove(handler, crypt->source_device); + list_remove(&crypt->list); + talloc_free(crypt); + return true; + } + } + + return false; +} + +static void cryptsetup_cb(struct process *process) +{ + struct device_handler *handler = process->data; + + if (process->exit_status) { + /* failed to open the device; stop tracking it */ + device_handler_found_crypt_device(handler, process->argv[3]); + device_handler_status_err(handler, + _("Failed to open encrypted device %s"), + process->argv[2]); + } +} + +void device_handler_open_encrypted_dev(struct device_handler *handler, + char *password, char *device_id) +{ + struct discover_device *dev; + struct crypt_info *crypt; + const char *device_path; + struct process *p; + char *name; + int result; + + dev = device_lookup_by_id(handler, device_id); + if (!dev) { + pb_log_fn("Can't find device %s\n", device_id); + device_handler_status_err(handler, + _("Encrypted device %s does not exist"), + device_id); + return; + } + + device_path = dev->device_path; + name = talloc_asprintf(handler, "luks_%s", device_id); + + const char *argv[] = { + pb_system_apps.cryptsetup, + "luksOpen", + device_path, + name, + "-", + NULL + }; + + p = process_create(handler); + p->path = pb_system_apps.cryptsetup; + p->argv = argv; + p->exit_cb = cryptsetup_cb; + p->keep_stdout = true; + p->pipe_stdin = talloc_asprintf(p, "%s\n", password); + + result = process_run_async(p); + if (result) { + pb_log("Failed to run cryptsetup\n"); + return; + } + + crypt = talloc(handler, struct crypt_info); + crypt->source_device = dev; + crypt->dm_name = name; + list_add(&handler->crypt_devices, &crypt->list); +} + +void device_handler_add_encrypted_dev(struct device_handler *handler, + struct discover_device *dev) +{ + system_info_register_blockdev(dev->device->id, dev->uuid, ""); + discover_server_notify_device_add(handler->server, + dev->device); + dev->notified = true; + if (!device_lookup_by_uuid(handler, dev->uuid)) + device_handler_add_device(handler, dev); +} + /* Start discovery on a hotplugged device. The device will be in our devices * array, but has only just been initialised by the hotplug source. */ @@ -2121,7 +2254,6 @@ static int umount_device(struct discover_device *dev) return -1; dev->mounted = false; - devmapper_destroy_snapshot(dev); pb_rmdir_recursive(mount_base(), dev->mount_path); diff --git a/discover/device-handler.h b/discover/device-handler.h index 9619a2df..65911208 100644 --- a/discover/device-handler.h +++ b/discover/device-handler.h @@ -33,6 +33,7 @@ struct discover_device { bool mounted; bool mounted_rw; bool unmount; + bool crypt_device; bool notified; @@ -89,6 +90,9 @@ const struct plugin_option *device_handler_get_plugin( struct network *device_handler_get_network( const struct device_handler *handler); +bool device_handler_found_crypt_device(struct device_handler *handler, + const char *name); + struct discover_device *discover_device_create(struct device_handler *handler, const char *uuid, const char *id); void device_handler_add_device(struct device_handler *handler, @@ -98,6 +102,10 @@ void device_handler_add_ramdisk(struct device_handler *handler, struct ramdisk_device *device_handler_get_ramdisk( struct device_handler *handler); void device_handler_release_ramdisk(struct discover_device *device); +void device_handler_open_encrypted_dev(struct device_handler *handler, + char *password, char *device_id); +void device_handler_add_encrypted_dev(struct device_handler *handler, + struct discover_device *dev); int device_handler_discover(struct device_handler *handler, struct discover_device *dev); int device_handler_dhcp(struct device_handler *handler, diff --git a/discover/discover-server.c b/discover/discover-server.c index 23d6113e..1a332cbf 100644 --- a/discover/discover-server.c +++ b/discover/discover-server.c @@ -365,13 +365,29 @@ static int discover_server_handle_auth_message(struct client *client, _("Password updated successfully")); } break; + case AUTH_MSG_DECRYPT: + if (!client->can_modify) { + pb_log("Unauthenticated client tried to open encrypted device %s\n", + auth_msg->decrypt_dev.device_id); + rc = -1; + status->type = STATUS_ERROR; + status->message = talloc_asprintf(status, + _("Must authenticate before opening encrypted device")); + break; + } + + device_handler_open_encrypted_dev(client->server->device_handler, + auth_msg->decrypt_dev.password, + auth_msg->decrypt_dev.device_id); + break; default: pb_log("%s: unknown op\n", __func__); rc = -1; break; } - write_boot_status_message(client->server, client, status); + if (status->message) + write_boot_status_message(client->server, client, status); talloc_free(status); return rc; diff --git a/discover/udev.c b/discover/udev.c index fa5d4b41..0c3da66a 100644 --- a/discover/udev.c +++ b/discover/udev.c @@ -106,7 +106,7 @@ static int udev_handle_block_add(struct pb_udev *udev, struct udev_device *dev, "swap", NULL, }; - bool cdrom, usb; + bool cdrom, usb, luks = false; typestr = udev_device_get_devtype(dev); if (!typestr) { @@ -142,11 +142,18 @@ static int udev_handle_block_add(struct pb_udev *udev, struct udev_device *dev, } } - /* Ignore any device mapper devices that aren't logical volumes */ + /* + * Ignore any device mapper devices that aren't logical volumes or + * opened encrypted devices + */ devname = udev_device_get_property_value(dev, "DM_NAME"); - if (devname && ! udev_device_get_property_value(dev, "DM_LV_NAME")) { - pb_debug("SKIP: dm-device %s\n", devname); - return 0; + if (devname) { + if (device_handler_found_crypt_device(udev->handler, devname)) { + luks = true; + } else if (!udev_device_get_property_value(dev, "DM_LV_NAME")) { + pb_debug("SKIP: dm-device %s\n", devname); + return 0; + } } type = udev_device_get_property_value(dev, "ID_FS_TYPE"); @@ -216,16 +223,32 @@ static int udev_handle_block_add(struct pb_udev *udev, struct udev_device *dev, usb = !!udev_device_get_property_value(dev, "ID_USB_DRIVER"); if (cdrom) ddev->device->type = DEVICE_TYPE_OPTICAL; + else if (strncmp(type, "crypto_LUKS", strlen("crypto_LUKS")) == 0) + ddev->device->type = DEVICE_TYPE_LUKS; else ddev->device->type = usb ? DEVICE_TYPE_USB : DEVICE_TYPE_DISK; udev_setup_device_params(dev, ddev); + /* + * Don't perform discovery on encrypted devices, just register and + * notify clients. + */ + if (ddev->device->type == DEVICE_TYPE_LUKS) { + pb_log("Notifying clients about encrypted device %s\n", + name); + device_handler_add_encrypted_dev(udev->handler, ddev); + return 0; + } + /* Create a snapshot for all disk devices */ if ((ddev->device->type == DEVICE_TYPE_DISK || ddev->device->type == DEVICE_TYPE_USB)) devmapper_init_snapshot(udev->handler, ddev); + /* Note if this is an opened LUKS device */ + ddev->crypt_device = luks; + device_handler_discover(udev->handler, ddev); return 0; From patchwork Fri Feb 15 00:36:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sam Mendoza-Jonas X-Patchwork-Id: 1042545 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 440vV024Xgz9s5c for ; Fri, 15 Feb 2019 11:37:12 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="aHcJRp9D"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="YvEwIDZ0"; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 440vV008g4zDqXW for ; Fri, 15 Feb 2019 11:37:12 +1100 (AEDT) X-Original-To: petitboot@lists.ozlabs.org Delivered-To: petitboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=mendozajonas.com (client-ip=66.111.4.26; helo=out2-smtp.messagingengine.com; envelope-from=sam@mendozajonas.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=mendozajonas.com Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=mendozajonas.com header.i=@mendozajonas.com header.b="aHcJRp9D"; dkim=pass (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.b="YvEwIDZ0"; dkim-atps=neutral Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 440vTH4nF4zDqVf for ; Fri, 15 Feb 2019 11:36:35 +1100 (AEDT) Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id D200122710; Thu, 14 Feb 2019 19:36:31 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Thu, 14 Feb 2019 19:36:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= mendozajonas.com; h=from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; s=fm2; bh=9Dq8QNbOBf8EaZy4sSNDCusnIHBw9JNrUP/0IuvgA0Y=; b=aHcJR p9Dz5WDJjk/wl04IwQADjyGssruljUR9CgDSi0+thhpfXDozax5AAOW/CG8mySNX /Q4nRYRU1G7CPNA8kgHRvmoz7D75r/zjt4nNyEIRdyCeS5Z5K3/rVugWzNQbZ8uU +DjoGONokixISMLaYCNI2OtTvnv1F3/vFhDzeyr7CF8YZ0XODRWayF44cWt7dNkx EVMa6chE8dHo48gD/tsROqv1bUF99p9P52hYXToUgTNKFDGlf+vq2MpHX6ghE0fD /CRGQEq27q4i/aaqyxyQ6933QU9eVekZnnnKK2XSd8OsrUsGXnsAO+CCaosxJ0Fh I6kvbIcP2ZbXRNH2A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=9Dq8QNbOBf8EaZy4sSNDCusnIHBw9JNrUP/0IuvgA0Y=; b=YvEwIDZ0 GbbuQpGLnO6OhI8OyRRHZAyoTmdD1HnxuUydPGaTh4D7ZYJxdG+OiuF1+AnbGTSF wS6ymIJU7nyqlec1rLbUfUG/EJ8ZLuixuHptbTPasd/NHO8nX0Hgoj+8Hj7LN8ZF VLLoKMWGSt2GJkXMeQjWdxc1wB2Rwch7pKtGiesHIW/hLACXknFmr6R4xm/AP1tH 0dSQguIoNwhDIwY0axE6yKjaDv0JQW9HYz59FwrbVtSKWxm47Q37VmV9QX0Bnso4 6cY60KXyOYnCgQ/U6EvQsiWwCawwunKKRSIzyKPI9+/ZPqoovRnuLO51qu75pqnr 66BEVDEQoe9fcA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtiedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecunecujfgurhephffvufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpe furghmuhgvlhcuofgvnhguohiirgdqlfhonhgrshcuoehsrghmsehmvghnughoiigrjhho nhgrshdrtghomheqnecukfhppeduvddvrdelledrkedvrddutdenucfrrghrrghmpehmrg hilhhfrhhomhepshgrmhesmhgvnhguohiirghjohhnrghsrdgtohhmnecuvehluhhsthgv rhfuihiivgepfe X-ME-Proxy: Received: from v4.ozlabs.ibm.com (unknown [122.99.82.10]) by mail.messagingengine.com (Postfix) with ESMTPA id 02757E4046; Thu, 14 Feb 2019 19:36:29 -0500 (EST) From: Samuel Mendoza-Jonas To: petitboot@lists.ozlabs.org Subject: [PATCH 5/5] ui/ncurses: Add prompt for LUKS device password Date: Fri, 15 Feb 2019 11:36:03 +1100 Message-Id: <20190215003603.16285-6-sam@mendozajonas.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190215003603.16285-1-sam@mendozajonas.com> References: <20190215003603.16285-1-sam@mendozajonas.com> MIME-Version: 1.0 X-BeenThere: petitboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Petitboot bootloader development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Samuel Mendoza-Jonas Errors-To: petitboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Petitboot" Implement device_add() in cui_client_ops and use this interface to recognise when the server notifies the client of an encrypted device. A "device header" will be created for this device and added to the menu with no associated boot options. The nc-auth prompt is extended to ask for a disk password when the device header for an encrypted device is selected. Assuming the password is correct pb-discover will remove the original device and notify the client about the newly opened device, which will be reflected in the menu. Signed-off-by: Samuel Mendoza-Jonas --- ui/common/discover-client.c | 25 ++++++ ui/common/discover-client.h | 3 + ui/ncurses/nc-auth.c | 30 ++++++- ui/ncurses/nc-auth.h | 1 + ui/ncurses/nc-cui.c | 166 +++++++++++++++++++++++++++++++++++- ui/ncurses/nc-cui.h | 3 + 6 files changed, 220 insertions(+), 8 deletions(-) diff --git a/ui/common/discover-client.c b/ui/common/discover-client.c index e7dfb831..6dda2d32 100644 --- a/ui/common/discover-client.c +++ b/ui/common/discover-client.c @@ -552,3 +552,28 @@ int discover_client_send_set_password(struct discover_client *client, pb_log("sending auth message..\n"); return pb_protocol_write_message(client->fd, message); } + +int discover_client_send_open_luks_device(struct discover_client *client, + char *password, char *device_id) +{ + struct pb_protocol_message *message; + struct auth_message auth_msg; + int len; + + auth_msg.op = AUTH_MSG_DECRYPT; + auth_msg.decrypt_dev.password = password; + auth_msg.decrypt_dev.device_id = device_id; + + len = pb_protocol_authenticate_len(&auth_msg); + + message = pb_protocol_create_message(client, + PB_PROTOCOL_ACTION_AUTHENTICATE, len); + if (!message) + return -1; + + pb_log("serialising auth message..\n"); + pb_protocol_serialise_authenticate(&auth_msg, message->payload, len); + + pb_log("sending auth message..\n"); + return pb_protocol_write_message(client->fd, message); +} diff --git a/ui/common/discover-client.h b/ui/common/discover-client.h index 9b56dcb7..183d1935 100644 --- a/ui/common/discover-client.h +++ b/ui/common/discover-client.h @@ -113,6 +113,9 @@ int discover_client_send_authenticate(struct discover_client *client, /* Set a new system password, authenticating with the current password */ int discover_client_send_set_password(struct discover_client *client, char *password, char *new_password); +/* Send a password to open an encrypted device */ +int discover_client_send_open_luks_device(struct discover_client *client, + char *password, char *device_id); /* send a temporary autoboot override */ int discover_client_send_temp_autoboot(struct discover_client *client, diff --git a/ui/ncurses/nc-auth.c b/ui/ncurses/nc-auth.c index 5bfda8b4..227c57bf 100644 --- a/ui/ncurses/nc-auth.c +++ b/ui/ncurses/nc-auth.c @@ -42,6 +42,7 @@ struct auth_screen { void (*process_key)(struct nc_scr *, int); bool set_password; + const struct device *dev; void (*callback)(struct nc_scr *); int offset_y; int label_x; @@ -144,6 +145,9 @@ static void ok_click(void *arg) if (screen->set_password) { new_password = widget_textbox_get_value(screen->widgets.new_f); rc = cui_send_set_password(screen->cui, password, new_password); + } else if (screen->dev) { + rc = cui_send_open_luks_device(screen->cui, password, + screen->dev->id); } else rc = cui_send_authenticate(screen->cui, password); @@ -194,6 +198,7 @@ static void auth_screen_layout_widgets(struct auth_screen *screen) static void auth_screen_draw(struct auth_screen *screen) { struct nc_widgetset *set; + char *label; set = widgetset_create(screen, screen->scr.main_ncw, screen->scr.sub_ncw); @@ -203,10 +208,20 @@ static void auth_screen_draw(struct auth_screen *screen) } screen->widgetset = set; - screen->widgets.title_a_l = widget_new_label(set, 0, 0, - _("This action requires authorisation.")); - screen->widgets.title_b_l = widget_new_label(set, 0, 0, - _("Please enter the system password.")); + if (screen->dev) { + label = talloc_asprintf(screen, + _("Opening encrypted device %s"), + screen->dev->id); + screen->widgets.title_a_l = widget_new_label(set, 0, 0, label); + screen->widgets.title_b_l = widget_new_label(set, 0, 0, + _("Please enter the disk password.")); + talloc_free(label); + } else { + screen->widgets.title_a_l = widget_new_label(set, 0, 0, + _("This action requires authorisation.")); + screen->widgets.title_b_l = widget_new_label(set, 0, 0, + _("Please enter the system password.")); + } screen->widgets.password_f = widget_new_textbox_hidden(set, 0, 0, COLS - 20 - 20, "", true); @@ -236,6 +251,7 @@ static int auth_screen_destroy(void *arg) struct auth_screen *auth_screen_init(struct cui *cui, WINDOW *parent, bool set_password, + const struct device *dev, void (*callback)(struct nc_scr *), void (*on_exit)(struct cui *)) { @@ -246,6 +262,11 @@ struct auth_screen *auth_screen_init(struct cui *cui, if (!cui || !parent) return NULL; + if (set_password && dev) { + pb_log_fn("Incorrect parameters (set_password and device)\n"); + return NULL; + } + screen = talloc_zero(cui, struct auth_screen); if (!screen) return NULL; @@ -254,6 +275,7 @@ struct auth_screen *auth_screen_init(struct cui *cui, screen->cui = cui; screen->return_scr = cui->current; screen->set_password = set_password; + screen->dev = dev; screen->callback = callback; screen->on_exit = on_exit; screen->label_x = 5; diff --git a/ui/ncurses/nc-auth.h b/ui/ncurses/nc-auth.h index e8e41482..0473c922 100644 --- a/ui/ncurses/nc-auth.h +++ b/ui/ncurses/nc-auth.h @@ -24,6 +24,7 @@ struct auth_screen; struct auth_screen *auth_screen_init(struct cui *cui, WINDOW *pad, bool set_password, + const struct device *dev, void (callback)(struct nc_scr *), void (*on_exit)(struct cui *)); diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c index d80e2c3e..ae5e9bc6 100644 --- a/ui/ncurses/nc-cui.c +++ b/ui/ncurses/nc-cui.c @@ -360,7 +360,7 @@ static int menu_reinit_execute(struct pmenu_item *item) return 0; cui->auth_screen = auth_screen_init(cui, cui->current->main_ncw, - false, menu_reinit_cb, cui_auth_exit); + false, NULL, menu_reinit_cb, cui_auth_exit); if (cui->auth_screen) cui_set_current(cui, auth_screen_scr(cui->auth_screen)); @@ -407,6 +407,35 @@ static int cui_boot_check(struct pmenu_item *item) return 0; } +static void cui_luks_cb(struct nc_scr *scr) +{ + struct cui_opt_data *cod; + struct pmenu_item *item; + struct pmenu *menu; + struct cui *cui; + + menu = pmenu_from_scr(scr); + item = pmenu_find_selected(menu); + cod = cod_from_item(item); + cui = cui_from_item(item); + + cui_show_open_luks(cui, scr->main_ncw, cod->dev); +} + +static int cui_open_luks_device(struct pmenu_item *item) +{ + struct cui_opt_data *cod = cod_from_item(item); + struct cui *cui = cui_from_item(item); + + if (discover_client_authenticated(cui->client)) + cui_show_open_luks(cui, item->pmenu->scr.main_ncw, cod->dev); + else + cui_show_auth(cui, item->pmenu->scr.main_ncw, false, + cui_luks_cb); + + return 0; +} + static void cui_boot_editor_on_exit(struct cui *cui, struct pmenu_item *item, struct pb_boot_data *bd) @@ -707,13 +736,28 @@ void cui_show_auth(struct cui *cui, WINDOW *parent, bool set_password, if (cui->auth_screen) return; - cui->auth_screen = auth_screen_init(cui, parent, set_password, + cui->auth_screen = auth_screen_init(cui, parent, set_password, NULL, callback, cui_auth_exit); if (cui->auth_screen) cui_set_current(cui, auth_screen_scr(cui->auth_screen)); } +void cui_show_open_luks(struct cui *cui, WINDOW *parent, + const struct device *dev) +{ + if (!cui->current) + return; + + if (cui->auth_screen) + return; + + cui->auth_screen = auth_screen_init(cui, parent, false, dev, + NULL, cui_auth_exit); + + if (cui->auth_screen) + cui_set_current(cui, auth_screen_scr(cui->auth_screen)); +} /** * cui_set_current - Set the currently active screen and redraw it. */ @@ -899,7 +943,7 @@ static void cui_handle_resize(struct cui *cui) } /** - * cui_device_add - Client device_add callback. + * cui_boot_option_add - Client boot_option_add callback. * * Creates menu_items for all the device boot_options and inserts those * menu_items into the main menu. Redraws the main menu if it is active. @@ -1080,6 +1124,114 @@ static int cui_boot_option_add(struct device *dev, struct boot_option *opt, return 0; } +/** + * cui_device_add - Client device_add callback + * + * For ncurses this is only used to specially handle encrypted devices and + * create a special device header for them. + * Normal devices are handled as part of the cui_boot_option_add() process. + */ +static int cui_device_add(struct device *dev, void *arg) +{ + struct cui *cui = cui_from_arg(arg); + struct pmenu *menu = cui->main; + struct pmenu_item *dev_hdr; + unsigned int insert_pt, i; + struct cui_opt_data *cod; + struct blockdev_info *bd; + struct system_info *sys; + int result, rows, cols; + ITEM *selected; + char *name; + + /* Nothing to do */ + if (dev->type != DEVICE_TYPE_LUKS) { + pb_log("Ignoring dev %s with type %s\n", + dev->id, device_type_display_name(dev->type)); + return 0; + } + + pb_log("Creating header for encrypted device %s\n", dev->id); + + /* Create a dev_hdr for the encrypted device */ + /* Find block info */ + sys = cui->sysinfo; + name = NULL; + for (i = 0; sys && i < sys->n_blockdevs; i++) { + bd = sys->blockdevs[i]; + if (!strcmp(dev->id, bd->name)) { + name = talloc_asprintf(menu, "[%s: %s / %s]", + device_type_display_name(dev->type), + bd->name, bd->uuid); + break; + } + } + if (!name) { + name = talloc_asprintf(menu, "[%s: \"%s\"]", + device_type_display_name(dev->type), + dev->id); + } + + dev_hdr = pmenu_item_create(menu, name); + if (!dev_hdr) { + pb_log_fn("Failed to create header item\n"); + return -1; + } + talloc_free(name); + + dev_hdr->on_execute = cui_open_luks_device; + + cod = talloc_zero(dev_hdr, struct cui_opt_data); + cod->name = talloc_strdup(dev_hdr, dev->id); + cod->dev = dev; + dev_hdr->data = cod; + + if (cui->current == &cui->main->scr) + nc_scr_unpost(cui->current); + + /* This disconnects items array from menu. */ + result = set_menu_items(menu->ncm, NULL); + + if (result) { + pb_log_fn("set_menu_items failed: %d\n", result); + return -1; + } + + + insert_pt = pmenu_grow(menu, 1); + pmenu_item_insert(menu, dev_hdr, insert_pt); + pb_log("Added header for encrypted device %s\n", dev->id); + + selected = current_item(menu->ncm); + menu_format(menu->ncm, &rows, &cols); + + /* Re-attach the items array. */ + result = set_menu_items(menu->ncm, menu->items); + + if (result) + pb_log_fn("set_menu_items failed: %d\n", result); + + if (!item_visible(selected)) { + int idx, top; + + top = top_row(menu->ncm); + idx = item_index(selected); + + /* If our index is above the current top row, align + * us to the new top. Otherwise, align us to the new + * bottom */ + top = top < idx ? idx - rows + 1 : idx; + + set_top_row(menu->ncm, top); + set_current_item(menu->ncm, selected); + } + + if (cui->current == &menu->scr) + nc_scr_post(cui->current); + + return 0; +} + /** * cui_device_remove - Client device remove callback. * @@ -1482,6 +1634,12 @@ int cui_send_set_password(struct cui *cui, char *password, char *new_password) new_password); } +int cui_send_open_luks_device(struct cui *cui, char *password, char *device_id) +{ + return discover_client_send_open_luks_device(cui->client, password, + device_id); +} + void cui_send_reinit(struct cui *cui) { discover_client_send_reinit(cui->client); @@ -1629,7 +1787,7 @@ fail_setup: } static struct discover_client_ops cui_client_ops = { - .device_add = NULL, + .device_add = cui_device_add, .boot_option_add = cui_boot_option_add, .device_remove = cui_device_remove, .plugin_option_add = cui_plugin_option_add, diff --git a/ui/ncurses/nc-cui.h b/ui/ncurses/nc-cui.h index 8fa27aa7..039aa922 100644 --- a/ui/ncurses/nc-cui.h +++ b/ui/ncurses/nc-cui.h @@ -101,11 +101,14 @@ void cui_show_plugin(struct pmenu_item *item); void cui_show_plugin_menu(struct cui *cui); void cui_show_auth(struct cui *cui, WINDOW *parent, bool set_password, void (*callback)(struct nc_scr *)); +void cui_show_open_luks(struct cui *cui, WINDOW *parent, + const struct device *dev); int cui_send_config(struct cui *cui, struct config *config); int cui_send_url(struct cui *cui, char *url); int cui_send_plugin_install(struct cui *cui, char *file); int cui_send_authenticate(struct cui *cui, char *password); int cui_send_set_password(struct cui *cui, char *password, char *new_password); +int cui_send_open_luks_device(struct cui *cui, char *password, char *device_id); void cui_send_reinit(struct cui *cui); /* convenience routines */