update for sed drives

Author: jasoncolburne

src/core-switch/scripts/collect.sh

@@ -19,7 +19,8 @@ sudo tar czvf ~/install.bundle/configuration.tgz \
   etc/network/interfaces \
   etc/ssh/sshd_config.d/10-no-passwords.conf \
   etc/sysctl.d/10-disable-ipv6.conf \
-  opt/nomad/docker.json
+  opt/nomad/docker.json \
+  lib/systemd/system/monitor-systemd-journal.service
 
 sudo tar czvf ~/install.bundle/mok.tgz \
   var/lib/shim-signed/mok
@@ -32,6 +33,7 @@ tar czvf ~/install.bundle/$USER.tgz \
   .zshrc \
   .zshenv \
   .p10k.zsh \
+  bin
 
 cp -v ~{,/install.bundle}/secrets.tgz
 cp -v ~{,/install.bundle}/kernel.tgz

src/core-switch/scripts/orchestration/hashicorp/nomad-pack/deploy.sh

@@ -7,6 +7,9 @@ else
   set -euo pipefail
 fi
 
+sudo apt-get update
+sudo apt-get install -y build-essential
+
 cd ~
 if [[ ! -d /usr/local/go ]] || [[ "${FETCH_GO:-0}" == "1" ]]
 then

src/core-switch/scripts/provision.sh

@@ -34,6 +34,11 @@ sudo systemctl stop networking
 cd /
 echo "deploying system configuration"
 sudo tar xzvf ~/install/configuration.tgz
+
+echo "enabling journal monitor"
+sudo systemctl daemon-reload
+sudo systemctl enable monitor-systemd-journal.service
+
 echo "deploying sev firmware"
 sudo tar xzvf ~/install/firmware.tgz
 echo "deploying existing MOK"
@@ -53,6 +58,9 @@ cp ~/install/secrets.tgz .
 echo "enabling clevis on demand"
 sudo systemctl enable clevis-luks-askpass.path
 
+echo "creating src dir"
+mkdir -p ~/src
+
 echo "cleaning up"
 sudo apt-get -y autoremove
 

src/core-switch/scripts/security/aes256gcm/deploy.sh

@@ -7,6 +7,9 @@ else
   set -euo pipefail
 fi
 
+sudo apt-get update
+sudo apt-get install -y build-essential libssl-dev
+
 mkdir -p ~/bin
 gcc -Wall -o ~/bin/aes256gcm ~/install/scripts/security/aes256gcm/aes256gcm.c -lcrypto
 gcc -Wall -o ~/bin/aes256gcm-decrypt ~/install/scripts/security/aes256gcm/aes256gcm-decrypt.c -lcrypto

src/core-switch/scripts/security/sedutil/deploy.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+
+if [[ "$DEBUG" == "1" ]]
+then
+  set -euxo pipefail
+else
+  set -euo pipefail
+fi
+
+sudo apt-get update
+sudo apt-get install -y argon2 parted
+
+cd ~/src
+wget --content-disposition https://github.com/Drive-Trust-Alliance/exec/blob/master/sedutil_LINUX.tgz?raw=true
+tar xzvf sedutil_LINUX.tgz
+sudo cp sedutil/Release_x86_64/sedutil-cli /usr/sbin

src/core-switch/scripts/security/sedutil/module-setup.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+check() {
+  return 0
+}
+
+install() {
+    inst_hook initqueue/online 60 "$moddir/unlock-sed.sh"
+    inst_hook initqueue/settled 60 "$moddir/unlock-sed.sh"
+
+    inst_multiple \
+        /etc/sedutil/nvme0.passphrase.enc \
+        /etc/sedutil/nvme1.passphrase.enc \
+        /usr/lib/x86_64-linux-gnu/libstdc++.so.6 \
+        grep sed cut tr \
+        argon2 \
+        sedutil-cli \
+        partprobe \
+        clevis-decrypt \
+        clevis
+}

src/core-switch/scripts/security/sedutil/setup.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/bash
+
+if [[ "$DEBUG" == "1" ]]
+then
+  set -euxo pipefail
+else
+  set -euo pipefail
+fi
+
+derive_hdd_passphrase() {
+  local HDD_NAME=$1
+
+  echo -n "enter a passphrase for ${HDD_NAME}: "
+  STTY_ORIG=$(stty -g)
+  stty -echo
+  IFS= read -r PASSPHRASE
+  stty "${STTY_ORIG}"
+  echo
+
+  echo -n "verify: "
+  STTY_ORIG=$(stty -g)
+  stty -echo
+  IFS= read -r VERIFICATION
+  stty "${STTY_ORIG}"
+  echo
+
+  if [[ "${PASSPHRASE}" != "${VERIFICATION}" ]]; then
+    echo "passphrases did not match!"
+    exit 1
+  fi
+  unset VERIFICATION
+
+  echo "deriving key..."
+  # we use a null salt so that we can recover the drive with only the passphrase, this is atypical salt usage
+  export HDD_PASSPHRASE=$(echo -n "${PASSPHRASE}" | argon2 '\0\0\0\0\0\0\0\0' -id -e -t 10 -m 20 -p 8 | cut -d'$' -f6 | tr -d '\n')
+  unset PASSPHRASE
+}
+
+setup() {
+  local HDD_NAME=$1
+
+  derive_hdd_passphrase "${HDD_NAME}"
+  echo -n "${HDD_PASSPHRASE}" | sudo clevis encrypt tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,2,3,4,6,7,8"}' | sudo dd of=/etc/sedutil/${HDD_NAME}.passphrase.enc
+
+  if [[ "${INITIALIZE_HDDS:-0}" == "1" ]]; then
+    PASSPHRASE_LABEL=PSID_${HDD_NAME}
+    CURRENT_PASSPHRASE="${!PASSPHRASE_LABEL}"
+
+    sudo sedutil-cli --PSIDrevert "${CURRENT_PASSPHRASE}" /dev/${HDD_NAME}
+    sudo sedutil-cli --initialSetup "${HDD_PASSPHRASE}" /dev/${HDD_NAME}
+
+    sudo sedutil-cli --enableLockingRange 0 "${HDD_PASSPHRASE}" /dev/${HDD_NAME}
+    sudo sedutil-cli --setMBREnable off "${HDD_PASSPHRASE}" /dev/${HDD_NAME}
+    sudo sedutil-cli --setMBRDone off "${HDD_PASSPHRASE}" /dev/${HDD_NAME}
+  fi
+  unset HDD_PASSPHRASE
+}
+
+sudo mkdir -p /etc/sedutil
+setup "nvme0"
+setup "nvme1"
+
+sudo mkdir -p /usr/lib/dracut/modules.d/60unlock-sed
+sudo cp ~/install/scripts/security/sedutil/module-setup.sh /usr/lib/dracut/modules.d/60unlock-sed
+sudo cp ~/install/scripts/security/sedutil/unlock-sed.sh /usr/lib/dracut/modules.d/60unlock-sed
+
+sudo dracut -f --regenerate-all -v

src/core-switch/scripts/security/sedutil/unlock-sed.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Make sure to exit cleanly if SIGTERM is received.
+trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
+
+derive_hdd_passphrase() {
+  local HDD_NAME=$1
+
+  # echo -n "enter the passphrase for ${HDD_NAME}: "
+  # STTY_ORIG=$(stty -g)
+  # stty -echo
+  # IFS= read -r PASSPHRASE
+  # stty "${STTY_ORIG}"
+  # echo
+
+  PASSPHRASE=$(systemd-ask-password "enter the passphrase for ${HDD_NAME}: ")
+
+  echo "deriving key..."
+  # we use a null salt so that we can recover the drive with only the passphrase, this is atypical salt usage
+  export HDD_PASSPHRASE=$(echo -n "${PASSPHRASE}" | argon2 '\0\0\0\0\0\0\0\0' -id -e -t 10 -m 20 -p 8 | cut -d'$' -f6 | tr -d '\n')
+  unset PASSPHRASE
+}
+
+unlock() {
+  local HDD_NAME=$1
+
+  LOCKED=$(sedutil-cli --query /dev/${HDD_NAME} | grep Locked | cut -d',' -f1 | cut -d'=' -f2 | sed 's/ //g')
+
+  if [[ "${LOCKED}" == "Y" ]]; then
+    HDD_PASSPHRASE=$( (cat /etc/sedutil/${HDD_NAME}.passphrase.enc | clevis decrypt) || true )
+    sedutil-cli --setLockingRange 0 rw "${HDD_PASSPHRASE}" /dev/${HDD_NAME} || true
+    unset HDD_PASSPHRASE
+
+    LOCKED=$(sedutil-cli --query /dev/${HDD_NAME} | grep Locked | cut -d',' -f1 | cut -d'=' -f2 | sed 's/ //g')
+
+    if [[ "${LOCKED}" == "Y" ]]; then
+      derive_hdd_passphrase "${HDD_NAME}"
+      sedutil-cli --setLockingRange 0 rw "${HDD_PASSPHRASE}" /dev/${HDD_NAME}
+    fi
+
+    echo "successfully unlocked /dev/${HDD_NAME}" >&2
+
+    partprobe /dev/${HDD_NAME}n1
+  else
+    echo "/dev/${HDD_NAME} is already unlocked. continuing." >&2
+  fi
+}
+
+echo "unlocking nvme drives" >&2
+unlock "nvme0"
+unlock "nvme1"
+
+exit 0

src/core-switch/scripts/store-hdd-passphrases.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/bash
+
+set -euo pipefail
+
+install/scripts/security/sedutil/setup.sh
+
+if [[ "${UNBIND:-0}" == "1" ]]; then
+  sudo clevis luks unbind -d /dev/sda3 -s 1
+  sudo clevis luks unbind -d /dev/sda4 -s 1
+fi
+
+sudo clevis luks bind -d /dev/sda3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,2,3,4,6,7,8"}'
+sudo clevis luks bind -d /dev/sda4 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,2,3,4,6,7,8"}'