File _service:obs_scm:addimageencryption-1+git20230627.7a2ccc3.obscpio of Package addimageencryption (project home:msmeissn)
The obscpio archive contains the following files.

File addimageencryption-1+git20230627.7a2ccc3/LICENSE:

MIT License

Copyright (c) 2023 Ludwig Nussel

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

File addimageencryption-1+git20230627.7a2ccc3/README.md:

Convert a plain text kiwi image into one with LUKS full disk encryption.
Supports both raw and qcow2 images. It assumes that the third partition is the
root fs using btrfs. After encrypting the disk, the fs is mounted and a new
initrd created as well as the grub2 config adjusted.

The script can either encrypt the image directly, or alternatively add code to
the initrd of the image. In the latter case the image would encrypt itself on
first boot.

Example to encrypt an image:

```
addimageencryption -v SLE-Micro.x86_64-5.4.0-Default-GM.raw
```

Example to encrypt on first boot:

```
addimageencryption -v --prime SLE-Micro.x86_64-5.4.0-Default-GM.raw
```

It's also possible to integrate with combustion. The combustion script would
have to look like this:

```bash
#!/bin/bash
# combustion: encrypt
if [ "$1" = "--encrypt" ]; then
	echo 12345 | addimageencryption -v
else
	echo root:12345 | chpasswd
fi
```

File addimageencryption-1+git20230627.7a2ccc3/addimageencryption:

```bash
#!/bin/bash
# SPDX-License-Identifier: MIT
# SPDX-FileCopyrightText: Copyright 2023 SUSE LLC

set -e
shopt -s nullglob

unset "${!LC_@}"
LANG="C.utf8"
export LANG

verbose=
prime=
switched_rw=
cr_name='cr_root'
cr_dev=
blkdev=
blkpart=
mp=
mounted=

tmpdir=$(mktemp -d -t addimageencryption.XXXXXX)

# runs on exit: undo the mounts, close the mapping and detach the loop/nbd device
cleanup()
{
	set +e
	if [ -n "$mp" ]; then
		while read -r i; do
			[ "$i" != "$mp" ] || make_ro
			umount "$i"
		done < <(findmnt -o TARGET -Rn --list "$mp" | tac)
	fi
	if [ -n "$mounted" ]; then
		if [ -e "$tmpdir/mounts" ]; then
			# restore previous mounts
			while read -r line; do
				eval "$line"
				mapfile -td, options < <(echo -n "$OPTIONS")
				if [ -n "$cr_dev" ] && [ "$SOURCE" = "$blkpart" ]; then
					SOURCE="$cr_dev"
				fi
				mount "$SOURCE" "$TARGET" -t "$FSTYPE" -o "$OPTIONS"
			done < "$tmpdir/mounts"
		fi
	else
		[ -e "$cr_dev" ] && cryptsetup close "${cr_dev##*/}"
		case "$blkdev" in
			/dev/nbd*) qemu-nbd -d "$blkdev" ;;
			/dev/loop*) losetup -d "$blkdev" ;;
		esac
	fi
	[ -d "$tmpdir" ] && ! mountpoint -q "$tmpdir/mnt" && rm -rf "$tmpdir"
}
trap cleanup EXIT

helpandquit()
{
	cat <<-EOF
		Usage: $0 [OPTIONS] IMAGE
		Encrypt IMAGE

		OPTIONS:
		  --verbose  verbose
		  --prime    add hook scripts to initrd to encrypt on first boot
		  -h         help screen
	EOF
	exit 0
}

log_info()
{
	[ "${verbose:-0}" -gt 0 ] || return 0
	echo "$@"
}

err()
{
	echo "Error: $*" >&2
	exit 1
}

# a warning must not terminate the script (the original copy of this
# function exited with status 1, which made it identical to err)
warn()
{
	echo "Warning: $*" >&2
}

# true if the argument consists of digits only. The pattern must be [0-9],
# not [0-9]*: the latter also swallows anything following the first digit.
isdigits()
{
	local v="${1:?}"
	[ -z "${v//[0-9]/}" ]
}

settle_umount_events()
{
	# Manual umount confuses systemd sometimes because it's async and the
	# .mount unit might still be active when the "start" is queued, making
	# it a noop, which ultimately leaves /sysroot unmounted
	# (https://github.com/systemd/systemd/issues/20329). To avoid that,
	# wait until systemd processed the umount events. In a chroot (or with
	# SYSTEMD_OFFLINE=1) systemctl always succeeds, so avoid an infinite loop.
	if [ "$mounted" = "/sysroot" ] && ! systemctl --quiet is-active does-not-exist.mount; then
		while systemctl --quiet is-active sysroot.mount; do sleep 0.5; done
	fi
}

# read the passphrase from stdin when not on a terminal (combustion pipes it
# in), otherwise prompt twice and run it through pwscore if available
read_password()
{
	local password2
	[ -z "$password" ] || return 0
	if ! [ -t 0 ]; then
		read -r -s password
		return "$?"
	fi
	while true; do
		read -r -s -p "Enter encryption passphrase: " password
		echo
		if type -p pwscore &>/dev/null; then
			echo "$password" | pwscore || continue
		fi
		read -r -s -p "Confirm encryption passphrase: " password2
		echo
		if [ "$password" != "$password2" ]; then
			echo "Entered passwords don't match"
			continue
		fi
		[ -n "$password" ] || err "No password, no encryption"
		break
	done
}

# in-place encryption; older cryptsetup ships the separate cryptsetup-reencrypt tool
encrypt()
{
	if type -p cryptsetup-reencrypt &> /dev/null; then
		echo "$password" | cryptsetup-reencrypt --new "$@"
	else
		echo "$password" | cryptsetup reencrypt --encrypt "$@"
	fi
}

call_dracut()
{
	local initrd="$(readlink "$mp/boot/initrd")"
	local kv="${initrd#initrd-}"
	log_info "create initrd"
	chroot "$mp" dracut --add-drivers dm_crypt -q -f "/boot/$initrd" "$kv" "$@"
}

mountstuff()
{
	mount -t tmpfs -o size=10m tmpfs "$mp/run"
	for i in proc dev sys; do
		mount --bind "/$i" "$mp/$i"
	done
	for i in /.snapshots /boot/efi /boot/writable /var; do
		mountpoint -q "$mp/$i" && continue
		mount -T "$mp"/etc/fstab --target-prefix="$mp" "/$i"
	done
}

make_rw()
{
	log_info "switch to rw"
	btrfs prop set -t s "$mp" ro false
	switched_rw=1
}

make_ro()
{
	[ -n "$switched_rw" ] || return 0
	unset switched_rw
	log_info "set ro again"
	btrfs prop set -t s "$mp" ro true
}

####### main #######

getopttmp=$(getopt -o hv --long help,verbose,prime -n "${0##*/}" -- "$@")
eval set -- "$getopttmp"

while true ; do
	case "$1" in
		-h|--help) helpandquit ;;
		-v|--verbose) verbose=$((++verbose)); shift ;;
		--prime) prime="1"; shift ;;
		--) shift ; break ;;
		*) echo "Internal error!" ; exit 1 ;;
	esac
done

# inside the initrd default to the already mounted root
[ -z "$1" ] && [ -e /etc/initrd-release ] && set -- /sysroot

[ -n "$1" ] || helpandquit

if [ -d "$1" ]; then
	mountpoint -q "$1" || err "$1 is not a valid mountpoint"
	mp="$1"
	mounted="$1"
	blkpart="$(findmnt -nvo SOURCE "$mp")"
	[ -L "/sys/class/block/${blkpart##*/}" ] || err "$blkpart is not a partition"
	blkdev="$(readlink -f "/sys/class/block/${blkpart##*/}")"
	blkdev="${blkdev%/*}"
	blkdev="/dev/${blkdev##*/}"
elif [ -b "$1" ]; then
	blkdev="$1"
	blkpart="${blkdev}3"
else
	case "${1##*/}" in
		SLE-Micro.x86_64-5.*-Default-GM.raw )
			log_info "setting up loop device"
			blkdev="$(losetup --show -fP "$1")"
			log_info "loop device $blkdev"
			;;
		openSUSE-MicroOS.x86_64-*-kvm-and-xen*.qcow2)
			[ -e "/dev/nbd0" ] || modprobe nbd
			blkdev=/dev/nbd0
			qemu-nbd -c "$blkdev" "$1"
			udevadm settle
			;;
		*) err "Unsupported image" ;;
	esac
	blkpart="${blkdev}p3"
fi

eval "$(blkid -c /dev/null -o export "$blkpart"|sed 's/^/loop_/')"
[ "$loop_TYPE" != crypto_LUKS ] || { echo "Already encrypted"; exit 0; }
[ "$loop_TYPE" = btrfs ] || err "File system is ${loop_TYPE:-unknown} but only btrfs is supported"

if [ -z "$mounted" ]; then
	log_info "mounting fs"
	mkdir -p "$tmpdir/mnt"
	mount -t btrfs -o rw "${blkpart}" "$tmpdir/mnt"
	mp="$tmpdir/mnt"
else
	mountpoint -q "$mp" || err "$mp is not mounted"
	findmnt -o SOURCE,TARGET,FSTYPE,OPTIONS -Rvn --pairs "$mp" > "$tmpdir/mounts"
	mount -o remount,rw "$mp"
fi

if [ -z "$prime" ]; then
	read_password
else
	# --prime: only install this dracut module into the image's initrd so
	# that the image encrypts itself on first boot
	mkdir -p "$tmpdir/overlay-w"
	dst="$tmpdir/overlay/95addimageencryption"
	mkdir -p "$dst"
	for i in addimageencryption addimageencryption-initrd module-setup.sh \
		addimageencryption-initrd.service; do
		cp "${0%/*}/$i" "$dst/$i"
	done
	make_rw
	mountstuff
	mount -t overlay overlay \
		-o lowerdir="$mp/usr/lib/dracut/modules.d/,upperdir=$tmpdir/overlay,workdir=$tmpdir/overlay-w" \
		"$mp/usr/lib/dracut/modules.d/"
	call_dracut
	exit 0
fi

read -r minsize bytes _rest < <(btrfs inspect-internal min-dev-size "$mp")
isdigits "$minsize" || err "Failed to read minimum btrfs size"
[ "$bytes" = 'bytes' ] || err "Failed to read minimum btrfs size"

log_info "resizing fs"
btrfs filesystem resize "$minsize" "$mp"

if [ -e "$tmpdir/mounts" ]; then
	# subshell intentional here
	tac "$tmpdir/mounts" | while read -r line; do
		eval "$line"
		umount "$TARGET"
	done
else
	umount "$mp"
fi
unset mp
settle_umount_events

# shrink partition to a minimum so reencryption doesn't write everything
log_info "resizing partition"
echo "size=$((minsize/1024+32*1024))KiB" | sfdisk -q -N 3 "$blkdev"
udevadm settle

echo "Encrypting..."
encrypt \
	--type luks1 \
	--reduce-device-size 32m \
	--progress-frequency=1 \
	--iter-time 2000 \
	"${blkpart}"
log_info "Encryption done"

log_info "grow partition again"
echo ", +" | sfdisk -q -N 3 "$blkdev"

log_info "open encrypted image"
echo "$password" | cryptsetup open "${blkpart}" "$cr_name"
cr_dev="/dev/mapper/$cr_name"

if [ -z "$mounted" ]; then
	mount -o rw "$cr_dev" "/mnt"
	mp="/mnt"
else
	# re-mount the root fs from the mapper device, forcing rw
	read -r line < "$tmpdir/mounts"
	eval "$line"
	mapfile -td, options < <(echo -n "$OPTIONS")
	# ${#options[@]} is the element count; ${#options} would only be the
	# string length of the first element
	for ((i=0;i<${#options[@]};++i)); do [ "${options[i]}" = ro ] && options[i]=rw; done
	OPTIONS="$(IFS=, eval echo '"${options[*]}"')"
	[ "$SOURCE" = "$blkpart" ] && SOURCE="$cr_dev"
	mount "$cr_dev" "$TARGET" -t "$FSTYPE" -o "$OPTIONS"
	mp="$TARGET"
fi

log_info "resizing fs to max again"
btrfs filesystem resize max "$mp"

make_rw

# reference the LUKS container by its UUID so the initrd can attach it
eval "$(blkid -c /dev/null -o export "$blkpart"|sed 's/^/loop_/')"
echo "$cr_name" "/dev/disk/by-uuid/$loop_UUID" none x-initrd.attach > "$mp"/etc/crypttab

mountstuff

if grep -q "LOADER_TYPE.*grub2" "$mp"/etc/sysconfig/bootloader; then
	log_info "Update bootloader"
	echo GRUB_ENABLE_CRYPTODISK=y >> "$mp"/etc/default/grub
	sed -i -e 's/^LOADER_TYPE=.*/LOADER_TYPE="grub2"/' "$mp"/etc/sysconfig/bootloader
	chroot "$mp" update-bootloader --reinit
	sed -i -e 's/^LOADER_TYPE=.*/LOADER_TYPE="grub2-efi"/' "$mp"/etc/sysconfig/bootloader
	chroot "$mp" update-bootloader --reinit
	# make the generated grub.cfg usable on both BIOS and EFI by replacing
	# the linuxefi/initrdefi commands with variables set at boot
	mv "$mp/boot/grub2/grub.cfg" "$mp/boot/grub2/grub.cfg.bak"
	cat > "$mp/boot/grub2/grub.cfg" <<-'EOF'
		set linux=linux
		set initrd=initrd
		if [ "${grub_cpu}" = "x86_64" -o "${grub_cpu}" = "i386" ]; then
		    if [ "${grub_platform}" = "efi" ]; then
		        set linux=linuxefi
		        set initrd=initrdefi
		    fi
		fi
		export linux initrd
	EOF
	sed -e 's/linuxefi/$linux/;s/initrdefi/$initrd/' < "$mp/boot/grub2/grub.cfg.bak" >> "$mp/boot/grub2/grub.cfg"
	rm "$mp/boot/grub2/grub.cfg.bak"
fi

call_dracut

make_ro

echo "Image encryption completed"
```

File addimageencryption-1+git20230627.7a2ccc3/addimageencryption-initrd:

```sh
#!/bin/sh
exec < /dev/console >/dev/console 2>&1
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh

script=/run/combustion/mount/combustion/script

# a combustion script tagged "# combustion: encrypt" takes over and is
# expected to call addimageencryption itself (see README.md)
if [ -e "$script" ] && grep -qE '^# combustion:(.*)\<encrypt\>' "$script"; then
	systemctl start sysroot.mount
	chmod a+x "$script"
	"$script" --encrypt
else
	systemctl start sysroot.mount
	#/usr/bin/addimageencryption -v < /dev/console >/dev/console 2>&1 || die "Encryption failed"
	/usr/bin/addimageencryption -v || die "Encryption failed"
fi
```

File addimageencryption-1+git20230627.7a2ccc3/addimageencryption-initrd.service:

```ini
[Unit]
Description=Encrypt root disk
DefaultDependencies=false
ConditionKernelCommandLine=|ignition.firstboot
ConditionKernelCommandLine=|combustion.firstboot
# /sysroot needs to be available, but it's temporarily stopped
# for remounting so a direct requirement is not possible
Requires=initrd-root-device.target
After=initrd-root-device.target
# we want to run after combustion copied the config but before combustion
# itself runs
Requires=combustion.service
After=combustion-prepare.service
Before=combustion.service
# After ignition completed its stuff
After=ignition-complete.target
# So that /etc/fstab's x-initrd.mount entries are read (again) later
Before=initrd-parse-etc.service
Conflicts=initrd-switch-root.target umount.target
Conflicts=dracut-emergency.service emergency.service emergency.target
# Without this it goes into an endless loop on failure
OnFailure=emergency.target
OnFailureJobMode=isolate

[Service]
Type=oneshot
ExecStart=/usr/bin/addimageencryption-initrd

[Install]
RequiredBy=initrd.target
```

File addimageencryption-1+git20230627.7a2ccc3/addimageencryption.spec:

```spec
#
# spec file for package addimageencryption
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

# icecream 0

%if 0%{?_build_in_place}
%define git_version %(git log '-n1' '--date=format:%Y%m%d' '--no-show-signature' "--pretty=format:+git%cd.%h")
BuildRequires:  git-core
%else
# this is required for obs' source validator. Its
# 20-files-present-and-referenced check ignores all conditionals. So the
# definition of git_version actually happens always.
%define git_version %{nil}
%endif

Name:           addimageencryption
Version:        84.87%{git_version}
Release:        0
Summary:        Tool to reencrypt kiwi raw images
License:        MIT
URL:            https://github.com/lnussel/addimageencryption
Source:         addimageencryption-%{version}.tar
Requires:       cryptsetup

%description
Convert a plain text kiwi image into one with LUKS full disk encryption.
Supports both raw and qcow2 images. It assumes that the third partition is the
root fs using btrfs. After encrypting the disk, the fs is mounted and a new
initrd created as well as the grub2 config adjusted.

%prep
%setup -q

%build

%install
for i in addimageencryption{,-initrd,-initrd.service} module-setup.sh; do
	install -m 755 -D "$i" %buildroot/usr/lib/dracut/modules.d/95addimageencryption/$i
done
mkdir -p %buildroot/usr/bin
ln -s ../lib/dracut/modules.d/95addimageencryption/addimageencryption %buildroot/usr/bin

%files
%license LICENSE
/usr/bin/addimageencryption
%dir /usr/lib/dracut
%dir /usr/lib/dracut/modules.d
/usr/lib/dracut/modules.d/95addimageencryption

%changelog
```

File addimageencryption-1+git20230627.7a2ccc3/module-setup.sh:

```bash
#!/bin/bash

# called by dracut
check() {
	require_any_binary cryptsetup || return 1
	return 0
}

# called by dracut
depends() {
	echo "crypt"
	return 0
}

# called by dracut
install() {
	inst_multiple -o cryptsetup-reencrypt
	inst_multiple cryptsetup btrfs mktemp getopt mountpoint findmnt sfdisk tac sed
	inst_script "$moddir"/addimageencryption /usr/bin/addimageencryption
	inst_script "$moddir"/addimageencryption-initrd /usr/bin/addimageencryption-initrd
	for service in "addimageencryption-initrd.service"; do
		inst_simple "${moddir}/$service" "${systemdsystemunitdir}/$service"
		$SYSTEMCTL -q --root "$initdir" enable "$service"
	done
}
```
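The script decides whether an image still needs encrypting from blkid's TYPE of the third partition (`crypto_LUKS` means already done, `btrfs` means go ahead) and afterwards writes a crypttab line that references the LUKS UUID. The following is an added example, not code from the addimageencryption project, that performs the same classification offline on a raw image so the outcome of a run can be verified without loop devices or root: it walks the GPT, reads the LUKS1 header fields (magic, version, cipher, UUID) or the btrfs superblock magic of partition 3, and checks that a crypttab line points at that UUID. It assumes a raw (not qcow2) image with a GPT and 512-byte sectors; the third-partition convention is the script's own. All function names, the constructed sample image and its values are mine.

```python
"""Offline checker for the result of addimageencryption (added example, not
part of the project). Assumes a raw image with a GPT and 512-byte sectors and,
like the script, treats the third partition as the root file system."""
import mmap
import struct
import sys
import uuid

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
BTRFS_MAGIC = b"_BHRfS_M"              # at byte 0x40 of the superblock, which sits at 64 KiB
BTRFS_MAGIC_OFFSET = 0x10000 + 0x40


def gpt_partitions(img):
    """Byte ranges (start, end) of the used GPT entries, in table order."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        if img[off:off + 16] == bytes(16):          # all-zero type GUID: unused slot
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", img, off + 32)
        parts.append((first_lba * SECTOR, (last_lba + 1) * SECTOR))
    return parts


def classify_partition(img, start, end):
    """Same decision the script takes from blkid's TYPE: crypto_LUKS, btrfs or unknown."""
    def field(off, n):
        return bytes(img[start + off:start + off + n]).rstrip(b"\0").decode()

    if img[start:start + 6] == LUKS_MAGIC:
        version = struct.unpack_from(">H", img, start + 6)[0]
        info = {"type": "crypto_LUKS", "version": version}
        if version == 1:
            # LUKS1 phdr: cipher-name @8, cipher-mode @40, hash-spec @72 (32 bytes each),
            # payload-offset @104 (sectors, big endian), uuid @168 (40 bytes, NUL padded)
            info.update(cipher=field(8, 32), mode=field(40, 32), hash=field(72, 32),
                        payload_offset=struct.unpack_from(">I", img, start + 104)[0],
                        uuid=field(168, 40))
        return info
    magic_at = start + BTRFS_MAGIC_OFFSET
    if magic_at + 8 <= end and img[magic_at:magic_at + 8] == BTRFS_MAGIC:
        return {"type": "btrfs"}
    return {"type": "unknown"}


def crypttab_matches(crypttab, luks_uuid, name="cr_root"):
    """Verify the line the script writes: NAME /dev/disk/by-uuid/UUID none x-initrd.attach"""
    for line in crypttab.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == name:
            return (fields[1] == "/dev/disk/by-uuid/" + luks_uuid
                    and "x-initrd.attach" in fields[3].split(","))
    return False


def check_image(img, crypttab=None):
    """Classify partition 3 and, for a LUKS image, cross-check the crypttab content."""
    parts = gpt_partitions(img)
    if len(parts) < 3:
        raise ValueError("expected at least three partitions, found %d" % len(parts))
    info = classify_partition(img, *parts[2])
    result = {"root_partition": info}
    if info["type"] == "crypto_LUKS":
        result["is_luks1"] = info["version"] == 1     # the script asks for --type luks1
        if crypttab is not None:
            result["crypttab_ok"] = crypttab_matches(crypttab, info.get("uuid", ""))
    return result


def build_sample_image(encrypted):
    """Constructed test image (not a real kiwi image): three GPT partitions, the third
    carrying either a btrfs superblock magic or a LUKS1 header. Only bytes the checker
    reads are filled in. Returns the image and the UUID written into the LUKS header."""
    root_uuid = str(uuid.uuid4())
    layout = [(34, 35), (36, 39), (40, 199)]                # (first, last) LBA per partition
    img = bytearray((layout[-1][1] + 1) * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, len(layout), 128)  # entries LBA, count, size
    for i, (first, last) in enumerate(layout):
        off = 2 * SECTOR + i * 128
        img[off:off + 32] = uuid.uuid4().bytes + uuid.uuid4().bytes  # type GUID, partition GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
    p3 = layout[2][0] * SECTOR
    if encrypted:
        img[p3:p3 + 6] = LUKS_MAGIC
        struct.pack_into(">H", img, p3 + 6, 1)
        for off, value in ((8, b"aes"), (40, b"xts-plain64"), (72, b"sha256"),
                           (168, root_uuid.encode())):
            img[p3 + off:p3 + off + len(value)] = value
        struct.pack_into(">I", img, p3 + 104, 4096)
    else:
        img[p3 + BTRFS_MAGIC_OFFSET:p3 + BTRFS_MAGIC_OFFSET + 8] = BTRFS_MAGIC
    return bytes(img), root_uuid


if __name__ == "__main__":
    if len(sys.argv) > 1:       # real raw image: map it instead of reading it into memory
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            print(check_image(m))
    else:
        for encrypted in (False, True):
            sample, root_uuid = build_sample_image(encrypted)
            print(check_image(sample, "cr_root /dev/disk/by-uuid/%s none x-initrd.attach" % root_uuid))
```

Run without arguments it exercises the constructed plain and encrypted images; with a path it maps a raw image read-only and reports partition 3. A `btrfs` result on an image that was supposed to be primed and booted once means the first-boot encryption never ran, and a `crypttab_ok` of False means the initrd will not find the container by UUID.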