
[PATCH] Support for LUKS-contained encrypted rootfs



Hi,

I'd like to submit these small patches to live-build and live-boot which allow me to build a useable encrypted live root filesystem using cryptsetup and LUKS.

These are surely not fit for merging as-is, but I'm providing it in the hope that it might provide some kind of baseline for the return of encrypted rootfs in debian-live.

Some notes :

* This code is barely tested, please don't use it on anything but a test build system.

* The cryptsetup package still needs to be added manually using a package-list. I couldn't figure out the right way to install it automatically in the chroot stage.

* The live-boot parameter to use is encryption=luks.

* The config/binary parameter to use is LB_LUKS_ENCRYPTION="true".

* The aforementioned variable and parameter names might need to be changed to something else for namespace consistency.

* cryptsetup operations in binary stage execute outside of the chroot only.

* The interactive part of binary_luks_encryption is flaky, it could be a lot more robust I think.

* I didn't take the liberty of patching out cryptoloop support from live-boot, however that might need to be considered due to its deprecated status.


Regards,

-- Jerome
diff --git a/components/9990-misc-helpers.sh b/components/9990-misc-helpers.sh
index 2bf2db1..9df8b68 100755
--- a/components/9990-misc-helpers.sh
+++ b/components/9990-misc-helpers.sh
@@ -614,6 +614,10 @@ setup_loop ()
 			if [ -z "${encryption}" ]
 			then
 				losetup ${options} "${dev}" "${fspath}"
+			elif [ "${encryption}" = "luks" ]
+			then
+				losetup ${options} "${dev}" "${fspath}"
+				dev=$(open_luks_device "${dev}")
 			else
 				# Loop AES encryption
 				while true
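Review bot: The result of `dev=$(open_luks_device "${dev}")` is never checked, so if the helper fails or prints nothing, `dev` becomes empty while the loop device attached on the line before stays attached. The original loop device name is also overwritten, which leaves nothing to detach on that path. Keeping the two apart would handle it, e.g. `if ! luks_dev=$(open_luks_device "${dev}"); then losetup -d "${dev}"; return 1; fi` followed by `dev="${luks_dev}"`. `open_luks_device` is not defined in this patch and `setup_loop` starts and ends outside the hunk, so how failure should be reported to the caller needs confirming against the rest of the function.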
diff --git a/scripts/build/binary b/scripts/build/binary
index 60e0532..f8bdc27 100755
--- a/scripts/build/binary
+++ b/scripts/build/binary
@@ -68,6 +68,7 @@ lb binary_disk ${@}
 lb binary_loadlin ${@}
 lb binary_win32-loader ${@}
 lb binary-includes ${@}
+lb binary_luks_encryption ${@}
 lb binary-hooks ${@}
 lb binary_checksums ${@}
 
diff --git a/scripts/build/binary_luks_encryption b/scripts/build/binary_luks_encryption
new file mode 100755
index 0000000..b68a59c
--- /dev/null
+++ b/scripts/build/binary_luks_encryption
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="$(Echo 'create rootfs luks container')"
+HELP=""
+USAGE="${PROGRAM}"
+
+Arguments "${@}"
+
+# Reading configuration files
+Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
+Set_defaults
+
+if [ "${LB_LUKS_ENCRYPTION}" != "true" ]
+then
+    return 0
+fi
+
+# Requiring stage file
+Require_stagefile .build/binary_rootfs
+
+# Checking stage file
+Check_stagefile .build/binary_luks_encryption
+
+# Checking lock file
+Check_lockfile .lock
+
+# Creating lock file
+Create_lockfile .lock
+
+case "${LB_INITRAMFS}" in
+        casper)
+                INITFS="casper"
+                ;;
+
+        live-boot)
+                INITFS="live"
+                ;;
+
+        *)
+                INITFS="boot"
+                ;;
+esac
+
+# Checking depends
+Check_package chroot/sbin/cryptsetup cryptsetup
+
+# Restoring cache
+Restore_cache cache/packages.binary
+
+# Installing depends
+Install_package
+
+# Find available loop device
+LOOPDEV=$(losetup -f)
+
+# Calculate LUKS container size by adding 4k for the LUKS header
+BLOCKS=$(ls -l --block-size=512 binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM} | awk '{print $5+4096}')
+
+Echo_message "Begin creating LUKS encrypted container for root filesystem..."
+
+dd if=/dev/zero of=binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp bs=512 count=1 seek=${BLOCKS}
+losetup ${LOOPDEV} binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp
+
+# Check if /dev/mapper/live is available
+if /sbin/cryptsetup status live 1>/dev/null 2>&1
+then
+	log_warning_msg "Couldn't create LUKS device 'live', already open"
+	return 1
+fi
+
+while true
+do
+
+	echo
+	echo " **************************************"
+	Echo " ** Configuring encrypted filesystem **"
+	echo " **************************************"
+	echo
+
+	/lib/cryptsetup/askpass "Enter root filesystem passphrase : " | \
+		/sbin/cryptsetup --batch-mode --key-file - luksFormat ${LOOPDEV}
+
+	echo
+	if /lib/cryptsetup/askpass "Confirm root filesystem passphrase : " | \
+		/sbin/cryptsetup -T 1 luksOpen ${LOOPDEV} live
+        then
+		echo
+		break
+        fi
+
+        echo
+        echo -n "There was an error creating the LUKS container ... Retry? [Y/n] "
+        read answer
+
+        if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ]
+        then
+ 		return 1
+        fi
+done
+
+Echo_message "Begin moving root filesystem into encrypted LUKS container..."
+
+dd if=binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM} of=/dev/mapper/live bs=512
+
+# Close LUKS container
+cryptsetup luksClose /dev/mapper/live
+losetup -d ${LOOPDEV}
+
+# Move LUKS container into place
+mv binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}
+
+# Creating stage file
+Create_stagefile .build/binary_luks_encryption
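Review bot: Once `losetup` has run, every failure path leaves state on the build host: the two `return 1` branches and any command aborted by `set -e` (luksFormat, the `dd` into `/dev/mapper/live`) exit with the loop device attached and the `.tmp` image on disk, and after a successful luksOpen the decrypted mapping `live` stays open. A cleanup helper called before each error exit, as sketched below, closes that gap. The sketch also replaces the top-level `return` with `exit`, since `return` outside a function is not portable in an executed `#!/bin/sh` script; the early `return 0` needs the same change. If the helper is installed as an EXIT trap instead, it must be combined with any trap `Create_lockfile` sets, which this patch does not show.

```shell
# Undo partial state so a failed run leaves no open mapping behind
Cleanup_luks ()
{
	if [ "${LUKS_OPENED}" = "true" ]
	then
		/sbin/cryptsetup luksClose live || true
	fi

	losetup -d "${LOOPDEV}" || true
	rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp"
}

# ... unchanged: loop device lookup, size calculation, dd, losetup ...

if /sbin/cryptsetup status live 1>/dev/null 2>&1
then
	log_warning_msg "Couldn't create LUKS device 'live', already open"
	Cleanup_luks
	exit 1
fi

# ... unchanged: banner and luksFormat inside the retry loop ...

	if /lib/cryptsetup/askpass "Confirm root filesystem passphrase : " | \
		/sbin/cryptsetup -T 1 luksOpen ${LOOPDEV} live
	then
		LUKS_OPENED="true"
		echo
		break
	fi

	# ... unchanged: retry prompt ...

	if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ]
	then
		Cleanup_luks
		exit 1
	fi

# ... unchanged: end of loop, progress message ...

if ! dd if="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" of=/dev/mapper/live bs=512
then
	Cleanup_luks
	exit 1
fi
```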
diff --git a/scripts/build/config b/scripts/build/config
index e3ae141..aa1f220 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -122,7 +122,8 @@ USAGE="${PROGRAM}   [--apt apt|aptitude]\n\
 \t    [--win32-loader true|false]\n\
 \t    [--bootstrap-qemu-exclude PACKAGES]\n\
 \t    [--bootstrap-qemu-static PATH]\n\
-\t    [--bootstrap-qemu-arch ARCH]"
+\t    [--bootstrap-qemu-arch ARCH]\n
+\t    [--luks-encryption true|false]"
 
 
 Local_arguments ()
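Review bot: The line `\t    [--bootstrap-qemu-arch ARCH]\n` has lost the trailing backslash that the other continuation lines of USAGE in this hunk end with, so the string now holds a literal newline in addition to the `\n` escape and the usage text will presumably gain an empty line before the new option when printed. It should read `\t    [--bootstrap-qemu-arch ARCH]\n\`. The USAGE assignment starts outside the hunk.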
@@ -147,7 +148,7 @@ Local_arguments ()
 		net-cow-server:,net-tarball:,firmware-binary:,firmware-chroot:,swap-file-path:,swap-file-size:,
 		loadlin:,win32-loader:,source:,source-images:,breakpoints,conffile:,debug,force,
 		help,ignore-system-defaults,quiet,usage,verbose,version,bootstrap-qemu-static:,bootstrap-qemu-arch:,
-		bootstrap-qemu-exclude:"
+		bootstrap-qemu-exclude:,luks-encryption:"
 	# Remove spaces added by indentation
 	LONG_OPTIONS="$(echo ${LONG_OPTIONS} | tr -d ' ')"
 	ARGUMENTS="$(getopt --longoptions ${LONG_OPTIONS} --name="${PROGRAM}" --options a:f:d:m:l:k:p:b:e:s:c:huv --shell sh -- "${@}")"
@@ -703,6 +704,11 @@ Local_arguments ()
 				shift 2
 				;;
 
+			--luks-encryption)
+				LB_LUKS_ENCRYPTION="${2}"
+				shift 2
+				;;
+
 			# config/source
 			--source)
 				LB_SOURCE="${2}"
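Review bot: The `--luks-encryption` branch stores `${2}` without validating it, and `binary_luks_encryption` only acts when the value is exactly `true`. A value such as `True` or `yes` is therefore accepted here and then silently produces an unencrypted root filesystem, which is the unsafe direction for this option to fail in. Rejecting anything other than `true` or `false` at parse time would surface the mistake, for example `case "${2}" in true|false) ;; *) Echo_error "--luks-encryption must be true or false"; exit 1 ;; esac` before the assignment. The enclosing `case` statement starts and ends outside the hunk.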
@@ -1307,6 +1313,10 @@ LB_SWAP_FILE_PATH="${LB_SWAP_FILE_PATH}"
 # \$LB_SWAP_FILE_SIZE: set swap file size
 # (Default: ${LB_SWAP_FILE_SIZE})
 LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"
+
+# \$LB_LUKS_ENCRYPTION: encrypt rootfs using luks
+# (Default: ${LB_LUKS_ENCRYPTION})
+LB_LUKS_ENCRYPTION="${LB_LUKS_ENCRYPTION}"
 EOF
 
 # Creating lb_source_* configuration
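Review bot: Nothing visible in this patch gives `LB_LUKS_ENCRYPTION` a default, so unless `Set_defaults` is extended elsewhere the generated config will read `(Default: )` and `LB_LUKS_ENCRYPTION=""`. A line such as `LB_LUKS_ENCRYPTION="${LB_LUKS_ENCRYPTION:-false}"` in the defaults would make the written file state explicitly that the rootfs is not encrypted. The enclosing here-document starts outside the hunk.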
