On Tue Jul 05, 2011 at 06:23:07PM +0200, Roberto Sassu <roberto.sassu@xxxxxxxxx> wrote: > This modules mounts an eCryptfs filesystem from the initial ramdisk using > an encrypted key. Thanks Roberto - this is very useful. This patch looks pretty good, but I do have a few comments below. > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx> > Acked-by: Gianluca Ramunno <ramunno@xxxxxxxxx> > --- > dracut.kernel.7.xml | 6 ++ > modules.d/98ecryptfs/README | 45 +++++++++++++++ > modules.d/98ecryptfs/ecryptfs-mount.sh | 95 ++++++++++++++++++++++++++++++++ > modules.d/98ecryptfs/module-setup.sh | 20 +++++++ > 4 files changed, 166 insertions(+), 0 deletions(-) > create mode 100644 modules.d/98ecryptfs/README > create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh > create mode 100755 modules.d/98ecryptfs/module-setup.sh > > diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml > index 759871b..c5d74d0 100644 > --- a/dracut.kernel.7.xml > +++ b/dracut.kernel.7.xml > @@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para> > <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para> > </listitem> > </varlistentry> > + <varlistentry> > + <term><envar>ecryptfskey=</envar><replaceable><eCryptfs key path name></replaceable></term> > + <listitem> > + <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para> > + </listitem> > + </varlistentry> > </variablelist> > </refsect2> > <refsect2> > diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README > new file mode 100644 > index 0000000..c592d8d > --- /dev/null > +++ b/modules.d/98ecryptfs/README > @@ -0,0 +1,45 @@ > +# Directions for creating the encrypted key that will be used to mount an > +# eCryptfs filesystem > + > +# Create the eCryptfs key (encrypted key type) > +# > +# The encrypted key type supports two formats: the 'default' format allows > +# to generate a random symmetric key of the length specified, the 'ecryptfs' > +# format generates an authentication token for the eCryptfs filesystem, > +# which contains a randomly generated key. Two requirements for the latter > +# format is that the key description must contain exactly 16 hexadecimal > +# characters and that the encrypted key length must be equal to 64. > +$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u > +782117972 > + > +# Save the encrypted key > +$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob' > + > +# The eCryptfs key path name can be set in one of the following ways (specified in > +# the order in which the variable is overwritten): > + > +1) use the default value: > +-------------------------------------------------------------------------- > +ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob > +-------------------------------------------------------------------------- > + > +2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY > +variable; > + > +3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command > +line. > + > +# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify > +# more options for mounting the eCryptfs filesystem: > + > +ECRYPTFSDIR: mount point directory for the eCryptfs filesystem (the directory must be > + created in the root filesystem before rebooting the system); I'd like to see an ECRYPTFSSRCDIR and ECRYPTFSDSTDIR defined to allow different source and destination directories. You can default both of those variables to "/secret" and still keep the same functionality that is in this patch. > +ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig' > + option is automatically added by the dracut script) > + > +# Example of the configuration file: > +----------- '/etc/sysconfig/ecryptfs' (with default values) ----------- > +ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob > +ECRYPTFSDIR="/secret" > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32" > +----------------------------------------------------------------------- > diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh > new file mode 100755 > index 0000000..b1abfc2 > --- /dev/null > +++ b/modules.d/98ecryptfs/ecryptfs-mount.sh > @@ -0,0 +1,95 @@ > +#!/bin/sh > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- > +# ex: ts=8 sw=4 sts=4 et filetype=sh > + > +# Licensed under the GPLv2 > +# > +# Copyright (C) 2011 Politecnico di Torino, Italy > +# TORSEC group -- http://security.polito.it > +# Roberto Sassu <roberto.sassu@xxxxxxxxx> > + > +ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs" > +ECRYPTFSKEYTYPE="encrypted" > +ECRYPTFSKEYDESC="1000100010001000" > +ECRYPTFSKEYID="" > +ECRYPTFSDIR="/secret" > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32" The default in both eCryptfs mount helpers is "ecryptfs_cipher=aes,ecryptfs_key_bytes=16" I'd prefer that you didn't bump the ecryptfs_key_bytes default up to 32 here. > + > +load_ecryptfs_key() > +{ > + # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel > + # command line > + ECRYPTFSKEYARG=$(getarg ecryptfskey=) > + [ $? -eq 0 ] && \ > + ECRYPTFSKEY=$ECRYPTFSKEYARG > + > + # set the default value > + [ -z "$ECRYPTFSKEY" ] && \ > + ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob"; > + > + # set the eCryptfs key path name > + ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}" > + > + # check for eCryptfs encrypted key's existence > + if [ ! -f "${ECRYPTFSKEYPATH}" ]; then > + if [ "${RD_DEBUG}" = "yes" ]; then > + info "eCryptfs: missing the eCryptfs key: ${ECRYPTFSKEYDESC}" This debug message seems potentially confusing. How about something along the lines of, "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"? Tyler > + fi > + return 1 > + fi > + > + # read the eCryptfs encrypted key blob > + KEYBLOB=$(cat ${ECRYPTFSKEYPATH}) > + > + # load the eCryptfs encrypted key blob > + ECRYPTFSKEYID=`keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u` > + [ $? -eq 0 ] || { > + info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}"; > + return 1; > + } > + > + return 0 > +} > + > +unload_ecryptfs_key() > +{ > + # unlink the eCryptfs encrypted key > + keyctl unlink ${ECRYPTFSKEYID} @u || { > + info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}"; > + return 1; > + } > + > + return 0 > +} > + > +mount_ecryptfs() > +{ > + # read the configuration from the config file > + [ -f "${ECRYPTFSCONFIG}" ] && \ > + . ${ECRYPTFSCONFIG} > + > + # load the eCryptfs encrypted key > + load_ecryptfs_key || return 1 > + > + # set the eCryptfs filesystem mount point > + ECRYPTFSMNT="${NEWROOT}${ECRYPTFSDIR}" > + > + # build the mount options variable > + ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}" > + [ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ] && \ > + ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}" > + > + # mount the eCryptfs filesystem > + info "Mounting the configured eCryptfs filesystem" > + mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSMNT} ${ECRYPTFSMNT} >/dev/null || { > + info "eCryptfs: mount of the eCryptfs filesystem failed"; > + return 1; > + } > + > + # unload the eCryptfs encrypted key > + unload_ecryptfs_key || return 1 > + > + return 0 > +} > + > +mount_ecryptfs > diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh > new file mode 100755 > index 0000000..56c2d41 > --- /dev/null > +++ b/modules.d/98ecryptfs/module-setup.sh > @@ -0,0 +1,20 @@ > +#!/bin/bash > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- > +# ex: ts=8 sw=4 sts=4 et filetype=sh > + > +check() { > + return 0 > +} > + > +depends() { > + echo masterkey > + return 0 > +} > + > +installkernel() { > + instmods ecryptfs > +} > + > +install() { > + inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh" > +} > -- > 1.7.4.4 > -- To unsubscribe from this list: send the line "unsubscribe initramfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
