Re: [PATCH v2 4/4] dracut: added new module ecryptfs

Hi Tyler

Thanks for the comments. I'll implement them in
the next version of the patches.
Just one improvement that I can see is to leave
the ECRYPTFS_EXTRA_MOUNT_OPTS variable
empty, so that we don't need to change the
script if the default value of an eCryptfs mount
parameter changes. What do you think about it?

Roberto Sassu


On Thursday, July 07, 2011 05:55:56 PM Tyler Hicks wrote:
> On Tue Jul 05, 2011 at 06:23:07PM +0200, Roberto Sassu <roberto.sassu@xxxxxxxxx> wrote:
> > This module mounts an eCryptfs filesystem from the initial ramdisk using
> > an encrypted key.
> 
> Thanks Roberto - this is very useful. This patch looks pretty good, but
> I do have a few comments below.
> 
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
> > Acked-by: Gianluca Ramunno <ramunno@xxxxxxxxx>
> > ---
> >  dracut.kernel.7.xml                    |    6 ++
> >  modules.d/98ecryptfs/README            |   45 +++++++++++++++
> >  modules.d/98ecryptfs/ecryptfs-mount.sh |   95 ++++++++++++++++++++++++++++++++
> >  modules.d/98ecryptfs/module-setup.sh   |   20 +++++++
> >  4 files changed, 166 insertions(+), 0 deletions(-)
> >  create mode 100644 modules.d/98ecryptfs/README
> >  create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
> >  create mode 100755 modules.d/98ecryptfs/module-setup.sh
> > 
> > diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
> > index 759871b..c5d74d0 100644
> > --- a/dracut.kernel.7.xml
> > +++ b/dracut.kernel.7.xml
> > @@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
> >              <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
> >            </listitem>
> >          </varlistentry>
> > +        <varlistentry>
> > +          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
> > +          <listitem>
> > +            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
> > +          </listitem>
> > +        </varlistentry>
> >        </variablelist>
> >      </refsect2>
> >      <refsect2>
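
Review bot: The new ecryptfskey= entry documents the parameter only through an example path and says neither what happens when it is omitted nor what the path is relative to. ecryptfs-mount.sh falls back to /etc/keys/ecryptfs-trusted.blob and prefixes the value with ${NEWROOT}, so the <para> should state that default and that the path is resolved inside the real root filesystem, not inside the initramfs.
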
> > diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
> > new file mode 100644
> > index 0000000..c592d8d
> > --- /dev/null
> > +++ b/modules.d/98ecryptfs/README
> > @@ -0,0 +1,45 @@
> > +# Directions for creating the encrypted key that will be used to mount an
> > +# eCryptfs filesystem
> > +
> > +# Create the eCryptfs key (encrypted key type)
> > +#
> > +# The encrypted key type supports two formats: the 'default' format allows
> > +# to generate a random symmetric key of the length specified, the 'ecryptfs'
> > +# format generates an authentication token for the eCryptfs filesystem,
> > +# which contains a randomly generated key. Two requirements for the latter
> > +# format is that the key description must contain exactly 16 hexadecimal
> > +# characters and that the encrypted key length must be equal to 64.
> > +$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
> > +782117972
> > +
> > +# Save the encrypted key
> > +$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
> > +
> > +# The eCryptfs key path name can be set in one of the following ways (specified in
> > +# the order in which the variable is overwritten):
> > +
> > +1) use the default value:
> > +--------------------------------------------------------------------------
> > +ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob
> > +--------------------------------------------------------------------------
> > +
> > +2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
> > +variable;
> > +
> > +3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
> > +line.
> > +
> > +# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
> > +# more options for mounting the eCryptfs filesystem:
> > +
> > +ECRYPTFSDIR: mount point directory for the eCryptfs filesystem (the directory must be
> > +             created in the root filesystem before rebooting the system);
> 
> I'd like to see an ECRYPTFSSRCDIR and ECRYPTFSDSTDIR defined to allow
> different source and destination directories. You can default both of
> those variables to "/secret" and still keep the same functionality that
> is in this patch.
> 
> > +ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
> > +                           option is automatically added by the dracut script) 
> > +
> > +# Example of the configuration file:
> > +----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
> > +ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob
> > +ECRYPTFSDIR="/secret"
> > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> > +-----------------------------------------------------------------------
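
Review bot: The example configuration file sets ECRYPTFS_KEY, while options 1) and 2) earlier in this README and ecryptfs-mount.sh use ECRYPTFSKEY, so a file copied from the example is sourced without changing the key path and the default is used silently. Rename the example line to ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob. The block is also labelled "with default values", so its ECRYPTFS_EXTRA_MOUNT_OPTS line has to be kept in step with whatever default the script ends up with.
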
> > diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
> > new file mode 100755
> > index 0000000..b1abfc2
> > --- /dev/null
> > +++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
> > @@ -0,0 +1,95 @@
> > +#!/bin/sh
> > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> > +# ex: ts=8 sw=4 sts=4 et filetype=sh
> > +
> > +# Licensed under the GPLv2
> > +#
> > +# Copyright (C) 2011 Politecnico di Torino, Italy
> > +#                    TORSEC group -- http://security.polito.it
> > +# Roberto Sassu <roberto.sassu@xxxxxxxxx>
> > +
> > +ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
> > +ECRYPTFSKEYTYPE="encrypted"
> > +ECRYPTFSKEYDESC="1000100010001000"
> > +ECRYPTFSKEYID=""
> > +ECRYPTFSDIR="/secret"
> > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> 
> The default in both eCryptfs mount helpers is
> "ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
> 
> I'd prefer that you didn't bump the ecryptfs_key_bytes default up to 32
> here.
> 
> > +
> > +load_ecryptfs_key()
> > +{
> > +    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
> > +    # command line
> > +    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
> > +    [ $? -eq 0 ] && \
> > +        ECRYPTFSKEY=$ECRYPTFSKEYARG
> > +
> > +    # set the default value
> > +    [ -z "$ECRYPTFSKEY" ] && \
> > +        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
> > +
> > +    # set the eCryptfs key path name
> > +    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
> > +
> > +    # check for eCryptfs encrypted key's existence
> > +    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
> > +        if [ "${RD_DEBUG}" = "yes" ]; then
> > +            info "eCryptfs: missing the eCryptfs key: ${ECRYPTFSKEYDESC}"
> 
> This debug message seems potentially confusing. How about something
> along the lines of, "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"?
> 
> Tyler
> 
> > +        fi
> > +        return 1
> > +    fi
> > +
> > +    # read the eCryptfs encrypted key blob
> > +    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
> > +
> > +    # load the eCryptfs encrypted key blob
> > +    ECRYPTFSKEYID=`keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u`
> > +    [ $? -eq 0 ] || {
> > +        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
> > +        return 1;
> > +    }
> > +
> > +    return 0
> > +}
> > +
> > +unload_ecryptfs_key()
> > +{
> > +    # unlink the eCryptfs encrypted key
> > +    keyctl unlink ${ECRYPTFSKEYID} @u || {
> > +        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
> > +        return 1;
> > +    }
> > +
> > +    return 0
> > +}
> > +
> > +mount_ecryptfs()
> > +{
> > +    # read the configuration from the config file
> > +    [ -f "${ECRYPTFSCONFIG}" ] && \
> > +        . ${ECRYPTFSCONFIG}
> > +
> > +    # load the eCryptfs encrypted key
> > +    load_ecryptfs_key || return 1
> > +
> > +    # set the eCryptfs filesystem mount point
> > +    ECRYPTFSMNT="${NEWROOT}${ECRYPTFSDIR}"
> > +
> > +    # build the mount options variable
> > +    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
> > +    [ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ] && \
> > +        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
> > +
> > +    # mount the eCryptfs filesystem
> > +    info "Mounting the configured eCryptfs filesystem"
> > +    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSMNT} ${ECRYPTFSMNT} >/dev/null || {
> > +        info "eCryptfs: mount of the eCryptfs filesystem failed";
> > +        return 1;
> > +    }
> > +
> > +    # unload the eCryptfs encrypted key
> > +    unload_ecryptfs_key || return 1
> > +
> > +    return 0
> > +}
> > +
> > +mount_ecryptfs
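
Review bot: In mount_ecryptfs the mount failure branch returns 1 before unload_ecryptfs_key runs, so a failed mount leaves the loaded key linked to @u; call unload_ecryptfs_key in that branch before returning. Separately, several expansions are unquoted: '[ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ]' gives the right answer for an empty value only by accident and is a test syntax error when the value contains whitespace, and 'cat ${ECRYPTFSKEYPATH}', '. ${ECRYPTFSCONFIG}' and the two mount path arguments are word-split if a path contains spaces. Quote them and use '[ -n "${ECRYPTFS_EXTRA_MOUNT_OPTS}" ]'. The missing-key message in load_ecryptfs_key is also printed only when RD_DEBUG is "yes", so on a normal boot the module skips the mount without any message; log that case unconditionally.
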
> > diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
> > new file mode 100755
> > index 0000000..56c2d41
> > --- /dev/null
> > +++ b/modules.d/98ecryptfs/module-setup.sh
> > @@ -0,0 +1,20 @@
> > +#!/bin/bash
> > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> > +# ex: ts=8 sw=4 sts=4 et filetype=sh
> > +
> > +check() {
> > +    return 0
> > +}
> > +
> > +depends() {
> > +    echo masterkey
> > +    return 0
> > +}
> > +
> > +installkernel() {
> > +    instmods ecryptfs
> > +}
> > +
> > +install() {
> > +    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
> > +}
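
Review bot: check() returns 0 unconditionally, so the pre-pivot hook is pulled into every initramfs, including on hosts that have no eCryptfs key or configuration; gate inclusion on the tools the hook needs being present, or on the module being requested explicitly. In install(), only the hook is registered, although ecryptfs-mount.sh calls keyctl, so the script relies on the masterkey dependency to provide that binary. Either install it here as well or add a comment stating the dependency is what supplies it.
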
> 
> 
> 