Introduce Luks encryption service

Add a luks encryption service which will be set up as a systemd service
that manages the creation and configuration of an encrypted volume and
runs during the boot process and host unlocking.

This commit covers only the debian packaging framework for
luks-fs-mgr. The code changes below will enable luks-fs-mgr pkg
build and be part of ISO when deployed.

Test Plan:
PASSED: build-pkgs -c -p luks-fs-mgr
PASSED: build-image
PASSED: AIO-SX bootstrap
PASSED: binary available at /usr/local/sbin/
PASSED: systemd unit file available at /lib/systemd/system
PASSED: luks_config.json available at /etc/luks-fs-mgr.d/
PASSED: AIO-SX sudo systemctl status luks-fs-mgr
        luks-fs-mgr.service - Create and mount encrypted vault
        using LUKS
        Loaded: loaded (/lib/systemd/system/luks-fs-mgr.service;
        enabled; vendor preset: enabled)
        Active: inactive (dead) since Tue 2023-08-29 08:18:58 UTC;
        2h 16min ago
        Main PID: 4607 (code=exited, status=0/SUCCESS)
        CPU: 7.063s

Story: 2010872
Task: 48650

Change-Id: I12ca14368eaf466b3148c2de4ce9202a9aa5a19b
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
Rahul Roshan Kachchap 2023-08-18 09:26:48 -04:00
parent 2c20b741c8
commit f1a536ad8f
15 changed files with 192 additions and 0 deletions

View File

@ -271,6 +271,9 @@ libparted2
parted-doc parted-doc
parted parted
#luks-encryption
luks-fs-mgr
#pf-bb-config #pf-bb-config
pf-bb-config pf-bb-config

View File

@ -40,6 +40,7 @@ config/puppet-modules/puppet-rabbitmq-8.5.0
config/puppet-modules/puppet-staging config/puppet-modules/puppet-staging
docker/python-docker docker/python-docker
filesystem/drbd/drbd-tools filesystem/drbd/drbd-tools
filesystem/luks
filesystem/parted filesystem/parted
golang-github-dev/golang-github-appc-cni golang-github-dev/golang-github-appc-cni
golang-github-dev/golang-github-checkpoint-restore-go-criu-dev golang-github-dev/golang-github-checkpoint-restore-go-criu-dev

View File

@ -0,0 +1,5 @@
luks-fs-mgr (1.0-1) unstable; urgency=medium
* Initial release.
-- Rahul Roshan <rahulroshan.kachchap@windriver.com> Fri, 18 Aug 2023 13:02:42 +0000

View File

@ -0,0 +1,32 @@
Source: luks-fs-mgr
Section: admin
Priority: optional
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
Build-Depends: debhelper-compat (= 13),
libjson-c-dev
Standards-Version: 4.5.1
Homepage: https://www.starlingx.io
Package: luks-fs-mgr
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends}, systemd
Description: Luks encryption service manager
The Luks Encryption Service Manager operates as an essential component during
the boot process and host unlocking, serving as a critical safeguard for data
on StarlingX. This service is responsible for managing the creation,
configuration, and utilization of encrypted volumes, all in accordance with
the Linux Unified Key Setup (LUKS) standard. Its functionality is driven by
the information provided in the luks_config.json file, which acts as a
blueprint for configuring the encryption process.
Upon startup, the service reads the luks_config.json file to extract crucial
parameters, such as the vault file path, volume size, volume name, and
mounting path. If the service detects that the encryption volume is already
open, it unseals it. This step ensures a seamless experience for users, as they
can quickly access their encrypted data without redundant processes.
However, if the encryption volume is not open, the service dynamically creates
one based on the parameters defined in the JSON configuration. It initializes
the vault file using random data, then proceeds to set up the LUKS encryption
mechanism and unseals the newly created volume.
To ensure the highest level of security, the Luks Encryption Service Manager
employs error handling and logging mechanisms, enabling administrators to
monitor and troubleshoot any issues that may arise.
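Review bot: `Depends:` lists only `systemd`, yet the Description says the service initializes a vault file and sets up LUKS; whatever tool or library performs that step is not named anywhere in this change and has to become a declared dependency when the real binary lands. The long description also documents behaviour the placeholder source in this commit does not have, and "If the service detects that the encryption volume is already open, it unseals it" reads inverted next to the paragraph that follows it. Suggest trimming the description to what the package does today and dropping the "highest level of security" sentence, since error handling and logging are operational features, not a security property.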

View File

@ -0,0 +1,41 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: luks-fs-mgr
Source: https://opendev.org/starlingx/integ/src/branch/master/filesystem/luks
Files: *
Copyright: (c) 2023 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.
# If you want to use GPL v2 or later for the /debian/* files use
# the following clauses, or change it to suit. Delete these two lines
Files: debian/*
Copyright: 2023 Wind River Systems, Inc
License: Apache-2
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.
On Debian-based systems the full text of the Apache version 2.0 license
can be found in `/usr/share/common-licenses/Apache-2.0'.
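Review bot: The two template comment lines starting `# If you want to use GPL v2 or later` were left in before the `Files: debian/*` stanza even though they say "Delete these two lines"; remove them. The `Files: debian/*` stanza repeats the `Files: *` stanza with the same holder and license, so it can be dropped entirely. The short name `License: Apache-2` does not match the `Apache-2.0` file the text points to in `/usr/share/common-licenses/`; use `Apache-2.0` consistently, and pick one copyright form (`(c) 2023` or `2023`).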

View File

@ -0,0 +1,3 @@
etc/luks-fs-mgr.d
usr/local/sbin
lib/systemd/system

View File

@ -0,0 +1,3 @@
usr/local/sbin/luks-fs-mgr
lib/systemd/system/luks-fs-mgr.service
etc/luks-fs-mgr.d/luks_config.json

View File

@ -0,0 +1,11 @@
[Unit]
Description=Create and mount encrypted vault using LUKS
After=local-fs.target network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/luks-fs-mgr start
PIDFile=/var/run/luks-fs-mgr.pid
[Install]
WantedBy=multi-user.target
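Review bot: In `[Service]`, `PIDFile=` is meant for `Type=forking` services and serves no purpose with `Type=oneshot`; it also uses the legacy `/var/run` path, so drop the line. Without `RemainAfterExit=yes` the unit returns to `inactive (dead)` as soon as the binary exits, which is what the test plan output shows, so other units cannot order themselves against "vault is mounted" and there is no `ExecStop=` to unmount and close the volume at shutdown. `After=network-online.target` only orders the unit and does not pull that target in without a matching `Wants=`; nothing in this change shows why a local vault needs the network, so either justify it in a comment or remove it.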

View File

@ -0,0 +1,26 @@
#!/usr/bin/make -f
# export DH_VERBOSE = 1
export ROOT = debian/tmp
export LOCAL_SBINDIR = $(ROOT)/usr/local/sbin
export UNITDIR = $(ROOT)/lib/systemd/system
export CONFIGDIR = $(ROOT)/etc/luks-fs-mgr.d
%:
dh $@
override_dh_auto_test:
echo
override_dh_auto_install:
install -m 755 -d ${LOCAL_SBINDIR}
install -m 700 -p -D encryption/luks-fs-mgr ${LOCAL_SBINDIR}/luks-fs-mgr
install -m 755 -d ${UNITDIR}
install -p -D -m 644 ./debian/luks-fs-mgr.service ${UNITDIR}/luks-fs-mgr.service
install -p -D -m 644 encryption/scripts/luks_config.json ${CONFIGDIR}/luks_config.json
override_dh_installsystemd:
dh_installsystemd --name luks-fs-mgr
override_dh_usrlocal:
echo
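Review bot: `override_dh_usrlocal` is only needed because `LOCAL_SBINDIR` puts the packaged binary under `/usr/local/sbin`, a tree Debian Policy leaves to the local administrator; installing to `/usr/sbin` (and updating `ExecStart=`) removes the override, or, if the project convention requires `/usr/local`, a comment should say so. The `echo` recipes in `override_dh_auto_test` and `override_dh_usrlocal` can simply be empty targets. `$(CONFIGDIR)` is created implicitly by `install -D` while the other two directories get an explicit `install -m 755 -d`; create it the same way so its mode is stated rather than inherited from the build umask.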

View File

@ -0,0 +1 @@
3.0 (quilt)

View File

@ -0,0 +1,6 @@
debname: luks-fs-mgr
debver: 1.0
src_path: src
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true

View File

@ -0,0 +1,19 @@
#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
VER=1
VER_MJR=1
build:
(cd encryption ; make all VER=$(VER) VER_MJR=$(VER_MJR))
clean:
@( cd encryption ; make clean )
backup: clean
mkdir -p ~/luks
cp -a * ~/luks
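Review bot: The `backup` target copies the tree into `~/luks`, which is a developer convenience that should not ship in the packaged source; please remove it. `build` and `clean` should be declared `.PHONY`, and the sub-make calls should use `$(MAKE) -C encryption` instead of `cd encryption ; make` so that flags and job-server settings propagate. `VER` and `VER_MJR` are passed down but the Makefile in `encryption` never reads them; drop them until they are used.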

View File

@ -0,0 +1,26 @@
#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
SHELL = /bin/bash
CFLAGS = -Wall -Wextra -g -Werror -std=c++11
LIBS = -lstdc++ -lstdc++ -ljson-c
INCLUDES = -I.
CC=g++
SRC = luks-fs-mgr.cpp
EXECUTABLE = luks-fs-mgr
.PHONY: all clean
all: $(EXECUTABLE)
$(EXECUTABLE): $(SRC)
$(CC) $(CFLAGS) -o $@ $< $(LIBS)
clean:
rm -f $(EXECUTABLE) *.o
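Review bot: `CFLAGS` is hard-coded with `=` and there is no `LDFLAGS` in the link line, so the hardening flags the Debian build environment provides through dpkg-buildflags are not picked up for a binary that will run as root and handle key material; use `CXXFLAGS +=` / `LDFLAGS` and let the packaging supply the defaults. Since the compiler is `g++`, the conventional variables are `CXX` and `CXXFLAGS` rather than `CC` and `CFLAGS`. `-lstdc++` is listed twice and is redundant when linking with `g++`, `INCLUDES` is defined but never used, and `-Werror` in a package build will break on the next compiler upgrade.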

View File

@ -0,0 +1,6 @@
#include <iostream>
int main() {
std::cout << "Hello, world!" << std::endl;
return 0;
}
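Review bot: This placeholder has no copyright or SPDX header, unlike the two Makefiles added in the same change, and nothing in the file marks it as a stub. `main()` takes no arguments while the unit file invokes the binary as `luks-fs-mgr start`, so the argument is silently ignored; add a comment stating that this is a packaging placeholder, or consider leaving the unit disabled until the real implementation is merged so that an enabled boot-time service is not reporting success for work it does not do.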

View File

@ -0,0 +1,9 @@
{
"luksvolumes": [{
"PASSPHRASE_TYPE": "HWID",
"VAULT_FILE": "/var/luks/stx/luks_volume.img",
"VAULT_SIZE": "256M",
"VOL_NAME": "luks_encrypted_vault",
"MOUNT_PATH": "/var/luks/stx/luks_fs"
}]
}
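Review bot: `"PASSPHRASE_TYPE": "HWID"` is the only statement about key material in this change and it is undocumented. Please describe what HWID refers to, where the value is read from, and who on the host can read it; if the passphrase is derived from an identifier that is readable on the running system, the vault protects the image only once it has left the machine, and that limit belongs in the package description. `VAULT_SIZE` is a string with a unit suffix (`"256M"`), so the accepted grammar (M versus MiB, allowed suffixes, bounds) needs to be specified, along with the other allowed values of `PASSPHRASE_TYPE`.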