Introduce Luks encryption service

Add a luks encryption service which will be set up as a systemd service that manages the creation and configuration of encrypted volumes and runs during the boot process and host unlocking.

This commit covers only the debian packaging framework for luks-fs-mgr. The code changes below will enable the luks-fs-mgr pkg build and be part of the ISO when deployed.

Test Plan:
PASSED: build-pkgs -c -p luks-fs-mgr
PASSED: build-image
PASSED: AIO-SX bootstrap
PASSED: binary available at /usr/local/sbin/
PASSED: systemd unit file available at /lib/systemd/system
PASSED: luks_config.json available at /etc/luks-fs-mgr.d/
PASSED: AIO-SX sudo systemctl status luks-fs-mgr
  luks-fs-mgr.service - Create and mount encrypted vault using LUKS
  Loaded: loaded (/lib/systemd/system/luks-fs-mgr.service; enabled; vendor preset: enabled)
  Active: inactive (dead) since Tue 2023-08-29 08:18:58 UTC; 2h 16min ago
  Main PID: 4607 (code=exited, status=0/SUCCESS)
  CPU: 7.063s

Story: 2010872
Task: 48650
Change-Id: I12ca14368eaf466b3148c2de4ce9202a9aa5a19b
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
This commit is contained in:
parent 2c20b741c8
commit f1a536ad8f
@ -271,6 +271,9 @@ libparted2
|
|||||||
parted-doc
|
parted-doc
|
||||||
parted
|
parted
|
||||||
|
|
||||||
|
#luks-encryption
|
||||||
|
luks-fs-mgr
|
||||||
|
|
||||||
#pf-bb-config
|
#pf-bb-config
|
||||||
pf-bb-config
|
pf-bb-config
|
||||||
|
|
||||||
|
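Review bot: the new comment line `#luks-encryption` does not match the package it labels, `luks-fs-mgr`; the neighbouring entries in this list pair the comment with the package name (`#pf-bb-config` directly above `pf-bb-config`), so rename the comment to `#luks-fs-mgr` or drop it, so that a grep for the package name finds both lines.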
@ -40,6 +40,7 @@ config/puppet-modules/puppet-rabbitmq-8.5.0
|
|||||||
config/puppet-modules/puppet-staging
|
config/puppet-modules/puppet-staging
|
||||||
docker/python-docker
|
docker/python-docker
|
||||||
filesystem/drbd/drbd-tools
|
filesystem/drbd/drbd-tools
|
||||||
|
filesystem/luks
|
||||||
filesystem/parted
|
filesystem/parted
|
||||||
golang-github-dev/golang-github-appc-cni
|
golang-github-dev/golang-github-appc-cni
|
||||||
golang-github-dev/golang-github-checkpoint-restore-go-criu-dev
|
golang-github-dev/golang-github-checkpoint-restore-go-criu-dev
|
||||||
|
5
filesystem/luks/debian/deb_folder/changelog
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
luks-fs-mgr (1.0-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* Initial release.
|
||||||
|
|
||||||
|
-- Rahul Roshan <rahulroshan.kachchap@windriver.com> Fri, 18 Aug 2023 13:02:42 +0000
|
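Review bot: the changelog trailer is signed `Rahul Roshan <rahulroshan.kachchap@windriver.com>` while the commit is signed off by `Rahul Roshan Kachchap`; use the same name in both so the changelog uploader matches the Signed-off-by line.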
32
filesystem/luks/debian/deb_folder/control
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
Source: luks-fs-mgr
|
||||||
|
Section: admin
|
||||||
|
Priority: optional
|
||||||
|
Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
|
||||||
|
Build-Depends: debhelper-compat (= 13),
|
||||||
|
libjson-c-dev
|
||||||
|
Standards-Version: 4.5.1
|
||||||
|
Homepage: https://www.starlingx.io
|
||||||
|
|
||||||
|
Package: luks-fs-mgr
|
||||||
|
Architecture: any
|
||||||
|
Depends: ${misc:Depends}, ${shlibs:Depends}, systemd
|
||||||
|
Description: Luks encryption service manager
|
||||||
|
The Luks Encryption Service Manager operates as an essential component during
|
||||||
|
the boot process and host unlocking, serving as a critical safeguard for data
|
||||||
|
on StarlingX. This service is responsible for managing the creation,
|
||||||
|
configuration, and utilization of encrypted volumes, all in accordance with
|
||||||
|
the Linux Unified Key Setup (LUKS) standard. Its functionality is driven by
|
||||||
|
the information provided in the luks_config.json file, which acts as a
|
||||||
|
blueprint for configuring the encryption process.
|
||||||
|
Upon startup, the service reads the luks_config.json file to extract crucial
|
||||||
|
parameters, such as the vault file path, volume size, volume name, and
|
||||||
|
mounting path. If the service detects that the encryption volume is already
|
||||||
|
open, it unseals it. This step ensures a seamless experience for users, as they
|
||||||
|
can quickly access their encrypted data without redundant processes.
|
||||||
|
However, if the encryption volume is not open, the service dynamically creates
|
||||||
|
one based on the parameters defined in the JSON configuration. It initializes
|
||||||
|
the vault file using random data, then proceeds to set up the LUKS encryption
|
||||||
|
mechanism and unseals the newly created volume.
|
||||||
|
To ensure the highest level of security, the Luks Encryption Service Manager
|
||||||
|
employs error handling and logging mechanisms, enabling administrators to
|
||||||
|
monitor and troubleshoot any issues that may arise.
|
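Review bot: `Depends: ${misc:Depends}, ${shlibs:Depends}, systemd` carries no dependency on the LUKS userspace tooling, yet the description says the service creates, configures and unseals LUKS volumes; `${shlibs:Depends}` only covers linked libraries, so add `cryptsetup` (or whatever tool the implementation will call) so the package cannot be installed on a host where the service would fail at boot. Two wording points in the long description: "If the service detects that the encryption volume is already open, it unseals it" reads inverted, since an already-open volume needs no unsealing, and probably means "already exists"; and "To ensure the highest level of security, ... employs error handling and logging mechanisms" overstates what logging provides, so say plainly what is logged and where administrators find it.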
41
filesystem/luks/debian/deb_folder/copyright
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
|
||||||
|
Upstream-Name: luks-fs-mgr
|
||||||
|
Source: https://opendev.org/starlingx/integ/src/branch/master/filesystem/luks
|
||||||
|
|
||||||
|
Files: *
|
||||||
|
Copyright: (c) 2023 Wind River Systems, Inc
|
||||||
|
License: Apache-2
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
.
|
||||||
|
https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
.
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
.
|
||||||
|
On Debian-based systems the full text of the Apache version 2.0 license
|
||||||
|
can be found in `/usr/share/common-licenses/Apache-2.0'.
|
||||||
|
|
||||||
|
# If you want to use GPL v2 or later for the /debian/* files use
|
||||||
|
# the following clauses, or change it to suit. Delete these two lines
|
||||||
|
Files: debian/*
|
||||||
|
Copyright: 2023 Wind River Systems, Inc
|
||||||
|
License: Apache-2
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
.
|
||||||
|
https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
.
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
.
|
||||||
|
On Debian-based systems the full text of the Apache version 2.0 license
|
||||||
|
can be found in `/usr/share/common-licenses/Apache-2.0'.
|
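Review bot: the two skeleton comment lines `# If you want to use GPL v2 or later for the /debian/* files use` and `# the following clauses, or change it to suit. Delete these two lines` are dh_make template instructions and should be removed before the file ships, as the text itself says. The `Files: *` stanza uses `Copyright: (c) 2023 Wind River Systems, Inc` while `Files: debian/*` uses `Copyright: 2023 Wind River Systems, Inc`; pick one form. Since both stanzas repeat the identical Apache-2 text, the second stanza can carry a bare `License: Apache-2` line referring to the first, which the copyright-format 1.0 allows.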
3
filesystem/luks/debian/deb_folder/luks-fs-mgr.dirs
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
etc/luks-fs-mgr.d
|
||||||
|
usr/local/sbin
|
||||||
|
lib/systemd/system
|
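Review bot: `usr/local/sbin` installs a packaged binary under /usr/local, which Debian Policy reserves for the local administrator; dh_usrlocal normally fails the build for this, and `debian/rules` in this change has to override it with a no-op `echo` to get past that check. Install to `usr/sbin` and point `ExecStart` in the unit at `/usr/sbin/luks-fs-mgr` instead, unless StarlingX has a documented exception for this path.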
3
filesystem/luks/debian/deb_folder/luks-fs-mgr.install
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
usr/local/sbin/luks-fs-mgr
|
||||||
|
lib/systemd/system/luks-fs-mgr.service
|
||||||
|
etc/luks-fs-mgr.d/luks_config.json
|
11
filesystem/luks/debian/deb_folder/luks-fs-mgr.service
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Create and mount encrypted vault using LUKS
|
||||||
|
After=local-fs.target network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/local/sbin/luks-fs-mgr start
|
||||||
|
PIDFile=/var/run/luks-fs-mgr.pid
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
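Review bot: `PIDFile=/var/run/luks-fs-mgr.pid` has no effect with `Type=oneshot` (PIDFile is for `Type=forking`), and `/var/run` is a legacy alias of `/run`; drop the line. `After=network-online.target` orders against a target that nothing here pulls in, so add `Wants=network-online.target` if the service really needs the network, or drop it, since creating and mounting a local vault should not wait on the network. Because this oneshot creates and mounts the vault for other services to use, add `RemainAfterExit=yes` so the unit stays `active` after ExecStart returns (the test plan shows it as `inactive (dead)` after a successful run) and dependents can order themselves `After=luks-fs-mgr.service`. Once the binary's needs are known, add sandboxing directives suited to a root service that sets up LUKS volumes (for example `ProtectSystem=`, `PrivateTmp=`, `NoNewPrivileges=`).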
26
filesystem/luks/debian/deb_folder/rules
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
#!/usr/bin/make -f
|
||||||
|
# export DH_VERBOSE = 1
|
||||||
|
|
||||||
|
export ROOT = debian/tmp
|
||||||
|
export LOCAL_SBINDIR = $(ROOT)/usr/local/sbin
|
||||||
|
export UNITDIR = $(ROOT)/lib/systemd/system
|
||||||
|
export CONFIGDIR = $(ROOT)/etc/luks-fs-mgr.d
|
||||||
|
|
||||||
|
%:
|
||||||
|
dh $@
|
||||||
|
|
||||||
|
override_dh_auto_test:
|
||||||
|
echo
|
||||||
|
|
||||||
|
override_dh_auto_install:
|
||||||
|
install -m 755 -d ${LOCAL_SBINDIR}
|
||||||
|
install -m 700 -p -D encryption/luks-fs-mgr ${LOCAL_SBINDIR}/luks-fs-mgr
|
||||||
|
install -m 755 -d ${UNITDIR}
|
||||||
|
install -p -D -m 644 ./debian/luks-fs-mgr.service ${UNITDIR}/luks-fs-mgr.service
|
||||||
|
install -p -D -m 644 encryption/scripts/luks_config.json ${CONFIGDIR}/luks_config.json
|
||||||
|
|
||||||
|
override_dh_installsystemd:
|
||||||
|
dh_installsystemd --name luks-fs-mgr
|
||||||
|
|
||||||
|
override_dh_usrlocal:
|
||||||
|
echo
|
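Review bot: `override_dh_auto_test:` with a bare `echo` silently disables the test stage, and `override_dh_usrlocal:` with `echo` suppresses the policy check that would flag the `/usr/local/sbin` install path; if the package has no tests, say so in a comment, and prefer fixing the path over silencing the check. The rules file also copies `./debian/luks-fs-mgr.service` into `${UNITDIR}` by hand and then calls `dh_installsystemd --name luks-fs-mgr`; with `debhelper-compat (= 13)` the helper installs `debian/luks-fs-mgr.service` itself, so the manual copy and the matching `.install` entry are redundant. `install -m 700` for the binary is fine for a root-only helper.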
1
filesystem/luks/debian/deb_folder/source/format
Normal file
@ -0,0 +1 @@
|
|||||||
|
3.0 (quilt)
|
6
filesystem/luks/debian/meta_data.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
debname: luks-fs-mgr
|
||||||
|
debver: 1.0
|
||||||
|
src_path: src
|
||||||
|
revision:
|
||||||
|
dist: $STX_DIST
|
||||||
|
PKG_GITREVCOUNT: true
|
19
filesystem/luks/src/Makefile
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
#
|
||||||
|
# Copyright (c) 2023 Wind River Systems, Inc.
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
|
||||||
|
VER=1
|
||||||
|
VER_MJR=1
|
||||||
|
|
||||||
|
build:
|
||||||
|
(cd encryption ; make all VER=$(VER) VER_MJR=$(VER_MJR))
|
||||||
|
|
||||||
|
clean:
|
||||||
|
@( cd encryption ; make clean )
|
||||||
|
|
||||||
|
|
||||||
|
backup: clean
|
||||||
|
mkdir -p ~/luks
|
||||||
|
cp -a * ~/luks
|
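Review bot: the `backup: clean` target copies the whole tree to `~/luks` in the developer's home directory; that is a personal convenience and should not ship in the packaged Makefile. `build:` passes `VER=$(VER) VER_MJR=$(VER_MJR)` into the sub-make, but `encryption/Makefile` never references either variable, so either use them there (for example to embed a version string in the binary) or drop them here. `clean` and `build` should also be declared `.PHONY`, as the sub-Makefile already does for its own targets.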
26
filesystem/luks/src/encryption/Makefile
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
#
|
||||||
|
# Copyright (c) 2023 Wind River Systems, Inc.
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
|
||||||
|
SHELL = /bin/bash
|
||||||
|
|
||||||
|
CFLAGS = -Wall -Wextra -g -Werror -std=c++11
|
||||||
|
LIBS = -lstdc++ -lstdc++ -ljson-c
|
||||||
|
INCLUDES = -I.
|
||||||
|
|
||||||
|
CC=g++
|
||||||
|
|
||||||
|
SRC = luks-fs-mgr.cpp
|
||||||
|
EXECUTABLE = luks-fs-mgr
|
||||||
|
|
||||||
|
.PHONY: all clean
|
||||||
|
|
||||||
|
all: $(EXECUTABLE)
|
||||||
|
|
||||||
|
$(EXECUTABLE): $(SRC)
|
||||||
|
$(CC) $(CFLAGS) -o $@ $< $(LIBS)
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f $(EXECUTABLE) *.o
|
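Review bot: `CFLAGS = -Wall -Wextra -g -Werror -std=c++11` assigns with `=`, which discards the `CFLAGS`/`CXXFLAGS`/`LDFLAGS` that `dh` exports from `dpkg-buildflags`, so the Debian hardening defaults (`-fstack-protector-strong`, `-D_FORTIFY_SOURCE=2`, `-Wformat -Werror=format-security`, `-Wl,-z,relro`) never reach a binary that will run as root at boot. Use `CXXFLAGS += -Wall -Wextra -std=c++11` and link with `$(CXX) $(CXXFLAGS) $(LDFLAGS) -o $@ $< $(LIBS)`, using `CXX` rather than `CC=g++`, so the exported flags are appended rather than replaced. `-lstdc++` appears twice in `LIBS` and is unnecessary when linking with `g++`, and `-Werror` in a packaged build tends to break on compiler upgrades, so consider keeping it for developer builds only.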
6
filesystem/luks/src/encryption/luks-fs-mgr.cpp
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
#include <iostream>
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
std::cout << "Hello, world!" << std::endl;
|
||||||
|
return 0;
|
||||||
|
}
|
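Review bot: this hello-world placeholder is consistent with the commit message saying only the packaging framework is covered, but `luks-fs-mgr.service` already runs it at boot as `/usr/local/sbin/luks-fs-mgr start` and the test plan records the unit as enabled and exiting `0/SUCCESS`; since `main()` ignores `argv`, the `start` argument is silently accepted and the service reports success without any vault having been created. If the packaging is meant to land before the implementation, have the stub exit non-zero for any argument it does not implement, or keep the unit disabled until the real code lands, so a partially deployed ISO does not report a successful encrypted-vault setup that never happened.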
9
filesystem/luks/src/encryption/scripts/luks_config.json
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
{
|
||||||
|
"luksvolumes": [{
|
||||||
|
"PASSPHRASE_TYPE": "HWID",
|
||||||
|
"VAULT_FILE": "/var/luks/stx/luks_volume.img",
|
||||||
|
"VAULT_SIZE": "256M",
|
||||||
|
"VOL_NAME": "luks_encrypted_vault",
|
||||||
|
"MOUNT_PATH": "/var/luks/stx/luks_fs"
|
||||||
|
}]
|
||||||
|
}
|
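Review bot: `VAULT_FILE` and `MOUNT_PATH` both live under `/var/luks/stx/`, but neither `luks-fs-mgr.dirs` nor `rules` creates that directory, so the service (or a `tmpfiles.d` entry) must create it with restrictive permissions before writing the vault image. `VAULT_SIZE` is a string with a unit suffix (`"256M"`) rather than a number, so document which suffixes the parser accepts. `"PASSPHRASE_TYPE": "HWID"` implies the LUKS passphrase is derived from a hardware identifier; how that derivation works, and what happens to the vault when the hardware changes (board replacement, restore onto a new host), belongs in the package documentation since it decides whether the vault can still be opened.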