author | Daniil Baturin <daniil@vyos.io> | 2024-03-07 16:36:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-07 16:36:44 +0100 |
commit | 6e7e7842bc1ba55bd4c91c3af35faf8961793318 (patch) | |
tree | 14e32e239451b380e8b2d7bd80b38beeb5b057cf /src/init/vyos-router | |
parent | 38fdc27ee2b3253053b2794e3e7ec5d8e0d5aa02 (diff) | |
parent | 4a882d3f8dfcf1900da9f98f5993c9d63e70d3a8 (diff) | |
Merge pull request #1740 from sarthurdev/tpm_luks
config: T4919: Add support for encrypted config with TPM
Diffstat (limited to 'src/init/vyos-router')
-rwxr-xr-x | src/init/vyos-router | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 912a9ef3b..adf892371 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -64,6 +64,69 @@ disabled () {
 grep -q -w no-vyos-$1 /proc/cmdline
 }
 
+# Load encrypted config volume
+mount_encrypted_config() {
+ persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
+ if [ $? == 0 ]; then
+ if [ -e $persist_path/boot ]; then
+ image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
+
+ if [ -z "$image_name" ]; then
+ return
+ fi
+
+ if [ ! -f $persist_path/luks/$image_name ]; then
+ return
+ fi
+
+ vyos_tpm_key=$(python3 -c 'from vyos.tpm import read_tpm_key; print(read_tpm_key().decode())' 2>/dev/null)
+
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to fetch encryption key from TPM. Encrypted config volume has not been mounted"
+ echo "Use 'encryption load' to load volume with recovery key"
+ echo "or 'encryption disable' to decrypt volume with recovery key"
+ return
+ fi
+
+ echo $vyos_tpm_key | tr -d '\r\n' | cryptsetup open $persist_path/luks/$image_name vyos_config --key-file=-
+
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to decrypt config volume. Encrypted config volume has not been mounted"
+ echo "Use 'encryption load' to load volume with recovery key"
+ echo "or 'encryption disable' to decrypt volume with recovery key"
+ return
+ fi
+
+ mount /dev/mapper/vyos_config /config
+ mount /dev/mapper/vyos_config $vyatta_sysconfdir/config
+
+ echo "Mounted encrypted config volume"
+ fi
+ fi
+}
+
+unmount_encrypted_config() {
+ persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
+ if [ $? == 0 ]; then
+ if [ -e $persist_path/boot ]; then
+ image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
+
+ if [ -z "$image_name" ]; then
+ return
+ fi
+
+ if [ ! -f $persist_path/luks/$image_name ]; then
+ return
+ fi
+
+ umount /config
+ umount $vyatta_sysconfdir/config
+
+ cryptsetup close vyos_config
+ fi
+ fi
+}
+
 # if necessary, provide initial config
 init_bootfile () {
 if [ ! -r $BOOTFILE ] ; then
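Review bot: Neither `mount` call in mount_encrypted_config is checked, so a failed mount still prints "Mounted encrypted config volume" and leaves the opened LUKS mapping behind; the key is also fed through an unquoted `echo $vyos_tpm_key`, which word-splits and glob-expands the key material and lets `echo` treat a key beginning with `-n`/`-e` as an option, and `$persist_path`/`$image_name` are unquoted in the `[ ]` tests and the cryptsetup argument. Passing the key on stdin rather than argv is the right choice (it keeps it out of `ps` and `set -x` argument traces), so keep the pipe and just switch to `printf '%s' "$vyos_tpm_key"` with the paths quoted. The ERROR lines should go to stderr so they are not mixed into whatever consumes the script's stdout. The rewrite below checks both mounts and tears the mapping down on failure; the same quoting fix applies to the duplicated lookup in unmount_encrypted_config, where `umount` and `cryptsetup close` are likewise unchecked.
```shell
    printf '%s' "$vyos_tpm_key" | tr -d '\r\n' | cryptsetup open "$persist_path/luks/$image_name" vyos_config --key-file=-
    # … unchanged: error messages and return on a failed cryptsetup open …
    if ! mount /dev/mapper/vyos_config /config \
        || ! mount /dev/mapper/vyos_config "$vyatta_sysconfdir/config"; then
        echo "ERROR: Failed to mount decrypted config volume. Encrypted config volume has not been mounted" >&2
        umount /config 2>/dev/null   # best effort: only the first mount may have succeeded
        cryptsetup close vyos_config
        return
    fi
    echo "Mounted encrypted config volume"
```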
@@ -402,6 +465,8 @@ start ()
 && chgrp ${GROUP} ${vyatta_configdir}
 log_action_end_msg $?
 
+ mount_encrypted_config
+
 # T5239: early read of system hostname as this value is read-only once during
 # FRR initialisation
 tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
@@ -470,6 +535,8 @@ stop()
 log_action_end_msg $?
 
 systemctl stop frr.service
+
+ unmount_encrypted_config
 }
 
 case "$action" in
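Review bot: In start() the status of `mount_encrypted_config` is discarded, and the function as added in the first hunk returns 0 from every error path, so a boot that could not open the encrypted volume is indistinguishable here from one that mounted it. If that outcome should be visible in the boot log, make the error paths `return 1` and call it as `mount_encrypted_config || log_warning_msg "Encrypted config volume not mounted"` (log_warning_msg comes from the LSB init-functions this script appears to use, given log_action_end_msg). The stop() side discards the result of `unmount_encrypted_config` the same way, which is tolerable at shutdown but means a volume that could not be unmounted or closed is never reported. Both start() and stop() begin and end outside these hunks.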