summaryrefslogtreecommitdiff
path: root/src/init
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2024-02-20 09:54:14 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2024-03-07 16:32:41 +0100
commit94b2a3a26827ffc7f212075641dc5c67866a1ac7 (patch)
tree79e1f72218f0413068670f1eb0a2ce676464b53a /src/init
parent4249473dbaf5a96a492e24b02787aa9f229fff7a (diff)
downloadvyos-1x-94b2a3a26827ffc7f212075641dc5c67866a1ac7.tar.gz
vyos-1x-94b2a3a26827ffc7f212075641dc5c67866a1ac7.zip
config: T4919: mount/unmount encrypted config on VyOS start/stop
Re-implements https://github.com/vyos/vyatta-cfg/pull/54
Diffstat (limited to 'src/init')
-rwxr-xr-xsrc/init/vyos-router67
1 files changed, 67 insertions, 0 deletions
diff --git a/src/init/vyos-router b/src/init/vyos-router
index eac3e7e47..74e3ca51b 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -64,6 +64,69 @@ disabled () {
grep -q -w no-vyos-$1 /proc/cmdline
}
+# Load encrypted config volume
+mount_encrypted_config() {
+ persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
+ if [ $? == 0 ]; then
+ if [ -e $persist_path/boot ]; then
+ image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
+
+ if [ -z "$image_name" ]; then
+ return
+ fi
+
+ if [ ! -f $persist_path/luks/$image_name ]; then
+ return
+ fi
+
+ vyos_tpm_key=$(python3 -c 'from vyos.tpm import read_tpm_key; print(read_tpm_key().decode())' 2>/dev/null)
+
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to fetch encryption key from TPM. Encrypted config volume has not been mounted"
+ echo "Use 'encryption load' to load volume with recovery key"
+ echo "or 'encryption disable' to decrypt volume with recovery key"
+ return
+ fi
+
+ echo $vyos_tpm_key | tr -d '\r\n' | cryptsetup open $persist_path/luks/$image_name vyos_config --key-file=-
+
+ if [ $? -ne 0 ]; then
+ echo "ERROR: Failed to decrypt config volume. Encrypted config volume has not been mounted"
+ echo "Use 'encryption load' to load volume with recovery key"
+ echo "or 'encryption disable' to decrypt volume with recovery key"
+ return
+ fi
+
+ mount /dev/mapper/vyos_config /config
+ mount /dev/mapper/vyos_config $vyatta_sysconfdir/config
+
+ echo "Mounted encrypted config volume"
+ fi
+ fi
+}
+
+unmount_encrypted_config() {
+ persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
+ if [ $? == 0 ]; then
+ if [ -e $persist_path/boot ]; then
+ image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
+
+ if [ -z "$image_name" ]; then
+ return
+ fi
+
+ if [ ! -f $persist_path/luks/$image_name ]; then
+ return
+ fi
+
+ umount /config
+ umount $vyatta_sysconfdir/config
+
+ cryptsetup close vyos_config
+ fi
+ fi
+}
+
# if necessary, provide initial config
init_bootfile () {
if [ ! -r $BOOTFILE ] ; then
@@ -402,6 +465,8 @@ start ()
&& chgrp ${GROUP} ${vyatta_configdir}
log_action_end_msg $?
+ mount_encrypted_config
+
# T5239: early read of system hostname as this value is read-only once during
# FRR initialisation
tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "system host-name")
@@ -470,6 +535,8 @@ stop()
log_action_end_msg $?
systemctl stop frr.service
+
+ unmount_encrypted_config
}
case "$action" in