Start9/start-os
2
0
Fork 0
mirror of https://github.com/Start9Labs/start-os.git synced 2026-03-26 02:11:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

disable encryption for new raspi setups (#2348)

Browse Source 
* disable encryption for new raspi setups

* use config instead of OS_ARCH

* fixes from testing
This commit is contained in:
Aiden McClelland
2023-07-14 12:30:52 -06:00
committed by GitHub
parent 59d6795d9e
commit 90a9db3a91
6 changed files with 123 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/src/bins/start_init.rs
View File

@@ -125,7 +125,11 @@ async fn setup_or_init(cfg_path: Option<PathBuf>) -> Result<(), Error> {
} else { } else {
RepairStrategy::Preen RepairStrategy::Preen
}, },
DEFAULT_PASSWORD, if guid.ends_with("_UNENC") {
None
} else {
Some(DEFAULT_PASSWORD)
},
) )
.await?; .await?;
if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() { if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() {

4
backend/src/context/setup.rs
View File

@@ -45,6 +45,8 @@ pub struct SetupContextConfig {
pub migration_batch_rows: Option<usize>, pub migration_batch_rows: Option<usize>,
pub migration_prefetch_rows: Option<usize>, pub migration_prefetch_rows: Option<usize>,
pub datadir: Option<PathBuf>, pub datadir: Option<PathBuf>,
#[serde(default)]
pub disable_encryption: bool,
} }
impl SetupContextConfig { impl SetupContextConfig {
#[instrument(skip_all)] #[instrument(skip_all)]
@@ -75,6 +77,7 @@ pub struct SetupContextSeed {
pub config_path: Option<PathBuf>, pub config_path: Option<PathBuf>,
pub migration_batch_rows: usize, pub migration_batch_rows: usize,
pub migration_prefetch_rows: usize, pub migration_prefetch_rows: usize,
pub disable_encryption: bool,
pub shutdown: Sender<()>, pub shutdown: Sender<()>,
pub datadir: PathBuf, pub datadir: PathBuf,
pub selected_v2_drive: RwLock<Option<PathBuf>>, pub selected_v2_drive: RwLock<Option<PathBuf>>,
@@ -102,6 +105,7 @@ impl SetupContext {
config_path: path.as_ref().map(|p| p.as_ref().to_owned()), config_path: path.as_ref().map(|p| p.as_ref().to_owned()),
migration_batch_rows: cfg.migration_batch_rows.unwrap_or(25000), migration_batch_rows: cfg.migration_batch_rows.unwrap_or(25000),
migration_prefetch_rows: cfg.migration_prefetch_rows.unwrap_or(100_000), migration_prefetch_rows: cfg.migration_prefetch_rows.unwrap_or(100_000),
disable_encryption: cfg.disable_encryption,
shutdown, shutdown,
datadir, datadir,
selected_v2_drive: RwLock::new(None), selected_v2_drive: RwLock::new(None),

176
backend/src/disk/main.rs
View File

@@ -13,7 +13,7 @@ use crate::disk::mount::util::unmount;
use crate::util::Invoke; use crate::util::Invoke;
use crate::{Error, ErrorKind, ResultExt}; use crate::{Error, ErrorKind, ResultExt};
pub const PASSWORD_PATH: &'static str = "/etc/embassy/password"; pub const PASSWORD_PATH: &'static str = "/run/embassy/password";
pub const DEFAULT_PASSWORD: &'static str = "password"; pub const DEFAULT_PASSWORD: &'static str = "password";
pub const MAIN_FS_SIZE: FsSize = FsSize::Gigabytes(8); pub const MAIN_FS_SIZE: FsSize = FsSize::Gigabytes(8);
@@ -22,13 +22,13 @@ pub async fn create<I, P>(
disks: &I, disks: &I,
pvscan: &BTreeMap<PathBuf, Option<String>>, pvscan: &BTreeMap<PathBuf, Option<String>>,
datadir: impl AsRef<Path>, datadir: impl AsRef<Path>,
password: &str, password: Option<&str>,
) -> Result<String, Error> ) -> Result<String, Error>
where where
for<'a> &'a I: IntoIterator<Item = &'a P>, for<'a> &'a I: IntoIterator<Item = &'a P>,
P: AsRef<Path>, P: AsRef<Path>,
{ {
let guid = create_pool(disks, pvscan).await?; let guid = create_pool(disks, pvscan, password.is_some()).await?;
create_all_fs(&guid, &datadir, password).await?; create_all_fs(&guid, &datadir, password).await?;
export(&guid, datadir).await?; export(&guid, datadir).await?;
Ok(guid) Ok(guid)
@@ -38,6 +38,7 @@ where
pub async fn create_pool<I, P>( pub async fn create_pool<I, P>(
disks: &I, disks: &I,
pvscan: &BTreeMap<PathBuf, Option<String>>, pvscan: &BTreeMap<PathBuf, Option<String>>,
encrypted: bool,
) -> Result<String, Error> ) -> Result<String, Error>
where where
for<'a> &'a I: IntoIterator<Item = &'a P>, for<'a> &'a I: IntoIterator<Item = &'a P>,
@@ -62,13 +63,16 @@ where
.invoke(crate::ErrorKind::DiskManagement) .invoke(crate::ErrorKind::DiskManagement)
.await?; .await?;
} }
let guid = format!( let mut guid = format!(
"EMBASSY_{}", "EMBASSY_{}",
base32::encode( base32::encode(
base32::Alphabet::RFC4648 { padding: false }, base32::Alphabet::RFC4648 { padding: false },
&rand::random::<[u8; 32]>(), &rand::random::<[u8; 32]>(),
) )
); );
if !encrypted {
guid += "_UNENC";
}
let mut cmd = Command::new("vgcreate"); let mut cmd = Command::new("vgcreate");
cmd.arg("-y").arg(&guid); cmd.arg("-y").arg(&guid);
for disk in disks { for disk in disks {
@@ -90,11 +94,8 @@ pub async fn create_fs<P: AsRef<Path>>(
datadir: P, datadir: P,
name: &str, name: &str,
size: FsSize, size: FsSize,
password: &str, password: Option<&str>,
) -> Result<(), Error> { ) -> Result<(), Error> {
tokio::fs::write(PASSWORD_PATH, password)
.await
.with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
let mut cmd = Command::new("lvcreate"); let mut cmd = Command::new("lvcreate");
match size { match size {
FsSize::Gigabytes(a) => cmd.arg("-L").arg(format!("{}G", a)), FsSize::Gigabytes(a) => cmd.arg("-L").arg(format!("{}G", a)),
@@ -106,37 +107,38 @@ pub async fn create_fs<P: AsRef<Path>>(
.arg(guid) .arg(guid)
.invoke(crate::ErrorKind::DiskManagement) .invoke(crate::ErrorKind::DiskManagement)
.await?; .await?;
let crypt_path = Path::new("/dev").join(guid).join(name); let mut blockdev_path = Path::new("/dev").join(guid).join(name);
Command::new("cryptsetup") if let Some(password) = password {
.arg("-q") tokio::fs::write(PASSWORD_PATH, password)
.arg("luksFormat") .await
.arg(format!("--key-file={}", PASSWORD_PATH)) .with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
.arg(format!("--keyfile-size={}", password.len())) Command::new("cryptsetup")
.arg(&crypt_path) .arg("-q")
.invoke(crate::ErrorKind::DiskManagement) .arg("luksFormat")
.await?; .arg(format!("--key-file={}", PASSWORD_PATH))
Command::new("cryptsetup") .arg(format!("--keyfile-size={}", password.len()))
.arg("-q") .arg(&blockdev_path)
.arg("luksOpen") .invoke(crate::ErrorKind::DiskManagement)
.arg(format!("--key-file={}", PASSWORD_PATH)) .await?;
.arg(format!("--keyfile-size={}", password.len())) Command::new("cryptsetup")
.arg(&crypt_path) .arg("-q")
.arg(format!("{}_{}", guid, name)) .arg("luksOpen")
.invoke(crate::ErrorKind::DiskManagement) .arg(format!("--key-file={}", PASSWORD_PATH))
.await?; .arg(format!("--keyfile-size={}", password.len()))
.arg(&blockdev_path)
.arg(format!("{}_{}", guid, name))
.invoke(crate::ErrorKind::DiskManagement)
.await?;
tokio::fs::remove_file(PASSWORD_PATH)
.await
.with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
blockdev_path = Path::new("/dev/mapper").join(format!("{}_{}", guid, name));
}
Command::new("mkfs.btrfs") Command::new("mkfs.btrfs")
.arg(Path::new("/dev/mapper").join(format!("{}_{}", guid, name))) .arg(&blockdev_path)
.invoke(crate::ErrorKind::DiskManagement) .invoke(crate::ErrorKind::DiskManagement)
.await?; .await?;
mount( mount(&blockdev_path, datadir.as_ref().join(name), ReadWrite).await?;
Path::new("/dev/mapper").join(format!("{}_{}", guid, name)),
datadir.as_ref().join(name),
ReadWrite,
)
.await?;
tokio::fs::remove_file(PASSWORD_PATH)
.await
.with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
Ok(()) Ok(())
} }
@@ -144,7 +146,7 @@ pub async fn create_fs<P: AsRef<Path>>(
pub async fn create_all_fs<P: AsRef<Path>>( pub async fn create_all_fs<P: AsRef<Path>>(
guid: &str, guid: &str,
datadir: P, datadir: P,
password: &str, password: Option<&str>,
) -> Result<(), Error> { ) -> Result<(), Error> {
create_fs(guid, &datadir, "main", MAIN_FS_SIZE, password).await?; create_fs(guid, &datadir, "main", MAIN_FS_SIZE, password).await?;
create_fs( create_fs(
@@ -161,12 +163,14 @@ pub async fn create_all_fs<P: AsRef<Path>>(
#[instrument(skip_all)] #[instrument(skip_all)]
pub async fn unmount_fs<P: AsRef<Path>>(guid: &str, datadir: P, name: &str) -> Result<(), Error> { pub async fn unmount_fs<P: AsRef<Path>>(guid: &str, datadir: P, name: &str) -> Result<(), Error> {
unmount(datadir.as_ref().join(name)).await?; unmount(datadir.as_ref().join(name)).await?;
Command::new("cryptsetup") if !guid.ends_with("_UNENC") {
.arg("-q") Command::new("cryptsetup")
.arg("luksClose") .arg("-q")
.arg(format!("{}_{}", guid, name)) .arg("luksClose")
.invoke(crate::ErrorKind::DiskManagement) .arg(format!("{}_{}", guid, name))
.await?; .invoke(crate::ErrorKind::DiskManagement)
.await?;
}
Ok(()) Ok(())
} }
@@ -203,7 +207,7 @@ pub async fn import<P: AsRef<Path>>(
guid: &str, guid: &str,
datadir: P, datadir: P,
repair: RepairStrategy, repair: RepairStrategy,
password: &str, mut password: Option<&str>,
) -> Result<RequiresReboot, Error> { ) -> Result<RequiresReboot, Error> {
let scan = pvscan().await?; let scan = pvscan().await?;
if scan if scan
@@ -261,46 +265,56 @@ pub async fn mount_fs<P: AsRef<Path>>(
datadir: P, datadir: P,
name: &str, name: &str,
repair: RepairStrategy, repair: RepairStrategy,
password: &str, password: Option<&str>,
) -> Result<RequiresReboot, Error> { ) -> Result<RequiresReboot, Error> {
tokio::fs::write(PASSWORD_PATH, password) let orig_path = Path::new("/dev").join(guid).join(name);
.await let mut blockdev_path = orig_path.clone();
.with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
let crypt_path = Path::new("/dev").join(guid).join(name);
let full_name = format!("{}_{}", guid, name); let full_name = format!("{}_{}", guid, name);
Command::new("cryptsetup") if !guid.ends_with("_UNENC") {
.arg("-q") let password = password.unwrap_or(DEFAULT_PASSWORD);
.arg("luksOpen") if let Some(parent) = Path::new(PASSWORD_PATH).parent() {
.arg(format!("--key-file={}", PASSWORD_PATH)) tokio::fs::create_dir_all(parent).await?;
.arg(format!("--keyfile-size={}", password.len())) }
.arg(&crypt_path) tokio::fs::write(PASSWORD_PATH, password)
.arg(&full_name) .await
.invoke(crate::ErrorKind::DiskManagement) .with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
.await?; Command::new("cryptsetup")
let mapper_path = Path::new("/dev/mapper").join(&full_name); .arg("-q")
let reboot = repair.fsck(&mapper_path).await?; .arg("luksOpen")
// Backup LUKS header if e2fsck succeeded .arg(format!("--key-file={}", PASSWORD_PATH))
let luks_folder = Path::new("/media/embassy/config/luks"); .arg(format!("--keyfile-size={}", password.len()))
tokio::fs::create_dir_all(luks_folder).await?; .arg(&blockdev_path)
let tmp_luks_bak = luks_folder.join(format!(".{full_name}.luks.bak.tmp")); .arg(&full_name)
if tokio::fs::metadata(&tmp_luks_bak).await.is_ok() { .invoke(crate::ErrorKind::DiskManagement)
tokio::fs::remove_file(&tmp_luks_bak).await?; .await?;
tokio::fs::remove_file(PASSWORD_PATH)
.await
.with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?;
blockdev_path = Path::new("/dev/mapper").join(&full_name);
} }
let luks_bak = luks_folder.join(format!("{full_name}.luks.bak")); let reboot = repair.fsck(&blockdev_path).await?;
Command::new("cryptsetup")
.arg("-q")
.arg("luksHeaderBackup")
.arg("--header-backup-file")
.arg(&tmp_luks_bak)
.arg(&crypt_path)
.invoke(crate::ErrorKind::DiskManagement)
.await?;
tokio::fs::rename(&tmp_luks_bak, &luks_bak).await?;
mount(&mapper_path, datadir.as_ref().join(name), ReadWrite).await?;
tokio::fs::remove_file(PASSWORD_PATH) if !guid.ends_with("_UNENC") {
.await // Backup LUKS header if e2fsck succeeded
.with_ctx(|_| (crate::ErrorKind::Filesystem, PASSWORD_PATH))?; let luks_folder = Path::new("/media/embassy/config/luks");
tokio::fs::create_dir_all(luks_folder).await?;
let tmp_luks_bak = luks_folder.join(format!(".{full_name}.luks.bak.tmp"));
if tokio::fs::metadata(&tmp_luks_bak).await.is_ok() {
tokio::fs::remove_file(&tmp_luks_bak).await?;
}
let luks_bak = luks_folder.join(format!("{full_name}.luks.bak"));
Command::new("cryptsetup")
.arg("-q")
.arg("luksHeaderBackup")
.arg("--header-backup-file")
.arg(&tmp_luks_bak)
.arg(&orig_path)
.invoke(crate::ErrorKind::DiskManagement)
.await?;
tokio::fs::rename(&tmp_luks_bak, &luks_bak).await?;
}
mount(&blockdev_path, datadir.as_ref().join(name), ReadWrite).await?;
Ok(reboot) Ok(reboot)
} }
@@ -310,7 +324,7 @@ pub async fn mount_all_fs<P: AsRef<Path>>(
guid: &str, guid: &str,
datadir: P, datadir: P,
repair: RepairStrategy, repair: RepairStrategy,
password: &str, password: Option<&str>,
) -> Result<RequiresReboot, Error> { ) -> Result<RequiresReboot, Error> {
let mut reboot = RequiresReboot(false); let mut reboot = RequiresReboot(false);
reboot |= mount_fs(guid, &datadir, "main", repair, password).await?; reboot |= mount_fs(guid, &datadir, "main", repair, password).await?;

6
backend/src/disk/util.rs
View File

@@ -324,11 +324,13 @@ pub async fn list(os: &OsPartitionInfo) -> Result<Vec<DiskInfo>, Error> {
if index.internal { if index.internal {
for part in index.parts { for part in index.parts {
let mut disk_info = disk_info(disk.clone()).await; let mut disk_info = disk_info(disk.clone()).await;
disk_info.logicalname = part; let part_info = part_info(part).await;
disk_info.logicalname = part_info.logicalname.clone();
disk_info.capacity = part_info.capacity;
if let Some(g) = disk_guids.get(&disk_info.logicalname) { if let Some(g) = disk_guids.get(&disk_info.logicalname) {
disk_info.guid = g.clone(); disk_info.guid = g.clone();
} else { } else {
disk_info.partitions = vec![part_info(disk_info.logicalname.clone()).await]; disk_info.partitions = vec![part_info];
} }
res.push(disk_info); res.push(disk_info);
} }

17
backend/src/setup.rs
View File

@@ -125,7 +125,7 @@ pub async fn attach(
} else { } else {
RepairStrategy::Preen RepairStrategy::Preen
}, },
DEFAULT_PASSWORD, if guid.ends_with("_UNENC") { None } else { Some(DEFAULT_PASSWORD) },
) )
.await?; .await?;
if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() { if tokio::fs::metadata(REPAIR_DISK_PATH).await.is_ok() {
@@ -337,12 +337,17 @@ pub async fn execute_inner(
recovery_source: Option<RecoverySource>, recovery_source: Option<RecoverySource>,
recovery_password: Option<String>, recovery_password: Option<String>,
) -> Result<(Arc<String>, Hostname, OnionAddressV3, X509), Error> { ) -> Result<(Arc<String>, Hostname, OnionAddressV3, X509), Error> {
let encryption_password = if ctx.disable_encryption {
None
} else {
Some(DEFAULT_PASSWORD)
};
let guid = Arc::new( let guid = Arc::new(
crate::disk::main::create( crate::disk::main::create(
&[embassy_logicalname], &[embassy_logicalname],
&pvscan().await?, &pvscan().await?,
&ctx.datadir, &ctx.datadir,
DEFAULT_PASSWORD, encryption_password,
) )
.await?, .await?,
); );
@@ -350,7 +355,7 @@ pub async fn execute_inner(
&*guid, &*guid,
&ctx.datadir, &ctx.datadir,
RepairStrategy::Preen, RepairStrategy::Preen,
DEFAULT_PASSWORD, encryption_password,
) )
.await?; .await?;
@@ -418,7 +423,11 @@ async fn migrate(
&old_guid, &old_guid,
"/media/embassy/migrate", "/media/embassy/migrate",
RepairStrategy::Preen, RepairStrategy::Preen,
DEFAULT_PASSWORD, if guid.ends_with("_UNENC") {
None
} else {
Some(DEFAULT_PASSWORD)
},
) )
.await?; .await?;

3
build/raspberrypi/config.yaml
View File

@@ -2,4 +2,5 @@ os-partitions:
boot: /dev/mmcblk0p1 boot: /dev/mmcblk0p1
root: /dev/mmcblk0p2 root: /dev/mmcblk0p2
ethernet-interface: end0 ethernet-interface: end0
wifi-interface: wlan0 wifi-interface: wlan0
disable-encryption: true