This module mounts an eCryptfs filesystem from the initial ramdisk using an encrypted key. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it>master
Roberto Sassu
13 years ago
committed by
Harald Hoyer
4 changed files with 176 additions and 0 deletions
@ -0,0 +1,50 @@
@@ -0,0 +1,50 @@
|
||||
# Directions for creating the encrypted key that will be used to mount an |
||||
# eCryptfs filesystem |
||||
|
||||
# Create the eCryptfs key (encrypted key type) |
||||
# |
||||
# The encrypted key type supports two formats: the 'default' format allows |
||||
# to generate a random symmetric key of the length specified, the 'ecryptfs' |
||||
# format generates an authentication token for the eCryptfs filesystem, |
||||
# which contains a randomly generated key. Two requirements for the latter |
||||
# format is that the key description must contain exactly 16 hexadecimal |
||||
# characters and that the encrypted key length must be equal to 64. |
||||
$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u |
||||
782117972 |
||||
|
||||
# Save the encrypted key |
||||
$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob' |
||||
|
||||
# The eCryptfs key path name can be set in one of the following ways (specified in |
||||
# the order in which the variable is overwritten): |
||||
|
||||
1) use the default value: |
||||
-------------------------------------------------------------------------- |
||||
ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob" |
||||
-------------------------------------------------------------------------- |
||||
|
||||
2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY |
||||
variable; |
||||
|
||||
3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command |
||||
line. |
||||
|
||||
# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify |
||||
# more options for mounting the eCryptfs filesystem: |
||||
|
||||
ECRYPTFSSRCDIR: existent directory in the lower root filesystem; |
||||
ECRYPTFSDSTDIR: mount point directory for the eCryptfs filesystem (the directory must be |
||||
created in the root filesystem before rebooting the platform); |
||||
ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig' |
||||
option is automatically added by the dracut script). |
||||
|
||||
# Example of the configuration file: |
||||
----------- '/etc/sysconfig/ecryptfs' (with default values) ----------- |
||||
ECRYPTFS_KEY="/etc/keys/ecryptfs-trusted.blob" |
||||
ECRYPTFSSRCDIR="/secret" |
||||
ECRYPTFSDSTDIR="${ECRYPTFSSRCDIR}" |
||||
ECRYPTFS_EXTRA_MOUNT_OPTS="" |
||||
----------------------------------------------------------------------- |
||||
|
||||
# If the variable ECRYPTFSDSTDIR is not specified in the configuration file, |
||||
# its value will be equal to that of ECRYPTFSSRCDIR. |
@ -0,0 +1,100 @@
@@ -0,0 +1,100 @@
|
||||
#!/bin/sh |
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- |
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh |
||||
|
||||
# Licensed under the GPLv2 |
||||
# |
||||
# Copyright (C) 2011 Politecnico di Torino, Italy |
||||
# TORSEC group -- http://security.polito.it |
||||
# Roberto Sassu <roberto.sassu@polito.it> |
||||
|
||||
ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs" |
||||
ECRYPTFSKEYTYPE="encrypted" |
||||
ECRYPTFSKEYDESC="1000100010001000" |
||||
ECRYPTFSKEYID="" |
||||
ECRYPTFSSRCDIR="/secret" |
||||
ECRYPTFS_EXTRA_MOUNT_OPTS="" |
||||
|
||||
load_ecryptfs_key() |
||||
{ |
||||
# override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel |
||||
# command line |
||||
ECRYPTFSKEYARG=$(getarg ecryptfskey=) |
||||
[ $? -eq 0 ] && \ |
||||
ECRYPTFSKEY=${ECRYPTFSKEYARG} |
||||
|
||||
# set the default value |
||||
[ -z "${ECRYPTFSKEY}" ] && \ |
||||
ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob"; |
||||
|
||||
# set the eCryptfs key path name |
||||
ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}" |
||||
|
||||
# check for eCryptfs encrypted key's existence |
||||
if [ ! -f "${ECRYPTFSKEYPATH}" ]; then |
||||
if [ "${RD_DEBUG}" = "yes" ]; then |
||||
info "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}" |
||||
fi |
||||
return 1 |
||||
fi |
||||
|
||||
# read the eCryptfs encrypted key blob |
||||
KEYBLOB=$(cat ${ECRYPTFSKEYPATH}) |
||||
|
||||
# load the eCryptfs encrypted key blob |
||||
ECRYPTFSKEYID=$(keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u) |
||||
[ $? -eq 0 ] || { |
||||
info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}"; |
||||
return 1; |
||||
} |
||||
|
||||
return 0 |
||||
} |
||||
|
||||
unload_ecryptfs_key() |
||||
{ |
||||
# unlink the eCryptfs encrypted key |
||||
keyctl unlink ${ECRYPTFSKEYID} @u || { |
||||
info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}"; |
||||
return 1; |
||||
} |
||||
|
||||
return 0 |
||||
} |
||||
|
||||
mount_ecryptfs() |
||||
{ |
||||
# read the configuration from the config file |
||||
[ -f "${ECRYPTFSCONFIG}" ] && \ |
||||
. ${ECRYPTFSCONFIG} |
||||
|
||||
# load the eCryptfs encrypted key |
||||
load_ecryptfs_key || return 1 |
||||
|
||||
# set the default value for ECRYPTFSDSTDIR |
||||
[ -z "${ECRYPTFSDSTDIR}" ] && \ |
||||
ECRYPTFSDSTDIR=${ECRYPTFSSRCDIR} |
||||
|
||||
# set the eCryptfs filesystem mount point |
||||
ECRYPTFSSRCMNT="${NEWROOT}${ECRYPTFSSRCDIR}" |
||||
ECRYPTFSDSTMNT="${NEWROOT}${ECRYPTFSDSTDIR}" |
||||
|
||||
# build the mount options variable |
||||
ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}" |
||||
[ ! -z "${ECRYPTFS_EXTRA_MOUNT_OPTS}" ] && \ |
||||
ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}" |
||||
|
||||
# mount the eCryptfs filesystem |
||||
info "Mounting the configured eCryptfs filesystem" |
||||
mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSSRCMNT} ${ECRYPTFSDSTMNT} >/dev/null || { |
||||
info "eCryptfs: mount of the eCryptfs filesystem failed"; |
||||
return 1; |
||||
} |
||||
|
||||
# unload the eCryptfs encrypted key |
||||
unload_ecryptfs_key || return 1 |
||||
|
||||
return 0 |
||||
} |
||||
|
||||
mount_ecryptfs |
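Review bot: When the `mount` call in mount_ecryptfs fails, the function returns before `unload_ecryptfs_key` runs, so the key added by load_ecryptfs_key stays linked in the `@u` keyring; the failure branch should unlink it first, e.g. `unload_ecryptfs_key; return 1;`. Several expansions are also unquoted (`cat ${ECRYPTFSKEYPATH}`, `. ${ECRYPTFSCONFIG}`, and the `${ECRYPTFSSRCMNT} ${ECRYPTFSDSTMNT}` operands of `mount`), so a path containing whitespace or glob characters taken from `ecryptfskey=` or the config file is word-split; quoting them as `"${ECRYPTFSKEYPATH}"` and so on avoids that. The script reads `ECRYPTFSKEY`, while the example configuration in this commit's directions file sets `ECRYPTFS_KEY`, so a key path configured as documented would appear to be ignored. Because the config file is sourced from `${NEWROOT}` and its `ECRYPTFS_EXTRA_MOUNT_OPTS` is appended verbatim after `ecryptfs_sig=`, a comment stating that this file is trusted input would help the next reader.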
@ -0,0 +1,20 @@
@@ -0,0 +1,20 @@
|
||||
#!/bin/bash |
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- |
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh |
||||
|
||||
check() { |
||||
return 0 |
||||
} |
||||
|
||||
depends() { |
||||
echo masterkey |
||||
return 0 |
||||
} |
||||
|
||||
installkernel() { |
||||
instmods ecryptfs |
||||
} |
||||
|
||||
install() { |
||||
inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh" |
||||
} |
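Review bot: `check()` returns 0 unconditionally, which under dracut's module convention pulls this module into every generated initramfs instead of only when it is requested. Returning 255 would make it opt-in, which seems the safer default for a hook that sources a config file from the root filesystem and loads a key. `install()` installs only the hook script, so the `keyctl` binary that ecryptfs-mount.sh calls is presumably provided through the `masterkey` dependency; that is worth confirming and recording in a comment such as `# keyctl is expected to be installed by the masterkey module`.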