improve robustness of the initrd sdk

This commit: - Implements LUKS and TPM2 toolchain checks and enforcement in order to avoid issues originating from uninitialized hardware and driver modules. - Improves the "testability" of the code - Changes the configuration workflow of the unlock-mount-luks.sh to rely on a config file instead of positional cmdline arguments in order to make configuration more explicit and easier to debug. - Ads script used for tpm2.0 persistent secret unsealing - Ads a config file with value presets intended for testing - Implements support for disks where only the root partition need decryption by the unlock-mount-luks.sh - Implements auto discovery for root partition based on GPT partition label - Implements auto discovery for config drive partition based on GPT partition label - Implement support for environments where only the config-drive is encrypted - Reorganizes and updates comments - Fixes evaluation bug of the "key_command" - Typo fixes - Exclude .swp files via .gitignore - Fix incorrect config drive partition name generation in relation to disks types that doesn't use partition prefixes - Introduce config option to skip the preparation "phase" intended for testing - Add support for use-case where encryption is not present and the tool chain is also missing Signed-off-by: Adam Rozman <adam.rozman@est.tech>
metal3-io · Oct 28, 2024 · ece938f · ece938f
1 parent ffd7e18
commit ece938f
Show file tree

Hide file tree

Showing 4 changed files with 402 additions and 71 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 *~
 *.tmp
 .DS_Store
+*.swp
diff --git a/jenkins/image_building/initrd_sdk/test_unlock_config b/jenkins/image_building/initrd_sdk/test_unlock_config
@@ -0,0 +1,20 @@
+#!/bin/bash
+# This file is used to provide a test configuration for the
+# unlock-mount-luks.sh
+# This script acts as an example config file thus to avoid needless shellchecks
+# the '.sh' extension has been removed intentionally.
+
+# key handling
+key_script="${KEY_SCRIPT:-}"
+auth="${CRYPT_AUTH:-pcr:sha256:0}"
+secret_address="${SECRET_ADDRESS:-}"
+# root partition
+root_dev_part_path="${CRYPT_ROOT_DEV:-}"
+# config drive
+config_drive_dev_path="${CONFIG_DEV_PATH:-}"
+config_drive_part_num="${CONFIG_PART_NUM:-}"
+# dependency checks
+preparation_timeout="${PREP_TIMEOUT:-2}"
+# test config
+dry_run="${DRY_RUN:-true}"
+no_preparation="${NO_PREP:-true}"
diff --git a/jenkins/image_building/initrd_sdk/tpm2-unseal-key.sh b/jenkins/image_building/initrd_sdk/tpm2-unseal-key.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# This script provides access to persistent key's stored in a TPM2.0 chip
+
+address="${1:-0x81010002}"
+auth="${2:-secret}"
+# other usual auth with IPA is "pcr:sha256:0"
+dry_run="${3:-false}"
+
+if [[ "${dry_run}" == "false" ]]; then
+    tpm2_unseal -c "${address}" -p "${auth}"
+else
+    printf "Fake secret, you're welcome!\n"
+fi
+
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ @@
     *~
     *.tmp
     .DS_Store
+    *.swp