Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(90crypt): add support for AF_UNIX key files #2627

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat(90crypt): add support for AF_UNIX key files #2627

wants to merge 1 commit into from

Conversation

kszczek
Copy link

@kszczek kszczek commented Feb 20, 2024
edited
Loading

systemd v248 introduced support for using AF_UNIX sockets as key files in /etc/crypttab. This pull request enhances the 90crypt module to identify socket units with matching socket file paths. It includes the first matching socket unit along with its corresponding service unit. This correspondence is determined by checking the Service= option in the socket unit or, if that's not available, by replacing the .socket suffix with either @.service or .service, depending on the Accept= option (see man page for systemd.socket). Futhermore, this functionality handles sockets located under /run/cryptsetup-keys.d/, which are automatically discoverable by the systemd-cryptsetup utility when the key file field in /etc/crypttab is empty.

Checklist

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@github-actions github-actions bot added modules Issue tracker for all modules crypt Issues related to the crypt module labels Feb 20, 2024
@kszczek
Copy link
Author

kszczek commented Feb 20, 2024
edited
Loading

Example configuration/use case

/usr/local/bin/get-secret

#!/bin/bash
echo -n "secret"

/etc/dracut.conf.d/get-secret.conf

install_items+=" /usr/local/bin/get-secret "

/etc/systemd/system/root-volume-key.socket

[Unit]
Description=Root Volume Key Socket
DefaultDependencies=no
Conflicts=multi-user.target shutdown.target
Before=cryptsetup-pre.target multi-user.target shutdown.target
Wants=cryptsetup-pre.target

[Socket]
ListenStream=/run/cryptsetup-keys.d/luks-<UUID>.key
SocketUser=root
SocketGroup=root
SocketMode=0400
DirectoryMode=0750
Accept=yes
MaxConnections=1
RemoveOnStop=yes

[Install]
WantedBy=sockets.target

/etc/systemd/system/[email protected]

[Unit]
Description=Root Volume Key Service
DefaultDependencies=no
After=root-volume-key.socket
Requisite=root-volume-key.socket
RefuseManualStart=yes
RefuseManualStop=yes

[Service]
Type=exec
ExecStart=/bin/bash /usr/local/bin/get-secret
StandardOutput=socket
StandardError=kmsg+console

/etc/crypttab

luks-<UUID> UUID=<UUID> none discard

Also, make sure to enable the root-volume-key.socket before regenerating the initramfs.

@stale Stale
Copy link

stale bot commented Apr 22, 2024

This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.

@stale stale bot added the stale communication is stuck label Apr 22, 2024
@kszczek
Copy link
Author

kszczek commented Apr 29, 2024

Commenting to keep this open.

Also opened a PR in the fork: dracut-ng/dracut-ng#257

@stale stale bot removed the stale communication is stuck label Apr 29, 2024
@kszczek
feat(90crypt): add support for AF_UNIX key files
ec3b8a9 
systemd v248 introduced support for using AF_UNIX stream sockets
as key files in /etc/crypttab. This commit enhances the 90crypt module
to identify socket units with matching socket file paths. It then
includes the first matching socket unit along with its corresponding
service unit. This correspondence is determined by checking the
Service= option in the socket unit or, if that's not available,
by replacing the .socket suffix with either @.service or .service,
depending on the Accept= option (see man page for systemd.socket).

Futhermore, this functionality handles sockets located under
/run/cryptsetup-keys.d/, which are automatically discoverable by
the systemd-cryptsetup utility when the key file field in /etc/crypttab
is empty.
@kszczek kszczek force-pushed the systemd-cryptsetup-socket-keyfiles branch from 58241ff to ec3b8a9 Compare April 30, 2024 09:01
@kszczek kszczek changed the title feat(90crypt): install required systemd units when using AF_UNIX sockets as keyfiles feat(90crypt): add support for AF_UNIX key files Apr 30, 2024
@kszczek
Copy link
Author

kszczek commented Apr 30, 2024

Force pushed to fix the commit message and shell lint issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haraldh haraldh Awaiting requested review from haraldh haraldh is a code owner

@johannbg johannbg Awaiting requested review from johannbg johannbg is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
crypt Issues related to the crypt module modules Issue tracker for all modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@kszczek