alpine-conf: Support encrypted root in setup-disk v1 PROPOSED

Drew DeVault: 1
 Support encrypted root in setup-disk

 1 files changed, 40 insertions(+), 1 deletions(-)

Trying to take a look but doesn't seem to apply cleanly to master for
me -- I may be driving git wrong though.

Drew DeVault <sir@cmpwn.com>

5 years ago

Cheers, I'll rebase it.

Next

Not familiar with dm-crypt but looking through the patch, it seems plausible.

Drew DeVault <sir@cmpwn.com>

5 years ago

Note, I've used this patch in production on a half a dozen machines
without any issues so far.

Next

Possibly need to add "e" to the parameter list to getopts?

Drew DeVault <sir@cmpwn.com>

5 years ago

Ah, you're right.

On Mon, 23 Sep 2019 at 21:25, Drew DeVault <sir@cmpwn.com> wrote:

Actually, it seems to apply cleanly to me. Try this command:

curl -s https://lists.alpinelinux.org/~alpine/devel/%3C20190424160230.26544-1-sir%40cmpwn.com%3E/raw | git am -3

Richard Mortier <mort@cantab.net>

5 years ago

-- 
Richard Mortier
mort@cantab.net

Huh, notwithstanding git appearing to give me errors, at least one of
the combinations of apply/am/mailinfo that I tried seemed to have in
fact worked. Sigh. One day I'll learn how to use git properly... :)

One other query - I don't understand the #TODO message...?

Drew DeVault <sir@cmpwn.com>

5 years ago

The if statement it's TODO'ing skips prompting the user for encryption
if they're using LVM or a non-sys disk setup. The task that remains to
be done is tweaking the crypt support to support setting up encrypted
disks for any case other than the basic one.

Don't have a machine handy to try it on but like I said, seems ok to
me, and if you've been using it for a while then SGTM.

Thanks!

On Wed, 25 Sep 2019 at 14:58, Drew DeVault <sir@cmpwn.com> wrote:

Ah ok; FWIW I didn't interpret it like that.

I think the only other query I'd have is whether that interactive
block can be entered even if the user has specified -e -- if so, seems
odd to ask when they've already told you.

On Wed, 25 Sep 2019 at 15:13, Drew DeVault <sir@cmpwn.com> wrote:

[alpine-devel] [PATCH alpine-conf] Support encrypted root in setup-disk Export this patch

---
 setup-disk.in | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/setup-disk.in b/setup-disk.in
index 5eb8638..1f66230 100644
--- a/setup-disk.in
+++ b/setup-disk.in
@@ -402,6 +402,9 @@ install_mounted_root() {
 		esac
 	done
 
+	if [ "$USE_CRYPT" ]; then
+		initfs_features="${initfs_features% cryptsetup} cryptsetup"
+	fi
 
 	if [ -n "$VERBOSE" ]; then
 		echo "Root device:     $rootdev"
@@ -442,6 +445,11 @@ install_mounted_root() {
 	if [ -n "$(get_bootopt nomodeset)" ]; then
 		kernel_opts="nomodeset $kernel_opts"
 	fi
+	if [ "$USE_CRYPT" ]; then
+		root=$(cryptsetup status "$rootdev" | grep "device:" | awk '{ print $2 }')
+		kernel_opts="cryptroot=$root cryptdm=root"
+		root=/dev/mapper/root
+	fi
 	modules="sd-mod,usb-storage,${root_fs}${raidmod}"
 
 	# generate the fstab
@@ -503,6 +511,10 @@ unmount_partitions() {
 
 	# unmount the partitions
 	umount $(awk '{print $2}' /proc/mounts | egrep "^$mnt(/|\$)" | sort -r)
+
+	if [ "$USE_CRYPT" ]; then
+		cryptsetup close /dev/mapper/root
+	fi
 }
 
 # figure out decent default swap size in mega bytes
@@ -994,6 +1006,18 @@ native_disk_install_lvm() {
 	setup_root $root_dev $BOOT_DEV
 }
 
+setup_crypt() {
+	mkdir -p /run/cryptsetup
+	echo "Preparing root partition for encryption." >&2
+	echo "You will be prompted for your password at boot." >&2
+	echo "If you forget your password, your data will be lost." >&2
+	cryptsetup luksFormat --type luks2 "$1" >&2
+	echo "Enter password again to unlock disk for installation." >&2
+	cryptsetup open "$1" root >&2
+	cryptroot="$1"
+	echo "/dev/mapper/root"
+}
+
 native_disk_install() {
 	local prep_part_type=$(partition_id prep)
 	local root_part_type=$(partition_id linux)
@@ -1065,6 +1089,10 @@ native_disk_install() {
 		root_dev=$(find_nth_non_boot_parts $index "$root_part_type" $@)
 	fi
 
+	if [ "$USE_CRYPT" ]; then
+		root_dev=$(setup_crypt $root_dev)
+	fi
+
 	[ $SWAP_SIZE -gt 0 ] && setup_swap_dev $swap_dev
 	setup_root $root_dev $BOOT_DEV $@
 }
@@ -1143,7 +1171,7 @@ ask_disk() {
 
 usage() {
 	cat <<-__EOF__
-		usage: setup-disk [-hLqrv] [-k kernelflavor] [-m MODE] [-o apkovl] [-s SWAPSIZE]
+		usage: setup-disk [-hLqrve] [-k kernelflavor] [-m MODE] [-o apkovl] [-s SWAPSIZE]
 		                  [MOUNTPOINT | DISKDEV...]
 
 		Install alpine on harddisk.
@@ -1157,6 +1185,7 @@ usage() {
 
 		options:
 		 -h  Show this help
+		 -e  Encrypt disk
 		 -m  Use disk for MODE without asking, where MODE is either 'data' or 'sys'
 		 -o  Restore system from given apkovl file
 		 -k  Use kernelflavor instead of $KERNEL_FLAVOR
@@ -1198,6 +1227,7 @@ USE_LVM=
 # Parse args
 while getopts "hk:Lm:o:qrs:v" opt; do
 	case $opt in
+		e) USE_CRYPT=1;;
 		m) DISK_MODE="$OPTARG";;
 		k) KERNEL_FLAVOR="$OPTARG";;
 		L) USE_LVM="_lvm";;
@@ -1290,6 +1320,15 @@ if [ -n "$diskdevs" ] && [ -z "$DISK_MODE" ]; then
 		esac
 	done
 	DISK_MODE="$answer"
+	# TODO: support encryption for more installation types
+	if [ "$DISK_MODE" = "sys" ] && [ -z "$USE_LVM" ]; then
+		echon "Would you like to encrypt $it_them? [y/N] "
+		default_read answer '?'
+		if yesno "$answer"
+		then
+			USE_CRYPT=1
+		fi
+	fi
 fi
 
 if [ -z "$SWAP_SIZE" ]; then
-- 
2.21.0



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Drew DeVault <sir@cmpwn.com>

5 years ago

Bump. Cc'ing recent committers to this repo.