feat: add disk encryption to serviceinfo API server

This adds a simple configuration for the provided API server to return clevis disk encryption. Signed-off-by: Patrick Uiterwijk <[email protected]>
fdo-rs · Mar 29, 2022 · 4656975 · 4656975
1 parent 44d1e71
commit 4656975
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 44 deletions.
diff --git a/admin-tool/src/aio/configure.rs b/admin-tool/src/aio/configure.rs
@@ -163,6 +163,7 @@ impl Configuration {
             initial_user: None,
             files: None,
             commands: None,
+            diskencryption_clevis: None,
             additional_serviceinfo: None,
         })
     }

diff --git a/integration-tests/templates/serviceinfo-api-server.yml.j2 b/integration-tests/templates/serviceinfo-api-server.yml.j2
@@ -31,3 +31,11 @@ service_info:
   - command: touch
     args:
     - {{ keys_path }}/command-testfile
+{% if encrypted_disk_label %}
+  diskencryption_clevis:
+  - disk_label: {{ encrypted_disk_label }}
+    binding:
+      pin: test
+      config: "{}"
+    reencrypt: true
+{% endif %}
diff --git a/integration-tests/tests/e2e.rs b/integration-tests/tests/e2e.rs
@@ -110,6 +110,8 @@ where
 {
     let mut ctx = TestContext::new().context("Error building test context")?;
 
+    let encrypted_disk_loc = ctx.testpath().join("encrypted.img");
+
     let rendezvous_server = ctx
         .start_test_server(
             Binary::RendezvousServer,
@@ -120,7 +122,15 @@ where
     let serviceinfo_api_server = ctx
         .start_test_server(
             Binary::ServiceInfoApiServer,
-            |cfg| Ok(cfg.prepare_config_file(None, |_| Ok(()))?),
+            |cfg| {
+                Ok(cfg.prepare_config_file(None, |cfg| {
+                    cfg.insert(
+                        "encrypted_disk_label",
+                        &encrypted_disk_loc.to_string_lossy(),
+                    );
+                    Ok(())
+                })?)
+            },
             |_| Ok(()),
         )
         .context("Error creating serviceinfo API dev server")?;
@@ -243,14 +253,12 @@ where
     // It should have been extended to the "owner" time by the manufacturer
     owner_output.expect_stdout_line("Entry 0")?;
 
-    let disk_loc = ctx.testpath().join("encrypted.img");
-
     L.l("Adding disk encryption tests");
     L.l("Creating empty disk image");
     if !Command::new("truncate")
         .arg("-s")
         .arg("1G")
-        .arg(&disk_loc)
+        .arg(&encrypted_disk_loc)
         .status()
         .context("Error running truncate")?
         .success()
@@ -261,7 +269,7 @@ where
     L.l("Encrypting disk image");
     let mut child = Command::new("cryptsetup")
         .arg("luksFormat")
-        .arg(&disk_loc)
+        .arg(&encrypted_disk_loc)
         .arg("--force-password")
         .stdin(std::process::Stdio::piped())
         .spawn()
@@ -282,7 +290,7 @@ where
         .arg("luks")
         .arg("bind")
         .arg("-d")
-        .arg(&disk_loc)
+        .arg(&encrypted_disk_loc)
         .arg("test")
         .arg("{}")
         .env("PATH", ctx.get_path_env()?)
@@ -301,43 +309,11 @@ where
     }
 
     #[allow(unused_mut)]
-    let mut service_info = vec![
-        (
-            "CI".to_string(),
-            "teststring".to_string(),
-            serde_json::Value::String(CI_TESTSTRING.to_string()),
-        ),
-        (
-            "org.fedoraiot.diskencryption-clevis".to_string(),
-            "disk-label".to_string(),
-            serde_json::Value::String(
-                ctx.testpath()
-                    .join("encrypted.img")
-                    .to_string_lossy()
-                    .to_string(),
-            ),
-        ),
-        (
-            "org.fedoraiot.diskencryption-clevis".to_string(),
-            "pin".to_string(),
-            serde_json::Value::String("test".to_string()),
-        ),
-        (
-            "org.fedoraiot.diskencryption-clevis".to_string(),
-            "config".to_string(),
-            serde_json::Value::String("{}".to_string()),
-        ),
-        (
-            "org.fedoraiot.diskencryption-clevis".to_string(),
-            "reencrypt".to_string(),
-            serde_json::Value::Bool(true),
-        ),
-        (
-            "org.fedoraiot.diskencryption-clevis".to_string(),
-            "execute".to_string(),
-            serde_json::Value::Null,
-        ),
-    ];
+    let mut service_info = vec![(
+        "CI".to_string(),
+        "teststring".to_string(),
+        serde_json::Value::String(CI_TESTSTRING.to_string()),
+    )];
 
     let client = reqwest::Client::new();
     // Submit additional ServiceInfo for this device
@@ -415,7 +391,7 @@ testkey
     L.l("Checking encrypted disk image");
     let output = Command::new("cryptsetup")
         .arg("luksDump")
-        .arg(ctx.testpath().join("encrypted.img"))
+        .arg(encrypted_disk_loc)
         .output()
         .context("Error running cryptsetup")?;
     if !output.status.success() {

diff --git a/serviceinfo-api-server/src/main.rs b/serviceinfo-api-server/src/main.rs
@@ -290,6 +290,45 @@ async fn serviceinfo_handler(
         }
     }
 
+    if query_info
+        .modules
+        .contains(&FedoraIotServiceInfoModule::DiskEncryptionClevis.into())
+    {
+        if let Some(disk_encryptions) = &user_data
+            .service_info_configuration
+            .settings
+            .diskencryption_clevis
+        {
+            for encryption in disk_encryptions {
+                reply.add_extra(
+                    FedoraIotServiceInfoModule::DiskEncryptionClevis,
+                    "disk-label",
+                    &encryption.disk_label,
+                );
+                reply.add_extra(
+                    FedoraIotServiceInfoModule::DiskEncryptionClevis,
+                    "pin",
+                    &encryption.binding.pin,
+                );
+                reply.add_extra(
+                    FedoraIotServiceInfoModule::DiskEncryptionClevis,
+                    "config",
+                    &encryption.binding.config,
+                );
+                reply.add_extra(
+                    FedoraIotServiceInfoModule::DiskEncryptionClevis,
+                    "reencrypt",
+                    &encryption.reencrypt,
+                );
+                reply.add_extra(
+                    FedoraIotServiceInfoModule::DiskEncryptionClevis,
+                    "execute",
+                    &serde_json::Value::Null,
+                );
+            }
+        }
+    }
+
     if let Some(additional_serviceinfo) = &user_data
         .service_info_configuration
         .settings

diff --git a/util/src/servers/configuration/serviceinfo_api_server.rs b/util/src/servers/configuration/serviceinfo_api_server.rs
@@ -25,9 +25,24 @@ pub struct ServiceInfoSettings {
 
     pub commands: Option<Vec<ServiceInfoCommand>>,
 
+    pub diskencryption_clevis: Option<Vec<ServiceInfoDiskEncryptionClevis>>,
+
     pub additional_serviceinfo: Option<HashMap<ServiceInfoModule, Vec<(String, String)>>>,
 }
 
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct ServiceInfoDiskEncryptionClevisBinding {
+    pub pin: String,
+    pub config: String,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct ServiceInfoDiskEncryptionClevis {
+    pub disk_label: String,
+    pub binding: ServiceInfoDiskEncryptionClevisBinding,
+    pub reencrypt: bool,
+}
+
 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct ServiceInfoFile {
     pub path: String,