Merge pull request ostreedev#2694 from jschintag/rhel8-secex-backport

Backport Secure Execution enablement from 2022.5
mangelajo · Aug 19, 2022 · 2c0e841 · 2c0e841
2 parents dd194ec + 2c8d5b9
commit 2c0e841
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 18 deletions.
diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
@@ -21,12 +21,18 @@
 #include "ostree-bootloader-zipl.h"
 #include "ostree-deployment-private.h"
 #include "otutil.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
 #include <string.h>
 
-#define SECURE_EXECUTION_BOOT_IMAGE     "/boot/sd-boot"
+#define SECURE_EXECUTION_SYSFS_FLAG     "/sys/firmware/uv/prot_virt_guest"
+#define SECURE_EXECUTION_PARTITION      "/dev/disk/by-label/se"
+#define SECURE_EXECUTION_MOUNTPOINT     "/sysroot/se"
+#define SECURE_EXECUTION_BOOT_IMAGE     SECURE_EXECUTION_MOUNTPOINT "/sdboot"
 #define SECURE_EXECUTION_HOSTKEY_PATH   "/etc/se-hostkeys/"
 #define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
 #define SECURE_EXECUTION_LUKS_ROOT_KEY  "/etc/luks/root"
+#define SECURE_EXECUTION_LUKS_BOOT_KEY  "/etc/luks/boot"
 #define SECURE_EXECUTION_LUKS_CONFIG    "/etc/crypttab"
 #define SECURE_EXECUTION_RAMDISK_TOOL   PKGLIBEXECDIR "/s390x-se-luks-gencpio"
 
@@ -67,6 +73,25 @@ _ostree_bootloader_zipl_get_name (OstreeBootloader *bootloader)
   return "zipl";
 }
 
+static gboolean
+_ostree_secure_execution_mount(GError **error)
+{
+  const char *device = realpath (SECURE_EXECUTION_PARTITION, NULL);
+  if (device == NULL)
+    return glnx_throw_errno_prefix(error, "s390x SE: resolving %s", SECURE_EXECUTION_PARTITION);
+  if (mount (device, SECURE_EXECUTION_MOUNTPOINT, "ext4", 0, NULL) < 0)
+    return glnx_throw_errno_prefix (error, "s390x SE: Mounting %s", device);
+  return TRUE;
+}
+
+static gboolean
+_ostree_secure_execution_umount(GError **error)
+{
+  if (umount (SECURE_EXECUTION_MOUNTPOINT) < 0)
+    return glnx_throw_errno_prefix (error, "s390x SE: Unmounting %s", SECURE_EXECUTION_MOUNTPOINT);
+  return TRUE;
+}
+
 static gboolean
 _ostree_bootloader_zipl_write_config (OstreeBootloader  *bootloader,
                                           int                bootversion,
@@ -85,6 +110,23 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader  *bootloader,
   return TRUE;
 }
 
+static gboolean _ostree_secure_execution_is_enabled (gboolean *out_enabled,
+                                                     GCancellable *cancellable,
+                                                     GError **error)
+{
+  *out_enabled = FALSE;
+  glnx_autofd int fd = -1;
+  if (!ot_openat_ignore_enoent (AT_FDCWD, SECURE_EXECUTION_SYSFS_FLAG, &fd, error))
+    return FALSE;
+  if (fd == -1)
+    return TRUE; //ENOENT --> SecureExecution is disabled
+  g_autofree char *data = glnx_fd_readall_utf8 (fd, NULL, cancellable, error);
+  if (!data)
+    return FALSE;
+  *out_enabled = strstr (data, "1") != NULL;
+  return TRUE;
+}
+
 static gboolean
 _ostree_secure_execution_get_keys (GPtrArray **keys,
                                    GCancellable *cancellable,
@@ -152,8 +194,8 @@ _ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
 static gboolean
 _ostree_secure_execution_luks_key_exists (void)
 {
-  return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
-          access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0);
+  return (access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0 &&
+    (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 || access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0));
 }
 
 static gboolean
@@ -250,7 +292,7 @@ static gboolean
 _ostree_secure_execution_call_zipl (GError **error)
 {
   int status = 0;
-  const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
+  const char *const zipl_argv[] = {"zipl", "-V", "-t", SECURE_EXECUTION_MOUNTPOINT, "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
   if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
                        NULL, NULL, NULL, NULL, &status, error))
     return glnx_prefix_error(error, "s390x SE: spawning zipl");
@@ -274,9 +316,11 @@ _ostree_secure_execution_enable (OstreeBootloaderZipl *self,
   g_autofree gchar* options = NULL;
 
   gboolean rc =
+      _ostree_secure_execution_mount (error) &&
       _ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
       _ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
-      _ostree_secure_execution_call_zipl (error);
+      _ostree_secure_execution_call_zipl (error) &&
+      _ostree_secure_execution_umount (error);
 
   return rc;
 }
@@ -303,12 +347,18 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader  *bootloader,
     return TRUE;
 
   /* Try with Secure Execution */
-  g_autoptr(GPtrArray) keys = NULL;
-  if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+  gboolean se_enabled = FALSE;
+  if ( !_ostree_secure_execution_is_enabled (&se_enabled, cancellable, error))
     return FALSE;
-  if (keys && keys->len)
-    return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
-
+  if (se_enabled)
+    {
+      g_autoptr(GPtrArray) keys = NULL;
+      if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+        return FALSE;
+      if (!keys || keys->len == 0)
+        return glnx_throw (error, "s390x SE: no keys");
+      return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+    }
   /* Fallback to non-SE setup */
   const char *const zipl_argv[] = {"zipl", NULL};
   int estatus;

diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
@@ -4,19 +4,19 @@ set -euo pipefail
 
 old_initrd=$1
 new_initrd=$2
+currdir=$PWD
 
-# Unpacking existing initramdisk
+# Copying existing initramdisk
+cp ${old_initrd} ${new_initrd}
+
+# Appending LUKS root keys and crypttab config to the end of initrd
 workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
 cd ${workdir}
-gzip -cd ${old_initrd} | cpio -imd --quiet
-
-# Adding LUKS root key and crypttab config
 mkdir -p etc/luks
-cp -f /etc/luks/root etc/luks/
+cp -f /etc/luks/* etc/luks/
 cp -f /etc/crypttab etc/
-
-# Creating new initramdisk image
-find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
 
 # Cleanup
+cd ${currdir}
 rm -rf ${workdir}