security: import certificates in initramfs

Also dump for transfer durig switchroot so that the certificates can be potentially imported early after switchroot by a service. Resolves: INSTALLER-4030
rvykydal · Dec 17, 2024 · e774bb8 · e774bb8
1 parent 8a50688
commit e774bb8
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/dracut/parse-kickstart b/dracut/parse-kickstart
@@ -66,6 +66,8 @@ TMPDIR = "/tmp"
 ARPHRD_ETHER = "1"
 ARPHRD_INFINIBAND = "32"
 
+CERT_TRANSPORT_DIR = "/run/install/certificates"
+
 # Helper function for reading simple files in /sys
 def readsysfile(f):
     '''Return the contents of f, or "" if missing.'''
@@ -403,6 +405,44 @@ def ksnet_to_dracut(args, lineno, net, bootdev=False):
 
     return " ".join(line)
 
+
+def _dump_certificate(cert, root="/", dump_dir=None):
+    """Dump the certificate into specified file."""
+    dump_dir = dump_dir or cert.dir
+    if not dump_dir:
+        log.error("Certificate destination is missing for %s", cert.filename)
+        return
+
+    dst_dir = os.path.join(root+dump_dir.lstrip('/'))
+    log.debug("Dumping certificate %s into %s.", cert.filename, dst_dir)
+    if not os.path.exists(dst_dir):
+        log.debug("Path %s for certificate does not exist, creating.", dst_dir)
+        os.makedirs(dst_dir)
+
+    dst = os.path.join(dst_dir, cert.filename)
+
+    if os.path.exists(dst):
+        log.warning("Certificate file %s already exists, replacing.", dst)
+
+    with open(dst, 'w') as f:
+        f.write(cert.cert)
+        f.write('\n')
+
+
+def process_certificates(handler):
+    """Import certificates defined in %certificate sections."""
+    for cert in handler.certificates:
+        log.info("Processing kickstart certificate %s", cert.filename)
+
+        if not cert.filename:
+            log.error("Missing certificate file name, skipping.")
+            continue
+
+        _dump_certificate(cert)
+        # Dump for transport to switchroot
+        _dump_certificate(cert, root=CERT_TRANSPORT_DIR+"/path/")
+
+
 def process_kickstart(ksfile):
     handler = DracutHandler()
     try:
@@ -422,6 +462,7 @@ def process_kickstart(ksfile):
     with open(TMPDIR+"/ks.info", "a") as f:
         f.write('parsed_kickstart="%s"\n' % processed_file)
     log.info("finished parsing kickstart")
+    process_certificates(handler)
     return processed_file, handler.output
 
 if __name__ == '__main__':