Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature request] Add mkinitcpio hook support. #334

Open
ShapeShifter499 opened this issue Aug 29, 2021 · 4 comments · May be fixed by #374
Open

[Feature request] Add mkinitcpio hook support. #334

ShapeShifter499 opened this issue Aug 29, 2021 · 4 comments · May be fixed by #374

Comments

@ShapeShifter499
Copy link

ShapeShifter499 commented Aug 29, 2021

I use Arch Linux and someone I've talked with on their IRC channel stated that the clevis package for Arch Linux doesn't have mkinitcpio support because upstream didn't. For Arch Linux mkinitcpio is the default way of generating a init ram disk including adding any modules and features you may want to have at boot time. https://wiki.archlinux.org/title/Mkinitcpio

This is a mkinitcpio install and hook I found from the Arch Linux forums that would enable clevis at boot but I am not sure if this is totally correct. https://bbs.archlinux.org/viewtopic.php?id=230948

clevis-mkinitcpio-install:

#!/bin/bash

build() {
    add_binary "clevis-decrypt-http"
    add_binary "clevis-decrypt-tang"
    add_binary "clevis-decrypt-sss"
    add_binary "clevis-decrypt"
    add_binary "luksmeta"
    add_binary "clevis"
    add_binary "jose"
    add_binary "curl"
    add_binary "bash"
    add_runscript
}

help() {
    cat <<HELPEOF
This hook will attempt to unlock LUKS volumes using data stored in the header
by clevis and luksmeta. Use this hook in combination with any early userspace
networking hook, such as mkinitcpio-netconf or mkinitcpio-ppp. It also requires
mkinitcpio-utils for the encryptssh hook.

An example usage would be to have 'netconf clevis encryptssh' added before your
filesystems hook. You also need to configure clevis unlocking by using the
'clevis bind luks' command on your luks partition.
HELPEOF
}

clevis-mkinitcpio-hook:

#!/usr/bin/bash

run_hook ()
{
    clevis_loop &
    echo $! > /.clevis.pid
}

clevis_loop()
{
    while ! [ -c /dev/mapper/control -a -f /.cryptdev -a -f /.cryptname -a -f /.cryptargs ];
do
        sleep 0.1
    done

    CRYPTDEV=$(cat /.cryptdev)
    CRYPTNAME=$(cat /.cryptname)
    UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
    luksmeta show -d "$CRYPTDEV" | while read -r slot state uuid; do
        [ "$state" != "active" ] && continue
        [ "$uuid" != "$UUID" ] && continue

        if ( luksmeta load -d "$CRYPTDEV" -s $slot -u $UUID | clevis decrypt \
            | cryptsetup luksOpen $(cat /.cryptdev) $CRYPTNAME $(cat /.cryptargs) ); then
            echo > /.done
            echo -e "\n\n$CRYPTNAME sucessfully decrypted via clevis."
            killall cryptsetup
            break
        fi
    done
    rm /.clevis.pid
}

run_cleanuphook ()
{
    if [ -f /.clevis.pid ]; then
        kill $(/.clevis.pid)
        rm /.clevis.pid
    fi
}
@anatol
Copy link
Contributor

anatol commented Oct 5, 2021

You might be interested in booster initramfs that supports clevis tokens out of the box https://github.com/anatol/booster

@ShapeShifter499
Copy link
Author

You might be interested in booster initramfs that supports clevis tokens out of the box https://github.com/anatol/booster

So I could setup tang as normal and then use booster to help with the clevis side on other boxes?

@anatol
Copy link
Contributor

anatol commented Nov 12, 2021

So I could setup tang as normal and then use booster to help with the clevis side on other boxes?

Yes. Booster works with clevis tokens out-of-the-box. See https://wiki.archlinux.org/title/Booster

@ShapeShifter499
Copy link
Author

I'm not sure if I should close this since I feel like some support for Clevis and Tang should be brought to mkinitcpio. But I have since switched to booster and it does seem to be working alright after some setup hiccups.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants