diff --git a/init.sh b/init.sh index cc33601..2746d92 100755 --- a/init.sh +++ b/init.sh @@ -1,29 +1,38 @@ #!/bin/bash source /init_functions.sh -export INSTALL_URL="/tmp/detee_install_url" -export INSTALL_SHA="/tmp/detee_install_sha" -export ROOT_KEYFILE="/tmp/detee_root_keyfile" -export SSH_KEY_FILE="/tmp/detee_ssh_key" +install_url="/tmp/detee_install_url" +install_sha="/tmp/detee_install_sha" +root_keyfile="/tmp/detee_root_keyfile" +ssh_key_file="/tmp/detee_ssh_key" +snp_key_file="/tmp/detee_luks_hotkey" create_mounts load_modules -create_certs setup_network # if you wait a bit, it works. The Kernel works in mysterious ways. -sleep 5 +sleep 2 modprobe sev_guest -guest_api || echo DeTEE API got killed by the user. +snp_key="$(GET_DERIVATION_KEY=yes guest_api)" +[[ -n $snp_key ]] && echo $snp_key > $snp_key_file -if [[ -f "$INSTALL_URL" ]]; then - install_os -else - mount_root -fi +try_hot_decrypt || { + create_certs + guest_api + if [[ -f "$install_url" ]]; then + install_os + else + cryptsetup luksKillSlot -d $root_keyfile /dev/vda1 1 + [[ -f "$snp_key_file" ]] && cryptsetup luksAddKey \ + --key-file $root_keyfile \ + --new-keyfile $snp_key_file /dev/vda1 + cryptsetup open -d $root_keyfile /dev/vda1 root + mount /dev/mapper/root /mnt + fi +} -# TODO: take into consideration to remove github key injection github_ssh_key detee_ssh_key diff --git a/init_functions.sh b/init_functions.sh index 587bbe2..b19f616 100644 --- a/init_functions.sh +++ b/init_functions.sh @@ -33,6 +33,15 @@ create_mounts() { ln -sfT /proc/self/fd/2 /dev/stderr } +try_hot_decrypt() { + [[ -f "$snp_key_file" ]] && { + cryptsetup open --key-file $snp_key_file /dev/vda1 root || return 1 + mount /dev/mapper/root /mnt || return 1 + return 0 + } + return 1 +} + create_certs() { cert_dir="/tmp/certs" key="$cert_dir/guest_api.key" 
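Review bot: The derived LUKS key is written with `[[ -n $snp_key ]] && echo $snp_key > $snp_key_file`, unquoted and under whatever umask the init environment has, and nothing in this hunk removes `/tmp/detee_luks_hotkey` once the volume is open. I would set `umask 077` before the write, use `[[ -n "$snp_key" ]] && printf '%s\n' "$snp_key" > "$snp_key_file"`, and add `rm -f -- "$snp_key_file"` after the root filesystem is mounted. The command substitution also captures everything `guest_api` prints on stdout, so any log line emitted there would become part of the key; its output format is not visible in this diff and should be confirmed. The `cryptsetup` calls in the new `else` branch also pass `$root_keyfile` and `$snp_key_file` unquoted.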
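Review bot: In `try_hot_decrypt`, a failed `mount` returns 1 but leaves the `root` mapping open, so the fallback in init.sh then runs `cryptsetup open -d $root_keyfile /dev/vda1 root` against a name that is already in use. Closing the mapping on that path keeps the fallback usable: `mount /dev/mapper/root /mnt || { cryptsetup close root; return 1; }`. `$snp_key_file` should also be quoted in the `cryptsetup open --key-file` call. A short header comment saying the function returns 0 only when the root volume is both unlocked with the hot key and mounted would help, because init.sh uses that status to decide whether `create_certs` and `guest_api` run at all.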
@@ -63,15 +72,16 @@ setup_network() { ip link set eth0 up ip route add default via $gateway echo nameserver $nameserver > /etc/resolv.conf - sleep 4 + sleep 2 ping -c 2 $gateway } install_os() { - local url="$(cat $INSTALL_URL)" hostname='' + local url="$(cat $install_url)" hostname='' # mount root if it exists blkid | grep vda1 | grep LUKS && { - mount_root + cryptsetup open -d $root_keyfile /dev/vda1 root + mount /dev/mapper/root /mnt return 0 } # install OS if disk is empty @@ -83,12 +93,15 @@ install_os() { echo echo w ) | fdisk /dev/vda - cryptsetup luksFormat --batch-mode -d $ROOT_KEYFILE /dev/vda1 - cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root + cryptsetup luksFormat --batch-mode -d $root_keyfile /dev/vda1 + [[ -f "$snp_key_file" ]] && cryptsetup luksAddKey \ + --key-file $root_keyfile \ + --new-keyfile $snp_key_file /dev/vda1 + cryptsetup open -d $root_keyfile /dev/vda1 root mkfs.ext4 /dev/mapper/root mount /dev/mapper/root /mnt wget -O /mnt/template.fsa "$url" - sha256sum /mnt/template.fsa | grep $(cat ${INSTALL_SHA}) || exit 1 + sha256sum /mnt/template.fsa | grep $(cat ${install_sha}) || exit 1 fsarchiver restdir /mnt/template.fsa / rm /mnt/template.fsa # TODO: decide for UX if maybe we should allow user to inject fstab @@ -106,7 +119,7 @@ github_ssh_key() { cd /mnt/root/.ssh touch authorized_keys key="$(wget -O - https://github.com/${github_user}.keys)" - grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys || { + grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys > /dev/null || { echo "$key" >> authorized_keys chmod 600 authorized_keys } 
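Review bot: The inlined `cryptsetup open -d $root_keyfile /dev/vda1 root` and `mount /dev/mapper/root /mnt` in `install_os` are followed by an unconditional `return 0`, so a failed unlock or mount is reported as success and the SSH-key steps in init.sh carry on against an unmounted `/mnt`. Suggested: `cryptsetup open -d "$root_keyfile" /dev/vda1 root || return 1` and `mount /dev/mapper/root /mnt || return 1`. This branch also does not enrol the hot key, unlike the `else` branch in init.sh; if that is intended, a comment saying so would help. `install_os` begins in this hunk and continues past its end.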
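Review bot: The `luksAddKey` added after `luksFormat` does not name a key slot, yet init.sh removes the hot key with `cryptsetup luksKillSlot -d $root_keyfile /dev/vda1 1`, so the two agree only as long as cryptsetup happens to place the new key in slot 1. Pinning it makes the coupling explicit: add `--key-slot 1` to this `luksAddKey` and to the one in init.sh. On a volume where slot 1 already holds some other key, the kill in init.sh would remove that key instead, so a comment stating that slot 1 is reserved for the hot key would make the expectation visible. Separately, `sha256sum /mnt/template.fsa | grep $(cat ${install_sha})` accepts any substring of the digest line; an exact comparison of the first field against the expected hash would be stricter. `install_os` starts before this hunk and continues after it.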
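Review bot: The presence check in `github_ssh_key` compares only the first key: `echo $key` is unquoted, so a multi-line response is flattened and `awk '{ print $2 }'` yields the blob of the first key alone, after which `echo "$key"` appends every line. A per-line `while read -r` loop like the one in `detee_ssh_key` would handle several keys correctly. `grep -qF` is the usual way to silence the match instead of `> /dev/null`. `github_ssh_key` starts before this hunk and its closing brace is not within it.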
@@ -116,15 +129,11 @@ github_ssh_key() { detee_ssh_key() { local key='' mkdir -p /mnt/root/.ssh - [[ -f "$SSH_KEY_FILE" ]] && while read -r key; do - grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys || { + cd /mnt/root/.ssh + [[ -f "$ssh_key_file" ]] && while read -r key; do + grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys > /dev/null || { echo "$key" >> authorized_keys } - done < "$SSH_KEY_FILE" + done < "$ssh_key_file" chmod 600 authorized_keys } - -mount_root() { - cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root - mount /dev/mapper/root /mnt -}
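Review bot: The added `cd /mnt/root/.ssh` in `detee_ssh_key` changes the working directory of the whole init script, since the functions are sourced, and its status is not checked. Addressing the file by absolute path avoids both, e.g. `local auth=/mnt/root/.ssh/authorized_keys` with `"$auth"` used in the `grep`, the `>>` and the `chmod`. Because `mkdir -p` succeeds even when `/mnt` was never mounted, the keys can end up in the initramfs and be silently lost; a `mountpoint -q /mnt || return 1` guard at the top would catch that. `chmod 600 authorized_keys` also fails when no key file was supplied and nothing created the file earlier.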