added hot key decryption using SNP KDF

init.sh

@@ -1,29 +1,38 @@
 #!/bin/bash
 source /init_functions.sh
 
-export INSTALL_URL="/tmp/detee_install_url"
+install_url="/tmp/detee_install_url"
-export INSTALL_SHA="/tmp/detee_install_sha"
+install_sha="/tmp/detee_install_sha"
-export ROOT_KEYFILE="/tmp/detee_root_keyfile"
+root_keyfile="/tmp/detee_root_keyfile"
-export SSH_KEY_FILE="/tmp/detee_ssh_key"
+ssh_key_file="/tmp/detee_ssh_key"
+snp_key_file="/tmp/detee_luks_hotkey"
 
 create_mounts
 load_modules
-create_certs
 setup_network
 
 # if you wait a bit, it works. The Kernel works in mysterious ways.
-sleep 5
+sleep 2
 modprobe sev_guest
 
-guest_api || echo DeTEE API got killed by the user.
+snp_key="$(GET_DERIVATION_KEY=yes guest_api)"
+[[ -n $snp_key ]] && echo $snp_key > $snp_key_file
 
-if [[ -f "$INSTALL_URL" ]]; then 
+try_hot_decrypt || {
+  create_certs
+  guest_api
+  if [[ -f "$install_url" ]]; then 
     install_os
   else
-  mount_root
+    cryptsetup luksKillSlot -d $root_keyfile /dev/vda1 1
+    [[ -f "$snp_key_file" ]] && cryptsetup luksAddKey \
+      --key-file $root_keyfile \
+      --new-keyfile $snp_key_file /dev/vda1
+    cryptsetup open -d $root_keyfile /dev/vda1 root
+    mount /dev/mapper/root /mnt
   fi
+}
 
-# TODO: take into consideration to remove github key injection
 github_ssh_key
 detee_ssh_key
 

init_functions.sh

@@ -33,6 +33,15 @@ create_mounts() {
     ln -sfT /proc/self/fd/2 /dev/stderr
 }
 
+try_hot_decrypt() {
+  [[ -f "$snp_key_file" ]] && {
+    cryptsetup open --key-file $snp_key_file /dev/vda1 root || return 1
+    mount /dev/mapper/root /mnt || return 1
+    return 0
+  }
+  return 1
+}
+
 create_certs() {
   cert_dir="/tmp/certs"
   key="$cert_dir/guest_api.key"
@@ -63,15 +72,16 @@ setup_network() {
   ip link set eth0 up
   ip route add default via $gateway
   echo nameserver $nameserver > /etc/resolv.conf
-  sleep 4
+  sleep 2
   ping -c 2 $gateway
 }
 
 install_os() {
-  local url="$(cat $INSTALL_URL)" hostname=''
+  local url="$(cat $install_url)" hostname=''
   # mount root if it exists
   blkid | grep vda1 | grep LUKS && {
-    mount_root
+    cryptsetup open -d $root_keyfile /dev/vda1 root
+    mount /dev/mapper/root /mnt
     return 0
   }
   # install OS if disk is empty
@@ -83,12 +93,15 @@ install_os() {
     echo 
     echo w
   ) | fdisk /dev/vda
-  cryptsetup luksFormat --batch-mode -d $ROOT_KEYFILE /dev/vda1
+  cryptsetup luksFormat --batch-mode -d $root_keyfile /dev/vda1
-  cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root
+  [[ -f "$snp_key_file" ]] && cryptsetup luksAddKey \
+    --key-file $root_keyfile \
+    --new-keyfile $snp_key_file /dev/vda1
+  cryptsetup open -d $root_keyfile /dev/vda1 root
   mkfs.ext4 /dev/mapper/root
   mount /dev/mapper/root /mnt
   wget -O /mnt/template.fsa "$url"
-  sha256sum /mnt/template.fsa | grep $(cat ${INSTALL_SHA}) || exit 1
+  sha256sum /mnt/template.fsa | grep $(cat ${install_sha}) || exit 1
   fsarchiver restdir /mnt/template.fsa /
   rm /mnt/template.fsa
   # TODO: decide for UX if maybe we should allow user to inject fstab
@@ -106,7 +119,7 @@ github_ssh_key() {
   cd /mnt/root/.ssh
   touch authorized_keys
   key="$(wget -O - https://github.com/${github_user}.keys)"
-  grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys || {
+  grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys > /dev/null || {
     echo "$key" >> authorized_keys
     chmod 600 authorized_keys
   }
@@ -116,15 +129,11 @@ github_ssh_key() {
 detee_ssh_key() {
   local key=''
   mkdir -p /mnt/root/.ssh
-  [[ -f "$SSH_KEY_FILE" ]] && while read -r key; do
+  cd /mnt/root/.ssh
-    grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys || {
+  [[ -f "$ssh_key_file" ]] && while read -r key; do
+    grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys > /dev/null || {
       echo "$key" >> authorized_keys
     }
-  done < "$SSH_KEY_FILE"
+  done < "$ssh_key_file"
   chmod 600 authorized_keys
 }
-
-mount_root() {
-  cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root
-  mount /dev/mapper/root /mnt
-}