added guest_api and rewrote it based on new spec

2024-11-24 03:39:33 +02:00 · 2024-11-24 03:39:33 +02:00 · e212e9a99c
commit e212e9a99c
parent 0a2b4ce89d
9 changed files with 2973 additions and 70 deletions
--- a/dtrfs_api/Cargo.lock
+++ b/dtrfs_api/Cargo.lock
--- a/dtrfs_api/Cargo.toml
+++ b/dtrfs_api/Cargo.toml
@ -0,0 +1,18 @@
+[package]
+name = "dtrfs_api"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = "1.0.93"
+base64 = "0.22.1"
+bincode = "1.3.3"
+regex = "1.11.1"
+sev = { version = "4.0", default-features = false, features = ['crypto_nossl','snp'] }
+ed25519-dalek = { version = "2.1.1", features = ["pem", "pkcs8"] }
+lazy_static = "1.5.0"
+actix-web = { version = "4.9.0", features = ["rustls-0_23"] }
+sha3 = "0.10.8"
+rustls = "0.23.18"
+rustls-pemfile = "2.2.0"
+serde = { version = "1.0.215", features = ["derive"] }
--- a/dtrfs_api/install_os.sh
+++ b/dtrfs_api/install_os.sh
@ -0,0 +1,60 @@
+#!/bin/bash
+
+# This script is called by dtrfs_api to install an OS.
+
+[[ -z "$INSTALL_URL" ]] || {
+  echo "Did not find INSTALL_URL env variable".
+  exit 1
+}
+
+[[ -z "$INSTALL_URL" ]] || {
+  echo "Did not find INSTALL_SHA env variable".
+  exit 2
+}
+
+[[ -f "$ROOT_KEYFILE" ]] || {
+  echo "Did not find keyfile at the following location: $ROOT_KEYFILE"
+  exit 3
+}
+
+# mount root if it exists
+blkid | grep vda1 | grep LUKS && {
+  echo "/dev/vda1 already has a LUKS partition"
+  exit 4
+}
+
+echo === Creating partition /dev/vda1
+(
+  echo n
+  echo p
+  echo 
+  echo 
+  echo 
+  echo w
+) | fdisk /dev/vda
+echo "=== Formatting /dev/vda1 using cryptsetup luksFormat and opening as root"
+cryptsetup luksFormat --batch-mode -d $root_keyfile /dev/vda1
+[[ -f "$SNP_KEY_FILE" ]] && {
+  echo "Adding LUKS slot via SNP KDF key found at $SNP_KEY_FILE"
+  cryptsetup luksAddKey \             
+    --key-file $ROOT_KEYFILE \        
+    --new-keyfile $SNP_KEY_FILE /dev/vda1
+}
+cryptsetup open -d $ROOT_KEYFILE /dev/vda1 root
+echo "=== Formatting /dev/mapper/root as ext4 and mounting at /mnt"
+mkfs.ext4 /dev/mapper/root
+mount /dev/mapper/root /mnt
+echo "=== Downloading OS template from $INSTALL_URL and verifying hash"
+wget -O /mnt/template.fsa "$INSTALL_URL" || {
+  echo "Failed to download $INSTALL_URL"
+  exit 5
+}
+sha256sum /mnt/template.fsa | grep $(cat ${INSTALL_SHA}) || exit 1
+echo "=== Installing OS template"
+fsarchiver restdir /mnt/template.fsa /
+rm /mnt/template.fsa
+# TODO: decide for UX if maybe we should allow user to inject fstab
+echo "" > /mnt/etc/fstab
+hostname=$(cat /proc/cmdline | grep -oE 'detee_name=[0-9a-z\_\.\-]+' | cut -d '=' -f2)
+echo "=== Setting up guest hostname as $hostname"
+[[ -n "$hostname" ]] && echo $hostname > /mnt/etc/hostname
--- a/dtrfs_api/rustfmt.toml
+++ b/dtrfs_api/rustfmt.toml
@ -0,0 +1,3 @@
+reorder_impl_items = true
+use_small_heuristics = "Max"
+merge_imports = true
--- a/dtrfs_api/src/main.rs
+++ b/dtrfs_api/src/main.rs
@ -0,0 +1,197 @@
+mod os;
+mod snp;
+
+use actix_web::{get, post, web, App, HttpRequest, HttpResponse, HttpServer};
+use base64::prelude::{Engine, BASE64_URL_SAFE};
+use ed25519_dalek::{pkcs8::DecodePublicKey, Signature, Verifier, VerifyingKey};
+use lazy_static::lazy_static;
+use regex::Regex;
+use rustls::{pki_types::PrivateKeyDer, ServerConfig};
+use rustls_pemfile::{certs, pkcs8_private_keys};
+use serde::Deserialize;
+use sha3::{Digest, Sha3_512};
+use std::{
+    fs::File,
+    io::{BufReader, Read},
+};
+
+const CRT_FILE: &str = "/tmp/certs/guest_api.crt";
+const KEY_FILE: &str = "/tmp/certs/guest_api.key";
+const CMDLINE_FILE: &str = "/proc/cmdline";
+
+lazy_static! {
+    static ref SNP_REPORT: String = snp::get_report_as_base64(get_cert_hash()).unwrap();
+    static ref CRT_CONTENTS: String = {
+        let mut msg = String::new();
+        let _ = BufReader::new(File::open(CRT_FILE).unwrap()).read_to_string(&mut msg);
+        msg
+    };
+    static ref CMDLINE: String = {
+        let mut cmdline = String::new();
+        let _ = BufReader::new(File::open(CMDLINE_FILE).unwrap()).read_to_string(&mut cmdline);
+        cmdline
+    };
+}
+
+fn get_cert_hash() -> [u8; 64] {
+    let mut hasher = Sha3_512::new();
+    let crt = File::open(CRT_FILE).expect("Could not open crt file.");
+    let mut buf_reader = BufReader::new(crt);
+    let mut buffer = Vec::new();
+    buf_reader.read_to_end(&mut buffer).expect("Could not read certificate.");
+    hasher.update(buffer);
+    let crt_hash = hasher.finalize();
+    crt_hash.into()
+}
+
+fn verifying_key() -> Result<VerifyingKey, Box<dyn std::error::Error>> {
+    let re = Regex::new(r"detee_admin=([A-Za-z0-9+/=]+)").unwrap();
+    let key_str = re.find(&CMDLINE).map(|m| m.as_str()).unwrap_or("");
+    let key_pem = format!(
+        "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----\n",
+        key_str.strip_prefix("detee_admin=").ok_or("Could not get admin key from cmdline")?
+    );
+    Ok(VerifyingKey::from_public_key_pem(&key_pem)?)
+}
+
+fn verify(req: &HttpRequest) -> Result<(), Box<dyn std::error::Error>> {
+    let signature = req
+        .headers()
+        .get("ed25519-signature")
+        .ok_or_else(|| "Did not find ed25519-signature header")?;
+
+    let signature: &[u8] = &BASE64_URL_SAFE.decode(signature)?;
+    let signature = Signature::from_bytes(signature.try_into()?);
+    let verifying_key = verifying_key()?;
+    Ok(verifying_key.verify(CRT_CONTENTS.as_bytes(), &signature)?)
+}
+
+#[get("/")]
+async fn homepage() -> HttpResponse {
+    let mut text: String = "Available commands:\n".to_string();
+    text += "GET: /report /ssh_key\n";
+    text += "POST: /install /decrypt /switch_root /ssh_key\n";
+    text += "\nAll requests require the ed25519-signature header";
+    HttpResponse::Ok().body(text)
+}
+
+#[get("/report")]
+async fn get_report() -> HttpResponse {
+    HttpResponse::Ok().body(SNP_REPORT.clone())
+}
+
+#[derive(Deserialize)]
+struct InstallForm {
+    url: String,
+    sha: String,
+    keyfile: String,
+}
+
+// TODO: QA this function to make sure we don't accidentally allow empty string keyfile
+#[post("/install")]
+async fn post_install_form(req: HttpRequest, form: web::Form<InstallForm>) -> HttpResponse {
+    if let Err(e) = verify(&req) {
+        return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
+    };
+    match os::encrypt_and_install_os(&form.url, &form.sha, &form.keyfile) {
+        Ok(()) => HttpResponse::Ok().body("Successfully installed OS"),
+        Err(e) => HttpResponse::BadRequest().body(format!("{e:?}")),
+    }
+}
+
+#[derive(Deserialize)]
+struct DecryptForm {
+    keyfile: String,
+}
+
+// TODO: QA this function to make sure we don't accidentally allow empty string keyfile
+#[post("/decrypt")]
+async fn post_decrypt_form(req: HttpRequest, form: web::Form<DecryptForm>) -> HttpResponse {
+    if let Err(e) = verify(&req) {
+        return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
+    };
+    let decrypt_result = os::try_backup_keyfile(&form.keyfile);
+    if let Err(decryption_error) = decrypt_result {
+        return HttpResponse::BadRequest()
+            .body(format!("Could not decrypt root: {decryption_error:?}"));
+    }
+    let hot_key_result = os::replace_hot_keyfile();
+    HttpResponse::Ok().body(format!("{:?}\n{:?}", decrypt_result, hot_key_result))
+}
+
+#[post("/switch_root")]
+async fn post_process_exit(req: HttpRequest) -> HttpResponse {
+    if let Err(e) = verify(&req) {
+        return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
+    };
+    std::process::exit(0);
+}
+
+#[derive(Deserialize)]
+struct SSHKeyForm {
+    ssh_key: String,
+}
+
+#[get("/ssh_key")]
+async fn get_ssh_keys(req: HttpRequest) -> HttpResponse {
+    if let Err(e) = verify(&req) {
+        return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
+    };
+    match os::list_ssh_keys() {
+        Ok(keys) => HttpResponse::Ok().body(keys),
+        Err(e) => HttpResponse::BadRequest().body(format!("{e:?}")),
+    }
+}
+
+#[post("/ssh_key")]
+async fn post_ssh_key(req: HttpRequest, form: web::Form<SSHKeyForm>) -> HttpResponse {
+    if let Err(e) = verify(&req) {
+        return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
+    };
+    let ssh_key = &form.ssh_key;
+    match os::add_ssh_key(ssh_key) {
+        Ok(()) => HttpResponse::Ok().body("Key added to authorized_keys"),
+        Err(e) => HttpResponse::BadRequest().body(format!("{e:?}")),
+    }
+}
+
+fn load_rustls_config() -> rustls::ServerConfig {
+    rustls::crypto::aws_lc_rs::default_provider().install_default().unwrap();
+
+    let config = ServerConfig::builder().with_no_client_auth();
+
+    let cert_file = &mut BufReader::new(File::open(CRT_FILE).unwrap());
+    let key_file = &mut BufReader::new(File::open(KEY_FILE).unwrap());
+
+    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
+    let mut keys = pkcs8_private_keys(key_file)
+        .map(|key| key.map(PrivateKeyDer::Pkcs8))
+        .collect::<Result<Vec<_>, _>>()
+        .unwrap();
+
+    if keys.is_empty() {
+        eprintln!("Could not locate PKCS 8 private keys.");
+        std::process::exit(1);
+    }
+
+    config.with_single_cert(cert_chain, keys.remove(0)).unwrap()
+}
+
+#[actix_web::main]
+async fn main() -> std::io::Result<()> {
+    os::try_hot_keyfile().unwrap();
+    let config = load_rustls_config();
+    HttpServer::new(|| {
+        App::new()
+            .service(post_install_form)
+            .service(post_decrypt_form)
+            .service(post_process_exit)
+            .service(post_ssh_key)
+            .service(get_ssh_keys)
+            .service(get_report)
+            .service(homepage)
+    })
+    .bind_rustls_0_23("[::]:8443", config)?
+    .run()
+    .await
+}
--- a/dtrfs_api/src/os.rs
+++ b/dtrfs_api/src/os.rs
@ -0,0 +1,135 @@
+use crate::snp::get_derived_key;
+use anyhow::{anyhow, Result};
+use base64::prelude::{Engine, BASE64_URL_SAFE};
+use std::{
+    fs::File,
+    io::{BufRead, BufReader, Write},
+    path::Path,
+    process::Command,
+};
+
+const SNP_KEYFILE_PATH: &str = "/tmp/detee_snp_keyfile";
+const BACKUP_KEYFILE_PATH: &str = "/tmp/detee_backup_keyfile";
+
+pub fn encrypt_and_install_os(install_url: &str, install_sha: &str, keyfile: &str) -> Result<()> {
+    let binary_keyfile = BASE64_URL_SAFE.decode(keyfile)?;
+    std::fs::write(BACKUP_KEYFILE_PATH, binary_keyfile)?;
+    let install_result = Command::new("install_os.sh")
+        .env("INSTALL_URL", install_url)
+        .env("INSTALL_SHA", install_sha)
+        .env("SNP_KEY_FILE", SNP_KEYFILE_PATH)
+        .env("ROOT_KEYFILE", BACKUP_KEYFILE_PATH)
+        .output()?;
+
+    if !install_result.status.success() {
+        return Err(anyhow!(
+            "Could not install OS.\nstdout:{:?}\nstderr:\n{:?}",
+            install_result.stdout,
+            install_result.stderr
+        ));
+    }
+
+    Ok(())
+}
+
+pub fn try_hot_keyfile() -> Result<()> {
+    let hot_key = get_derived_key()?;
+    std::fs::write(SNP_KEYFILE_PATH, hot_key)?;
+    decrypt_and_mount(SNP_KEYFILE_PATH)?;
+    Ok(())
+}
+
+pub fn try_backup_keyfile(keyfile: &str) -> Result<String> {
+    let binary_keyfile = BASE64_URL_SAFE.decode(keyfile)?;
+    std::fs::write(BACKUP_KEYFILE_PATH, binary_keyfile)?;
+    decrypt_and_mount(BACKUP_KEYFILE_PATH)?;
+    Ok("Succesfully mounted /mnt using backup keyfile.".to_string())
+}
+
+pub fn replace_hot_keyfile() -> Result<String> {
+    let _delete_old_keyfile = Command::new("cryptsetup")
+        .arg("luksKillSlot")
+        .arg("-d")
+        .arg(BACKUP_KEYFILE_PATH)
+        .arg("/dev/vda1")
+        .arg("1")
+        .output();
+
+    let meta = std::fs::metadata(SNP_KEYFILE_PATH)?;
+    if meta.len() == 0 {
+        return Err(anyhow!("Could not replace hot keyfile using SNP KDF."));
+    }
+
+    let _add_hot_keyfile = Command::new("cryptsetup")
+        .arg("luksAddKey")
+        .arg("--key-file")
+        .arg(BACKUP_KEYFILE_PATH)
+        .arg("--new-keyfile")
+        .arg(SNP_KEYFILE_PATH)
+        .arg("/dev/vda1")
+        .output();
+
+    Ok("Succesfully replaced hot keyfile using SNP KDF.".to_string())
+}
+
+fn decrypt_and_mount(keyfile_path: &str) -> Result<()> {
+    let decryption_result = Command::new("cryptsetup")
+        .arg("open")
+        .arg("--key-file")
+        .arg(keyfile_path)
+        .arg("/dev/vda1")
+        .arg("root")
+        .output()?;
+    if !decryption_result.status.success() {
+        return Err(anyhow!("Could not decrypt disk."));
+    }
+    let mount_result = Command::new("mount").arg("/dev/mapper/root").arg("/mnt").output()?;
+    if !mount_result.status.success() {
+        return Err(anyhow!("Could not mount /dev/mapper/root to /mnt"));
+    }
+    Ok(())
+}
+
+pub fn add_ssh_key(key: &str) -> Result<()> {
+    use std::os::unix::fs::PermissionsExt;
+    if !Path::new("/mnt/etc/os-release").try_exists().is_ok_and(|found| found == true) {
+        return Err(anyhow!(
+            "Operating system not mounted. Please install OS or decrypt existing OS."
+        ));
+    }
+
+    let encoded_key: Vec<&str> = key.split(" ").collect();
+    if encoded_key.len() < 2 {
+        return Err(anyhow!("Supplied key is expected to have at least two words."));
+    }
+    if let Ok(keys) = File::open("/mnt/.ssh/authorized_keys") {
+        let mut buffered = BufReader::new(keys).lines();
+        while let Some(Ok(k)) = buffered.next() {
+            if k.contains(encoded_key[1]) {
+                return Err(anyhow!("authorized_keys already contains {key}"));
+            }
+        }
+    } else {
+        std::fs::create_dir_all("/mnt/root/.ssh")?;
+        let permissions = std::fs::Permissions::from_mode(0o700);
+        std::fs::set_permissions("/mnt/root/.ssh", permissions)?;
+        std::fs::OpenOptions::new()
+            .create(true)
+            .write(true)
+            .open("/mnt/root/.ssh/authorized_keys")?;
+        let permissions = std::fs::Permissions::from_mode(0o600);
+        std::fs::set_permissions("/mnt/root/.ssh/authorized_keys", permissions)?;
+    }
+
+    let mut keys_file = std::fs::OpenOptions::new()
+        .append(true) // Open in append mode
+        .create(true) // Create the file if it doesn't exist
+        .open("/mnt/root/.ssh/authorized_keys")?;
+    writeln!(keys_file, "{key}")?;
+
+    Ok(())
+}
+
+pub fn list_ssh_keys() -> Result<String> {
+    Ok(std::fs::read_to_string("/mnt/root/.ssh/authorized_keys")?)
+}
--- a/dtrfs_api/src/snp.rs
+++ b/dtrfs_api/src/snp.rs
@ -0,0 +1,21 @@
+use anyhow::{Context, Result};
+use sev::firmware::guest::{AttestationReport, DerivedKey, Firmware, GuestFieldSelect};
+use base64::prelude::{Engine, BASE64_URL_SAFE};
+
+fn request_hardware_report(data: [u8; 64]) -> Result<AttestationReport> {
+    let mut fw = Firmware::open().context("unable to open /dev/sev-guest")?;
+    fw.get_report(None, Some(data), Some(0)).context("unable to fetch attestation report")
+}
+
+pub fn get_report_as_base64(data: [u8; 64]) -> Result<String> {
+    let report = request_hardware_report(data)?;
+    Ok(BASE64_URL_SAFE.encode(bincode::serialize(&report)?))
+}
+
+pub fn get_derived_key() -> Result<String> {
+    let mut fw = Firmware::open()?;
+    let request =
+        DerivedKey::new(false, GuestFieldSelect(u64::from_str_radix("11111", 2)?), 1, 0, 0);
+    let derived_key: [u8; 32] = fw.get_derived_key(None, request)?;
+    Ok(BASE64_URL_SAFE.encode(derived_key))
+}
--- a/scripts/init.sh
+++ b/scripts/init.sh
@ -14,28 +14,11 @@ setup_network
 # load this module again cause it fails the first time
 modprobe sev_guest

-snp_key="$(GET_DERIVATION_KEY=yes guest_api)"
-[[ -n $snp_key ]] && echo $snp_key > $snp_key_file
-
-try_hot_decrypt || {
-  create_certs
-  guest_api
-  if [[ -f "$install_url" ]]; then 
-    install_os
-  else
-    cryptsetup open -d $root_keyfile /dev/vda1 root
-    mount /dev/mapper/root /mnt
-  fi
-  cryptsetup luksKillSlot -d $root_keyfile /dev/vda1 1
-  [[ -f "$snp_key_file" ]] && cryptsetup luksAddKey \
-    --key-file $root_keyfile \
-    --new-keyfile $snp_key_file /dev/vda1
-}
+dtrfs_api

 github_ssh_key
-detee_ssh_key
-
 cp /etc/resolv.conf /mnt/etc/resolv.conf
+
 # copy kernel modules in case the user deleted the old modules
 mkdir -p /mnt/lib/modules/
 cp -rn /lib/modules/* /mnt/lib/modules/
--- a/scripts/init_functions.sh
+++ b/scripts/init_functions.sh
@ -1,13 +1,5 @@
 #!/bin/bash

-echo_blue() {
-  echo -e "\033[34m$1\033[0m"
-}
-
-echo_red() {
-  echo -e "\033[0;31m$1\033[0m"
-}
-
 load_modules() {
  cat /load_modules.sh | bash
 }
@ -76,36 +68,6 @@ setup_network() {
  ping -c 2 $gateway
 }

-install_os() {
-  local url="$(cat $install_url)" hostname=''
-  # mount root if it exists
-  blkid | grep vda1 | grep LUKS && {
-    cryptsetup open -d $root_keyfile /dev/vda1 root
-    mount /dev/mapper/root /mnt
-    return 0
-  }
-  # install OS if disk is empty
-  (
-    echo n
-    echo p
-    echo 
-    echo 
-    echo 
-    echo w
-  ) | fdisk /dev/vda
-  cryptsetup luksFormat --batch-mode -d $root_keyfile /dev/vda1
-  cryptsetup open -d $root_keyfile /dev/vda1 root
-  mkfs.ext4 /dev/mapper/root
-  mount /dev/mapper/root /mnt
-  wget -O /mnt/template.fsa "$url"
-  sha256sum /mnt/template.fsa | grep $(cat ${install_sha}) || exit 1
-  fsarchiver restdir /mnt/template.fsa /
-  rm /mnt/template.fsa
-  # TODO: decide for UX if maybe we should allow user to inject fstab
-  echo "" > /mnt/etc/fstab
-  hostname=$(cat /proc/cmdline | grep -oE 'detee_name=[0-9a-z\_\.\-]+' | cut -d '=' -f2)
-  [[ -n "$hostname" ]] && echo $hostname > /mnt/etc/hostname
-}

 # detee_ghu stands for GitHub user and expects format detee_ghu=ghe0
 github_ssh_key() {
@ -121,16 +83,3 @@ github_ssh_key() {
    chmod 600 authorized_keys
  }
 }
-
-# this can be injected through the guest_api
-detee_ssh_key() {
-  local key=''
-  mkdir -p /mnt/root/.ssh
-  cd /mnt/root/.ssh
-  [[ -f "$ssh_key_file" ]] && while read -r key; do
-    grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys > /dev/null || {
-      echo "$key" >> authorized_keys
-    }
-  done < "$ssh_key_file"
-  chmod 600 authorized_keys
-}