nixos: initrd/luks: simplify Yubikey handling code

From reading the source I'm pretty sure it doesn't support multiple Yubikeys, hence
those options are useless.

Also, I'm pretty sure nobody actually uses this feature, because enabling it causes
extra utils' checks to fail (even before applying any patches of this branch).

As I don't have the hardware to test this, I'm too lazy to fix the utils, but
I did test that with extra utils checks commented out and Yubikey
enabled the resulting script still passes the syntax check.
This commit is contained in:
Jan Malakhovski 2018-06-10 20:18:21 +00:00
parent a9d69a74d6
commit c35917e330


@ -75,9 +75,13 @@ let
# Warning: Do NOT replace with tmpfs! # Warning: Do NOT replace with tmpfs!
mkdir -p /crypt-ramfs mkdir -p /crypt-ramfs
mount -t ramfs none /crypt-ramfs mount -t ramfs none /crypt-ramfs
# For Yubikey salt storage
mkdir -p /crypt-storage
''; '';
postCommands = '' postCommands = ''
umount /crypt-storage 2>/dev/null
umount /crypt-ramfs 2>/dev/null umount /crypt-ramfs 2>/dev/null
''; '';
@ -184,11 +188,11 @@ let
local new_response local new_response
local new_k_luks local new_k_luks
mkdir -p ${yubikey.storage.mountPoint} mount -t ${yubikey.storage.fsType} ${yubikey.storage.device} /crypt-storage || \
mount -t ${yubikey.storage.fsType} ${toString yubikey.storage.device} ${yubikey.storage.mountPoint} die "Failed to mount Yubikey salt storage device"
salt="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path} | sed -n 1p | tr -d '\n')" salt="$(cat /crypt-storage${yubikey.storage.path} | sed -n 1p | tr -d '\n')"
iterations="$(cat ${yubikey.storage.mountPoint}${yubikey.storage.path} | sed -n 2p | tr -d '\n')" iterations="$(cat /crypt-storage${yubikey.storage.path} | sed -n 2p | tr -d '\n')"
challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)" challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
response="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)" response="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
@ -216,10 +220,7 @@ let
fi fi
done done
if [ "$opened" == false ]; then [ "$opened" == false ] && die "Maximum authentication errors reached"
umount ${yubikey.storage.mountPoint}
die "Maximum authentication errors reached"
fi
echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..." echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..."
for i in $(seq ${toString yubikey.saltLength}); do for i in $(seq ${toString yubikey.saltLength}); do
@ -244,26 +245,17 @@ let
new_k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)" new_k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
fi fi
mkdir -p ${yubikey.ramfsMountPoint} echo -n "$new_k_luks" | hextorb > /crypt-ramfs/new_key
# A ramfs is used here to ensure that the file used to update echo -n "$k_luks" | hextorb | ${cschange} --key-file=- /crypt-ramfs/new_key
# the key slot with cryptsetup will never get swapped out.
# Warning: Do NOT replace with tmpfs!
mount -t ramfs none ${yubikey.ramfsMountPoint}
echo -n "$new_k_luks" | hextorb > ${yubikey.ramfsMountPoint}/new_key
echo -n "$k_luks" | hextorb | ${cschange} --key-file=- ${yubikey.ramfsMountPoint}/new_key
if [ $? == 0 ]; then if [ $? == 0 ]; then
echo -ne "$new_salt\n$new_iterations" > ${yubikey.storage.mountPoint}${yubikey.storage.path} echo -ne "$new_salt\n$new_iterations" > /crypt-storage${yubikey.storage.path}
else else
echo "Warning: Could not update LUKS key, current challenge persists!" echo "Warning: Could not update LUKS key, current challenge persists!"
fi fi
rm -f ${yubikey.ramfsMountPoint}/new_key rm -f /crypt-ramfs/new_key
umount ${yubikey.ramfsMountPoint} umount /crypt-storage
rm -rf ${yubikey.ramfsMountPoint}
umount ${yubikey.storage.mountPoint}
} }
open_yubikey() { open_yubikey() {
@ -506,12 +498,6 @@ in
description = "Time in seconds to wait for the Yubikey."; description = "Time in seconds to wait for the Yubikey.";
}; };
ramfsMountPoint = mkOption {
default = "/crypt-ramfs";
type = types.str;
description = "Path where the ramfs used to update the LUKS key will be mounted during early boot.";
};
/* TODO: Add to the documentation of the current module: /* TODO: Add to the documentation of the current module:
Options related to the storing the salt. Options related to the storing the salt.
@ -532,12 +518,6 @@ in
description = "The filesystem of the unencrypted device."; description = "The filesystem of the unencrypted device.";
}; };
mountPoint = mkOption {
default = "/crypt-storage";
type = types.str;
description = "Path where the unencrypted device will be mounted during early boot.";
};
path = mkOption { path = mkOption {
default = "/crypt-storage/default"; default = "/crypt-storage/default";
type = types.str; type = types.str;
@ -550,8 +530,8 @@ in
}; };
}); });
}; };
};
}; })); }));
}; };
boot.initrd.luks.yubikeySupport = mkOption { boot.initrd.luks.yubikeySupport = mkOption {
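Review bot: In the @ -216 hunk the rewritten failure branch `[ "$opened" == false ] && die "Maximum authentication errors reached"` drops the `umount` the old branch performed before dying, so on the max-errors path the unencrypted salt device stays mounted at /crypt-storage from inside the function; the new `postCommands` does run `umount /crypt-storage 2>/dev/null`, but whether `die` reaches postCommands is not visible in this diff, and in the old code the explicit umount was evidently considered necessary. Keeping the cleanup local to the function is the safer shape: `[ "$opened" == false ] && { umount /crypt-storage; die "Maximum authentication errors reached"; }`. The mount-failure path added in the @ -184 hunk (`mount ... || die "Failed to mount Yubikey salt storage device"`) is a behaviour change from the old unchecked `mkdir`/`mount`, and is worth a line in the commit message since it turns a previously silent misconfiguration into an abort. The function containing these hunks starts and ends outside them.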