[feat] Add multi keys support

2021-04-11 16:29:58 +02:00 · 2021-04-11 16:29:58 +02:00 · 3227284322
commit 3227284322
parent c34c59ca82
6 changed files with 129 additions and 41 deletions
--- a/README.md
+++ b/README.md
@ -1,11 +1,13 @@
 # initrd_luks_pkcs

-### Acknowledgment
+## Acknowledgment
 It has been tested on a debian laptop and a mobian pinephone.
 The smartcard generation come from inspired by https://github.com/swoopla/smartcard-luks .
 The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/DebianOnMobile-team/osk-sdl.

-### The general steps:
+## Single key setup
+
+### General steps:
 * Erase and initialize card
 * Create public/private key pair on smartcard
 * Create key file and add it to a LUKS key slot
@ -13,7 +15,7 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
 * Modify initramfs to use smartcard to decrypt the encrypted keyfile
 * Modify decrypt_opensc script to swicth between smartcard and luks password and add osk-sdl support for touchscreen device

-### The details:
+### details:
 1. Install smartcard middleware

    ```sudo apt-get install pcscd opensc```
@ -62,14 +64,34 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian

 9. Install the cryptsetup script and the initramfs-tool hook

-    ```sudo cp decrypt_pkcs /lib/cryptsetup/script/ ```
+    ```sudo cp lib/cryptsetup/scripts/decrypt_pkcs /lib/cryptsetup/script/ ```

-    ```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ```
+    ```sudo cp etc/initramfs-tools/hooks/decrypt_pkcs /etc/initramfs-tools/hooks && sudo chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs ```
    
-    ```sudo cp decrypt_pkcs_default /etc/default/decrypt_pkcs ```
+    ```sudo cp etc/default/decrypt_pkcs /etc/default/ ```

    ```sudo update-initramfs -u```

 10. Test smartcard (without USB Key)

 11. Test LUKS Password (without Smartcard)
+
+## Multi keys setup
+
+The setup is quite the same except that you need to put all the key files in the expected format. 
+With the provided exemple config and script all keys must be stored in the `/etc/keys` folder with the following filename : `internal-${ENCODED_SERIAL}.enc` with `${ENCODED_SERIAL} the result of the following commands : 
+
+```
+pkcs15-tool -c 2>/dev/null  | awk '{ if ($1$2=="Encodedserial") {print $NF}}'
+```
+
+You need to modify the `/etc/default/decrypt_pkcs` and set `DECIPHER_MULTI` to `1`
+
+and copy the script in charge of selecting the right key file form initramfs : 
+
+    ```sudo mkdir -p /usr/share/decrypt_pkcs && sudo cp usr/share/decrypt_pkcs/pkcs15_get-key.sh /usr/share/decrypt_pkcs/ && sudo chmod +x /usr/share/decrypt_pkcs/pkcs15_get-key.sh ```
+
+Every time a new key is added, the initrd mus be regenerated : 
+
+    ```sudo update-initramfs -u```
+
--- a/27
+++ b/27
@ -1,27 +0,0 @@
-# Decrypt_PKCS initramfs configuration 
-
-# Smartcard presence test 
-SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
-SMARTCARD_PRESENCE_ARGS='-n'
-
-# PKCS decipher command default to pkcs15-crypt
-#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
-DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
-
-# PKCS decipher extra library (usefull with pkcs11 or custom command)
-# The initramfs hook will search in the multiarch default library path 
-# eg where the libc is stored and its subfolders.
-# Wildcard is allowed by using the find command
-DECIPHER_EXTRA_LIBS=
-
-# Define command parameters
-# DECIPHER_ARGS is followed by the data to decipher
-# DECIPHER_EXTRA_ARGS allow customization
-# DECIPHER_ASKPIN is followed by the PIN input from user
-# Default value for pkcs15-crypt 
-#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
-#DECIPHER_EXTRA_ARGS=
-#DECIPHER_ASK_PIN='--pin'
-DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
-DECIPHER_EXTRA_ARGS=
-DECIPHER_ASK_PIN='--pin'
--- a/etc/default/decrypt_pkcs
+++ b/etc/default/decrypt_pkcs
@ -0,0 +1,46 @@
+# Decrypt_PKCS initramfs configuration 
+
+# Smartcard presence test 
+#SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
+#SMARTCARD_PRESENCE_ARGS='-n'
+SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
+SMARTCARD_PRESENCE_ARGS='-n'
+
+# PKCS decipher command default to pkcs15-crypt
+#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
+DECIPHER_COMMAND=
+
+# PKCS decipher extra library (usefull with pkcs11 or custom command)
+# The initramfs hook will search in the multiarch default library path 
+# eg where the libc is stored and its subfolders.
+# Wildcard is allowed by using the find command
+DECIPHER_EXTRA_LIBS=
+
+# Define command parameters
+# DECIPHER_ARGS is followed by the data to decipher
+# DECIPHER_EXTRA_ARGS allow customization
+# DECIPHER_ASKPIN is followed by the PIN input from user
+# Default value for pkcs15-crypt 
+#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
+#DECIPHER_ASK_PIN='--pin'
+DECIPHER_ARGS=
+DECIPHER_ASK_PIN=
+
+# Support multiple key files
+# Default behaviour use the key file provided by crypttab 
+#DECIPHER_MULTI=0
+#DECIPHER_MULTI_FOLDER=
+#DECIPHER_MULTI_PATTERN=
+#DECIPHER_MULTI_SCRIPT=
+#DECIPHER_MULTI_SCRIPT_DEPENDS=
+DECIPHER_MULTI=0
+# The keys are in /etc/keys/internal-"$EncodedSerial".enc
+# The key file extension .enc is hardcoded
+DECIPHER_MULTI_FOLDER="/etc/keys"
+DECIPHER_MULTI_PATTERN="internal-"
+# This script should return the approriate encrypted file for the current token
+# It can export the $DECIPHER_EXTRA_ARGS to pass arguments to the decipher command
+# such as slot specification, id filter ...
+DECIPHER_MULTI_SCRIPT="/usr/share/decrypt_pkcs/pkcs15_get-key.sh"
+# Script dependancies included in the initramfs
+DECIPHER_MULTI_SCRIPT_DEPENDS="/usr/bin/pkcs15-tool"
--- a/etc/initramfs-tools/hooks/decrypt_pkcs
+++ b/etc/initramfs-tools/hooks/decrypt_pkcs
@ -30,6 +30,8 @@ fi
 DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
 SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}

+DECIPHER_MULTI=${DECIPHER_MULTI:-0}
+
 # Hooks for loading smartcard reading software into the initramfs
 copy_keys() {
    crypttab_parse_options
@ -46,9 +48,11 @@ copy_keys() {
 RV=0
 #copy default key
 crypttab_foreach_entry copy_keys
-#copy all users keys
-#mkdir -p "$DESTDIR/etc/keys"
-#cp /etc/keys/pass*.enc "$DESTDIR/etc/keys/"
+if [ $DECIPHER_MULTI = 1 ] ; then
+    #copy all keys
+    mkdir -p "$DESTDIR/${DECIPHER_MULTI_FOLDER}"
+    cp -t "$DESTDIR/${DECIPHER_MULTI_FOLDER}" "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}"*
+fi

 # Install directories needed by smartcard reading daemon, command, and
 # key-script
@ -72,4 +76,15 @@ copy_exec $DECIPHER_COMMAND
 cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
 cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs 

+# If Multi
+if [ $DECIPHER_MULTI = 1 ] ; then
+    mkdir -p $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}")
+    cp -t $DESTDIR/$(dirname "${DECIPHER_MULTI_SCRIPT}") "${DECIPHER_MULTI_SCRIPT}"
+    chmod +x $DESTDIR/"${DECIPHER_MULTI_SCRIPT}"
+    for bin in $DECIPHER_MULTI_SCRIPT_DEPENDS ; do
+        copy_exec $bin
+    done
+fi
+
+
 exit $RV
--- a/lib/cryptsetup/scripts/decrypt_pkcs
+++ b/lib/cryptsetup/scripts/decrypt_pkcs
@ -16,6 +16,7 @@ SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'}
 DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
 DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
 DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
+DECIPHER_MULTI=${DECIPHER_MULTI:-0}

 check_plymouth() {
    plymouth=0
@ -40,6 +41,16 @@ check_card() {
    fi
 }

+check_key() {
+    if [ $DECIPHER_MULTI = 1 ] ; then
+        temp=$($DECIPHER_MULTI_SCRIPT)
+        KEY=$(echo $temp | awk '{print $1}')
+        DECIPHER_EXTRA_ARGS=$(echo $temp | awk '{$1=""; print}')
+    else
+        KEY=$1 
+    fi
+}
+
 log_message() {
    if [ $plymouth = 1 ] ; then
        plymouth display-message --text="$@" 2>/dev/null
@ -105,27 +116,28 @@ if [ -b "/dev/mapper/${CRYPTTAB_NAME}" ] ; then
 fi

 wait_card
+check_key

 if [ $plymouth = 1 ] ; then
    if [ $osk_sdl = 1 ] ; then
 	# Get pin number from osk_sdl
 	plymouth hide-splash 2>/dev/null
-	${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
+	${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
 		$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
 	plymouth show-splash 2>/dev/null
    else
 	# Get pin number from plymouth
-	${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
-                $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
+	${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
+                $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME ($KEY): ")"
    fi
 else
    if [ $osk_sdl = 1 ] ; then
 	# Get pin number from osk_sdl
-	${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
+	${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS \
 		$DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
    else
 	# Get pin number from console
-	${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
+	${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
    fi
 fi

--- a/usr/share/decrypt_pkcs/pkcs15_get-key.sh
+++ b/usr/share/decrypt_pkcs/pkcs15_get-key.sh
@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /etc/default/decrypt_pkcs
+
+
+pkcs15-tool -c 2>/dev/null \
+ | awk '{ if ($1=="ID") 
+           {nline++ ; printf $NF" "} 
+         else if ($1=="Encoded" && $2=="serial")
+           {print $NF}}' \
+ | while read id serial ; do
+    if [ -f "${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc" ] ; then
+        export key="${DECIPHER_MULTI_FOLDER}/${DECIPHER_MULTI_PATTERN}${serial}.enc"
+        export arg="-k ${id}"
+	echo ${key} ${arg}
+        exit 0
+    fi
+  done 
+exit 1
+