Commit Graph

65 Commits

Author SHA1 Message Date
43800cdc6e Initial implementation of keyring
Keyring is an encrypted file to store secrets. The encryption key is
derived from the disk decryption passphrase so that the file can be
automatically decrypted and processed during boot.

The keys contained in the keyring file are loaded into the kernel key
store so that they can later be retrieved by other components.

Currenly during installation a signing key is generated and stored in
the keyring so that the system can transparently sign RealmFS images
when the user modifies or updates them.
2019-02-02 20:42:42 -05:00
0e1a06ae7f goodbye Ring hello sodiumoxide 2019-02-02 20:33:50 -05:00
28401b589e move /run/realms to /run/citadel/realms 2019-01-30 23:36:43 -05:00
d3ac4bb000 small cleanup 2019-01-30 21:43:55 -05:00
2dc32d1f20 Refactor multiple tools into a single binary.
citadel-tool now installed with a hardlink for each binary tool and
dispatches on the exe path to the tool implementation. This makes
the build faster, uses less disk space, and makes it easier to
create new small tools.
2019-01-30 21:31:13 -05:00
dbdf0d4035 added bless and install commands 2019-01-30 14:27:50 -05:00
e7151f8de2 Initial implementation of RealmFS 2019-01-30 14:26:46 -05:00
884d056420 refactor for realmfs implementation 2019-01-30 14:21:54 -05:00
e5d0b7f6f2 installer refactored to support RealmFS 2019-01-30 14:15:44 -05:00
a0d39431e8 bless method added to mark partition which has booted successfully 2019-01-30 14:13:24 -05:00
c00e11ee8f rootfs symlink is created when realm is started so remove this check 2019-01-30 14:12:37 -05:00
55b08fb683 decompress images in parallel by spawning a thread for each one 2019-01-30 14:11:30 -05:00
0b2480f849 Refactor to chain realm specific config to global config
Now if a variable is not set in a realm config file (or the file does
not exist), the 'global' config file will also be searched in the
parent directory (ie: /storage/realms/config). If the variable is
still not found, the value from the default instance is returned.
2019-01-30 14:09:34 -05:00
6215b58167 realmfs-owner is name of realm that can write to unsealed realm 2019-01-30 14:06:18 -05:00
191b580440 refactor verity module to work on images without removing header first 2019-01-30 14:05:11 -05:00
e7e75061a1 Everything optional except 'image-type' now. Also removed a couple fields.
When a RealmFS image is not sealed it has a very simple header and
doesn't use most of the metainfo fields.
2019-01-29 13:53:22 -05:00
d23e488aaa method to write header to a path 2019-01-29 13:42:17 -05:00
322fa97f6a add 'realmfs-name' as a potential metainfo field 2019-01-29 13:41:50 -05:00
c13fb5fb61 method to clear signature field 2019-01-29 13:39:30 -05:00
0299d2814f function added to also find mounts by target path 2019-01-29 11:56:56 -05:00
41708c870e Added option to enable sealed realmfs images from kernel command line 2019-01-29 11:51:24 -05:00
3782668514 Refactor how images are built to support realmfs images
Main change in building images is that an empty 4096 byte block is
prepended to raw image before compression so that upon decompression
the header can be written without having to shuffle around decompressed
image.
2019-01-29 11:50:10 -05:00
e4665f3f5c function to test for valid names of things 2019-01-29 11:42:27 -05:00
f5bf92f488 function for piping section of a file to a command
This makes it possible to calculate sha256sum in place on an image file
which has both a header and an appended dm-verity tree. Before this
required a message process of extracting the body into a temporary file.
2019-01-29 11:40:20 -05:00
ff115e6005 Put everything into a single workspace 2019-01-17 11:03:37 -05:00
c864e58f6d external crate declarations no longer needed 2019-01-17 09:39:06 -05:00
b258604fd0 Updated everything for Rust 2018 with cargo fix --edition 2019-01-17 09:25:24 -05:00
928e8cc41c pass arguments when installing rootfs to partitions 2019-01-17 09:11:50 -05:00
29f487a16e set PREFER_BOOT flag by default when installing a rootfs partition 2019-01-17 09:11:18 -05:00
d244c07483 refactor boot selection algorithm 2019-01-17 09:10:28 -05:00
8f8cbab72f refactor partition signature verification 2019-01-17 09:05:53 -05:00
72b7af4f2d Separate errors for no public key and signature verify failure 2019-01-17 09:04:35 -05:00
ad29d58413 Split signature verification into two steps: get pubkey, verify 2019-01-17 09:02:57 -05:00
0f4b319ea1 added a couple of information messages 2019-01-15 16:59:12 -05:00
4f603cf4d4 add two flags to install-rootfs, --just-choose and --skip-sha
--just-choose will print information about which partition would be
chosen to install a rootfs image.

--skip-sha will avoid checking the sha256 sum of the image file. This
is mainly meant for use by the installer since the sum has already
been confirmed
2019-01-15 16:56:03 -05:00
851da8a98c sort partitions by path 2019-01-15 16:53:39 -05:00
91530279cf Rename target to image_data, make compression optional 2019-01-15 09:38:42 -05:00
41179a720d Add an option to choose to build a compressed image or not 2019-01-15 09:37:40 -05:00
6e5ec2ec1b Update ring dependency to latest 13.x version 2019-01-15 09:22:57 -05:00
26cdaed973 Don't use /etc/citadel-channel anymore 2019-01-15 09:22:22 -05:00
bda6410d7b Use new timestamp metainfo field to compare images with same version. 2019-01-07 19:00:02 -05:00
da0922c29d Add mandatory timestamp field to image metainfo 2019-01-07 18:59:21 -05:00
8e341d6005 Mount tmpfs overlay over rootfs if citadel.overlay is set 2019-01-06 18:15:44 -05:00
96429ed4c7 remove old comment information 2019-01-06 18:06:42 -05:00
db820aff68 Rename modules image to kernel image and add some extra metadata 2019-01-06 18:05:05 -05:00
c992b32946 Use $PATH lookup for xz and sha256sum when building image 2019-01-05 20:40:07 -05:00
c580d784ff calculate image shasum 2019-01-05 20:39:17 -05:00
dc9a49fd8a Clean up keys api 2019-01-05 20:38:57 -05:00
b59188311d Don't pass config file around, it's a lazy_static now 2019-01-05 20:34:22 -05:00
434c19433e enable signature verification by default 2019-01-05 20:25:28 -05:00