Commit 7848d9d1 authored by Arie Peterson's avatar Arie Peterson 🐚

Destroy all keyslots before zeroing luks header

On selfdestruct, first destroy all active keyslots through the
cryptsetup library, before zeroing the luks header.

Also take a factor two safety margin when zeroing the luks header,
and halt the machine (instead of rebooting) after selfdestruct.
parent 692f6ed2
/**
* Destroy all active keyslots.
* @param[in] request incoming HTTP request
* @param[out] response HTTP response to the request
* @param[in] user_data extra data to pass between handler and main thread
* @return internal status code
*/
int destroy_active_keyslots()
{
int r;
// Initialise encrypted container.
struct crypt_device * cd = NULL;
r = container_initialise(&cd, DATA_PARTITION_DEVICE, true);
if (r < 0)
{
crypt_free(cd);
}
if (r != 0)
{
return r;
}
// Determine number of keyslots.
int keyslot_max = crypt_keyslot_max(CRYPT_LUKS1);
int result = 0;
if (keyslot_max >= 0)
{
// Destroy all active keyslots.
int i;
crypt_keyslot_info ki;
for (i = 0; i < keyslot_max; i++)
{
ki = crypt_keyslot_status(cd, i);
if (ki == CRYPT_SLOT_ACTIVE || ki == CRYPT_SLOT_ACTIVE_LAST)
{
r = crypt_keyslot_destroy(cd, i);
if (r == 0)
{
y_log_message(Y_LOG_LEVEL_DEBUG,
"keyslot destroyed succesfully");
}
else
{
y_log_message(Y_LOG_LEVEL_ERROR,
"failed to destroy keyslot");
result = 1;
}
}
}
}
return result;
}
/**
* Callback function for destroying the data on an encrypted device.
* It does so by overwriting the luks header and keyslots with zeroes.
* It does so by destroying all active keyslots.
* Also, as an extra safety measure, it then overwrites the luks header and
* keyslot area with zeroes.
* See https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions:
* 5.4 How do I securely erase a LUKS (or other) partition?
* @param[in] request incoming HTTP request
......@@ -11,15 +68,20 @@
int callback_encryption_selfdestruct_post(const struct _u_request * request,
struct _u_response * response, void * user_data)
{
bool * reboot = (bool *)user_data;
bool * shutdown = (bool *)user_data;
int r;
destroy_active_keyslots();
// Overwrite start of data partition with zeroes.
// We take twice the size of the luks header and keyslot area
// as a safety margin.
int bytes_to_zero = 2 * LUKS_HEADER_SIZE;
y_log_message(Y_LOG_LEVEL_DEBUG,
"Overwriting start of data partition with zeroes");
char * command = NULL;
asprintf(&command, "head -c %d /dev/zero > %s; sync",
LUKS_HEADER_SIZE, DATA_PARTITION_DEVICE);
bytes_to_zero, DATA_PARTITION_DEVICE);
r = system(command);
if (r != 0)
{
......@@ -29,17 +91,11 @@ int callback_encryption_selfdestruct_post(const struct _u_request * request,
return send_simple_response(response, 500, "error",
"overwriting data device failed");
}
y_log_message(Y_LOG_LEVEL_DEBUG,
"Overwriting finished succesfully");
// Record that we want to reboot the machine.
*reboot = true;
y_log_message(Y_LOG_LEVEL_DEBUG,
"Will reboot");
// Record that we want to shut down the machine.
*shutdown = true;
r = send_simple_response(response, 200, "status", "ok");
y_log_message(Y_LOG_LEVEL_DEBUG,
"Response sent");
stop_server();
return r;
}
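Review bot: `destroy_active_keyslots` never releases the crypt device on its success path — `crypt_free(cd)` runs only when `container_initialise` fails, so each selfdestruct leaks the handle; add `crypt_free(cd);` immediately before `return result;`. Where the callback calls `destroy_active_keyslots();` its return value is discarded, so a failed initialise or a failed `crypt_keyslot_destroy` is only logged and the request still answers `ok` once the zeroing step succeeds; capture it with `r = destroy_active_keyslots();` and log an error before falling through to the zeroing backstop. `crypt_keyslot_max(CRYPT_LUKS1)` hard-codes the format — if the container may be LUKS2, `crypt_get_type(cd)` yields the actual type, though the format in use is not visible here. The Doxygen block above `destroy_active_keyslots` documents `request`, `response` and `user_data` parameters the function does not take; drop those three `@param` lines and declare it `int destroy_active_keyslots(void)`.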
......@@ -186,17 +186,27 @@ int temporary_mount(char * device_path, char * mount_path,
}
/**
* Reboot the system. We cannot simply use the `reboot` command because
* Reboot or halt the system. We cannot simply use the `reboot` command because
* we're running as init (pid 0).
* @param restart If `true` reboot, if `false` halt.
*/
void reboot_initrd()
void reboot_initrd(bool restart)
{
pid_t pid;
pid = vfork();
if (pid == 0)
{
// Child.
reboot(RB_AUTOBOOT);
int cmd;
if (restart)
{
cmd = RB_AUTOBOOT;
}
else
{
cmd = RB_POWER_OFF;
}
reboot(cmd);
_exit(EXIT_SUCCESS);
}
// Parent (init) waits.
......
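Review bot: The child ignores the result of `reboot(cmd)` and unconditionally does `_exit(EXIT_SUCCESS)`, so a failed reboot or power-off call is reported to the waiting parent as success; change it to `if (reboot(cmd) < 0) { _exit(EXIT_FAILURE); }` so the parent can inspect the exit status and log the failure. The new `int cmd;` followed by an if/else reads more directly as `int cmd = restart ? RB_AUTOBOOT : RB_POWER_OFF;`. The comment kept as context still says init runs as pid 0; init is pid 1, so `we're running as init (pid 1).` would be accurate. The parent's wait logic continues outside the hunk.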
......@@ -45,6 +45,7 @@ int main(int argc, char ** argv)
// Add api endpoints.
bool reboot = false;
bool shutdown = false;
ulfius_add_endpoint_by_val(&instance, "GET" , PREFIX,
"/encryption",
0, &callback_encryption_get, NULL);
......@@ -59,7 +60,7 @@ int main(int argc, char ** argv)
0, &callback_encryption_unlock_post, NULL);
ulfius_add_endpoint_by_val(&instance, "POST", PREFIX,
"/encryption/selfdestruct",
0, &callback_encryption_selfdestruct_post, &reboot);
0, &callback_encryption_selfdestruct_post, &shutdown);
ulfius_add_endpoint_by_val(&instance, "GET" , PREFIX,
"/encryption/keys",
0, &callback_encryption_keys_get, NULL);
......@@ -142,7 +143,14 @@ int main(int argc, char ** argv)
if (reboot)
{
y_log_message(Y_LOG_LEVEL_INFO, "rebooting...");
reboot_initrd();
reboot_initrd(true);
}
// Check if the encryption/init handler said that we should halt.
if (shutdown)
{
y_log_message(Y_LOG_LEVEL_INFO, "shutting down...");
reboot_initrd(false);
}
return 0;
......
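Review bot: The comment added above the new halt branch, `// Check if the encryption/init handler said that we should halt.`, names the wrong source: `shutdown` is set by `callback_encryption_selfdestruct_post`, which this commit wires to `&shutdown`; reword it to `// Check if the selfdestruct handler said that we should halt.`. The existing `reboot` check still precedes the new `shutdown` check as two independent `if`s, so if both flags were ever set in one run both branches would execute in sequence; an `else if`, or a comment stating the flags are exclusive, would make the intent explicit — whether both can be set is not visible here. `main`'s body continues outside the hunk.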