Commit 7e905845 authored by Arie Peterson's avatar Arie Peterson 🐚

Add endpoint for selfdestruct

parent b798460d
/**
* Callback function for destroying the data on an encrypted device.
* It does so by overwriting the luks header and keyslots with zeroes.
* See https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions:
* 5.4 How do I securely erase a LUKS (or other) partition?
* @param[in] request incoming HTTP request
* @param[out] response HTTP response to the request
* @param[in] user_data extra data to pass between handler and main thread
* @return internal status code
*/
int callback_encryption_selfdestruct_post(const struct _u_request * request,
struct _u_response * response, void * user_data)
{
bool * reboot = (bool *)user_data;
int r;
// Overwrite start of data partition with zeroes.
y_log_message(Y_LOG_LEVEL_DEBUG,
"Overwriting start of data partition with zeroes");
char * command = NULL;
asprintf(&command, "head -c %d /dev/zero > %s; sync",
LUKS_HEADER_SIZE, DATA_PARTITION_DEVICE);
r = system(command);
if (r != 0)
{
y_log_message(Y_LOG_LEVEL_ERROR,
"overwriting data device failed: return code %d",
r);
return send_simple_response(response, 500, "error",
"overwriting data device failed");
}
y_log_message(Y_LOG_LEVEL_DEBUG,
"Overwriting finished succesfully");
// Record that we want to reboot the machine.
*reboot = true;
y_log_message(Y_LOG_LEVEL_DEBUG,
"Will reboot");
r = send_simple_response(response, 200, "status", "ok");
y_log_message(Y_LOG_LEVEL_DEBUG,
"Response sent");
stop_server();
return r;
}
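Review bot: The command built by `asprintf(&command, "head -c %d /dev/zero > %s; sync", ...)` joins its two steps with `;`, so `system()` returns the status of `sync`, and a failed `head` or a failed redirection to the device still gives `r == 0`. The handler would then answer 200 "ok" and set `*reboot` while the LUKS header is still intact. Joining the steps with `&&` (`"head -c %d /dev/zero > %s && sync"`) lets the existing `r != 0` branch see a failed write. The return value of `asprintf` is also unchecked and `command` is never freed; `if (asprintf(&command, ...) < 0)` with a 500 response, and `free(command);` after `system()`, would cover both. Both format arguments appear to be compile-time macros, so an `open`/`write`/`fsync` sequence on the device would do the same job without a shell.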
......@@ -10,6 +10,7 @@
#include <api/encryption_init_post.c>
#include <api/encryption_remove_post.c>
#include <api/encryption_unlock_post.c>
#include <api/encryption_selfdestruct_post.c>
#include <api/encryption_keys_get.c>
#include <api/encryption_keys_delete.c>
#include <api/encryption_keys_put_post.c>
......@@ -56,6 +57,9 @@ int main(int argc, char ** argv)
ulfius_add_endpoint_by_val(&instance, "POST", PREFIX,
"/encryption/unlock",
0, &callback_encryption_unlock_post, NULL);
ulfius_add_endpoint_by_val(&instance, "POST", PREFIX,
"/encryption/selfdestruct",
0, &callback_encryption_selfdestruct_post, &reboot);
ulfius_add_endpoint_by_val(&instance, "GET" , PREFIX,
"/encryption/keys",
0, &callback_encryption_keys_get, NULL);
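Review bot: Nothing in the registration of `/encryption/selfdestruct` restricts who may call it, and the handler in `api/encryption_selfdestruct_post.c` never reads `request`, so any single POST that reaches this path starts an irreversible wipe. Access control may be enforced outside this view (the `SSH_COMMAND` forced command in the settings header suggests so). If it is, a comment above the registration should say where; otherwise the handler should require an explicit confirmation value in the request body before overwriting. Separately, `&reboot` is written by the handler and, per its docstring, read by the main thread. Its declaration is outside the hunk; if it is a plain `bool`, consider `atomic_bool` or reading it only after the server has stopped. The body of `main` continues outside this hunk.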
......
......@@ -33,3 +33,6 @@
// Ssh authorized_keys settings.
// This string is prepended to new and converted authorized_keys.
#define SSH_COMMAND "command=\"cd / && /usr/bin/cryptops-client\""
// Luks parameters.
#define LUKS_HEADER_SIZE 1052672
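Review bot: `LUKS_HEADER_SIZE` has no unit and no statement of which on-disk format it covers, and the comment `// Luks parameters.` does not say what the value is used for. The number looks like the default LUKS1 header-plus-keyslot size. LUKS2 volumes keep a larger header area by default, so if the data partition can be LUKS2, zeroing this many bytes may leave keyslot material in place; that is worth confirming against how the partition is formatted. Proposed comment: `// Bytes zeroed at the start of the data partition on selfdestruct; must cover the whole LUKS header and keyslot area.`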