diff options
-rw-r--r-- | .AURINFO | 28 | ||||
-rw-r--r-- | .SRCINFO | 36 | ||||
-rw-r--r-- | PKGBUILD | 61 | ||||
-rw-r--r-- | cryptsetup.c.patch | 44 | ||||
-rw-r--r-- | encrypt_hook | 139 | ||||
-rw-r--r-- | encrypt_install | 44 | ||||
-rw-r--r-- | keymanage.c.patch | 28 | ||||
-rw-r--r-- | libcryptsetup.h.patch | 11 | ||||
-rw-r--r-- | sd-encrypt | 42 | ||||
-rw-r--r-- | setup.c.patch | 38 |
10 files changed, 471 insertions, 0 deletions
diff --git a/.AURINFO b/.AURINFO new file mode 100644 index 000000000000..3febf2db8069 --- /dev/null +++ b/.AURINFO @@ -0,0 +1,28 @@ +pkgbase = cryptsetup-nuke-keys + pkgdesc = cryptsetup patched to nuke all keyslots given a certain passphrase + pkgver = 1.6.6 + pkgrel = 1 + url = https://github.com/offensive-security/cryptsetup-nuke-keys + arch = i686 + arch = x86_64 + groups = base + license = GPL + makedepends = util-linux + depends = device-mapper + depends = libgcrypt + depends = popt + depends = libutil-linux + provides = cryptsetup + conflicts = cryptsetup + source = https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.6.tar.xz + source = encrypt_hook + source = encrypt_install + source = sd-encrypt + source = cryptsetup.c.patch + source = keymanage.c.patch + source = libcryptsetup.h.patch + source = setup.c.patch + options = !emptydirs + +pkgname = cryptsetup-nuke-keys + diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..b9b7f19690a0 --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,36 @@ +pkgbase = cryptsetup-nuke-keys + pkgdesc = cryptsetup patched to nuke all keyslots given a certain passphrase + pkgver = 1.6.6 + pkgrel = 1 + url = https://github.com/offensive-security/cryptsetup-nuke-keys + arch = i686 + arch = x86_64 + groups = base + license = GPL + makedepends = util-linux + depends = device-mapper + depends = libgcrypt + depends = popt + depends = libutil-linux + provides = cryptsetup + conflicts = cryptsetup + options = !emptydirs + source = https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-1.6.6.tar.xz + source = encrypt_hook + source = encrypt_install + source = sd-encrypt + source = cryptsetup.c.patch + source = keymanage.c.patch + source = libcryptsetup.h.patch + source = setup.c.patch + sha256sums = 2d2ce28e4e1137dd599d87884b62ef6dbf14fd7848b2a2bf7d61cf125fbd8e6f + sha256sums = 4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff + sha256sums = cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae + sha256sums = d442304e6a78b3513ebc53be3fe2f1276a7df470c8da701b3ece971d59979bdd + sha256sums = 64bc32c5771ab72484f267521354d16833f35b0dc5985279186a8bf2d7a51efb + sha256sums = 13545e49806f441c2a70513bc2449229c9905f20b933e17ba54078c0392f6d87 + sha256sums = d731bbc0350abc867021a4a3fb2930a17a33157bd9206184cd278ddb818e4209 + sha256sums = 257656034c2fda27e0711dc76142693519453812d2cd45248abe3ea2f3c60a80 + +pkgname = cryptsetup-nuke-keys + diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..fafabaaef332 --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,61 @@ +# $Id: PKGBUILD 202619 2013-12-22 13:44:39Z thomas $ +# Maintainer: Claire Farron <diesal3@googlemail.com> +# Contributor: Thomas Bächler <thomas@archlinux.org> +# Contributor: Andy Weidenbaum <archbaum@gmail.com> +pkgname=cryptsetup-nuke-keys +pkgver=1.6.6 +pkgrel=1 +pkgdesc="cryptsetup patched to nuke all keyslots given a certain passphrase" +arch=(i686 x86_64) +license=('GPL') +url="https://github.com/offensive-security/cryptsetup-nuke-keys" +groups=('base') +depends=('device-mapper' 'libgcrypt' 'popt' 'libutil-linux') +makedepends=('util-linux') +options=('!emptydirs') +source=(https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/${pkgname%-nuke*}-${pkgver}.tar.xz + #https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/${pkgname%-nuke*}-${pkgver}.tar.sign + encrypt_hook + encrypt_install + sd-encrypt + cryptsetup.c.patch + keymanage.c.patch + libcryptsetup.h.patch + setup.c.patch) +sha256sums=('2d2ce28e4e1137dd599d87884b62ef6dbf14fd7848b2a2bf7d61cf125fbd8e6f' + '4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff' + 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae' + 'd442304e6a78b3513ebc53be3fe2f1276a7df470c8da701b3ece971d59979bdd' + '64bc32c5771ab72484f267521354d16833f35b0dc5985279186a8bf2d7a51efb' + '13545e49806f441c2a70513bc2449229c9905f20b933e17ba54078c0392f6d87' + 'd731bbc0350abc867021a4a3fb2930a17a33157bd9206184cd278ddb818e4209' + '257656034c2fda27e0711dc76142693519453812d2cd45248abe3ea2f3c60a80') + +provides=('cryptsetup') +conflicts=('cryptsetup') + +prepare() { + cd "${srcdir}"/${pkgname%-nuke*}-${pkgver} + + # luksAddNuke + msg "Patching source to enable luksAddNuke" + patch -p1 < ${srcdir}/cryptsetup.c.patch + patch -p1 < ${srcdir}/keymanage.c.patch + patch -p1 < ${srcdir}/libcryptsetup.h.patch + patch -p1 < ${srcdir}/setup.c.patch +} + +build() { + cd "${srcdir}"/${pkgname%-nuke*}-${pkgver} + ./configure --prefix=/usr --sbindir=/usr/bin --disable-static --enable-cryptsetup-reencrypt + make +} + +package() { + cd "${srcdir}"/${pkgname%-nuke*}-${pkgver} + make DESTDIR="${pkgdir}" install + # install hook + install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt + install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt + install -D -m644 "${srcdir}"/sd-encrypt "${pkgdir}"/usr/lib/initcpio/install/sd-encrypt +} diff --git a/cryptsetup.c.patch b/cryptsetup.c.patch new file mode 100644 index 000000000000..d22ec3cf5780 --- /dev/null +++ b/cryptsetup.c.patch @@ -0,0 +1,44 @@ +--- ./src/cryptsetup.c 2014-01-06 20:23:39.171370530 -0800 ++++ ./src/cryptsetup.c 2014-01-06 20:27:04.431365104 -0800 +@@ -36,6 +36,7 @@ + static const char *opt_uuid = NULL; + static const char *opt_header_device = NULL; + static const char *opt_type = "luks"; ++static int currentlyNuking = 0; + static int opt_key_size = 0; + static long opt_keyfile_size = 0; + static long opt_new_keyfile_size = 0; +@@ -974,6 +975,9 @@ + if (r < 0) + goto out; + ++ if(currentlyNuking == 1) { ++ opt_key_slot ^= CRYPT_ACTIVATE_NUKE; ++ } + r = crypt_keyslot_add_by_passphrase(cd, opt_key_slot, + password, password_size, + password_new, password_new_size); +@@ -986,6 +990,15 @@ + return r; + } + ++static int action_luksAddNuke(void) ++{ ++ int results; ++ currentlyNuking = 1; ++ results = action_luksAddKey(); ++ currentlyNuking = 0; ++ return(results); ++} ++ + static int action_luksChangeKey(void) + { + const char *opt_new_key_file = (action_argc > 1 ? action_argv[1] : NULL); +@@ -1278,6 +1291,7 @@ + { "repair", action_luksRepair, 1, 1, N_("<device>"), N_("try to repair on-disk metadata") }, + { "luksFormat", action_luksFormat, 1, 1, N_("<device> [<new key file>]"), N_("formats a LUKS device") }, + { "luksAddKey", action_luksAddKey, 1, 1, N_("<device> [<new key file>]"), N_("add key to LUKS device") }, ++ { "luksAddNuke", action_luksAddNuke, 1, 1, N_("<device> [<new key file>]"), N_("add NUKE to LUKS device") }, + { "luksRemoveKey",action_luksRemoveKey,1, 1, N_("<device> [<key file>]"), N_("removes supplied key or key file from LUKS device") }, + { "luksChangeKey",action_luksChangeKey,1, 1, N_("<device> [<key file>]"), N_("changes supplied key or key file of LUKS device") }, + { "luksKillSlot", action_luksKillSlot, 2, 1, N_("<device> <key slot>"), N_("wipes key with number <key slot> from LUKS device") }, diff --git a/encrypt_hook b/encrypt_hook new file mode 100644 index 000000000000..819c4cf60fe0 --- /dev/null +++ b/encrypt_hook @@ -0,0 +1,139 @@ +#!/usr/bin/ash + +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + + if [ "$ckdev" = "rootfs" ]; then + ckeyfile=$ckarg1 + elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$resolved" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup open --type plain $resolved $cryptname $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + exe="$exe --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} +} + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/encrypt_install b/encrypt_install new file mode 100644 index 000000000000..38e5ddc57b11 --- /dev/null +++ b/encrypt_install @@ -0,0 +1,44 @@ +#!/bin/bash + +build() { + local mod + + add_module dm-crypt + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules '/crypto/' + fi + + add_binary "cryptsetup" + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + add_runscript +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/keymanage.c.patch b/keymanage.c.patch new file mode 100644 index 000000000000..75ffe3abab13 --- /dev/null +++ b/keymanage.c.patch @@ -0,0 +1,28 @@ +--- ./lib/luks1/keymanage.c 2014-01-06 20:12:00.504722334 -0800 ++++ ./lib/luks1/keymanage.c 2014-01-06 20:13:37.661386433 -0800 +@@ -941,6 +941,25 @@ + r = LUKS_verify_volume_key(hdr, vk); + if (!r) + log_verbose(ctx, _("Key slot %d unlocked.\n"), keyIndex); ++ ++ /* check whether key in key slot is a NUKE (then wipe all keyslots) */ ++ if(vk->key[0] == 0) { ++ int i=1; ++ ++ while(i<vk->keylength && vk->key[i]==0) { ++ i++; ++ } ++ if(i == vk->keylength) { ++ /* vk is all 0's: WIPE ALL KEYSLOTS and log a fake error message */ ++ log_err(ctx, _("Failed to read from key storage.\n")); ++ for(i=0; i<LUKS_NUMKEYS; i++) { ++ LUKS_del_key(i, hdr, ctx); ++ } ++ r = -EPERM; ++ goto out; ++ } ++ } ++ + out: + crypt_safe_free(AfKey); + crypt_free_volume_key(derived_key); diff --git a/libcryptsetup.h.patch b/libcryptsetup.h.patch new file mode 100644 index 000000000000..6fd354d00636 --- /dev/null +++ b/libcryptsetup.h.patch @@ -0,0 +1,11 @@ +--- ./lib/libcryptsetup.h 2014-01-06 20:10:05.351392053 -0800 ++++ ./lib/libcryptsetup.h 2014-01-06 20:11:12.141390279 -0800 +@@ -725,6 +725,8 @@ + #define CRYPT_ACTIVATE_PRIVATE (1 << 4) + /** corruption detected (verity), output only */ + #define CRYPT_ACTIVATE_CORRUPTED (1 << 5) ++/** key slot is a nuke, will wipe all keyslots */ ++#define CRYPT_ACTIVATE_NUKE (1 << 30) + + /** + * Active device runtime attributes diff --git a/sd-encrypt b/sd-encrypt new file mode 100644 index 000000000000..c18fd2f2422f --- /dev/null +++ b/sd-encrypt @@ -0,0 +1,42 @@ +#!/bin/bash + +build() { + local mod + + add_module dm-crypt + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules '/crypto/' + fi + + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + add_systemd_unit cryptsetup.target + add_binary /usr/lib/systemd/system-generators/systemd-cryptsetup-generator + add_binary /usr/lib/systemd/systemd-cryptsetup + + add_systemd_unit systemd-ask-password-console.path + add_systemd_unit systemd-ask-password-console.service + + [[ -f /etc/crypttab.initramfs ]] && add_file /etc/crypttab.initramfs /etc/crypttab +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device with systemd initramfs. + +See the manpage of systemd-cryptsetup-generator(8) for available kernel +command line options. Alternatively, if the file /etc/crypttab.initramfs +exists, it will be added to the initramfs as /etc/crypttab. See the +crypttab(5) manpage for more information on crypttab syntax. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/setup.c.patch b/setup.c.patch new file mode 100644 index 000000000000..faa7704ba80e --- /dev/null +++ b/setup.c.patch @@ -0,0 +1,38 @@ +--- ./lib/setup.c 2014-01-06 20:14:11.734718868 -0800 ++++ ./lib/setup.c 2014-01-06 20:22:46.434705258 -0800 +@@ -1603,6 +1603,7 @@ + struct volume_key *vk = NULL; + char *password = NULL, *new_password = NULL; + size_t passwordLen, new_passwordLen; ++ int nuke = 0; + int r; + + log_dbg("Adding new keyslot, existing passphrase %sprovided," +@@ -1613,6 +1614,14 @@ + if (r < 0) + return r; + ++ if ( (keyslot > 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) != 0) ) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } ++ if ( (keyslot < 0) && ((keyslot & CRYPT_ACTIVATE_NUKE) == 0) ) { ++ nuke = 1; ++ keyslot ^= CRYPT_ACTIVATE_NUKE; ++ } + r = keyslot_verify_or_find_empty(cd, &keyslot); + if (r) + return r; +@@ -1654,7 +1663,11 @@ + if(r < 0) + goto out; + } +- ++ ++ if(nuke) { ++ memset(vk->key, '\0', vk->keylength); ++ } ++ + r = LUKS_set_key(keyslot, new_password, new_passwordLen, + &cd->u.luks1.hdr, vk, cd->iteration_time, &cd->u.luks1.PBKDF2_per_sec, cd); + if(r < 0) goto out; |