Newer
Older
/**
* Callback function for encrypting an unencrypted device.
* 1. check if the device isn't already encrypted;
* 2. mount the unencrypted device;
* 3. determine the total size of the files on the device, and guess if they
* will fit into memory;
* 4. rsync all files from the unencrypted device to memory;
* 5. check if an authorized_keys file can be found on the root device;
* 6. unmount the unencrypted device;
* 7. repartition the device:
* . an info partition to hold unencrypted data for use from the initrd,
* like the dropbear ssh host keys and user's ssh public keys;
* . a data partition for the actual encrypted root device;
* 8. create a filesystem on the info partition;
* 9. copy ssh host keys and the authorized_keys file from the initrd
* to the info partition;
* 10. initialise a new encrypted container on the data partition, and unlock it
* for use;
* 11. create a new filesystem on this new encrypted data partition,
* and mount it;
* 12. rsync all files back from memory to the encrypted data partition;
* 13. unmount the new filesystem, and lock the encrypted container;
* 14. reboot.
* @param[in] request incoming HTTP request
* @param[out] response HTTP response to the request
* @param[in] user_data extra data to pass between handler and main thread
* @return internal status code
*/
int callback_encryption_add(const struct _u_request * request,
struct _u_response * response, void * user_data)
{
bool * reboot = (bool *)user_data;
int r;
// Read the encryption password from the request body.
json_t * json_input = ulfius_get_json_body_request(request, NULL);
const char * password = password = json_string_value(
json_object_get(json_input, "password"));
if (password == NULL)
{
return send_simple_response(response, 400, "error", "missing password");
}
// Check if the device isn't already encrypted.
if (is_encrypted_device(ROOT_DEVICE))
{
// The device is already encrypted; we don't want to encrypt it again.
return send_simple_response(response, 500, "error",
"already encrypted");
}
// Mount the filesystem on the unencrypted device.
r = temporary_mount(ROOT_DEVICE, UNENCRYPTED_MOUNTPOINT,
printf("mounting root device failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
}
// Determine the filesystem usage of the device to be encrypted.
unsigned long size = filesystem_usage(UNENCRYPTED_MOUNTPOINT);
if (size < 0)
{
// Something went wrong in determining the filesystem usage.
printf("determining filesystem usage failed: return code %lu\n", size);
return send_simple_response(response, 500, "error",
"determining filesystem usage failed");
}
// Determine the available memory.
unsigned long memory = available_memory();
double projected_usage = (double)size / (double)memory;
printf("projected memory usage: %.3f\n", projected_usage);
if (projected_usage > MEMORY_USAGE)
{
// Projected memory usage is really high, so abort.
return send_simple_response(response, 500, "error",
"device too large");
}
// Copy device contents to temporary filesystem.
printf("copying existing root device contents to memory\n");
char * command = NULL;
asprintf(&command, "rsync -a %s/ %s", UNENCRYPTED_MOUNTPOINT, TMP_LOCATION);
r = system(command);
if(r != 0)
{
printf("copying root device contents into memory failed"
": return code %d\n", r);
return send_simple_response(response, 500, "error",
}
// Unmount unencrypted device.
printf("unmounting unencrypted device at %s\n", UNENCRYPTED_MOUNTPOINT);
r = umount(UNENCRYPTED_MOUNTPOINT);
if (r != 0)
{
printf("unmounting encrypted device failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
// Check whether the authorized_keys file exists on root device.
char * authorized_keys_path = NULL;
asprintf(&authorized_keys_path, "%s%s",
TMP_LOCATION, AUTHORIZED_KEYS_PATH);
struct stat st = {0};
if (stat(authorized_keys_path, &st) == -1)
{
printf("authorized_keys not found on root device at %s\n",
authorized_keys_path);
return send_simple_response(response, 500, "error",
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
}
// Re-partition device.
printf("repartitioning device %s\n", ROOT_DEVICE);
command = NULL;
asprintf(&command, "sgdisk -a 8192 -n 1:0:48M -N 2 %s", ROOT_DEVICE);
r = system(command);
if (r != 0)
{
printf("partitioning root device failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"partitioning root device failed");
}
// Inform kernel of partitioning changes.
printf("running partprobe\n");
command = NULL;
asprintf(&command, "partprobe");
r = system(command);
if (r != 0)
{
printf("partprobe: return code %d\n", r);
return send_simple_response(response, 500, "error",
"partprobe failed");
}
// Sleep for a little while.
// This seems necessary for the newly created partitions to appear as
// devices.
printf("waiting a bit...\n");
// Create filesystem on the info partition.
printf("creating filesystem on info partition\n");
command = NULL;
asprintf(&command, "mkfs -t %s %s", FILESYSTEM_TYPE,
printf("command: %s\n", command);
r = system(command);
if (r != 0)
{
printf("creating filesystem failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"creating filesystem inside encrypted container failed");
}
// Mount the info partition.
printf("mounting info partition\n");
r = temporary_mount(INFO_PARTITION_DEVICE, INFO_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
printf("mounting encrypted device failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
// Create some directories in the info partition.
printf("creating directories in info partition\n");
asprintf(&command, "mkdir -p %s%s %s%s", INFO_MOUNTPOINT,
AUTHORIZED_KEYS_DIR, INFO_MOUNTPOINT, SSH_HOST_KEY_DIR);
r = system(command);
if (r != 0)
{
printf("creating directories failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
// Copy authorized_keys file to the info partition.
printf("copying authorized_keys to info partition\n");
asprintf(&command, "cp %s %s%s",
AUTHORIZED_KEYS_PATH, INFO_MOUNTPOINT, AUTHORIZED_KEYS_PATH);
r = system(command);
if (r != 0)
{
printf("copying authorized_keys failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
// Copy dropbear ssh host keys from the initrd to the info partition.
printf("copying dropbear ssh host keys\n");
asprintf(&command, "cp /etc/dropbear/* %s%s/", INFO_MOUNTPOINT,
SSH_HOST_KEY_DIR);
r = system(command);
if (r != 0)
{
printf("copying dropbear ssh host keys failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
// Unmount info partition.
printf("unmounting info partition at %s\n", INFO_MOUNTPOINT);
r = umount(INFO_MOUNTPOINT);
if (r != 0)
{
printf("unmounting failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"unmounting configuration partition failed");
}
// Initialise encrypted container on data partition.
printf("creating encrypted container at %s\n", DATA_PARTITION_DEVICE);
r = create_encrypted_device(DATA_PARTITION_DEVICE, password);
printf("creating encrypted container failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"creating encryption container failed");
}
// Unlock the new container.
printf("unlocking encrypted device\n");
r = encryption_unlock(DATA_PARTITION_DEVICE, MAPPED_DEVICE_NAME,
password);
if (r != 0)
printf("unlocking encrypted container failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"unlocking new encryption container failed");
}
// Create filesystem in the new container.
printf("creating filesystem in new container\n");
command = NULL;
asprintf(&command, "mkfs -t %s %s", FILESYSTEM_TYPE, MAPPED_DEVICE_PATH);
r = system(command);
printf("creating filesystem failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"creating filesystem inside encrypted container failed");
}
// Mount the unlocked container.
printf("mounting new filesystem\n");
r = temporary_mount(MAPPED_DEVICE_PATH, DATA_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
printf("mounting encrypted device failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
}
// Copy device contents from temporary filesystem to encrypted container.
printf("copying root device contents from memory\n");
asprintf(&command, "rsync -a %s/ %s", TMP_LOCATION, DATA_MOUNTPOINT);
printf("copying from memory to encrypted device failed:"
" return code %d\n", r);
return send_simple_response(response, 500, "error",
// Unmount filesystem on encrypted data partition.
printf("unmounting encrypted device at %s\n", DATA_MOUNTPOINT);
r = umount(DATA_MOUNTPOINT);
printf("unmounting encrypted device failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
}
// Lock the container.
printf("locking encrypted device\n");
r = encryption_lock(MAPPED_DEVICE_NAME);
printf("locking encrypted container failed: return code %d\n", r);
return send_simple_response(response, 500, "error",
"locking container failed");
}
// Record that we want to reboot the machine.
*reboot = true;
r = send_simple_response(response, 200, "status", "ok");
stop_server();
return r;