#!/bin/bash
# Ensure /etc/intel-manageability/secret is backed by protected storage.
#
# Two modes:
#   * UDM mode  - /mnt/udm-luks is already mounted: the secret directory is a
#                 bind mount of /mnt/udm-luks/inbm and the script stops there.
#   * TPM/LUKS  - otherwise a LUKS2 image is created/opened and mounted
#                 (handled further down in this file).
#
# Runs as root. Command tracing (-x) is on globally; the passphrase-handling
# sections below switch it off so the secret does not reach the log.
set -euxo pipefail

TC_SECRET="/etc/intel-manageability/secret"
TC_PUBLIC="/etc/intel-manageability/public"
TC_SECRET_IMG_DIR="/var/intel-manageability"
TC_SECRET_IMG="$TC_SECRET_IMG_DIR/secret.img"

udm_root="/mnt/udm-luks"

# UDM mode: reuse the already-mounted volume through a bind mount.
if mountpoint -q "$udm_root"; then
  echo "$udm_root is mounted. Using bind mount instead of TPM/LUKS."
  # Source and target of the bind mount, plus the public directory.
  # NOTE(review): these are created with default-umask permissions; confirm
  # that is intended for a directory that will hold secrets.
  mkdir -p "$udm_root/inbm" "$TC_SECRET" "$TC_PUBLIC"
  mount --bind "$udm_root/inbm" "$TC_SECRET"
  # Also used for the SQLite3 DB, so it must exist in this mode too.
  mkdir -p "$TC_SECRET_IMG_DIR"
  # Nothing else to do in UDM mode.
  exit 0
fi
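#######################################
# ERR-trap handler: fall back to a tmpfs-backed secret directory when the
# TPM/LUKS path fails, so dependent services can still start.
# Globals:   TC_SECRET, TC_PUBLIC (read)
# Arguments: none
# Outputs:   progress messages on stdout; creates marker $TC_SECRET/SAFE_MODE
# Returns:   returns 0 if $TC_SECRET is already mounted (the script then
#            terminates under set -e); otherwise exits 0 once both tmpfs
#            mounts are in place, or exits 1 if a tmpfs mount fails.
#######################################
safe_mode() {
  set -ex
  local public_tmp
  mkdir -p "$TC_SECRET" "$TC_PUBLIC"
  echo "Error accessing secrets. Falling back to safe mode."
  if mountpoint "$TC_SECRET"; then
    echo "$TC_SECRET already mounted. Skipping safe mode."
    return 0
  fi
  # NOTE(review): mode=0755 makes this tmpfs world-readable; confirm nothing
  # sensitive is written under $TC_SECRET while SAFE_MODE is present.
  if ! mount -t tmpfs -o size=32m,mode=0755,uid=root,gid=root,nodev tmpfs "$TC_SECRET"; then
    exit 1
  fi
  touch "$TC_SECRET/SAFE_MODE"
  # Save current public directory contents. "dir/." copies everything
  # (dotfiles included) and, unlike "dir/*", does not fail on an empty
  # directory -- which under set -e would abort safe mode half-way.
  public_tmp=$(mktemp -d)
  cp -av "$TC_PUBLIC/." "$public_tmp"
  # Mount public directory as tmpfs so permanent certs are not overwritten
  if ! mount -t tmpfs -o size=32m,mode=0755,uid=root,gid=root,nodev tmpfs "$TC_PUBLIC"; then
    exit 1
  fi
  # Restore public directory contents into the tmpfs
  cp -av "$public_tmp/." "$TC_PUBLIC"
  rm -rf -- "$public_tmp"
  exit 0
}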
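# TPM/LUKS mode. From here on any failing command (set -e) invokes safe_mode
# through the ERR trap.
trap safe_mode ERR

# Trace is switched off around every use of $PASSPHRASE so the secret never
# appears in the -x log.
set +x
PASSPHRASE="$(/usr/bin/tc-get-secret-passphrase)"
set -x
DEV_MAPPER_SECRET="intel-manageability-secret"

set +x
# NOTE(review): this logs an unsalted MD5 of the secret passphrase. Anyone
# who can read the log can verify passphrase guesses offline against it;
# remove once the debugging need it serves is gone.
echo md5sum of passphrase --
printf '%s' "$PASSPHRASE" | md5sum
set -x
# TODO(review): purpose of this delay is undocumented -- confirm it is needed.
sleep 1

# Create the secret image on first run.
if ! [[ -e "$TC_SECRET_IMG" ]]; then
  mkdir -p "$TC_SECRET_IMG_DIR"
  # umask 077 in a subshell so the image is owner-only from the moment it is
  # created, not just after the chown/chmod below.
  ( umask 077 && dd if=/dev/urandom of="$TC_SECRET_IMG" bs=1M count=32 )
  # Protect secret image before formatting
  chown root:root "$TC_SECRET_IMG"
  chmod og-rwx "$TC_SECRET_IMG"
  set +x
  echo Running cryptsetup commands--trace is off.
  # "-d -" reads all of stdin (newlines included) as the key; printf '%s'
  # rather than echo -n so a passphrase starting with "-" is passed verbatim.
  printf '%s' "$PASSPHRASE" | cryptsetup -v -h sha384 luksFormat --type luks2 "$TC_SECRET_IMG" -d -
  printf '%s' "$PASSPHRASE" | cryptsetup -v open "$TC_SECRET_IMG" "$DEV_MAPPER_SECRET" -d -
  echo Trace is back on.
  set -x
  mkfs.ext4 /dev/mapper/"$DEV_MAPPER_SECRET"
  cryptsetup close "$DEV_MAPPER_SECRET"
fi

# In case of upgrade, re-protect secret image.
chown root:root "$TC_SECRET_IMG"
chmod og-rwx "$TC_SECRET_IMG"

# Ensure /dev/mapper entry is set up
if ! [[ -b /dev/mapper/"$DEV_MAPPER_SECRET" ]]; then
  set +x
  echo Running cryptsetup commands--trace is off.
  # Try the passphrase first with newlines included (-d -), then fall back to
  # the older scheme where cryptsetup reads stdin only up to the first
  # newline. Finally fall back to "TRUE".
  # NOTE(review): an image that only opens with the "TRUE" fallback is
  # protected by a constant known to anyone who reads this script; confirm
  # which deployments still depend on it before keeping that branch.
  ( echo "Trying with bare passphrase." && printf '%s' "$PASSPHRASE" | cryptsetup -v open "$TC_SECRET_IMG" "$DEV_MAPPER_SECRET" -d - ) \
    || ( echo "Trying with newline separated passphrase." && printf '%s' "$PASSPHRASE" | cryptsetup -v open "$TC_SECRET_IMG" "$DEV_MAPPER_SECRET" ) \
    || ( echo "Trying with TRUE" && printf '%s' "TRUE" | cryptsetup -v open "$TC_SECRET_IMG" "$DEV_MAPPER_SECRET" )
  echo Trace is back on.
  set -x
fi

# Ensure filesystem is mounted
if ! mountpoint "$TC_SECRET"; then
  # fsck exit status 1 means "errors corrected": the filesystem is usable, so
  # do not let it trip set -e / the ERR trap into safe mode. Status > 1 still
  # fails the list and falls back to safe mode as before.
  fsck -y /dev/mapper/"$DEV_MAPPER_SECRET" || [[ $? -le 1 ]]
  mkdir -p "$TC_SECRET"
  mount /dev/mapper/"$DEV_MAPPER_SECRET" -o nodev "$TC_SECRET"
fi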