Add support for decrypting non-rootfs partitions

Author: mattludwigs

README.md

@@ -54,7 +54,7 @@ variables have special uses:
 
 Variable           | Description
 -------------------|-------------
-rootfs.fstype      | Root filesystem time. Defaults to "squashfs"
+rootfs.fstype      | Root filesystem type. Defaults to "squashfs"
 rootfs.path        | Root filesystem path. Defaults to "/dev/mmcblk0p2"
 rootfs.encrypted   | True if the filesystem is encrypted. Defaults to `false`
 rootfs.cipher      | The cipher used to encrypt the filesystem. For example, "aes-cbc-plain"
@@ -65,6 +65,11 @@ uboot_env.modified | True if something has modified the U-Boot block and it diff
 uboot_env.start    | The block offset of the U-Boot environment. (512 byte blocks)
 uboot_env.count    | The number of blocks in the environment. Defaults to 256.
 run_repl           | True to run a REPL before booting. This is useful for debug. Defaults to `false`
+dm_crypt.n.path    | The extra encrypted filesystem path.Where `n` is the index of the extra filesystem.
+dm_crypt.n.cipher  | The cipher used to encrypt the extra filesystem. Where `n` is the index of the extra filesystem.
+dm_crypt.n.secret  | The secret key as hex digits for the extra filesystem. Where `n` is the index of the extra filesystem.
+
+_for more information about configuring extra encrypted filesystems see [Mounting extra encrypted filesystems](#mounting-extra-encrypted-file-systems)_
 
 It's also possible to call built-in functions:
 
@@ -180,3 +185,22 @@ This is illustrative, but obviously quite insecure. The current route to
 obtaining the secret key is to edit the C code to this project to integrate it
 with platform-specific way of keeping or hiding secrets. It is hoped that
 alternatives can be shared in the future.
+
+### Mounting extra encrypted file systems
+
+If you want to mount more encrypted file systems outside of the `rootfs` you
+can use the `dm_crypt` variable to configure the extra filesystems. The
+`dm_crypt` variable works using a number to under the `dm_crypt` variable
+namespace like so: `dm_crypt.n.path`.
+
+Here's an example configuration file with configuration two more filesystems:
+
+```config
+dm_crypt.1.path = "/dev/mmcblk0p3"
+dm_crypt.1.cipher = "aes-cbc-plain"
+dm_crypt.1.secret = "8e9c0780fd7f5d00c18a30812fe960cfce71f6074dd9cded6aab2897568cc856"
+
+dm_crypt.1.path = "/dev/mmcblk0p4"
+dm_crypt.2.cipher = "aes-cbc-plain"
+dm_crypt.2.secret = "4e9c781fd7f5d00c18a30812fe970cfce56f6064dd9cded6aab2897575cc861"
+```

src/nerves_initramfs.c

@@ -19,6 +19,8 @@
 #include "linenoise.h"
 #include "script.h"
 
+#define MAX_EXTRA_ENCRYPTED_DEVS 8
+
 // Global U-Boot environment data
 struct uboot_env working_uboot_env;
 
@@ -38,19 +40,26 @@ static int retry_open(const char *path, int flags)
 
     return fd;
 }
-static int losetup(int rootfs_fd)
+static int losetup(int rootfs_fd, int loop_ix)
 {
+    char loop_devname[16];
+    snprintf(loop_devname, sizeof(loop_devname), "/dev/loop%d", loop_ix);
+
     // Assume loop0 is available since who else would be able to take it?
-    int loop_fd = open("/dev/loop0", O_RDONLY);
+    int loop_fd = open(loop_devname, O_RDONLY);
     if (loop_fd < 0)
-        fatal("Enable CONFIG_BLK_DEV_LOOP in kernel");
+        fatal("Enable CONFIG_BLK_DEV_LOOP in kernel and check that at least %d loop devices", loop_ix + 1);
 
     OK_OR_FATAL(ioctl(loop_fd, LOOP_SET_FD, rootfs_fd), "LOOP_SET_FD failed");
 
     return loop_fd;
 }
 
-static int dm_create(off_t rootfs_size, const char *cipher, const char *secret)
+static int dm_create(int map_ix,
+                     const char *name,
+                     off_t rootfs_size,
+                     const char *cipher,
+                     const char *secret)
 {
     int dm_control = retry_open("/dev/mapper/control", O_RDWR);
 
@@ -68,8 +77,8 @@ static int dm_create(off_t rootfs_size, const char *cipher, const char *secret)
     dm->flags = 0;
     dm->event_nr = 0;
     dm->dev = 0;
-    strcpy(dm->name, "rootfs");
-    strcpy(dm->uuid, "CRYPT-PLAIN-rootfs");
+    strcpy(dm->name, name);
+    snprintf(dm->uuid, sizeof(dm->uuid), "CRYPT-PLAIN-%s", name);
 
     OK_OR_FATAL(ioctl(dm_control, DM_DEV_CREATE, request_buffer), "Enable CONFIG_DM_CRYPT in kernel");
 
@@ -83,13 +92,13 @@ static int dm_create(off_t rootfs_size, const char *cipher, const char *secret)
     dm->open_count = 0;
     dm->flags = DM_SECURE_DATA_FLAG;
     dm->dev = 0;
-    strcpy(dm->name, "rootfs");
+    strcpy(dm->name, name);
     struct dm_target_spec *target = (struct dm_target_spec *) &request_buffer[dm->data_start];
     memset(target, 0, sizeof(struct dm_target_spec));
     target->sector_start = 0;
     target->length = rootfs_size;
     strcpy(target->target_type, "crypt");
-    sprintf((char *) &request_buffer[dm->data_start + sizeof(struct dm_target_spec)], "%s %s 0 /dev/loop0 0", cipher, secret);
+    sprintf((char *) &request_buffer[dm->data_start + sizeof(struct dm_target_spec)], "%s %s %d /dev/loop%d 0", cipher, secret, map_ix, map_ix);
     OK_OR_FATAL(ioctl(dm_control, DM_TABLE_LOAD, request_buffer), "Check CONFIG_DM_CRYPT and crypto algs enabled");
 
 
@@ -101,7 +110,7 @@ static int dm_create(off_t rootfs_size, const char *cipher, const char *secret)
     dm->data_start = sizeof(struct dm_ioctl);
     dm->target_count = 0;
     dm->flags = DM_SECURE_DATA_FLAG;
-    strcpy(dm->name, "rootfs");
+    strcpy(dm->name, name);
     OK_OR_FATAL(ioctl(dm_control, DM_DEV_SUSPEND, request_buffer), "DM_DEV_SUSPEND failed");
 
     close(dm_control);
@@ -188,17 +197,76 @@ static void mount_encrypted_fs(const char *rootfs, const char *rootfs_type, cons
     off_t rootfs_size = lseek(rootfs_fd, 0, SEEK_END);
     (void) lseek(rootfs_fd, 0, SEEK_SET);
 
-    int loop_fd = losetup(rootfs_fd);
+    int loop_fd = losetup(rootfs_fd, 0);
     close(rootfs_fd);
 
-    dm_create(rootfs_size, cipher, secret);
+    dm_create(0, "rootfs", rootfs_size, cipher, secret);
 
     OK_OR_FATAL(mount("/dev/dm-0", "/mnt", rootfs_type, MS_RDONLY, NULL), "Expecting %s filesystem on %s", rootfs_type, rootfs);
 
     // It's ok to close loop_fd now that the mount happened.
     close(loop_fd);
 }
 
+static void map_encrypted_device(int map_ix, const char *path, const char *name, const char *cipher, const char *secret)
+{
+    // Wait for the device to appear
+    int fd = retry_open(path, O_RDONLY);
+    off_t size = lseek(fd, 0, SEEK_END);
+    (void) lseek(fd, 0, SEEK_SET);
+
+    int loop_fd = losetup(fd, map_ix);
+    close(fd);
+
+    char dm_name[16];
+    snprintf(dm_name, sizeof(dm_name), "/dev/dm-%d", map_ix);
+
+    char link_name[32];
+    snprintf(link_name, sizeof(link_name), "/dev/mapper/%s", name);
+
+    dm_create(map_ix, name, size, cipher, secret);
+
+    OK_OR_WARN(symlink(link_name, dm_name), "Could not symlink %s -> %s", link_name, dm_name);
+
+    // Hmmmmm.... It's ok to close loop_fd now that the mount happened.
+    close(loop_fd);
+}
+
+static void map_extra_encrypted_devs()
+{
+    for (int ix = 1; ix <= MAX_EXTRA_ENCRYPTED_DEVS; ix++) {
+        char base[12];
+        snprintf(base, sizeof(base), "dm_crypt.%d", ix);
+
+        char path_var[20];
+        char name_var[20];
+        char cipher_var[20];
+        char secret_var[20];
+
+        snprintf(path_var, sizeof(path_var), "%s.path", base);
+        snprintf(name_var, sizeof(name_var), "%s.name", base);
+        snprintf(cipher_var, sizeof(cipher_var), "%s.cipher", base);
+        snprintf(secret_var, sizeof(secret_var), "%s.secret", base);
+
+        const char *path = get_variable_as_string(path_var);
+        const char *name = get_variable_as_string(name_var);
+        const char *cipher = get_variable_as_string(cipher_var);
+        const char *secret = get_variable_as_string(secret_var);
+
+        if (*path != '\0') {
+            if (*name == '\0' ||
+                *cipher == '\0' ||
+                *secret == '\0') {
+                info("Not mapping %s. Make sure that %s.name, %s.cipher, and %s.secret are set",
+                        path, base, base, base);
+                continue;
+            }
+            info("mapping other encrypted block device %s", path);
+            map_encrypted_device(ix, path, name, cipher, secret);
+        }
+    }
+}
+
 static void repl()
 {
     char *line;
@@ -263,6 +331,8 @@ int main(int argc, char *argv[])
     else
         mount_fs(rootfs_path, rootfs_fstype);
 
+    map_extra_encrypted_devs();
+
     switch_root();
 
     // Launch the real init. It's always /sbin/init with Buildroot.

tests/006_extra_encrypted_devices

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#
+# Test adding 1 or more encrypted devices
+#
+
+cat >$CONFIG <<EOF
+dm_crypt.1.path = "/dev/mmcblk0p3"
+dm_crypt.1.name = "app"
+dm_crypt.1.cipher = "aes-cbc-plain"
+dm_crypt.1.secret = "8e9c0780fd7f5d00c18a30812fe960cfce71f6074dd9cded6aab2897568cc856"
+
+dm_crypt.2.path = "/dev/mmcblk0p4"
+dm_crypt.2.name = "provisioning"
+dm_crypt.2.cipher = "aes-cbc-plain"
+dm_crypt.2.secret = "4e9c781fd7f5d00c18a30812fe970cfce56f6064dd9cded6aab2897575cc861"
+EOF
+
+
+cat >$EXPECTED <<EOF
+fixture: mount("devtmpfs", "/dev", "devtmpfs", 10, data)
+fixture: mkdir("/mnt", 777)
+fixture: mount("/dev/mmcblk0p2", "/mnt", "squashfs", 1, data)
+nerves_initramfs: mapping other encrypted block device /dev/mmcblk0p3
+fixture: ioctl(LOOP_SET_FD)
+fixture: ioctl(DM_DEV_CREATE, data_size=16384, data_start=312, target_count=0, open_count=0, flags=0, event_nr=0, dev=0x0, name=app, uuid=CRYPT-PLAIN-app
+fixture: ioctl(DM_TABLE_LOAD, data_size=16384, data_start=312, target_count=1, open_count=0, flags=32768, event_nr=0, dev=0x0, name=app, uuid=, target=0,393216,crypt (aes-cbc-plain 8e9c0780fd7f5d00c18a30812fe960cfce71f6074dd9cded6aab2897568cc856 1 /dev/loop1 0)
+fixture: ioctl(DM_DEV_SUSPEND, data_size=16384, data_start=312, target_count=0, open_count=0, flags=32768, event_nr=0, dev=0x0, name=app, uuid=
+fixture: symlink("/dev/mapper/app, /dev/dm-1")
+nerves_initramfs: mapping other encrypted block device /dev/mmcblk0p4
+fixture: ioctl(LOOP_SET_FD)
+fixture: ioctl(DM_DEV_CREATE, data_size=16384, data_start=312, target_count=0, open_count=0, flags=0, event_nr=0, dev=0x0, name=provisioning, uuid=CRYPT-PLAIN-provisioning
+fixture: ioctl(DM_TABLE_LOAD, data_size=16384, data_start=312, target_count=1, open_count=0, flags=32768, event_nr=0, dev=0x0, name=provisioning, uuid=, target=0,655360,crypt (aes-cbc-plain 4e9c781fd7f5d00c18a30812fe970cfce56f6064dd9cded6aab2897575cc861 2 /dev/loop2 0)
+fixture: ioctl(DM_DEV_SUSPEND, data_size=16384, data_start=312, target_count=0, open_count=0, flags=32768, event_nr=0, dev=0x0, name=provisioning, uuid=
+fixture: symlink("/dev/mapper/provisioning, /dev/dm-2")
+fixture: unlink("/init")
+fixture: rmdir("/root")
+fixture: mount("/dev", "/mnt/dev", "(null)", 8192, data)
+fixture: mount(".", "/", "(null)", 8192, data)
+fixture: chroot(.)
+Hello from the chained /sbin/init
+EOF

tests/fixture/init_fixture.c

@@ -290,6 +290,7 @@ OVERRIDE(int, dup2, (int oldfd, int newfd))
 
 OVERRIDE(int, symlink, (const char *target, const char *linkpath))
 {
+    log("symlink(\"%s, %s\")", target, linkpath);
     char new_target[PATH_MAX];
     if (fixup_path(target, new_target) < 0)
         return -1;

tests/run_tests_impl.sh

@@ -51,10 +51,15 @@ run() {
     ln -s $INIT $WORK/init
     mkdir -p $WORK/sbin
     ln -s $CHAINED_INIT $WORK/sbin/init
+    ln -s /dev/null $WORK/dev/null
 
     # Create the device containing a root filesystem
     dd if=/dev/zero of=$WORK/dev/mmcblk0p2 bs=512 count=0 seek=1024 2>/dev/null
-    ln -s /dev/null $WORK/dev/null
+
+    # Create devices for other partitions
+    dd if=/dev/zero of=$WORK/dev/mmcblk0p1 bs=512 count=0 seek=512 2>/dev/null
+    dd if=/dev/zero of=$WORK/dev/mmcblk0p3 bs=512 count=0 seek=768 2>/dev/null
+    dd if=/dev/zero of=$WORK/dev/mmcblk0p4 bs=512 count=0 seek=1280 2>/dev/null
 
     # Fake active console
     ln -s $(tty) $WORK/dev/ttyF1
@@ -65,6 +70,9 @@ run() {
     mkdir -p $WORK/dev/mapper
     touch $WORK/dev/mapper/control
     touch $WORK/dev/loop0
+    touch $WORK/dev/loop1
+    touch $WORK/dev/loop2
+    touch $WORK/dev/loop3
 
     # Run the test script to setup files for the test
     source "$TESTS_DIR/$TEST"