s390x: add secure-execution support #1353
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bgilbert
previously requested changes
Nov 29, 2021
nikita-dubrovskii
force-pushed
the
secure-execution
branch
2 times, most recently
from
626f9eb to
0609f3e
Compare
nikita-dubrovskii
force-pushed
the
secure-execution
branch
from
0609f3e to
49d018b
Compare
nikita-dubrovskii
force-pushed
the
secure-execution
branch
from
49d018b to
320c0c4
Compare
nikita-dubrovskii
changed the title
nikita-dubrovskii
force-pushed
the
secure-execution
branch
4 times, most recently
from
00f916d to
194400a
Compare
nikita-dubrovskii
force-pushed
the
secure-execution
branch
from
194400a to
0f7d60e
Compare
nikita-dubrovskii
changed the title
nikita-dubrovskii
force-pushed
the
secure-execution
branch
from
0f7d60e to
fb401c5
Compare
travier
reviewed
May 23, 2022
overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
Outdated
Show resolved
Hide resolved
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh
Outdated
Show resolved
Hide resolved
nikita-dubrovskii
force-pushed
the
secure-execution
branch
2 times, most recently
from
e63b281 to
0b9b28a
Compare
jlebon
reviewed
May 24, 2022
overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
Outdated
Show resolved
Hide resolved
| device=$(realpath /dev/disk/by-label/"${DM_NAME}") | ||
| eval $(udevadm info --query=property --export $device | grep PARTN=) | ||
| eval $(lsblk -o PKNAME --nodeps --noheadings --paths --pairs $device) | ||
| parted $PKNAME resizepart $PARTN 100% |
There was a problem hiding this comment.
Isn't this already done by growpart at the earlier part iteration?
There was a problem hiding this comment.
if it does, than it's broken or doesn't work wit LUKS pre-encrypted partitions
There was a problem hiding this comment.
That growpart is tested by CI at least. There's actually a LUKS test which does this: https://github.com/coreos/fedora-coreos-config/tree/testing-devel/tests/kola/root-reprovision/luks. That should be the same setup as we have here (root on LUKS on partition).
There was a problem hiding this comment.
Some debug output:
[ 19.502720] ignition-ostree-growfs[1292]: ++ realpath /dev/disk/by-label/root
[ 19.503058] ignition-ostree-growfs[1288]: + partition=/dev/dm-0
[ 19.503216] ignition-ostree-growfs[1293]: + lsblk -no TYPE /dev/dm-0
...
[ 19.504843] ignition-ostree-growfs[1288]: + current_blkdev=/dev/dm-0
[ 19.504855] ignition-ostree-growfs[1288]: + true
[ 19.504933] ignition-ostree-growfs[1296]: ++ lsblk --paths --nodeps --pairs -o NAME,TYPE,PKNAME /dev/dm-0
[ 19.505523] ignition-ostree-growfs[1288]: + eval 'NAME="/dev/mapper/crypt_rootfs" TYPE="crypt" PKNAME=""'
[ 19.505538] ignition-ostree-growfs[1288]: ++ NAME=/dev/mapper/crypt_rootfs
[ 19.505550] ignition-ostree-growfs[1288]: ++ TYPE=crypt
[ 19.505561] ignition-ostree-growfs[1288]: ++ PKNAME=
[ 19.505892] ignition-ostree-growfs[1298]: +++ lsblk -dno MAJ:MIN /dev/mapper/crypt_rootfs
So we always enter crypt case-switch first. And part is unreachable in that case
There was a problem hiding this comment.
That should be the same setup as we have here (root on LUKS on partition).
pls correct me if i'm wrong, but that test creates LUKSed root with ignition.disks stage
There was a problem hiding this comment.
Yes indeed, that test uses Ignition to create the LUKS root. I thought the end result would be the same, but maybe I'm missing something.
What's the output of lsblk on a booted s390x system with your cosa patch? Maybe we should do a screen sharing session for this.
There was a problem hiding this comment.
[core@localhost ~]$ lsblk -f
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
vda
|-vda1 ext4 1.0 se 71589f1a-5698-4d22-8877-91317173ec61
|-vda3 crypto_LUKS 2 crypt_bootfs 8dc99436-f245-470e-81c3-d2f07d49dcfa
| `-crypt_bootfs ext4 1.0 boot a774674a-e0d6-11ec-8ab8-0f20fe3c51e1 224M 26% /boot
`-vda4 crypto_LUKS 2 crypt_rootfs 5e9d4812-87e5-4ed7-8c68-dd1874031839
`-crypt_rootfs xfs root a8ec61ea-e0d6-11ec-a07c-525400123456 7.9G 16% /var
/sysroot/ostree/deploy/fedora-coreos/var
/usr
/etc
/
/sysroot
There was a problem hiding this comment.
OK right, looking at this more, I think we need to adapt the top of the file to handle Secure Execution correctly. Can you try the following patch on top of this PR?
diff --git a/manifests/bootable-rpm-ostree.yaml b/manifests/bootable-rpm-ostree.yaml
index b0659834..8c41320c 100644
--- a/manifests/bootable-rpm-ostree.yaml
+++ b/manifests/bootable-rpm-ostree.yaml
@@ -29,8 +29,6 @@ packages-s390x:
# provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
- /usr/bin/genprotimg
- # resize LUKS encrypted rootfs
- - /usr/sbin/parted
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
index 1a0d68a7..946de6e1 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
@@ -17,8 +17,21 @@ path=/sysroot
# this shouldn't happen for us but we're being conservative.
src=$(findmnt -nvr -o SOURCE "$path" | tail -n1)
+# IBM SecureExecution
+secure_execution=0
+if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
+ secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
+fi
+
if [ ! -f "${saved_partstate}" ]; then
partition=$(realpath /dev/disk/by-label/root)
+ # in the Secure Execution case, the rootfs is pre-baked on LUKS, so
+ # `partition` is actually the device mapper device; get its parent
+ if [[ "${secure_execution}" != "0" ]]; then
+ # lsblk doesn't print PKNAME of crypt devices with --nodeps
+ MAJMIN=$(echo $(lsblk -dno MAJ:MIN "${partition}"))
+ partition=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
+ fi
else
# The rootfs was reprovisioned. Our rule in this case is: we only grow if
# the partition backing the rootfs is the same and its size didn't change
@@ -40,12 +53,6 @@ else
fi
fi
-# IBM SecureExecution
-secure_execution=0
-if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
- secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
-fi
-
# Go through each blockdev in the hierarchy and verify we know how to grow them
lsblk -no TYPE "${partition}" | while read dev; do
case "${dev}" in
@@ -86,22 +93,13 @@ while true; do
fi
;;
crypt)
- eval $(udevadm info --query=property --export "${NAME}")
- if [[ "${secure_execution}" == "0" ]]; then
- # XXX: yuck... we need to expose this sanely in clevis
- (. /usr/bin/clevis-luks-common-functions
- # lsblk doesn't print PKNAME of crypt devices with --nodeps
- PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
- clevis_luks_unlock_device "${PKNAME}" | cryptsetup resize -d- "${DM_NAME}"
- )
- else
- device=$(realpath /dev/disk/by-label/"${DM_NAME}")
- eval $(udevadm info --query=property --export $device | grep PARTN=)
- eval $(lsblk -o PKNAME --nodeps --noheadings --paths --pairs $device)
- growpart "${PKNAME}" "${PARTN}" || :
- parted $PKNAME resizepart $PARTN 100%
- cryptsetup resize --key-file=/etc/luks/root "${DM_NAME}"
- fi
+ # XXX: yuck... we need to expose this sanely in clevis
+ (. /usr/bin/clevis-luks-common-functions
+ eval $(udevadm info --query=property --export "${NAME}")
+ # lsblk doesn't print PKNAME of crypt devices with --nodeps
+ PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
+ clevis_luks_unlock_device "${PKNAME}" | cryptsetup resize -d- "${DM_NAME}"
+ )
;;
# already checked
*) echo "unreachable" 1>&2; exit 1 ;;
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
index 1ce53c48..bf9a7872 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -46,7 +46,6 @@ install() {
xfs_admin \
xfs_growfs \
wc \
- parted \
wipefs
# growpart depsThere was a problem hiding this comment.
OK right, looking at this more, I think we need to adapt the top of the file to handle Secure Execution correctly. Can you try the following patch on top of this PR?
yup, thx. only had to skip clevis part in SE. not sure, but maybe clevis bind could be used to automate the unlocking here. will check that
There was a problem hiding this comment.
looks like we cannot and shouldn't use clevis
jlebon
reviewed
May 25, 2022
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh
Outdated
Show resolved
Hide resolved
nikita-dubrovskii
force-pushed
the
secure-execution
branch
2 times, most recently
from
6bda640 to
5e4f879
Compare
jlebon
reviewed
May 30, 2022
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.sh
Outdated
Show resolved
Hide resolved
| device=$(realpath /dev/disk/by-label/"${DM_NAME}") | ||
| eval $(udevadm info --query=property --export $device | grep PARTN=) | ||
| eval $(lsblk -o PKNAME --nodeps --noheadings --paths --pairs $device) | ||
| parted $PKNAME resizepart $PARTN 100% |
There was a problem hiding this comment.
Yes indeed, that test uses Ignition to create the LUKS root. I thought the end result would be the same, but maybe I'm missing something.
What's the output of lsblk on a booted s390x system with your cosa patch? Maybe we should do a screen sharing session for this.
nikita-dubrovskii
force-pushed
the
secure-execution
branch
3 times, most recently
from
6cd553a to
02808f0
Compare
Signed-off-by: Nikita Dubrovskii <[email protected]>
nikita-dubrovskii
force-pushed
the
secure-execution
branch
from
02808f0 to
20789d2
Compare
jlebon
reviewed
Jun 24, 2022
| @@ -28,6 +28,9 @@ packages-s390x: | |||
| # On Fedora, this is provided by s390utils-core. on RHEL, this is for now | |||
| # provided by s390utils-base, but soon will be -core too. | |||
| - /usr/sbin/zipl | |||
| - /usr/bin/genprotimg | |||
There was a problem hiding this comment.
Are you able to compose an s390x FCOS with this? I suspect it will fail because of:
We'll have to temporarily split that out into a separately conditional-included treefile until coreos/fedora-coreos-tracker#1217 is fixed.
There was a problem hiding this comment.
Are you able to compose an s390x FCOS with this?
yes, no issues at all (metal/metal4k/qemu/secex/live/dasd images)
There was a problem hiding this comment.
Ahh interesting. So actually, /usr/bin/perl is provided by perl-interpreter, which is why this works.
I'll add it to the list, but will take care of doing the include splitting to not break s390x builds.
There was a problem hiding this comment.
Follow-up to this in #1848 now that we've moved it out of FCOS again.
| device=$(realpath /dev/disk/by-label/"${DM_NAME}") | ||
| eval $(udevadm info --query=property --export $device | grep PARTN=) | ||
| eval $(lsblk -o PKNAME --nodeps --noheadings --paths --pairs $device) | ||
| parted $PKNAME resizepart $PARTN 100% |
There was a problem hiding this comment.
OK right, looking at this more, I think we need to adapt the top of the file to handle Secure Execution correctly. Can you try the following patch on top of this PR?
diff --git a/manifests/bootable-rpm-ostree.yaml b/manifests/bootable-rpm-ostree.yaml
index b0659834..8c41320c 100644
--- a/manifests/bootable-rpm-ostree.yaml
+++ b/manifests/bootable-rpm-ostree.yaml
@@ -29,8 +29,6 @@ packages-s390x:
# provided by s390utils-base, but soon will be -core too.
- /usr/sbin/zipl
- /usr/bin/genprotimg
- # resize LUKS encrypted rootfs
- - /usr/sbin/parted
packages-x86_64:
- grub2 grub2-efi-x64 efibootmgr shim
- microcode_ctl
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
index 1a0d68a7..946de6e1 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
@@ -17,8 +17,21 @@ path=/sysroot
# this shouldn't happen for us but we're being conservative.
src=$(findmnt -nvr -o SOURCE "$path" | tail -n1)
+# IBM SecureExecution
+secure_execution=0
+if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
+ secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
+fi
+
if [ ! -f "${saved_partstate}" ]; then
partition=$(realpath /dev/disk/by-label/root)
+ # in the Secure Execution case, the rootfs is pre-baked on LUKS, so
+ # `partition` is actually the device mapper device; get its parent
+ if [[ "${secure_execution}" != "0" ]]; then
+ # lsblk doesn't print PKNAME of crypt devices with --nodeps
+ MAJMIN=$(echo $(lsblk -dno MAJ:MIN "${partition}"))
+ partition=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
+ fi
else
# The rootfs was reprovisioned. Our rule in this case is: we only grow if
# the partition backing the rootfs is the same and its size didn't change
@@ -40,12 +53,6 @@ else
fi
fi
-# IBM SecureExecution
-secure_execution=0
-if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
- secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
-fi
-
# Go through each blockdev in the hierarchy and verify we know how to grow them
lsblk -no TYPE "${partition}" | while read dev; do
case "${dev}" in
@@ -86,22 +93,13 @@ while true; do
fi
;;
crypt)
- eval $(udevadm info --query=property --export "${NAME}")
- if [[ "${secure_execution}" == "0" ]]; then
- # XXX: yuck... we need to expose this sanely in clevis
- (. /usr/bin/clevis-luks-common-functions
- # lsblk doesn't print PKNAME of crypt devices with --nodeps
- PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
- clevis_luks_unlock_device "${PKNAME}" | cryptsetup resize -d- "${DM_NAME}"
- )
- else
- device=$(realpath /dev/disk/by-label/"${DM_NAME}")
- eval $(udevadm info --query=property --export $device | grep PARTN=)
- eval $(lsblk -o PKNAME --nodeps --noheadings --paths --pairs $device)
- growpart "${PKNAME}" "${PARTN}" || :
- parted $PKNAME resizepart $PARTN 100%
- cryptsetup resize --key-file=/etc/luks/root "${DM_NAME}"
- fi
+ # XXX: yuck... we need to expose this sanely in clevis
+ (. /usr/bin/clevis-luks-common-functions
+ eval $(udevadm info --query=property --export "${NAME}")
+ # lsblk doesn't print PKNAME of crypt devices with --nodeps
+ PKNAME=/dev/$(ls "/sys/dev/block/${MAJMIN}/slaves")
+ clevis_luks_unlock_device "${PKNAME}" | cryptsetup resize -d- "${DM_NAME}"
+ )
;;
# already checked
*) echo "unreachable" 1>&2; exit 1 ;;
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
index 1ce53c48..bf9a7872 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -46,7 +46,6 @@ install() {
xfs_admin \
xfs_growfs \
wc \
- parted \
wipefs
# growpart depsSigned-off-by: Nikita Dubrovskii <[email protected]>
This brings Secure Execution support. Signed-off-by: Nikita Dubrovskii <[email protected]>
nikita-dubrovskii
force-pushed
the
secure-execution
branch
from
20789d2 to
1d4931a
Compare
|
Hmm, interesting. It looks like the FCOS pipeline is failing to build s390x with this: |
|
Ahh yes of course, we missed a step here. We need to add |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds
genprotimgtool, for creating encryptedsd-bootimage, and turns on (if required) SecureExecution duringfirstboot-completeDepends on: coreos/coreos-installer#851