Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] base: recipes-core: initrdscripts: clear RPMB if aktualizr is configured to use PKCS11 #1115

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[WIP] base: recipes-core: initrdscripts: clear RPMB if aktualizr is configured to use PKCS11 #1115

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 22 additions & 2 deletions meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/ostree_factory_reset
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ ostree_factory_reset_enabled() {
factory_reset() {
keep_sota=$1
keep_docker=$2
keep_rpmb="false"
aktualizr_uses_rpmb="false"

msg "Performing factory reset..."

Expand All @@ -34,15 +36,34 @@ factory_reset() {
if [ "${keep_sota}" = "true" ]; then
msg "Keeping current ${OSTREE_DISTRO} SOTA content"
FIND_EXCLUDE="${FIND_EXCLUDE} ! -name 'sota'"
keep_rpmb="true"
fi
if [ "${keep_docker}" = "true" ]; then
msg "Keeping current docker content"
FIND_EXCLUDE="${FIND_EXCLUDE} ! -name 'lib'"
fi

cd ${OSTREE_VAR}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not related to this PR, but to help testing this approach you can just call sh and iterate over the commands manually.


# Validate if aktualizr-lite was configured to use
# RPMB storage for the device certificate and keys.
sota_rpmb=$(grep pkey_source sota/sota.toml | cut -d'"' -f 2)
if [ "${sota_rpmb}" = "pkcs11" ]; then
aktualizr_uses_rpmb="true"
fi

# Cleanup RPMB before /var gets removed since we need some
# parameters which are stored in /var/sota/sota.toml
if [ "${keep_rpmb}" = "false" ] && [ "${aktualizr_uses_rpmb}" = "true" ]; then
ptool_module=$(grep module sota/sota.toml | cut -d'"' -f 2)

# Reinitializing a PKCS11 token destroys all objects which
# were associated with that slot.
pkcs11-tool --module ${ptool_module} --init-token --label "unused" --slot ${AKTUALIZR_SLOT}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here I assume you are using the pkcs11 OP-TEE implementation (due RPMB access), so this call will only really work in a generic way with the right module, as we could have other pkcs11 providers that are not necessarily provided by OP-TEE (e.g. softhsm2, pkcs11-tpm2, etc).

Since we can assume we're using pkcs11 OP-TEE we can search if the module is libckteec, and skip otherwise.

You might also need the sopin to initialize, but needs testing (it is also available in sota.toml if needed).

One other thing, since the pkcs11 OP-TEE implementation requires that the pkcs11 trusted application to be loaded and operational in optee, you will need to make sure tee-supplicant is running before executing this command (libckteec will request the TA to be loaded via tee-supplicant on first access). You can use https://github.com/foundriesio/meta-lmp/blob/main/meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/cryptfs_pkcs11 as a guide, since it is also executed as part of the initrd.

Copy link
Author

@bravl bravl Apr 21, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here I assume you are using the pkcs11 OP-TEE implementation (due RPMB access), so this call will only really work in a generic way with the right module, as we could have other pkcs11 providers that are not necessarily provided by OP-TEE (e.g. softhsm2, pkcs11-tpm2, etc).

Since we can assume we're using pkcs11 OP-TEE we can search if the module is libckteec, and skip otherwise.

I'm not really familiar with the softhsm2 or tpm2 implementations but if they are both using the PKCS11 interface should this call not be generic? (As long as the right --module parameter is provided)

You might also need the sopin to initialize, but needs testing (it is also available in sota.toml if needed).

Hmm indeed, this call needs an SO pin which will be set during initialisation, No sure if we should re-use the one that was present before or just some static placeholder? I've checked, only the user pin seems to be stored in the sota.toml file. I've got some patches ready to store the hsm_so_pin in fiovb since it's a bit more security sensitive than the user pin but after some testing, even though the spec mentioned when re-initialising you should provide the active SO pin, this does not seem to be enforced in OP-TEE implementation.

One other thing, since the pkcs11 OP-TEE implementation requires that the pkcs11 trusted application to be loaded and operational in optee, you will need to make sure tee-supplicant is running before executing this command (libckteec will request the TA to be loaded via tee-supplicant on first access). You can use https://github.com/foundriesio/meta-lmp/blob/main/meta-lmp-base/recipes-core/initrdscripts/initramfs-framework/cryptfs_pkcs11 as a guide, since it is also executed as part of the initrd.

Thanks for the pointer, I'll have a look at that and add the initialisation.

fi

# Clear /var, stored under the shared ostree folder, not
# available after prepare-root (mounted later by systemd)
cd ${OSTREE_VAR}
eval find . -maxdepth 1 ${FIND_EXCLUDE} -exec rm -rf {} "';'"
if [ "${keep_docker}" = "true" ] && [ -d lib ]; then
find lib -maxdepth 1 ! -name "lib" ! -name "docker" -exec rm -rf {} ';'
Expand All @@ -51,7 +72,6 @@ factory_reset() {
fi
cd - >/dev/null

# TODO: Erase HSM/Secure storage content?
# TODO: U-Boot/fiovb env?
}

Expand Down