Merge "Introduce Luks encrytion service"

debian_iso_image.inc

@@ -271,6 +271,9 @@ libparted2
 parted-doc
 parted
 
+#luks-encryption
+luks-fs-mgr
+
 #pf-bb-config
 pf-bb-config
 

debian_pkg_dirs

@@ -40,6 +40,7 @@ config/puppet-modules/puppet-rabbitmq-8.5.0
 config/puppet-modules/puppet-staging
 docker/python-docker
 filesystem/drbd/drbd-tools
+filesystem/luks
 filesystem/parted
 golang-github-dev/golang-github-appc-cni
 golang-github-dev/golang-github-checkpoint-restore-go-criu-dev

filesystem/luks/debian/deb_folder/changelog

@@ -0,0 +1,5 @@
+luks-fs-mgr (1.0-1) unstable; urgency=medium
+
+  * Initial release.
+
+ --  Rahul Roshan <rahulroshan.kachchap@windriver.com>  Fri, 18 Aug 2023 13:02:42 +0000

filesystem/luks/debian/deb_folder/control

@@ -0,0 +1,32 @@
+Source: luks-fs-mgr
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
+Build-Depends: debhelper-compat (= 13),
+ libjson-c-dev
+Standards-Version: 4.5.1
+Homepage: https://www.starlingx.io
+
+Package: luks-fs-mgr
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}, systemd
+Description: Luks encryption service manager
+ The Luks Encryption Service Manager operates as an essential component during
+ the boot process and host unlocking, serving as a critical safeguard for data
+ on StarlingX. This service is responsible for managing the creation,
+ configuration, and utilization of encrypted volumes, all in accordance with
+ the Linux Unified Key Setup (LUKS) standard. Its functionality is driven by
+ the information provided in the luks_config.json file, which acts as a
+ blueprint for configuring the encryption process.
+ Upon startup, the service reads the luks_config.json file to extract crucial
+ parameters, such as the vault file path, volume size, volume name, and
+ mounting path. If the service detects that the encryption volume is already
+ open, it unseals it. This step ensures a seamless experience for users, as they
+ can quickly access their encrypted data without redundant processes.
+ However, if the encryption volume is not open, the service dynamically creates
+ one based on the parameters defined in the JSON configuration. It initializes
+ the vault file using random data, then proceeds to set up the LUKS encryption
+ mechanism and unseals the newly created volume.
+ To ensure the highest level of security, the Luks Encryption Service Manager
+ employs error handling and logging mechanisms, enabling administrators to
+ monitor and troubleshoot any issues that may arise.

filesystem/luks/debian/deb_folder/copyright

@@ -0,0 +1,41 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: luks-fs-mgr
+Source: https://opendev.org/starlingx/integ/src/branch/master/filesystem/luks
+
+Files: *
+Copyright: (c) 2023 Wind River Systems, Inc
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+    https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.
+
+# If you want to use GPL v2 or later for the /debian/* files use
+# the following clauses, or change it to suit. Delete these two lines
+Files: debian/*
+Copyright: 2023 Wind River Systems, Inc
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+    https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.

filesystem/luks/debian/deb_folder/luks-fs-mgr.dirs

@@ -0,0 +1,3 @@
+etc/luks-fs-mgr.d
+usr/local/sbin
+lib/systemd/system

filesystem/luks/debian/deb_folder/luks-fs-mgr.install

@@ -0,0 +1,3 @@
+usr/local/sbin/luks-fs-mgr
+lib/systemd/system/luks-fs-mgr.service
+etc/luks-fs-mgr.d/luks_config.json

filesystem/luks/debian/deb_folder/luks-fs-mgr.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Create and mount encrypted vault using LUKS
+After=local-fs.target network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/luks-fs-mgr start
+PIDFile=/var/run/luks-fs-mgr.pid
+
+[Install]
+WantedBy=multi-user.target

filesystem/luks/debian/deb_folder/rules

@@ -0,0 +1,26 @@
+#!/usr/bin/make -f
+# export DH_VERBOSE = 1
+
+export ROOT = debian/tmp
+export LOCAL_SBINDIR = $(ROOT)/usr/local/sbin
+export UNITDIR = $(ROOT)/lib/systemd/system
+export CONFIGDIR = $(ROOT)/etc/luks-fs-mgr.d
+
+%:
+	dh $@
+
+override_dh_auto_test:
+	echo
+
+override_dh_auto_install:
+	install -m 755 -d ${LOCAL_SBINDIR}
+	install -m 700 -p -D encryption/luks-fs-mgr ${LOCAL_SBINDIR}/luks-fs-mgr
+	install -m 755 -d ${UNITDIR}
+	install -p -D -m 644 ./debian/luks-fs-mgr.service ${UNITDIR}/luks-fs-mgr.service
+	install -p -D -m 644 encryption/scripts/luks_config.json ${CONFIGDIR}/luks_config.json
+
+override_dh_installsystemd:
+	dh_installsystemd --name luks-fs-mgr
+
+override_dh_usrlocal:
+	echo

filesystem/luks/debian/deb_folder/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

filesystem/luks/debian/meta_data.yaml

@@ -0,0 +1,6 @@
+debname: luks-fs-mgr
+debver: 1.0
+src_path: src
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true

filesystem/luks/src/Makefile

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+VER=1
+VER_MJR=1
+
+build:
+	(cd encryption ; make all VER=$(VER) VER_MJR=$(VER_MJR))
+
+clean:
+	@( cd encryption ; make clean )
+
+
+backup: clean
+	mkdir -p ~/luks
+	cp -a * ~/luks

filesystem/luks/src/encryption/Makefile

@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+SHELL = /bin/bash
+
+CFLAGS = -Wall -Wextra -g -Werror -std=c++11
+LIBS = -lstdc++ -lstdc++ -ljson-c
+INCLUDES = -I.
+
+CC=g++
+
+SRC = luks-fs-mgr.cpp
+EXECUTABLE = luks-fs-mgr
+
+.PHONY: all clean
+
+all: $(EXECUTABLE)
+
+$(EXECUTABLE): $(SRC)
+	$(CC) $(CFLAGS) -o $@ $< $(LIBS)
+
+clean:
+	rm -f $(EXECUTABLE) *.o

filesystem/luks/src/encryption/luks-fs-mgr.cpp

@@ -0,0 +1,6 @@
+#include <iostream>
+
+int main() {
+    std::cout << "Hello, world!" << std::endl;
+    return 0;
+}

filesystem/luks/src/encryption/scripts/luks_config.json

@@ -0,0 +1,9 @@
+{
+	"luksvolumes": [{
+		"PASSPHRASE_TYPE": "HWID",
+		"VAULT_FILE": "/var/luks/stx/luks_volume.img",
+		"VAULT_SIZE": "256M",
+		"VOL_NAME": "luks_encrypted_vault",
+		"MOUNT_PATH": "/var/luks/stx/luks_fs"
+	}]
+}