From f1a536ad8ff52dc5eb6d74407dde1a6d70e6d6e9 Mon Sep 17 00:00:00 2001 From: Rahul Roshan Kachchap Date: Fri, 18 Aug 2023 09:26:48 -0400 Subject: [PATCH] Introduce Luks encrytion service Add a luks encryption service which will be set up as a systemd service that manages the creation and configuration of encrypted volume and runs during the boot process and host unlocking. This commit covers only the debian packaging framework for luks-fs-mgr. The code changes below will enable luks-fs-mgr pkg build and be part of ISO when deployed. Test Plan: PASSED: build-pkgs -c -p luks-fs-mgr PASSED: build-image PASSED: AIO-SX bootstrap PASSED: binary available at /usr/local/sbin/ PASSED: systemd unit file available at /lib/systemd/system PASSED: luks_config.json available at /etc/luks-fs-mgr.d/ PASSED: AIO-SX sudo systemctl status luks-fs-mgr luks-fs-mgr.service - Create and mount encrypted vault using LUKS Loaded: loaded (/lib/systemd/system/luks-fs-mgr.service; enabled; vendor preset: enabled) Active: inactive (dead) since Tue 2023-08-29 08:18:58 UTC; 2h 16min ago Main PID: 4607 (code=exited, status=0/SUCCESS) CPU: 7.063s Story: 2010872 Task: 48650 Change-Id: I12ca14368eaf466b3148c2de4ce9202a9aa5a19b
Signed-off-by: Rahul Roshan Kachchap --- debian_iso_image.inc | 3 ++ debian_pkg_dirs | 1 + filesystem/luks/debian/deb_folder/changelog | 5 +++ filesystem/luks/debian/deb_folder/control | 32 +++++++++++++++ filesystem/luks/debian/deb_folder/copyright | 41 +++++++++++++++++++ .../luks/debian/deb_folder/luks-fs-mgr.dirs | 3 ++ .../debian/deb_folder/luks-fs-mgr.install | 3 ++ .../debian/deb_folder/luks-fs-mgr.service | 11 +++++ filesystem/luks/debian/deb_folder/rules | 26 ++++++++++++ .../luks/debian/deb_folder/source/format | 1 + filesystem/luks/debian/meta_data.yaml | 6 +++ filesystem/luks/src/Makefile | 19 +++++++++ filesystem/luks/src/encryption/Makefile | 26 ++++++++++++ .../luks/src/encryption/luks-fs-mgr.cpp | 6 +++ .../src/encryption/scripts/luks_config.json | 9 ++++ 15 files changed, 192 insertions(+) create mode 100644 filesystem/luks/debian/deb_folder/changelog create mode 100644 filesystem/luks/debian/deb_folder/control create mode 100644 filesystem/luks/debian/deb_folder/copyright create mode 100644 filesystem/luks/debian/deb_folder/luks-fs-mgr.dirs create mode 100644 filesystem/luks/debian/deb_folder/luks-fs-mgr.install create mode 100644 filesystem/luks/debian/deb_folder/luks-fs-mgr.service create mode 100644 filesystem/luks/debian/deb_folder/rules create mode 100644 filesystem/luks/debian/deb_folder/source/format create mode 100644 filesystem/luks/debian/meta_data.yaml create mode 100644 filesystem/luks/src/Makefile create mode 100644 filesystem/luks/src/encryption/Makefile create mode 100644 filesystem/luks/src/encryption/luks-fs-mgr.cpp create mode 100644 filesystem/luks/src/encryption/scripts/luks_config.json diff --git a/debian_iso_image.inc b/debian_iso_image.inc index 28c6b9db7..c3b309047 100644 --- a/debian_iso_image.inc +++ b/debian_iso_image.inc @@ -271,6 +271,9 @@ libparted2 parted-doc parted +#luks-encryption +luks-fs-mgr + #pf-bb-config pf-bb-config diff --git a/debian_pkg_dirs b/debian_pkg_dirs index 406e81584..ba8cf259c 100644 
--- a/debian_pkg_dirs
+++ b/debian_pkg_dirs
@@ -40,6 +40,7 @@ config/puppet-modules/puppet-rabbitmq-8.5.0
 config/puppet-modules/puppet-staging
 docker/python-docker
 filesystem/drbd/drbd-tools
+filesystem/luks
 filesystem/parted
 golang-github-dev/golang-github-appc-cni
 golang-github-dev/golang-github-checkpoint-restore-go-criu-dev
diff --git a/filesystem/luks/debian/deb_folder/changelog b/filesystem/luks/debian/deb_folder/changelog
new file mode 100644
index 000000000..6a334cb2b
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/changelog
@@ -0,0 +1,5 @@
+luks-fs-mgr (1.0-1) unstable; urgency=medium
+
+ * Initial release.
+
+ -- Rahul Roshan Fri, 18 Aug 2023 13:02:42 +0000
diff --git a/filesystem/luks/debian/deb_folder/control b/filesystem/luks/debian/deb_folder/control
new file mode 100644
index 000000000..46e56a3c8
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/control
@@ -0,0 +1,32 @@
+Source: luks-fs-mgr
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers
+Build-Depends: debhelper-compat (= 13),
+ libjson-c-dev
+Standards-Version: 4.5.1
+Homepage: https://www.starlingx.io
+
+Package: luks-fs-mgr
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}, systemd
+Description: Luks encryption service manager
+ The Luks Encryption Service Manager operates as an essential component during
+ the boot process and host unlocking, serving as a critical safeguard for data
+ on StarlingX. This service is responsible for managing the creation,
+ configuration, and utilization of encrypted volumes, all in accordance with
+ the Linux Unified Key Setup (LUKS) standard. Its functionality is driven by
+ the information provided in the luks_config.json file, which acts as a
+ blueprint for configuring the encryption process.
+ Upon startup, the service reads the luks_config.json file to extract crucial
+ parameters, such as the vault file path, volume size, volume name, and
+ mounting path. If the service detects that the encryption volume is already
+ open, it unseals it. This step ensures a seamless experience for users, as they
+ can quickly access their encrypted data without redundant processes.
+ However, if the encryption volume is not open, the service dynamically creates
+ one based on the parameters defined in the JSON configuration. It initializes
+ the vault file using random data, then proceeds to set up the LUKS encryption
+ mechanism and unseals the newly created volume.
+ To ensure the highest level of security, the Luks Encryption Service Manager
+ employs error handling and logging mechanisms, enabling administrators to
+ monitor and troubleshoot any issues that may arise.
diff --git a/filesystem/luks/debian/deb_folder/copyright b/filesystem/luks/debian/deb_folder/copyright
new file mode 100644
index 000000000..ba415cfc7
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/copyright
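Review bot: `Depends: ${misc:Depends}, ${shlibs:Depends}, systemd` in the Package stanza adds an explicit systemd dependency that shipping a unit file does not require — the unit is simply unused under another init, and dh_installsystemd places whatever it needs into `${misc:Depends}` — so `Depends: ${misc:Depends}, ${shlibs:Depends}` is the conventional form. The long description promises LUKS vault creation and unsealing, which the placeholder in luks-fs-mgr.cpp does not yet do; when the real implementation lands, a runtime dependency on cryptsetup will presumably belong here as well. The final paragraph presents error handling and logging as what "ensures the highest level of security"; I would describe them as operational visibility for administrators, which is what they provide, and leave security claims to the key-handling design once it exists.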
@@ -0,0 +1,41 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: luks-fs-mgr
+Source: https://opendev.org/starlingx/integ/src/branch/master/filesystem/luks
+
+Files: *
+Copyright: (c) 2023 Wind River Systems, Inc
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.
+
+# If you want to use GPL v2 or later for the /debian/* files use
+# the following clauses, or change it to suit. Delete these two lines
+Files: debian/*
+Copyright: 2023 Wind River Systems, Inc
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.
diff --git a/filesystem/luks/debian/deb_folder/luks-fs-mgr.dirs b/filesystem/luks/debian/deb_folder/luks-fs-mgr.dirs
new file mode 100644
index 000000000..a4acf0245
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/luks-fs-mgr.dirs
@@ -0,0 +1,3 @@
+etc/luks-fs-mgr.d
+usr/local/sbin
+lib/systemd/system
diff --git a/filesystem/luks/debian/deb_folder/luks-fs-mgr.install b/filesystem/luks/debian/deb_folder/luks-fs-mgr.install
new file mode 100644
index 000000000..79e06aef2
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/luks-fs-mgr.install
@@ -0,0 +1,3 @@
+usr/local/sbin/luks-fs-mgr
+lib/systemd/system/luks-fs-mgr.service
+etc/luks-fs-mgr.d/luks_config.json
diff --git a/filesystem/luks/debian/deb_folder/luks-fs-mgr.service b/filesystem/luks/debian/deb_folder/luks-fs-mgr.service
new file mode 100644
index 000000000..70bd92953
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/luks-fs-mgr.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Create and mount encrypted vault using LUKS
+After=local-fs.target network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/luks-fs-mgr start
+PIDFile=/var/run/luks-fs-mgr.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/filesystem/luks/debian/deb_folder/rules b/filesystem/luks/debian/deb_folder/rules
new file mode 100644
index 000000000..b9a4273a1
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/rules
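Review bot: `PIDFile=/var/run/luks-fs-mgr.pid` is ignored on a `Type=oneshot` unit — systemd only consults PIDFile for `Type=forking` — and `/var/run` is the legacy alias of `/run`, so the line should be dropped rather than left to suggest a daemon that does not exist. `After=network-online.target` only orders the unit; without a matching `Wants=network-online.target` the target is not pulled in, so either add the `Wants=` or, if vault setup does not actually need the network, drop the ordering so boot is not delayed on it. Since ExecStart runs as root and, per the package description, will create and unlock LUKS vaults, it is worth adding the sandboxing the unit can tolerate once the implementation exists — `NoNewPrivileges=yes` and `ProtectHome=yes` are safe starting points — and confirming that leaving `RemainAfterExit=` unset is intended, given the test plan shows the unit `inactive (dead)` after a successful run.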
@@ -0,0 +1,26 @@
+#!/usr/bin/make -f
+# export DH_VERBOSE = 1
+
+export ROOT = debian/tmp
+export LOCAL_SBINDIR = $(ROOT)/usr/local/sbin
+export UNITDIR = $(ROOT)/lib/systemd/system
+export CONFIGDIR = $(ROOT)/etc/luks-fs-mgr.d
+
+%:
+ dh $@
+
+override_dh_auto_test:
+ echo
+
+override_dh_auto_install:
+ install -m 755 -d ${LOCAL_SBINDIR}
+ install -m 700 -p -D encryption/luks-fs-mgr ${LOCAL_SBINDIR}/luks-fs-mgr
+ install -m 755 -d ${UNITDIR}
+ install -p -D -m 644 ./debian/luks-fs-mgr.service ${UNITDIR}/luks-fs-mgr.service
+ install -p -D -m 644 encryption/scripts/luks_config.json ${CONFIGDIR}/luks_config.json
+
+override_dh_installsystemd:
+ dh_installsystemd --name luks-fs-mgr
+
+override_dh_usrlocal:
+ echo
diff --git a/filesystem/luks/debian/deb_folder/source/format b/filesystem/luks/debian/deb_folder/source/format
new file mode 100644
index 000000000..163aaf8d8
--- /dev/null
+++ b/filesystem/luks/debian/deb_folder/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/filesystem/luks/debian/meta_data.yaml b/filesystem/luks/debian/meta_data.yaml
new file mode 100644
index 000000000..99828aaa4
--- /dev/null
+++ b/filesystem/luks/debian/meta_data.yaml
@@ -0,0 +1,6 @@
+debname: luks-fs-mgr
+debver: 1.0
+src_path: src
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
diff --git a/filesystem/luks/src/Makefile b/filesystem/luks/src/Makefile
new file mode 100644
index 000000000..b7e6f80de
--- /dev/null
+++ b/filesystem/luks/src/Makefile
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+VER=1
+VER_MJR=1
+
+build:
+ (cd encryption ; make all VER=$(VER) VER_MJR=$(VER_MJR))
+
+clean:
+ @( cd encryption ; make clean )
+
+
+backup: clean
+ mkdir -p ~/luks
+ cp -a * ~/luks
diff --git a/filesystem/luks/src/encryption/Makefile b/filesystem/luks/src/encryption/Makefile
new file mode 100644
index 000000000..2e7dc761e
--- /dev/null
+++ b/filesystem/luks/src/encryption/Makefile
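Review bot: `install -m 700 -p -D encryption/luks-fs-mgr ${LOCAL_SBINDIR}/luks-fs-mgr` places the binary under `/usr/local/sbin` (declared again in luks-fs-mgr.dirs and luks-fs-mgr.install in the preceding hunks), a tree the FHS reserves for the local administrator, which is why `override_dh_usrlocal` has to be silenced with `echo`. Installing to `/usr/sbin` — and updating `ExecStart=` in the unit file to match — removes both the override and the policy violation. `override_dh_auto_test: echo` disables the test stage entirely; a one-line comment such as `# no upstream test suite yet` would make clear that this is a deliberate placeholder rather than a suppressed failure. Mode 644 on luks_config.json is appropriate while it holds only layout parameters; if a later revision ever puts key material in that file, this is the install line that must be tightened.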
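Review bot: The `backup` target runs `cp -a * ~/luks`, copying the source tree into the invoking user's home directory — a personal convenience that writes outside the build tree and should not ship in a packaged Makefile; dropping it leaves `build` and `clean` as the only targets. `VER` and `VER_MJR` are passed into the sub-make, but the encryption Makefile in the next hunk never reads them, so either consume them there or add a comment that they are reserved for embedding a version string.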
@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+SHELL = /bin/bash
+
+CFLAGS = -Wall -Wextra -g -Werror -std=c++11
+LIBS = -lstdc++ -lstdc++ -ljson-c
+INCLUDES = -I.
+
+CC=g++
+
+SRC = luks-fs-mgr.cpp
+EXECUTABLE = luks-fs-mgr
+
+.PHONY: all clean
+
+all: $(EXECUTABLE)
+
+$(EXECUTABLE): $(SRC)
+ $(CC) $(CFLAGS) -o $@ $< $(LIBS)
+
+clean:
+ rm -f $(EXECUTABLE) *.o
diff --git a/filesystem/luks/src/encryption/luks-fs-mgr.cpp b/filesystem/luks/src/encryption/luks-fs-mgr.cpp
new file mode 100644
index 000000000..54e47ecd1
--- /dev/null
+++ b/filesystem/luks/src/encryption/luks-fs-mgr.cpp
@@ -0,0 +1,6 @@
+#include
+
+int main() {
+ std::cout << "Hello, world!" << std::endl;
+ return 0;
+}
diff --git a/filesystem/luks/src/encryption/scripts/luks_config.json b/filesystem/luks/src/encryption/scripts/luks_config.json
new file mode 100644
index 000000000..43b7d64ab
--- /dev/null
+++ b/filesystem/luks/src/encryption/scripts/luks_config.json
@@ -0,0 +1,9 @@
+{
+ "luksvolumes": [{
+ "PASSPHRASE_TYPE": "HWID",
+ "VAULT_FILE": "/var/luks/stx/luks_volume.img",
+ "VAULT_SIZE": "256M",
+ "VOL_NAME": "luks_encrypted_vault",
+ "MOUNT_PATH": "/var/luks/stx/luks_fs"
+ }]
+}
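Review bot: `CFLAGS = -Wall -Wextra -g -Werror -std=c++11` assigns with `=`, which discards the CFLAGS that dh_auto_build exports from dpkg-buildflags, and the link line `$(CC) $(CFLAGS) -o $@ $< $(LIBS)` never references CXXFLAGS, CPPFLAGS or LDFLAGS — so Debian's default hardening (stack protector, FORTIFY_SOURCE, RELRO) never reaches a binary that will run as root at boot. Use the C++ variables and append rather than assign: `CXXFLAGS += -Wall -Wextra -g -Werror -std=c++11`, `CXX = g++`, and `$(CXX) $(CPPFLAGS) $(CXXFLAGS) -o $@ $< $(LDFLAGS) $(LIBS)`. Separately, `-lstdc++` appears twice in `LIBS` and is redundant when linking through g++, `INCLUDES` is defined but never used, and `-Werror` in a packaged build tends to break on the next compiler upgrade, so consider enabling it only for developer builds.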
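Review bot: The first line reads `#include` with no header name as rendered here; since `std::cout` is used below and the test plan reports a clean build, this is most likely `#include <iostream>` with the bracketed text lost to the page's markup, but it is worth confirming in the committed file. Because this placeholder is installed mode 0700 into /usr/local/sbin and enabled at boot by the unit file, a header comment stating that it is a scaffold — `// Placeholder binary: the LUKS vault management described in debian/control is not implemented yet.` — would keep the next reader from assuming the service is functional.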
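Review bot: `"PASSPHRASE_TYPE": "HWID"` implies the LUKS passphrase will be derived from a hardware identifier, but nothing in this commit states what that protects against; identifiers of that kind are typically readable by any root process on the host, so a derived key guards the vault image against leaving the host (backups, copied images), not against a privileged attacker already on it. That threat model should be written down where the file is documented — JSON has no comment syntax, so the package description or a README beside it — along with whether `VAULT_FILE`, `VAULT_SIZE` and `MOUNT_PATH` are operator-tunable, given the file is installed under /etc and presumably handled as a conffile. Nothing in this commit creates `/var/luks/stx`; the service will presumably need to create the vault directory and mount point itself with restrictive permissions, which is worth noting in the same documentation.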