#
2443a021 |
| 17-Mar-2023 |
John Wedig <johnwedig@google.com> |
Improve accuracy of 'Locked' property
The 'Locked' property in the volume interface is supposed to indicate whether the LUKS volume is currently activated, but this property is often inaccurate beca
Improve accuracy of 'Locked' property
The 'Locked' property in the volume interface is supposed to indicate whether the LUKS volume is currently activated, but this property is often inaccurate because it always defaults to false upon startup (i.e. unlocked). However, the LUKS volume is usually locked at startup. So, client daemons can get confused when looking at the Locked property.
This commit reworks the functionality for the 'Locked' property, so that it checks whether the mapped virtual crypt device exists, e.g. whether /dev/mapper/<luks_device> exists. This way, the Locked property should better reflect the actual state.
The one caveat to keep in mind is that 'Locked' will be True even if the device isn't formatted as a LUKS volume. If client daemons need to know whether it's already formatted, we may want to add another property to the Volume interface for that purpose. But in the meantime, eStoraged already exports an EncryptionStatus property as part of the Drive interface. So, the information is already available, if needed.
Tested: Checked 'Locked' property at startup $ busctl get-property xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Locked b true Formatted the LUKS volume, then checked 'Locked' property again $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 \ xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4 \ --timeout=60 $ busctl get-property xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Locked b false Restarted eStoraged and checked 'Locked' again. $ systemctl restart xyz.openbmc_project.eStoraged $ busctl get-property xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Locked b false Locked the LUKS volume, and checked 'Locked' again. $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Lock $ busctl get-property xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Locked b true Restarted eStoraged, and checked 'Locked' again. $ systemctl restart xyz.openbmc_project.eStoraged $ busctl get-property xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Locked b true
Signed-off-by: John Wedig <johnwedig@google.com> Change-Id: I5cd6bac4b4426c0e2579c3fc8cf7a27b4f2ccc08
show more ...
|
#
8d5a3a07 |
| 29-Sep-2022 |
John Wedig <johnwedig@google.com> |
Implement the changePassword method
With this commit, it is now possible to change the password for the LUKS-encrypted volume, using the changePassword D-Bus method for eStoraged.
Tested: $ busctl
Implement the changePassword method
With this commit, it is now possible to change the password for the LUKS-encrypted volume, using the changePassword D-Bus method for eStoraged.
Tested: $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 \ xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4 \ --timeout=60 $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume ChangePassword \ ayay 3 1 2 3 3 4 5 6 $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Lock Attempted to unlock using the old password. It failed as expected. $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 1 2 3 Unlocked with the new password $ busctl call xyz.openbmc_project.eStoraged \ /xyz/openbmc_project/inventory/storage/mmcblk0 \ xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 4 5 6
Signed-off-by: John Wedig <johnwedig@google.com> Change-Id: If1395fb04f51b1fb1a3d26731422d21476205207
show more ...
|
#
b2c86be3 |
| 15-Apr-2022 |
John Edward Broadbent <jebr@google.com> |
Change ownership of handle to eStorageD object
Clients used to create both the CryptHandle and the eStorageD objects using the same information. Then the client would pass the CryptHandle into eStor
Change ownership of handle to eStorageD object
Clients used to create both the CryptHandle and the eStorageD objects using the same information. Then the client would pass the CryptHandle into eStorageD methods in order to perform crypto methods. This change creates the CryptHandle closer to where it is used. This makes the code simpler and easier to understand.
Tested: busctl call xyz.openbmc_project.eStoraged.mmcblk0 \ > /xyz/openbmc_project/inventory/storage/mmcblk0 \ > xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 \ > xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4 \ > --timeout=60
Change-Id: I276e97146f4498191eb19512bc244a1e8d9cd2cb Signed-off-by: John Edward Broadbent <jebr@google.com>
show more ...
|
#
28cc834c |
| 14-Apr-2022 |
John Edward Broadbent <jebr@google.com> |
Add exception when constructor fails
We should fail as soon as we know the object had failed to init the cryptdevice correctly. There is no logic to compensate this type of failure.
Signed-off-by:
Add exception when constructor fails
We should fail as soon as we know the object had failed to init the cryptdevice correctly. There is no logic to compensate this type of failure.
Signed-off-by: John Edward Broadbent <jebr@google.com> Change-Id: I4c4b3719840ef42d8ecf378410ff0788fb040b1a
show more ...
|
#
2b5454d3 |
| 14-Apr-2022 |
John Edward Broadbent <jebr@google.com> |
fix error handling for CryptHandle.get
The old code calls CryptHandle once to make sure it is valid, then calls it again to use it.
Tested: busctl call xyz.openbmc_project.eStoraged.mmcblk0 \ > /
fix error handling for CryptHandle.get
The old code calls CryptHandle once to make sure it is valid, then calls it again to use it.
Tested: busctl call xyz.openbmc_project.eStoraged.mmcblk0 \ > /xyz/openbmc_project/inventory/storage/mmcblk0 \ > xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 \ > xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4 \ > --timeout=60
Signed-off-by: John Edward Broadbent <jebr@google.com> Change-Id: I21c02315c365e74ead3d0b5b2578c62503376756
show more ...
|
#
82897c35 |
| 21-Feb-2022 |
Ed Tanous <edtanous@google.com> |
Check in a clang-tidy
This should've been done when we first created the repo, but better late than never.
Signed-off-by: Ed Tanous <edtanous@google.com> Signed-off-by: John Edward Broadbent <jebr@
Check in a clang-tidy
This should've been done when we first created the repo, but better late than never.
Signed-off-by: Ed Tanous <edtanous@google.com> Signed-off-by: John Edward Broadbent <jebr@google.com> Change-Id: I68da1d13167ec94f9d008dea307c9f23a991d42c
show more ...
|
#
59dffa63 |
| 13-Jan-2022 |
John Edward Broadbent <jebr@google.com> |
Add crypto Erase to eStorageD.
The goal is to erase the keys that are used to decrypt the drive. After the keys are erased it will not be possible to decrypt the drive, even if the password can be r
Add crypto Erase to eStorageD.
The goal is to erase the keys that are used to decrypt the drive. After the keys are erased it will not be possible to decrypt the drive, even if the password can be recalled. The data is forever inaccessible.
Testing:
$ systemctl stop emmc.service
$ /eStoraged -b /dev/mmcblk0 &
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Lock
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Erase s xyz.openbmc_project.Inventory.Item.Volume.EraseMethod.CryptoErase
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 1 2 3 Call failed: The operation failed internally.
Signed-off-by: John Edward Broadbent <jebr@google.com> Change-Id: I3221e82a92c1b555e2379b19c9e1d5b6e4b02f9b
show more ...
|
#
6218dc5d |
| 03-Dec-2021 |
John Wedig <johnwedig@google.com> |
Add get() function to CryptHandle class
This commit modifies the CryptHandle class so that the crypt_device struct is managed internally. This way, the caller does not need to provide it's own crypt
Add get() function to CryptHandle class
This commit modifies the CryptHandle class so that the crypt_device struct is managed internally. This way, the caller does not need to provide it's own crypt_device pointer. The caller can use the new get() function when it needs access to the crypt_device struct.
Signed-off-by: John Wedig <johnwedig@google.com> Change-Id: I82c2f96d74cc2714de5a656432cbaa2f6ee1244a
show more ...
|
#
b810c926 |
| 17-Nov-2021 |
John Wedig <johnwedig@google.com> |
Format LUKS encrypted device
This commit adds the functionality to format a new LUKS device, create a filesystem, and mount it. Unit tests are included.
Currently, the D-Bus interface to format the
Format LUKS encrypted device
This commit adds the functionality to format a new LUKS device, create a filesystem, and mount it. Unit tests are included.
Currently, the D-Bus interface to format the LUKS device is synchronous, but it may need to become asynchronous, since it can take some time. The format operation took about 20 seconds when testing it.
Tested: Ran eStoraged on a machine with an eMMC, using the following commands: $ /usr/bin/eStoraged -b /dev/mmcblk0 & $ busctl call xyz.openbmc_project.eStoraged.mmcblk0 \ /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.eStoraged \ Format ay 3 1 2 3 $ busctl call xyz.openbmc_project.eStoraged.mmcblk0 \ /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.eStoraged \ Lock ay 3 1 2 3 $ busctl call xyz.openbmc_project.eStoraged.mmcblk0 \ /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.eStoraged \ Unlock ay 3 1 2 3
Signed-off-by: John Wedig <johnwedig@google.com> Change-Id: Ib5d0b8bb201b43a60238bfd4f13a29a6519a9f7d
show more ...
|