2443a021 | 17-Mar-2023 | John Wedig <johnwedig@google.com>
Improve accuracy of 'Locked' property
The 'Locked' property in the volume interface is supposed to indicate whether the LUKS volume is currently activated, but this property is often inaccurate because it always defaults to false upon startup (i.e. unlocked). However, the LUKS volume is usually locked at startup. So, client daemons can get confused when looking at the Locked property.
This commit reworks the functionality for the 'Locked' property, so that it checks whether the mapped virtual crypt device exists, e.g. whether /dev/mapper/<luks_device> exists. This way, the Locked property should better reflect the actual state.
The one caveat to keep in mind is that 'Locked' will be True even if the device isn't formatted as a LUKS volume. If client daemons need to know whether it's already formatted, we may want to add another property to the Volume interface for that purpose. But in the meantime, eStoraged already exports an EncryptionStatus property as part of the Drive interface. So, the information is already available, if needed.
Tested:
Checked 'Locked' property at startup
$ busctl get-property xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Locked
b true
Formatted the LUKS volume, then checked 'Locked' property again
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 \
  xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4 \
  --timeout=60
$ busctl get-property xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Locked
b false
Restarted eStoraged and checked 'Locked' again.
$ systemctl restart xyz.openbmc_project.eStoraged
$ busctl get-property xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Locked
b false
Locked the LUKS volume, and checked 'Locked' again.
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Lock
$ busctl get-property xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Locked
b true
Restarted eStoraged, and checked 'Locked' again.
$ systemctl restart xyz.openbmc_project.eStoraged
$ busctl get-property xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Locked
b true
Signed-off-by: John Wedig <johnwedig@google.com>
Change-Id: I5cd6bac4b4426c0e2579c3fc8cf7a27b4f2ccc08

8d5a3a07 | 29-Sep-2022 | John Wedig <johnwedig@google.com>
Implement the changePassword method
With this commit, it is now possible to change the password for the LUKS-encrypted volume, using the changePassword D-Bus method for eStoraged.
Tested:
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 \
  xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4 \
  --timeout=60
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume ChangePassword \
  ayay 3 1 2 3 3 4 5 6
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Lock
Attempted to unlock using the old password. It failed as expected.
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 1 2 3
Unlocked with the new password
$ busctl call xyz.openbmc_project.eStoraged \
  /xyz/openbmc_project/inventory/storage/mmcblk0 \
  xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 4 5 6
Signed-off-by: John Wedig <johnwedig@google.com>
Change-Id: If1395fb04f51b1fb1a3d26731422d21476205207

59dffa63 | 13-Jan-2022 | John Edward Broadbent <jebr@google.com>
Add crypto Erase to eStorageD.
The goal is to erase the keys that are used to decrypt the drive. After the keys are erased it will not be possible to decrypt the drive, even if the password can be recalled. The data is forever inaccessible.
Testing:
$ systemctl stop emmc.service
$ /eStoraged -b /dev/mmcblk0 &
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Lock
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Erase s xyz.openbmc_project.Inventory.Item.Volume.EraseMethod.CryptoErase
$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 1 2 3
Call failed: The operation failed internally.
Signed-off-by: John Edward Broadbent <jebr@google.com>
Change-Id: I3221e82a92c1b555e2379b19c9e1d5b6e4b02f9b