Add LUKS recovery key to vault #59
Conversation
recovery_test.sh
Outdated
| tr -d ':') | ||
|
|
||
| echo "Removing TPM keyslot ${tpm_slot} (simulating TPM failure)..." | ||
| echo -n "$recovery_key" | cryptsetup luksKillSlot /dev/$test_device "$tpm_slot" --key-file=- |
I believe this is functionally equivalent to systemd-cryptenroll --wipe-slot=tpm2.
recovery_test.sh
Outdated
|
|
||
| # THE CRITICAL TEST: Unlock with recovery key | ||
| echo "Unlocking with recovery key..." | ||
| echo -n "$recovery_key" | cryptsetup open /dev/$test_device $mapper_name --key-file=- |
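Review bot: `/dev/$test_device` and `$mapper_name` are unquoted in the `cryptsetup open` line (and `/dev/$test_device` in the `luksKillSlot` line of the previous hunk); quote them as `"/dev/$test_device" "$mapper_name"` so an empty or odd value fails loudly instead of silently dropping an argument, since `$recovery_key` on the same line is already quoted.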
This is equivalent to systemd-cryptsetup attach $mapper_name $test_device $keyfile. I'm not entirely sure if it'll let you pass it on stdin like you did.
resources/mangosctl/mangosctl.sh
Outdated
| # Use TPM to unlock the device, then enroll a new recovery key | ||
| local output=$(systemd-cryptenroll "${device}" --recovery-key --unlock-tpm2-device=auto 2>&1) | ||
|
|
||
| # Extract recovery key - format: lowercase hex groups separated by dashes |
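Review bot: `local output=$(systemd-cryptenroll ...)` loses the command's exit status, because `$?` after that line is the status of `local` itself (always 0); with `2>&1` folding stderr into the captured text, a failed TPM unlock would then be handed to the extraction step as if it were key output. Declare and assign separately (`local output` on one line, `output=$(systemd-cryptenroll ...) || return 1` on the next) so the failure is caught first. The comment on the extraction line should also describe the key as groups of lowercase letters rather than hex.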
Not hex. At least your example isn't :)
Yeah, will fix it. It's just lowercase 8-letter words separated by -
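Added example, not code from PR #59 or the mangos project: a key extraction that matches what `systemd-cryptenroll --recovery-key` actually prints (dash-separated groups of eight lowercase letters, which systemd draws from its 16-letter modhex alphabet, so a hex pattern never matches) and that keeps the enrolment command's exit status instead of hiding it behind `local`. The `fake_cryptenroll*` functions and their output are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example (not from PR #59). Extracts the recovery key printed by
# `systemd-cryptenroll --recovery-key` and preserves the command's exit status.
set -eu

# Eight groups of eight lowercase letters joined by dashes.
RECOVERY_KEY_RE='[a-z]{8}(-[a-z]{8}){7}'

# Print the first recovery-key-shaped token in captured output.
# Returns 1 and prints nothing when no key is present.
extract_recovery_key() {
    key=$(printf '%s\n' "$1" | grep -Eo "$RECOVERY_KEY_RE" | head -n 1)
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Strict shape check on a single token: exactly eight groups, nothing else.
is_valid_recovery_key() {
    printf '%s\n' "$1" | grep -Eq "^${RECOVERY_KEY_RE}"'$'
}

# Run an enrolment command (passed as arguments so the example runs offline;
# in mangosctl it would be `systemd-cryptenroll "$device" --recovery-key
# --unlock-tpm2-device=auto`) and extract the key from its output. Assigning
# in a separate step, rather than `local output=$(...)`, keeps the command's
# exit status, so a failed TPM unlock is reported instead of being parsed.
enroll_recovery_key() {
    if ! output=$("$@" 2>&1); then
        printf 'enrolment failed: %s\n' "$output" >&2
        return 1
    fi
    extract_recovery_key "$output"
}

# Constructed stand-in for successful systemd-cryptenroll output; key is made up.
fake_cryptenroll() {
    printf 'New recovery key enrolled as key slot 2.\n\n'
    printf '    cdfhkntv-bcdefghi-jklnrtuv-cbdefghi-jklnrtuv-cbdefghi-jklnrtuv-cbdefghi\n\n'
    printf 'Please save this secret recovery key at a secure location.\n'
}

# Constructed stand-in for a failed TPM unlock.
fake_cryptenroll_fail() {
    echo 'Failed to unlock LUKS volume with TPM2 device.' >&2
    return 1
}
```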
| success=0 | ||
|
|
||
| # Temporarily disable exit-on-error for polling loop | ||
| set +e |
This seems heavy handed. I assume it's for the alloc_status=$(...) call? Can you just put || true after it?
I just did this to see what's next when it fails; will remove it when the build is passing.
run_tests.sh
Outdated
| #!/bin/bash | ||
|
|
||
| set -e | ||
| set -x |
I'd prefer to not have this on by default. Successful test runs should look clean.
I did this for debugging what's happening when the build fails. Will remove once the build is passing.
Sorry about the wait. My dev branch was waaay out of date with main, and my local working tree had a lot of changes, too. It's all pretty well aligned now and the tests should be passing. If you can rebase on top of main now, we should be in good shape 🤞🏻
* docker-ce 5:29.1.3-1~ubuntu.24.04~noble has a broken dependency on a newer containerd.io which is NOT yet in the repo. That fails the build, so hardcoded the version for now to get the build working
* Removed containerd.io from the packages list of the docker profile, as docker-ce installs the appropriate version of containerd as a dependency anyway
* Add LUKS recovery key to vault as part of mangoctl bootstrap or enroll for LUKS volumes in each node
* added validation steps in self_test.sh
* Added additional recovery_test.sh to run as part of integration test within run_tests.sh
* add machine id entity metadata for a node in the vault
* Add policy so node token can write (not update or read) recovery key in vault kv
@sorenisanerd can you please review this?