* [PATCH v2 0/4] new dracut modules
From: Roberto Sassu @ 2011-07-05 16:23 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA
  Cc: harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt, Roberto Sassu

Hi all

this patch set introduces three new modules (masterkey, integrity and
ecryptfs) and allows mounting the securityfs filesystem from the initial
ramdisk.

These patches are based upon the first version sent by Mimi Zohar, which
can be retrieved at the address:

http://article.gmane.org/gmane.linux.kernel.initramfs/1910

Roberto Sassu 


Roberto Sassu (4):
  base/init: mount the securityfs filesystem
  dracut: added new module masterkey
  dracut: added new module integrity
  dracut: added new module ecryptfs

 dracut.kernel.7.xml                      |   29 +++++++++
 modules.d/97masterkey/README             |   59 ++++++++++++++++++
 modules.d/97masterkey/masterkey.sh       |   67 +++++++++++++++++++++
 modules.d/97masterkey/module-setup.sh    |   25 ++++++++
 modules.d/98ecryptfs/README              |   45 ++++++++++++++
 modules.d/98ecryptfs/ecryptfs-mount.sh   |   95 ++++++++++++++++++++++++++++++
 modules.d/98ecryptfs/module-setup.sh     |   20 ++++++
 modules.d/98integrity/README             |   40 +++++++++++++
 modules.d/98integrity/evm-enable.sh      |   91 ++++++++++++++++++++++++++++
 modules.d/98integrity/ima-policy-load.sh |   41 +++++++++++++
 modules.d/98integrity/module-setup.sh    |   17 +++++
 modules.d/99base/init                    |    6 ++
 12 files changed, 535 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/97masterkey/README
 create mode 100755 modules.d/97masterkey/masterkey.sh
 create mode 100755 modules.d/97masterkey/module-setup.sh
 create mode 100644 modules.d/98ecryptfs/README
 create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
 create mode 100755 modules.d/98ecryptfs/module-setup.sh
 create mode 100644 modules.d/98integrity/README
 create mode 100755 modules.d/98integrity/evm-enable.sh
 create mode 100755 modules.d/98integrity/ima-policy-load.sh
 create mode 100755 modules.d/98integrity/module-setup.sh

-- 
1.7.4.4

* [PATCH v2 1/4] base/init: mount the securityfs filesystem
From: Roberto Sassu @ 2011-07-05 16:23 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA
  Cc: harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt, Roberto Sassu

Mount the securityfs filesystem and make its location available through the
exported variable SECURITYFSDIR.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 modules.d/99base/init |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/modules.d/99base/init b/modules.d/99base/init
index 5975b25..e2bbf3d 100755
--- a/modules.d/99base/init
+++ b/modules.d/99base/init
@@ -84,6 +84,12 @@ RD_DEBUG=""
 [ ! -d /sys/kernel ] && \
     mount -t sysfs -o nosuid,noexec,nodev sysfs /sys >/dev/null 2>&1
 
+SECURITYFSDIR="/sys/kernel/security"
+export SECURITYFSDIR
+if ! ismounted "${SECURITYFSDIR}"; then
+    mount -t securityfs -o nosuid,noexec,nodev ${SECURITYFSDIR} ${SECURITYFSDIR} >/dev/null 2>&1
+fi
+
 if [ -x /lib/systemd/systemd-timestamp ]; then
     RD_TIMESTAMP=$(/lib/systemd/systemd-timestamp)
 else
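Review bot: the `mount -t securityfs` line discards both its output and its exit status, so a failed mount (for instance a kernel without securityfs, where /sys/kernel/security does not exist) is indistinguishable from success, and the only later symptom is the integrity hooks reporting "EVM kernel support is disabled" because `${SECURITYFSDIR}/evm` is absent. Suggest guarding with `[ -d "${SECURITYFSDIR}" ]` before mounting and logging through `info` when the mount fails, quoting both `"${SECURITYFSDIR}"` arguments, and passing `securityfs` rather than the mount point as the device name, which is the form used for the sysfs mount just above.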
-- 
1.7.4.4

* [PATCH v2 2/4] dracut: added new module masterkey
From: Roberto Sassu @ 2011-07-05 16:23 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA
  Cc: harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt, Roberto Sassu

This module initializes a trusted/user kernel master key that will be used
to decrypt other encrypted keys.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 dracut.kernel.7.xml                   |   17 ++++++++
 modules.d/97masterkey/README          |   59 +++++++++++++++++++++++++++++
 modules.d/97masterkey/masterkey.sh    |   67 +++++++++++++++++++++++++++++++++
 modules.d/97masterkey/module-setup.sh |   25 ++++++++++++
 4 files changed, 168 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/97masterkey/README
 create mode 100755 modules.d/97masterkey/masterkey.sh
 create mode 100755 modules.d/97masterkey/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index a277c74..3fac18b 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -703,6 +703,23 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
         </varlistentry>
       </variablelist>
     </refsect2>
+   <refsect2>
+      <title>Kernel keys</title>
+      <variablelist>
+        <varlistentry>
+          <term><envar>masterkey=</envar><replaceable>&lt;kernel master key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the kernel master key. e.g.: <programlisting>masterkey=/etc/keys/kmk-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><envar>masterkeytype=</envar><replaceable>&lt;kernel master key type&gt;</replaceable></term>
+          <listitem>
+            <para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
     <refsect2>
       <title>Deprecated, renamed Options</title>
       <para>Here is a list of options, which were used in dracut prior to version 008, and their new replacement.</para>
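Review bot: the `masterkey=` example `/etc/keys/kmk-trusted.blob` does not match the default that masterkey.sh computes, `/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob`, and the `masterkeytype=` entry does not say which values are accepted (the hook handles `trusted` and `user`). Documenting the per-kernel-release default and the two types here would save users from a boot-time "missing the kernel master key" that is only printed when rd.debug is on. Style: the new `<refsect2>` opening tag is indented three spaces while its closing tag and the neighbouring sections use four.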
diff --git a/modules.d/97masterkey/README b/modules.d/97masterkey/README
new file mode 100644
index 0000000..c4e0fbd
--- /dev/null
+++ b/modules.d/97masterkey/README
@@ -0,0 +1,59 @@
+# Directions for creating the kernel master key that will be used for
+# encrypting/decrypting other keys.
+
+# A trusted key is a TPM random number, which is only ever exposed to
+# userspace as an encrypted datablob. A trusted key can be sealed to a
+# set of PCR values. For more details on trusted keys, refer to the
+# kernel keys-trusted-encrypted.txt documentation.
+$ keyctl add trusted kmk-trusted "new 32" @u
+801713097
+
+# For those systems which don't have a TPM, but want to experiment with
+# encrypted keys, create a user key of 32 random bytes. Unlike
+# trusted/encrypted keys, user type key data is visible to userspace.
+$ keyctl add user kmk-user "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
+144468621
+
+# Save the kernel master key (trusted type):
+$ su -c 'keyctl pipe `keyctl search @u trusted kmk-trusted` > /etc/keys/kmk-trusted.blob'
+
+# or (user type):
+$ su -c 'keyctl pipe `keyctl search @u user kmk-user` > /etc/keys/kmk-user.blob'
+
+# A useful feature of trusted keys is that it is possible to prevent their
+# unsealing at later time by providing the parameter 'pcrlock=<pcrnum>' when
+# loading it, which causes the PCR #<pcrnum> to be extended with a random value.
+# Actually, the <pcrnum> variable is set to '11' to let users experiment with
+# this feature by using a register that is never extended during the boot,
+# making the re-sealing not necessary. In the future, the kernel master key will
+# be sealed to the PCR #14 which is extended, according to the TrustedGRUB
+# documentation[1], to the measure of the kernel and the initial ramdisk.
+
+# The kernel master key path name and type can be set in one of the following
+# ways (specified in the order in which variables are overwritten):
+
+1) use default values:
+--------------------------------------------------------------------------
+MASTERKEYTYPE=trusted
+MASTERKEY=/etc/keys/kmk-trusted-$(uname -r).blob
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/masterkey' to override the
+value of one or both variables;
+
+3) specify these parameters in the kernel command line:
+- masterkey=</kernel/master/key/path>, to override the MASTERKEY variable;
+- masterkeytype=<kernel-master-key-type>, to override the MASTERKEYTYPE variable.
+
+# If only the MASTERKEYTYPE variable is overridden with the value 'user',
+# the default value of MASTERKEY will be:
+--------------------------------------------------------------------------
+MASTERKEY=/etc/keys/kmk-user-$(uname -r).blob
+--------------------------------------------------------------------------
+
+# If the system is configured to boot multiple kernels and a trusted/user key is
+# tied to each one, the MASTERKEY variable should be not modified to avoid
+# setting the path name each time a different kernel is chosen.
+
+
+[1] https://projects.sirrix.com/trac/trustedgrub/
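Review bot: the save step writes `/etc/keys/kmk-trusted.blob`, but the default path masterkey.sh looks up is `/etc/keys/kmk-trusted-$(uname -r).blob`, so following these directions verbatim leaves the key unfound unless MASTERKEY is overridden; either add the kernel release to the file name in the `keyctl pipe` examples or state that MASTERKEY must be set. Two further problems in the same commands: `su -c 'keyctl search @u ...'` runs with root's credentials and therefore searches root's user keyring, which does not contain a key added from an unprivileged shell, so either run the whole sequence as root or search in the user's own session and only elevate for the write (`keyctl pipe $(keyctl search @u trusted kmk-trusted) | su -c 'cat > /etc/keys/kmk-trusted.blob'`); and for the `user` type the 32 bytes from `dd if=/dev/urandom` pass through a command substitution, which drops NUL bytes and trailing newlines, so the key loaded by `keyctl add user kmk-user "..."` is not the 32 uniformly random bytes the text promises. Writing the random bytes to the blob file first and loading them from stdin with `keyctl padd user kmk-user @u < /etc/keys/kmk-user.blob` avoids the shell entirely. Minor wording: "Actually, the <pcrnum> variable is set to '11'" reads as "Currently".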
diff --git a/modules.d/97masterkey/masterkey.sh b/modules.d/97masterkey/masterkey.sh
new file mode 100755
index 0000000..af042a9
--- /dev/null
+++ b/modules.d/97masterkey/masterkey.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+MASTERKEYSCONFIG="${NEWROOT}/etc/sysconfig/masterkey"
+PCRLOCKNUM=11
+
+load_masterkey()
+{
+    # read the configuration from the config file
+    [ -f "${MASTERKEYSCONFIG}" ] && \
+        . ${MASTERKEYSCONFIG}
+
+    # override the kernel master key path name from the 'masterkey=' parameter
+    # in the kernel command line
+    MASTERKEYARG=$(getarg masterkey=)
+    [ $? -eq 0 ] && \
+        MASTERKEY=$MASTERKEYARG
+
+    # override the kernel master key type from the 'masterkeytype=' parameter
+    # in the kernel command line
+    MASTERKEYTYPEARG=$(getarg masterkeytype=)
+    [ $? -eq 0 ] && \
+        MASTERKEYTYPE=$MASTERKEYTYPEARG
+
+    # set default values
+    [ -z "$MASTERKEYTYPE" ] && \
+        MASTERKEYTYPE="trusted"
+
+    [ -z "$MASTERKEY" ] && \
+        MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob"
+
+    # set the kernel master key path name
+    MASTERKEYPATH="${NEWROOT}${MASTERKEY}"
+
+    # check for kernel master key's existence
+    if [ ! -f "${MASTERKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "masterkey: missing the kernel master key: kmk-${MASTERKEYTYPE}"
+        fi
+        return 1
+    fi
+
+    # read the kernel master key blob
+    KEYBLOB=$(cat ${MASTERKEYPATH})
+
+    # add the 'load' prefix if the key type is 'trusted'
+    [ "${MASTERKEYTYPE}" = "trusted" ] && \
+        KEYBLOB="load ${KEYBLOB} pcrlock=${PCRLOCKNUM}"
+
+    # load the kernel master key
+    info "Loading the kernel master key"
+    keyctl add "${MASTERKEYTYPE}" "kmk-${MASTERKEYTYPE}" "${KEYBLOB}" @u >/dev/null || {
+        info "masterkey: failed to load the kernel master key: kmk-${MASTERKEYTYPE}";
+        return 1;
+    }
+
+    return 0
+}
+
+load_masterkey
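Review bot: `pcrlock=${PCRLOCKNUM}` only prevents a second unseal if the blob was sealed to PCR 11 in the first place, and the README creates it with `keyctl add trusted kmk-trusted "new 32" @u`, which binds no PCRs (no `pcrinfo=`), so as shipped the hook extends PCR 11 but the same blob can still be loaded again later in the boot; the creation command needs a `pcrinfo=` covering PCR 11, or the README should say the lock is a no-op until the key is re-sealed. Second, the `KEYBLOB=$(cat ${MASTERKEYPATH})` / `keyctl add ... "${KEYBLOB}"` pair is wrong for the `user` type: that blob is the raw 32-byte payload, and command substitution strips NUL bytes and trailing newlines, so the key loaded here can differ from the one saved with `keyctl pipe`; feed the file on stdin with `keyctl padd user kmk-user @u < "${MASTERKEYPATH}"` (the trusted blob is hex text, so it is safe on the command line). Third, `. ${MASTERKEYSCONFIG}` executes whatever `${NEWROOT}/etc/sysconfig/masterkey` contains inside the initramfs before EVM or IMA appraisal is active; that file is an unverified code path and should be documented as trusted or parsed for the two expected `NAME=value` lines instead of sourced. Minor: MASTERKEYTYPE is not validated against `trusted`/`user`, so a typo on the command line surfaces only as "failed to load the kernel master key".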
diff --git a/modules.d/97masterkey/module-setup.sh b/modules.d/97masterkey/module-setup.sh
new file mode 100755
index 0000000..64f164b
--- /dev/null
+++ b/modules.d/97masterkey/module-setup.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    [ "$1" = "-h" ] && {
+        [ -x "/bin/keyctl" ] || return 1
+    }
+
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+installkernel() {
+    instmods trusted encrypted
+}
+
+install() {
+    inst keyctl
+    inst uname
+    inst_hook pre-pivot 60 "$moddir/masterkey.sh"
+}
-- 
1.7.4.4

* [PATCH v2 3/4] dracut: added new module integrity
From: Roberto Sassu @ 2011-07-05 16:23 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA
  Cc: harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt, Roberto Sassu

This module initializes the EVM software and permits loading a custom IMA
policy.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 dracut.kernel.7.xml                      |    6 ++
 modules.d/98integrity/README             |   40 +++++++++++++
 modules.d/98integrity/evm-enable.sh      |   91 ++++++++++++++++++++++++++++++
 modules.d/98integrity/ima-policy-load.sh |   41 +++++++++++++
 modules.d/98integrity/module-setup.sh    |   17 ++++++
 5 files changed, 195 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/98integrity/README
 create mode 100755 modules.d/98integrity/evm-enable.sh
 create mode 100755 modules.d/98integrity/ima-policy-load.sh
 create mode 100755 modules.d/98integrity/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index 3fac18b..759871b 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -718,6 +718,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
             <para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><envar>evmkey=</envar><replaceable>&lt;EVM key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
     <refsect2>
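Review bot: the `evmkey=` entry documents only the path; it should also say that the blob must be an `encrypted` key saved under the description `evm-key`, because evm-enable.sh hard-codes both (EVMKEYTYPE, EVMKEYDESC) and the kernel's EVM initialisation requests the key by that description, so a blob created under any other name loads into the keyring but is never used. The parameter also belongs in the same "Kernel keys" section only loosely; a sentence saying it is consumed by the integrity module would help readers find the right README.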
diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README
new file mode 100644
index 0000000..f78f2cd
--- /dev/null
+++ b/modules.d/98integrity/README
@@ -0,0 +1,40 @@
+# Directions for creating the encrypted key that will be used to initialize
+# the EVM software.
+
+# Create the EVM key (encrypted key type)
+#
+# The encrypted key is a random number encrypted/decrypted using the
+# kernel master key.  The encrypted key is only exposed to userspace
+# as an encrypted datablob.
+$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
+782117972
+
+# Save the encrypted key
+$ su -c 'keyctl pipe `keyctl search @u encrypted evm_key` > /etc/keys/evm-trusted.blob'
+
+# The EVM key path name can be set in one of the following ways (specified in
+# the order in which the variable is overwritten):
+
+1) use the default value:
+--------------------------------------------------------------------------
+EVMKEY=/etc/keys/evm-trusted.blob
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/evm' and set the EVMKEY variable;
+
+3) specify the EVM key path name in the 'evmkey=' parameter of the kernel command
+line.
+
+
+# Directions for loading a custom IMA policy.
+
+# Write the policy following the instructions provided in the file
+# 'Documentation/ABI/testing/ima_policy' of the kernel documentation.
+
+# Save the policy in a file.
+
+# Create the configuration file '/etc/sysconfig/ima' to override the path name of
+# the IMA custom policy.
+------------- '/etc/sysconfig/ima' (with the default value) -------------
+IMAPOLICY=/etc/sysconfig/ima-policy
+-------------------------------------------------------------------------
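Review bot: the save step searches for `evm_key` but the key was added as `evm-key`, which is also what evm-enable.sh loads and what the kernel's EVM code requests, so `keyctl search @u encrypted evm_key` returns nothing and the blob is never written; it should read `evm-key`. The `su -c` keyring caveat from the masterkey README applies here too: the search runs in root's user keyring. It would also help to state that `trusted:kmk-trusted` must become `user:kmk-user` when MASTERKEYTYPE=user, and that the IMA policy read from `/etc/sysconfig/ima-policy` is loaded from the root filesystem before appraisal is active and is therefore not itself integrity-checked.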
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
new file mode 100755
index 0000000..5dc734f
--- /dev/null
+++ b/modules.d/98integrity/evm-enable.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+EVMSECFILE="${SECURITYFSDIR}/evm"
+EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
+EVMKEYDESC="evm-key"
+EVMKEYTYPE="encrypted"
+EVMKEYID=""
+
+load_evm_key()
+{
+    # read the configuration from the config file
+    [ -f "${EVMCONFIG}" ] && \
+        . ${EVMCONFIG}
+
+    # override the EVM key path name from the 'evmkey=' parameter in the kernel
+    # command line
+    EVMKEYARG=$(getarg evmkey=)
+    [ $? -eq 0 ] && \
+        EVMKEY=$EVMKEYARG
+
+    # set the default value
+    [ -z "$EVMKEY" ] && \
+        EVMKEY="/etc/keys/evm-trusted.blob";
+
+    # set the EVM key path name
+    EVMKEYPATH="${NEWROOT}${EVMKEY}"
+
+    # check for EVM encrypted key's existence
+    if [ ! -f "${EVMKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: missing the EVM encrypted key"
+        fi
+        return 1
+    fi
+
+    # read the EVM encrypted key blob
+    KEYBLOB=$(cat ${EVMKEYPATH})
+
+    # load the EVM encrypted key
+    EVMKEYID=`keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u`
+    [ $? -eq 0 ] || {
+        info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+unload_evm_key()
+{
+    # unlink the EVM encrypted key
+    keyctl unlink ${EVMKEYID} @u || {
+        info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+enable_evm()
+{
+    # check kernel support for EVM
+    if [ ! -e "${EVMSECFILE}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: EVM kernel support is disabled"
+        fi
+        return 0
+    fi
+
+    # load the EVM encrypted key
+    load_evm_key || return 1
+
+    # initialize EVM
+    info "Enabling EVM"
+    echo 1 > ${EVMSECFILE}
+
+    # unload the EVM encrypted key
+    unload_evm_key || return 1
+
+    return 0
+}
+
+enable_evm
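Review bot: `echo 1 > ${EVMSECFILE}` is not checked, so if the kernel rejects the enable (it does when no `evm-key` can be found or the key cannot be decrypted with the master key) the hook logs "Enabling EVM", unlinks the key, returns 0 and boot continues with EVM off; write it as `echo 1 > "${EVMSECFILE}" || { info "integrity: failed to enable EVM"; return 1; }` and still run `unload_evm_key` on that failure path so the key does not stay linked in @u. Two smaller points: `. ${EVMCONFIG}` executes arbitrary shell from the not-yet-verified root filesystem, the same concern as in masterkey.sh; and unlinking the key after the enable is correct because EVM copies the decrypted payload during initialisation, which is worth a one-line comment since it otherwise looks like a bug.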
diff --git a/modules.d/98integrity/ima-policy-load.sh b/modules.d/98integrity/ima-policy-load.sh
new file mode 100755
index 0000000..55c98bb
--- /dev/null
+++ b/modules.d/98integrity/ima-policy-load.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+IMASECDIR="${SECURITYFSDIR}/ima"
+IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+IMAPOLICY="/etc/sysconfig/ima-policy"
+
+load_ima_policy()
+{
+    # check kernel support for IMA
+    if [ ! -e "${IMASECDIR}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: IMA kernel support is disabled"
+        fi
+        return 0
+    fi
+
+    # override the default configuration
+    [ -f "${IMACONFIG}" ] && \
+        . ${IMACONFIG}
+
+    # set the IMA policy path name
+    IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"
+
+    # check the existence of the IMA policy file
+    [ -f "${IMAPOLICYPATH}" ] && {
+        info "Loading the provided IMA custom policy";
+        cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+    }
+
+    return 0
+}
+
+load_ima_policy
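Review bot: the `cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy` write is unchecked, so a policy the kernel rejects (a syntax error in a single rule) is announced as "Loading the provided IMA custom policy" and the hook returns 0 with the default policy left in place; capture the status and log a failure through `info`. Also, the policy file comes from `${NEWROOT}` before EVM is enabled and before any appraisal rule is active, so it is the one piece of integrity configuration that is not itself verified; that trust assumption belongs in the README next to the IMAPOLICY setting. Minor: the `-f` test only covers a missing file, an unreadable one hits the same silent failure.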
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
new file mode 100755
index 0000000..f1b97fd
--- /dev/null
+++ b/modules.d/98integrity/module-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 0
+}
+
+depends() {
+    echo masterkey
+    return 0
+}
+
+install() {
+    inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
+    inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
+}
-- 
1.7.4.4

* [PATCH v2 4/4] dracut: added new module ecryptfs
From: Roberto Sassu @ 2011-07-05 16:23 UTC
  To: initramfs-u79uwXL29TY76Z2rM5mHXA
  Cc: harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt, Roberto Sassu

This module mounts an eCryptfs filesystem from the initial ramdisk using
an encrypted key.

Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
---
 dracut.kernel.7.xml                    |    6 ++
 modules.d/98ecryptfs/README            |   45 +++++++++++++++
 modules.d/98ecryptfs/ecryptfs-mount.sh |   95 ++++++++++++++++++++++++++++++++
 modules.d/98ecryptfs/module-setup.sh   |   20 +++++++
 4 files changed, 166 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/98ecryptfs/README
 create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
 create mode 100755 modules.d/98ecryptfs/module-setup.sh

diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
index 759871b..c5d74d0 100644
--- a/dracut.kernel.7.xml
+++ b/dracut.kernel.7.xml
@@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
             <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
     <refsect2>
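Review bot: the `ecryptfskey=` entry should state that the blob must be an `encrypted` key whose description is exactly `1000100010001000`, because ecryptfs-mount.sh hard-codes that value as ECRYPTFSKEYDESC and passes it as `ecryptfs_sig=`; a key created under any other 16-hex-digit description, which the README's wording permits, loads fine but the mount then cannot find its authentication token. Either document the fixed description here or make it configurable from `/etc/sysconfig/ecryptfs` alongside ECRYPTFSDIR.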
diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
new file mode 100644
index 0000000..c592d8d
--- /dev/null
+++ b/modules.d/98ecryptfs/README
@@ -0,0 +1,45 @@
+# Directions for creating the encrypted key that will be used to mount an
+# eCryptfs filesystem
+
+# Create the eCryptfs key (encrypted key type)
+#
+# The encrypted key type supports two formats: the 'default' format allows
+# to generate a random symmetric key of the length specified, the 'ecryptfs'
+# format generates an authentication token for the eCryptfs filesystem,
+# which contains a randomly generated key. Two requirements for the latter
+# format is that the key description must contain exactly 16 hexadecimal
+# characters and that the encrypted key length must be equal to 64.
+$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
+782117972
+
+# Save the encrypted key
+$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
+
+# The eCryptfs key path name can be set in one of the following ways (specified in
+# the order in which the variable is overwritten):
+
+1) use the default value:
+--------------------------------------------------------------------------
+ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
+variable;
+
+3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
+line.
+
+# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
+# more options for mounting the eCryptfs filesystem:
+
+ECRYPTFSDIR: mount point directory for the eCryptfs filesystem (the directory must be
+             created in the root filesystem before rebooting the system);
+ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
+                           option is automatically added by the dracut script) 
+
+# Example of the configuration file:
+----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
+ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob
+ECRYPTFSDIR="/secret"
+ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
+-----------------------------------------------------------------------
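Review bot: the example configuration sets `ECRYPTFS_KEY=`, but the hook and item 1) read `ECRYPTFSKEY`, so that line is silently ignored; rename it. The sentence "the key description must contain exactly 16 hexadecimal characters" describes the kernel's `ecryptfs` format but understates what this module needs: the description must be exactly `1000100010001000` unless ECRYPTFSKEYDESC becomes configurable, since it doubles as the `ecryptfs_sig` mount option. The `su -c 'keyctl search @u ...'` save step has the same root-keyring problem noted for the masterkey README. Grammar: "Two requirements for the latter format is" should be "are".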
diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
new file mode 100755
index 0000000..b1abfc2
--- /dev/null
+++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
+
+ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
+ECRYPTFSKEYTYPE="encrypted"
+ECRYPTFSKEYDESC="1000100010001000"
+ECRYPTFSKEYID=""
+ECRYPTFSDIR="/secret"
+ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
+
+load_ecryptfs_key()
+{
+    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
+    # command line
+    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
+    [ $? -eq 0 ] && \
+        ECRYPTFSKEY=$ECRYPTFSKEYARG
+
+    # set the default value
+    [ -z "$ECRYPTFSKEY" ] && \
+        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
+
+    # set the eCryptfs key path name
+    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
+
+    # check for eCryptfs encrypted key's existence
+    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "eCryptfs: missing the eCryptfs key: ${ECRYPTFSKEYDESC}"
+        fi
+        return 1
+    fi
+
+    # read the eCryptfs encrypted key blob
+    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
+
+    # load the eCryptfs encrypted key blob
+    ECRYPTFSKEYID=`keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u`
+    [ $? -eq 0 ] || {
+        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+unload_ecryptfs_key()
+{
+    # unlink the eCryptfs encrypted key
+    keyctl unlink ${ECRYPTFSKEYID} @u || {
+        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+mount_ecryptfs()
+{
+    # read the configuration from the config file
+    [ -f "${ECRYPTFSCONFIG}" ] && \
+        . ${ECRYPTFSCONFIG}
+
+    # load the eCryptfs encrypted key
+    load_ecryptfs_key || return 1
+
+    # set the eCryptfs filesystem mount point
+    ECRYPTFSMNT="${NEWROOT}${ECRYPTFSDIR}"
+
+    # build the mount options variable
+    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
+    [ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ] && \
+        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
+
+    # mount the eCryptfs filesystem
+    info "Mounting the configured eCryptfs filesystem"
+    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSMNT} ${ECRYPTFSMNT} >/dev/null || {
+        info "eCryptfs: mount of the eCryptfs filesystem failed";
+        return 1;
+    }
+
+    # unload the eCryptfs encrypted key
+    unload_ecryptfs_key || return 1
+
+    return 0
+}
+
+mount_ecryptfs
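Review bot: when `mount` fails the function returns before `unload_ecryptfs_key`, leaving the eCryptfs encrypted key linked in @u for the rest of the boot; save the mount status, run `unload_ecryptfs_key` unconditionally, then return the saved status. Further points: `[ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ]` is unquoted, which only works by accident for an empty value and breaks for one containing spaces, so use `[ -n "${ECRYPTFS_EXTRA_MOUNT_OPTS}" ]`; the mount options are assembled from a sourced, unverified config file and passed to `mount` verbatim, so the README should say that file is trusted, or the hook should accept only the `ecryptfs_cipher`/`ecryptfs_key_bytes` style options it expects; and a missing `${ECRYPTFSMNT}` directory surfaces only as "mount of the eCryptfs filesystem failed", so a `[ -d "${ECRYPTFSMNT}" ]` check with its own message would point at the README's "directory must be created" requirement. The `-i` on the mount line is right (it skips the mount.ecryptfs helper, which would try to prompt) and deserves a comment.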
diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
new file mode 100755
index 0000000..56c2d41
--- /dev/null
+++ b/modules.d/98ecryptfs/module-setup.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 0
+}
+
+depends() {
+    echo masterkey
+    return 0
+}
+
+installkernel() {
+    instmods ecryptfs
+}
+
+install() {
+    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
+}
-- 
1.7.4.4

* Re: [PATCH v2 0/4] new dracut modules
From: Harald Hoyer @ 2011-07-07  8:29 UTC (permalink / raw)
  To: Roberto Sassu
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On 05.07.2011 18:23, Roberto Sassu wrote:
> Hi all
> 
> this patch set introduces three new modules (masterkey, integrity and
> ecryptfs) and allows to mount the securityfs filesystem from the initial
> ramdisk.
> 
> These patches are based upon the first version sent by Mimi Zohar, which
> can be retrieved at the address:
> 
> http://article.gmane.org/gmane.linux.kernel.initramfs/1910
> 
> Roberto Sassu 
> 

Why did you split it into three dracut modules?
Personally, I would put it into one single module.


* Re: [PATCH v2 0/4] new dracut modules
From: Roberto Sassu @ 2011-07-07  8:44 UTC (permalink / raw)
  To: Harald Hoyer
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Thursday, July 07, 2011 10:29:54 AM Harald Hoyer wrote:
> On 05.07.2011 18:23, Roberto Sassu wrote:
> > Hi all
> > 
> > this patch set introduces three new modules (masterkey, integrity and
> > ecryptfs) and allows to mount the securityfs filesystem from the initial
> > ramdisk.
> > 
> > These patches are based upon the first version sent by Mimi Zohar, which
> > can be retrieved at the address:
> > 
> > http://article.gmane.org/gmane.linux.kernel.initramfs/1910
> > 
> > Roberto Sassu 
> > 
> 
> Why did you split it into three dracut modules?
> Personally, I would put it into one single module.
> 

Hi Harald

I've split the scripts into three modules because 'masterkey'
initializes a kernel key which can be further used by other
dracut modules, like 'integrity' and 'ecryptfs'.
Another reason is that the last two do completely different
things (the former initializes the EVM framework, the latter
mounts an eCryptfs filesystem).

Roberto Sassu


* Re: [PATCH v2 0/4] new dracut modules
From: Harald Hoyer @ 2011-07-07  8:52 UTC (permalink / raw)
  To: Roberto Sassu
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On 07.07.2011 10:44, Roberto Sassu wrote:
> On Thursday, July 07, 2011 10:29:54 AM Harald Hoyer wrote:
>> On 05.07.2011 18:23, Roberto Sassu wrote:
>>> Hi all
>>>
>>> this patch set introduces three new modules (masterkey, integrity and
>>> ecryptfs) and allows to mount the securityfs filesystem from the initial
>>> ramdisk.
>>>
>>> These patches are based upon the first version sent by Mimi Zohar, which
>>> can be retrieved at the address:
>>>
>>> http://article.gmane.org/gmane.linux.kernel.initramfs/1910
>>>
>>> Roberto Sassu 
>>>
>>
>> Why did you split it into three dracut modules?
>> Personally, I would put it into one single module.
>>
> 
> Hi Harald
> 
> I've split the scripts into three modules because 'masterkey'
> initializes a kernel key which can be further used by other
> dracut modules, like 'integrity' and 'ecryptfs'.
> Another reason is that the last two do completely different
> things (the former initializes the EVM framework, the latter
> mounts an eCryptfs filesystem).
> 
> Roberto Sassu

Ok, fine with me. Thanks for the explanation.


* Re: [PATCH v2 0/4] new dracut modules
From: Mimi Zohar @ 2011-07-07 13:53 UTC (permalink / raw)
  To: Roberto Sassu
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Tue, 2011-07-05 at 18:23 +0200, Roberto Sassu wrote:
> Hi all
> 
> this patch set introduces three new modules (masterkey, integrity and
> ecryptfs) and allows to mount the securityfs filesystem from the initial
> ramdisk.
> 
> These patches are based upon the first version sent by Mimi Zohar, which
> can be retrieved at the address:
> 
> http://article.gmane.org/gmane.linux.kernel.initramfs/1910
> 
> Roberto Sassu 

Nice!  Thanks, Roberto, for updating the modules. They look really
good.

One really minor issue is that although the user can override the
default masterkey blob filename, using a boot command line option, the
default filename is kernel version specific.  Until the tools are
available to create and seal keys to a set of PCRs, as we discussed,
perhaps there should be an additional filename default, without the
kernel version appended, as well.

thanks,  

Mimi


* Re: [PATCH v2 0/4] new dracut modules
From: Roberto Sassu @ 2011-07-07 14:14 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Thursday, July 07, 2011 03:53:22 PM Mimi Zohar wrote:
> On Tue, 2011-07-05 at 18:23 +0200, Roberto Sassu wrote:
> > Hi all
> > 
> > this patch set introduces three new modules (masterkey, integrity and
> > ecryptfs) and allows to mount the securityfs filesystem from the initial
> > ramdisk.
> > 
> > These patches are based upon the first version sent by Mimi Zohar, which
> > can be retrieved at the address:
> > 
> > http://article.gmane.org/gmane.linux.kernel.initramfs/1910
> > 
> > Roberto Sassu 
> 
> Nice!  Thanks, Roberto, for updating the modules. They look really
> good.
> 
> One really minor issue is that although the user can override the
> default masterkey blob filename, using a boot command line option, the
> default filename is kernel version specific.  Until the tools are
> available to create and seal keys to a set of PCRs, as we discussed,
> perhaps there should be an additional filename default, without the
> kernel version appended, as well.
> 

Hi Mimi

thanks.
I think we can solve this issue by adding a new option, called
'MULTIKERNELMODE', which can be used to decide if the kernel
version should be added to the default masterkey filename or
not. By default, we can set its value to 'NO'.

Roberto Sassu


> thanks,  
> 
> Mimi
> 
> 


* Re: [PATCH v2 0/4] new dracut modules
From: Roberto Sassu @ 2011-07-07 14:41 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Thursday, July 07, 2011 04:42:11 PM Mimi Zohar wrote:
> On Thu, 2011-07-07 at 16:14 +0200, Roberto Sassu wrote:
> > On Thursday, July 07, 2011 03:53:22 PM Mimi Zohar wrote:
> > > On Tue, 2011-07-05 at 18:23 +0200, Roberto Sassu wrote:
> > > > Hi all
> > > > 
> > > > this patch set introduces three new modules (masterkey, integrity and
> > > > ecryptfs) and allows to mount the securityfs filesystem from the initial
> > > > ramdisk.
> > > > 
> > > > These patches are based upon the first version sent by Mimi Zohar, which
> > > > can be retrieved at the address:
> > > > 
> > > > http://article.gmane.org/gmane.linux.kernel.initramfs/1910
> > > > 
> > > > Roberto Sassu 
> > > 
> > > Nice!  Thanks, Roberto, for updating the modules. They look really
> > > good.
> > > 
> > > One really minor issue is that although the user can override the
> > > default masterkey blob filename, using a boot command line option, the
> > > default filename is kernel version specific.  Until the tools are
> > > available to create and seal keys to a set of PCRs, as we discussed,
> > > perhaps there should be an additional filename default, without the
> > > kernel version appended, as well.
> > > 
> > 
> > Hi Mimi
> > 
> > thanks.
> > I think we can solve this issue by adding a new option, called
> > 'MULTIKERNELMODE', which can be used to decide if the kernel
> > version should be added to the default masterkey filename or
> > not. By default, we can set its value to 'NO'.
> > 
> > Roberto Sassu
> 
> Sounds good.
> 

Ok, I'll wait for other comments before reposting patches.

Roberto Sassu


> thanks,
> 
> Mimi
> 
> 


* Re: [PATCH v2 0/4] new dracut modules
From: Mimi Zohar @ 2011-07-07 14:42 UTC (permalink / raw)
  To: Roberto Sassu
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	tyhicks-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Thu, 2011-07-07 at 16:14 +0200, Roberto Sassu wrote:
> On Thursday, July 07, 2011 03:53:22 PM Mimi Zohar wrote:
> > On Tue, 2011-07-05 at 18:23 +0200, Roberto Sassu wrote:
> > > Hi all
> > > 
> > > this patch set introduces three new modules (masterkey, integrity and
> > > ecryptfs) and allows to mount the securityfs filesystem from the initial
> > > ramdisk.
> > > 
> > > These patches are based upon the first version sent by Mimi Zohar, which
> > > can be retrieved at the address:
> > > 
> > > http://article.gmane.org/gmane.linux.kernel.initramfs/1910
> > > 
> > > Roberto Sassu 
> > 
> > Nice!  Thanks, Roberto, for updating the modules. They look really
> > good.
> > 
> > One really minor issue is that although the user can override the
> > default masterkey blob filename, using a boot command line option, the
> > default filename is kernel version specific.  Until the tools are
> > available to create and seal keys to a set of PCRs, as we discussed,
> > perhaps there should be an additional filename default, without the
> > kernel version appended, as well.
> > 
> 
> Hi Mimi
> 
> thanks.
> I think we can solve this issue by adding a new option, called
> 'MULTIKERNELMODE', which can be used to decide if the kernel
> version should be added to the default masterkey filename or
> not. By default, we can set its value to 'NO'.
> 
> Roberto Sassu

Sounds good.

thanks,

Mimi


* Re: [PATCH v2 4/4] dracut: added new module ecryptfs
From: Tyler Hicks @ 2011-07-07 15:55 UTC (permalink / raw)
  To: Roberto Sassu
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Tue Jul 05, 2011 at 06:23:07PM +0200, Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote:
> This module mounts an eCryptfs filesystem from the initial ramdisk using
> an encrypted key.

Thanks Roberto - this is very useful. This patch looks pretty good, but
I do have a few comments below.

> 
> Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> ---
>  dracut.kernel.7.xml                    |    6 ++
>  modules.d/98ecryptfs/README            |   45 +++++++++++++++
>  modules.d/98ecryptfs/ecryptfs-mount.sh |   95 ++++++++++++++++++++++++++++++++
>  modules.d/98ecryptfs/module-setup.sh   |   20 +++++++
>  4 files changed, 166 insertions(+), 0 deletions(-)
>  create mode 100644 modules.d/98ecryptfs/README
>  create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
>  create mode 100755 modules.d/98ecryptfs/module-setup.sh
> 
> diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
> index 759871b..c5d74d0 100644
> --- a/dracut.kernel.7.xml
> +++ b/dracut.kernel.7.xml
> @@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
>              <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
>            </listitem>
>          </varlistentry>
> +        <varlistentry>
> +          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
> +          <listitem>
> +            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
> +          </listitem>
> +        </varlistentry>
>        </variablelist>
>      </refsect2>
>      <refsect2>
> diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
> new file mode 100644
> index 0000000..c592d8d
> --- /dev/null
> +++ b/modules.d/98ecryptfs/README
> @@ -0,0 +1,45 @@
> +# Directions for creating the encrypted key that will be used to mount an
> +# eCryptfs filesystem
> +
> +# Create the eCryptfs key (encrypted key type)
> +#
> +# The encrypted key type supports two formats: the 'default' format allows
> +# to generate a random symmetric key of the length specified, the 'ecryptfs'
> +# format generates an authentication token for the eCryptfs filesystem,
> +# which contains a randomly generated key. Two requirements for the latter
> +# format is that the key description must contain exactly 16 hexadecimal
> +# characters and that the encrypted key length must be equal to 64.
> +$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
> +782117972
> +
> +# Save the encrypted key
> +$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
> +
> +# The eCryptfs key path name can be set in one of the following ways (specified in
> +# the order in which the variable is overwritten):
> +
> +1) use the default value:
> +--------------------------------------------------------------------------
> +ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob
> +--------------------------------------------------------------------------
> +
> +2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
> +variable;
> +
> +3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
> +line.
> +
> +# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
> +# more options for mounting the eCryptfs filesystem:
> +
> +ECRYPTFSDIR: mount point directory for the eCryptfs filesystem (the directory must be
> +             created in the root filesystem before rebooting the system);

I'd like to see an ECRYPTFSSRCDIR and ECRYPTFSDSTDIR defined to allow
different source and destination directories. You can default both of
those variables to "/secret" and still keep the same functionality that
is in this patch.

> +ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
> +                           option is automatically added by the dracut script) 
> +
> +# Example of the configuration file:
> +----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
> +ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob
> +ECRYPTFSDIR="/secret"
> +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> +-----------------------------------------------------------------------
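Review bot: the example configuration at the end of the hunk sets ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob, but the variable read by the script and named in item 2) above is ECRYPTFSKEY, so a user who copies the example gets the built-in default key path without any error; rename the example line to `ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob`.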
> diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
> new file mode 100755
> index 0000000..b1abfc2
> --- /dev/null
> +++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
> @@ -0,0 +1,95 @@
> +#!/bin/sh
> +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> +# ex: ts=8 sw=4 sts=4 et filetype=sh
> +
> +# Licensed under the GPLv2
> +#
> +# Copyright (C) 2011 Politecnico di Torino, Italy
> +#                    TORSEC group -- http://security.polito.it
> +# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> +
> +ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
> +ECRYPTFSKEYTYPE="encrypted"
> +ECRYPTFSKEYDESC="1000100010001000"
> +ECRYPTFSKEYID=""
> +ECRYPTFSDIR="/secret"
> +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"

The default in both eCryptfs mount helpers is
"ecryptfs_cipher=aes,ecryptfs_key_bytes=16"

I'd prefer that you didn't bump the ecryptfs_key_bytes default up to 32
here.

> +
> +load_ecryptfs_key()
> +{
> +    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
> +    # command line
> +    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
> +    [ $? -eq 0 ] && \
> +        ECRYPTFSKEY=$ECRYPTFSKEYARG
> +
> +    # set the default value
> +    [ -z "$ECRYPTFSKEY" ] && \
> +        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
> +
> +    # set the eCryptfs key path name
> +    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
> +
> +    # check for eCryptfs encrypted key's existence
> +    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
> +        if [ "${RD_DEBUG}" = "yes" ]; then
> +            info "eCryptfs: missing the eCryptfs key: ${ECRYPTFSKEYDESC}"

This debug message seems potentially confusing. How about something
along the lines of, "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"?

Tyler

> +        fi
> +        return 1
> +    fi
> +
> +    # read the eCryptfs encrypted key blob
> +    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
> +
> +    # load the eCryptfs encrypted key blob
> +    ECRYPTFSKEYID=`keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u`
> +    [ $? -eq 0 ] || {
> +        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
> +        return 1;
> +    }
> +
> +    return 0
> +}
> +
> +unload_ecryptfs_key()
> +{
> +    # unlink the eCryptfs encrypted key
> +    keyctl unlink ${ECRYPTFSKEYID} @u || {
> +        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
> +        return 1;
> +    }
> +
> +    return 0
> +}
> +
> +mount_ecryptfs()
> +{
> +    # read the configuration from the config file
> +    [ -f "${ECRYPTFSCONFIG}" ] && \
> +        . ${ECRYPTFSCONFIG}
> +
> +    # load the eCryptfs encrypted key
> +    load_ecryptfs_key || return 1
> +
> +    # set the eCryptfs filesystem mount point
> +    ECRYPTFSMNT="${NEWROOT}${ECRYPTFSDIR}"
> +
> +    # build the mount options variable
> +    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
> +    [ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ] && \
> +        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
> +
> +    # mount the eCryptfs filesystem
> +    info "Mounting the configured eCryptfs filesystem"
> +    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSMNT} ${ECRYPTFSMNT} >/dev/null || {
> +        info "eCryptfs: mount of the eCryptfs filesystem failed";
> +        return 1;
> +    }
> +
> +    # unload the eCryptfs encrypted key
> +    unload_ecryptfs_key || return 1
> +
> +    return 0
> +}
> +
> +mount_ecryptfs
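Review bot: `. ${ECRYPTFSCONFIG}` in mount_ecryptfs() executes whatever shell code is in ${NEWROOT}/etc/sysconfig/ecryptfs, a file read from the target root filesystem before the switch, so its integrity should be established before it is sourced; at minimum quote the path and refuse a symlink or a group/other-writable file (`[ -L "$ECRYPTFSCONFIG" ]`, `find "$ECRYPTFSCONFIG" -perm -022`), or read only the expected `NAME=value` lines instead of sourcing, and state in the README which protection (the integrity module's IMA/EVM checks or this one) is relied upon.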
> diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
> new file mode 100755
> index 0000000..56c2d41
> --- /dev/null
> +++ b/modules.d/98ecryptfs/module-setup.sh
> @@ -0,0 +1,20 @@
> +#!/bin/bash
> +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> +# ex: ts=8 sw=4 sts=4 et filetype=sh
> +
> +check() {
> +    return 0
> +}
> +
> +depends() {
> +    echo masterkey
> +    return 0
> +}
> +
> +installkernel() {
> +    instmods ecryptfs
> +}
> +
> +install() {
> +    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
> +}
> -- 
> 1.7.4.4
> 



* Re: [PATCH v2 4/4] dracut: added new module ecryptfs
From: Roberto Sassu @ 2011-07-07 16:09 UTC (permalink / raw)
  To: Tyler Hicks
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

Hi Tyler

thanks for the comments. I'll implement them in
the next version of the patches.
Just one improvement that I can see is to leave
the ECRYPTFS_EXTRA_MOUNT_OPTS variable
empty, so that we don't need to change the
script if the default value of an eCryptfs mount
parameter changes. What do you think about it?

Roberto Sassu


On Thursday, July 07, 2011 05:55:56 PM Tyler Hicks wrote:
> On Tue Jul 05, 2011 at 06:23:07PM +0200, Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote:
> > This module mounts an eCryptfs filesystem from the initial ramdisk using
> > an encrypted key.
> 
> Thanks Roberto - this is very useful. This patch looks pretty good, but
> I do have a few comments below.
> 
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> > Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> > ---
> >  dracut.kernel.7.xml                    |    6 ++
> >  modules.d/98ecryptfs/README            |   45 +++++++++++++++
> >  modules.d/98ecryptfs/ecryptfs-mount.sh |   95 ++++++++++++++++++++++++++++++++
> >  modules.d/98ecryptfs/module-setup.sh   |   20 +++++++
> >  4 files changed, 166 insertions(+), 0 deletions(-)
> >  create mode 100644 modules.d/98ecryptfs/README
> >  create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
> >  create mode 100755 modules.d/98ecryptfs/module-setup.sh
> > 
> > diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
> > index 759871b..c5d74d0 100644
> > --- a/dracut.kernel.7.xml
> > +++ b/dracut.kernel.7.xml
> > @@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
> >              <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
> >            </listitem>
> >          </varlistentry>
> > +        <varlistentry>
> > +          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
> > +          <listitem>
> > +            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
> > +          </listitem>
> > +        </varlistentry>
> >        </variablelist>
> >      </refsect2>
> >      <refsect2>
> > diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
> > new file mode 100644
> > index 0000000..c592d8d
> > --- /dev/null
> > +++ b/modules.d/98ecryptfs/README
> > @@ -0,0 +1,45 @@
> > +# Directions for creating the encrypted key that will be used to mount an
> > +# eCryptfs filesystem
> > +
> > +# Create the eCryptfs key (encrypted key type)
> > +#
> > +# The encrypted key type supports two formats: the 'default' format allows
> > +# to generate a random symmetric key of the length specified, the 'ecryptfs'
> > +# format generates an authentication token for the eCryptfs filesystem,
> > +# which contains a randomly generated key. Two requirements for the latter
> > +# format is that the key description must contain exactly 16 hexadecimal
> > +# characters and that the encrypted key length must be equal to 64.
> > +$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
> > +782117972
> > +
> > +# Save the encrypted key
> > +$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
> > +
> > +# The eCryptfs key path name can be set in one of the following ways (specified in
> > +# the order in which the variable is overwritten):
> > +
> > +1) use the default value:
> > +--------------------------------------------------------------------------
> > +ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob
> > +--------------------------------------------------------------------------
> > +
> > +2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
> > +variable;
> > +
> > +3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
> > +line.
> > +
> > +# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
> > +# more options for mounting the eCryptfs filesystem:
> > +
> > +ECRYPTFSDIR: mount point directory for the eCryptfs filesystem (the directory must be
> > +             created in the root filesystem before rebooting the system);
> 
> I'd like to see an ECRYPTFSSRCDIR and ECRYPTFSDSTDIR defined to allow
> different source and destination directories. You can default both of
> those variables to "/secret" and still keep the same functionality that
> is in this patch.
> 
> > +ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
> > +                           option is automatically added by the dracut script) 
> > +
> > +# Example of the configuration file:
> > +----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
> > +ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob
> > +ECRYPTFSDIR="/secret"
> > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> > +-----------------------------------------------------------------------
> > diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
> > new file mode 100755
> > index 0000000..b1abfc2
> > --- /dev/null
> > +++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
> > @@ -0,0 +1,95 @@
> > +#!/bin/sh
> > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> > +# ex: ts=8 sw=4 sts=4 et filetype=sh
> > +
> > +# Licensed under the GPLv2
> > +#
> > +# Copyright (C) 2011 Politecnico di Torino, Italy
> > +#                    TORSEC group -- http://security.polito.it
> > +# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> > +
> > +ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
> > +ECRYPTFSKEYTYPE="encrypted"
> > +ECRYPTFSKEYDESC="1000100010001000"
> > +ECRYPTFSKEYID=""
> > +ECRYPTFSDIR="/secret"
> > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> 
> The default in both eCryptfs mount helpers is
> "ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
> 
> I'd prefer that you didn't bump the ecryptfs_key_bytes default up to 32
> here.
> 
> > +
> > +load_ecryptfs_key()
> > +{
> > +    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
> > +    # command line
> > +    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
> > +    [ $? -eq 0 ] && \
> > +        ECRYPTFSKEY=$ECRYPTFSKEYARG
> > +
> > +    # set the default value
> > +    [ -z "$ECRYPTFSKEY" ] && \
> > +        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
> > +
> > +    # set the eCryptfs key path name
> > +    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
> > +
> > +    # check for eCryptfs encrypted key's existence
> > +    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
> > +        if [ "${RD_DEBUG}" = "yes" ]; then
> > +            info "eCryptfs: missing the eCryptfs key: ${ECRYPTFSKEYDESC}"
> 
> This debug message seems potentially confusing. How about something
> along the lines of, "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"?
> 
> Tyler
> 
> > +        fi
> > +        return 1
> > +    fi
> > +
> > +    # read the eCryptfs encrypted key blob
> > +    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
> > +
> > +    # load the eCryptfs encrypted key blob
> > +    ECRYPTFSKEYID=`keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u`
> > +    [ $? -eq 0 ] || {
> > +        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
> > +        return 1;
> > +    }
> > +
> > +    return 0
> > +}
> > +
> > +unload_ecryptfs_key()
> > +{
> > +    # unlink the eCryptfs encrypted key
> > +    keyctl unlink ${ECRYPTFSKEYID} @u || {
> > +        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
> > +        return 1;
> > +    }
> > +
> > +    return 0
> > +}
> > +
> > +mount_ecryptfs()
> > +{
> > +    # read the configuration from the config file
> > +    [ -f "${ECRYPTFSCONFIG}" ] && \
> > +        . ${ECRYPTFSCONFIG}
> > +
> > +    # load the eCryptfs encrypted key
> > +    load_ecryptfs_key || return 1
> > +
> > +    # set the eCryptfs filesystem mount point
> > +    ECRYPTFSMNT="${NEWROOT}${ECRYPTFSDIR}"
> > +
> > +    # build the mount options variable
> > +    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
> > +    [ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ] && \
> > +        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
> > +
> > +    # mount the eCryptfs filesystem
> > +    info "Mounting the configured eCryptfs filesystem"
> > +    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSMNT} ${ECRYPTFSMNT} >/dev/null || {
> > +        info "eCryptfs: mount of the eCryptfs filesystem failed";
> > +        return 1;
> > +    }
> > +
> > +    # unload the eCryptfs encrypted key
> > +    unload_ecryptfs_key || return 1
> > +
> > +    return 0
> > +}
> > +
> > +mount_ecryptfs
> > diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
> > new file mode 100755
> > index 0000000..56c2d41
> > --- /dev/null
> > +++ b/modules.d/98ecryptfs/module-setup.sh
> > @@ -0,0 +1,20 @@
> > +#!/bin/bash
> > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> > +# ex: ts=8 sw=4 sts=4 et filetype=sh
> > +
> > +check() {
> > +    return 0
> > +}
> > +
> > +depends() {
> > +    echo masterkey
> > +    return 0
> > +}
> > +
> > +installkernel() {
> > +    instmods ecryptfs
> > +}
> > +
> > +install() {
> > +    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
> > +}
> 
> 
> 


* Re: [PATCH v2 4/4] dracut: added new module ecryptfs
       [not found]             ` <201107071809.12080.roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
@ 2011-07-07 16:32               ` Tyler Hicks
  0 siblings, 0 replies; 15+ messages in thread
From: Tyler Hicks @ 2011-07-07 16:32 UTC (permalink / raw)
  To: Roberto Sassu
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA,
	harald.hoyer-Re5JQEeQqe8AvxtiuMwx3w,
	zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8,
	safford-aZOuKsOsJu3MbYB6QlFGEg, ramunno-8RLafaVCWuNeoWH0uzbU5w,
	kirkland-Z7WLFzj8eWMS+FvcfC7Uqw,
	ecryptfs-devel-oU9gvf+ajcQ97yFScArB1dHuzzzSOjJt

On Thu Jul 07, 2011 at 06:09:11PM +0200, Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote:
> Hi Tyler
> 
> thanks for the comments. I'll implement them in
> the next version of the patches.
> Just one improvement that I can see is to leave
> the ECRYPTFS_EXTRA_MOUNT_OPTS variable
> empty, so that we don't need to change the
> script if the default value of an eCryptfs mount
> parameter changes. What do you think about it?

That makes sense to me.

Tyler

> 
> Roberto Sassu
> 
> 
> On Thursday, July 07, 2011 05:55:56 PM Tyler Hicks wrote:
> > On Tue Jul 05, 2011 at 06:23:07PM +0200, Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org> wrote:
> > > This modules mounts an eCryptfs filesystem from the initial ramdisk using
> > > an encrypted key.
> > 
> > Thanks Roberto - this is very useful. This patch looks pretty good, but
> > I do have a few comments below.
> > 
> > > 
> > > Signed-off-by: Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> > > Acked-by: Gianluca Ramunno <ramunno-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> > > ---
> > >  dracut.kernel.7.xml                    |    6 ++
> > >  modules.d/98ecryptfs/README            |   45 +++++++++++++++
> > >  modules.d/98ecryptfs/ecryptfs-mount.sh |   95 ++++++++++++++++++++++++++++++++
> > >  modules.d/98ecryptfs/module-setup.sh   |   20 +++++++
> > >  4 files changed, 166 insertions(+), 0 deletions(-)
> > >  create mode 100644 modules.d/98ecryptfs/README
> > >  create mode 100755 modules.d/98ecryptfs/ecryptfs-mount.sh
> > >  create mode 100755 modules.d/98ecryptfs/module-setup.sh
> > > 
> > > diff --git a/dracut.kernel.7.xml b/dracut.kernel.7.xml
> > > index 759871b..c5d74d0 100644
> > > --- a/dracut.kernel.7.xml
> > > +++ b/dracut.kernel.7.xml
> > > @@ -724,6 +724,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
> > >              <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
> > >            </listitem>
> > >          </varlistentry>
> > > +        <varlistentry>
> > > +          <term><envar>ecryptfskey=</envar><replaceable>&lt;eCryptfs key path name&gt;</replaceable></term>
> > > +          <listitem>
> > > +            <para>Set the path name of the eCryptfs key. e.g.: <programlisting>ecryptfskey=/etc/keys/ecryptfs-trusted.blob</programlisting></para>
> > > +          </listitem>
> > > +        </varlistentry>
> > >        </variablelist>
> > >      </refsect2>
> > >      <refsect2>
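Review bot: the new ecryptfskey= entry does not say how the path is interpreted; the hook script later in this patch builds ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}", so the value is a path inside the real root filesystem, not inside the initramfs, and the man page entry should state that. It would also help to mention that the parameter overrides both the built-in default and the ECRYPTFSKEY variable from /etc/sysconfig/ecryptfs, since that precedence is currently documented only in the module README.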
> > > diff --git a/modules.d/98ecryptfs/README b/modules.d/98ecryptfs/README
> > > new file mode 100644
> > > index 0000000..c592d8d
> > > --- /dev/null
> > > +++ b/modules.d/98ecryptfs/README
> > > @@ -0,0 +1,45 @@
> > > +# Directions for creating the encrypted key that will be used to mount an
> > > +# eCryptfs filesystem
> > > +
> > > +# Create the eCryptfs key (encrypted key type)
> > > +#
> > > +# The encrypted key type supports two formats: the 'default' format allows
> > > +# to generate a random symmetric key of the length specified, the 'ecryptfs'
> > > +# format generates an authentication token for the eCryptfs filesystem,
> > > +# which contains a randomly generated key. Two requirements for the latter
> > > +# format is that the key description must contain exactly 16 hexadecimal
> > > +# characters and that the encrypted key length must be equal to 64.
> > > +$ keyctl add encrypted 1000100010001000 "new ecryptfs trusted:kmk-trusted 64" @u
> > > +782117972
> > > +
> > > +# Save the encrypted key
> > > +$ su -c 'keyctl pipe `keyctl search @u encrypted 1000100010001000` > /etc/keys/ecryptfs-trusted.blob'
> > > +
> > > +# The eCryptfs key path name can be set in one of the following ways (specified in
> > > +# the order in which the variable is overwritten):
> > > +
> > > +1) use the default value:
> > > +--------------------------------------------------------------------------
> > > +ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob
> > > +--------------------------------------------------------------------------
> > > +
> > > +2) create the configuration file '/etc/sysconfig/ecryptfs' and set the ECRYPTFSKEY
> > > +variable;
> > > +
> > > +3) specify the eCryptfs key path name in the 'ecryptfskey=' parameter of the kernel command
> > > +line.
> > > +
> > > +# The configuration file '/etc/sysconfig/ecryptfs' is also used to specify
> > > +# more options for mounting the eCryptfs filesystem:
> > > +
> > > +ECRYPTFSDIR: mount point directory for the eCryptfs filesystem (the directory must be
> > > +             created in the root filesystem before rebooting the system);
> > 
> > I'd like to see an ECRYPTFSSRCDIR and ECRYPTFSDSTDIR defined to allow
> > different source and destination directories. You can default both of
> > those variables to "/secret" and still keep the same functionality that
> > is in this patch.
> > 
> > > +ECRYPTFS_EXTRA_MOUNT_OPTS: extra mount options for the eCryptfs filesystem (the 'ecryptfs_sig'
> > > +                           option is automatically added by the dracut script) 
> > > +
> > > +# Example of the configuration file:
> > > +----------- '/etc/sysconfig/ecryptfs' (with default values) -----------
> > > +ECRYPTFS_KEY=/etc/keys/ecryptfs-trusted.blob
> > > +ECRYPTFSDIR="/secret"
> > > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> > > +-----------------------------------------------------------------------
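Review bot: the example configuration file at the end of this hunk sets ECRYPTFS_KEY=, but item 1) above and the hook script both use ECRYPTFSKEY (no underscore); a user who copies the example will have the key path silently ignored and the default /etc/keys/ecryptfs-trusted.blob used instead. Please rename it to "ECRYPTFSKEY=/etc/keys/ecryptfs-trusted.blob". The example also shows ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32", which will need to follow whatever default the script ends up with. Two grammar slips in the description text ("allows to generate", "Two requirements ... is") are worth tidying at the same time.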
> > > diff --git a/modules.d/98ecryptfs/ecryptfs-mount.sh b/modules.d/98ecryptfs/ecryptfs-mount.sh
> > > new file mode 100755
> > > index 0000000..b1abfc2
> > > --- /dev/null
> > > +++ b/modules.d/98ecryptfs/ecryptfs-mount.sh
> > > @@ -0,0 +1,95 @@
> > > +#!/bin/sh
> > > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> > > +# ex: ts=8 sw=4 sts=4 et filetype=sh
> > > +
> > > +# Licensed under the GPLv2
> > > +#
> > > +# Copyright (C) 2011 Politecnico di Torino, Italy
> > > +#                    TORSEC group -- http://security.polito.it
> > > +# Roberto Sassu <roberto.sassu-8RLafaVCWuNeoWH0uzbU5w@public.gmane.org>
> > > +
> > > +ECRYPTFSCONFIG="${NEWROOT}/etc/sysconfig/ecryptfs"
> > > +ECRYPTFSKEYTYPE="encrypted"
> > > +ECRYPTFSKEYDESC="1000100010001000"
> > > +ECRYPTFSKEYID=""
> > > +ECRYPTFSDIR="/secret"
> > > +ECRYPTFS_EXTRA_MOUNT_OPTS="ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
> > 
> > The default in both eCryptfs mount helpers is
> > "ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
> > 
> > I'd prefer that you didn't bump the ecryptfs_key_bytes default up to 32
> > here.
> > 
> > > +
> > > +load_ecryptfs_key()
> > > +{
> > > +    # override the eCryptfs key path name from the 'ecryptfskey=' parameter in the kernel
> > > +    # command line
> > > +    ECRYPTFSKEYARG=$(getarg ecryptfskey=)
> > > +    [ $? -eq 0 ] && \
> > > +        ECRYPTFSKEY=$ECRYPTFSKEYARG
> > > +
> > > +    # set the default value
> > > +    [ -z "$ECRYPTFSKEY" ] && \
> > > +        ECRYPTFSKEY="/etc/keys/ecryptfs-trusted.blob";
> > > +
> > > +    # set the eCryptfs key path name
> > > +    ECRYPTFSKEYPATH="${NEWROOT}${ECRYPTFSKEY}"
> > > +
> > > +    # check for eCryptfs encrypted key's existence
> > > +    if [ ! -f "${ECRYPTFSKEYPATH}" ]; then
> > > +        if [ "${RD_DEBUG}" = "yes" ]; then
> > > +            info "eCryptfs: missing the eCryptfs key: ${ECRYPTFSKEYDESC}"
> > 
> > This debug message seems potentially confusing. How about something
> > along the lines of, "eCryptfs: key file not found: ${ECRYPTFSKEYPATH}"?
> > 
> > Tyler
> > 
> > > +        fi
> > > +        return 1
> > > +    fi
> > > +
> > > +    # read the eCryptfs encrypted key blob
> > > +    KEYBLOB=$(cat ${ECRYPTFSKEYPATH})
> > > +
> > > +    # load the eCryptfs encrypted key blob
> > > +    ECRYPTFSKEYID=`keyctl add ${ECRYPTFSKEYTYPE} ${ECRYPTFSKEYDESC} "load ${KEYBLOB}" @u`
> > > +    [ $? -eq 0 ] || {
> > > +        info "eCryptfs: failed to load the eCryptfs key: ${ECRYPTFSKEYDESC}";
> > > +        return 1;
> > > +    }
> > > +
> > > +    return 0
> > > +}
> > > +
> > > +unload_ecryptfs_key()
> > > +{
> > > +    # unlink the eCryptfs encrypted key
> > > +    keyctl unlink ${ECRYPTFSKEYID} @u || {
> > > +        info "eCryptfs: failed to unlink the eCryptfs key: ${ECRYPTFSKEYDESC}";
> > > +        return 1;
> > > +    }
> > > +
> > > +    return 0
> > > +}
> > > +
> > > +mount_ecryptfs()
> > > +{
> > > +    # read the configuration from the config file
> > > +    [ -f "${ECRYPTFSCONFIG}" ] && \
> > > +        . ${ECRYPTFSCONFIG}
> > > +
> > > +    # load the eCryptfs encrypted key
> > > +    load_ecryptfs_key || return 1
> > > +
> > > +    # set the eCryptfs filesystem mount point
> > > +    ECRYPTFSMNT="${NEWROOT}${ECRYPTFSDIR}"
> > > +
> > > +    # build the mount options variable
> > > +    ECRYPTFS_MOUNT_OPTS="ecryptfs_sig=${ECRYPTFSKEYDESC}"
> > > +    [ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ] && \
> > > +        ECRYPTFS_MOUNT_OPTS="${ECRYPTFS_MOUNT_OPTS},${ECRYPTFS_EXTRA_MOUNT_OPTS}"
> > > +
> > > +    # mount the eCryptfs filesystem
> > > +    info "Mounting the configured eCryptfs filesystem"
> > > +    mount -i -t ecryptfs -o${ECRYPTFS_MOUNT_OPTS} ${ECRYPTFSMNT} ${ECRYPTFSMNT} >/dev/null || {
> > > +        info "eCryptfs: mount of the eCryptfs filesystem failed";
> > > +        return 1;
> > > +    }
> > > +
> > > +    # unload the eCryptfs encrypted key
> > > +    unload_ecryptfs_key || return 1
> > > +
> > > +    return 0
> > > +}
> > > +
> > > +mount_ecryptfs
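Review bot: in mount_ecryptfs() the test "[ ! -z ${ECRYPTFS_EXTRA_MOUNT_OPTS} ]" leaves the variable unquoted, so an empty value (which you plan to make the default) turns into "[ ! -z ]" and only evaluates correctly by accident, and a value containing whitespace breaks the test outright; use "[ -n "${ECRYPTFS_EXTRA_MOUNT_OPTS}" ]" and quote the other expansions too (". ${ECRYPTFSCONFIG}", "cat ${ECRYPTFSKEYPATH}", the arguments of the mount command). A second logic point: when "mount -t ecryptfs" fails the function returns 1 before unload_ecryptfs_key runs, so the encrypted key stays linked in the user keyring (@u), which outlives the initramfs process; unlink it on the failure path as well. Finally, the missing-key message at the top of load_ecryptfs_key is printed only when RD_DEBUG=yes while every other failure is reported unconditionally; a silently skipped mount is hard to diagnose, so consider always logging it (with the ECRYPTFSKEYPATH wording suggested above).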
> > > diff --git a/modules.d/98ecryptfs/module-setup.sh b/modules.d/98ecryptfs/module-setup.sh
> > > new file mode 100755
> > > index 0000000..56c2d41
> > > --- /dev/null
> > > +++ b/modules.d/98ecryptfs/module-setup.sh
> > > @@ -0,0 +1,20 @@
> > > +#!/bin/bash
> > > +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
> > > +# ex: ts=8 sw=4 sts=4 et filetype=sh
> > > +
> > > +check() {
> > > +    return 0
> > > +}
> > > +
> > > +depends() {
> > > +    echo masterkey
> > > +    return 0
> > > +}
> > > +
> > > +installkernel() {
> > > +    instmods ecryptfs
> > > +}
> > > +
> > > +install() {
> > > +    inst_hook pre-pivot 63 "$moddir/ecryptfs-mount.sh"
> > > +}
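Review bot: check() returns 0 unconditionally, so the module is pulled into every image even when nothing on the build host can use it; consider returning 1 when the keyctl binary is not available. install() only adds the hook script, so the keyctl binary that ecryptfs-mount.sh calls must come from the masterkey module listed in depends(); a one-line comment in install() saying so would keep that dependency from being broken by a later cleanup. A style point: this file uses #!/bin/bash while ecryptfs-mount.sh uses #!/bin/sh; if that is intentional (module-setup.sh runs on the host, the hook runs inside the initramfs) a short comment would make it clear.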
> > 
> > 
> > 
