Add support to allow unlocking a luks volume by keyfile

...reworked the luks mappings a little to allow more complex patterns of parsing parameters and building mappings.

This slightly tweaks creating luksMapping lists so they can occur multiple times in the kernel parameter list and it just updates the relevant properties for each mapping (to allow extending even further if desired).

updated luksMapping type to hold a keyfile
add a luksMapping findOrCreate function in luks.go, either finds the existing mapping by UUID or adds one
update the rd.luks.uuid and rd.luks.name in cmdline.go to make use of findOrCreate
adds rd.luks.key with the format UUID=keyfile which should point to a file in initramfs containing the password
adds recoverKeyfilePassword go routine which attempts to read the password from the keyfile and unlock the device, falling back to running the requestKeyboardPassword option if that fails
update luksOpen to call recoverKeyfilePassword if a keyfile is defined on the mapping
Putting this forward more as an idea for the approach, not sure how good or bad the specific way I implemented it is.

Implements #37

Author: jacobmyers-codeninja

docs/manpage.md

@@ -114,6 +114,7 @@ Some parts of booster boot functionality can be modified with kernel boot parame
  * `rootflags=$OPTIONS` mount options for the root filesystem, e.g. rootflags=user_xattr,nobarrier. In partition autodiscovery mode GPT attribute 60 ("read-only") is taken into account.
  * `rd.luks.uuid=$UUID` UUID of the LUKS partition where the root partition is enclosed. booster will try to unlock this LUKS device.
  * `rd.luks.name=$UUID=$NAME` similar to rd.luks.uuid parameter but also specifies the name used for the LUKS device opening.
+ * `rd.luks.key=$UUID=$PATH` absolute path to a keyfile in the initrd/initramfs which can be unsed to unlock the device identified by UUID, if this file does not exist or fails to unlock it will fall back to a password request.
  * `rd.luks.options=opt1,opt2` a comma-separated list of LUKS flags. Supported options are `discard`, `same-cpu-crypt`, `submit-from-crypt-cpus`, `no-read-workqueue`, `no-write-workqueue`.
     Note that booster also supports LUKS v2 persistent flags stored with the partition metadata. Any command-line options are added on top of the persistent flags.
  * `resume=$deviceref` device reference to suspend-to-disk device.

init/cmdline.go

@@ -222,27 +222,52 @@ func parseParams(params string) error {
 			if len(parts) != 2 {
 				return fmt.Errorf("invalid rd.luks.name kernel parameter %s, expected format rd.luks.name=<UUID>=<name>", value)
 			}
+
 			uuid, err := parseUUID(parts[0])
 			if err != nil {
 				return fmt.Errorf("invalid UUID %s %v", parts[0], err)
 			}
 
-			dev := luksMapping{
-				ref:  &deviceRef{refFsUUID, uuid},
-				name: parts[1],
-			}
-			luksMappings = append(luksMappings, dev)
+			m := findOrCreateLuksMapping(uuid)
+			m.name = parts[1]
 		case "rd.luks.uuid":
-			u, err := parseUUID(value)
+			uuid, err := parseUUID(value)
 			if err != nil {
 				return fmt.Errorf("invalid UUID %s in rd.luks.uuid boot param: %v", value, err)
 			}
 
-			dev := luksMapping{
-				ref:  &deviceRef{refFsUUID, u},
-				name: "luks-" + value,
+			findOrCreateLuksMapping(uuid)
+		case "rd.luks.key":
+			var uuid UUID
+			var keyfile string
+
+			parts := strings.SplitN(value, "=", 2)
+
+			if len(parts) == 1 {
+				// do we only have 1 luks device?
+				if len(luksMappings) == 1 {
+					// we attach to it and hope for the best
+					uuid = luksMappings[0].ref.data.(UUID)
+				} else {
+					// don't know what to do here
+					return fmt.Errorf("invalid rd.luks.key kernel parameter %s, more than 1 luks device", value)
+				}
+
+				keyfile = parts[0]
+			} else if len(parts) == 2 {
+				var err error
+				uuid, err = parseUUID(parts[0])
+				if err != nil {
+					return fmt.Errorf("invalid UUID %s in rd.luks.key boot param: %v", value, err)
+				}
+
+				keyfile = parts[1]
+			} else {
+				return fmt.Errorf("invalid rd.luks.key kernel parameter %s, expected format rd.luks.key=<UUID>=<keyfile>", value)
 			}
-			luksMappings = append(luksMappings, dev)
+
+			m := findOrCreateLuksMapping(uuid)
+			m.keyfile = keyfile
 		case "zfs":
 			zfsDataset = value
 		default:

init/luks.go

@@ -12,6 +12,7 @@ import (
 	"net"
 	"os"
 	"os/exec"
+	"regexp"
 	"strings"
 	"time"
 
@@ -24,6 +25,7 @@ import (
 type luksMapping struct {
 	ref     *deviceRef
 	name    string
+	keyfile string
 	options []string
 }
 
@@ -298,6 +300,47 @@ func recoverTokenPassword(volumes chan *luks.Volume, d luks.Device, t luks.Token
 	info("password from %s token #%d does not match", t.Type, t.ID)
 }
 
+func recoverKeyfilePassword(volumes chan *luks.Volume, d luks.Device, checkSlots []int, mappingName string, keyfile string) {
+	var err error
+	var password []byte
+
+	// keyfile might be in the format /path:UUID=<DEV UUID> to indicate the keyfile lives on another device
+	parts := regexp.MustCompile("(?i):UUID=").Split(keyfile, 2)
+
+	if len(parts) == 1 {
+		password, err = os.ReadFile(parts[0])
+
+		if err != nil {
+			warning("reading password: %v", err)
+		}
+	} else {
+		// read password from device matching uuid
+		uuid, err := parseUUID(parts[1])
+		if err != nil {
+			warning("invalid UUID %s in rd.luks.key boot param: %s", uuid, keyfile)
+		} else {
+			// TODO: access path on uuid device, read password
+			warning("user wants keyfile from device %s, but I don't know how to do that", uuid)
+		}
+	}
+
+	if len(password) > 0 {
+		for _, s := range checkSlots {
+			v, err := d.UnsealVolume(s, password)
+			if err == luks.ErrPassphraseDoesNotMatch {
+				continue
+			}
+			volumes <- v
+			return
+		}
+	}
+
+	warning("password in keyfile #{keyfile} was unable to unseal #{mappingName}\n")
+
+	// have to use keyboard password
+	requestKeyboardPassword(volumes, d, checkSlots, mappingName)
+}
+
 func requestKeyboardPassword(volumes chan *luks.Volume, d luks.Device, checkSlots []int, mappingName string) {
 	for {
 		prompt := fmt.Sprintf("Enter passphrase for %s:", mappingName)
@@ -369,7 +412,13 @@ func luksOpen(dev string, mapping *luksMapping) error {
 		}
 	}
 	if len(checkSlotsWithPassword) > 0 {
-		go requestKeyboardPassword(volumes, d, checkSlotsWithPassword, mapping.name)
+		// is there a keyfile defined for the password for this volume?
+		if len(mapping.keyfile) > 0 {
+			// if the keyfile doesn't work we will fallback to password
+			go recoverKeyfilePassword(volumes, d, checkSlotsWithPassword, mapping.name, mapping.keyfile)
+		} else {
+			go requestKeyboardPassword(volumes, d, checkSlotsWithPassword, mapping.name)
+		}
 	}
 
 	v := <-volumes
@@ -381,7 +430,7 @@ func luksOpen(dev string, mapping *luksMapping) error {
 func matchLuksMapping(blk *blkInfo) *luksMapping {
 	for _, m := range luksMappings {
 		if blk.matchesRef(m.ref) {
-			return &m
+			return m
 		}
 	}
 
@@ -410,3 +459,24 @@ func handleLuksBlockDevice(blk *blkInfo) error {
 
 	return luksOpen(blk.path, m)
 }
+
+func findOrCreateLuksMapping(uuid UUID) *luksMapping {
+	blk := blkInfo{
+		uuid: uuid,
+	}
+
+	for _, o := range luksMappings {
+		if blk.matchesRef(o.ref) {
+			return o
+		}
+	}
+
+	// didn't locate the device make a new one
+	m := &luksMapping{
+		ref:  &deviceRef{refFsUUID, uuid},
+		name: "luks-" + uuid.toString(),
+	}
+	luksMappings = append(luksMappings, m)
+
+	return m
+}

init/main.go

@@ -36,7 +36,7 @@ var (
 
 	initBinary = "/sbin/init" // path to init binary inside the user's chroot
 
-	luksMappings []luksMapping // list of LUKS devices that booster unlocked during boot process
+	luksMappings []*luksMapping // list of LUKS devices that booster unlocked during boot process
 
 	rootAutodiscoveryMode       bool
 	rootAutodiscoveryMountFlags uintptr // autodiscovery mode uses GPT attribute to configure mount flags