feat(encrypt_disk): add systemd-cryptenroll option

When Secret Registration Client is not enabled, allow disk encryption
with systemd-cryptenroll. This binds disk encryption with TPM PCR7.
Use crypttab and fstab for auto mount.

Signed-off-by: Li Tian <litian@redhat.com>

Author: litian1992

README.md

@@ -66,11 +66,14 @@ When enabled, this task:
 
 ## Encrypt Disk
 
-When enabled, this task:
+An unpartitioned empty disk must be attached to the target. When enabled, this task:
 
 1. Finds the first unpartitioned and unmounted disk
-2. Requests disk encryption key from Secret Registration Client
-3. Encrypts the disk using above encryption key and mounts it at the designated path
+2. Encrypts the disk using a key from either:
+  a. secret key fetched using Secret Registration Client (when enabled), or
+  b. `systemd-cryptenroll` which binds to PCR 7
+3. Mounts it at the designated path
+4. Sets up automatic unlock and mount either with Secret Registration Client service or /etc/crypttab with `systemd-cryptenroll`
 
 ## License
 

tasks/encrypt_disk.yml

@@ -43,6 +43,22 @@
       ansible.builtin.shell: |
         /usr/local/bin/secret_registration_client.sh --fetch-key-to {{ __trustee_client_secret_key_tempfile.path }}
       changed_when: true
+      when: trustee_client_secret_registration_enabled | bool
+      no_log: true
+
+    - name: Check systemd-cryptenroll command exists
+      ansible.builtin.command: command -v systemd-cryptenroll
+      register: __trustee_client_cryptenroll_check
+      changed_when: false
+      when: not trustee_client_secret_registration_enabled | bool
+
+    - name: Create a random disk encryption key
+      ansible.builtin.shell: |
+        head -c 32 /dev/urandom | base64 > {{ __trustee_client_secret_key_tempfile.path }}
+      changed_when: true
+      when:
+        - __trustee_client_cryptenroll_check.rc == 0
+        - not trustee_client_secret_registration_enabled | bool
       no_log: true
 
     - name: Encrypt the partition
@@ -51,13 +67,46 @@
         parted -s {{ __trustee_client_disk_device }} mklabel gpt
         parted -s {{ __trustee_client_disk_device }} mkpart primary ext4 0% 100%
         cryptsetup luksFormat --key-file {{ __trustee_client_secret_key_tempfile.path }} --batch-mode {{ __trustee_client_disk_partition }}
-        cryptsetup open --key-file {{ __trustee_client_secret_key_tempfile.path }} {{ __trustee_client_disk_partition }} encrypted-disk
-        mkfs.ext4 /dev/mapper/encrypted-disk
+        cryptsetup open --key-file {{ __trustee_client_secret_key_tempfile.path }} {{ __trustee_client_disk_partition }} encrypted_disk
+        mkfs.ext4 /dev/mapper/encrypted_disk
         [ -d {{ trustee_client_encrypt_disk_mount_point }} ] || mkdir -p {{ trustee_client_encrypt_disk_mount_point }}
-        mount /dev/mapper/encrypted-disk {{ trustee_client_encrypt_disk_mount_point }}
+        mount /dev/mapper/encrypted_disk {{ trustee_client_encrypt_disk_mount_point }}
       changed_when: true
       no_log: true
 
+    - name: TPM2 cryptenroll and configure crypttab/fstab
+      when:
+        - __trustee_client_cryptenroll_check.rc == 0
+        - not trustee_client_secret_registration_enabled | bool
+      block:
+        - name: Bind TPM2 slot to LUKS volume
+          ansible.builtin.shell: |
+            set -o pipefail
+            systemd-cryptenroll {{ __trustee_client_disk_partition }} --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file={{ __trustee_client_secret_key_tempfile.path }}
+            systemd-cryptenroll {{ __trustee_client_disk_partition }} --wipe-slot=password
+          no_log: true
+
+        - name: Get UUID of the LUKS partition
+          ansible.builtin.command: "lsblk -dno UUID {{ __trustee_client_disk_partition }}"
+          register: __luks_uuid
+          changed_when: false
+
+        - name: Configure /etc/crypttab for TPM auto-unlock
+          ansible.builtin.lineinfile:
+            path: /etc/crypttab
+            line: "encrypted_disk    UUID={{ __luks_uuid.stdout }}    none    tpm2-device=auto"
+            regexp: '^encrypted_disk\s+'
+            create: true
+            mode: "0600"
+
+        - name: Configure /etc/fstab and mount volume
+          ansible.builtin.mount:
+            path: "{{ trustee_client_encrypt_disk_mount_point }}"
+            src: /dev/mapper/encrypted_disk
+            fstype: ext4
+            opts: defaults,x-systemd.requires=systemd-cryptsetup@encrypted_disk.service
+            state: mounted
+
     - name: Clean up disk encryption key file
       ansible.builtin.file:
         path: "{{ __trustee_client_secret_key_tempfile.path }}"

tasks/main.yml

@@ -17,7 +17,6 @@
   include_tasks: encrypt_disk.yml
   when:
     - trustee_client_encrypt_disk | bool
-    - trustee_client_secret_registration_enabled | bool
 
 - name: Flush handlers to ensure services are started
   ansible.builtin.meta: flush_handlers

templates/secret_registration_client.sh.j2

@@ -61,8 +61,8 @@ mount_disk() {
     trap 'rm -f "$key_path"' EXIT
     fetch_key "$key_path"
     mkdir -p "$MOUNT_POINT" || die "Failed to create mount point directory"
-    cryptsetup open --key-file "$key_path" "$disk_partition" encrypted-disk || die "Failed to open encrypted disk"
-    mount /dev/mapper/encrypted-disk "$MOUNT_POINT" || die "Failed to mount encrypted disk"
+    cryptsetup open --key-file "$key_path" "$disk_partition" encrypted_disk || die "Failed to open encrypted disk"
+    mount /dev/mapper/encrypted_disk "$MOUNT_POINT" || die "Failed to mount encrypted disk"
     log "Mounted encrypted disk at $MOUNT_POINT"
 }
 

tests/tests_encrypt_disk.yml

@@ -75,25 +75,25 @@
       ansible.builtin.assert:
         that:
           - >-
-            '/dev/mapper/encrypted-disk' in
+            '/dev/mapper/encrypted_disk' in
             (__test_findmnt.stdout | trim)
         fail_msg: >-
-          Expected /dev/mapper/encrypted-disk to be mounted at
+          Expected /dev/mapper/encrypted_disk to be mounted at
           {{ trustee_client_encrypt_disk_mount_point }} but found:
           {{ __test_findmnt.stdout }}
       when: not __test_skip_encrypt_assertions
 
     - name: Stat the LUKS mapper device
       ansible.builtin.stat:
-        path: /dev/mapper/encrypted-disk
+        path: /dev/mapper/encrypted_disk
       register: __test_mapper_dev
       when: not __test_skip_encrypt_assertions
 
     - name: Assert LUKS mapper device exists
       ansible.builtin.assert:
         that:
           - __test_mapper_dev.stat.exists
-        fail_msg: "LUKS mapper device /dev/mapper/encrypted-disk does not exist"
+        fail_msg: "LUKS mapper device /dev/mapper/encrypted_disk does not exist"
       when: not __test_skip_encrypt_assertions
 
     - name: Assert encrypted_disk_key fact was set
@@ -137,3 +137,113 @@
           /etc/containers/storage.conf does not reference the encrypted
           disk mount point {{ trustee_client_encrypt_disk_mount_point }}
       when: not __test_skip_encrypt_assertions
+
+- name: Ensure disk encryption works with systemd-cryptenroll when secret_registration_client is disabled
+  hosts: all
+  gather_facts: false
+  vars:
+    trustee_client_trustee_gc: false
+    trustee_client_encrypt_disk: true
+    trustee_client_secret_registration_enabled: false
+    trustee_client_encrypt_disk_mount_point: /mnt/encrypted-disk
+  tasks:
+    - name: Check for an unpartitioned disk device
+      ansible.builtin.shell: |
+        set -o pipefail
+        lsblk -n -o NAME,TYPE,PKNAME | awk '
+          $2=="disk" && $1 !~ /^zram|^loop|^dm/ { disk=$1; haspart[disk]=0 }
+          $2=="part" { parent=$3; if (parent in haspart) haspart[parent]=1 }
+          END {
+            for (d in haspart) {
+              if (haspart[d] == 0) {
+                print d
+                exit 0
+              }
+            }
+          }
+        '
+      register: __test_unpartitioned_disk
+      changed_when: false
+      failed_when: false
+
+    - name: Set fact when no unpartitioned disk is available
+      ansible.builtin.set_fact:
+        __test_skip_cryptenroll_assertions: "{{ __test_unpartitioned_disk.stdout | trim == '' }}"
+
+    - name: Check systemd-cryptenroll exists
+      ansible.builtin.command: type systemd-cryptenroll
+      register: __test_cryptenroll_check
+      changed_when: false
+      failed_when: false
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Set fact when systemd-cryptenroll is not available
+      ansible.builtin.set_fact:
+        __test_skip_cryptenroll_assertions: "{{ __test_skip_cryptenroll_assertions or __test_cryptenroll_check.rc != 0 }}"
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Run trustee_client role with disk encryption (cryptenroll path)
+      ansible.builtin.include_role:
+        name: linux-system-roles.trustee_client
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Stat the encrypted disk mount point
+      ansible.builtin.stat:
+        path: "{{ trustee_client_encrypt_disk_mount_point }}"
+      register: __test_mount_point
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Assert mount point directory exists
+      ansible.builtin.assert:
+        that:
+          - __test_mount_point.stat.exists
+          - __test_mount_point.stat.isdir
+        fail_msg: >-
+          Encrypted disk mount point
+          {{ trustee_client_encrypt_disk_mount_point }} does not exist
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Assert the encrypted disk is mounted
+      ansible.builtin.command: findmnt --noheadings --output SOURCE {{ trustee_client_encrypt_disk_mount_point }}
+      register: __test_findmnt
+      changed_when: false
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Assert the mounted device is the LUKS mapper device
+      ansible.builtin.assert:
+        that:
+          - __test_findmnt.rc == 0
+          - "'/dev/mapper/encrypted_disk' in (__test_findmnt.stdout | default('') | trim)"
+        fail_msg: >-
+          Expected /dev/mapper/encrypted_disk to be mounted at
+          {{ trustee_client_encrypt_disk_mount_point }} but found:
+          {{ __test_findmnt.stdout | default('') }}
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Assert crypttab contains encrypted_disk entry
+      ansible.builtin.slurp:
+        src: /etc/crypttab
+      register: __test_crypttab
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Verify crypttab has encrypted_disk with tpm2-device=auto
+      ansible.builtin.assert:
+        that:
+          - "'encrypted_disk' in (__test_crypttab.content | b64decode)"
+          - "'tpm2-device=auto' in (__test_crypttab.content | b64decode)"
+        fail_msg: "/etc/crypttab does not contain encrypted_disk entry with tpm2-device=auto"
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Assert fstab contains encrypted disk mount
+      ansible.builtin.slurp:
+        src: /etc/fstab
+      register: __test_fstab
+      when: not __test_skip_cryptenroll_assertions
+
+    - name: Verify fstab has encrypted disk mount point
+      ansible.builtin.assert:
+        that:
+          - trustee_client_encrypt_disk_mount_point in (__test_fstab.content | b64decode)
+          - "'/dev/mapper/encrypted_disk' in (__test_fstab.content | b64decode)"
+        fail_msg: "/etc/fstab does not contain encrypted disk mount entry"
+      when: not __test_skip_cryptenroll_assertions