diff --git a/cryptpilot-0.2.4.tar.gz b/cryptpilot-0.2.9.tar.gz similarity index 77% rename from cryptpilot-0.2.4.tar.gz rename to cryptpilot-0.2.9.tar.gz index e8d026ca8665c6f547ce15f5c711340693b17719..11d099a7d24263bc22384c1d6929deb9e0aef224 100644 Binary files a/cryptpilot-0.2.4.tar.gz and b/cryptpilot-0.2.9.tar.gz differ diff --git a/cryptpilot.spec b/cryptpilot.spec index f27128240a7bf229a8b71a29acaa35ab5b47376e..b580faa1732097b9f3d396592c2f9949c07c8bf2 100644 --- a/cryptpilot.spec +++ b/cryptpilot.spec @@ -2,29 +2,34 @@ %define release_num 1 Name: cryptpilot -Version: 0.2.4 +Version: 0.2.9 Release: %{release_num}%{?dist} Summary: A utility for protecting data at rest in confidential environment Group: Applications/System License: Apache-2.0 URL: https://www.alibaba.com -Source0: https://github.com/openanolis/cryptpilot/releases/download/v%{version}-%{release_num}/cryptpilot-%{version}.tar.gz +Source0: https://github.com/openanolis/cryptpilot/releases/download/v%{version}/cryptpilot-%{version}.tar.gz Requires: dracut Requires: lvm2 Requires: cryptsetup Requires: coreutils Requires: systemd +Requires: systemd-udev Requires: veritysetup Requires: device-mapper-libs +Requires: kmod # mkfs.vfat Requires: dosfstools # mkfs.xfs Requires: xfsprogs # mkfs.ext4 Requires: e2fsprogs -# swapon +# swapon, sfdisk Requires: util-linux +# qemu-nbd +Requires: qemu-img +Requires: file # If not installed, the kbs and kms-oidc keyprovider will not work. Recommends: confidential-data-hub 
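Review bot: `Requires: qemu-img` makes the QEMU tooling a hard dependency of every install, including protected guests that may only need the boot-time unlock path. The comment says it is there for qemu-nbd, and the changelog added later in this patch mentions NBD mainly for cryptpilot-convert and show-reference-value. If that holds, `Recommends: qemu-img` would keep the guest's installed footprint smaller, in the same way as the existing `Recommends: confidential-data-hub`. Separately, `Requires: file` sits under the `# qemu-nbd` comment with no annotation of its own; a line such as `# file, called from mkfs.rs` above it would match the other commented requirements.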
@@ -73,43 +78,55 @@ install -p -m 755 dist/dracut/modules.d/91cryptpilot/initrd-trigger-network-onli install -p -m 755 dist/dracut/modules.d/91cryptpilot/initrd-wait-network-online.sh %{buildroot}%{dracut_dst} install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-before-sysroot.service %{buildroot}%{dracut_dst} install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-fde-after-sysroot.service %{buildroot}%{dracut_dst} -install -p -m 644 dist/dracut/modules.d/91cryptpilot/cryptpilot-auto-open.service %{buildroot}%{dracut_dst} install -p -m 644 dist/dracut/modules.d/91cryptpilot/initrd-wait-network-online.service %{buildroot}%{dracut_dst} +install -p -m 644 dist/dracut/modules.d/91cryptpilot/lvm.conf %{buildroot}%{dracut_dst} install -d -p %{buildroot}%{_prefix}/lib/systemd/system +install -p -m 644 dist/systemd/cryptpilot.service %{buildroot}%{_prefix}/lib/systemd/system/cryptpilot.service install -d -p %{buildroot}/etc/cryptpilot install -p -m 600 dist/etc/global.toml.template %{buildroot}/etc/cryptpilot/global.toml.template install -p -m 600 dist/etc/fde.toml.template %{buildroot}/etc/cryptpilot/fde.toml.template install -d -p %{buildroot}/etc/cryptpilot/volumes -install -p -m 600 dist/etc/volumes/kms.toml.template %{buildroot}/etc/cryptpilot/volumes/kms.toml.template install -p -m 600 dist/etc/volumes/otp.toml.template %{buildroot}/etc/cryptpilot/volumes/otp.toml.template install -p -m 600 dist/etc/volumes/kbs.toml.template %{buildroot}/etc/cryptpilot/volumes/kbs.toml.template +install -p -m 600 dist/etc/volumes/kms.toml.template %{buildroot}/etc/cryptpilot/volumes/kms.toml.template +install -p -m 600 dist/etc/volumes/oidc.toml.template %{buildroot}/etc/cryptpilot/volumes/oidc.toml.template install -p -m 600 dist/etc/volumes/exec.toml.template %{buildroot}/etc/cryptpilot/volumes/exec.toml.template +install -d -p %{buildroot}/usr/share/cryptpilot +install -p -m 644 dist/usr/share/cryptpilot/policy.rego 
%{buildroot}/usr/share/cryptpilot/policy.rego +install -d -p %{buildroot}/usr/lib/udev/rules.d +install -p -m 644 dist/usr/lib/udev/rules.d/12-cryptpilot-hide-intermediate-devices.rules %{buildroot}/usr/lib/udev/rules.d/12-cryptpilot-hide-intermediate-devices.rules popd + %post -# Check if it is a install or update -if [ $1 == 1 ] || [ $1 == 2 ]; then - if command -v dracut >&- ; then - echo "Updating initrd ..." - dracut --force - fi +# Reload systemd manager configuration to pick up new/updated service files +if command -v systemctl >/dev/null 2>&1; then + systemctl daemon-reload || : +fi + +# Reload udev rules to apply new device filtering rules +if command -v udevadm >/dev/null 2>&1; then + udevadm control --reload-rules || : fi + %clean -rm -f ~/.cargo/config rm -rf %{buildroot} + %files %license src/LICENSE %{_prefix}/bin/cryptpilot %{_prefix}/bin/cryptpilot-convert +%{_prefix}/lib/systemd/system/cryptpilot.service %dir /etc/cryptpilot /etc/cryptpilot/global.toml.template /etc/cryptpilot/fde.toml.template %dir /etc/cryptpilot/volumes /etc/cryptpilot/volumes/otp.toml.template -/etc/cryptpilot/volumes/kms.toml.template /etc/cryptpilot/volumes/kbs.toml.template +/etc/cryptpilot/volumes/kms.toml.template +/etc/cryptpilot/volumes/oidc.toml.template /etc/cryptpilot/volumes/exec.toml.template %dir %{dracut_dst} %{dracut_dst}module-setup.sh 
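Review bot: The rewritten `%post` no longer runs `dracut --force`, yet this hunk changes what the 91cryptpilot dracut module ships (`lvm.conf` added, `cryptpilot-auto-open.service` dropped). An upgraded system therefore keeps booting the previously built initrd until someone regenerates it. The changelog ties the LVM resize fix to the custom lvm.conf in the initramfs, so that fix would not reach existing installs through a package update alone. If skipping the rebuild is deliberate, for example so the measured initrd does not drift from published reference values, say so in the scriptlet with a comment such as `# initrd is intentionally not rebuilt here; run "dracut --force" and refresh reference values after upgrading`.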
@@ -117,10 +134,149 @@ rm -rf %{buildroot} %{dracut_dst}initrd-wait-network-online.sh %{dracut_dst}cryptpilot-fde-before-sysroot.service %{dracut_dst}cryptpilot-fde-after-sysroot.service -%{dracut_dst}cryptpilot-auto-open.service %{dracut_dst}initrd-wait-network-online.service +%{dracut_dst}lvm.conf +%dir /usr/share/cryptpilot +/usr/share/cryptpilot/policy.rego +/usr/lib/udev/rules.d/12-cryptpilot-hide-intermediate-devices.rules + + +%preun +if [ $1 == 0 ]; then #uninstall + systemctl unmask cryptpilot.service + systemctl stop cryptpilot.service + systemctl disable cryptpilot.service +fi + + +%postun +if [ $1 == 0 ]; then #uninstall + systemctl daemon-reload + systemctl reset-failed +fi + %changelog +* Tue Nov 11 2025 Kun Lai - 0.2.9-1 +- fix(fde): fix panic due to wrong default hash algo + + +* Fri Oct 31 2025 Kun Lai - 0.2.8-1 +- feat(fde): support multiple hash algorithms in show-reference-value (sha1, sha256, sha384, sm3) +- feat(fde): allow show-reference-value to work on non-encrypted disks +- feat(fs): make TmpMountPoint::mount support read-only mode by default +- fix(nbd): wait 1 second after connecting NBD device to ensure partition detection +- fix: set LC_ALL=C before running external commands for consistent output +- build: switch to git clone for source copy in tarball creation +- build: generate ttrpc protocol files in OUT_DIR and clean up attributes +- refactor: fix wrong URL in .proto file +- docs: update AAEL documentation for new tcg2 log format +- reference value: use IETF 4634 compliant hash algorithm names (e.g., SHA-384) +- fde: use --key-file=- consistently to avoid newline issues in LUKS operations +- fde: include both GRUB kernel cmdline variants in reference values +- fde: add CentOS 7 compatibility for boot measurement +- fde: add DM_UDEV_DISABLE_OTHER_RULES_FLAG to hide intermediate cryptpilot devices +- Remove -E option for `file` command in mkfs.rs +- cryptpilot-convert: improve logging for boot partition creation +- boot_service: 
remove spurious findmnt failure warning during boot +- boot_service: fix LVM resize failures in initramfs with custom lvm.conf +- fde: disable LVM locking in pvresize and lvextend during early boot + +* Fri Sep 26 2025 Kun Lai - 0.2.7-1 +- fde: auto-expand system PV and data LV on boot +- boot_service: split stage logic into separate modules +- fde: fix path handling in fde mount setup by using path operations +- boot_service: handle OTP-backed data volumes correctly across reboots +- cryptpilot-convert.sh: lock essential packages after install +- fde: hide intermediate device-mapper devices from udev and udisks +- Revert "cryptpilot: add force override root=/dev/mapper/rootfs to cmdline" +- Revert "cryptpilot-convert: force override the mount source for / in /etc/fstab" +- cryptpilot-convert: rename --clean-freed-space to --wipe-freed-space +- dracut: fix in case initrd-root-device.target are missing on some distros e.g. centos 7 +- Rewrite file -E to stdout string matching in mkfs.rs +- Rewrite lvcreate --nolocking in mod.rs +- fde: make GPT device detection resilient to command failure +- fde: improve disk mount handling with better error reporting +- dracut: fix network-manager may not exist in centos7 +- cryptpilot-convert: suppress ext4 signature warning by forcing LVM creation +- dracut: remove dependency on /usr/lib/systemd/systemd-makefs +- cryptpilot-convert: Add support for network proxy environment variables +- cryptpilot-convert: Be compatible with different e2fsprogs versions + + +* Mon Sep 15 2025 Kun Lai - 0.2.6-1 +- cryptpilot & FDE Enhancements: + * Redirect all logs to stderr for consistent logging behavior + * Fix kernel module loading failures on specific systems + * Resolve race condition where block devices appear after cryptpilot service start + * Add passphrase validation before unlocking encrypted volumes + * Enforce root=/dev/mapper/rootfs in kernel command line via force override + * Fix boot partition detection logic + * Improve network 
stability during early boot + +- cryptpilot-convert Improvements: + * Speed up conversion of large disk images + * Replace yum --installroot with chroot-based package installation + * Add --boot_part_size parameter to customize boot partition size + * Add --rootfs-part-num to set root filesystem partition number + * Enhance EFI and rootfs partition detection based on content inspection + * Fix access failure after partition creation + * Correctly detect default kernel in multi-kernel systems + * Fix encrypted image creation for AnolisOS-23.3-x86_64.qcow2 + * Prevent repeated mounting of EFI/boot partitions by adding noauto,nofail to fstab + * Optimize e2fsck execution logic + * Add boot partition pre-check functionality + * Improve compatibility with various disk partition layouts + * Force override / mount source in /etc/fstab + * Add colored logging output for better readability + * Enable support for AnolisOS 23.3 and Alinux3 software installation via yum + +- show-reference-value Updates: + * Support SM3 hash algorithm for reference value calculation + * Generate reference values for GRUB, kernel, cmdline, and initrd + * Fix kernel path generation issues + * Support multiple GRUB and shim binaries in /boot + * Suppress noisy mount error messages + * Remove irrelevant print output during command execution + * Fix failure in cleaning up DM devices from NBD instances + * Remove redundant 'tdx' prefix from output + +- Container & OverlayFS Fixes: + * Fix "not supported as upperdir" error in Docker + * Resolve "overlay is not supported over overlayfs" error in Podman + +- FDE & Configuration Changes: + * Change load_config content format from JSON object to hex hash value + +- Infrastructure & Compatibility: + * Add Aliyun IMDS availability check before fetching instance config + +* Mon Jul 7 2025 Kun Lai - 0.2.5-5 +- fde: sync time to system before call cdh if run in aliyun ecs. +- fde: add timeout fetching config from cloudinit. 
+ +* Wed Jul 2 2025 Kun Lai - 0.2.5-4 +- Fix "Failed to load kernel module 'nbd'" when used in docker container. + +* Mon Jun 30 2025 Kun Lai - 0.2.5-3 +- cryptpilot-convert: fix occasional "device or resource busy" error when rootfs encryption is enabled + + +* Thu Jun 12 2025 Kun Lai - 0.2.5-2 +- cryptpilot-convert: fix failed checking free nbd device when no nbd kernel module avaliable +- cryptpilot.spec: add missing requires for file package +- cmd/open: add checking passphrase before open the volume +- fs/nbd.rs: change udev rule path to volatile runtime directory /run/udev/rules.d + + +* Thu Jun 12 2025 Kun Lai - 0.2.5-1 +- Add "cryptpilot config check" command to check if the config is valid +- Add support to specify more than one volume name to open/init/close command +- Remove the "config dump" command +- Change short form of --config-dir from -d to -c +- Add the "fde show-reference-value" and "fde dump-config" command +- Add --rootfs-no-encryption option to cryptpilot-convert to make disk with rootfs volume unencrypted + * Fri May 23 2025 Kun Lai - 0.2.4-1 - Fix broken FDE due to wrong dm-verity kernel module name
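Review bot: The new `%preun` and `%postun` call `systemctl` unconditionally, unlike the `%post` in this patch, which checks `command -v systemctl` and appends `|| :`. A non-zero exit from `%preun` makes rpm abort the erase, so on a host where systemd is absent or not running (the changelog mentions use inside Docker) the package may not uninstall cleanly. Either guard the calls the same way, e.g. `systemctl disable cryptpilot.service || :`, or use the standard macros `%systemd_preun cryptpilot.service` and `%systemd_postun cryptpilot.service`. The `[ $1 == 0 ]` tests also rely on a bash extension; `[ "$1" -eq 0 ]` is the portable form.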