cryptmapper

package
v2.2.0 Latest
Warning

This package is not in the latest version of its module.

Published: Nov 8, 2022 License: AGPL-3.0 Imports: 12 Imported by: 0

Documentation

Constants

const (
	// LUKSHeaderSize is the number of bytes taken up by the header of a LUKS2 partition.
	// The header is 16MiB (1048576 Bytes * 16).
	LUKSHeaderSize = 16777216
)

Variables

This section is empty.

Functions

func IsIntegrityFS

func IsIntegrityFS(fstype string) (string, bool)

IsIntegrityFS checks whether the fstype string contains an integrity suffix. If it does, it returns the fstype with the suffix trimmed and true; otherwise it returns fstype unchanged and false.

Types

type CryptDevice

type CryptDevice struct {
	*cryptsetup.Device
}

CryptDevice is a wrapper for cryptsetup.Device.

func (*CryptDevice) Free

func (c *CryptDevice) Free() bool

Free releases crypt device context and used memory.

func (*CryptDevice) Init

func (c *CryptDevice) Init(devicePath string) error

Init initializes a crypt device backed by 'devicePath'. Sets the cryptDevice's deviceMapper to the newly allocated Device or returns any error encountered.

func (*CryptDevice) InitByName

func (c *CryptDevice) InitByName(name string) error

InitByName initializes a crypt device from provided active device 'name'. Sets the deviceMapper to the newly allocated Device or returns any error encountered.

type CryptMapper

type CryptMapper struct {
	// contains filtered or unexported fields
}

CryptMapper manages dm-crypt volumes.

func New

func New(kms KeyCreator, mapper DeviceMapper) *CryptMapper

New initializes a new CryptMapper with the given kms client and device mapper. kms is used to fetch data encryption keys for the dm-crypt volumes.

func (*CryptMapper) CloseCryptDevice

func (c *CryptMapper) CloseCryptDevice(volumeID string) error

CloseCryptDevice closes the crypt device mapped for volumeID. Returns nil if the volume does not exist.

func (*CryptMapper) GetDevicePath

func (c *CryptMapper) GetDevicePath(volumeID string) (string, error)

GetDevicePath returns the device path of a mapped crypt device.

func (*CryptMapper) OpenCryptDevice

func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID string, integrity bool) (string, error)

OpenCryptDevice maps the volume at source to the crypt device identified by volumeID. The key used to encrypt the volume is fetched using CryptMapper's kms client.

func (*CryptMapper) ResizeCryptDevice

func (c *CryptMapper) ResizeCryptDevice(ctx context.Context, volumeID string) (string, error)

ResizeCryptDevice resizes the underlying crypt device and returns the mapped device path.

type DeviceMapper

type DeviceMapper interface {
	// Init initializes a crypt device backed by 'devicePath'.
	// Sets the deviceMapper to the newly allocated Device or returns any error encountered.
	Init(devicePath string) error
	// InitByName initializes a crypt device from provided active device 'name'.
	// Sets the deviceMapper to the newly allocated Device or returns any error encountered.
	InitByName(name string) error
	// ActivateByPassphrase activates a device by using a passphrase from a specific keyslot.
	// Returns nil on success, or an error otherwise.
	ActivateByPassphrase(deviceName string, keyslot int, passphrase string, flags int) error
	// ActivateByVolumeKey activates a device by using a volume key.
	// Returns nil on success, or an error otherwise.
	ActivateByVolumeKey(deviceName string, volumeKey string, volumeKeySize int, flags int) error
	// Deactivate deactivates a device.
	// Returns nil on success, or an error otherwise.
	Deactivate(deviceName string) error
	// Format formats a Device, using a specific device type, and type-independent parameters.
	// Returns nil on success, or an error otherwise.
	Format(deviceType cryptsetup.DeviceType, genericParams cryptsetup.GenericParams) error
	// Free releases crypt device context and used memory.
	Free() bool
	// GetDeviceName gets the path to the underlying device.
	GetDeviceName() string
	// GetUUID gets the device's UUID.
	GetUUID() string
	// Load loads crypt device parameters from the on-disk header.
	// Returns nil on success, or an error otherwise.
	Load(cryptsetup.DeviceType) error
	// KeyslotAddByVolumeKey adds a key slot using a volume key to perform the required security check.
	// Returns nil on success, or an error otherwise.
	KeyslotAddByVolumeKey(keyslot int, volumeKey string, passphrase string) error
	// Wipe removes existing data and clears the device for use with dm-integrity.
	// Returns nil on success, or an error otherwise.
	Wipe(devicePath string, pattern int, offset, length uint64, wipeBlockSize int, flags int, progress func(size, offset uint64) int) error
	// Resize the crypt device.
	// Returns nil on success, or an error otherwise.
	Resize(name string, newSize uint64) error
}

DeviceMapper is an interface for device mapper methods.

type KeyCreator

type KeyCreator interface {
	GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error)
}

KeyCreator is an interface to create data encryption keys.
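
A KeyCreator only has to return dekSize bytes for a given dekID, so tests of code that calls New can use an in-memory implementation instead of a real KMS. The following is an added example, not code from this package or its project: the staticKMS type, its counter-mode HMAC-SHA256 derivation and the 1024-byte size cap are assumptions made for the illustration.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyCreator is copied from the interface documented on this page.
type KeyCreator interface {
	GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error)
}

// staticKMS (hypothetical, test-only) derives every DEK from one in-memory secret.
type staticKMS struct{ master []byte }

var _ KeyCreator = (*staticKMS)(nil) // compile-time interface check

// GetDEK derives dekSize bytes bound to dekID with HMAC-SHA256 in counter
// mode: block i = HMAC(master, i || dekID || 0x00 || bitLength).
func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
	if err := ctx.Err(); err != nil {
		return nil, err // honour cancellation like a remote KMS call would
	}
	if dekID == "" || dekSize <= 0 || dekSize > 1024 {
		return nil, errors.New("staticKMS: invalid dekID or dekSize")
	}
	var ctr, bits [4]byte
	binary.BigEndian.PutUint32(bits[:], uint32(dekSize*8))
	out := make([]byte, 0, dekSize+sha256.Size)
	for i := uint32(1); len(out) < dekSize; i++ {
		binary.BigEndian.PutUint32(ctr[:], i)
		mac := hmac.New(sha256.New, k.master)
		mac.Write(ctr[:])
		mac.Write([]byte(dekID))
		mac.Write([]byte{0})
		mac.Write(bits[:]) // binds the requested length into every block
		out = mac.Sum(out)
	}
	return out[:dekSize], nil
}

func main() {
	kms := &staticKMS{master: []byte("constructed-test-secret")} // constructed value
	dek, err := kms.GetDEK(context.Background(), "pvc-demo", 64)
	fmt.Println(len(dek), err)
}
```

Because the requested length is part of the HMAC input, a 32-byte key for a volume is not a prefix of its 64-byte key. Keep an implementation like this in test code only, since a fixed in-memory secret offers none of the protection of a real KMS.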
