Merge pull request #717 from bcressey/add-rottweiler

add rottweiler to manage storage encryption

Author: bcressey

Cargo.lock

@@ -128,6 +128,7 @@ procps = { path = "../../packages/procps" }
 rdma-core = { path = "../../packages/rdma-core" }
 readline = { path = "../../packages/readline" }
 release = { path = "../../packages/release" }
+rottweiler = { path = "../../packages/rottweiler" }
 runc = { path = "../../packages/runc" }
 selinux-policy = { path = "../../packages/selinux-policy" }
 socat = { path = "../../packages/socat" }

kits/bottlerocket-core-kit/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "rottweiler"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "../build.rs"
+
+[lib]
+path = "../packages.rs"
+
+[package.metadata.build-package]
+source-groups = [
+    "rottweiler",
+    "generate-readme",
+]
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/rottweiler/Cargo.toml

@@ -0,0 +1,34 @@
+%global _cross_first_party 1
+%undefine _debugsource_packages
+
+Name: %{_cross_os}rottweiler
+Version: 0.1.0
+Release: 1%{?dist}
+Summary: Bottlerocket storage encryption helper
+License: Apache-2.0 OR MIT
+URL: https://github.com/bottlerocket-os/bottlerocket
+
+BuildRequires: %{_cross_os}glibc-devel
+Requires: %{_cross_os}cryptsetup
+Requires: %{_cross_os}systemd-cryptsetup
+Requires: %{_cross_os}tpm2-tools
+
+%description
+%{summary}.
+
+%prep
+%setup -T -c
+%cargo_prep
+
+%build
+%cargo_build --manifest-path %{_builddir}/sources/Cargo.toml \
+    -p rottweiler
+
+%install
+install -d %{buildroot}%{_cross_bindir}
+install -p -m 0755 %{__cargo_outdir}/rottweiler %{buildroot}%{_cross_bindir}
+ln -s rottweiler %{buildroot}%{_cross_bindir}/rw
+
+%files
+%{_cross_bindir}/rottweiler
+%{_cross_bindir}/rw

packages/rottweiler/rottweiler.spec

@@ -46,6 +46,7 @@
 (filecon "/.*/usr/bin/apiserver" file api_exec)
 (filecon "/.*/usr/bin/early-boot-config" file api_exec)
 (filecon "/.*/usr(/fips)?/bin/migrator" file api_exec)
+(filecon "/.*/usr/bin/rottweiler" file api_exec)
 (filecon "/.*/usr/bin/storewolf" file api_exec)
 (filecon "/.*/usr(/fips)?/bin/cfsignal" file api_exec)
 (filecon "/.*/usr/bin/thar-be-settings" file api_exec)

packages/selinux-policy/fs.cil

@@ -26,6 +26,8 @@ members = [
 
     "bootstrap-commands",
 
+    "bottlerocket-image-features",
+
     "bottlerocket-release",
 
     "brush",
@@ -69,6 +71,8 @@ members = [
 
     "retry-read",
 
+    "rottweiler",
+
     "updater/block-party",
     "updater/signpost",
     "updater/update_metadata",
@@ -85,6 +89,7 @@ members = [
 apiclient = { version = "0.1", path = "api/apiclient", default-features = false }
 aws-smithy-experimental = { version = "0.1", path = "aws-smithy-experimental" }
 block-party = { version = "0.1", path = "updater/block-party" }
+bottlerocket-image-features = { version = "0.1", path = "bottlerocket-image-features" }
 bottlerocket-release = { version = "0.1", path = "bottlerocket-release" }
 constants = { version = "0.1", path = "constants" }
 datastore = { version = "0.1", path = "api/datastore" }
@@ -144,7 +149,9 @@ gptman = { version = "1", default-features = false }
 handlebars = "4"
 h2 = "0.4"
 headers = "0.4"
+hex = "0.4"
 hex-literal = "0.4"
+hkdf = { version = "0.12", default-features = false }
 http = "0.2"
 httparse = "1"
 httptest = "0.15"
@@ -187,6 +194,7 @@ serde_json = "1"
 serde_plain = "1"
 serde_yaml = "0.9"
 serde_repr = "0.1"
+sha2 = "0.10"
 shell-words = "1"
 shlex = "1"
 signal-hook = "0.3"
@@ -210,6 +218,7 @@ url = "2"
 walkdir = "2.5"
 which = "4"
 zbus = { version = "5.11", default-features = false }
+zeroize = { version = "1", default-features = false }
 zvariant = "5.7"
 x509-parser = "0.16"
 base64 = "0.22"

sources/Cargo.lock

@@ -0,0 +1,14 @@
+[package]
+name = "bottlerocket-image-features"
+version = "0.1.0"
+edition = "2024"
+license = "Apache-2.0 OR MIT"
+publish = false
+
+[dependencies]
+envy.workspace = true
+serde = { workspace = true, features = ["derive"] }
+snafu.workspace = true
+
+[build-dependencies]
+generate-readme.workspace = true

sources/Cargo.toml

@@ -0,0 +1,49 @@
+# bottlerocket-image-features
+
+Current version: 0.1.0
+
+## Introduction
+
+*bottlerocket-image-features* is a library for parsing Bottlerocket image feature flags
+from the system configuration file.
+
+### Overview
+
+This crate provides functionality to read and parse the `/usr/share/bottlerocket/image-features.env`
+file, which contains feature flags that control various aspects of the Bottlerocket system.
+
+### Features
+
+Currently supported feature flags:
+
+- `IN_PLACE_UPDATES` - Controls whether in-place updates are enabled (default: true)
+- `ENCRYPTED_STORAGE` - Controls whether encrypted storage is enabled (default: false)
+
+### Usage
+
+```rust
+use bottlerocket_image_features::parse_image_features;
+
+let features = parse_image_features()?;
+if features.in_place_updates {
+    println!("In-place updates are enabled");
+}
+```
+
+### File Format
+
+The image features file uses a simple key=value format with support for:
+- Comments (lines starting with `#`)
+- Empty lines (ignored)
+- Quoted or unquoted values
+- Boolean values ("true" or "false")
+
+Example:
+```
+# Image feature configuration
+IN_PLACE_UPDATES="true"
+```
+
+## Colophon
+
+This text was generated using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`.

sources/bottlerocket-image-features/Cargo.toml

@@ -0,0 +1,9 @@
+# {{crate}}
+
+Current version: {{version}}
+
+{{readme}}
+
+## Colophon
+
+This text was generated using [cargo-readme](https://crates.io/crates/cargo-readme), and includes the rustdoc from `src/lib.rs`.