From 319994698e5387d7fdef10096165ff97a30b920e Mon Sep 17 00:00:00 2001
From: Alex Gonzalez
Date: Thu, 6 Jun 2024 16:04:40 +0200
Subject: [PATCH] initrdscripts: cryptsetup: have flasher remove pre-installed LUKS key
If the flasher is being used on a pre-installed device, make sure the encrypted data will be protected by removing the key.
This is a fail-safe to avoid flasher exploits.
Changelog-entry: have flasher remove pre-installed LUKS key
Signed-off-by: Alex Gonzalez
---
 .../initrdscripts/files/cryptsetup-rpi | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/files/cryptsetup-rpi b/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/files/cryptsetup-rpi
index 84951399c..50cbff943 100644
--- a/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/files/cryptsetup-rpi
+++ b/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/files/cryptsetup-rpi
@@ -16,8 +16,27 @@ wait4file "/dev/disk/by-state" "50"
 BALENA_NONENC_BOOT_DEV=""
 cryptsetup_enabled() {
+ BALENA_NONENC_BOOT_DEV=$(get_state_path_from_label @@BALENA_NONENC_BOOT_LABEL@@)
+ # Only run if the boot partition is split
+ if [ ! -e "$BALENA_NONENC_BOOT_DEV" ]; then
+ return 1
+ fi
+
 # Flasher should not try to unlock the partitions
 if [ "$bootparam_flasher" = "true" ]; then
+ # Remove the encrypted key to guarantee flasher cannot mount pre-existing partitions
+ _tmpdir=$(mktemp -d)
+ if mount "$BALENA_NONENC_BOOT_DEV" "$_tmpdir"; then
+ if [ -f "${_tmpdir}/balena-luks.enc" ]; then
+ if ! rm "${_tmpdir}/balena-luks.enc"; then
+ fail "Failure to remove pre-installed LUKS key - aborting boot"
+ fi
+ sync
+ info "Removed pre-installed LUKS key."
+ fi
+ else
+ fail "Failure to mount $BALENA_NONENC_BOOT_DEV - aborting boot"
+ fi
 return 1
 fi
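Review bot: The boot partition mounted on `$_tmpdir` in the flasher branch is never unmounted, so `cryptsetup_enabled` returns 1 with the pre-installed boot device still mounted and the temporary directory left behind, on a path where the flasher is about to rewrite that same device; whether something later in the initrd unmounts it is not visible here. Close the mount-success branch, after the inner `fi`, with `umount "$_tmpdir" || fail "Failure to unmount $BALENA_NONENC_BOOT_DEV - aborting boot"` and `rmdir "$_tmpdir"`, and guard the directory creation with `_tmpdir=$(mktemp -d) || fail "Failure to create temporary mount point - aborting boot"`, since an empty `$_tmpdir` would otherwise most likely surface as the misleading mount-failure message. It is also worth a comment next to the `rm` that it only unlinks `balena-luks.enc` from the filesystem and does not overwrite the blob's blocks on the flash, which is adequate if the fail-safe only needs the key file to be absent for the mount path but should be stated so nobody reads it as a secure erase. The `sync` and `info` after the `rm` guard assume `fail` does not return; that is consistent with its "aborting boot" wording but its definition is outside this diff. The body of `cryptsetup_enabled` continues past the end of the hunk.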
@@ -26,11 +45,6 @@ cryptsetup_enabled() {
 fail "Device not locked - boot aborted"
 fi
- BALENA_NONENC_BOOT_DEV=$(get_state_path_from_label @@BALENA_NONENC_BOOT_LABEL@@)
- # Only run if the boot partition is split
- if [ ! -e "$BALENA_NONENC_BOOT_DEV" ]; then
- return 1
- fi
 # Check whether there are any LUKS partitions
 if ! lsblk -nlo fstype | grep -q crypto_LUKS; then