lf-edge · eriknordmark · Oct 16, 2023 · Oct 12, 2023 · Oct 12, 2023 · Oct 12, 2023
@@ -13,6 +13,7 @@ In general, EVE is trying to make sure that its controller always has the last w
 * `wpa_supplicant.conf` - a legacy way of configuring EVE's WiFi
 * `authorized_keys` - initial authorized SSH keys for accessing EVE's debug console; DO NOT use options, we only accept 'keytype, base64-encoded key, comment' format
 * `bootstrap-config.pb`- initial device configuration used only until device is onboarded (see below for details)
+* `remote_access_disabled`- a file indicating remote access status, if it exist remote access (edge-view and ssh) is disabled. Please check [config document](SECURITY.md#disabling-remote-access) for more information.
 
 The initial content of these configuration files is stored in the EVE's source tree under [config](../config) folder. From there, these configuration files are baked into the EVE installer images. For the read-write bootable disk installer image these files can further be tweaked by mounting the "EVE" partition and editing those files directly on the installer image. This gives you an ability to take the default installer image and tweak it for your needs without re-building EVE from scratch (obviously this is not an option for a read-only ISO installer image). A typical workflow is to take an installer image from the official EVE build, flash it onto a USB flash drive, insert that USB flash drive into your desktop and edit file on the partition called EVE.
 

@@ -158,6 +158,10 @@ Two ECOs communicating using the overlay will get an secure channel since LISP w
 
 In addition, the LISP map server can provide ability to limit access to the mappings for certain EIDs based on the EID which is trying to look them up.
 
+## Disabling Remote Access
+
+EVE provides a mechanism to build an image with remote access disabled (edge-view and ssh), this can be done by configuring EVE when building an installer. Enabling remote access back requires access to the cloud controller to enable console keyboard access on the edge node, plus physical access to the edge node to issue `eve remote-access` command on the edge node. In addition changing remote access status from its initial value to anything else will result in change of PCR-14 value and subsequent failure in unsealing the vault key that needs to be handled using the cloud controller. Check [config document](CONFIG.md#eve-configuration) for more information.
+
 ## Details on keys and certificates
 
 These details are specified in [KEYS-AND-CERTS](KEYS-AND-CERTS.md).

@@ -7,4 +7,15 @@ echo -1 > /proc/sys/kernel/perf_event_paranoid
 KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
 [ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null
 
-exec /usr/sbin/sshd -D -e
+
+if [ -f "/config/remote_access_disabled" ]; then
+    # this is picked up by newlogd
+    echo "Remote access disabled, ssh server not started" > /dev/kmsg
+    while true; do
+        # sleep for INT_MAX, keep the container running
+        sleep inf
+    done
+else
+    exec /usr/sbin/sshd -D -e
+fi
+
@@ -19,6 +19,7 @@ Welcome to EVE!
             persist attach <disk>
             config mount <mountpoint>
             config unmount
+            remote-access on|off
             http-debug
             dump-stacks
             dump-memory
@@ -199,6 +200,27 @@ __EOT__
                  ;;
           esac
           ;;
+ remote-access)
+          CONFIGDIR_RW="/tmp/config_rw"
+          mkdir $CONFIGDIR_RW
+          if eval "$(mount_partlabel "CONFIG" $CONFIGDIR_RW)"; then
+              case "$2" in
+                on) rm -f $CONFIGDIR_RW/remote_access_disabled
+                    eval "$(unmount_partlabel "CONFIG")" && rm -rf $CONFIGDIR_RW
+                    echo "Remote access enabled. Please reboot to apply changes."
+                    ;;
+                off) touch $CONFIGDIR_RW/remote_access_disabled
+                     eval "$(unmount_partlabel "CONFIG")" && rm -rf $CONFIGDIR_RW
+                     echo "Remote access disabled. Please reboot to apply changes."
+                     ;;
+                *) eval "$(unmount_partlabel "CONFIG")" && rm -rf $CONFIGDIR_RW
+                   help
+                   ;;
+              esac
+          else
+              echo "Failed to set the remote access configuration!"
+          fi
+          ;;
  version)
           v=$(cat /run/eve-release)
           echo "$v"

@@ -17,11 +17,17 @@
 	"github.com/google/go-cmp/cmp"
 	zconfig "github.com/lf-edge/eve-api/go/config"
 	"github.com/lf-edge/eve/pkg/pillar/types"
+	"github.com/lf-edge/eve/pkg/pillar/utils"
 )
 
 // edge-view specific parser/utility routines
 
 func parseEvConfig(ctx *getconfigContext, config *zconfig.EdgeDevConfig) {
+	if utils.RemoteAccessDisabled() {
+		log.Noticef("Remote access to edgeview is disabled")
+		removeEvFiles()
+		return
+	}
 
 	log.Tracef("Started parsing edge-view config")
 	zcfgEv := config.GetEdgeview()

@@ -224,6 +224,9 @@
 
 	ReportDeviceInfo := new(info.ZInfoDevice)
 
+	// Get the remote access status
+	ReportDeviceInfo.RemoteAccessDisabled = utils.RemoteAccessDisabled()
+
 	var uname unix.Utsname
 	err := unix.Uname(&uname)
 	if err != nil {

@@ -25,7 +25,7 @@ require (
 	github.com/jackwakefield/gopac v1.0.2
 	github.com/jaypipes/ghw v0.8.0
 	github.com/lf-edge/edge-containers v0.0.0-20221025050409-93c34bebadd2
-	github.com/lf-edge/eve-api/go v0.0.0-20230917094129-590dad30fe13
+	github.com/lf-edge/eve-api/go v0.0.0-20231011200019-cb3cb1275e0d
 	github.com/lf-edge/eve-libs v0.0.0-20230921141205-94d6f6b65597
 	github.com/linuxkit/linuxkit/src/cmd/linuxkit v0.0.0-20220913135124-e532e7310810
 	github.com/miekg/dns v1.1.41

@@ -1119,6 +1119,8 @@ github.com/lf-edge/edge-containers v0.0.0-20221025050409-93c34bebadd2 h1:ckxNk8M
 github.com/lf-edge/edge-containers v0.0.0-20221025050409-93c34bebadd2/go.mod h1:eA41YxPbZRVvewIYRzmqDB1PeLQXxCy9WQEc3AVCsPI=
 github.com/lf-edge/eve-api/go v0.0.0-20230917094129-590dad30fe13 h1:10Bwbfl1w63u4t/+7t3XDBb20A+WPCBsmMTeYkW89B8=
 github.com/lf-edge/eve-api/go v0.0.0-20230917094129-590dad30fe13/go.mod h1:6XqpOM8p1HsluNIGw2ihYPYsaAisQ5CuJpbIKHXQo5w=
+github.com/lf-edge/eve-api/go v0.0.0-20231011200019-cb3cb1275e0d h1:PVKqYtPsH5BAIYfOaKej/+lc7+GKcFZBGnzbS6JWbrE=
+github.com/lf-edge/eve-api/go v0.0.0-20231011200019-cb3cb1275e0d/go.mod h1:6XqpOM8p1HsluNIGw2ihYPYsaAisQ5CuJpbIKHXQo5w=
 github.com/lf-edge/eve-libs v0.0.0-20230921141205-94d6f6b65597 h1:/UGYRj5tdRw5m3+VjZtTx1RVgphQbthfY/Gu5W7qb5o=
 github.com/lf-edge/eve-libs v0.0.0-20230921141205-94d6f6b65597/go.mod h1:dEMW+ISS+vVqukeNsorFlaGCo2nuDwkK0LGyBYd8yrc=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=

@@ -64,6 +64,8 @@ const (
 	APIV1FileName = IdentityDirname + "/Force-API-V1"
 	// BootstrapConfFileName - file to store initial device configuration for bootstrapping
 	BootstrapConfFileName = IdentityDirname + "/bootstrap-config.pb"
+	// RemoteAccessFlagFileName -- file to check for remote access configuration
+	RemoteAccessFlagFileName = IdentityDirname + "/remote_access_disabled"
 	// BootstrapShaFileName - file to store SHA hash of an already ingested bootstrap config
 	BootstrapShaFileName = IngestedDirname + "/bootstrap-config.sha"
 

@@ -0,0 +1,21 @@
+// Copyright (c) 2017-2023 Zededa, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"os"
+
+	"github.com/lf-edge/eve/pkg/pillar/types"
+)
+
+// RemoteAccessDisabled checks if remote access is enabled/disabled
+// by checking if the file /config/remote_access_disabled exists or not.
+func RemoteAccessDisabled() bool {
+	if _, err := os.Stat(types.RemoteAccessFlagFileName); err == nil {
-	if _, err := os.Stat(types.RemoteAccessFlagFileName); err == nil {
+	if FileExists(nil, types.RemoteAccessFlagFileName) {
-	if _, err := os.Stat(types.RemoteAccessFlagFileName); err == nil {
+	if FileExists(nil, types.RemoteAccessFlagFileName) {
+		// file exists, remote access is disabled
+		return true
+	} else {
+		return false
+	}
+}