feat(dgw): encrypt in-memory credentials at rest with ChaCha20-Poly1305

.github/workflows/ci.yml

@@ -618,17 +618,8 @@ jobs:
 
       - name: Configure Linux runner
         if: ${{ matrix.os == 'linux' }}
-        run: |
-          sudo apt-get update
-          sudo apt-get -o Acquire::Retries=3 install python3-wget python3-setuptools libsystemd-dev dh-make
-
-      - name: Configure Linux (arm) runner
-        if: ${{ matrix.os == 'linux' && matrix.arch == 'arm64' }}
-        run: |
-          sudo dpkg --add-architecture arm64
-          sudo apt-get -o Acquire::Retries=3 install -qy binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu g++-aarch64-linux-gnu qemu-user
-          rustup target add aarch64-unknown-linux-gnu
-          echo "STRIP_EXECUTABLE=aarch64-linux-gnu-strip" >> $GITHUB_ENV
+        run: ./ci/setup-linux-build-deps.ps1 -Architecture ${{ matrix.arch }}
+        shell: pwsh
 
       - name: Install fpm
         if: ${{ matrix.os == 'Linux' }}
@@ -871,17 +862,8 @@ jobs:
 
       - name: Configure Linux runner
         if: ${{ matrix.os == 'linux' }}
-        run: |
-          sudo apt-get update
-          sudo apt-get -o Acquire::Retries=3 install python3-wget python3-setuptools libsystemd-dev dh-make
-
-      - name: Configure Linux (arm) runner
-        if: ${{ matrix.os == 'linux' && matrix.arch == 'arm64' }}
-        run: |
-          sudo dpkg --add-architecture arm64
-          sudo apt-get -o Acquire::Retries=3 install -qy binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu g++-aarch64-linux-gnu qemu-user
-          rustup target add aarch64-unknown-linux-gnu
-          echo "STRIP_EXECUTABLE=aarch64-linux-gnu-strip" >> $GITHUB_ENV
+        run: ./ci/setup-linux-build-deps.ps1 -Architecture ${{ matrix.arch }}
+        shell: pwsh
 
       - name: Install fpm
         if: ${{ matrix.os == 'Linux' }}
@@ -1180,10 +1162,35 @@ jobs:
           psexec -accepteula -s pwsh.exe $scriptPath
           Get-Content -Path ./crates/pedm-simulator/pedm-simulator_run-expect-elevation.out
 
+  secure-memory-verifier:
+    name: secure-memory-verifier
+    runs-on: windows-2022
+    needs: [preflight]
+
+    steps:
+      - name: Checkout ${{ github.repository }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.preflight.outputs.ref }}
+
+      - name: Setup Rust cache
+        uses: ./.github/actions/setup-rust-cache
+        with:
+          sccache-enabled: ${{ needs.preflight.outputs.sccache }}
+
+      - name: Run secure-memory-verifier
+        run: cargo run -p secure-memory-verifier -- all
+        shell: pwsh
+
+      - name: Show sccache stats
+        if: ${{ needs.preflight.outputs.sccache == 'true' && !cancelled() }}
+        shell: pwsh
+        run: sccache --show-stats
+
   success:
     name: Success
     if: ${{ always() }}
-    needs: [tests, lints, check-dependencies, jetsocat-lipo, devolutions-gateway-powershell, devolutions-gateway, devolutions-gateway-merge, devolutions-pedm-desktop, devolutions-agent, devolutions-agent-merge, devolutions-pedm-client, dotnet-utils-tests, winapi-sanitizer-tests, winapi-miri, pedm-simulator]
+    needs: [tests, lints, check-dependencies, jetsocat-lipo, devolutions-gateway-powershell, devolutions-gateway, devolutions-gateway-merge, devolutions-pedm-desktop, devolutions-agent, devolutions-agent-merge, devolutions-pedm-client, dotnet-utils-tests, winapi-sanitizer-tests, winapi-miri, pedm-simulator, secure-memory-verifier]
     runs-on: ubuntu-latest
 
     steps:

README.md

@@ -20,7 +20,7 @@ immediately, without going through the acceptance testing process of our quality
 
 ### From sources
 
-Ensure that you have [the Rust toolchain installed][install_rust], then clone this repository and run:
+Ensure that you have [the Rust toolchain installed][install_rust] and then clone this repository and run:
 
 ```shell
 cargo install --path ./devolutions-gateway

ci/setup-linux-build-deps.ps1

@@ -0,0 +1,33 @@
+#!/usr/bin/env pwsh
+
+param(
+    [Parameter(Mandatory = $true)]
+    [ValidateSet('x86_64', 'arm64')]
+    [string] $Architecture
+)
+
+$ErrorActionPreference = 'Stop'
+
+$packages = @(
+    'python3-wget',
+    'python3-setuptools',
+    'libsystemd-dev',
+    'dh-make'
+)
+
+if ($Architecture -eq 'arm64') {
+    $packages += @(
+        'binutils-aarch64-linux-gnu',
+        'gcc-aarch64-linux-gnu',
+        'g++-aarch64-linux-gnu',
+        'qemu-user'
+    )
+}
+
+& sudo apt-get update
+& sudo apt-get '-o' 'Acquire::Retries=3' 'install' '-qy' @packages
+
+if ($Architecture -eq 'arm64') {
+    & rustup target add aarch64-unknown-linux-gnu
+    Add-Content -Path $Env:GITHUB_ENV -Value 'STRIP_EXECUTABLE=aarch64-linux-gnu-strip'
+}

crates/secure-memory-verifier/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "secure-memory-verifier"
+version = "0.0.0"
+authors = ["Devolutions Inc. <infos@devolutions.net>"]
+edition = "2024"
+publish = false
+description = "Windows runtime verifier for the secure-memory crate"
+
+[lints]
+workspace = true
+
+[dependencies]
+secure-memory = { path = "../secure-memory" }
+
+[target.'cfg(windows)'.dependencies.windows]
+version = "0.61"
+features = [
+    "Win32_Foundation",
+    "Win32_System_Kernel",
+    "Win32_System_Memory",
+    "Win32_System_ProcessStatus",
+    "Win32_System_SystemInformation",
+    "Win32_System_Threading",
+]