Merge pull request #119 from postmarketOS/optional-fde

Optional Full Disk Encryption (Close #86)
2017-06-28 22:03:08 +00:00 · 2017-06-28 22:03:08 +00:00 · 21128d29d3
commit 21128d29d3
parent 310df10d3c 238cc65ad7
7 changed files with 181 additions and 82 deletions
--- a/postmarketos-mkinitfs-hook-usb-shell/20-usb-shell.sh
+++ b/postmarketos-mkinitfs-hook-usb-shell/20-usb-shell.sh
@ -1,7 +1,9 @@
 #!/bin/sh
-IP=172.16.42.1
+. ./init_functions.sh
 TELNET_PORT=24

+setup_usb_network
+start_udhcpd
 telnetd -b "${IP}:${TELNET_PORT}" -l /bin/sh

 echo "---"
@ -9,4 +11,3 @@ echo "WARNING: usb shell is active on ${IP}:${TELNET_PORT}."
 echo "This is a security hole! Only use it for debugging, and"
 echo "uninstall the usb-shell hook afterwards!"
 echo "---"
-
--- a/postmarketos-mkinitfs-hook-usb-shell/APKBUILD
+++ b/postmarketos-mkinitfs-hook-usb-shell/APKBUILD
@ -1,6 +1,6 @@
 pkgname=postmarketos-mkinitfs-hook-usb-shell
-pkgver=0.0.1
-pkgrel=1
+pkgver=0.1.0
+pkgrel=0
 pkgdesc="Root shell in the initramfs (security hole, for debugging only)"
 url="https://github.com/postmarketOS"
 # multipath-tools: kpartx
@ -18,4 +18,4 @@ package() {
 	install -Dm644 "$srcdir"/20-usb-shell.sh \
 		"$pkgdir"/etc/postmarketos-mkinitfs/hooks/
 }
-sha512sums="7154ded57cba1ff76fb8be9bd773ccdb4cd70c588ef763469d7e2fc9796fba13e5624480669b528138c1c5ebfc1a7927dcb80b850e72308b89736d9baee9c231  20-usb-shell.sh"
+sha512sums="40c6c445fdd03f8c76ba39075e9112ca963dd832f392e469057b622826f274604ec950bbbb89620c5c88e5d76caa0fa4665e445e33ebe31d4c566d4359d24935  20-usb-shell.sh"
--- a/postmarketos-mkinitfs/10-usb-unlock.sh
+++ b/postmarketos-mkinitfs/10-usb-unlock.sh
@ -1,51 +1,28 @@
 #!/bin/sh
-IP=172.16.42.1
+. ./init_functions.sh
+
 TELNET_PORT=23

-usb_setup_android() {
-	SYS=/sys/class/android_usb/android0
-	[ -e "$SYS" ] || return
-	printf "%s" "0"		> "$SYS/enable"
-	printf "%s" "18D1"	> "$SYS/idVendor"
-	printf "%s" "D001"	> "$SYS/idProduct"
-	printf "%s"	"rndis"	> "$SYS/functions"
-	printf "%s" "1"		> "$SYS/enable"
-}
+start_usb_unlock() {
+	# Only run if we have an encrypted partition
+	cryptsetup isLuks "$(find_root_partition)" || return

-dhcpcd_start()
-{
-	# get usb interface
-	INTERFACE=""
-	ifconfig rndis0 "$IP" && INTERFACE=rndis0
-	if [ -z $INTERFACE ]; then
-		ifconfig usb0 "$IP" && INTERFACE=usb0
-	fi
+	# Set up networking
+	setup_usb_network
+	start_udhcpd

-	# create /etc/udhcpd.conf
-	{
-		echo "start 172.16.42.2"
-		echo "end 172.16.42.254"
-		echo "lease_file /var/udhcpd.leases"
-		echo "interface $INTERFACE"
-		echo "option subnet 255.255.255.0"
-	} > /etc/udhcpd.conf
-	udhcpd
-}
+	# Telnet splash
+	show_splash /splash1.ppm.gz

-telnetd_start()
-{
-	mkdir -p /dev/pts
-	mount -t devpts devpts /dev/pts
+	# Start the telnet daemon
 	{
 		echo '#!/bin/sh'
 		echo '. /init_functions.sh'
 		echo 'unlock_root_partition'
 		echo 'killall cryptsetup telnetd'
-	} > /telnet_connect.sh
+	} >/telnet_connect.sh
 	chmod +x /telnet_connect.sh
 	telnetd -b "${IP}:${TELNET_PORT}" -l /telnet_connect.sh
 }

-usb_setup_android
-dhcpcd_start
-telnetd_start
+start_usb_unlock
--- a/postmarketos-mkinitfs/APKBUILD
+++ b/postmarketos-mkinitfs/APKBUILD
@ -1,6 +1,6 @@
 pkgname=postmarketos-mkinitfs
-pkgver=0.0.5
-pkgrel=4
+pkgver=0.1.1
+pkgrel=0
 pkgdesc="Tool to generate initramfs images for postmarketOS"
 url="https://github.com/postmarketOS"
 # multipath-tools: kpartx
@ -27,9 +27,9 @@ package() {
 	install -Dm644 "$srcdir/10-usb-unlock.sh" \
 		"$pkgdir/etc/postmarketos-mkinitfs/hooks/"
 }
-sha512sums="2f45dee1ad9ef75166d614774e0ee2a6856950990c063bce7d0e98ed27599d2f8040c6118a9381aab4a69c79f96a30eb044b6b29ef2afb2a9374bac5f5a398da  init.sh.in
-3ebc5fa2220a8da920ebca67f14c38b0c296eafdbcf312997b442a020d1683bd622a42a946a61b4d80cbecf28853c915480e26ffe59eda57769855303b67bbdf  init_functions.sh
+sha512sums="db4a7642544d60a2e9e88fbacf652f093f0570f859bd9658d2a0a39c9d08d27eb9d21e72e9c0ca5f7676646732068c087396334c4fa5e6099aa7d2d64055f764  init.sh.in
+66f442648fb38529ec594e62ee2307269ca875c7f9340726adcb211e9be42a6ba60fd296af0503a65c7f230c25cf3494783e4282f2468c63116b9500f5d184c6  init_functions.sh
 dd3c86c6ba4f91e20b72f4180049960a58dc01002f69ad9e5d98c752da3b34711c2bbe6e0c7d003eb6a4a8d9e185796aa2fe84c0231a3057b204912c439140f7  mkinitfs.sh
-82f0b9927bfef919c6561d67283a0e77c36ef8f8d11000a6153b52e39731ceaa65b9a34c682e737881dc676cc8bfc97dfbbfdeb2ca03594b8f9beef9e49a754d  10-usb-unlock.sh
+81d001ab185a8db1b9335d7c8c278d49ab0446bc15bb00dd22e4de16633433a183888f3f1096399bfe361ed719dcc4203afdf4b4f10e74a9c1e50bbbfc46951c  10-usb-unlock.sh
 35a8eabad947347afec7e3f5860d31ab9e3534972c0960ccf553c7e1cc9262316bfdddb8d61d3588db1ee2261077597617806080b9956798b3e5088d6f9b596b  splash1.ppm.gz
 bf11d8b3a50db984cfbb2cafe6687de327242c1f6f56c6fdd02ca579b05213f9c886aa1c0527530fdec21b16e65e68962e40a600c4ce155819df2f610b435087  splash2.ppm.gz"
--- a/postmarketos-mkinitfs/TODO
+++ b/postmarketos-mkinitfs/TODO
@ -1,6 +1,3 @@
- use device labels or uuids inside init to properly detect the right
-	partition
-
 - support for adding files/modules in hooks (one file per hook):
 	- add build() function
 		- should have add_module and add_file functions
--- a/postmarketos-mkinitfs/init.sh.in
+++ b/postmarketos-mkinitfs/init.sh.in
@ -5,34 +5,41 @@ export PATH=/usr/bin:/bin:/usr/sbin:/sbin
 /bin/busybox --install -s
 /bin/busybox-extras --install -s

-# kernel modules
-modprobe -a @MODULES@
-
-# mdev
-mount -t proc -o nodev,noexec,nosuid proc /proc
-mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
-echo /sbin/mdev > /proc/sys/kernel/hotplug
-mdev -s
-
-# subpartitions
+# Mount everything, set up logging, modules, mdev
+mount_proc_sys_dev
+setup_log
+[ -d /lib/modules ] && modprobe -a @MODULES@
+setup_mdev
 mount_subpartitions

-# hooks
+# Always run dhcp daemon/usb networking for now (later this should only
+# be enabled, when having the usb-shell hook installed for debugging,
+# or get activated after the initramfs is done with an OpenRC service).
+setup_usb_network
+start_udhcpd
+
+# Hooks
 for hook in /etc/postmarketos-mkinitfs/hooks/*.sh; do
 	[ -e "$hook" ] || continue
 	sh "$hook"
 done
-show_splash /splash1.ppm.gz

-# unlock root partition
+# Unlock root partition
 unlock_root_partition

-# switch root
+# Switch root
 show_splash /splash2.ppm.gz
-killall telnetd mdev 2&> /dev/null
-mount -w -t ext4 /dev/mapper/root /sysroot
+killall telnetd mdev 2>/dev/null
 umount /proc
 umount /sys
 umount /dev/pts
 umount /dev
+
+# shellcheck disable=SC2093
 exec switch_root /sysroot /sbin/init
+
+echo "ERROR: switch_root failed!"
+echo "Looping forever. Install and use the usb-shell hook to debug this."
+while true; do
+	sleep 1
+done
--- a/postmarketos-mkinitfs/init_functions.sh
+++ b/postmarketos-mkinitfs/init_functions.sh
@ -1,10 +1,43 @@
 #!/bin/sh
 # This file will be in /init_functions.sh inside the initramfs.
+IP=172.16.42.1

-mount_subpartitions()
-{
+# Redirect stdout and stderr to logfile
+setup_log() {
+	# Bail out if PMOS_NO_OUTPUT_REDIRECT is set
+	echo "### postmarketOS initramfs ###"
+	grep -q PMOS_NO_OUTPUT_REDIRECT /proc/cmdline && return
+
+	# Print a message about what is going on to the normal output
+	echo "NOTE: All output from the initramfs gets redirected to:"
+	echo "/pmOS_init.log"
+	echo "If you want to disable this behavior (e.g. because you're"
+	echo "debugging over serial), please add this to your kernel"
+	echo "command line: PMOS_NO_OUTPUT_REDIRECT"
+
+	# Start redirect, print the first line again
+	exec >/pmOS_init.log 2>&1
+	echo "### postmarketOS initramfs ###"
+}
+
+mount_proc_sys_dev() {
+	# mdev
+	mount -t proc -o nodev,noexec,nosuid proc /proc
+	mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
+
+	# /dev/pts (needed for telnet)
+	mkdir -p /dev/pts
+	mount -t devpts devpts /dev/pts
+}
+
+setup_mdev() {
+	echo /sbin/mdev >/proc/sys/kernel/hotplug
+	mdev -s
+}
+
+mount_subpartitions() {
 	for i in /dev/mmcblk*; do
-		case "$(kpartx -l "$i" 2> /dev/null | wc -l)" in
+		case "$(kpartx -l "$i" 2>/dev/null | wc -l)" in
 			2)
 				echo "mount subpartitions of $i"
 				kpartx -afs "$i"
@ -17,33 +50,117 @@ mount_subpartitions()
 	done
 }

-find_root_partition()
-{
-	for i in /dev/mapper/* /dev/mmcblk*; do
-		cryptsetup isLuks "$i" || continue
-		echo "$i"
-		break
+find_root_partition() {
+	# The partition layout is one of the following:
+	# a) boot, root partitions on sdcard
+	# b) boot, root partition on the "system" partition (which has its
+	#    own partition header! so we have partitions on partitions!)
+	#
+	# mount_subpartitions() must get executed before calling
+	# find_root_partition(), so partitions from b) also get found.
+	#
+	# However, after executing mount_subpartitions(), the partitions
+	# from a) get mounted to /dev/mapper - and then you can only use
+	# the ones from /dev/mapper, not the original partition paths (they
+	# will appear as busy when trying to mount them). This is an
+	# unwanted side-effect, that we must deal with.
+	# The subpartitions from b) get mounted to /dev/mapper, and this is
+	# what we want.
+	#
+	# To deal with the side-effect, we use the partitions from
+	# /dev/mapper first, and then fall back to partitions with all paths
+	# (in case the user inserted an SD card after mount_subpartitions()
+	# ran!).
+
+	# Try the partitions in /dev/mapper first.
+	for id in pmOS_root crypto_LUKS; do
+		DEVICE="$(blkid | grep /dev/mapper | grep "$id" \
+			| cut -d ":" -f 1)"
+		[ -z "$DEVICE" ] || break
 	done
+
+	# Then try all devices
+	if [ -z "$DEVICE" ]; then
+		for id in pmOS_root crypto_LUKS; do
+			DEVICE="$(blkid | grep "$id" | cut -d ":" -f 1)"
+			[ -z "$DEVICE" ] || break
+		done
+	fi
+	echo "$DEVICE"
 }

-unlock_root_partition()
-{
-	while ! [ -e /dev/mapper/root ]; do
+setup_usb_network_android() {
+	# Only run, when we have the android usb driver
+	SYS=/sys/class/android_usb/android0
+	[ -e "$SYS" ] || return
+
+	# Do the setup
+	printf "%s" "0" >"$SYS/enable"
+	printf "%s" "18D1" >"$SYS/idVendor"
+	printf "%s" "D001" >"$SYS/idProduct"
+	printf "%s" "rndis" >"$SYS/functions"
+	printf "%s" "1" >"$SYS/enable"
+}
+
+setup_usb_network() {
+	# Only run once
+	_marker="/tmp/_setup_usb_network"
+	[ -e "$_marker" ] && return
+	touch "$_marker"
+
+	# Run all usb network setup functions (add more below!)
+	setup_usb_network_android
+}
+
+start_udhcpd() {
+	# Only run once
+	[ -e /etc/udhcpd.conf ] && return
+
+	# Get usb interface
+	INTERFACE=""
+	ifconfig rndis0 "$IP" && INTERFACE=rndis0
+	if [ -z $INTERFACE ]; then
+		ifconfig usb0 "$IP" && INTERFACE=usb0
+	fi
+
+	# Create /etc/udhcpd.conf
+	{
+		echo "start 172.16.42.2"
+		echo "end 172.16.42.254"
+		echo "lease_file /var/udhcpd.leases"
+		echo "interface $INTERFACE"
+		echo "option subnet 255.255.255.0"
+	} >/etc/udhcpd.conf
+
+	# Start the dhcpcd daemon (forks into background)
+	udhcpd
+}
+
+unlock_root_partition() {
+	# Wait for the root partition (and unlock it if it is encrypted)
+	while ! [ -e /sysroot/usr ]; do
 		partition="$(find_root_partition)"
 		if [ -z "$partition" ]; then
-			echo "Could not find cryptsetup partition."
+			echo "Could not find the root partition."
 			echo "Maybe you need to insert the sdcard, if your device has"
 			echo "any? Trying again in one second..."
 			sleep 1
+		elif cryptsetup isLuks "$partition"; then
+			cryptsetup luksOpen "$partition" root || continue
+			partition="/dev/mapper/root"
+			break
 		else
-			cryptsetup luksOpen "$partition" root
+			# Unencrypted
+			break
 		fi
 	done
+
+	# Mount the root partition
+	[ -e /sysroot/usr ] || mount -w -t ext4 "$partition" /sysroot
 }

 # $1: path to ppm.gz file
-show_splash()
-{
-	gzip -c -d "$1" > /tmp/splash.ppm
+show_splash() {
+	gzip -c -d "$1" >/tmp/splash.ppm
 	fbsplash -s /tmp/splash.ppm
 }