Merge pull request #119 from postmarketOS/optional-fde
Optional Full Disk Encryption (Close #86)
commit
21128d29d3
7 changed files with 181 additions and 82 deletions
|
@ -1,7 +1,9 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
IP=172.16.42.1
|
. ./init_functions.sh
|
||||||
TELNET_PORT=24
|
TELNET_PORT=24
|
||||||
|
|
||||||
|
setup_usb_network
|
||||||
|
start_udhcpd
|
||||||
telnetd -b "${IP}:${TELNET_PORT}" -l /bin/sh
|
telnetd -b "${IP}:${TELNET_PORT}" -l /bin/sh
|
||||||
|
|
||||||
echo "---"
|
echo "---"
|
||||||
|
@ -9,4 +11,3 @@ echo "WARNING: usb shell is active on ${IP}:${TELNET_PORT}."
|
||||||
echo "This is a security hole! Only use it for debugging, and"
|
echo "This is a security hole! Only use it for debugging, and"
|
||||||
echo "uninstall the usb-shell hook afterwards!"
|
echo "uninstall the usb-shell hook afterwards!"
|
||||||
echo "---"
|
echo "---"
|
||||||
|
|
||||||
|
|
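Review bot: The `WARNING: usb shell is active on ${IP}:${TELNET_PORT}.` banner in the second hunk probably no longer reaches the screen. The init script on this page now calls `setup_log` (which runs `exec >/pmOS_init.log 2>&1`) before it starts the hooks with `sh "$hook"`, so the hook inherits the redirected stdout. Because this hook starts `telnetd ... -l /bin/sh` with no login step, the warning should stay visible to whoever boots the device, for example by writing it to the console explicitly (`echo "WARNING: ..." >/dev/console`) or by showing a dedicated splash. Separately, `. ./init_functions.sh` here, and the same line in the usb-unlock hook, depends on the working directory, while the generated /telnet_connect.sh uses `. /init_functions.sh`; the absolute path would be the more robust choice in both hooks.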
|
@ -1,6 +1,6 @@
|
||||||
pkgname=postmarketos-mkinitfs-hook-usb-shell
|
pkgname=postmarketos-mkinitfs-hook-usb-shell
|
||||||
pkgver=0.0.1
|
pkgver=0.1.0
|
||||||
pkgrel=1
|
pkgrel=0
|
||||||
pkgdesc="Root shell in the initramfs (security hole, for debugging only)"
|
pkgdesc="Root shell in the initramfs (security hole, for debugging only)"
|
||||||
url="https://github.com/postmarketOS"
|
url="https://github.com/postmarketOS"
|
||||||
# multipath-tools: kpartx
|
# multipath-tools: kpartx
|
||||||
|
@ -18,4 +18,4 @@ package() {
|
||||||
install -Dm644 "$srcdir"/20-usb-shell.sh \
|
install -Dm644 "$srcdir"/20-usb-shell.sh \
|
||||||
"$pkgdir"/etc/postmarketos-mkinitfs/hooks/
|
"$pkgdir"/etc/postmarketos-mkinitfs/hooks/
|
||||||
}
|
}
|
||||||
sha512sums="7154ded57cba1ff76fb8be9bd773ccdb4cd70c588ef763469d7e2fc9796fba13e5624480669b528138c1c5ebfc1a7927dcb80b850e72308b89736d9baee9c231 20-usb-shell.sh"
|
sha512sums="40c6c445fdd03f8c76ba39075e9112ca963dd832f392e469057b622826f274604ec950bbbb89620c5c88e5d76caa0fa4665e445e33ebe31d4c566d4359d24935 20-usb-shell.sh"
|
||||||
|
|
|
@ -1,51 +1,28 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
IP=172.16.42.1
|
. ./init_functions.sh
|
||||||
|
|
||||||
TELNET_PORT=23
|
TELNET_PORT=23
|
||||||
|
|
||||||
usb_setup_android() {
|
start_usb_unlock() {
|
||||||
SYS=/sys/class/android_usb/android0
|
# Only run if we have an encrypted partition
|
||||||
[ -e "$SYS" ] || return
|
cryptsetup isLuks "$(find_root_partition)" || return
|
||||||
printf "%s" "0" > "$SYS/enable"
|
|
||||||
printf "%s" "18D1" > "$SYS/idVendor"
|
|
||||||
printf "%s" "D001" > "$SYS/idProduct"
|
|
||||||
printf "%s" "rndis" > "$SYS/functions"
|
|
||||||
printf "%s" "1" > "$SYS/enable"
|
|
||||||
}
|
|
||||||
|
|
||||||
dhcpcd_start()
|
# Set up networking
|
||||||
{
|
setup_usb_network
|
||||||
# get usb interface
|
start_udhcpd
|
||||||
INTERFACE=""
|
|
||||||
ifconfig rndis0 "$IP" && INTERFACE=rndis0
|
|
||||||
if [ -z $INTERFACE ]; then
|
|
||||||
ifconfig usb0 "$IP" && INTERFACE=usb0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# create /etc/udhcpd.conf
|
# Telnet splash
|
||||||
{
|
show_splash /splash1.ppm.gz
|
||||||
echo "start 172.16.42.2"
|
|
||||||
echo "end 172.16.42.254"
|
|
||||||
echo "lease_file /var/udhcpd.leases"
|
|
||||||
echo "interface $INTERFACE"
|
|
||||||
echo "option subnet 255.255.255.0"
|
|
||||||
} > /etc/udhcpd.conf
|
|
||||||
udhcpd
|
|
||||||
}
|
|
||||||
|
|
||||||
telnetd_start()
|
# Start the telnet daemon
|
||||||
{
|
|
||||||
mkdir -p /dev/pts
|
|
||||||
mount -t devpts devpts /dev/pts
|
|
||||||
{
|
{
|
||||||
echo '#!/bin/sh'
|
echo '#!/bin/sh'
|
||||||
echo '. /init_functions.sh'
|
echo '. /init_functions.sh'
|
||||||
echo 'unlock_root_partition'
|
echo 'unlock_root_partition'
|
||||||
echo 'killall cryptsetup telnetd'
|
echo 'killall cryptsetup telnetd'
|
||||||
} > /telnet_connect.sh
|
} >/telnet_connect.sh
|
||||||
chmod +x /telnet_connect.sh
|
chmod +x /telnet_connect.sh
|
||||||
telnetd -b "${IP}:${TELNET_PORT}" -l /telnet_connect.sh
|
telnetd -b "${IP}:${TELNET_PORT}" -l /telnet_connect.sh
|
||||||
}
|
}
|
||||||
|
|
||||||
usb_setup_android
|
start_usb_unlock
|
||||||
dhcpcd_start
|
|
||||||
telnetd_start
|
|
||||||
|
|
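Review bot: `cryptsetup isLuks "$(find_root_partition)" || return` in `start_usb_unlock` also returns when `find_root_partition` prints nothing, which `unlock_root_partition` treats as the "insert the sdcard" case. On such a boot no telnet unlock listener is started, and when the card appears later only the local `unlock_root_partition` loop in init asks for the passphrase. It would be clearer to separate "no root partition yet" from "root partition is not LUKS", e.g. `part="$(find_root_partition)"; [ -n "$part" ] || ...wait/retry...` before the `isLuks` test. A short comment should say which of the two cases the early return is meant to cover.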
|
@ -1,6 +1,6 @@
|
||||||
pkgname=postmarketos-mkinitfs
|
pkgname=postmarketos-mkinitfs
|
||||||
pkgver=0.0.5
|
pkgver=0.1.1
|
||||||
pkgrel=4
|
pkgrel=0
|
||||||
pkgdesc="Tool to generate initramfs images for postmarketOS"
|
pkgdesc="Tool to generate initramfs images for postmarketOS"
|
||||||
url="https://github.com/postmarketOS"
|
url="https://github.com/postmarketOS"
|
||||||
# multipath-tools: kpartx
|
# multipath-tools: kpartx
|
||||||
|
@ -27,9 +27,9 @@ package() {
|
||||||
install -Dm644 "$srcdir/10-usb-unlock.sh" \
|
install -Dm644 "$srcdir/10-usb-unlock.sh" \
|
||||||
"$pkgdir/etc/postmarketos-mkinitfs/hooks/"
|
"$pkgdir/etc/postmarketos-mkinitfs/hooks/"
|
||||||
}
|
}
|
||||||
sha512sums="2f45dee1ad9ef75166d614774e0ee2a6856950990c063bce7d0e98ed27599d2f8040c6118a9381aab4a69c79f96a30eb044b6b29ef2afb2a9374bac5f5a398da init.sh.in
|
sha512sums="db4a7642544d60a2e9e88fbacf652f093f0570f859bd9658d2a0a39c9d08d27eb9d21e72e9c0ca5f7676646732068c087396334c4fa5e6099aa7d2d64055f764 init.sh.in
|
||||||
3ebc5fa2220a8da920ebca67f14c38b0c296eafdbcf312997b442a020d1683bd622a42a946a61b4d80cbecf28853c915480e26ffe59eda57769855303b67bbdf init_functions.sh
|
66f442648fb38529ec594e62ee2307269ca875c7f9340726adcb211e9be42a6ba60fd296af0503a65c7f230c25cf3494783e4282f2468c63116b9500f5d184c6 init_functions.sh
|
||||||
dd3c86c6ba4f91e20b72f4180049960a58dc01002f69ad9e5d98c752da3b34711c2bbe6e0c7d003eb6a4a8d9e185796aa2fe84c0231a3057b204912c439140f7 mkinitfs.sh
|
dd3c86c6ba4f91e20b72f4180049960a58dc01002f69ad9e5d98c752da3b34711c2bbe6e0c7d003eb6a4a8d9e185796aa2fe84c0231a3057b204912c439140f7 mkinitfs.sh
|
||||||
82f0b9927bfef919c6561d67283a0e77c36ef8f8d11000a6153b52e39731ceaa65b9a34c682e737881dc676cc8bfc97dfbbfdeb2ca03594b8f9beef9e49a754d 10-usb-unlock.sh
|
81d001ab185a8db1b9335d7c8c278d49ab0446bc15bb00dd22e4de16633433a183888f3f1096399bfe361ed719dcc4203afdf4b4f10e74a9c1e50bbbfc46951c 10-usb-unlock.sh
|
||||||
35a8eabad947347afec7e3f5860d31ab9e3534972c0960ccf553c7e1cc9262316bfdddb8d61d3588db1ee2261077597617806080b9956798b3e5088d6f9b596b splash1.ppm.gz
|
35a8eabad947347afec7e3f5860d31ab9e3534972c0960ccf553c7e1cc9262316bfdddb8d61d3588db1ee2261077597617806080b9956798b3e5088d6f9b596b splash1.ppm.gz
|
||||||
bf11d8b3a50db984cfbb2cafe6687de327242c1f6f56c6fdd02ca579b05213f9c886aa1c0527530fdec21b16e65e68962e40a600c4ce155819df2f610b435087 splash2.ppm.gz"
|
bf11d8b3a50db984cfbb2cafe6687de327242c1f6f56c6fdd02ca579b05213f9c886aa1c0527530fdec21b16e65e68962e40a600c4ce155819df2f610b435087 splash2.ppm.gz"
|
||||||
|
|
|
@ -1,6 +1,3 @@
|
||||||
- use device labels or uuids inside init to properly detect the right
|
|
||||||
partition
|
|
||||||
|
|
||||||
- support for adding files/modules in hooks (one file per hook):
|
- support for adding files/modules in hooks (one file per hook):
|
||||||
- add build() function
|
- add build() function
|
||||||
- should have add_module and add_file functions
|
- should have add_module and add_file functions
|
||||||
|
|
|
@ -5,34 +5,41 @@ export PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
||||||
/bin/busybox --install -s
|
/bin/busybox --install -s
|
||||||
/bin/busybox-extras --install -s
|
/bin/busybox-extras --install -s
|
||||||
|
|
||||||
# kernel modules
|
# Mount everything, set up logging, modules, mdev
|
||||||
modprobe -a @MODULES@
|
mount_proc_sys_dev
|
||||||
|
setup_log
|
||||||
# mdev
|
[ -d /lib/modules ] && modprobe -a @MODULES@
|
||||||
mount -t proc -o nodev,noexec,nosuid proc /proc
|
setup_mdev
|
||||||
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
|
|
||||||
echo /sbin/mdev > /proc/sys/kernel/hotplug
|
|
||||||
mdev -s
|
|
||||||
|
|
||||||
# subpartitions
|
|
||||||
mount_subpartitions
|
mount_subpartitions
|
||||||
|
|
||||||
# hooks
|
# Always run dhcp daemon/usb networking for now (later this should only
|
||||||
|
# be enabled, when having the usb-shell hook installed for debugging,
|
||||||
|
# or get activated after the initramfs is done with an OpenRC service).
|
||||||
|
setup_usb_network
|
||||||
|
start_udhcpd
|
||||||
|
|
||||||
|
# Hooks
|
||||||
for hook in /etc/postmarketos-mkinitfs/hooks/*.sh; do
|
for hook in /etc/postmarketos-mkinitfs/hooks/*.sh; do
|
||||||
[ -e "$hook" ] || continue
|
[ -e "$hook" ] || continue
|
||||||
sh "$hook"
|
sh "$hook"
|
||||||
done
|
done
|
||||||
show_splash /splash1.ppm.gz
|
|
||||||
|
|
||||||
# unlock root partition
|
# Unlock root partition
|
||||||
unlock_root_partition
|
unlock_root_partition
|
||||||
|
|
||||||
# switch root
|
# Switch root
|
||||||
show_splash /splash2.ppm.gz
|
show_splash /splash2.ppm.gz
|
||||||
killall telnetd mdev 2&> /dev/null
|
killall telnetd mdev 2>/dev/null
|
||||||
mount -w -t ext4 /dev/mapper/root /sysroot
|
|
||||||
umount /proc
|
umount /proc
|
||||||
umount /sys
|
umount /sys
|
||||||
umount /dev/pts
|
umount /dev/pts
|
||||||
umount /dev
|
umount /dev
|
||||||
|
|
||||||
|
# shellcheck disable=SC2093
|
||||||
exec switch_root /sysroot /sbin/init
|
exec switch_root /sysroot /sbin/init
|
||||||
|
|
||||||
|
echo "ERROR: switch_root failed!"
|
||||||
|
echo "Looping forever. Install and use the usb-shell hook to debug this."
|
||||||
|
while true; do
|
||||||
|
sleep 1
|
||||||
|
done
|
||||||
|
|
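Review bot: The fallback added after `exec switch_root /sysroot /sbin/init` looks unreachable. Once the exec succeeds the shell is replaced, so a switch_root that then fails simply exits as PID 1, and if the exec itself fails a non-interactive sh normally exits as well; the suppressed SC2093 warning points at the same thing. If the goal is a debuggable hang, test the precondition before the exec, e.g. `[ -x /sysroot/sbin/init ] || { echo "ERROR: no init in /sysroot"; while true; do sleep 1; done; }`. With `setup_log` active these messages also land in /pmOS_init.log, not on the screen, so the hint about the usb-shell hook would not be seen. The script starts before this hunk, so where init_functions.sh is sourced is not visible here.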
|
@ -1,10 +1,43 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# This file will be in /init_functions.sh inside the initramfs.
|
# This file will be in /init_functions.sh inside the initramfs.
|
||||||
|
IP=172.16.42.1
|
||||||
|
|
||||||
mount_subpartitions()
|
# Redirect stdout and stderr to logfile
|
||||||
{
|
setup_log() {
|
||||||
|
# Bail out if PMOS_NO_OUTPUT_REDIRECT is set
|
||||||
|
echo "### postmarketOS initramfs ###"
|
||||||
|
grep -q PMOS_NO_OUTPUT_REDIRECT /proc/cmdline && return
|
||||||
|
|
||||||
|
# Print a message about what is going on to the normal output
|
||||||
|
echo "NOTE: All output from the initramfs gets redirected to:"
|
||||||
|
echo "/pmOS_init.log"
|
||||||
|
echo "If you want to disable this behavior (e.g. because you're"
|
||||||
|
echo "debugging over serial), please add this to your kernel"
|
||||||
|
echo "command line: PMOS_NO_OUTPUT_REDIRECT"
|
||||||
|
|
||||||
|
# Start redirect, print the first line again
|
||||||
|
exec >/pmOS_init.log 2>&1
|
||||||
|
echo "### postmarketOS initramfs ###"
|
||||||
|
}
|
||||||
|
|
||||||
|
mount_proc_sys_dev() {
|
||||||
|
# mdev
|
||||||
|
mount -t proc -o nodev,noexec,nosuid proc /proc
|
||||||
|
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
|
||||||
|
|
||||||
|
# /dev/pts (needed for telnet)
|
||||||
|
mkdir -p /dev/pts
|
||||||
|
mount -t devpts devpts /dev/pts
|
||||||
|
}
|
||||||
|
|
||||||
|
setup_mdev() {
|
||||||
|
echo /sbin/mdev >/proc/sys/kernel/hotplug
|
||||||
|
mdev -s
|
||||||
|
}
|
||||||
|
|
||||||
|
mount_subpartitions() {
|
||||||
for i in /dev/mmcblk*; do
|
for i in /dev/mmcblk*; do
|
||||||
case "$(kpartx -l "$i" 2> /dev/null | wc -l)" in
|
case "$(kpartx -l "$i" 2>/dev/null | wc -l)" in
|
||||||
2)
|
2)
|
||||||
echo "mount subpartitions of $i"
|
echo "mount subpartitions of $i"
|
||||||
kpartx -afs "$i"
|
kpartx -afs "$i"
|
||||||
|
@ -17,33 +50,117 @@ mount_subpartitions()
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
find_root_partition()
|
find_root_partition() {
|
||||||
{
|
# The partition layout is one of the following:
|
||||||
for i in /dev/mapper/* /dev/mmcblk*; do
|
# a) boot, root partitions on sdcard
|
||||||
cryptsetup isLuks "$i" || continue
|
# b) boot, root partition on the "system" partition (which has its
|
||||||
echo "$i"
|
# own partition header! so we have partitions on partitions!)
|
||||||
break
|
#
|
||||||
|
# mount_subpartitions() must get executed before calling
|
||||||
|
# find_root_partition(), so partitions from b) also get found.
|
||||||
|
#
|
||||||
|
# However, after executing mount_subpartitions(), the partitions
|
||||||
|
# from a) get mounted to /dev/mapper - and then you can only use
|
||||||
|
# the ones from /dev/mapper, not the original partition paths (they
|
||||||
|
# will appear as busy when trying to mount them). This is an
|
||||||
|
# unwanted side-effect, that we must deal with.
|
||||||
|
# The subpartitions from b) get mounted to /dev/mapper, and this is
|
||||||
|
# what we want.
|
||||||
|
#
|
||||||
|
# To deal with the side-effect, we use the partitions from
|
||||||
|
# /dev/mapper first, and then fall back to partitions with all paths
|
||||||
|
# (in case the user inserted an SD card after mount_subpartitions()
|
||||||
|
# ran!).
|
||||||
|
|
||||||
|
# Try the partitions in /dev/mapper first.
|
||||||
|
for id in pmOS_root crypto_LUKS; do
|
||||||
|
DEVICE="$(blkid | grep /dev/mapper | grep "$id" \
|
||||||
|
| cut -d ":" -f 1)"
|
||||||
|
[ -z "$DEVICE" ] || break
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Then try all devices
|
||||||
|
if [ -z "$DEVICE" ]; then
|
||||||
|
for id in pmOS_root crypto_LUKS; do
|
||||||
|
DEVICE="$(blkid | grep "$id" | cut -d ":" -f 1)"
|
||||||
|
[ -z "$DEVICE" ] || break
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
echo "$DEVICE"
|
||||||
}
|
}
|
||||||
|
|
||||||
unlock_root_partition()
|
setup_usb_network_android() {
|
||||||
{
|
# Only run, when we have the android usb driver
|
||||||
while ! [ -e /dev/mapper/root ]; do
|
SYS=/sys/class/android_usb/android0
|
||||||
|
[ -e "$SYS" ] || return
|
||||||
|
|
||||||
|
# Do the setup
|
||||||
|
printf "%s" "0" >"$SYS/enable"
|
||||||
|
printf "%s" "18D1" >"$SYS/idVendor"
|
||||||
|
printf "%s" "D001" >"$SYS/idProduct"
|
||||||
|
printf "%s" "rndis" >"$SYS/functions"
|
||||||
|
printf "%s" "1" >"$SYS/enable"
|
||||||
|
}
|
||||||
|
|
||||||
|
setup_usb_network() {
|
||||||
|
# Only run once
|
||||||
|
_marker="/tmp/_setup_usb_network"
|
||||||
|
[ -e "$_marker" ] && return
|
||||||
|
touch "$_marker"
|
||||||
|
|
||||||
|
# Run all usb network setup functions (add more below!)
|
||||||
|
setup_usb_network_android
|
||||||
|
}
|
||||||
|
|
||||||
|
start_udhcpd() {
|
||||||
|
# Only run once
|
||||||
|
[ -e /etc/udhcpd.conf ] && return
|
||||||
|
|
||||||
|
# Get usb interface
|
||||||
|
INTERFACE=""
|
||||||
|
ifconfig rndis0 "$IP" && INTERFACE=rndis0
|
||||||
|
if [ -z $INTERFACE ]; then
|
||||||
|
ifconfig usb0 "$IP" && INTERFACE=usb0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create /etc/udhcpd.conf
|
||||||
|
{
|
||||||
|
echo "start 172.16.42.2"
|
||||||
|
echo "end 172.16.42.254"
|
||||||
|
echo "lease_file /var/udhcpd.leases"
|
||||||
|
echo "interface $INTERFACE"
|
||||||
|
echo "option subnet 255.255.255.0"
|
||||||
|
} >/etc/udhcpd.conf
|
||||||
|
|
||||||
|
# Start the dhcpcd daemon (forks into background)
|
||||||
|
udhcpd
|
||||||
|
}
|
||||||
|
|
||||||
|
unlock_root_partition() {
|
||||||
|
# Wait for the root partition (and unlock it if it is encrypted)
|
||||||
|
while ! [ -e /sysroot/usr ]; do
|
||||||
partition="$(find_root_partition)"
|
partition="$(find_root_partition)"
|
||||||
if [ -z "$partition" ]; then
|
if [ -z "$partition" ]; then
|
||||||
echo "Could not find cryptsetup partition."
|
echo "Could not find the root partition."
|
||||||
echo "Maybe you need to insert the sdcard, if your device has"
|
echo "Maybe you need to insert the sdcard, if your device has"
|
||||||
echo "any? Trying again in one second..."
|
echo "any? Trying again in one second..."
|
||||||
sleep 1
|
sleep 1
|
||||||
|
elif cryptsetup isLuks "$partition"; then
|
||||||
|
cryptsetup luksOpen "$partition" root || continue
|
||||||
|
partition="/dev/mapper/root"
|
||||||
|
break
|
||||||
else
|
else
|
||||||
cryptsetup luksOpen "$partition" root
|
# Unencrypted
|
||||||
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Mount the root partition
|
||||||
|
[ -e /sysroot/usr ] || mount -w -t ext4 "$partition" /sysroot
|
||||||
}
|
}
|
||||||
|
|
||||||
# $1: path to ppm.gz file
|
# $1: path to ppm.gz file
|
||||||
show_splash()
|
show_splash() {
|
||||||
{
|
gzip -c -d "$1" >/tmp/splash.ppm
|
||||||
gzip -c -d "$1" > /tmp/splash.ppm
|
|
||||||
fbsplash -s /tmp/splash.ppm
|
fbsplash -s /tmp/splash.ppm
|
||||||
}
|
}
|
||||||
|
|
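Review bot: In `find_root_partition`, `blkid | grep "$id" | cut -d ":" -f 1` matches the id anywhere in a blkid line and keeps every matching device, so with two LUKS or two `pmOS_root` candidates `DEVICE` becomes a multi-line string. `cryptsetup isLuks "$partition"` then fails in `unlock_root_partition`, the code takes the `# Unencrypted` branch, and the unchecked `mount -w -t ext4 "$partition" /sysroot` fails before init carries on to switch_root. Matching the field and keeping one result would avoid that, e.g. `grep "LABEL=\"$id\""` for the label case and `| head -n 1` at the end of both pipelines. Because `pmOS_root` is tried before `crypto_LUKS`, an unencrypted partition carrying that label is also preferred over the encrypted root; on installs that are meant to be encrypted it may be worth refusing an unencrypted root unless that was chosen at install time.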