Merge pull request #119 from postmarketOS/optional-fde

Optional Full Disk Encryption (Close #86)
Oliver Smith 2017-06-28 22:03:08 +00:00 committed by GitHub
commit 21128d29d3
7 changed files with 181 additions and 82 deletions


@ -1,7 +1,9 @@
#!/bin/sh #!/bin/sh
IP=172.16.42.1 . ./init_functions.sh
TELNET_PORT=24 TELNET_PORT=24
setup_usb_network
start_udhcpd
telnetd -b "${IP}:${TELNET_PORT}" -l /bin/sh telnetd -b "${IP}:${TELNET_PORT}" -l /bin/sh
echo "---" echo "---"
@ -9,4 +11,3 @@ echo "WARNING: usb shell is active on ${IP}:${TELNET_PORT}."
echo "This is a security hole! Only use it for debugging, and" echo "This is a security hole! Only use it for debugging, and"
echo "uninstall the usb-shell hook afterwards!" echo "uninstall the usb-shell hook afterwards!"
echo "---" echo "---"
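Review bot: The new `. ./init_functions.sh` resolves against the current working directory, while the script that 10-usb-unlock.sh generates sources `/init_functions.sh`, and the header of init_functions.sh says that is where the file lives inside the initramfs. If a hook is ever run with a working directory other than `/`, the source fails, so `IP` is never set and the telnetd bind address is wrong, or the hook aborts. Use `. /init_functions.sh` here. The same relative line appears at the top of 10-usb-unlock.sh.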


@ -1,6 +1,6 @@
pkgname=postmarketos-mkinitfs-hook-usb-shell pkgname=postmarketos-mkinitfs-hook-usb-shell
pkgver=0.0.1 pkgver=0.1.0
pkgrel=1 pkgrel=0
pkgdesc="Root shell in the initramfs (security hole, for debugging only)" pkgdesc="Root shell in the initramfs (security hole, for debugging only)"
url="https://github.com/postmarketOS" url="https://github.com/postmarketOS"
# multipath-tools: kpartx # multipath-tools: kpartx
@ -18,4 +18,4 @@ package() {
install -Dm644 "$srcdir"/20-usb-shell.sh \ install -Dm644 "$srcdir"/20-usb-shell.sh \
"$pkgdir"/etc/postmarketos-mkinitfs/hooks/ "$pkgdir"/etc/postmarketos-mkinitfs/hooks/
} }
sha512sums="7154ded57cba1ff76fb8be9bd773ccdb4cd70c588ef763469d7e2fc9796fba13e5624480669b528138c1c5ebfc1a7927dcb80b850e72308b89736d9baee9c231 20-usb-shell.sh" sha512sums="40c6c445fdd03f8c76ba39075e9112ca963dd832f392e469057b622826f274604ec950bbbb89620c5c88e5d76caa0fa4665e445e33ebe31d4c566d4359d24935 20-usb-shell.sh"


@ -1,51 +1,28 @@
#!/bin/sh #!/bin/sh
IP=172.16.42.1 . ./init_functions.sh
TELNET_PORT=23 TELNET_PORT=23
usb_setup_android() { start_usb_unlock() {
SYS=/sys/class/android_usb/android0 # Only run if we have an encrypted partition
[ -e "$SYS" ] || return cryptsetup isLuks "$(find_root_partition)" || return
printf "%s" "0" > "$SYS/enable"
printf "%s" "18D1" > "$SYS/idVendor"
printf "%s" "D001" > "$SYS/idProduct"
printf "%s" "rndis" > "$SYS/functions"
printf "%s" "1" > "$SYS/enable"
}
dhcpcd_start() # Set up networking
{ setup_usb_network
# get usb interface start_udhcpd
INTERFACE=""
ifconfig rndis0 "$IP" && INTERFACE=rndis0
if [ -z $INTERFACE ]; then
ifconfig usb0 "$IP" && INTERFACE=usb0
fi
# create /etc/udhcpd.conf # Telnet splash
{ show_splash /splash1.ppm.gz
echo "start 172.16.42.2"
echo "end 172.16.42.254"
echo "lease_file /var/udhcpd.leases"
echo "interface $INTERFACE"
echo "option subnet 255.255.255.0"
} > /etc/udhcpd.conf
udhcpd
}
telnetd_start() # Start the telnet daemon
{
mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
{ {
echo '#!/bin/sh' echo '#!/bin/sh'
echo '. /init_functions.sh' echo '. /init_functions.sh'
echo 'unlock_root_partition' echo 'unlock_root_partition'
echo 'killall cryptsetup telnetd' echo 'killall cryptsetup telnetd'
} > /telnet_connect.sh } >/telnet_connect.sh
chmod +x /telnet_connect.sh chmod +x /telnet_connect.sh
telnetd -b "${IP}:${TELNET_PORT}" -l /telnet_connect.sh telnetd -b "${IP}:${TELNET_PORT}" -l /telnet_connect.sh
} }
usb_setup_android start_usb_unlock
dhcpcd_start
telnetd_start
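Review bot: `cryptsetup isLuks "$(find_root_partition)" || return` decides only once, at hook time, whether telnet unlock is offered, and it also returns when find_root_partition prints nothing. The comment block in find_root_partition and the retry loop in unlock_root_partition both allow for an SD card that appears later. In that case the hook has already exited, so an encrypted root found afterwards can only be unlocked from the local console. At minimum separate the two cases and log the first, e.g. `partition="$(find_root_partition)"` followed by `[ -n "$partition" ] || echo "usb-unlock: no root partition found yet, telnet unlock not started"`. Whether the hook should instead wait or re-check is a design call for the author.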


@ -1,6 +1,6 @@
pkgname=postmarketos-mkinitfs pkgname=postmarketos-mkinitfs
pkgver=0.0.5 pkgver=0.1.1
pkgrel=4 pkgrel=0
pkgdesc="Tool to generate initramfs images for postmarketOS" pkgdesc="Tool to generate initramfs images for postmarketOS"
url="https://github.com/postmarketOS" url="https://github.com/postmarketOS"
# multipath-tools: kpartx # multipath-tools: kpartx
@ -27,9 +27,9 @@ package() {
install -Dm644 "$srcdir/10-usb-unlock.sh" \ install -Dm644 "$srcdir/10-usb-unlock.sh" \
"$pkgdir/etc/postmarketos-mkinitfs/hooks/" "$pkgdir/etc/postmarketos-mkinitfs/hooks/"
} }
sha512sums="2f45dee1ad9ef75166d614774e0ee2a6856950990c063bce7d0e98ed27599d2f8040c6118a9381aab4a69c79f96a30eb044b6b29ef2afb2a9374bac5f5a398da init.sh.in sha512sums="db4a7642544d60a2e9e88fbacf652f093f0570f859bd9658d2a0a39c9d08d27eb9d21e72e9c0ca5f7676646732068c087396334c4fa5e6099aa7d2d64055f764 init.sh.in
3ebc5fa2220a8da920ebca67f14c38b0c296eafdbcf312997b442a020d1683bd622a42a946a61b4d80cbecf28853c915480e26ffe59eda57769855303b67bbdf init_functions.sh 66f442648fb38529ec594e62ee2307269ca875c7f9340726adcb211e9be42a6ba60fd296af0503a65c7f230c25cf3494783e4282f2468c63116b9500f5d184c6 init_functions.sh
dd3c86c6ba4f91e20b72f4180049960a58dc01002f69ad9e5d98c752da3b34711c2bbe6e0c7d003eb6a4a8d9e185796aa2fe84c0231a3057b204912c439140f7 mkinitfs.sh dd3c86c6ba4f91e20b72f4180049960a58dc01002f69ad9e5d98c752da3b34711c2bbe6e0c7d003eb6a4a8d9e185796aa2fe84c0231a3057b204912c439140f7 mkinitfs.sh
82f0b9927bfef919c6561d67283a0e77c36ef8f8d11000a6153b52e39731ceaa65b9a34c682e737881dc676cc8bfc97dfbbfdeb2ca03594b8f9beef9e49a754d 10-usb-unlock.sh 81d001ab185a8db1b9335d7c8c278d49ab0446bc15bb00dd22e4de16633433a183888f3f1096399bfe361ed719dcc4203afdf4b4f10e74a9c1e50bbbfc46951c 10-usb-unlock.sh
35a8eabad947347afec7e3f5860d31ab9e3534972c0960ccf553c7e1cc9262316bfdddb8d61d3588db1ee2261077597617806080b9956798b3e5088d6f9b596b splash1.ppm.gz 35a8eabad947347afec7e3f5860d31ab9e3534972c0960ccf553c7e1cc9262316bfdddb8d61d3588db1ee2261077597617806080b9956798b3e5088d6f9b596b splash1.ppm.gz
bf11d8b3a50db984cfbb2cafe6687de327242c1f6f56c6fdd02ca579b05213f9c886aa1c0527530fdec21b16e65e68962e40a600c4ce155819df2f610b435087 splash2.ppm.gz" bf11d8b3a50db984cfbb2cafe6687de327242c1f6f56c6fdd02ca579b05213f9c886aa1c0527530fdec21b16e65e68962e40a600c4ce155819df2f610b435087 splash2.ppm.gz"


@ -1,6 +1,3 @@
- use device labels or uuids inside init to properly detect the right
partition
- support for adding files/modules in hooks (one file per hook): - support for adding files/modules in hooks (one file per hook):
- add build() function - add build() function
- should have add_module and add_file functions - should have add_module and add_file functions


@ -5,34 +5,41 @@ export PATH=/usr/bin:/bin:/usr/sbin:/sbin
/bin/busybox --install -s /bin/busybox --install -s
/bin/busybox-extras --install -s /bin/busybox-extras --install -s
# kernel modules # Mount everything, set up logging, modules, mdev
modprobe -a @MODULES@ mount_proc_sys_dev
setup_log
# mdev [ -d /lib/modules ] && modprobe -a @MODULES@
mount -t proc -o nodev,noexec,nosuid proc /proc setup_mdev
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
echo /sbin/mdev > /proc/sys/kernel/hotplug
mdev -s
# subpartitions
mount_subpartitions mount_subpartitions
# hooks # Always run dhcp daemon/usb networking for now (later this should only
# be enabled, when having the usb-shell hook installed for debugging,
# or get activated after the initramfs is done with an OpenRC service).
setup_usb_network
start_udhcpd
# Hooks
for hook in /etc/postmarketos-mkinitfs/hooks/*.sh; do for hook in /etc/postmarketos-mkinitfs/hooks/*.sh; do
[ -e "$hook" ] || continue [ -e "$hook" ] || continue
sh "$hook" sh "$hook"
done done
show_splash /splash1.ppm.gz
# unlock root partition # Unlock root partition
unlock_root_partition unlock_root_partition
# switch root # Switch root
show_splash /splash2.ppm.gz show_splash /splash2.ppm.gz
killall telnetd mdev 2&> /dev/null killall telnetd mdev 2>/dev/null
mount -w -t ext4 /dev/mapper/root /sysroot
umount /proc umount /proc
umount /sys umount /sys
umount /dev/pts umount /dev/pts
umount /dev umount /dev
# shellcheck disable=SC2093
exec switch_root /sysroot /sbin/init exec switch_root /sysroot /sbin/init
echo "ERROR: switch_root failed!"
echo "Looping forever. Install and use the usb-shell hook to debug this."
while true; do
sleep 1
done
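Review bot: The error message and the `while true` loop added after `exec switch_root /sysroot /sbin/init` will probably never run. A non-interactive sh exits when exec cannot start the command, and once switch_root has started it is PID 1 itself, so a failure there ends PID 1 either way. By that point `killall telnetd` and the umounts have already run, so the usb-shell the message points to is no longer reachable. With the redirect from setup_log active, the text also lands in /pmOS_init.log rather than on the console. Checking for the init binary before the teardown keeps the debug path alive; a sketch follows, placed before the killall line.

```shell
show_splash /splash2.ppm.gz
# Check the target while telnetd and /proc are still available; nothing
# after a failed exec of PID 1 can be relied on to run.
if ! [ -e /sysroot/sbin/init ] && ! [ -L /sysroot/sbin/init ]; then
	echo "ERROR: /sbin/init not found in /sysroot!"
	echo "Looping forever. Install and use the usb-shell hook to debug this."
	while true; do
		sleep 1
	done
fi
# … unchanged: killall, umount /proc /sys /dev/pts /dev, exec switch_root …
```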


@ -1,10 +1,43 @@
#!/bin/sh #!/bin/sh
# This file will be in /init_functions.sh inside the initramfs. # This file will be in /init_functions.sh inside the initramfs.
IP=172.16.42.1
mount_subpartitions() # Redirect stdout and stderr to logfile
{ setup_log() {
# Bail out if PMOS_NO_OUTPUT_REDIRECT is set
echo "### postmarketOS initramfs ###"
grep -q PMOS_NO_OUTPUT_REDIRECT /proc/cmdline && return
# Print a message about what is going on to the normal output
echo "NOTE: All output from the initramfs gets redirected to:"
echo "/pmOS_init.log"
echo "If you want to disable this behavior (e.g. because you're"
echo "debugging over serial), please add this to your kernel"
echo "command line: PMOS_NO_OUTPUT_REDIRECT"
# Start redirect, print the first line again
exec >/pmOS_init.log 2>&1
echo "### postmarketOS initramfs ###"
}
mount_proc_sys_dev() {
# mdev
mount -t proc -o nodev,noexec,nosuid proc /proc
mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
# /dev/pts (needed for telnet)
mkdir -p /dev/pts
mount -t devpts devpts /dev/pts
}
setup_mdev() {
echo /sbin/mdev >/proc/sys/kernel/hotplug
mdev -s
}
mount_subpartitions() {
for i in /dev/mmcblk*; do for i in /dev/mmcblk*; do
case "$(kpartx -l "$i" 2> /dev/null | wc -l)" in case "$(kpartx -l "$i" 2>/dev/null | wc -l)" in
2) 2)
echo "mount subpartitions of $i" echo "mount subpartitions of $i"
kpartx -afs "$i" kpartx -afs "$i"
@ -17,33 +50,117 @@ mount_subpartitions()
done done
} }
find_root_partition() find_root_partition() {
{ # The partition layout is one of the following:
for i in /dev/mapper/* /dev/mmcblk*; do # a) boot, root partitions on sdcard
cryptsetup isLuks "$i" || continue # b) boot, root partition on the "system" partition (which has its
echo "$i" # own partition header! so we have partitions on partitions!)
break #
# mount_subpartitions() must get executed before calling
# find_root_partition(), so partitions from b) also get found.
#
# However, after executing mount_subpartitions(), the partitions
# from a) get mounted to /dev/mapper - and then you can only use
# the ones from /dev/mapper, not the original partition paths (they
# will appear as busy when trying to mount them). This is an
# unwanted side-effect, that we must deal with.
# The subpartitions from b) get mounted to /dev/mapper, and this is
# what we want.
#
# To deal with the side-effect, we use the partitions from
# /dev/mapper first, and then fall back to partitions with all paths
# (in case the user inserted an SD card after mount_subpartitions()
# ran!).
# Try the partitions in /dev/mapper first.
for id in pmOS_root crypto_LUKS; do
DEVICE="$(blkid | grep /dev/mapper | grep "$id" \
| cut -d ":" -f 1)"
[ -z "$DEVICE" ] || break
done done
# Then try all devices
if [ -z "$DEVICE" ]; then
for id in pmOS_root crypto_LUKS; do
DEVICE="$(blkid | grep "$id" | cut -d ":" -f 1)"
[ -z "$DEVICE" ] || break
done
fi
echo "$DEVICE"
} }
unlock_root_partition() setup_usb_network_android() {
{ # Only run, when we have the android usb driver
while ! [ -e /dev/mapper/root ]; do SYS=/sys/class/android_usb/android0
[ -e "$SYS" ] || return
# Do the setup
printf "%s" "0" >"$SYS/enable"
printf "%s" "18D1" >"$SYS/idVendor"
printf "%s" "D001" >"$SYS/idProduct"
printf "%s" "rndis" >"$SYS/functions"
printf "%s" "1" >"$SYS/enable"
}
setup_usb_network() {
# Only run once
_marker="/tmp/_setup_usb_network"
[ -e "$_marker" ] && return
touch "$_marker"
# Run all usb network setup functions (add more below!)
setup_usb_network_android
}
start_udhcpd() {
# Only run once
[ -e /etc/udhcpd.conf ] && return
# Get usb interface
INTERFACE=""
ifconfig rndis0 "$IP" && INTERFACE=rndis0
if [ -z $INTERFACE ]; then
ifconfig usb0 "$IP" && INTERFACE=usb0
fi
# Create /etc/udhcpd.conf
{
echo "start 172.16.42.2"
echo "end 172.16.42.254"
echo "lease_file /var/udhcpd.leases"
echo "interface $INTERFACE"
echo "option subnet 255.255.255.0"
} >/etc/udhcpd.conf
# Start the dhcpcd daemon (forks into background)
udhcpd
}
unlock_root_partition() {
# Wait for the root partition (and unlock it if it is encrypted)
while ! [ -e /sysroot/usr ]; do
partition="$(find_root_partition)" partition="$(find_root_partition)"
if [ -z "$partition" ]; then if [ -z "$partition" ]; then
echo "Could not find cryptsetup partition." echo "Could not find the root partition."
echo "Maybe you need to insert the sdcard, if your device has" echo "Maybe you need to insert the sdcard, if your device has"
echo "any? Trying again in one second..." echo "any? Trying again in one second..."
sleep 1 sleep 1
elif cryptsetup isLuks "$partition"; then
cryptsetup luksOpen "$partition" root || continue
partition="/dev/mapper/root"
break
else else
cryptsetup luksOpen "$partition" root # Unencrypted
break
fi fi
done done
# Mount the root partition
[ -e /sysroot/usr ] || mount -w -t ext4 "$partition" /sysroot
} }
# $1: path to ppm.gz file # $1: path to ppm.gz file
show_splash() show_splash() {
{ gzip -c -d "$1" >/tmp/splash.ppm
gzip -c -d "$1" > /tmp/splash.ppm
fbsplash -s /tmp/splash.ppm fbsplash -s /tmp/splash.ppm
} }
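Review bot: find_root_partition picks the root device with a bare substring match (`grep "$id"`) over every line blkid prints, and the fallback pass covers all block devices. Any partition whose label, UUID or type text contains `pmOS_root` or `crypto_LUKS` therefore qualifies, including one on removable media. When more than one line matches, `DEVICE` holds several paths separated by newlines and is handed as a single argument to `cryptsetup isLuks` and `mount`. Match the quoted field value and keep a single result, e.g. `DEVICE="$(blkid | grep /dev/mapper | grep "=\"$id\"" | cut -d ":" -f 1 | head -n 1)"`, with the same change in the all-devices loop. The comment block should also state which device wins when both an internal and an external candidate exist.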