Commit bef46d72 authored by Guido Gunther's avatar Guido Gunther

Merge branch 'pureos/amber' into 'pureos/amber'

Add luks support

See merge request !2
parents 9453ce07 842de996
include:
- 'https://source.puri.sm/Librem5/librem5-ci/raw/master/librem5-pipeline-definitions.yml'
stages:
- package
- test-package
package:deb-debian-buster:
extends: .l5-build-debian-package
lintian-debian-buster-package:
dependencies:
- package:deb-debian-buster
extends: .l5-lintian-debian-package
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Thu, 12 Nov 2020 14:01:22 +0100
Subject: Add luks support
This allows to build a crypted rootfs and sets up crypttab accordingly.
No assumption is made about how the rootfs is unlocked.
---
bin/vmdebootstrap | 13 ++++++++++++-
vmdebootstrap/filesystem.py | 41 ++++++++++++++++++++++++++++++++++-------
2 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/bin/vmdebootstrap b/bin/vmdebootstrap
index d9a697d..0bf2bd2 100755
--- a/bin/vmdebootstrap
+++ b/bin/vmdebootstrap
@@ -84,6 +84,8 @@ class VmDebootstrap(cliapp.Application): # pylint: disable=too-many-public-meth
self.settings.string(['part-type'], 'Partition type to use for this image', default='msdos')
self.settings.string(['roottype'], 'specify file system type for /', default='ext4')
self.settings.bytesize(['swap'], 'create swap space of size SIZE (min 256MB)')
+ self.settings.boolean(['use-luks'], 'Setup rootfs on a luks device', default=False)
+ self.settings.string(['luks-passphrase'], 'luks passphrase to use', default='')
self.settings.string(['foreign'], 'set up foreign debootstrap environment '
'using provided program (ie binfmt handler)')
self.settings.string_list(['debootstrapopts'], 'pass additional options to debootstrap')
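Review bot: The new `luks-passphrase` option takes the secret straight from the command line, so the passphrase is visible in the build host's process list and shell history for the whole run; an option naming a key file (both cryptsetup calls already accept `--key-file`) or reading the value from an environment variable would avoid that, and the help text should say so. The default `''` is not rejected anywhere on the page, so `--use-luks` without a passphrase proceeds to `mkluks` with an empty key file; a check at settings-validation time, e.g. `if self.settings['use-luks'] and not self.settings['luks-passphrase']: raise cliapp.AppException('--use-luks requires --luks-passphrase')`, would fail early. The enclosing settings setup continues outside the hunk.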
@@ -237,6 +239,10 @@ class VmDebootstrap(cliapp.Application): # pylint: disable=too-many-public-meth
distro.was_stable(datetime.date(2015, 4, 26)):
if self.settings['roottype'] in ['ext2', 'ext3', 'ext4']:
opt = "^metadata_csum"
+ if self.settings['use-luks']:
+ filesystem.devices['luksdev'] = rootdev
+ rootdev = filesystem.mkluks(rootdev, self.settings['luks-passphrase'])
+ filesystem.devices['rootdev'] = rootdev
filesystem.mkfs(rootdev, fstype=roottype, opt=opt)
rootdir = self.mount(rootdev)
filesystem.devices['rootdir'] = rootdir
@@ -282,7 +288,9 @@ class VmDebootstrap(cliapp.Application): # pylint: disable=too-many-public-meth
grub.install_extra_grub_uefi(rootdir)
uefi.configure_extra_efi(rootdir)
elif self.settings['grub']:
- if not grub.install_grub2(rootdev, rootdir):
+ filesystem = self.handlers[Filesystem.name]
+ dev = filesystem.devices['luksdev'] if self.settings['use-luks'] else rootdev
+ if not grub.install_grub2(dev, rootdir):
# FIXME: don't fall back.
extlinux.install_extlinux(rootdev, rootdir)
elif self.settings['extlinux']:
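Review bot: The grub call now receives the LUKS container (`luksdev`) when `use-luks` is on, but the fallback on the next line, `extlinux.install_extlinux(rootdev, rootdir)`, still receives `rootdev`, which at this point is the `/dev/mapper` device; if `install_extlinux` writes a boot sector to the device it is given, the fallback targets the wrong block device. `install_extlinux` is outside the page, so this is inferred; if the fallback is meant to stay, passing `dev` there too keeps the two paths consistent. The enclosing method starts and ends outside the hunk.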
@@ -314,6 +322,7 @@ class VmDebootstrap(cliapp.Application): # pylint: disable=too-many-public-meth
self.debootstrap(rootdir)
filesystem.set_hostname()
filesystem.create_fstab()
+ filesystem.create_crypttab()
self.install_debs(rootdir)
base.set_root_password(rootdir)
base.create_users(rootdir)
@@ -571,6 +580,8 @@ class VmDebootstrap(cliapp.Application): # pylint: disable=too-many-public-meth
# tidy up loop mounting issues on failure.
out = runcmd(['losetup', '-a'])
+ if self.settings['use-luks']:
+ filesystem.luksclose()
rootdev = filesystem.devices['rootdev']
if rootdev:
runcmd(['dmsetup', 'remove', rootdev], ignore_fail=True)
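Review bot: The cleanup calls `filesystem.luksclose()` without any failure tolerance, unlike the `dmsetup remove` two lines below which passes `ignore_fail=True`; when the build failed before `luksOpen` ran (or `rootdir` is still mounted on the mapping), `cryptsetup luksClose` fails and, if `runcmd` raises on failure, the rest of the loop-device cleanup is skipped. `luksclose` itself is defined in the filesystem.py hunk of this patch; changing it to `runcmd(['cryptsetup', 'luksClose', os.path.join("/dev/mapper", self.luks_root)], ignore_fail=True)` makes the cleanup best-effort like its neighbours. Whether the mapping is unmounted before this point cannot be seen on the page and is worth confirming. The enclosing cleanup method starts and ends outside the hunk.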
diff --git a/vmdebootstrap/filesystem.py b/vmdebootstrap/filesystem.py
index 5ca7e5a..3a1422b 100644
--- a/vmdebootstrap/filesystem.py
+++ b/vmdebootstrap/filesystem.py
@@ -48,7 +48,9 @@ class Filesystem(Base):
'boottype': None,
'roottype': None,
'swapdev': None,
+ 'lukdsdev': None,
}
+ self.luks_root = 'crypt_root'
def define_settings(self, settings):
self.settings = settings
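Review bot: The new dictionary key is misspelled: `'lukdsdev': None,` is initialised, but every reader in this patch uses `'luksdev'` (the assignments in the vmdebootstrap hunk, `dev = filesystem.devices['luksdev']`, and both lookups in `create_crypttab`), so `create_crypttab`, which is called unconditionally after `create_fstab`, raises `KeyError: 'luksdev'` on every build that does not use LUKS. The fix is the one-character change `'luksdev': None,`. `self.luks_root = 'crypt_root'` also deserves a comment, e.g. `# dm-crypt mapping name; the crypttab entry and /dev/mapper path are derived from it`. The enclosing `__init__` starts outside the hunk.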
@@ -140,6 +142,11 @@ class Filesystem(Base):
else:
runcmd(['mkfs', '-t', fstype, device])
+ def fsuuid(self, device):
+ out = runcmd(['blkid', '-c', '/dev/null', '-o', 'value',
+ '-s', 'UUID', device])
+ return out.splitlines()[0].strip()
+
def create_fstab(self):
rootdir = self.devices['rootdir']
rootdev = self.devices['rootdev']
@@ -147,18 +154,13 @@ class Filesystem(Base):
boottype = self.devices['boottype']
roottype = self.devices['roottype']
- def fsuuid(device):
- out = runcmd(['blkid', '-c', '/dev/null', '-o', 'value',
- '-s', 'UUID', device])
- return out.splitlines()[0].strip()
-
if rootdev:
- rootdevstr = 'UUID=%s' % fsuuid(rootdev)
+ rootdevstr = 'UUID=%s' % self.fsuuid(rootdev)
else:
rootdevstr = '/dev/sda1'
if bootdev and not self.settings['use-uefi']:
- bootdevstr = 'UUID=%s' % fsuuid(bootdev)
+ bootdevstr = 'UUID=%s' % self.fsuuid(bootdev)
else:
bootdevstr = None
@@ -178,6 +180,18 @@ class Filesystem(Base):
elif self.settings['swap'] > 0:
fstab.write("/dev/sda2 swap swap defaults 0 0\n")
+ def create_crypttab(self):
+ if not self.devices['luksdev']:
+ return
+
+ rootdir = self.devices['rootdir']
+ luksdev = self.devices['luksdev']
+ luksdevstr = 'UUID=%s' % self.fsuuid(luksdev)
+
+ crypttab = os.path.join(str(rootdir), 'etc', 'crypttab')
+ with open(crypttab, 'w') as crypttab:
+ crypttab.write('%s %s none luks,discard,initramfs\n' % (self.luks_root, luksdevstr))
+
@staticmethod
def get_mount_flags(fstype):
"""Return the fstab mount flags for a given file system type."""
@@ -315,3 +329,16 @@ class Filesystem(Base):
os.rename(self.settings['image'], tmpname)
runcmd(['qemu-img', 'convert', '-O', 'qcow2',
tmpname, self.settings['image']])
+
+ def mkluks(self, device, passphrase):
+ fn = "passphrase.txt"
+ with open(fn, "w") as f:
+ f.write(passphrase)
+ runcmd(['cryptsetup', 'luksFormat', device, fn])
+ runcmd(['cryptsetup', 'luksOpen', '--key-file', fn, device, self.luks_root])
+ os.unlink(fn)
+ return os.path.join("/dev/mapper", self.luks_root)
+
+ def luksclose(self):
+ runcmd(['cryptsetup', 'luksClose', os.path.join("/dev/mapper", self.luks_root)])
+
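Review bot: `mkluks` writes the passphrase to `passphrase.txt` in the current working directory with the process umask (typically world-readable) and only unlinks it on the success path, so a failing `cryptsetup` call leaves the secret behind in whatever directory the build was started from. Creating the key file with `tempfile.mkstemp` (mode 0600, in the temp directory) and removing it in a `finally` closes both gaps; `tempfile` would need to be imported at the top of filesystem.py, which is outside the hunk. `luksFormat` also asks for an overwrite confirmation when not run with `--batch-mode`; unless `runcmd` already answers it, the call blocks or fails in a non-interactive build, so the flag is worth adding. A docstring should state that the method returns the `/dev/mapper` path of the opened mapping rather than the formatted device.
```python
    def mkluks(self, device, passphrase):
        """Format *device* as LUKS, open it as self.luks_root and return the /dev/mapper path."""
        # mkstemp creates the key file 0600 in the temp dir rather than the CWD.
        fd, fn = tempfile.mkstemp(prefix="vmdebootstrap-luks-", text=True)
        try:
            with os.fdopen(fd, "w") as f:
                f.write(passphrase)
            # --batch-mode: do not wait for the interactive overwrite confirmation.
            runcmd(['cryptsetup', 'luksFormat', '--batch-mode', device, fn])
            runcmd(['cryptsetup', 'luksOpen', '--key-file', fn, device, self.luks_root])
        finally:
            os.unlink(fn)  # remove the key file even when cryptsetup fails
        return os.path.join("/dev/mapper", self.luks_root)
```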
Don-t-enforce-U-EFI-on-arm64.patch
Don-t-pass-any-filesystem-flags-for-f2fs.patch
doc-encoding.patch
Add-luks-support.patch