Commit 02ee5b08 authored by Guido Gunther's avatar Guido Gunther

Enable luks support

Using '-l' will encrypt the root partition with the given password
parent 24746256
......@@ -16,6 +16,7 @@ usage() {
# TODO: add stable and drop ci
echo " -T kernel/uboot build type (legacy/current/next/plain)"
echo " -B build rootfs tarball as well"
echo " -l <passphrase>: luks enrypt root volume with passphrase"
}
......@@ -161,6 +162,8 @@ kernel_deb=
# The URL to download the kernel deb from
kernel_url=${KERNEL_URL:-}
custom_package_opt=
use_luks=
luks_opts=
# Extra board specific packages to install
board_packages=
meta_yml=files/meta.yml
......@@ -168,8 +171,9 @@ fk_machine=
JENKINS_AUTH=()
# in Megabytes
image_size=4100
passphrase=""
while getopts ":hb:d:T:B" opt; do
while getopts ":hb:d:T:Bl:" opt; do
case ${opt} in
b)
pureos_board=$OPTARG
......@@ -183,6 +187,9 @@ while getopts ":hb:d:T:B" opt; do
B)
build_tarball=1
;;
l)
passphrase=$OPTARG
;;
\?)
echo "Invalid Option: -$OPTARG" 1>&2
usage "$0"
......@@ -248,6 +255,12 @@ fi
[ -z "${kernel_deb}" ] || echo "Using kernel ${kernel_deb}"
if [ -n "${passphrase}" ]; then
echo "Enabling encryption"
luks_opts=(--no-update-initramfs --use-luks "--luks-passphrase=${passphrase}")
use_luks=1
fi
# Preserve newlines as '|'
# shellcheck disable=SC2001
escaped_apt_sources=$(echo "${apt_sources}" | sed 's/$/|/g')
......@@ -268,6 +281,7 @@ sudo pureos_board="${pureos_board}" \
ci_pkgs="${ci_pkgs}" \
kernel_deb="${kernel_deb}" \
FK_MACHINE="${fk_machine}" \
use_luks="${use_luks}" \
vmdebootstrap \
--enable-dhcp \
--verbose --image "${mainimg}" --log "tmp/${mainimg}.log" --size "${image_size}M" \
......@@ -282,6 +296,7 @@ sudo pureos_board="${pureos_board}" \
--no-extlinux \
"${custom_package_opt[@]}" \
"${vmdebootstrap_opts[@]}" \
"${luks_opts[@]}" \
${NULL}
set +x
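Review bot: The `-l` passphrase is placed on the vmdebootstrap command line at `luks_opts=(--no-update-initramfs --use-luks "--luks-passphrase=${passphrase}")` and passed through `sudo` via `"${luks_opts[@]}"`, so it is readable by any local user through `ps`/`/proc/*/cmdline` for the duration of the build and, given the `set +x` right after the call, presumably also echoed into the shell trace and possibly into `tmp/${mainimg}.log` under `--verbose`; it additionally ends up in the invoking user's shell history. If vmdebootstrap can read the passphrase from a file or stdin, prefer that path; otherwise at least disable tracing around the call and state the exposure in `usage()`, e.g. `echo " -l <passphrase>: luks encrypt root volume with passphrase (visible in ps and shell history)"`, which also fixes the `enrypt` typo. The `use_luks` variable is exported to the customize script but `passphrase` is not, which is the right split; the command that consumes `luks_opts` continues outside the hunk.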
......
......@@ -20,6 +20,7 @@
: "${patched:-}"
: "${qemu:-}"
: "${uboot_type:-}"
: "${use_luks:-}"
# distro and basedir set by calling script
basedir="$1"
......@@ -28,6 +29,7 @@ target_qemu="${basedir}/${qemu}"
stamp="${basedir}/var/log/gitrev.log"
ci_repo="${distro}ci"
ci_component=main
luks_pkgs=(osk-sdl cryptsetup-initramfs)
for env_var in distro pureos_board packages; do
if [ -z "${!env_var}" ]; then
......@@ -54,6 +56,57 @@ function setup_qemu()
[ -f "${target_qemu}" ] || cp "${qemu}" "${target_qemu}"
}
CRYPTROOT="${basedir}/etc/initramfs-tools/hooks/99_cryptroot"
# crypsetup tries to be clever and resolves the root device's UUID to
# /dev/mapper/loop0p? so just copy an unmodified crypttab over. We drop
# it aferwards so no harm will be done.
function setup_cryptroot()
{
cat <<EOF > "${CRYPTROOT}"
#!/bin/sh
PREREQ=""
prereqs()
{
echo "\$PREREQ"
}
case "\$1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
rm -f "\${DESTDIR}/cryptroot/crypttab"
copy_file crypttab /etc/crypttab /cryptroot/crypttab
exit 0
EOF
chmod a+x "$CRYPTROOT"
chroot "${basedir}" apt install -y "${luks_pkgs[@]}"
# Hack up cryttab until askpass supports it
sed -i 's%discard%discard,keyscript=/usr/bin/osk-sdl-keyscript%' "${basedir}/etc/crypttab"
chroot "${basedir}" update-initramfs -u
}
function cleanup_cryptroot()
{
# Things will work as expected in the installed system
rm "${CRYPTROOT}"
if ! grep crypt_root "${basedir}"/etc/crypttab; then
echo "cryptroot not found"
cat "${basedir}"/etc/crypttab
exit 1
fi
}
function setup_kernel()
{
......@@ -364,6 +417,11 @@ setup_sshd
setup_logins
setup_plymouth
if [ -n "${use_luks}" ]; then
echo "Setting up rootfs on luks"
setup_cryptroot
fi
setup_kernel
case "${pureos_board}" in
# Non flash-kernel boards
......@@ -375,6 +433,8 @@ case "${pureos_board}" in
;;
esac
[ -z "${use_luks}" ] || cleanup_cryptroot
check_patched
create_report > "./tmp/${pureos_board}-report.log"
create_stamp
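Review bot: In setup_cryptroot the `sed -i 's%discard%discard,keyscript=/usr/bin/osk-sdl-keyscript%'` silently does nothing when the generated crypttab carries no `discard` option, and nothing checks that the keyscript was inserted before `update-initramfs -u` builds the initramfs, so the image could end up without the on-screen prompt; add `grep -q 'keyscript=' "${basedir}/etc/crypttab" || { echo "keyscript not added to crypttab" >&2; exit 1; }` after the sed. In cleanup_cryptroot `grep crypt_root "${basedir}"/etc/crypttab` is used as a test but prints the matched line to stdout; `grep -q` states the intent. The hook written by the heredoc does `rm -f "\${DESTDIR}/cryptroot/crypttab"` then `copy_file`, which presumably relies on running after the cryptsetup hook despite `PREREQ=""`; a comment stating that ordering assumption would help the next maintainer. The comments above setup_cryptroot also have typos (`crypsetup`, `aferwards`, `cryttab`).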
......