Commit
02ee5b08
authored
Nov 12, 2020
by
Guido Gunther
Enable luks support
Using '-l' will encrypt the root partition with the given password
parent
24746256
Changes
2
build-image
...
...
@@ -16,6 +16,7 @@ usage() {
# TODO: add stable and drop ci
echo
" -T kernel/uboot build type (legacy/current/next/plain)"
echo
" -B build rootfs tarball as well"
echo
" -l <passphrase>: luks enrypt root volume with passphrase"
}
...
...
@@ -161,6 +162,8 @@ kernel_deb=
# The URL to download the kernel deb from
kernel_url
=
${
KERNEL_URL
:-}
custom_package_opt
=
use_luks
=
luks_opts
=
# Extra board specific packages to install
board_packages
=
meta_yml
=
files/meta.yml
...
...
@@ -168,8 +171,9 @@ fk_machine=
JENKINS_AUTH
=()
# in Megabytes
image_size
=
4100
passphrase
=
""
while
getopts
":hb:d:T:B"
opt
;
do
while
getopts
":hb:d:T:B
l:
"
opt
;
do
case
${
opt
}
in
b
)
pureos_board
=
$OPTARG
...
...
@@ -183,6 +187,9 @@ while getopts ":hb:d:T:B" opt; do
B
)
build_tarball
=
1
;;
l
)
passphrase
=
$OPTARG
;;
\?
)
echo
"Invalid Option: -
$OPTARG
"
1>&2
usage
"
$0
"
...
...
@@ -248,6 +255,12 @@ fi
[
-z
"
${
kernel_deb
}
"
]
||
echo
"Using kernel
${
kernel_deb
}
"
if
[
-n
"
${
passphrase
}
"
]
;
then
echo
"Enabling encryption"
luks_opts
=(
--no-update-initramfs
--use-luks
"--luks-passphrase=
${
passphrase
}
"
)
use_luks
=
1
fi
# Preserve newlines as '|'
# shellcheck disable=SC2001
escaped_apt_sources
=
$(
echo
"
${
apt_sources
}
"
|
sed
's/$/|/g'
)
...
...
@@ -268,6 +281,7 @@ sudo pureos_board="${pureos_board}" \
ci_pkgs
=
"
${
ci_pkgs
}
"
\
kernel_deb
=
"
${
kernel_deb
}
"
\
FK_MACHINE
=
"
${
fk_machine
}
"
\
use_luks
=
"
${
use_luks
}
"
\
vmdebootstrap
\
--enable-dhcp
\
--verbose
--image
"
${
mainimg
}
"
--log
"tmp/
${
mainimg
}
.log"
--size
"
${
image_size
}
M"
\
...
...
@@ -282,6 +296,7 @@ sudo pureos_board="${pureos_board}" \
--no-extlinux
\
"
${
custom_package_opt
[@]
}
"
\
"
${
vmdebootstrap_opts
[@]
}
"
\
"
${
luks_opts
[@]
}
"
\
${
NULL
}
set
+x
...
...
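Review bot: The LUKS passphrase is exposed on the command line twice: in the new `l)` arm of the getopts loop and again in `luks_opts`, where it is passed to vmdebootstrap as `--luks-passphrase=${passphrase}`. Both argument lists are readable by other local users through the process table, and the first also lands in shell history or a CI job definition. The `set +x` at the end of the last hunk suggests xtrace is active around the vmdebootstrap call (the matching `set -x` is outside the hunk), in which case the passphrase is written to the build log as well. I would have `-l` take a file and read it with `l) passphrase=$(<"$OPTARG") ;;`, or prompt with `read -rs passphrase`, and switch tracing off before the sudo call. Whether vmdebootstrap can receive the passphrase other than on argv is not visible here, so the second exposure may need a change on that side.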
root.sh
...
...
@@ -20,6 +20,7 @@
:
"
${
patched
:-}
"
:
"
${
qemu
:-}
"
:
"
${
uboot_type
:-}
"
:
"
${
use_luks
:-}
"
# distro and basedir set by calling script
basedir
=
"
$1
"
...
...
@@ -28,6 +29,7 @@ target_qemu="${basedir}/${qemu}"
stamp
=
"
${
basedir
}
/var/log/gitrev.log"
ci_repo
=
"
${
distro
}
ci"
ci_component
=
main
luks_pkgs
=(
osk-sdl cryptsetup-initramfs
)
for
env_var
in
distro pureos_board packages
;
do
if
[
-z
"
${
!env_var
}
"
]
;
then
...
...
@@ -54,6 +56,57 @@ function setup_qemu()
[
-f
"
${
target_qemu
}
"
]
||
cp
"
${
qemu
}
"
"
${
target_qemu
}
"
}
CRYPTROOT
=
"
${
basedir
}
/etc/initramfs-tools/hooks/99_cryptroot"
# crypsetup tries to be clever and resolves the root device's UUID to
# /dev/mapper/loop0p? so just copy an unmodified crypttab over. We drop
# it aferwards so no harm will be done.
function
setup_cryptroot
()
{
cat
<<
EOF
> "
${
CRYPTROOT
}
"
#!/bin/sh
PREREQ=""
prereqs()
{
echo "
\$
PREREQ"
}
case "
\$
1" in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
rm -f "
\$
{DESTDIR}/cryptroot/crypttab"
copy_file crypttab /etc/crypttab /cryptroot/crypttab
exit 0
EOF
chmod
a+x
"
$CRYPTROOT
"
chroot
"
${
basedir
}
"
apt
install
-y
"
${
luks_pkgs
[@]
}
"
# Hack up cryttab until askpass supports it
sed
-i
's%discard%discard,keyscript=/usr/bin/osk-sdl-keyscript%'
"
${
basedir
}
/etc/crypttab"
chroot
"
${
basedir
}
"
update-initramfs
-u
}
function
cleanup_cryptroot
()
{
# Things will work as expected in the installed system
rm
"
${
CRYPTROOT
}
"
if
!
grep
crypt_root
"
${
basedir
}
"
/etc/crypttab
;
then
echo
"cryptroot not found"
cat
"
${
basedir
}
"
/etc/crypttab
exit
1
fi
}
function
setup_kernel
()
{
...
...
@@ -364,6 +417,11 @@ setup_sshd
setup_logins
setup_plymouth
if
[
-n
"
${
use_luks
}
"
]
;
then
echo
"Setting up rootfs on luks"
setup_cryptroot
fi
setup_kernel
case
"
${
pureos_board
}
"
in
# Non flash-kernel boards
...
...
@@ -375,6 +433,8 @@ case "${pureos_board}" in
;;
esac
[
-z
"
${
use_luks
}
"
]
||
cleanup_cryptroot
check_patched
create_report
>
"./tmp/
${
pureos_board
}
-report.log"
create_stamp
...
...
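Review bot: The `sed -i 's%discard%discard,keyscript=/usr/bin/osk-sdl-keyscript%'` edit in `setup_cryptroot` is never verified, so if the generated crypttab entry has no `discard` option the substitution is a silent no-op and the initramfs is built without the osk-sdl keyscript. `cleanup_cryptroot` only greps for `crypt_root`, which still passes in that case. I would add a check right after the sed and before `update-initramfs -u`, for example `grep -q 'keyscript=/usr/bin/osk-sdl-keyscript' "${basedir}/etc/crypttab" || { echo "keyscript not set in crypttab" 1>&2; exit 1; }`. The pattern also matches `discard` on any line, comments included, so restricting it to the `crypt_root` entry would be safer.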