Enable luks support

Using '-l' will encrypt the root partition with the given password

build-image

@@ -16,6 +16,7 @@ usage() {
   # TODO: add stable and drop ci
   echo "    -T kernel/uboot build type (legacy/current/next/plain)"
   echo "    -B build rootfs tarball as well"
+  echo "    -l <passphrase>: luks enrypt root volume with passphrase"
 }
 
 
@@ -161,6 +162,8 @@ kernel_deb=
 # The URL to download the kernel deb from
 kernel_url=${KERNEL_URL:-}
 custom_package_opt=
+use_luks=
+luks_opts=
 # Extra board specific packages to install
 board_packages=
 meta_yml=files/meta.yml
@@ -168,8 +171,9 @@ fk_machine=
 JENKINS_AUTH=()
 # in Megabytes
 image_size=4100
+passphrase=""
 
-while getopts ":hb:d:T:B" opt; do
+while getopts ":hb:d:T:Bl:" opt; do
   case ${opt} in
     b)
       pureos_board=$OPTARG
@@ -183,6 +187,9 @@ while getopts ":hb:d:T:B" opt; do
     B)
       build_tarball=1
       ;;
+    l)
+      passphrase=$OPTARG
+      ;;
     \?)
       echo "Invalid Option: -$OPTARG" 1>&2
       usage "$0"
@@ -248,6 +255,12 @@ fi
 
 [ -z "${kernel_deb}" ] || echo "Using kernel ${kernel_deb}"
 
+if [ -n "${passphrase}" ]; then
+    echo "Enabling encryption"
+    luks_opts=(--no-update-initramfs --use-luks "--luks-passphrase=${passphrase}")
+    use_luks=1
+fi
+
 # Preserve newlines as '|'
 # shellcheck disable=SC2001
 escaped_apt_sources=$(echo "${apt_sources}" | sed 's/$/|/g')
@@ -268,6 +281,7 @@ sudo pureos_board="${pureos_board}" \
      ci_pkgs="${ci_pkgs}" \
      kernel_deb="${kernel_deb}" \
      FK_MACHINE="${fk_machine}" \
+     use_luks="${use_luks}" \
     vmdebootstrap \
     --enable-dhcp \
     --verbose --image "${mainimg}" --log "tmp/${mainimg}.log" --size "${image_size}M"  \
@@ -282,6 +296,7 @@ sudo pureos_board="${pureos_board}" \
     --no-extlinux \
     "${custom_package_opt[@]}" \
     "${vmdebootstrap_opts[@]}" \
+    "${luks_opts[@]}" \
     ${NULL}
 set +x
 

root.sh

@@ -20,6 +20,7 @@
 : "${patched:-}"
 : "${qemu:-}"
 : "${uboot_type:-}"
+: "${use_luks:-}"
 
 # distro and basedir set by calling script
 basedir="$1"
@@ -28,6 +29,7 @@ target_qemu="${basedir}/${qemu}"
 stamp="${basedir}/var/log/gitrev.log"
 ci_repo="${distro}ci"
 ci_component=main
+luks_pkgs=(osk-sdl cryptsetup-initramfs)
 
 for env_var in distro pureos_board packages; do
     if [ -z "${!env_var}" ]; then
@@ -54,6 +56,57 @@ function setup_qemu()
     [ -f "${target_qemu}" ] || cp "${qemu}" "${target_qemu}"
 }
 
+CRYPTROOT="${basedir}/etc/initramfs-tools/hooks/99_cryptroot"
+
+# crypsetup tries to be clever and resolves the root device's UUID to
+# /dev/mapper/loop0p? so just copy an unmodified crypttab over. We drop
+# it aferwards so no harm will be done.
+function setup_cryptroot()
+{
+  cat <<EOF > "${CRYPTROOT}"
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "\$PREREQ"
+}
+
+case "\$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+rm -f "\${DESTDIR}/cryptroot/crypttab"
+copy_file crypttab /etc/crypttab /cryptroot/crypttab
+
+exit 0
+EOF
+  chmod a+x "$CRYPTROOT"
+
+  chroot "${basedir}" apt install -y "${luks_pkgs[@]}"
+
+  # Hack up cryttab until askpass supports it
+  sed -i 's%discard%discard,keyscript=/usr/bin/osk-sdl-keyscript%' "${basedir}/etc/crypttab"
+  chroot "${basedir}" update-initramfs -u
+}
+
+function cleanup_cryptroot()
+{
+  # Things will work as expected in the installed system
+  rm "${CRYPTROOT}"
+
+  if ! grep crypt_root "${basedir}"/etc/crypttab; then
+    echo "cryptroot not found"
+    cat "${basedir}"/etc/crypttab
+    exit 1
+  fi
+}
 
 function setup_kernel()
 {
@@ -364,6 +417,11 @@ setup_sshd
 setup_logins
 setup_plymouth
 
+if [ -n "${use_luks}" ]; then
+  echo "Setting up rootfs on luks"
+  setup_cryptroot
+fi
+
 setup_kernel
 case "${pureos_board}" in
     # Non flash-kernel boards
@@ -375,6 +433,8 @@ case "${pureos_board}" in
         ;;
 esac
 
+[ -z "${use_luks}" ] || cleanup_cryptroot
+
 check_patched
 create_report > "./tmp/${pureos_board}-report.log"
 create_stamp