From 5fe047ebc4de0666dfa83dc83ff4f6aec3ac23c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Thu, 12 Oct 2017 21:14:52 +0200
Subject: Add myinitramfs encryption use
---
sys-boot/myinitramfs/files/init | 99 ----------------------------
sys-boot/myinitramfs/files/init.enc | 99 +++++++++++++++++++++++++++++
sys-boot/myinitramfs/files/init.plain | 94 +++++++++++++++++++++++++++
sys-boot/myinitramfs/myinitramfs-1.1.ebuild | 40 ------------
sys-boot/myinitramfs/myinitramfs-1.2.ebuild | 44 +++++++++++++
5 files changed, 237 insertions(+), 139 deletions(-)
delete mode 100755 sys-boot/myinitramfs/files/init
create mode 100755 sys-boot/myinitramfs/files/init.enc
create mode 100755 sys-boot/myinitramfs/files/init.plain
delete mode 100644 sys-boot/myinitramfs/myinitramfs-1.1.ebuild
create mode 100644 sys-boot/myinitramfs/myinitramfs-1.2.ebuild
(limited to 'sys-boot')
diff --git a/sys-boot/myinitramfs/files/init b/sys-boot/myinitramfs/files/init
deleted file mode 100755
index 134d85c..0000000
--- a/sys-boot/myinitramfs/files/init
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/bin/busybox sh
-# vim:ft=sh
-
-# Init must have pid 1 otherwise switch_root won't work.
-if [ $$ -ne 1 ]; then
- echo "init must have pid 1!"
- exit 1
-fi
-
-# Predefice colors
-C_NO="\e[0m"
-C_GRAY="\e[1;30m"
-C_RED="\e[1;31m"
-C_GREEN="\e[1;32m"
-C_YELLOW="\e[1;33m"
-
-PATH="$PATH:/bin:/sbin"
-
-# disable kernel message from terminal and clear screen
-echo 0 > /proc/sys/kernel/printk
-clear
-
-# TODO print some welcome ascii art :-)
-
-# Function called if we fail. Argument is error message.
-fail() {
- echo -e "${C_RED}$@${C_NO}"
- echo -e "${C_YELLOW}Dropping to interactive shell${C_NO}"
- busybox --install -s
- while true; do
- echo -e "${C_GRAY}Mount root to /mnt/root and exit shell to switch root.${C_NO}"
- # Note: this is hack to enable job control
- setsid sh -c 'exec sh /dev/tty1 2>&1'
- echo
- exec switch_root /mnt/root /sbin/init || echo -e "${C_RED}Root switch failed!${C_NO}"
- done
-}
-
-# Preliminary mounts
-busybox mount -t proc none /proc || fail "/proc mount failed!"
-busybox mount -t sysfs none /sys || fail "/sys mount failed!"
-busybox mount -t devtmpfs none /dev || fail "/dev mount failed!"
-
-# Now open and mount root
-root=""
-rootflags=""
-recovery=false
-
-for opt in $(cat /proc/cmdline); do
- case "$opt" in
- root=*)
- root=${opt:5}
- ;;
- rootflags=*)
- rootflags=${opt:10}
- ;;
- recovery)
- recovery=true
- ;;
- BOOT_IMAGE=*|initrd=*)
- # Ignore those
- ;;
- *)
- echo -e "${C_YELLOW}Unknown kernel argument: $opt${C_NO}"
- ;;
- esac
-done
-
-$recovery && fail "Requested recovery."
-
-[ -z "$root" ] && fail "Missing root argument!"
-
-echo -ne "${C_GRAY}Waiting for root ($root)..."
-CNT=10
-while [ ! -e "$root" ] && [ $CNT -gt 0 ]; do
- CNT=$(expr $CNT - 1)
- sleep 1
- echo -n " $CNT"
-done
-echo -e "${C_NO}"
-[ -e "$root" ] || fail "Root not located!"
-
-# TODO mount boot parition and look for key saved there (on unlock remove it)
-
-echo -e "${C_GREEN}Unlocking root...${C_NO}"
-cryptsetup open "$root" encroot || fail "Unlocking root failed! /proc/cmdline=$(cat /proc/cmdline)"
-
-echo -e "${C_GREEN}Mounting root...${C_NO}"
-mount -t btrfs -o "$rootflags" /dev/mapper/encroot /mnt/root \
- || fail "Mounting root failed! /proc/cmdline=$(cat /proc/cmdline)"
-
-
-echo -e "${C_GREEN}Switching to real root${C_NO}"
-
-# First clean up. The init process will remount proc, sys and dev later on
-busybox umount /dev /sys /proc || fail "Unmouns failed!"
-
-# Now do switch
-exec switch_root /mnt/root /sbin/init || fail "Root switch failed!"
diff --git a/sys-boot/myinitramfs/files/init.enc b/sys-boot/myinitramfs/files/init.enc
new file mode 100755
index 0000000..134d85c
--- /dev/null
+++ b/sys-boot/myinitramfs/files/init.enc
@@ -0,0 +1,99 @@
+#!/bin/busybox sh
+# vim:ft=sh
+
+# Init must have pid 1 otherwise switch_root won't work.
+if [ $$ -ne 1 ]; then
+ echo "init must have pid 1!"
+ exit 1
+fi
+
+# Predefice colors
+C_NO="\e[0m"
+C_GRAY="\e[1;30m"
+C_RED="\e[1;31m"
+C_GREEN="\e[1;32m"
+C_YELLOW="\e[1;33m"
+
+PATH="$PATH:/bin:/sbin"
+
+# disable kernel message from terminal and clear screen
+echo 0 > /proc/sys/kernel/printk
+clear
+
+# TODO print some welcome ascii art :-)
+
+# Function called if we fail. Argument is error message.
+fail() {
+ echo -e "${C_RED}$@${C_NO}"
+ echo -e "${C_YELLOW}Dropping to interactive shell${C_NO}"
+ busybox --install -s
+ while true; do
+ echo -e "${C_GRAY}Mount root to /mnt/root and exit shell to switch root.${C_NO}"
+ # Note: this is hack to enable job control
+ setsid sh -c 'exec sh /dev/tty1 2>&1'
+ echo
+ exec switch_root /mnt/root /sbin/init || echo -e "${C_RED}Root switch failed!${C_NO}"
+ done
+}
+
+# Preliminary mounts
+busybox mount -t proc none /proc || fail "/proc mount failed!"
+busybox mount -t sysfs none /sys || fail "/sys mount failed!"
+busybox mount -t devtmpfs none /dev || fail "/dev mount failed!"
+
+# Now open and mount root
+root=""
+rootflags=""
+recovery=false
+
+for opt in $(cat /proc/cmdline); do
+ case "$opt" in
+ root=*)
+ root=${opt:5}
+ ;;
+ rootflags=*)
+ rootflags=${opt:10}
+ ;;
+ recovery)
+ recovery=true
+ ;;
+ BOOT_IMAGE=*|initrd=*)
+ # Ignore those
+ ;;
+ *)
+ echo -e "${C_YELLOW}Unknown kernel argument: $opt${C_NO}"
+ ;;
+ esac
+done
+
+$recovery && fail "Requested recovery."
+
+[ -z "$root" ] && fail "Missing root argument!"
+
+echo -ne "${C_GRAY}Waiting for root ($root)..."
+CNT=10
+while [ ! -e "$root" ] && [ $CNT -gt 0 ]; do
+ CNT=$(expr $CNT - 1)
+ sleep 1
+ echo -n " $CNT"
+done
+echo -e "${C_NO}"
+[ -e "$root" ] || fail "Root not located!"
+
+# TODO mount boot parition and look for key saved there (on unlock remove it)
+
+echo -e "${C_GREEN}Unlocking root...${C_NO}"
+cryptsetup open "$root" encroot || fail "Unlocking root failed! /proc/cmdline=$(cat /proc/cmdline)"
+
+echo -e "${C_GREEN}Mounting root...${C_NO}"
+mount -t btrfs -o "$rootflags" /dev/mapper/encroot /mnt/root \
+ || fail "Mounting root failed! /proc/cmdline=$(cat /proc/cmdline)"
+
+
+echo -e "${C_GREEN}Switching to real root${C_NO}"
+
+# First clean up. The init process will remount proc, sys and dev later on
+busybox umount /dev /sys /proc || fail "Unmouns failed!"
+
+# Now do switch
+exec switch_root /mnt/root /sbin/init || fail "Root switch failed!"
diff --git a/sys-boot/myinitramfs/files/init.plain b/sys-boot/myinitramfs/files/init.plain
new file mode 100755
index 0000000..08a47b8
--- /dev/null
+++ b/sys-boot/myinitramfs/files/init.plain
@@ -0,0 +1,94 @@
+#!/bin/busybox sh
+# vim:ft=sh
+
+# Init must have pid 1 otherwise switch_root won't work.
+if [ $$ -ne 1 ]; then
+ echo "init must have pid 1!"
+ exit 1
+fi
+
+# Predefice colors
+C_NO="\e[0m"
+C_GRAY="\e[1;30m"
+C_RED="\e[1;31m"
+C_GREEN="\e[1;32m"
+C_YELLOW="\e[1;33m"
+
+PATH="$PATH:/bin:/sbin"
+
+# disable kernel message from terminal and clear screen
+echo 0 > /proc/sys/kernel/printk
+clear
+
+# TODO print some welcome ascii art :-)
+
+# Function called if we fail. Argument is error message.
+fail() {
+ echo -e "${C_RED}$@${C_NO}"
+ echo -e "${C_YELLOW}Dropping to interactive shell${C_NO}"
+ busybox --install -s
+ while true; do
+ echo -e "${C_GRAY}Mount root to /mnt/root and exit shell to switch root.${C_NO}"
+ # Note: this is hack to enable job control
+ setsid sh -c 'exec sh /dev/tty1 2>&1'
+ echo
+ exec switch_root /mnt/root /sbin/init || echo -e "${C_RED}Root switch failed!${C_NO}"
+ done
+}
+
+# Preliminary mounts
+busybox mount -t proc none /proc || fail "/proc mount failed!"
+busybox mount -t sysfs none /sys || fail "/sys mount failed!"
+busybox mount -t devtmpfs none /dev || fail "/dev mount failed!"
+
+# Now open and mount root
+root=""
+rootflags=""
+recovery=false
+
+for opt in $(cat /proc/cmdline); do
+ case "$opt" in
+ root=*)
+ root=${opt:5}
+ ;;
+ rootflags=*)
+ rootflags=${opt:10}
+ ;;
+ recovery)
+ recovery=true
+ ;;
+ BOOT_IMAGE=*|initrd=*)
+ # Ignore those
+ ;;
+ *)
+ echo -e "${C_YELLOW}Unknown kernel argument: $opt${C_NO}"
+ ;;
+ esac
+done
+
+$recovery && fail "Requested recovery."
+
+[ -z "$root" ] && fail "Missing root argument!"
+
+echo -ne "${C_GRAY}Waiting for root ($root)..."
+CNT=10
+while [ ! -e "$root" ] && [ $CNT -gt 0 ]; do
+ CNT=$(expr $CNT - 1)
+ sleep 1
+ echo -n " $CNT"
+done
+echo -e "${C_NO}"
+[ -e "$root" ] || fail "Root not located!"
+
+echo -e "${C_GREEN}Mounting root...${C_NO}"
+mount -t btrfs -o "$rootflags" "$root" /mnt/root \
+ || fail "Mounting root failed! 
/proc/cmdline=$(cat /proc/cmdline)"
+
+
+echo -e "${C_GREEN}Switching to real root${C_NO}"
+
+# First clean up. The init process will remount proc, sys and dev later on
+busybox umount /dev /sys /proc || fail "Unmouns failed!"
+
+# Now do switch
+exec switch_root /mnt/root /sbin/init || fail "Root switch failed!"
diff --git a/sys-boot/myinitramfs/myinitramfs-1.1.ebuild b/sys-boot/myinitramfs/myinitramfs-1.1.ebuild
deleted file mode 100644
index 9e8e999..0000000
--- a/sys-boot/myinitramfs/myinitramfs-1.1.ebuild
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# TODO support encrytion and btrfs only as option
-
-EAPI=6
-
-DESCRIPTION="My personal initramfs (verry simple with encryption support)"
-HOMEPAGE=""
-SRC_URI=""
-
-LICENSE="GPLv2"
-SLOT="0"
-KEYWORDS="amd64 x86"
-IUSE=""
-
-DEPEND="sys-fs/cryptsetup
-sys-fs/btrfs-progs
-sys-apps/linux-misc-apps
-sys-apps/busybox[static]"
-RDEPEND="${DEPENDS}"
-
-src_unpack() {
- # Well we have no sources so just create empty directory
- mkdir -p "${S}"
-}
-
-src_compile() {
- # TODO generate list dynamically
- cp "${FILESDIR}"/list list
- echo "file /init ${FILESDIR}/init 755 0 0" >> list
- gen_init_cpio list > initramfs.cpio
- gzip initramfs.cpio
-}
-
-src_install() {
- dodir /boot
- insinto /boot
- newins initramfs.cpio.gz initramfs-gentoo
-}
diff --git a/sys-boot/myinitramfs/myinitramfs-1.2.ebuild b/sys-boot/myinitramfs/myinitramfs-1.2.ebuild
new file mode 100644
index 0000000..8d1ed52
--- /dev/null
+++ b/sys-boot/myinitramfs/myinitramfs-1.2.ebuild
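Review bot: `fail()` and the `recovery` kernel argument drop into an unauthenticated shell on tty1 (the `setsid sh -c 'exec sh /dev/tty1 2>&1'` line inside the loop), and in this plain-root variant that shell sits next to an unencrypted root device rather than only the initramfs, so the file should state that it relies on the kernel command line being protected by the bootloader. A header comment along the lines of `# NOTE: any failure, and the 'recovery' argument, drop to a root shell with no authentication; lock down the bootloader (kernel command line) accordingly.` would make that trade-off visible to whoever deploys this image. The fallback on the last line, `exec switch_root /mnt/root /sbin/init || fail "Root switch failed!"`, is unreachable: once `exec` has replaced the shell nothing is left to run `fail`, and if the exec itself fails a non-interactive shell exits, which as pid 1 ends in a kernel panic instead of the intended rescue shell. A check before the exec, `[ -x /mnt/root/sbin/init ] || fail "No init found on root!"`, catches the common case (wrong or unmounted root) while `fail` can still do its job. Both points apply equally to the identical lines in init.enc in the preceding hunk.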
@@ -0,0 +1,44 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# TODO support encrytion and btrfs only as option
+
+EAPI=6
+
+DESCRIPTION="My personal initramfs (verry simple with encryption support)"
+HOMEPAGE=""
+SRC_URI=""
+
+LICENSE="GPLv2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="+encrypted"
+
+DEPEND="sys-fs/cryptsetup
+sys-fs/btrfs-progs
+sys-apps/linux-misc-apps
+sys-apps/busybox[static]"
+RDEPEND="${DEPENDS}"
+
+src_unpack() {
+ # Well we have no sources so just create empty directory
+ mkdir -p "${S}"
+}
+
+src_compile() {
+ # TODO generate list dynamically
+ cp "${FILESDIR}"/list list
+ if use encrypted; then
+ echo "file /init ${FILESDIR}/init.enc 755 0 0" >> list
+ else
+ echo "file /init ${FILESDIR}/init.plain 755 0 0" >> list
+ fi
+ gen_init_cpio list > initramfs.cpio
+ gzip initramfs.cpio
+}
+
+src_install() {
+ dodir /boot
+ insinto /boot
+ newins initramfs.cpio.gz initramfs-gentoo
+}
-- cgit v1.2.3
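Review bot: `RDEPEND="${DEPENDS}"` expands a variable that is never set (the list above is named `DEPEND`), so the runtime dependencies come out empty; it should read `RDEPEND="${DEPEND}"`. None of the commands in `src_compile` is followed by `|| die`, and under EAPI 6 plain commands in phase functions do not abort the build, so a failing `cp`, `gen_init_cpio` or `gzip` still lets `src_install` place a truncated or empty `initramfs-gentoo` into /boot. With `encrypted` now a USE flag, `sys-fs/cryptsetup` could become `encrypted? ( sys-fs/cryptsetup )`, but only once `${FILESDIR}/list` (not part of this commit) stops pulling cryptsetup binaries into the plain build; until that is confirmed the unconditional dependency is the safe choice. The `# TODO support encrytion and btrfs only as option` header is now half done and could be reduced to the btrfs part. Rewritten `src_compile` with the die checks:
```shell
src_compile() {
	# TODO generate list dynamically
	cp "${FILESDIR}"/list list || die "copying the cpio file list failed"
	if use encrypted; then
		echo "file /init ${FILESDIR}/init.enc 755 0 0" >> list || die
	else
		echo "file /init ${FILESDIR}/init.plain 755 0 0" >> list || die
	fi
	gen_init_cpio list > initramfs.cpio || die "gen_init_cpio failed"
	gzip initramfs.cpio || die "gzip failed"
}
```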