diff --git a/Makefile b/Makefile
index 22034aff..45fdc499 100644
--- a/Makefile
+++ b/Makefile
@@ -80,8 +80,8 @@ initrd_bins += initrd/bin/$(notdir $1)
 endef
 $(foreach _, $(call outputs,kexec), $(eval $(call initrd_bin,$_)))
-$(foreach _, $(call outputs,tpmtotp), $(eval $(call initrd_bin,$_)))
-$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
+#$(foreach _, $(call outputs,tpmtotp), $(eval $(call initrd_bin,$_)))
+#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
 # hack to install busybox into the initrd
 initrd_bins += initrd/bin/busybox
@@ -101,10 +101,21 @@ initrd/bin/cbmem: $(build)/$(coreboot_dir)/util/cbmem/cbmem
 $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
 make -C "$(dir $@)"
+# Mounting dm-verity file systems requires dm-verity to be installed
+# We use gpgv to verify the signature on the root hash.
+# Both of these should be brought in as modules instead of from /sbin
+initrd_bins += initrd/bin/dmsetup
+initrd/bin/dmsetup: /sbin/dmsetup
+ cp "$<" "$@"
+initrd_bins += initrd/bin/gpgv
+initrd/bin/gpgv: /usr/bin/gpgv
+ cp "$<" "$@"
 # Update all of the libraries in the initrd based on the executables
 # that were installed.
 initrd_libs: $(initrd_bins)
+ -find initrd/bin -type f -print0 \
+ | xargs -0 strip
 ./populate-lib \
 ./initrd/lib/x86_64-linux-gnu/ \
 initrd/bin/* \
@@ -122,6 +133,8 @@ initrd_libs: $(initrd_bins)
 #
 # If there is in /dev/console, initrd can't startup.
 # We have to force it to be included into the cpio image.
+# Since we are picking up the system's /dev/console, the
+# timestamp will not be reproducible.
 # # initrd.cpio: $(initrd_bins) initrd_libs
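Review bot: The tpmtotp and xen `initrd_bin` lines are commented out rather than deleted, and nothing in the hunk says why they leave the initrd or whether this is temporary, so a later reader cannot tell whether whatever tpmtotp provided to the boot flow was deliberately dropped or merely parked to get this build going. Commented-out rules go stale silently; either remove the two lines or put the reason above them, e.g. `# tpmtotp and xen are not installed into the initrd yet: <reason>; re-enable once <condition>`.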
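Review bot: `initrd/bin/dmsetup: /sbin/dmsetup` and `initrd/bin/gpgv: /usr/bin/gpgv` copy whatever binaries the build host has into the initrd, so the gpgv that mount-boot later relies on is whichever version the host's package manager installed rather than something pinned and built from this tree, and the initrd image will differ from host to host. The comment already says these should become modules; make that a TODO the next person can act on, e.g. `# TODO: build dmsetup and gpgv as pinned modules; host copies make the initrd non-reproducible and trust the host's binaries`. The new `-find initrd/bin -type f -print0 | xargs -0 strip` line silences every failure via the leading `-`, which also hides a strip that ran with the wrong toolchain; a comment on which errors are expected (presumably non-ELF files such as scripts under initrd/bin) would help, e.g. `# strip fails on non-ELF files in initrd/bin; those errors are expected`. The initrd_libs recipe continues past the end of the hunk.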
@@ -154,3 +167,9 @@ $(build)/$(coreboot_dir)/bzImage: $(call outputs,linux)
 cp -a "$^" "$@"
 $(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
+
+# The CoreBoot gcc won't work for us since it doesn't have libc
+#XGCC := $(build)/$(coreboot_dir)/util/crossgcc/xgcc/
+#export CC := $(XGCC)/bin/x86_64-elf-gcc
+#export LDFLAGS := -L/lib/x86_64-linux-gnu
+
diff --git a/initrd/mount-boot b/initrd/mount-boot
new file mode 100755
index 00000000..5f2d3515
--- /dev/null
+++ b/initrd/mount-boot
@@ -0,0 +1,71 @@
+#!/bin/sh
+# Extract the GPG signed dmsetup configuration from
+# the header of the file system, validate it against
+# the trusted key database, and execute it to mount
+# the /boot filesystem
+
+dev="$1"
+offset="$2"
+
+cmd=/tmp/mount-boot
+cmd_sig="$cmd.asc"
+
+if [ -z "$dev" ]; then
+ dev=/dev/sda
+fi
+
+if [ -z "$offset" ]; then
+ offset=256
+fi
+
+#
+# Find the size of the device
+# Is there a better way?
+#
+dev_size_file="/sys/class/block/`basename $dev`/size"
+if [ ! -r "$dev_size_file" ]; then
+ echo >&2 '!!!!!'
+ echo >&2 '!!!!! $dev file $dev_size_file not found'
+ echo >&2 '!!!!! Dropping to recovery shell'
+ echo >&2 '!!!!!'
+ exit -1
+fi
+
+dev_blocks=`cat "$dev_size_file"`
+
+#
+# Extract the signed file from the hard disk image
+#
+if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`"; then
+ echo >&2 '!!!!!'
+ echo >&2 '!!!!! Boot block extraction failed'
+ echo >&2 '!!!!! Dropping to recovery shell'
+ echo >&2 '!!!!!'
+ exit -1
+fi
+
+#
+# Validate the file
+#
+if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then
+ echo >&2 '!!!!!'
+ echo >&2 '!!!!! GPG signature on block failed'
+ echo >&2 '!!!!! Dropping to recovery shell'
+ echo >&2 '!!!!!'
+ exit -1
+fi
+
+#
+# Strip the PGP signature off the file
+# (too bad gpgv doesn't do this)
+#
+awk < "$cmd_sig" > "$cmd" '
+ /BEGIN PGP SIGNATURE/ { exit };
+ do_print {print};
+ /^$/ { do_print=1 };
+'
+
+#
+# And execute it!
+#
+sh -x "$cmd"
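Review bot: The three commented-out `XGCC`/`CC`/`LDFLAGS` lines are dead code; the comment above them already records why the coreboot cross compiler cannot be used, so the lines add nothing and will go stale silently as paths change. Either delete them or keep only an actionable note, e.g. `# TODO: cross-compile the initrd tools once a libc is available for coreboot's xgcc (util/crossgcc/xgcc)`.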
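Review bot: The awk loop that writes `$cmd` is not bound to what gpgv verified: it prints everything after the first blank line up to `BEGIN PGP SIGNATURE`, so unsigned text placed on that last sector ahead of the clearsigned block (a blank line followed by commands) ends up in `$cmd` and is run by `sh -x`, and as far as I recall gpgv verifies only the armored block and does not reject text around it. If the gpgv copied into the initrd supports `--output`, let it emit the verified payload and drop the awk step, `if ! gpgv --keyring /trustedkeys.gpg --output "$cmd" "$cmd_sig"; then`; otherwise at least refuse the sector unless its first line is `-----BEGIN PGP SIGNED MESSAGE-----`, and keep in mind that clearsign dash-escapes lines starting with `-`, which the awk does not undo. Smaller issues: `offset` is read from `$2` and defaulted to 256 but never used; the not-found message is single-quoted so `$dev` and `$dev_size_file` print literally; and `exit -1` is not accepted by every sh (use `exit 1`). `/trustedkeys.gpg` is the sole trust anchor for what this script executes and nothing in this change records which key it holds; a comment here naming the expected fingerprint would let reviewers audit the binary keyring.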
diff --git a/initrd/trustedkeys.gpg b/initrd/trustedkeys.gpg
new file mode 100644
index 00000000..3381d1de
Binary files /dev/null and b/initrd/trustedkeys.gpg differ