Add external/usb disk encryption (adds exfatprogs and e2fsprogs)

prepare_thumb_drive: defaults to creating a 10% LUKS container on the USB drive, prompts for a passphrase if none is provided, and scans drives if no --device is specified

NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
This commit is contained in:
Thierry Laurion 2023-07-19 18:48:03 -04:00
parent d853f62445
commit f6eed42208
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
13 changed files with 638 additions and 120 deletions


@ -525,6 +525,8 @@ bin_modules-$(CONFIG_IO386) += io386
bin_modules-$(CONFIG_IOPORT) += ioport bin_modules-$(CONFIG_IOPORT) += ioport
bin_modules-$(CONFIG_KBD) += kbd bin_modules-$(CONFIG_KBD) += kbd
bin_modules-$(CONFIG_ZSTD) += zstd bin_modules-$(CONFIG_ZSTD) += zstd
bin_modules-$(CONFIG_E2FSPROGS) += e2fsprogs
bin_modules-$(CONFIG_EXFATPROGS) += exfatprogs
$(foreach m, $(bin_modules-y), \ $(foreach m, $(bin_modules-y), \
$(call map,initrd_bin_add,$(call bins,$m)) \ $(call map,initrd_bin_add,$(call bins,$m)) \


@ -1,7 +1,7 @@
# #
# Automatically generated make config: don't edit # Automatically generated make config: don't edit
# Busybox version: 1.33.2 # Busybox version: 1.36.1
# Mon Jul 3 16:24:44 2023 # Fri Jul 21 14:38:54 2023
# #
CONFIG_HAVE_DOT_CONFIG=y CONFIG_HAVE_DOT_CONFIG=y
@ -93,10 +93,16 @@ CONFIG_FEATURE_BUFFERS_USE_MALLOC=y
# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set # CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
CONFIG_PASSWORD_MINLEN=6 CONFIG_PASSWORD_MINLEN=6
CONFIG_MD5_SMALL=1 CONFIG_MD5_SMALL=1
CONFIG_SHA1_SMALL=3
CONFIG_SHA1_HWACCEL=y
CONFIG_SHA256_HWACCEL=y
CONFIG_SHA3_SMALL=1 CONFIG_SHA3_SMALL=1
# CONFIG_FEATURE_FAST_TOP is not set CONFIG_FEATURE_NON_POSIX_CP=y
# CONFIG_FEATURE_ETC_NETWORKS is not set # CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set
# CONFIG_FEATURE_ETC_SERVICES is not set CONFIG_FEATURE_USE_SENDFILE=y
CONFIG_FEATURE_COPYBUF_KB=4
CONFIG_MONOTONIC_SYSCALL=y
CONFIG_IOCTL_HEX2STR_ERROR=y
CONFIG_FEATURE_EDITING=y CONFIG_FEATURE_EDITING=y
CONFIG_FEATURE_EDITING_MAX_LEN=1024 CONFIG_FEATURE_EDITING_MAX_LEN=1024
# CONFIG_FEATURE_EDITING_VI is not set # CONFIG_FEATURE_EDITING_VI is not set
@ -120,14 +126,9 @@ CONFIG_LAST_SUPPORTED_WCHAR=767
# CONFIG_UNICODE_BIDI_SUPPORT is not set # CONFIG_UNICODE_BIDI_SUPPORT is not set
# CONFIG_UNICODE_NEUTRAL_TABLE is not set # CONFIG_UNICODE_NEUTRAL_TABLE is not set
# CONFIG_UNICODE_PRESERVE_BROKEN is not set # CONFIG_UNICODE_PRESERVE_BROKEN is not set
CONFIG_FEATURE_NON_POSIX_CP=y # CONFIG_LOOP_CONFIGURE is not set
# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set # CONFIG_NO_LOOP_CONFIGURE is not set
CONFIG_FEATURE_USE_SENDFILE=y CONFIG_TRY_LOOP_CONFIGURE=y
CONFIG_FEATURE_COPYBUF_KB=4
CONFIG_FEATURE_SKIP_ROOTFS=y
CONFIG_MONOTONIC_SYSCALL=y
CONFIG_IOCTL_HEX2STR_ERROR=y
CONFIG_FEATURE_HWIB=y
# #
# Applets # Applets
@ -162,6 +163,8 @@ CONFIG_FEATURE_BZIP2_DECOMPRESS=y
CONFIG_CPIO=y CONFIG_CPIO=y
CONFIG_FEATURE_CPIO_O=y CONFIG_FEATURE_CPIO_O=y
CONFIG_FEATURE_CPIO_P=y CONFIG_FEATURE_CPIO_P=y
CONFIG_FEATURE_CPIO_IGNORE_DEVNO=y
CONFIG_FEATURE_CPIO_RENUMBER_INODES=y
# CONFIG_DPKG is not set # CONFIG_DPKG is not set
# CONFIG_DPKG_DEB is not set # CONFIG_DPKG_DEB is not set
CONFIG_GZIP=y CONFIG_GZIP=y
@ -197,6 +200,22 @@ CONFIG_FEATURE_LZMA_FAST=y
# #
# Coreutils # Coreutils
# #
CONFIG_FEATURE_VERBOSE=y
#
# Common options for date and touch
#
# CONFIG_FEATURE_TIMEZONE is not set
#
# Common options for cp and mv
#
CONFIG_FEATURE_PRESERVE_HARDLINKS=y
#
# Common options for df, du, ls
#
CONFIG_FEATURE_HUMAN_READABLE=y
CONFIG_BASENAME=y CONFIG_BASENAME=y
CONFIG_CAT=y CONFIG_CAT=y
CONFIG_FEATURE_CATN=y CONFIG_FEATURE_CATN=y
@ -207,11 +226,13 @@ CONFIG_CHMOD=y
# CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set # CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set
CONFIG_CHROOT=y CONFIG_CHROOT=y
# CONFIG_CKSUM is not set # CONFIG_CKSUM is not set
CONFIG_CRC32=y
# CONFIG_COMM is not set # CONFIG_COMM is not set
CONFIG_CP=y CONFIG_CP=y
CONFIG_FEATURE_CP_LONG_OPTIONS=y CONFIG_FEATURE_CP_LONG_OPTIONS=y
CONFIG_FEATURE_CP_REFLINK=y CONFIG_FEATURE_CP_REFLINK=y
CONFIG_CUT=y CONFIG_CUT=y
CONFIG_FEATURE_CUT_REGEX=y
CONFIG_DATE=y CONFIG_DATE=y
CONFIG_FEATURE_DATE_ISOFMT=y CONFIG_FEATURE_DATE_ISOFMT=y
# CONFIG_FEATURE_DATE_NANO is not set # CONFIG_FEATURE_DATE_NANO is not set
@ -223,6 +244,7 @@ CONFIG_FEATURE_DD_IBS_OBS=y
CONFIG_FEATURE_DD_STATUS=y CONFIG_FEATURE_DD_STATUS=y
CONFIG_DF=y CONFIG_DF=y
CONFIG_FEATURE_DF_FANCY=y CONFIG_FEATURE_DF_FANCY=y
CONFIG_FEATURE_SKIP_ROOTFS=y
CONFIG_DIRNAME=y CONFIG_DIRNAME=y
# CONFIG_DOS2UNIX is not set # CONFIG_DOS2UNIX is not set
# CONFIG_UNIX2DOS is not set # CONFIG_UNIX2DOS is not set
@ -316,13 +338,13 @@ CONFIG_TEST2=y
CONFIG_FEATURE_TEST_64=y CONFIG_FEATURE_TEST_64=y
# CONFIG_TIMEOUT is not set # CONFIG_TIMEOUT is not set
CONFIG_TOUCH=y CONFIG_TOUCH=y
CONFIG_FEATURE_TOUCH_NODEREF=y
CONFIG_FEATURE_TOUCH_SUSV3=y CONFIG_FEATURE_TOUCH_SUSV3=y
CONFIG_TR=y CONFIG_TR=y
CONFIG_FEATURE_TR_CLASSES=y CONFIG_FEATURE_TR_CLASSES=y
CONFIG_FEATURE_TR_EQUIV=y CONFIG_FEATURE_TR_EQUIV=y
CONFIG_TRUE=y CONFIG_TRUE=y
CONFIG_TRUNCATE=y CONFIG_TRUNCATE=y
CONFIG_TSORT=y
CONFIG_TTY=y CONFIG_TTY=y
CONFIG_UNAME=y CONFIG_UNAME=y
CONFIG_UNAME_OSNAME="GNU/Linux" CONFIG_UNAME_OSNAME="GNU/Linux"
@ -342,21 +364,6 @@ CONFIG_FEATURE_WC_LARGE=y
# CONFIG_WHOAMI is not set # CONFIG_WHOAMI is not set
# CONFIG_YES is not set # CONFIG_YES is not set
#
# Common options
#
CONFIG_FEATURE_VERBOSE=y
#
# Common options for cp and mv
#
CONFIG_FEATURE_PRESERVE_HARDLINKS=y
#
# Common options for df, du, ls
#
CONFIG_FEATURE_HUMAN_READABLE=y
# #
# Console Utilities # Console Utilities
# #
@ -420,6 +427,7 @@ CONFIG_VI=y
CONFIG_FEATURE_VI_MAX_LEN=4096 CONFIG_FEATURE_VI_MAX_LEN=4096
# CONFIG_FEATURE_VI_8BIT is not set # CONFIG_FEATURE_VI_8BIT is not set
CONFIG_FEATURE_VI_COLON=y CONFIG_FEATURE_VI_COLON=y
CONFIG_FEATURE_VI_COLON_EXPAND=y
CONFIG_FEATURE_VI_YANKMARK=y CONFIG_FEATURE_VI_YANKMARK=y
CONFIG_FEATURE_VI_SEARCH=y CONFIG_FEATURE_VI_SEARCH=y
# CONFIG_FEATURE_VI_REGEX_SEARCH is not set # CONFIG_FEATURE_VI_REGEX_SEARCH is not set
@ -433,6 +441,7 @@ CONFIG_FEATURE_VI_ASK_TERMINAL=y
CONFIG_FEATURE_VI_UNDO=y CONFIG_FEATURE_VI_UNDO=y
CONFIG_FEATURE_VI_UNDO_QUEUE=y CONFIG_FEATURE_VI_UNDO_QUEUE=y
CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256 CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256
CONFIG_FEATURE_VI_VERBOSE_STATUS=y
CONFIG_FEATURE_ALLOW_EXEC=y CONFIG_FEATURE_ALLOW_EXEC=y
# #
@ -441,7 +450,11 @@ CONFIG_FEATURE_ALLOW_EXEC=y
CONFIG_FIND=y CONFIG_FIND=y
CONFIG_FEATURE_FIND_PRINT0=y CONFIG_FEATURE_FIND_PRINT0=y
CONFIG_FEATURE_FIND_MTIME=y CONFIG_FEATURE_FIND_MTIME=y
CONFIG_FEATURE_FIND_ATIME=y
CONFIG_FEATURE_FIND_CTIME=y
CONFIG_FEATURE_FIND_MMIN=y CONFIG_FEATURE_FIND_MMIN=y
CONFIG_FEATURE_FIND_AMIN=y
CONFIG_FEATURE_FIND_CMIN=y
CONFIG_FEATURE_FIND_PERM=y CONFIG_FEATURE_FIND_PERM=y
CONFIG_FEATURE_FIND_TYPE=y CONFIG_FEATURE_FIND_TYPE=y
CONFIG_FEATURE_FIND_EXECUTABLE=y CONFIG_FEATURE_FIND_EXECUTABLE=y
@ -449,6 +462,7 @@ CONFIG_FEATURE_FIND_XDEV=y
CONFIG_FEATURE_FIND_MAXDEPTH=y CONFIG_FEATURE_FIND_MAXDEPTH=y
CONFIG_FEATURE_FIND_NEWER=y CONFIG_FEATURE_FIND_NEWER=y
CONFIG_FEATURE_FIND_INUM=y CONFIG_FEATURE_FIND_INUM=y
CONFIG_FEATURE_FIND_SAMEFILE=y
CONFIG_FEATURE_FIND_EXEC=y CONFIG_FEATURE_FIND_EXEC=y
CONFIG_FEATURE_FIND_EXEC_PLUS=y CONFIG_FEATURE_FIND_EXEC_PLUS=y
CONFIG_FEATURE_FIND_USER=y CONFIG_FEATURE_FIND_USER=y
@ -641,7 +655,7 @@ CONFIG_LSUSB=y
# CONFIG_FEATURE_MDEV_DAEMON is not set # CONFIG_FEATURE_MDEV_DAEMON is not set
# CONFIG_MESG is not set # CONFIG_MESG is not set
# CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP is not set # CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP is not set
CONFIG_MKE2FS=y # CONFIG_MKE2FS is not set
# CONFIG_MKFS_EXT2 is not set # CONFIG_MKFS_EXT2 is not set
# CONFIG_MKFS_MINIX is not set # CONFIG_MKFS_MINIX is not set
# CONFIG_FEATURE_MINIX2 is not set # CONFIG_FEATURE_MINIX2 is not set
@ -739,6 +753,7 @@ CONFIG_FEATURE_VOLUMEID_XFS=y
# Miscellaneous Utilities # Miscellaneous Utilities
# #
# CONFIG_ADJTIMEX is not set # CONFIG_ADJTIMEX is not set
CONFIG_ASCII=y
# CONFIG_BBCONFIG is not set # CONFIG_BBCONFIG is not set
# CONFIG_FEATURE_COMPRESS_BBCONFIG is not set # CONFIG_FEATURE_COMPRESS_BBCONFIG is not set
# CONFIG_BC is not set # CONFIG_BC is not set
@ -819,10 +834,12 @@ CONFIG_PARTPROBE=y
# CONFIG_RFKILL is not set # CONFIG_RFKILL is not set
# CONFIG_RUNLEVEL is not set # CONFIG_RUNLEVEL is not set
# CONFIG_RX is not set # CONFIG_RX is not set
CONFIG_SEEDRNG=y
CONFIG_SETFATTR=y CONFIG_SETFATTR=y
CONFIG_SETSERIAL=y CONFIG_SETSERIAL=y
CONFIG_STRINGS=y CONFIG_STRINGS=y
CONFIG_TIME=y CONFIG_TIME=y
CONFIG_TREE=y
# CONFIG_TS is not set # CONFIG_TS is not set
# CONFIG_TTYSIZE is not set # CONFIG_TTYSIZE is not set
# CONFIG_UBIATTACH is not set # CONFIG_UBIATTACH is not set
@ -834,6 +851,7 @@ CONFIG_TIME=y
# CONFIG_UBIRENAME is not set # CONFIG_UBIRENAME is not set
# CONFIG_VOLNAME is not set # CONFIG_VOLNAME is not set
# CONFIG_WATCHDOG is not set # CONFIG_WATCHDOG is not set
# CONFIG_FEATURE_WATCHDOG_OPEN_TWICE is not set
# #
# Networking Utilities # Networking Utilities
@ -842,6 +860,9 @@ CONFIG_TIME=y
# CONFIG_FEATURE_UNIX_LOCAL is not set # CONFIG_FEATURE_UNIX_LOCAL is not set
# CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set # CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set
# CONFIG_VERBOSE_RESOLUTION_ERRORS is not set # CONFIG_VERBOSE_RESOLUTION_ERRORS is not set
# CONFIG_FEATURE_ETC_NETWORKS is not set
# CONFIG_FEATURE_ETC_SERVICES is not set
CONFIG_FEATURE_HWIB=y
# CONFIG_FEATURE_TLS_SHA1 is not set # CONFIG_FEATURE_TLS_SHA1 is not set
CONFIG_ARP=y CONFIG_ARP=y
# CONFIG_ARPING is not set # CONFIG_ARPING is not set
@ -860,6 +881,7 @@ CONFIG_ARP=y
# CONFIG_HOSTNAME is not set # CONFIG_HOSTNAME is not set
# CONFIG_DNSDOMAINNAME is not set # CONFIG_DNSDOMAINNAME is not set
# CONFIG_HTTPD is not set # CONFIG_HTTPD is not set
CONFIG_FEATURE_HTTPD_PORT_DEFAULT=0
# CONFIG_FEATURE_HTTPD_RANGES is not set # CONFIG_FEATURE_HTTPD_RANGES is not set
# CONFIG_FEATURE_HTTPD_SETUID is not set # CONFIG_FEATURE_HTTPD_SETUID is not set
# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set # CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set
@ -952,6 +974,7 @@ CONFIG_SSL_CLIENT=y
# CONFIG_FEATURE_TELNET_WIDTH is not set # CONFIG_FEATURE_TELNET_WIDTH is not set
# CONFIG_TELNETD is not set # CONFIG_TELNETD is not set
# CONFIG_FEATURE_TELNETD_STANDALONE is not set # CONFIG_FEATURE_TELNETD_STANDALONE is not set
CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0
# CONFIG_FEATURE_TELNETD_INETD_WAIT is not set # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
CONFIG_TFTP=y CONFIG_TFTP=y
CONFIG_FEATURE_TFTP_PROGRESS_BAR=y CONFIG_FEATURE_TFTP_PROGRESS_BAR=y
@ -972,6 +995,7 @@ CONFIG_VCONFIG=y
CONFIG_WGET=y CONFIG_WGET=y
CONFIG_FEATURE_WGET_LONG_OPTIONS=y CONFIG_FEATURE_WGET_LONG_OPTIONS=y
# CONFIG_FEATURE_WGET_STATUSBAR is not set # CONFIG_FEATURE_WGET_STATUSBAR is not set
CONFIG_FEATURE_WGET_FTP=y
# CONFIG_FEATURE_WGET_AUTHENTICATION is not set # CONFIG_FEATURE_WGET_AUTHENTICATION is not set
CONFIG_FEATURE_WGET_TIMEOUT=y CONFIG_FEATURE_WGET_TIMEOUT=y
CONFIG_FEATURE_WGET_HTTPS=y CONFIG_FEATURE_WGET_HTTPS=y
@ -988,6 +1012,7 @@ CONFIG_UDHCPC=y
CONFIG_FEATURE_UDHCPC_ARPING=y CONFIG_FEATURE_UDHCPC_ARPING=y
CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y
CONFIG_UDHCPC_DEFAULT_SCRIPT="/sbin/config-dhcp.sh" CONFIG_UDHCPC_DEFAULT_SCRIPT="/sbin/config-dhcp.sh"
CONFIG_UDHCPC6_DEFAULT_SCRIPT=""
# CONFIG_UDHCPC6 is not set # CONFIG_UDHCPC6 is not set
# CONFIG_FEATURE_UDHCPC6_RFC3646 is not set # CONFIG_FEATURE_UDHCPC6_RFC3646 is not set
# CONFIG_FEATURE_UDHCPC6_RFC4704 is not set # CONFIG_FEATURE_UDHCPC6_RFC4704 is not set
@ -997,6 +1022,7 @@ CONFIG_UDHCPC_DEFAULT_SCRIPT="/sbin/config-dhcp.sh"
# #
# Common options for DHCP applets # Common options for DHCP applets
# #
CONFIG_UDHCPC_DEFAULT_INTERFACE="eth0"
# CONFIG_FEATURE_UDHCP_PORT is not set # CONFIG_FEATURE_UDHCP_PORT is not set
CONFIG_UDHCP_DEBUG=9 CONFIG_UDHCP_DEBUG=9
CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80 CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80
@ -1014,17 +1040,19 @@ CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS=""
# #
# Mail Utilities # Mail Utilities
# #
CONFIG_FEATURE_MIME_CHARSET=""
# CONFIG_MAKEMIME is not set # CONFIG_MAKEMIME is not set
# CONFIG_POPMAILDIR is not set # CONFIG_POPMAILDIR is not set
# CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set # CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set
# CONFIG_REFORMIME is not set # CONFIG_REFORMIME is not set
# CONFIG_FEATURE_REFORMIME_COMPAT is not set # CONFIG_FEATURE_REFORMIME_COMPAT is not set
# CONFIG_SENDMAIL is not set # CONFIG_SENDMAIL is not set
CONFIG_FEATURE_MIME_CHARSET=""
# #
# Process Utilities # Process Utilities
# #
# CONFIG_FEATURE_FAST_TOP is not set
CONFIG_FEATURE_SHOW_THREADS=y
# CONFIG_FREE is not set # CONFIG_FREE is not set
# CONFIG_FUSER is not set # CONFIG_FUSER is not set
# CONFIG_IOSTAT is not set # CONFIG_IOSTAT is not set
@ -1063,7 +1091,6 @@ CONFIG_FEATURE_TOPMEM=y
# CONFIG_UPTIME is not set # CONFIG_UPTIME is not set
# CONFIG_FEATURE_UPTIME_UTMP_SUPPORT is not set # CONFIG_FEATURE_UPTIME_UTMP_SUPPORT is not set
# CONFIG_WATCH is not set # CONFIG_WATCH is not set
CONFIG_FEATURE_SHOW_THREADS=y
# #
# Runit Utilities # Runit Utilities
@ -1120,6 +1147,7 @@ CONFIG_ASH_EXPAND_PRMT=y
CONFIG_ASH_ECHO=y CONFIG_ASH_ECHO=y
CONFIG_ASH_PRINTF=y CONFIG_ASH_PRINTF=y
CONFIG_ASH_TEST=y CONFIG_ASH_TEST=y
CONFIG_ASH_SLEEP=y
CONFIG_ASH_HELP=y CONFIG_ASH_HELP=y
CONFIG_ASH_GETOPTS=y CONFIG_ASH_GETOPTS=y
CONFIG_ASH_CMDCMD=y CONFIG_ASH_CMDCMD=y
@ -1128,8 +1156,8 @@ CONFIG_ASH_CMDCMD=y
# CONFIG_SHELL_HUSH is not set # CONFIG_SHELL_HUSH is not set
# CONFIG_HUSH_BASH_COMPAT is not set # CONFIG_HUSH_BASH_COMPAT is not set
# CONFIG_HUSH_BRACE_EXPANSION is not set # CONFIG_HUSH_BRACE_EXPANSION is not set
# CONFIG_HUSH_LINENO_VAR is not set
# CONFIG_HUSH_BASH_SOURCE_CURDIR is not set # CONFIG_HUSH_BASH_SOURCE_CURDIR is not set
# CONFIG_HUSH_LINENO_VAR is not set
# CONFIG_HUSH_INTERACTIVE is not set # CONFIG_HUSH_INTERACTIVE is not set
# CONFIG_HUSH_SAVEHISTORY is not set # CONFIG_HUSH_SAVEHISTORY is not set
# CONFIG_HUSH_JOB is not set # CONFIG_HUSH_JOB is not set


@ -1,6 +1,6 @@
# #
# Automatically generated file; DO NOT EDIT. # Automatically generated file; DO NOT EDIT.
# Linux/powerpc 5.5.0-openpower1 Kernel Configuration # Linux/powerpc 5.5.0 Kernel Configuration
# #
# #
@ -415,24 +415,6 @@ CONFIG_ARCH_RANDOM=y
# CONFIG_VIRTUALIZATION is not set # CONFIG_VIRTUALIZATION is not set
CONFIG_HAVE_LIVEPATCH=y CONFIG_HAVE_LIVEPATCH=y
#
# Firmware Drivers
#
# CONFIG_FIRMWARE_MEMMAP is not set
CONFIG_GOOGLE_FIRMWARE=y
CONFIG_GOOGLE_COREBOOT_TABLE=y
CONFIG_GOOGLE_COREBOOT_CBMEM=y
CONFIG_GOOGLE_MEMCONSOLE=y
CONFIG_GOOGLE_MEMCONSOLE_COREBOOT=y
# CONFIG_GOOGLE_VPD is not set
CONFIG_EFI_EARLYCON=y
#
# Tegra firmware driver
#
# end of Tegra firmware driver
# end of Firmware Drivers
# #
# General architecture-dependent options # General architecture-dependent options
# #
@ -504,7 +486,6 @@ CONFIG_ARCH_OPTIONAL_KERNEL_RWX=y
CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
CONFIG_STRICT_KERNEL_RWX=y CONFIG_STRICT_KERNEL_RWX=y
CONFIG_ARCH_HAS_PHYS_TO_DMA=y CONFIG_ARCH_HAS_PHYS_TO_DMA=y
CONFIG_ARCH_USE_MEMREMAP_PROT=y
# CONFIG_LOCK_EVENT_COUNTS is not set # CONFIG_LOCK_EVENT_COUNTS is not set
# #
@ -2431,7 +2412,44 @@ CONFIG_VIRTIO_PCI_LEGACY=y
# end of Microsoft Hyper-V guest support # end of Microsoft Hyper-V guest support
# CONFIG_GREYBUS is not set # CONFIG_GREYBUS is not set
# CONFIG_STAGING is not set CONFIG_STAGING=y
# CONFIG_COMEDI is not set
# CONFIG_RTS5208 is not set
# CONFIG_FB_SM750 is not set
#
# Speakup console speech
#
# CONFIG_SPEAKUP is not set
# end of Speakup console speech
# CONFIG_STAGING_MEDIA is not set
#
# Android
#
# end of Android
# CONFIG_LTE_GDM724X is not set
# CONFIG_GS_FPGABOOT is not set
# CONFIG_UNISYSSPAR is not set
#
# Gasket devices
#
# end of Gasket devices
# CONFIG_XIL_AXIS_FIFO is not set
# CONFIG_FIELDBUS_DEV is not set
# CONFIG_USB_WUSB_CBAF is not set
# CONFIG_UWB is not set
CONFIG_EXFAT_FS=y
CONFIG_EXFAT_DISCARD=y
# CONFIG_EXFAT_DELAYED_SYNC is not set
# CONFIG_EXFAT_KERNEL_DEBUG is not set
# CONFIG_EXFAT_DEBUG_MSG is not set
CONFIG_EXFAT_DEFAULT_CODEPAGE=437
CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
# CONFIG_GOLDFISH is not set # CONFIG_GOLDFISH is not set
# CONFIG_HWSPINLOCK is not set # CONFIG_HWSPINLOCK is not set
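Review bot: The removal of the whole Firmware Drivers block (`CONFIG_GOOGLE_FIRMWARE`, `CONFIG_GOOGLE_COREBOOT_TABLE`, `CONFIG_GOOGLE_MEMCONSOLE*`, `CONFIG_EFI_EARLYCON`) and of `CONFIG_ARCH_USE_MEMREMAP_PROT`, together with the header change from `5.5.0-openpower1` to `5.5.0`, is not covered by the commit message, which only mentions staging exFAT support. That pattern looks like the config was regenerated against a different kernel tree than the one this board builds, so those symbols vanished as unavailable rather than being disabled on purpose. Please confirm the regeneration used the same sources, or restore the firmware-driver entries if they were meant to stay, and keep `CONFIG_STAGING=y` limited to the `CONFIG_EXFAT_*` entries as done here so no other staging code is pulled into the boot kernel.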


@ -1,16 +1,84 @@
#!/bin/bash #!/bin/bash
# Mount a USB device # Mount a USB device
. /etc/functions . /etc/functions
. /etc/luks-functions
TRACE "Under /bin/mount-usb" TRACE "Under /bin/mount-usb"
function usage() {
cat <<USAGE_END
usage: $0 [options...] <--mode [ro|rw]> <--device device> <--mountpoint mountpoint> <--pass passphrase>
$0 --help
parameters:
--mode: ro or rw (default ro)
--device: device to mount (default: first USB device found)
--mountpoint: where to mount the device (default: /media)
--pass: passphrase for LUKS device (default: none)
--help: Show this help
USAGE_END
}
MODE="ro"
DEVICE=""
MOUNTPOINT="/media"
PASS=""
#Only assign --mode, --device, --mountpoint and --pass parameters only if variables following them are not empty
while [ $# -gt 0 ]; do
case "$1" in
--mode)
if [ -n "$2" ]; then
MODE="$2"
shift
shift
fi
;;
--device)
if [ -n "$2" ]; then
DEVICE="$2"
shift
shift
fi
;;
--mountpoint)
if [ -n "$2" ]; then
MOUNTPOINT="$2"
shift
shift
fi
;;
--pass)
if [ -n "$2" ]; then
PASS="$2"
shift
shift
fi
;;
*)
usage
exit 1
;;
esac
done
#Show parameters content but not LUKS passphrase: if empty, show "empty", if provided, show "provided"
DEBUG "Parameters: --mode=$MODE, --device=${DEVICE:-empty}, --mountpoint=$MOUNTPOINT, --pass=${PASS:+provided}"
enable_usb enable_usb
enable_usb_storage enable_usb_storage
if [ ! -d /media ]; then if [ ! -d "$MOUNTPOINT" ]; then
mkdir /media DEBUG "Creating $MOUNTPOINT directory"
mkdir -p "$MOUNTPOINT" > /dev/null 2>&1
else
DEBUG "Cleaning $MOUNTPOINT directory"
umount "$MOUNTPOINT" > /dev/null 2>&1 || true
fi fi
list_usb_storage > /tmp/usb_block_devices list_usb_storage > /tmp/usb_block_devices
if [ -z "$(cat /tmp/usb_block_devices)" ]; then if [ -z "$(cat /tmp/usb_block_devices)" ]; then
if [ -x /bin/whiptail ]; then if [ -x /bin/whiptail ]; then
@ -34,56 +102,102 @@ if [ -z "$(cat /tmp/usb_block_devices)" ]; then
fi fi
USB_MOUNT_DEVICE="" USB_MOUNT_DEVICE=""
# Check for the common case: a single USB disk with one partition # Check if the user has specified a USB device
if [ `cat /tmp/usb_block_devices | wc -l` -eq 1 ]; then if [ -n "$DEVICE" ]; then
USB_MOUNT_DEVICE=`cat /tmp/usb_block_devices` DEBUG "Checking if "$DEVICE" is a USB detected block device"
fi if grep -q "$DEVICE" /tmp/usb_block_devices; then
# otherwise, let the user pick DEBUG "Selected device is a USB block device"
if [ -z ${USB_MOUNT_DEVICE} ]; then USB_MOUNT_DEVICE="$DEVICE"
> /tmp/usb_disk_list
for i in `cat /tmp/usb_block_devices`; do
echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
done
if [ -x /bin/whiptail ]; then
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < /tmp/usb_disk_list
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail $BG_COLOR --title "Select your USB disk" \
--menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail
option_index=$(cat /tmp/whiptail)
else else
echo "+++ Select your USB disk:" die "ERROR: Selected $DEVICE is not a USB block device"
n=0
while read option
do
n=`expr $n + 1`
echo "$n. $option"
done < /tmp/usb_disk_list
read \
-p "Choose your USB disk [1-$n, a to abort]: " \
option_index
fi fi
if [ "$option_index" = "a" ]; then
exit 5
fi
USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'`
fi
if [ "$1" = "rw" ]; then
mount -o rw $USB_MOUNT_DEVICE /media
else else
mount -o ro $USB_MOUNT_DEVICE /media # Check for the common case: a single USB disk with one partition
if [ $(cat /tmp/usb_block_devices | wc -l) -eq 1 ]; then
USB_MOUNT_DEVICE="$(cat /tmp/usb_block_devices)"
fi
# otherwise, let the user pick
if [ -z ${USB_MOUNT_DEVICE} ]; then
> /tmp/usb_disk_list
for i in $(cat /tmp/usb_block_devices); do
#appends label to the device name
echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
done
if [ -x /bin/whiptail ]; then
MENU_OPTIONS=""
n=0
while read option
do
n=$(expr $n + 1)
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < /tmp/usb_disk_list
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail $BG_COLOR --title "Select your USB disk" \
--menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail
if [ $? -ne 0 ]; then
die "ERROR: Selecting USB disk/partition aborted."
fi
option_index=$(cat /tmp/whiptail)
else
echo "+++ Select your USB disk:"
n=0
while read option
do
n=$(expr $n + 1)
echo "$n. $option"
done < /tmp/usb_disk_list
read \
-p "Choose your USB disk [1-$n, a to abort]: " \
option_index
fi
if [ "$option_index" = "a" ]; then
exit 5
fi
USB_MOUNT_DEVICE=$(head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//')
fi
fi
DEBUG "Checking if $USB_MOUNT_DEVICE is a LUKS device/partition"
if cryptsetup isLuks "$USB_MOUNT_DEVICE"; then
DEBUG "Selected USB partition is a LUKS device"
#Selected USB partition is a LUKS device
if [ -e /dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")" ]; then
DEBUG "Closing currently mapped LUKS device"
cryptsetup close "usb_mount_$(basename "$USB_MOUNT_DEVICE")"
fi
DEBUG "Opening LUKS device $USB_MOUNT_DEVICE"
#Pass LUKS passphrase to cryptsetup only if we received one
if [ -z "$PASS" ]; then
#We haven't received a passphrase
cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" \
|| die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device"
else
#We received a pasphrase
cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" --key-file <(echo -n "${PASS}") \
|| die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device"
fi
warn "Note that you cannot boot from a mounted encrypted device."
DEBUG "Setting USB_MOUNT_DEVICE=/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")""
USB_MOUNT_DEVICE="/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")""
else
# Selected USB partition is not a LUKS device
DEBUG "Selected USB partition is not a LUKS device, continuing..."
fi
# Mount the USB device
if [ "$MODE" = "rw" ]; then
DEBUG "Mounting $USB_MOUNT_DEVICE as read-write"
mount -o rw "$USB_MOUNT_DEVICE" "$MOUNTPOINT" || die "ERROR: Failed to mount ${USB_MOUNT_DEVICE} as read-write"
else
DEBUG "Mounting $USB_MOUNT_DEVICE as read-only"
mount -o ro "$USB_MOUNT_DEVICE" "$MOUNTPOINT" || die "ERROR: Failed to mount ${USB_MOUNT_DEVICE} as read-only"
fi fi
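Review bot: The device check `if grep -q "$DEVICE" /tmp/usb_block_devices; then` is a substring and regex match, so `--device /dev/sda` is accepted when only `/dev/sda1` is in the list and the value is interpreted as a pattern; use a fixed whole-line match, `if grep -qxF -- "$DEVICE" /tmp/usb_block_devices; then`. The DEBUG line just above it has its quotes inverted (`"Checking if "$DEVICE" is ..."`), which happens to work through word splitting but should read `DEBUG "Checking if $DEVICE is a USB detected block device"`. In the LUKS branch, `<(echo -n "${PASS}")` lets a passphrase beginning with `-n` or `-e` be consumed as an echo option; `<(printf '%s' "$PASS")` passes it verbatim. A comment near the `--pass` option should note that a passphrase given on the command line is visible in the process list to anything else running on the system, so callers should prefer the `-z "$PASS"` path where cryptsetup prompts itself.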


@ -546,7 +546,7 @@ if [ "$prompt_output" == "y" \
# mount USB over /media only if not already mounted # mount USB over /media only if not already mounted
if ! grep -q /media /proc/mounts ; then if ! grep -q /media /proc/mounts ; then
# mount USB in rw # mount USB in rw
if ! mount-usb rw 2>/tmp/error; then if ! mount-usb -mode rw 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s) ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}"
fi fi
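Review bot: `mount-usb -mode rw` uses a single dash, but the option parser this commit adds to /bin/mount-usb only recognises `--mode`, so `-mode` falls into the `*)` case, prints usage and exits 1, and this path can no longer mount the USB stick; it should be `if ! mount-usb --mode rw 2>/tmp/error; then`. The surrounding `if` block starts and ends outside the hunk, and other callers of the old positional `mount-usb rw` form elsewhere in the tree are not visible here and may need the same update.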


@ -171,7 +171,7 @@ detect_root_device()
# check $CONFIG_ROOT_DEV if set/valid # check $CONFIG_ROOT_DEV if set/valid
if [ -e "$CONFIG_ROOT_DEV" ]; then if [ -e "$CONFIG_ROOT_DEV" ]; then
if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then
if cryptsetup luksOpen $CONFIG_ROOT_DEV rootdisk; then if cryptsetup open $CONFIG_ROOT_DEV rootdisk; then
if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS
return 0 return 0
@ -199,7 +199,7 @@ detect_root_device()
# iterate thru possible options and check for LUKS # iterate thru possible options and check for LUKS
for i in `cat /tmp_root_device_list`; do for i in `cat /tmp_root_device_list`; do
if cryptsetup isLuks $i >/dev/null 2>&1; then if cryptsetup isLuks $i >/dev/null 2>&1; then
if cryptsetup luksOpen $i rootdisk; then if cryptsetup open $i rootdisk; then
if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then
if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then
# CONFIG_ROOT_DEV is valid device and contains an installed OS # CONFIG_ROOT_DEV is valid device and contains an installed OS
@ -220,7 +220,7 @@ unmount_root_device()
{ {
cd / cd /
umount $ROOT_MOUNT 2>/dev/null umount $ROOT_MOUNT 2>/dev/null
cryptsetup luksClose rootdisk cryptsetup close rootdisk
} }
checkonly="n" checkonly="n"


@ -102,6 +102,15 @@ enable_usb_storage()
list_usb_storage() list_usb_storage()
{ {
TRACE "Under /etc/functions:list_usb_storage" TRACE "Under /etc/functions:list_usb_storage"
# List all USB storage devices, including partitions unless we received argument stating we want drives only
# The output is a list of device names, one per line.
if [ "$1" = "disks" ]; then
DEBUG "Listing USB storage devices (disks only) since list_usb_storage was called with 'disks' argument"
else
DEBUG "Listing USB storage devices (including partitions)"
fi
stat -c %N /sys/block/sd* 2>/dev/null | grep usb | stat -c %N /sys/block/sd* 2>/dev/null | grep usb |
cut -f1 -d ' ' | cut -f1 -d ' ' |
sed "s/[']//g" | sed "s/[']//g" |
@ -109,6 +118,7 @@ list_usb_storage()
# Ignore devices of size 0, such as empty SD card # Ignore devices of size 0, such as empty SD card
# readers on laptops attached via USB. # readers on laptops attached via USB.
if [ "$(cat "$b/size")" -gt 0 ]; then if [ "$(cat "$b/size")" -gt 0 ]; then
DEBUG "USB storage device of size greater then 0: $b"
echo "$b" echo "$b"
fi fi
done | done |
@ -131,9 +141,17 @@ list_usb_storage()
DISK_DATA=$(fdisk -l "$b") DISK_DATA=$(fdisk -l "$b")
if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" || [ $(echo "$DISK_DATA" | wc -l) -eq 5 ]; then if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" || [ $(echo "$DISK_DATA" | wc -l) -eq 5 ]; then
# No partition table, include this device # No partition table, include this device
DEBUG "USB storage device without partition table: $b"
echo "$b"
#Bypass the check for partitions if we want only disks
elif [ "$1" = "disks" ]; then
# disks only were requested, so we don't list partitions
DEBUG "USB storage device with partition table: $b"
DEBUG "We asked for disks only, so we don't want to list partitions"
echo "$b" echo "$b"
else else
# Has a partition table, include partitions # Has a partition table, include partitions
DEBUG "USB storage device with partition table: $b"
ls -1 "$b"* | awk 'NR!=1 {print $0}' ls -1 "$b"* | awk 'NR!=1 {print $0}'
fi fi
done done
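Review bot: The new `DEBUG` calls at `DEBUG "USB storage device of size greater then 0: $b"` and in the partition-table branches run inside pipeline stages whose stdout is the device list itself, so if DEBUG writes anything to stdout (its definition is not visible in this hunk) that text lands in `/tmp/usb_block_devices` and breaks every caller of list_usb_storage. Please confirm DEBUG writes only to stderr or a log, or redirect these calls explicitly, e.g. `DEBUG "USB storage device of size greater then 0: $b" >&2`. Minor wording: "greater then" should be "greater than". The function continues past the end of the hunk.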


@ -1,19 +1,240 @@
#!/bin/bash #!/bin/bash
# Reencrypt LUKS container and change Disk Recovery Key associated passphrase (Slot 0: main slot) # LUKS related functions
. /etc/functions . /etc/functions
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
#List all LUKS devices on the system
list_luks_devices()
{
#generate a list of devices to choose from that contain a LUKS header
lvm vgscan||true
blkid | cut -d ':' -f 1 | while read device
do cryptsetup isLuks $device
if [ $? -eq 0 ]; then
echo "$device"
fi
done | sort
}
#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75
select_luks_container_size_percent()
{
TRACE "Under /etc/luks-functions:select_luks_container_size_percent()"
if [ -x /bin/whiptail ]; then
#whiptail prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75
#whiptail returns the percentage of the device to use for LUKS container
whiptail --title "Select LUKS container size percentage of device" --menu \
"Select LUKS container size percentage of device:" 0 80 10 \
"10" "10%" \
"25" "25%" \
"50" "50%" \
"75" "75%" \
2> /tmp/luks_container_size_percent \
|| die "Error selecting LUKS container size percentage of device"
else
#console prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75
#console prompt returns the percentage of the device to use for LUKS container
echo "Select LUKS container size percentage of device:"
echo "1. 10%"
echo "2. 25%"
echo "3. 50%"
echo "4. 75%"
read -p "Choose your LUKS container size percentage of device [1-3]: " option_index
if [ "$option_index" = "1" ]; then
echo "10" > /tmp/luks_container_size_percent
elif [ "$option_index" = "2" ]; then
echo "25" > /tmp/luks_container_size_percent
elif [ "$option_index" = "3" ]; then
echo "50" > /tmp/luks_container_size_percent
elif [ "$option_index" = "4" ]; then
echo "75" > /tmp/luks_container_size_percent
else
die "Error selecting LUKS container size percentage of device"
fi
fi
}
#Partition a device with two partitions: a first one being a LUKS container containing private ext4 partition and second public exfat partition
# Size provisioning is done by percentage of the device
prepare_thumb_drive()
{
TRACE "Under /etc/luks-functions:prepare_thumb_drive()"
#Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning
#If no passphrase was provided, ask user to select passphrase for LUKS container
# if no device provided as parameter, we will ask user to select device to partition
# if no percentage provided as parameter, we will default to 10% of device to use for LUKS container
# we will validate parameters and not make them positional and print a usage function first
#Set defaults
DEVICE="" #Will list all usb storage devices if not provided as parameter
PERCENTAGE="10" #default to 10% of device to use for LUKS container (requires a LUKS partition bigger then 32mb!)
PASSPHRASE="" #Will prompt user for passphrase if not provided as parameter
#Parse parameters
while [ $# -gt 0 ]; do
case "$1" in
--device)
DEVICE=$2
shift 2
;;
--percentage)
PERCENTAGE=$2
shift 2
;;
--passphrase)
PASSPHRASE=$2
shift 2
;;
*)
echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--passphrase passphrase]"
;;
esac
done
DEBUG "DEVICE to partition: $DEVICE"
DEBUG "PERCENTAGE of device that will be used for LUKS container: $PERCENTAGE"
#Output provided if passphrase is provided as parameter
DEBUG "PASSPHRASE for LUKS container: ${PASSPHRASE:+provided}"
#Prompt for passphrase if not provided as parameter
if [ -z "$PASSPHRASE" ]; then
#If no passphrase was provided, ask user to select passphrase for LUKS container
#console based no whiptail
while [[ ${#PASSPHRASE} -lt 8 ]]; do
{
echo -e "\nEnter passphrase for LUKS container (At least 8 characters long):"
#hide passphrase input from read command
read -r -s PASSPHRASE
#skip confirmation if passphrase is less then 8 characters long (continue)
if [[ ${#PASSPHRASE} -lt 8 ]]; then
echo -e "\nPassphrase must be at least 8 characters long. Please try again."
unset PASSPHRASE
continue
fi
#validate passphrase and ask user to re-enter if not at least 8 characters long
#confirm passphrase
echo -e "\nConfirm passphrase for LUKS container:"
#hide passphrase input from read command
read -r -s PASSPHRASE_CONFIRM
#compare passphrase and passphrase confirmation
if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then
echo -e "\nPassphrases do not match. Please try again."
unset PASSPHRASE
unset PASSPHRASE_CONFIRM
fi
};done
fi
#If no device was provided, ask user to select device to partition
if [ -z "$DEVICE" ]; then
#warn user to disconnect all external drives
if [ -x /bin/whiptail ]; then
whiptail $BG_COLOR_WARNING --title "WARNING: Disconnect all external drives" --msgbox \
"WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 \
|| die "User cancelled wiping and repartitioning of $DEVICE"
else
echo -e -n "Warning: Please disconnect all external drives before proceeding.\n\nHit Enter to continue?"
read -r -p " [Y/n] " response
#transform response to uppercase with bash parameter expansion
response=${response^^}
#continue if response different then uppercase N
if [[ $response =~ ^(N)$ ]]; then
die "User cancelled wiping and repartitioning of $DEVICE"
fi
fi
#enable usb
enable_usb
#enable usb storage
enable_usb_storage
#list all usb storage devices
list_usb_storage disks > /tmp/devices.txt
if [ $(cat /tmp/devices.txt | wc -l) -gt 0 ]; then
file_selector "/tmp/devices.txt" "Select device to partition"
if [ "$FILE" == "" ]; then
die "Error: No device selected"
else
DEVICE=$FILE
fi
else
die "Error: No device found"
fi
fi
#Check if device is a block device
if [ ! -b $DEVICE ]; then
die "Error: $DEVICE is not a block device"
fi
if [ -z "$PERCENTAGE" ]; then
#If no percentage was provided, ask user to select percentage of device to use for LUKS container
select_luks_container_size_percent
PERCENTAGE=$(cat /tmp/luks_container_size_percent)
fi
#Get disk size in bytes from fdisk
DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
#Convert disk size to MB
DISK_SIZE_MB=$((DISK_SIZE_BYTES/1024/1024))
#Get size in bytes from percentage and apply percentage to DISK_SIZE_MB
PERCENTAGE_MB="$((DISK_SIZE_MB*PERCENTAGE/100))"
#Console and whiptail $BG_COLOR_WARNING prompt (Y/n) validate one last time wiping and repartitioning of $device of total size $DISK_SIZE_MB with $PERCENTAGE_MB assigned to LUKS encrypted private partition
if [ -x /bin/whiptail ]; then
whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE of $DISK_SIZE_MB MB" --yesno \
"WARNING: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?" 0 80 \
|| die "User cancelled wiping and repartitioning of $DEVICE"
else
echo -e -n "Warning: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?"
read -r -p " [Y/n] " response
#transform response to uppercase with bash parameter expansion
response=${response^^}
#continue if response different then uppercase N
if [[ $response =~ ^(N)$ ]]; then
die "User cancelled wiping and repartitioning of $DEVICE"
fi
fi
echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container and rest of disk with exfat\
\n for public partition (This may take a while)..." | fold -s
DEBUG "Creating empty DOS partition table on device through fdisk to start clean"
echo -e "o\nw\n" | fdisk $DEVICE > /dev/null 2>&1 || die "Error creating partition table"
DEBUG "partition device with two partitions: first one being the percent applied and rest for second partition through fdisk"
echo -e "n\np\n1\n\n+"$PERCENTAGE_MB"M\nn\np\n2\n\n\nw\n" | fdisk $DEVICE > /dev/null 2>&1 || die "Error partitioning device"
DEBUG "cryptsetup luksFormat first partition with LUKS container aes-xts-plain64 cipher with sha256 hash and 512 bit key"
DEBUG "Creating ${PERCENTAGE_MB}MB LUKS container on ${DEVICE}1..."
DO_WITH_DEBUG cryptsetup --batch-mode -c aes-xts-plain64 -h sha256 -s 512 -y luksFormat ${DEVICE}1 \
--key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \
|| die "Error formatting LUKS container"
DEBUG "Opening LUKS device and mapping under /dev/mapper/private..."
DO_WITH_DEBUG cryptsetup open ${DEVICE}1 private --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \
|| die "Error opening LUKS container"
DEBUG "Formatting LUKS container mapped under /dev/mapper/private as an ext4 partition..."
mke2fs -t ext4 -L private /dev/mapper/private > /dev/null 2>&1 || die "Error formatting LUKS container's ext4 filesystem"
DEBUG "Closing LUKS device /dev/mapper/private..."
cryptsetup close private > /dev/null 2>&1 || die "Error closing LUKS container"
DEBUG "Formatting second partition ${DEVICE}2 with exfat filesystem..."
mkfs.exfat -L public ${DEVICE}2 > /dev/null 2>&1 || die "Error formatting second partition with exfat filesystem"
echo "Done."
}
select_luks_container() select_luks_container()
{ {
TRACE "Under /etc/luks-functions:select_luks_container()"
if [ -s /boot/kexec_key_devices.txt ]; then if [ -s /boot/kexec_key_devices.txt ]; then
DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
else else
#generate a list of devices to choose from that contain a LUKS header list_luks_devices > /tmp/luks_devices.txt
lvm vgscan||true #if /tmp/luks_devices.txt exists and is not empty
blkid | cut -d ':' -f 1 | while read device;do cryptsetup isLuks $device;if [ $(echo $?) == 0 ]; then echo $device;fi; done | sort > /tmp/luks_devices.txt if [ -s /tmp/luks_devices.txt ]; then
if [ $(cat /tmp/luks_devices.txt | wc -l) -gt 0 ]; then
file_selector "/tmp/luks_devices.txt" "Select LUKS container device" file_selector "/tmp/luks_devices.txt" "Select LUKS container device"
if [ "$FILE" == "" ]; then if [ "$FILE" == "" ]; then
return 1 return 1
@ -25,6 +246,7 @@ select_luks_container()
mount -o remount,ro /boot mount -o remount,ro /boot
fi fi
else else
warn "No encrypted device found." warn "No encrypted device found."
return 1 return 1
fi fi
@ -33,6 +255,7 @@ select_luks_container()
test_luks_current_disk_recovery_key_passphrase() test_luks_current_disk_recovery_key_passphrase()
{ {
TRACE "Under /etc/luks-functions:test_luks_current_disk_recovery_key_passphrase()"
while : ; do while : ; do
select_luks_container || return 1 select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
@ -41,14 +264,14 @@ test_luks_current_disk_recovery_key_passphrase()
read -r luks_current_Disk_Recovery_Key_passphrase read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi fi
#Validate past cryptsetup-reencrypt attempts #Validate past cryptsetup-reencrypt attempts
if [ $(echo $?) -ne 0 ]; then if [ $? -eq 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 "If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null
@ -65,7 +288,7 @@ test_luks_current_disk_recovery_key_passphrase()
#Exporting successfully used passphrase possibly reused by oem-factory-reset #Exporting successfully used passphrase possibly reused by oem-factory-reset
#We close the volume #We close the volume
cryptsetup luksClose test cryptsetup close test
export luks_current_Disk_Recovery_Key_passphrase export luks_current_Disk_Recovery_Key_passphrase
break; break;
fi fi
@ -73,6 +296,7 @@ test_luks_current_disk_recovery_key_passphrase()
} }
luks_reencrypt(){ luks_reencrypt(){
TRACE "Under /etc/luks-functions:luks_reencrypt()"
while : ; do while : ; do
select_luks_container || return 1 select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
@ -113,6 +337,7 @@ done
luks_change_passphrase() luks_change_passphrase()
{ {
TRACE "Under /etc/luks-functions:luks_change_passphrase()"
while : ; do while : ; do
select_luks_container || return 1 select_luks_container || return 1
#if actual or new Disk Recovery Key is not provisioned by oem-provisioning file #if actual or new Disk Recovery Key is not provisioned by oem-provisioning file

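--- a/initrd/etc/mke2fs.conf
+++ b/initrd/etc/mke2fs.conf
@@ -0,0 +1,45 @@
+[defaults]
+base_features = sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr
+default_mntopts = acl,user_xattr
+enable_periodic_fsck = 0
+blocksize = 4096
+inode_size = 256
+inode_ratio = 16384
+[fs_types]
+ext3 = {
+features = has_journal
+}
+ext4 = {
+features = has_journal,extent,huge_file,flex_bg,metadata_csum,metadata_csum_seed,64bit,dir_nlink,extra_isize,orphan_file
+}
+small = {
+blocksize = 1024
+inode_ratio = 4096
+}
+floppy = {
+blocksize = 1024
+inode_ratio = 8192
+}
+big = {
+inode_ratio = 32768
+}
+huge = {
+inode_ratio = 65536
+}
+news = {
+inode_ratio = 4096
+}
+largefile = {
+inode_ratio = 1048576
+blocksize = -1
+}
+largefile4 = {
+inode_ratio = 4194304
+blocksize = -1
+}
+hurd = {
+blocksize = 4096
+inode_size = 128
+warn_y2038_dates = 0
+}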
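Review bot: The `ext4` profile's `features = ...,metadata_csum_seed,64bit,dir_nlink,extra_isize,orphan_file` line enables `orphan_file`, which as far as I know only kernels from 5.15 onward understand; the private partition that luks-functions creates with `mke2fs -t ext4 -L private` inherits this profile, so a board whose Heads kernel predates that can still mount the filesystem, but only read-only once `orphan_present` has been set by an unclean unmount. If any board ships an older kernel, consider dropping `orphan_file` from this profile or confirming support per board before relying on the private partition for key-material backup. The file also carries no provenance note; if it was taken from the e2fsprogs defaults, a leading comment such as `# Based on the default mke2fs.conf shipped with e2fsprogs 1.47.0; keep in sync when bumping modules/e2fsprogs` would tell the next maintainer when to re-sync it.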

@ -2,11 +2,11 @@
CONFIG_BUSYBOX ?= y CONFIG_BUSYBOX ?= y
modules-$(CONFIG_BUSYBOX) += busybox modules-$(CONFIG_BUSYBOX) += busybox
busybox_version := 1.33.2 busybox_version := 1.36.1
busybox_dir := busybox-$(busybox_version) busybox_dir := busybox-$(busybox_version)
busybox_tar := busybox-$(busybox_version).tar.bz2 busybox_tar := busybox-$(busybox_version).tar.bz2
busybox_url := https://busybox.net/downloads/$(busybox_tar) busybox_url := https://busybox.net/downloads/$(busybox_tar)
busybox_hash := 6843ba7977081e735fa0fdb05893e3c002c8c5ad7c9c80da206e603cc0ac47e7 busybox_hash := b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
busybox_configure := $(MAKE) CC="$(heads_cc)" oldconfig busybox_configure := $(MAKE) CC="$(heads_cc)" oldconfig
busybox_config := config/busybox.config busybox_config := config/busybox.config

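--- a/modules/e2fsprogs
+++ b/modules/e2fsprogs
@@ -0,0 +1,34 @@
+#Module is included unless defined in board to "n"
+CONFIG_E2FSPROGS ?= y
+modules-$(CONFIG_E2FSPROGS) += e2fsprogs
+e2fsprogs_version := 1.47.0
+e2fsprogs_dir := e2fsprogs-$(e2fsprogs_version)
+e2fsprogs_tar := e2fsprogs-$(e2fsprogs_version).tar.xz
+e2fsprogs_url := https://mirrors.edge.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v$(e2fsprogs_version)/$(e2fsprogs_tar)
+e2fsprogs_hash := 144af53f2bbd921cef6f8bea88bb9faddca865da3fbc657cc9b4d2001097d5db
+# For reproducibility reasons we have to override the exec_prefix
+# and datarootdir on the configure line so that the Makefiles will
+# be generated with the correct paths, but then re-write them when
+# we use the install target so that they will be copied to the correct
+# location.
+e2fsprogs_configure := \
+$(CROSS_TOOLS) \
+CFLAGS="-Os" \
+./configure \
+--host $(MUSL_ARCH)-linux-musl \
+--prefix "" \
+--libexecdir "/bin" \
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+e2fsprogs_target := $(MAKE_JOBS) \
+&& $(MAKE) -C $(build)/$(e2fsprogs_dir) \
+DESTDIR="$(INSTALL)" \
+install
+e2fsprogs_output := misc/mke2fs
+e2fsprogs_depends := $(musl_dep)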
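--- a/modules/exfatprogs
+++ b/modules/exfatprogs
@@ -0,0 +1,34 @@
+#Module is included unless defined in board to "n"
+CONFIG_EXFATPROGS ?= y
+modules-$(CONFIG_EXFATPROGS) += exfatprogs
+exfatprogs_version := 1.2.1
+exfatprogs_dir := exfatprogs-$(exfatprogs_version)
+exfatprogs_tar := exfatprogs-$(exfatprogs_version).tar.xz
+exfatprogs_url := https://github.com/exfatprogs/exfatprogs/releases/download/$(exfatprogs_version)/$(exfatprogs_tar)
+exfatprogs_hash := a6f3b1fb4bd37835c8f8cb421aac4eb75b880a51342b29850c4063973162227b
+# For reproducibility reasons we have to override the exec_prefix
+# and datarootdir on the configure line so that the Makefiles will
+# be generated with the correct paths, but then re-write them when
+# we use the install target so that they will be copied to the correct
+# location.
+exfatprogs_configure := \
+$(CROSS_TOOLS) \
+CFLAGS="-Os" \
+./configure \
+--host $(MUSL_ARCH)-linux-musl \
+--prefix "" \
+--libexecdir "/bin" \
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+exfatprogs_target := $(MAKE_JOBS) \
+&& $(MAKE) -C $(build)/$(exfatprogs_dir) \
+DESTDIR="$(INSTALL)" \
+install
+exfatprogs_output := fsck/fsck.exfat mkfs/mkfs.exfat
+exfatprogs_depends := $(musl_dep)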