mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-30 01:38:56 +00:00
f6eed42208
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive. Adds: - e2fsprogs to support ext4 filesystem creation through mke2fs - add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4 - removes mke2fs support from busybox - bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here) - Adds exfatprogs to have mkfs.exfat and fsck.exfat - Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat - Modify most board configs to test space requirements failing - Talos2 linux config: add staging Exfat support - Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs - Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review - etc/luks_functions: cleanup GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
204 lines
5.9 KiB
Bash
Executable File
204 lines
5.9 KiB
Bash
Executable File
#!/bin/bash
|
|
# Mount a USB device
|
|
. /etc/functions
|
|
. /etc/luks-functions
|
|
|
|
TRACE "Under /bin/mount-usb"
|
|
|
|
function usage() {
|
|
cat <<USAGE_END
|
|
usage: $0 [options...] <--mode [ro|rw]> <--device device> <--mountpoint mountpoint> <--pass passphrase>
|
|
$0 --help
|
|
|
|
parameters:
|
|
--mode: ro or rw (default ro)
|
|
--device: device to mount (default: first USB device found)
|
|
--mountpoint: where to mount the device (default: /media)
|
|
--pass: passphrase for LUKS device (default: none)
|
|
--help: Show this help
|
|
USAGE_END
|
|
}
|
|
|
|
MODE="ro"
|
|
DEVICE=""
|
|
MOUNTPOINT="/media"
|
|
PASS=""
|
|
|
|
|
|
#Only assign --mode, --device, --mountpoint and --pass parameters only if variables following them are not empty
|
|
while [ $# -gt 0 ]; do
|
|
case "$1" in
|
|
--mode)
|
|
if [ -n "$2" ]; then
|
|
MODE="$2"
|
|
shift
|
|
shift
|
|
fi
|
|
;;
|
|
--device)
|
|
if [ -n "$2" ]; then
|
|
DEVICE="$2"
|
|
shift
|
|
shift
|
|
fi
|
|
;;
|
|
--mountpoint)
|
|
if [ -n "$2" ]; then
|
|
MOUNTPOINT="$2"
|
|
shift
|
|
shift
|
|
fi
|
|
;;
|
|
--pass)
|
|
if [ -n "$2" ]; then
|
|
PASS="$2"
|
|
shift
|
|
shift
|
|
fi
|
|
;;
|
|
*)
|
|
usage
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
|
|
#Show parameters content but not LUKS passphrase: if empty, show "empty", if provided, show "provided"
|
|
DEBUG "Parameters: --mode=$MODE, --device=${DEVICE:-empty}, --mountpoint=$MOUNTPOINT, --pass=${PASS:+provided}"
|
|
|
|
enable_usb
|
|
enable_usb_storage
|
|
|
|
if [ ! -d "$MOUNTPOINT" ]; then
|
|
DEBUG "Creating $MOUNTPOINT directory"
|
|
mkdir -p "$MOUNTPOINT" > /dev/null 2>&1
|
|
else
|
|
DEBUG "Cleaning $MOUNTPOINT directory"
|
|
umount "$MOUNTPOINT" > /dev/null 2>&1 || true
|
|
fi
|
|
|
|
|
|
list_usb_storage > /tmp/usb_block_devices
|
|
if [ -z "$(cat /tmp/usb_block_devices)" ]; then
|
|
if [ -x /bin/whiptail ]; then
|
|
whiptail $BG_COLOR --title 'USB Drive Missing' \
|
|
--msgbox "Insert your USB drive and press Enter to continue." 0 80
|
|
else
|
|
echo "+++ USB Drive Missing! Insert your USB drive and press Enter to continue."
|
|
read
|
|
fi
|
|
sleep 1
|
|
list_usb_storage > /tmp/usb_block_devices
|
|
if [ -z "$(cat /tmp/usb_block_devices)" ]; then
|
|
if [ -x /bin/whiptail ]; then
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: USB Drive Missing' \
|
|
--msgbox "USB Drive Missing! Aborting mount attempt.\n\nPress Enter to continue." 0 80
|
|
else
|
|
echo "!!! ERROR: USB Drive Missing! Aborting mount. Press Enter to continue."
|
|
fi
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
USB_MOUNT_DEVICE=""
|
|
# Check if the user has specified a USB device
|
|
if [ -n "$DEVICE" ]; then
|
|
DEBUG "Checking if "$DEVICE" is a USB detected block device"
|
|
if grep -q "$DEVICE" /tmp/usb_block_devices; then
|
|
DEBUG "Selected device is a USB block device"
|
|
USB_MOUNT_DEVICE="$DEVICE"
|
|
else
|
|
die "ERROR: Selected $DEVICE is not a USB block device"
|
|
fi
|
|
else
|
|
# Check for the common case: a single USB disk with one partition
|
|
if [ $(cat /tmp/usb_block_devices | wc -l) -eq 1 ]; then
|
|
USB_MOUNT_DEVICE="$(cat /tmp/usb_block_devices)"
|
|
fi
|
|
# otherwise, let the user pick
|
|
if [ -z ${USB_MOUNT_DEVICE} ]; then
|
|
> /tmp/usb_disk_list
|
|
for i in $(cat /tmp/usb_block_devices); do
|
|
#appends label to the device name
|
|
echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
|
|
done
|
|
|
|
if [ -x /bin/whiptail ]; then
|
|
MENU_OPTIONS=""
|
|
n=0
|
|
while read option
|
|
do
|
|
n=$(expr $n + 1)
|
|
option=$(echo $option | tr " " "_")
|
|
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
|
|
done < /tmp/usb_disk_list
|
|
|
|
MENU_OPTIONS="$MENU_OPTIONS a Abort"
|
|
whiptail $BG_COLOR --title "Select your USB disk" \
|
|
--menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \
|
|
-- $MENU_OPTIONS \
|
|
2>/tmp/whiptail
|
|
if [ $? -ne 0 ]; then
|
|
die "ERROR: Selecting USB disk/partition aborted."
|
|
fi
|
|
option_index=$(cat /tmp/whiptail)
|
|
else
|
|
echo "+++ Select your USB disk:"
|
|
n=0
|
|
while read option
|
|
do
|
|
n=$(expr $n + 1)
|
|
echo "$n. $option"
|
|
done < /tmp/usb_disk_list
|
|
|
|
read \
|
|
-p "Choose your USB disk [1-$n, a to abort]: " \
|
|
option_index
|
|
fi
|
|
|
|
if [ "$option_index" = "a" ]; then
|
|
exit 5
|
|
fi
|
|
USB_MOUNT_DEVICE=$(head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//')
|
|
fi
|
|
fi
|
|
|
|
DEBUG "Checking if $USB_MOUNT_DEVICE is a LUKS device/partition"
|
|
if cryptsetup isLuks "$USB_MOUNT_DEVICE"; then
|
|
DEBUG "Selected USB partition is a LUKS device"
|
|
#Selected USB partition is a LUKS device
|
|
if [ -e /dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")" ]; then
|
|
DEBUG "Closing currently mapped LUKS device"
|
|
cryptsetup close "usb_mount_$(basename "$USB_MOUNT_DEVICE")"
|
|
fi
|
|
DEBUG "Opening LUKS device $USB_MOUNT_DEVICE"
|
|
#Pass LUKS passphrase to cryptsetup only if we received one
|
|
if [ -z "$PASS" ]; then
|
|
#We haven't received a passphrase
|
|
cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" \
|
|
|| die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device"
|
|
else
|
|
#We received a pasphrase
|
|
cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" --key-file <(echo -n "${PASS}") \
|
|
|| die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device"
|
|
fi
|
|
|
|
warn "Note that you cannot boot from a mounted encrypted device."
|
|
DEBUG "Setting USB_MOUNT_DEVICE=/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")""
|
|
USB_MOUNT_DEVICE="/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")""
|
|
else
|
|
# Selected USB partition is not a LUKS device
|
|
DEBUG "Selected USB partition is not a LUKS device, continuing..."
|
|
fi
|
|
|
|
|
|
# Mount the USB device
|
|
if [ "$MODE" = "rw" ]; then
|
|
DEBUG "Mounting $USB_MOUNT_DEVICE as read-write"
|
|
mount -o rw "$USB_MOUNT_DEVICE" "$MOUNTPOINT" || die "ERROR: Failed to mount ${USB_MOUNT_DEVICE} as read-write"
|
|
else
|
|
DEBUG "Mounting $USB_MOUNT_DEVICE as read-only"
|
|
mount -o ro "$USB_MOUNT_DEVICE" "$MOUNTPOINT" || die "ERROR: Failed to mount ${USB_MOUNT_DEVICE} as read-only"
|
|
fi
|