Merge branch 'optional_full_disk_encryption' of https://github.com/PabloCastellano/pmbootstrap into optional-fde

2017-06-28 17:16:56 +02:00 · 2017-06-28 17:16:56 +02:00 · 86cb9f5ec8
parent 28a0e10e56 920d4c8198
commit 86cb9f5ec8
7 changed files with 64 additions and 31 deletions
--- a/aports/postmarketos-mkinitfs/10-usb-unlock.sh
+++ b/aports/postmarketos-mkinitfs/10-usb-unlock.sh
@ -2,6 +2,10 @@
 IP=172.16.42.1
 TELNET_PORT=23

+. /init_functions.sh
+
+log "info" "show_splash $partition"
+
 usb_setup_android() {
 	SYS=/sys/class/android_usb/android0
 	[ -e "$SYS" ] || return
@ -46,6 +50,13 @@ telnetd_start()
 	telnetd -b "${IP}:${TELNET_PORT}" -l /telnet_connect.sh
 }

+partition=$(find_root_partition)
+
 usb_setup_android
 dhcpcd_start
-telnetd_start
+
+if $(cryptsetup isLuks "$partition"); then
+	log "info" "password needed to decrypt $partition, launching telnetd"
+	telnetd_start
+fi
+
--- a/aports/postmarketos-mkinitfs/APKBUILD
+++ b/aports/postmarketos-mkinitfs/APKBUILD
@ -1,6 +1,6 @@
 pkgname=postmarketos-mkinitfs
 pkgver=0.0.5
-pkgrel=4
+pkgrel=5
 pkgdesc="Tool to generate initramfs images for postmarketOS"
 url="https://github.com/postmarketOS"
 # multipath-tools: kpartx
@ -27,9 +27,9 @@ package() {
 	install -Dm644 "$srcdir/10-usb-unlock.sh" \
 		"$pkgdir/etc/postmarketos-mkinitfs/hooks/"
 }
-sha512sums="2f45dee1ad9ef75166d614774e0ee2a6856950990c063bce7d0e98ed27599d2f8040c6118a9381aab4a69c79f96a30eb044b6b29ef2afb2a9374bac5f5a398da  init.sh.in
-3ebc5fa2220a8da920ebca67f14c38b0c296eafdbcf312997b442a020d1683bd622a42a946a61b4d80cbecf28853c915480e26ffe59eda57769855303b67bbdf  init_functions.sh
+sha512sums="6f4d96b5b5e19811d7b03a5f20e6ee766d22047c182e9b21c56e99634b2300978d8c98f42f9a889e356a295bb968053d1d289a8ebddf52a696b4630df6839b45  init.sh.in
+6795e225e0576b003ea492a05d83d28092753af7cc4dd6a8b75ae2d2ca3555f951d632c7ee5ee7db3a7b606bb77cc9a035804a81a1f5b4fdad6a7aac5a0ee6b4  init_functions.sh
 dd3c86c6ba4f91e20b72f4180049960a58dc01002f69ad9e5d98c752da3b34711c2bbe6e0c7d003eb6a4a8d9e185796aa2fe84c0231a3057b204912c439140f7  mkinitfs.sh
-82f0b9927bfef919c6561d67283a0e77c36ef8f8d11000a6153b52e39731ceaa65b9a34c682e737881dc676cc8bfc97dfbbfdeb2ca03594b8f9beef9e49a754d  10-usb-unlock.sh
+bea0eae6852f4a401347bbbd6c376ea8cc5bfa4817d2c87170a4f2a916e25f155769eb8e97e16d39bf2eac84e3fdaf6f8c7a0564ec561a96e32407daa1d71e1c  10-usb-unlock.sh
 35a8eabad947347afec7e3f5860d31ab9e3534972c0960ccf553c7e1cc9262316bfdddb8d61d3588db1ee2261077597617806080b9956798b3e5088d6f9b596b  splash1.ppm.gz
 bf11d8b3a50db984cfbb2cafe6687de327242c1f6f56c6fdd02ca579b05213f9c886aa1c0527530fdec21b16e65e68962e40a600c4ce155819df2f610b435087  splash2.ppm.gz"
--- a/aports/postmarketos-mkinitfs/TODO
+++ b/aports/postmarketos-mkinitfs/TODO
@ -1,6 +1,3 @@
- use device labels or uuids inside init to properly detect the right
-	partition
-
 - support for adding files/modules in hooks (one file per hook):
 	- add build() function
 		- should have add_module and add_file functions
--- a/aports/postmarketos-mkinitfs/init.sh.in
+++ b/aports/postmarketos-mkinitfs/init.sh.in
@ -30,7 +30,7 @@ unlock_root_partition
 # switch root
 show_splash /splash2.ppm.gz
 killall telnetd mdev 2&> /dev/null
-mount -w -t ext4 /dev/mapper/root /sysroot
+mount -w -t ext4 $(find_root_partition) /sysroot
 umount /proc
 umount /sys
 umount /dev/pts
--- a/aports/postmarketos-mkinitfs/init_functions.sh
+++ b/aports/postmarketos-mkinitfs/init_functions.sh
@ -1,6 +1,11 @@
 #!/bin/sh
 # This file will be in /init_functions.sh inside the initramfs.

+log()
+{
+	echo "[$1] $2" >> /tmp/boot.log
+}
+
 mount_subpartitions()
 {
 	for i in /dev/mmcblk*; do
@ -19,24 +24,35 @@ mount_subpartitions()

 find_root_partition()
 {
-	for i in /dev/mapper/* /dev/mmcblk*; do
-		cryptsetup isLuks "$i" || continue
-		echo "$i"
-		break
-	done
+	DEVICE=$(blkid | grep "crypto_LUKS" | tail -1 | cut -d ":" -f 1)
+
+	if [ -z "$DEVICE" ]; then
+		DEVICE=$(blkid | grep "pmOS_root" | tail -1 | cut -d ":" -f 1)
+	fi
+
+	log "info" "root partition is $DEVICE"
+
+	echo $DEVICE
 }

 unlock_root_partition()
 {
+	log "info" "unlock_root_partition()"
 	while ! [ -e /dev/mapper/root ]; do
 		partition="$(find_root_partition)"
 		if [ -z "$partition" ]; then
-			echo "Could not find cryptsetup partition."
+			echo "Could not find the root partition."
 			echo "Maybe you need to insert the sdcard, if your device has"
 			echo "any? Trying again in one second..."
 			sleep 1
 		else
-			cryptsetup luksOpen "$partition" root
+			if $(cryptsetup isLuks "$partition"); then
+				cryptsetup luksOpen "$partition" root
+				log "info" "decrypted $partition"
+			else
+				log "info" "unencrypted $partition"
+				break
+			fi
 		fi
 	done
 }
@ -44,6 +60,7 @@ unlock_root_partition()
 # $1: path to ppm.gz file
 show_splash()
 {
+	log "info" "show_splash $1"
 	gzip -c -d "$1" > /tmp/splash.ppm
 	fbsplash -s /tmp/splash.ppm
 }
--- a/pmb/install/format.py
+++ b/pmb/install/format.py
@ -23,33 +23,39 @@ import pmb.chroot

 def format_and_mount_boot(args):
    mountpoint = "/mnt/install/boot"
-    logging.info("(native) format /dev/installp1 (boot, ext2), mount to " +
+    device = "/dev/installp1"
+    logging.info("(native) format " + device + " (boot, ext2), mount to " +
                 mountpoint)
-    pmb.chroot.root(args, ["mkfs.ext2", "-F", "-q", "/dev/installp1"])
+    pmb.chroot.root(args, ["mkfs.ext2", "-F", "-q", "-L", "pmOS_boot", device])
    pmb.chroot.root(args, ["mkdir", "-p", mountpoint])
-    pmb.chroot.root(args, ["mount", "/dev/installp1", mountpoint])
+    pmb.chroot.root(args, ["mount", device, mountpoint])


 def format_and_mount_root(args):
    mountpoint = "/dev/mapper/pm_crypt"
-    logging.info("(native) format /dev/installp2 (root, luks), mount to " +
-                 mountpoint)
-    pmb.chroot.root(args, ["cryptsetup", "luksFormat", "--use-urandom",
-                           "--cipher", args.cipher, "-q", "/dev/installp2"], log=False)
-    pmb.chroot.root(args, ["cryptsetup", "luksOpen", "/dev/installp2",
-                           "pm_crypt"], log=False)
-    if not os.path.exists(args.work + "/chroot_native" + mountpoint):
-        raise RuntimeError("Failed to open cryptdevice!")
+    device = "/dev/installp2"
+    if not args.no_fde:
+        logging.info("(native) format " + device + " (root, luks), mount to " +
+                     mountpoint)
+        pmb.chroot.root(args, ["cryptsetup", "luksFormat", "--use-urandom",
+                        "--cipher", args.cipher, "-q", device], log=False)
+        pmb.chroot.root(args, ["cryptsetup", "luksOpen", device,
+                        "pm_crypt"], log=False)
+        if not os.path.exists(args.work + "/chroot_native" + mountpoint):
+            raise RuntimeError("Failed to open cryptdevice!")


 def format_and_mount_pm_crypt(args):
-    cryptdevice = "/dev/mapper/pm_crypt"
+    if args.no_fde:
+        device = "/dev/installp2"
+    else:
+        device = "/dev/mapper/pm_crypt"
    mountpoint = "/mnt/install"
-    logging.info("(native) format " + cryptdevice + " (ext4), mount to " +
+    logging.info("(native) format " + device + " (ext4), mount to " +
                 mountpoint)
-    pmb.chroot.root(args, ["mkfs.ext4", "-F", "-q", cryptdevice])
+    pmb.chroot.root(args, ["mkfs.ext4", "-F", "-q", "-L", "pmOS_root", device])
    pmb.chroot.root(args, ["mkdir", "-p", mountpoint])
-    pmb.chroot.root(args, ["mount", cryptdevice, mountpoint])
+    pmb.chroot.root(args, ["mount", device, mountpoint])


 def format(args):
--- a/pmb/parse/arguments.py
+++ b/pmb/parse/arguments.py
@ -154,6 +154,8 @@ def arguments():
                         " encrypt the system partition, eg. aes-xts-plain64")
    install.add_argument("--add", help="comma separated list of packages to be"
                         " added to the rootfs (e.g. 'vim,gcc')")
+    install.add_argument("--no-fde", help="do not use full disk encryption",
+                         action="store_true")

    # Action: build / checksum / menuconfig / parse_apkbuild / aportgen
    menuconfig = sub.add_parser("menuconfig", help="run menuconfig on"