A few adjustements to recent crypto root implementation https://github.com/armbian/build/pull/1069 from @zciendor
This commit is contained in:
Igor Pecovnik
parent
51b5cfdc42
commit
459a6f5895
@ -65,7 +65,6 @@ SERIALCON=ttyS0
|
||||
CAN_BUILD_STRETCH=yes
|
||||
[[ -z $CRYPTROOT_SSH_UNLOCK ]] && CRYPTROOT_SSH_UNLOCK=yes
|
||||
[[ -z $CRYPTROOT_SSH_UNLOCK_PORT ]] && CRYPTROOT_SSH_UNLOCK_PORT=2022
|
||||
CRYPTROOT_SSH_UNLOCK_KEY_NAME=id_ecdsa_cryptroot-unlock
|
||||
|
||||
# single ext4 partition is the default and preferred configuration
|
||||
#BOOTFS_TYPE=''
|
||||
@ -85,6 +84,9 @@ if [[ -f $SRC/userpatches/sources/$LINUXFAMILY.conf ]]; then
|
||||
source $SRC/userpatches/sources/$LINUXFAMILY.conf
|
||||
fi
|
||||
|
||||
# dropbear needs to be configured differently
|
||||
[[ $CRYPTROOT_ENABLE == yes && ($RELEASE == jessie || $RELEASE == xenial) ]] && exit_with_error "Encrypted rootfs is not supported in Jessie or Xenial"
|
||||
|
||||
[[ $RELEASE == stretch && $CAN_BUILD_STRETCH != yes ]] && exit_with_error "Building Debian Stretch images with selected kernel is not supported"
|
||||
[[ $RELEASE == bionic && $CAN_BUILD_STRETCH != yes ]] && exit_with_error "Building Ubuntu Bionic images with selected kernel is not supported"
|
||||
[[ $RELEASE == bionic && $(lsb_release -sc) == xenial ]] && exit_with_error "Building Ubuntu Bionic images requires a Bionic build host. Please upgrade your host or select a different target OS"
|
||||
@ -153,14 +155,6 @@ PACKAGE_LIST_DESKTOP="xserver-xorg xserver-xorg-video-fbdev gvfs-backends gvfs-f
|
||||
PACKAGE_LIST_DESKTOP_RECOMMENDS="mirage galculator hexchat xfce4-screenshooter network-manager-openvpn-gnome mpv fbi cups-pk-helper \
|
||||
cups geany atril xarchiver leafpad"
|
||||
|
||||
# rootfs encryption related packages
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
PACKAGE_LIST="$PACKAGE_LIST cryptsetup"
|
||||
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
PACKAGE_LIST="$PACKAGE_LIST dropbear-initramfs"
|
||||
fi
|
||||
fi
|
||||
|
||||
case $DISPLAY_MANAGER in
|
||||
nodm)
|
||||
PACKAGE_LIST_DISPLAY_MANAGER="nodm"
|
||||
|
||||
@ -416,7 +416,7 @@ prepare_partitions()
|
||||
rm -f $SDCARD/etc/fstab
|
||||
if [[ -n $rootpart ]]; then
|
||||
local rootdevice="${LOOP}p${rootpart}"
|
||||
|
||||
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
display_alert "Encrypting root partition with LUKS..." "cryptsetup luksFormat $rootdevice" ""
|
||||
echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $rootdevice -
|
||||
@ -425,7 +425,7 @@ prepare_partitions()
|
||||
# TODO: pass /dev/mapper to Docker
|
||||
rootdevice=/dev/mapper/$ROOT_MAPPER # used by `mkfs` and `mount` commands
|
||||
fi
|
||||
|
||||
|
||||
check_loop_device "$rootdevice"
|
||||
display_alert "Creating rootfs" "$ROOTFS_TYPE on $rootdevice"
|
||||
mkfs.${mkfs[$ROOTFS_TYPE]} ${mkopts[$ROOTFS_TYPE]} $rootdevice
|
||||
@ -488,7 +488,7 @@ prepare_partitions()
|
||||
# update_initramfs
|
||||
#
|
||||
# this should be invoked as late as possible for any modifications by
|
||||
# customize_image (userpatches) and prepare_partitions to be reflected in the
|
||||
# customize_image (userpatches) and prepare_partitions to be reflected in the
|
||||
# final initramfs
|
||||
#
|
||||
# especially, this needs to be invoked after /etc/crypttab has been created
|
||||
@ -496,15 +496,15 @@ prepare_partitions()
|
||||
# https://serverfault.com/questions/907254/cryproot-unlock-with-dropbear-timeout-while-waiting-for-askpass
|
||||
#
|
||||
update_initramfs() {
|
||||
|
||||
|
||||
update_initramfs_cmd="update-initramfs -uv -k ${VER}-${LINUXFAMILY}"
|
||||
display_alert "Updating initramfs..." "$update_initramfs_cmd" ""
|
||||
cp /usr/bin/$QEMU_BINARY $SDCARD/usr/bin/
|
||||
mount_chroot "$SDCARD/"
|
||||
|
||||
chroot $SDCARD /bin/bash -c "$update_initramfs_cmd" >> $DEST/debug/debootstrap.log
|
||||
display_alert "Updated initramfs." "for details see: $DEST/debug/debootstrap.log" "ext"
|
||||
|
||||
|
||||
chroot $SDCARD /bin/bash -c "$update_initramfs_cmd" >> $DEST/debug/install.log 2>&1
|
||||
display_alert "Updated initramfs." "for details see: $DEST/debug/install.log" "ext"
|
||||
|
||||
umount_chroot "$SDCARD/"
|
||||
rm $SDCARD/usr/bin/$QEMU_BINARY
|
||||
|
||||
@ -553,7 +553,7 @@ create_image()
|
||||
[[ $BOOTSIZE != 0 ]] && umount -l $MOUNT/boot
|
||||
[[ $ROOTFS_TYPE != nfs ]] && umount -l $MOUNT
|
||||
[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER
|
||||
|
||||
|
||||
losetup -d $LOOP
|
||||
rm -rf --one-file-system $DESTIMG $MOUNT
|
||||
mkdir -p $DESTIMG
|
||||
@ -561,6 +561,7 @@ create_image()
|
||||
mv ${SDCARD}.raw $DESTIMG/${version}.img
|
||||
|
||||
if [[ $COMPRESS_OUTPUTIMAGE == yes && $BUILD_ALL != yes ]]; then
|
||||
[[ -f $DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME ]] && cp $DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME $DESTIMG/
|
||||
# compress image
|
||||
cd $DESTIMG
|
||||
sha256sum -b ${version}.img > sha256sum.sha
|
||||
@ -568,7 +569,7 @@ create_image()
|
||||
echo $GPG_PASS | gpg --passphrase-fd 0 --armor --detach-sign --pinentry-mode loopback --batch --yes ${version}.img
|
||||
fi
|
||||
display_alert "Compressing" "$DEST/images/${version}.img" "info"
|
||||
7za a -t7z -bd -m0=lzma2 -mx=3 -mfb=64 -md=32m -ms=on $DEST/images/${version}.7z ${version}.img armbian.txt *.asc sha256sum.sha >/dev/null 2>&1
|
||||
7za a -t7z -bd -m0=lzma2 -mx=3 -mfb=64 -md=32m -ms=on $DEST/images/${version}.7z ${version}.key ${version}.img armbian.txt *.asc sha256sum.sha >/dev/null 2>&1
|
||||
fi
|
||||
#
|
||||
if [[ $BUILD_ALL != yes ]]; then
|
||||
|
||||
@ -16,6 +16,16 @@ install_common()
|
||||
{
|
||||
display_alert "Applying common tweaks" "" "info"
|
||||
|
||||
# install rootfs encryption related packages separate to not break packages cache
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
display_alert "Installing rootfs encryption related packages" "cryptsetup" "info"
|
||||
chroot $SDCARD /bin/bash -c "apt -y -qq --no-install-recommends install cryptsetup" >> $DEST/debug/install.log 2>&1
|
||||
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
display_alert "Installing rootfs encryption related packages" "dropbear-initramfs" "info"
|
||||
chroot $SDCARD /bin/bash -c "apt -y -qq --no-install-recommends install dropbear-initramfs " >> $DEST/debug/install.log 2>&1
|
||||
fi
|
||||
|
||||
fi
|
||||
# define ARCH within global environment variables
|
||||
[[ -f $SDCARD/etc/environment ]] && echo "ARCH=${ARCH//hf}" >> $SDCARD/etc/environment
|
||||
|
||||
@ -23,14 +33,14 @@ install_common()
|
||||
echo "/dev/mmcblk0p1 / $ROOTFS_TYPE defaults 0 1" >> $SDCARD/etc/fstab
|
||||
# required for initramfs-tools-core on Stretch since it ignores the / fstab entry
|
||||
echo "/dev/mmcblk0p2 /usr $ROOTFS_TYPE defaults 0 2" >> $SDCARD/etc/fstab
|
||||
|
||||
|
||||
# adjust initramfs dropbear configuration
|
||||
# needs to be done before kernel installation, else it won't be in the initrd image
|
||||
if [[ $CRYPTROOT_ENABLE == yes && $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
# Set the port of the dropbear ssh deamon in the initramfs to a different one if configured
|
||||
# this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
|
||||
[[ -f $SDCARD/etc/dropbear-initramfs/config ]] && sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '$CRYPTROOT_SSH_UNLOCK_PORT'"/' $SDCARD/etc/dropbear-initramfs/config
|
||||
|
||||
|
||||
# setup dropbear authorized_keys, either provided by userpatches or generated
|
||||
if [[ -f $SRC/userpatches/dropbear_authorized_keys ]]; then
|
||||
cp $SRC/userpatches/dropbear_authorized_keys $SDCARD/etc/dropbear-initramfs/authorized_keys
|
||||
@ -38,12 +48,12 @@ install_common()
|
||||
# generate a default ssh key for login on dropbear in initramfs
|
||||
# this key should be changed by the user on first login
|
||||
display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" ""
|
||||
ssh-keygen -t ecdsa -f $SDCARD/etc/dropbear-initramfs/id_ecdsa -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD'
|
||||
|
||||
ssh-keygen -t ecdsa -f $SDCARD/etc/dropbear-initramfs/id_ecdsa -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' >> $DEST/debug/install.log 2>&1
|
||||
|
||||
# /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file
|
||||
# during mkinitramfs of update-initramfs
|
||||
#cat $SDCARD/etc/dropbear-initramfs/id_ecdsa.pub > $SDCARD/etc/dropbear-initramfs/authorized_keys
|
||||
|
||||
CRYPTROOT_SSH_UNLOCK_KEY_NAME="Armbian_${REVISION}_${BOARD^}_${DISTRIBUTION}_${RELEASE}_${BRANCH}_${VER/-$LINUXFAMILY/}".key
|
||||
# copy dropbear ssh key to image output dir for convenience
|
||||
cp $SDCARD/etc/dropbear-initramfs/id_ecdsa $DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME
|
||||
display_alert "SSH private key for dropbear (initramfs) has been copied to:" "$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user