From 459a6f58952055824ec4f8dbde8416d2b08cd880 Mon Sep 17 00:00:00 2001
From: Igor Pecovnik
Date: Fri, 31 Aug 2018 22:17:35 +0200
Subject: [PATCH] A few adjustements to recent crypto root implementation

https://github.com/armbian/build/pull/1069 from @zciendor
---
lib/configuration.sh | 12 +++---------
lib/debootstrap-ng.sh | 21 +++++++++++----------
lib/distributions.sh | 20 +++++++++++++++-----
3 files changed, 29 insertions(+), 24 deletions(-)

diff --git a/lib/configuration.sh b/lib/configuration.sh
index 4e391f84df..99eb62b3b3 100644
--- a/lib/configuration.sh
+++ b/lib/configuration.sh
@@ -65,7 +65,6 @@ SERIALCON=ttyS0
 CAN_BUILD_STRETCH=yes
 [[ -z $CRYPTROOT_SSH_UNLOCK ]] && CRYPTROOT_SSH_UNLOCK=yes
 [[ -z $CRYPTROOT_SSH_UNLOCK_PORT ]] && CRYPTROOT_SSH_UNLOCK_PORT=2022
-CRYPTROOT_SSH_UNLOCK_KEY_NAME=id_ecdsa_cryptroot-unlock
 
 # single ext4 partition is the default and preferred configuration
 #BOOTFS_TYPE=''
@@ -85,6 +84,9 @@ if [[ -f $SRC/userpatches/sources/$LINUXFAMILY.conf ]]; then
 source $SRC/userpatches/sources/$LINUXFAMILY.conf
 fi
 
+# dropbear needs to be configured differently
+[[ $CRYPTROOT_ENABLE == yes && ($RELEASE == jessie || $RELEASE == xenial) ]] && exit_with_error "Encrypted rootfs is not supported in Jessie or Xenial"
+
 [[ $RELEASE == stretch && $CAN_BUILD_STRETCH != yes ]] && exit_with_error "Building Debian Stretch images with selected kernel is not supported"
 [[ $RELEASE == bionic && $CAN_BUILD_STRETCH != yes ]] && exit_with_error "Building Ubuntu Bionic images with selected kernel is not supported"
 [[ $RELEASE == bionic && $(lsb_release -sc) == xenial ]] && exit_with_error "Building Ubuntu Bionic images requires a Bionic build host. Please upgrade your host or select a different target OS"
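Review bot: The new guard in the @@ -85 hunk validates the release but not the other input the encrypted-rootfs path depends on: prepare_partitions in lib/debootstrap-ng.sh pipes `$CRYPTROOT_PASSPHRASE` unquoted into `cryptsetup luksFormat`, so a CRYPTROOT_ENABLE=yes build with the passphrase unset or empty runs all the way into partitioning before anything fails. Since this file already exits early for unsupported combinations, an adjacent check fails fast and with a clear message: `[[ $CRYPTROOT_ENABLE == yes && -z $CRYPTROOT_PASSPHRASE ]] && exit_with_error "CRYPTROOT_PASSPHRASE must be set when CRYPTROOT_ENABLE=yes"`. The comment `# dropbear needs to be configured differently` does not say what differs on Jessie/Xenial; a one-line comment naming the dropbear-initramfs difference that blocks support would spare the next maintainer from re-deriving why these two releases are refused.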
@@ -153,14 +155,6 @@ PACKAGE_LIST_DESKTOP="xserver-xorg xserver-xorg-video-fbdev gvfs-backends gvfs-f
 PACKAGE_LIST_DESKTOP_RECOMMENDS="mirage galculator hexchat xfce4-screenshooter network-manager-openvpn-gnome mpv fbi cups-pk-helper \
 cups geany atril xarchiver leafpad"
 
-# rootfs encryption related packages
-if [[ $CRYPTROOT_ENABLE == yes ]]; then
-PACKAGE_LIST="$PACKAGE_LIST cryptsetup"
-if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
-PACKAGE_LIST="$PACKAGE_LIST dropbear-initramfs"
-fi
-fi
-
 case $DISPLAY_MANAGER in
 nodm)
 PACKAGE_LIST_DISPLAY_MANAGER="nodm"
diff --git a/lib/debootstrap-ng.sh b/lib/debootstrap-ng.sh
index 7905c21439..3f14f89e7b 100644
--- a/lib/debootstrap-ng.sh
+++ b/lib/debootstrap-ng.sh
@@ -416,7 +416,7 @@ prepare_partitions()
 rm -f $SDCARD/etc/fstab
 if [[ -n $rootpart ]]; then
 local rootdevice="${LOOP}p${rootpart}"
-
+
 if [[ $CRYPTROOT_ENABLE == yes ]]; then
 display_alert "Encrypting root partition with LUKS..." "cryptsetup luksFormat $rootdevice" ""
 echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $rootdevice -
@@ -425,7 +425,7 @@ prepare_partitions()
 # TODO: pass /dev/mapper to Docker
 rootdevice=/dev/mapper/$ROOT_MAPPER # used by `mkfs` and `mount` commands
 fi
-
+
 check_loop_device "$rootdevice"
 display_alert "Creating rootfs" "$ROOTFS_TYPE on $rootdevice"
 mkfs.${mkfs[$ROOTFS_TYPE]} ${mkopts[$ROOTFS_TYPE]} $rootdevice
@@ -488,7 +488,7 @@ prepare_partitions()
 # update_initramfs
 #
 # this should be invoked as late as possible for any modifications by
-# customize_image (userpatches) and prepare_partitions to be reflected in the
+# customize_image (userpatches) and prepare_partitions to be reflected in the
 # final initramfs
 #
 # especially, this needs to be invoked after /etc/crypttab has been created
@@ -496,15 +496,15 @@ prepare_partitions()
 # https://serverfault.com/questions/907254/cryproot-unlock-with-dropbear-timeout-while-waiting-for-askpass
 #
 update_initramfs()
 {
-
+
 update_initramfs_cmd="update-initramfs -uv -k ${VER}-${LINUXFAMILY}"
 display_alert "Updating initramfs..." "$update_initramfs_cmd" ""
 cp /usr/bin/$QEMU_BINARY $SDCARD/usr/bin/
 mount_chroot "$SDCARD/"
-
-chroot $SDCARD /bin/bash -c "$update_initramfs_cmd" >> $DEST/debug/debootstrap.log
-display_alert "Updated initramfs." "for details see: $DEST/debug/debootstrap.log" "ext"
-
+
+chroot $SDCARD /bin/bash -c "$update_initramfs_cmd" >> $DEST/debug/install.log 2>&1
+display_alert "Updated initramfs." "for details see: $DEST/debug/install.log" "ext"
+
 umount_chroot "$SDCARD/"
 rm $SDCARD/usr/bin/$QEMU_BINARY
@@ -553,7 +553,7 @@ create_image()
 [[ $BOOTSIZE != 0 ]] && umount -l $MOUNT/boot
 [[ $ROOTFS_TYPE != nfs ]] && umount -l $MOUNT
 [[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER
-
+
 losetup -d $LOOP
 rm -rf --one-file-system $DESTIMG $MOUNT
 mkdir -p $DESTIMG
@@ -561,6 +561,7 @@ create_image()
 mv ${SDCARD}.raw $DESTIMG/${version}.img
 
 if [[ $COMPRESS_OUTPUTIMAGE == yes && $BUILD_ALL != yes ]]; then
+[[ -f $DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME ]] && cp $DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME $DESTIMG/
 # compress image
 cd $DESTIMG
 sha256sum -b ${version}.img > sha256sum.sha
@@ -568,7 +569,7 @@ create_image()
 echo $GPG_PASS | gpg --passphrase-fd 0 --armor --detach-sign --pinentry-mode loopback --batch --yes ${version}.img
 fi
 display_alert "Compressing" "$DEST/images/${version}.img" "info"
-7za a -t7z -bd -m0=lzma2 -mx=3 -mfb=64 -md=32m -ms=on $DEST/images/${version}.7z ${version}.img armbian.txt *.asc sha256sum.sha >/dev/null 2>&1
+7za a -t7z -bd -m0=lzma2 -mx=3 -mfb=64 -md=32m -ms=on $DEST/images/${version}.7z ${version}.key ${version}.img armbian.txt *.asc sha256sum.sha >/dev/null 2>&1
 fi
 
 # if [[ $BUILD_ALL != yes ]]; then
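Review bot: In the @@ -496 hunk the exit status of `chroot $SDCARD /bin/bash -c "$update_initramfs_cmd"` is still unchecked, and with stderr now folded into install.log a failed update-initramfs run no longer appears on the console at all; for an encrypted root the initrd is what carries cryptsetup and dropbear, so the build would finish with an image that cannot unlock its own rootfs. Make the failure fatal and point at the log: `chroot $SDCARD /bin/bash -c "$update_initramfs_cmd" >> $DEST/debug/install.log 2>&1 || exit_with_error "update-initramfs failed, see $DEST/debug/install.log"`, the same pattern lib/configuration.sh uses for its release checks. Whether exit_with_error unmounts the chroot is not visible here; umount_chroot runs two lines later, so the error path may need that cleanup too. The hunk also covers the function header of update_initramfs, but its body continues past the hunk.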
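Review bot: The @@ -568 hunk archives the key as `${version}.key`, while the @@ -561 hunk and lib/distributions.sh name it `$CRYPTROOT_SSH_UNLOCK_KEY_NAME`; the two only coincide if `$version` is assembled from exactly the same components, which this diff does not show, and when CRYPTROOT_ENABLE is not yes no .key file exists, so 7za is handed a missing input whose warning vanishes into `>/dev/null 2>&1`. Use one name in both places and add it only when the copy happened, e.g. after `cd $DESTIMG`: `local keyfile=(); [[ -f $CRYPTROOT_SSH_UNLOCK_KEY_NAME ]] && keyfile=("$CRYPTROOT_SSH_UNLOCK_KEY_NAME")` and then `... $DEST/images/${version}.7z "${keyfile[@]}" ${version}.img armbian.txt *.asc sha256sum.sha`. Since this ships a private SSH key in the same archive as the image it logs into, a comment at the cp line such as `# the .key only grants the initramfs dropbear login; the LUKS passphrase is still required to unlock` would stop readers from mistaking it for the disk key. create_image continues outside both hunks.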
diff --git a/lib/distributions.sh b/lib/distributions.sh
index d260bbf0ca..91951f103f 100644
--- a/lib/distributions.sh
+++ b/lib/distributions.sh
@@ -16,6 +16,16 @@ install_common()
 {
 display_alert "Applying common tweaks" "" "info"
 
+# install rootfs encryption related packages separate to not break packages cache
+if [[ $CRYPTROOT_ENABLE == yes ]]; then
+display_alert "Installing rootfs encryption related packages" "cryptsetup" "info"
+chroot $SDCARD /bin/bash -c "apt -y -qq --no-install-recommends install cryptsetup" >> $DEST/debug/install.log 2>&1
+if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
+display_alert "Installing rootfs encryption related packages" "dropbear-initramfs" "info"
+chroot $SDCARD /bin/bash -c "apt -y -qq --no-install-recommends install dropbear-initramfs " >> $DEST/debug/install.log 2>&1
+fi
+
+fi
 # define ARCH within global environment variables
 [[ -f $SDCARD/etc/environment ]] && echo "ARCH=${ARCH//hf}" >> $SDCARD/etc/environment
 
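Review bot: Neither `chroot $SDCARD /bin/bash -c "apt -y -qq --no-install-recommends install cryptsetup"` nor the dropbear-initramfs line checks its exit status, and both send stdout and stderr to install.log, so a failed install (no network, package missing in the target suite) is silent and the build goes on to luksFormat a root that the image has no tools to open. Append `|| exit_with_error "Installation of cryptsetup failed, see $DEST/debug/install.log"` to the first and the matching message to the second; exit_with_error is the pattern lib/configuration.sh already uses. Two nits: the trailing space inside `"... install dropbear-initramfs "` and the blank line before the outer `fi` look accidental, and `apt` prints a CLI-stability warning when scripted on some releases, so `apt-get` is the safer spelling if that is what the rest of this file uses (not visible here). install_common continues outside the hunk.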
@@ -23,14 +33,14 @@ install_common()
 echo "/dev/mmcblk0p1 / $ROOTFS_TYPE defaults 0 1" >> $SDCARD/etc/fstab
 # required for initramfs-tools-core on Stretch since it ignores the / fstab entry
 echo "/dev/mmcblk0p2 /usr $ROOTFS_TYPE defaults 0 2" >> $SDCARD/etc/fstab
-
+
 # adjust initramfs dropbear configuration
 # needs to be done before kernel installation, else it won't be in the initrd image
 if [[ $CRYPTROOT_ENABLE == yes && $CRYPTROOT_SSH_UNLOCK == yes ]]; then
 # Set the port of the dropbear ssh deamon in the initramfs to a different one if configured
 # this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
 [[ -f $SDCARD/etc/dropbear-initramfs/config ]] && sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '$CRYPTROOT_SSH_UNLOCK_PORT'"/' $SDCARD/etc/dropbear-initramfs/config
-
+
 # setup dropbear authorized_keys, either provided by userpatches or generated
 if [[ -f $SRC/userpatches/dropbear_authorized_keys ]]; then
 cp $SRC/userpatches/dropbear_authorized_keys $SDCARD/etc/dropbear-initramfs/authorized_keys
@@ -38,12 +48,12 @@ install_common()
 # generate a default ssh key for login on dropbear in initramfs
 # this key should be changed by the user on first login
 display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" ""
-ssh-keygen -t ecdsa -f $SDCARD/etc/dropbear-initramfs/id_ecdsa -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD'
-
+ssh-keygen -t ecdsa -f $SDCARD/etc/dropbear-initramfs/id_ecdsa -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' >> $DEST/debug/install.log 2>&1
+
 # /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file
 # during mkinitramfs of update-initramfs
 #cat $SDCARD/etc/dropbear-initramfs/id_ecdsa.pub > $SDCARD/etc/dropbear-initramfs/authorized_keys
-
+CRYPTROOT_SSH_UNLOCK_KEY_NAME="Armbian_${REVISION}_${BOARD^}_${DISTRIBUTION}_${RELEASE}_${BRANCH}_${VER/-$LINUXFAMILY/}".key
 # copy dropbear ssh key to image output dir for convenience
 cp $SDCARD/etc/dropbear-initramfs/id_ecdsa $DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME
 display_alert "SSH private key for dropbear (initramfs) has been copied to:" "$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info"
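Review bot: The rewritten ssh-keygen line now hides its output in install.log but still ignores its exit status, so a failed key generation only surfaces when the `cp` two lines later cannot find id_ecdsa, far from the cause; `ssh-keygen -t ecdsa ... -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' >> $DEST/debug/install.log 2>&1 || exit_with_error "Generating the dropbear SSH key failed, see $DEST/debug/install.log"` keeps it visible. `-O force-command=cryptroot-unlock` is documented for certificate signing (`-s`) rather than plain key generation, so unless this ssh-keygen version honours it here the restriction never reaches the authorized_keys entry the dropbear hook builds from id_ecdsa.pub; the comment `# /usr/share/initramfs-tools/hooks/dropbear will automatically add ...` could add that a `command="cryptroot-unlock"` restriction, if wanted, has to be written into authorized_keys itself. Assigning CRYPTROOT_SSH_UNLOCK_KEY_NAME unconditionally here drops the `[[ -z ... ]] &&` default pattern lib/configuration.sh uses for the other CRYPTROOT_* variables, so a userpatches override is silently replaced; if that is intended, say so in the comment above it. install_common continues outside the hunk.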