Fix caching of cryptroot packages. Also moved the crypt code to extension
This commit is contained in:
Gunjan Gupta
parent
400da79efd
commit
909fa47b7e
@ -5,4 +5,49 @@
|
||||
function add_host_dependencies__add_cryptroot_tooling() {
|
||||
display_alert "Adding cryptroot to host dependencies" "cryptsetup LUKS" "debug"
|
||||
EXTRA_BUILD_DEPS="${EXTRA_BUILD_DEPS} cryptsetup openssh-client" # @TODO: convert to array later
|
||||
|
||||
display_alert "Adding rootfs encryption related packages" "cryptsetup cryptsetup-initramfs" "info"
|
||||
add_packages_to_rootfs cryptsetup cryptsetup-initramfs
|
||||
|
||||
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
display_alert "Adding rootfs encryption related packages" "dropbear-initramfs" "info"
|
||||
add_packages_to_rootfs dropbear-initramfs
|
||||
fi
|
||||
}
|
||||
|
||||
function pre_install_kernel_debs__adjust_dropbear_configuration() {
|
||||
# Adjust initramfs dropbear configuration
|
||||
# Needs to be done before kernel installation, else it won't be in the initrd image
|
||||
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
# Set the port of the dropbear ssh daemon in the initramfs to a different one if configured
|
||||
# this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
|
||||
[[ -f "${SDCARD}"/etc/dropbear-initramfs/config ]] &&
|
||||
sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '"${CRYPTROOT_SSH_UNLOCK_PORT}"'"/' \
|
||||
"${SDCARD}"/etc/dropbear-initramfs/config
|
||||
|
||||
# setup dropbear authorized_keys, either provided by userpatches or generated
|
||||
if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then
|
||||
cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${SDCARD}"/etc/dropbear-initramfs/authorized_keys
|
||||
else
|
||||
# generate a default ssh key for login on dropbear in initramfs
|
||||
# this key should be changed by the user on first login
|
||||
display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" ""
|
||||
|
||||
# Make sure that the relevant directory exists
|
||||
[[ -d "${SDCARD}"/etc/dropbear-initramfs ]] || mkdir "${SDCARD}"/etc/dropbear-initramfs
|
||||
|
||||
# Generate the SSH keys
|
||||
ssh-keygen -t ecdsa -f "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa \
|
||||
-N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1
|
||||
|
||||
# /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file
|
||||
# during mkinitramfs of update-initramfs
|
||||
#cat "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys
|
||||
CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key
|
||||
# copy dropbear ssh key to image output dir for convenience
|
||||
cp "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}"
|
||||
display_alert "SSH private key for dropbear (initramfs) has been copied to:" \
|
||||
"$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
@ -10,18 +10,6 @@
|
||||
function install_distribution_agnostic() {
|
||||
display_alert "Installing distro-agnostic part of rootfs" "install_distribution_agnostic" "debug"
|
||||
|
||||
# install rootfs encryption related packages separate to not break packages cache
|
||||
# @TODO: terrible, this does not use apt-cacher, extract to extension and fix
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
display_alert "Installing rootfs encryption related packages" "cryptsetup" "info"
|
||||
chroot_sdcard_apt_get_install cryptsetup
|
||||
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
display_alert "Installing rootfs encryption related packages" "dropbear-initramfs" "info"
|
||||
chroot_sdcard_apt_get_install dropbear-initramfs cryptsetup-initramfs
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
# Bail if $ROOTFS_TYPE not set
|
||||
[[ -z $ROOTFS_TYPE ]] && exit_with_error "ROOTFS_TYPE not set" "install_distribution_agnostic"
|
||||
|
||||
@ -30,42 +18,6 @@ function install_distribution_agnostic() {
|
||||
# required for initramfs-tools-core on Stretch since it ignores the / fstab entry
|
||||
echo "/dev/mmcblk0p2 /usr $ROOTFS_TYPE defaults 0 2" >> "${SDCARD}"/etc/fstab
|
||||
|
||||
# @TODO: refacctor this into cryptroot extension
|
||||
# adjust initramfs dropbear configuration
|
||||
# needs to be done before kernel installation, else it won't be in the initrd image
|
||||
if [[ $CRYPTROOT_ENABLE == yes && $CRYPTROOT_SSH_UNLOCK == yes ]]; then
|
||||
# Set the port of the dropbear ssh daemon in the initramfs to a different one if configured
|
||||
# this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
|
||||
[[ -f "${SDCARD}"/etc/dropbear-initramfs/config ]] &&
|
||||
sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '"${CRYPTROOT_SSH_UNLOCK_PORT}"'"/' \
|
||||
"${SDCARD}"/etc/dropbear-initramfs/config
|
||||
|
||||
# setup dropbear authorized_keys, either provided by userpatches or generated
|
||||
if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then
|
||||
cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${SDCARD}"/etc/dropbear-initramfs/authorized_keys
|
||||
else
|
||||
# generate a default ssh key for login on dropbear in initramfs
|
||||
# this key should be changed by the user on first login
|
||||
display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" ""
|
||||
|
||||
# Make sure that the relevant directory exists
|
||||
[[ -d "${SDCARD}"/etc/dropbear-initramfs ]] || mkdir "${SDCARD}"/etc/dropbear-initramfs
|
||||
|
||||
# Generate the SSH keys
|
||||
ssh-keygen -t ecdsa -f "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa \
|
||||
-N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1
|
||||
|
||||
# /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file
|
||||
# during mkinitramfs of update-initramfs
|
||||
#cat "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys
|
||||
CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key
|
||||
# copy dropbear ssh key to image output dir for convenience
|
||||
cp "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}"
|
||||
display_alert "SSH private key for dropbear (initramfs) has been copied to:" \
|
||||
"$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info"
|
||||
fi
|
||||
fi
|
||||
|
||||
# create modules file
|
||||
local modules=MODULES_${BRANCH^^}
|
||||
if [[ -n "${!modules}" ]]; then
|
||||
|
||||
Loading…
Reference in New Issue
Block a user