diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-05-08 17:14:13 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 04:28:18 +0200 |
| commit | cdec2e76b4b1af00e10ce3bb72ee74e33d52083b (patch) | |
| tree | 34e49f062ea50d0428d56dfb93cc953fde940a6c | |
| parent | 61bb46a89b9f73055102b369451b6e64f63d45df (diff) | |
Make the encrypted installation work with Jessie.
| -rwxr-xr-x | include/partition.sh | 34 | ||||
| -rw-r--r-- | src/fripost-partman-udeb/base.sh | 14 | ||||
| -rwxr-xr-x | src/fripost-postinst-udeb/finish-install.d/07fripost | 15 |
3 files changed, 35 insertions, 28 deletions
diff --git a/include/partition.sh b/include/partition.sh index 35f259a..02695f5 100755 --- a/include/partition.sh +++ b/include/partition.sh @@ -91,9 +91,11 @@ part_swap= part_system= # Create boot and system partitions for d in $device; do - p=$( fripost_mkpart $d boot 64M ) - part_boot="${part_boot:+$part_boot }$p" - + if [ $encrypt = true ]; then + # Don't use a separate partition for /boot if the disk is unencrypted + p=$( fripost_mkpart $d boot 256M ) + part_boot="${part_boot:+$part_boot }$p" + fi p=$( fripost_mkpart $d swap 1G ) # FIXME part_swap="${part_swap:+$part_swap }$p" /sbin/parted -s $d align-check opt ${p#$d} \ @@ -111,10 +113,12 @@ done if [ ${raidLevel:-} ]; then [ -d /dev/md ] || mkdir /dev/md - devices="$part_boot" - part_boot=/dev/md/boot - fripost_mdadm_create "$part_boot" -f -R -l $raidLevel \ - ${raidNumActiveDevices:+-n $raidNumActiveDevices} $devices + if [ "${part_boot:-}" ]; then + devices="$part_boot" + part_boot=/dev/md/boot + fripost_mdadm_create "$part_boot" -f -R -l $raidLevel \ + ${raidNumActiveDevices:+-n $raidNumActiveDevices} $devices + fi devices="$part_swap" part_swap=/dev/md/swap @@ -156,10 +160,18 @@ if [ $encrypt = true ]; then hash=sha256 fi # Note: XTS requires the key size to be doubled. - fripost_encrypt $part_system system_crypt \ - --cipher aes-xts-plain64 --key-size $(( $keysize * 2 )) --hash $hash \ - --iter-time 5000 --use-random - part_system=/dev/mapper/system_crypt + fripost_encrypt $part_system luksRoot \ + --cipher=aes-xts-plain64 --key-size=$(( $keysize * 2 )) --hash=$hash \ + --iter-time=5000 --use-random + part_system=/dev/mapper/luksRoot + + /lib/cryptsetup/scripts/decrypt_derived luksRoot \ + | cryptsetup luksFormat $part_swap --cipher=aes-xts-plain64 --hash=$hash --key-file=- + /lib/cryptsetup/scripts/decrypt_derived luksRoot \ + | cryptsetup luksOpen $part_swap luksSwap --key-file=- + + fripost_crypttab_addentry luksSwap "$part_swap" luksRoot luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived + part_swap=/dev/mapper/luksSwap fi diff --git a/src/fripost-partman-udeb/base.sh b/src/fripost-partman-udeb/base.sh index 23fcdeb..0155569 100644 --- a/src/fripost-partman-udeb/base.sh +++ b/src/fripost-partman-udeb/base.sh @@ -364,16 +364,14 @@ fripost_encrypt() { rm -f "$keyfile" # We are on a ramdisk, so it's good enough to unlink(2) # Add an entry to the crypttab - printf "%-15s %-41s %-15s %s\n" \ - "$name" UUID=$(/bin/block-attr --uuid "$device") none luks \ - >> /tmp/crypttab + fripost_crypttab_addentry "$name" "$device" none luks local m _ [ -d /var/lib/fripost ] || mkdir /var/lib/fripost # The modules required to fire up dropbear and start cryptsetup in the ramdisk. - echo dm_crypt > /tmp/initramfs-modules + echo dm_crypt >> /var/lib/fripost/initrd-modules while read m _; do /sbin/modinfo -F filename "$m"; done < /proc/modules \ - | sed -nr "s@^/lib/modules/`uname -r`/kernel/((arch/[^/]+/)?crypto|drivers/(ata|scsi))(/.*)?/([^/]+)\.ko\$@\5@p" \ + | sed -nr "s@^/lib/modules/`uname -r`/kernel/((arch/[^/]+/)?crypto|drivers/(ata|scsi|net))(/.*)?/([^/]+)\.ko\$@\5@p" \ >> /var/lib/fripost/initrd-modules /bin/apt-install busybox cryptsetup || true @@ -381,6 +379,12 @@ fripost_encrypt() { } +fripost_crypttab_addentry() { + local name="$1" uuid=$(/bin/block-attr --uuid "$2") keyfile="$3" options="$4" + printf "%-15s %-41s %-15s %s\n" "$name" "UUID=$uuid" "$keyfile" "$options" >>/tmp/crypttab +} + + # Like ssh-keygen -lf, but for a file such as authorized_keys, which # may contain multiple keys. Also, use the comment associated with the # key rather than the filename. diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost index e583d5a..90df7b8 100755 --- a/src/fripost-postinst-udeb/finish-install.d/07fripost +++ b/src/fripost-postinst-udeb/finish-install.d/07fripost @@ -109,19 +109,10 @@ if [ "$encrypt" = true ]; then port=$(/target/usr/bin/od -An -N2 -i /dev/urandom) port=$(( $port % ($max + 1 - $min) + $min )) fi - # See dropbear(8) for the list of options. Failure to read a keyfile - # makes dropbear disable the corresponding algorithm (including - # key-based authentication), in our case DSS/DSA. - # XXX This is a dirty fix for bug #614981 + + # See dropbear(8) for the list of options. log "Changing dropbear's options; port $port" - sed -i "s@^\s*/sbin/dropbear\$@& -d '' -sgjk -p $port@" \ - /target/usr/share/initramfs-tools/scripts/init-premount/dropbear - - # Sadly /usr/lib/finish-install.d/10update-initramfs only updates - # the ramdisk if both cryptsetup *and* console-setup are installed. - # (Cf. #694156 and #696773.) So we perform the update manually here. - progress "Generating new initramfs image" - /bin/in-target /usr/sbin/update-initramfs -u -t + echo "PKGOPTION_dropbear_OPTION=\"-sgjk -p $port\"" >>/target/etc/initramfs-tools/initramfs.conf fi |