authorGuilhem Moulin <guilhem@fripost.org>2013-10-09 22:24:09 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 04:27:30 +0200
commitf9cfa0de8a281328c4e834059b225e9a0f025c2a (patch)
treee2a4090932c08d40d76dbfebfd1bd7612ad04967
parent529eee61e485ad305ae78f4c54ee3377e0bd6b44 (diff)
Use a udeb to partition the disk.
-rw-r--r--fripost-install.template52
-rwxr-xr-xpartition.sh118
-rwxr-xr-xsshfprs.sh25
3 files changed, 118 insertions, 77 deletions
diff --git a/fripost-install.template b/fripost-install.template
deleted file mode 100644
index 6c10976..0000000
--- a/fripost-install.template
+++ /dev/null
@@ -1,52 +0,0 @@
-# Fripost's debconf configuration
-#
-# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# Licensed under the GNU GPL version 3 or higher.
-
-Template: fripost-install/full-disk-encryption
-Type: boolean
-Default: true
-Description: Should the system disk be fully encrypted? (Excluding /boot.)
-
-Template: fripost-install/full-disk-encryption-password
-Type: password
-Default:
-Description: Password for full-disk encryption.
-
-Template: fripost-install/full-disk-encryption-fill
-Type: select
-Default: zero
-Choices: none, zero, urandom, random
-Description: Which kind of data fill the disk with before encryption.
-
-Template: fripost-install/full-disk-encryption-fill_progress_title
-Type: text
-Description: Filling ${DISK} with ${SIZE} ${WHAT}
-
-Template: fripost-install/full-disk-encryption-fill_progress_info
-Type: text
-Description: ${COMMAND}
-
-Template: fripost-install/full-disk-encryption-slurpkey_title
-Type: note
-Description: Waiting for passphrase
-
-Template: fripost-install/full-disk-encryption-slurpkey_text
-Type: text
-Description: Press 'continue' once you have sent the key
- You now need to send the encryption key for LUKS/dm-crypt to
- this special-purpose SSH server:
- .
- ssh -T -p 22 -l root ${IPv4} < /path/to/key
- .
- To defeat MiTM-attacks, please ensure that the server fingerprint matches
- .
- ${SSHFPR_SERVER}
- .
- Key(s) that are granted access have the following fingerprint:
- .
- ${SSHFPR_AUTHORIZED}
- .
- Note: This server is ephemeral, and will be replaced with a full-blown
- one toward the end of the installation.
diff --git a/partition.sh b/partition.sh
new file mode 100755
index 0000000..1618aec
--- /dev/null
+++ b/partition.sh
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+set -ue
+
+. /lib/fripost-partman/base.sh
+
+dev=/dev/sda
+fripost_wipe $dev
+
+grain=$(( 256*32 ))
+offset=`cat /sys/block/${dev#/dev/}/alignment_offset`
+bs=`cat /sys/block/${dev#/dev/}/queue/physical_block_size`
+
+if [ $offset -eq 0 ]; then
+ offset=64
+else
+ offset=$(( $offset / $bs ))
+fi
+
+parted -sm $dev mklabel gpt
+# All offset2's must be multiple of 256*32 = 8192
+if [ -d /proc/efi ] || [ -d /sys/firmware/efi ]; then
+ offset2=$(( 256 * 1024**2 / $bs ))
+ offset2=$(( $offset2 - $offset2 % $grain ))
+ parted -a minimal -sm $dev mkpart uefi ${offset}s $(( $offset2 - 1 ))s
+ offset=$offset2
+ offset2=$(( $offset + 64 * 1024**2 / $bs ))
+ offset2=$(( $offset2 - $offset2 % $grain ))
+ parted -a minimal -sm $dev mkpart boot ${offset}s $(( $offset2 - 1))s
+ parted -sm $dev set 1 boot on
+else
+ offset2=$(( 64 * 1024**2 / $bs ))
+ parted -a minimal -sm $dev mkpart boot ${offset}s $(( $offset2 - 1))s
+fi
+offset=$offset2
+offset2=$(( `cat /sys/block/${dev#/dev/}/size` - 1 ))
+offset2=$(( $offset2 - $offset2 % $grain ))
+parted -a optimal -sm $dev mkpart system ${offset}s $(( $offset2 - 1))s
+system=${dev}$(parted -sm $dev p | grep -m 1 '^[1-9][0-9]*:.*:system:[^:]*;$' | sed 's/:.*//')
+parted -sm $dev align-check opt ${system#$dev}
+#parted -sm $dev set ${system#$dev} lvm on
+
+# Choose the key length and digest depending on the architecture
+# we're on; we use AES128 and SHA-256 on 32-bits platforms, and
+# AES256 and SHA-512 on 64-bits platforms.
+arch=$(uname -m)
+if [ x"$arch" = x"x86_64" ]; then
+ keysize=256
+ hash=sha512
+elif [ x"$arch" = x"i386" -o x"$arch" = x"i686" ]; then
+ keysize=128
+ hash=sha256
+fi
+# Note: XTS requires the key size to be doubled.
+fripost_encrypt $system system_crypt \
+ --align-payload $grain \
+ --cipher aes-xts-plain64 --key-size $(( $keysize * 2 )) --hash $hash \
+ --iter-time 5000 --use-random
+
+
+pvcreate -ff -y /dev/mapper/system_crypt
+vgcreate eilift /dev/mapper/system_crypt
+
+lvcreate -L 5G -n root eilift
+lvcreate -L 1G -n swap eilift
+lvcreate -l 100%FREE -n home eilift
+vgchange -ay eilift
+
+mkfs.ext2 /dev/sda1
+mkfs.ext4 /dev/eilift/root
+mkfs.ext4 /dev/eilift/home
+
+mkdir -p /target/proc
+mkdir -p /target/cdrom
+
+cat > /tmp/fstab <<EOF
+# /etc/fstab: static file system information.
+#
+# <file system> <mount point> <type> <options> <dump> <pass>
+proc /proc proc defaults 0 0
+# TODO: ^ is that needed?
+/dev/cdrom /cdrom iso9660,udf ro,user,noauto 0 0
+# TODO: ^ remove
+EOF
+mkdir -p /target/
+mount -t ext4 /dev/eilift/root /target/
+echo /dev/eilift/root / ext4 noatime,errors=remount-ro 0 1 >> /tmp/fstab
+mkdir -p /target/home
+mount -t ext4 /dev/eilift/home /target/home/
+echo /dev/eilift/home /home/ ext4 noatime 0 2 >> /tmp/fstab
+mkdir -p /target/boot
+mount -t ext2 /dev/sda1 /target/boot/
+echo /dev/sda1 /boot/ ext2 noatime 0 2 >> /tmp/fstab
+
+mkswap /dev/eilift/swap
+swapon /dev/eilift/swap
+echo "/dev/eilift/swap none swap sw 0 0" >> /tmp/fstab
+
+mkdir -p /target/etc
+cp /tmp/fstab /target/etc/fstab
+
+# functions:
+# parted
+# - aligned ([+]256MB)
+# cryptsetup ...
+# - set up SSH daemon
+# - /sbin/cryptsetup -q ... --key-file="$keyfile" luksFormat $system
+# - /sbin/cryptsetup -q --key-file="$keyfile" luksOpen $system system_crypt
+# pvcreate
+# vgcreate
+# vgchange
+# mkfs -t type [fs-options] device
+# mount -t vfstype [-o options] device dir
+# - create mountpoint
+# - add entry to fstab
+# - mount
+
+#+ logs!
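Review bot: In the EFI branch partition 1 is the `uefi` partition and `boot` is partition 2, but the later `mkfs.ext2 /dev/sda1`, `mount -t ext2 /dev/sda1 /target/boot/` and the matching fstab `echo` hard-code `/dev/sda1`, so on EFI machines the `uefi` partition would be formatted ext2 and mounted as /boot while the `boot` partition is never formatted. Resolve the boot partition from the `parted -sm $dev p` output the way `system` is resolved, e.g. `boot=${dev}$(parted -sm $dev p | grep -m 1 ':boot:[^:]*;$' | sed 's/:.*//')`, and use `$boot` in those three lines. Separately, the `uname -m` test has no `else`, so on any other architecture `keysize` and `hash` stay unset and `set -u` should abort at the `fripost_encrypt` call only after `fripost_wipe` and `mklabel` have already run. Doing the architecture check before the wipe and ending it with `else echo "unsupported architecture: $arch" >&2; exit 1` would make the script fail before the disk is touched.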
diff --git a/sshfprs.sh b/sshfprs.sh
deleted file mode 100755
index a0aaabe..0000000
--- a/sshfprs.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-# Like ssh-keygen -lf, but for a file such as authorized_keys, which
-# may contain multiple keys.
-#
-# Usage: sshfprs.sh file [prefix]
-#
-#
-# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# Licensed under the GNU GPL version 3 or higher.
-
-set -ue
-
-file="$1"
-prefix="${2:-}"
-
-while read pk; do
- # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
- # construct, so we save each pubkey in a temporary file
- pkf=$(mktemp)
- echo "$pk" > "$pkf"
- echo "${prefix}$(ssh-keygen -lf $pkf)"
- rm "$pkf"
-done < "$file"