From f9cfa0de8a281328c4e834059b225e9a0f025c2a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 9 Oct 2013 22:24:09 +0200
Subject: Use a udeb to partition the disk.
---
fripost-install.template | 52 ---------------------
partition.sh | 118 +++++++++++++++++++++++++++++++++++++++++++++++
sshfprs.sh | 25 ----------
3 files changed, 118 insertions(+), 77 deletions(-)
delete mode 100644 fripost-install.template
create mode 100755 partition.sh
delete mode 100755 sshfprs.sh
diff --git a/fripost-install.template b/fripost-install.template
deleted file mode 100644
index 6c10976..0000000
--- a/fripost-install.template
+++ /dev/null
@@ -1,52 +0,0 @@
-# Fripost's debconf configuration
-#
-# Copyright 2013 Guilhem Moulin
-#
-# Licensed under the GNU GPL version 3 or higher.
-
-Template: fripost-install/full-disk-encryption
-Type: boolean
-Default: true
-Description: Should the system disk be fully encrypted? (Excluding /boot.)
-
-Template: fripost-install/full-disk-encryption-password
-Type: password
-Default:
-Description: Password for full-disk encryption.
-
-Template: fripost-install/full-disk-encryption-fill
-Type: select
-Default: zero
-Choices: none, zero, urandom, random
-Description: Which kind of data fill the disk with before encryption.
-
-Template: fripost-install/full-disk-encryption-fill_progress_title
-Type: text
-Description: Filling ${DISK} with ${SIZE} ${WHAT}
-
-Template: fripost-install/full-disk-encryption-fill_progress_info
-Type: text
-Description: ${COMMAND}
-
-Template: fripost-install/full-disk-encryption-slurpkey_title
-Type: note
-Description: Waiting for passphrase
-
-Template: fripost-install/full-disk-encryption-slurpkey_text
-Type: text
-Description: Press 'continue' once you have sent the key
- You now need to send the encryption key for LUKS/dm-crypt to
- this special-purpose SSH server:
- .
- ssh -T -p 22 -l root ${IPv4} < /path/to/key
- .
- To defeat MiTM-attacks, please ensure that the server fingerprint matches
- .
- ${SSHFPR_SERVER}
- .
- Key(s) that are granted access have the following fingerprint:
- .
- ${SSHFPR_AUTHORIZED}
- .
- Note: This server is ephemeral, and will be replaced with a full-blown
- one toward the end of the installation.
diff --git a/partition.sh b/partition.sh
new file mode 100755
index 0000000..1618aec
--- /dev/null
+++ b/partition.sh
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+set -ue
+
+. /lib/fripost-partman/base.sh
+
+dev=/dev/sda
+fripost_wipe $dev
+
+grain=$(( 256*32 ))
+offset=`cat /sys/block/${dev#/dev/}/alignment_offset`
+bs=`cat /sys/block/${dev#/dev/}/queue/physical_block_size`
+
+if [ $offset -eq 0 ]; then
+ offset=64
+else
+ offset=$(( $offset / $bs ))
+fi
+
+parted -sm $dev mklabel gpt
+# All offset2's must be multiple of 256*32 = 8192
+if [ -d /proc/efi ] || [ -d /sys/firmware/efi ]; then
+ offset2=$(( 256 * 1024**2 / $bs ))
+ offset2=$(( $offset2 - $offset2 % $grain ))
+ parted -a minimal -sm $dev mkpart uefi ${offset}s $(( $offset2 - 1 ))s
+ offset=$offset2
+ offset2=$(( $offset + 64 * 1024**2 / $bs ))
+ offset2=$(( $offset2 - $offset2 % $grain ))
+ parted -a minimal -sm $dev mkpart boot ${offset}s $(( $offset2 - 1))s
+ parted -sm $dev set 1 boot on
+else
+ offset2=$(( 64 * 1024**2 / $bs ))
+ parted -a minimal -sm $dev mkpart boot ${offset}s $(( $offset2 - 1))s
+fi
+offset=$offset2
+offset2=$(( `cat /sys/block/${dev#/dev/}/size` - 1 ))
+offset2=$(( $offset2 - $offset2 % $grain ))
+parted -a optimal -sm $dev mkpart system ${offset}s $(( $offset2 - 1))s
+system=${dev}$(parted -sm $dev p | grep -m 1 '^[1-9][0-9]*:.*:system:[^:]*;$' | sed 's/:.*//')
+parted -sm $dev align-check opt ${system#$dev}
+#parted -sm $dev set ${system#$dev} lvm on
+
+# Choose the key length and digest depending on the architecture
+# we're on; we use AES128 and SHA-256 on 32-bits platforms, and
+# AES256 and SHA-512 on 64-bits platforms.
+arch=$(uname -m)
+if [ x"$arch" = x"x86_64" ]; then
+ keysize=256
+ hash=sha512
+elif [ x"$arch" = x"i386" -o x"$arch" = x"i686" ]; then
+ keysize=128
+ hash=sha256
+fi
+# Note: XTS requires the key size to be doubled.
+fripost_encrypt $system system_crypt \
+ --align-payload $grain \
+ --cipher aes-xts-plain64 --key-size $(( $keysize * 2 )) --hash $hash \
+ --iter-time 5000 --use-random
+
+
+pvcreate -ff -y /dev/mapper/system_crypt
+vgcreate eilift /dev/mapper/system_crypt
+
+lvcreate -L 5G -n root eilift
+lvcreate -L 1G -n swap eilift
+lvcreate -l 100%FREE -n home eilift
+vgchange -ay eilift
+
+mkfs.ext2 /dev/sda1
+mkfs.ext4 /dev/eilift/root
+mkfs.ext4 /dev/eilift/home
+
+mkdir -p /target/proc
+mkdir -p /target/cdrom
+
+cat > /tmp/fstab <
+proc /proc proc defaults 0 0
+# TODO: ^ is that needed?
+/dev/cdrom /cdrom iso9660,udf ro,user,noauto 0 0
+# TODO: ^ remove
+EOF
+mkdir -p /target/
+mount -t ext4 /dev/eilift/root /target/
+echo /dev/eilift/root / ext4 noatime,errors=remount-ro 0 1 >> /tmp/fstab
+mkdir -p /target/home
+mount -t ext4 /dev/eilift/home /target/home/
+echo /dev/eilift/home /home/ ext4 noatime 0 2 >> /tmp/fstab
+mkdir -p /target/boot
+mount -t ext2 /dev/sda1 /target/boot/
+echo /dev/sda1 /boot/ ext2 noatime 0 2 >> /tmp/fstab
+
+mkswap /dev/eilift/swap
+swapon /dev/eilift/swap
+echo "/dev/eilift/swap none swap sw 0 0" >> /tmp/fstab
+
+mkdir -p /target/etc
+cp /tmp/fstab /target/etc/fstab
+
+# functions:
+# parted
+# - aligned ([+]256MB)
+# cryptsetup ...
+# - set up SSH daemon
+# - /sbin/cryptsetup -q ... --key-file="$keyfile" luksFormat $system
+# - /sbin/cryptsetup -q --key-file="$keyfile" luksOpen $system system_crypt
+# pvcreate
+# vgcreate
+# vgchange
+# mkfs -t type [fs-options] device
+# mount -t vfstype [-o options] device dir
+# - create mountpoint
+# - add entry to fstab
+# - mount
+
+#+ logs!
diff --git a/sshfprs.sh b/sshfprs.sh
deleted file mode 100755
index a0aaabe..0000000
--- a/sshfprs.sh
+++ /dev/null
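Review bot: The `if`/`elif` on `$arch` in partition.sh has no `else`, so on any machine where `uname -m` is not `x86_64`, `i386` or `i686` both `keysize` and `hash` stay unset, and under `set -u` the script only aborts at the `fripost_encrypt` call, after `fripost_wipe` and the `parted` calls have already run against the disk. Add an explicit branch such as `else echo "unsupported architecture: $arch" >&2; exit 1` and move the whole selection above `fripost_wipe $dev`, so the cipher parameters are known before anything destructive happens. Separately, in the EFI branch partition 1 is `uefi` and `boot` is partition 2, yet `mkfs.ext2 /dev/sda1` and the `/boot` mount are hard-coded to partition 1; looking the boot partition up by name, the way `system` is resolved, would avoid formatting the ESP as ext2 and leaving the real boot partition unused.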
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-# Like ssh-keygen -lf, but for a file such as authorized_keys, which
-# may contain multiple keys.
-#
-# Usage: sshfprs.sh file [prefix]
-#
-#
-# Copyright 2013 Guilhem Moulin
-#
-# Licensed under the GNU GPL version 3 or higher.
-
-set -ue
-
-file="$1"
-prefix="${2:-}"
-
-while read pk; do
- # ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
- # construct, so we save each pubkey in a temporary file
- pkf=$(mktemp)
- echo "$pk" > "$pkf"
- echo "${prefix}$(ssh-keygen -lf $pkf)"
- rm "$pkf"
-done < "$file"
--
cgit v1.2.3