path: root/partition.sh
blob: 1618aecaf898c79ed5c481bb7a2a928b47084773 (plain)
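#!/bin/sh

# partition.sh — partition, encrypt and format the target disk.
#
# Lays out a GPT label on $dev with an optional EFI system partition
# (when booted under UEFI), a small /boot partition and a "system"
# partition that is LUKS-encrypted (fripost_encrypt) and then used as the
# single physical volume of the LVM volume group $vg (root, swap, home).
# The filesystems are mounted under /target and an fstab is staged and
# copied to /target/etc/fstab.
#
# Requires: /lib/fripost-partman/base.sh (fripost_wipe, fripost_encrypt),
#           parted, cryptsetup, LVM2, e2fsprogs, sysfs mounted on /sys.
# Everything on $dev is destroyed.

set -ue

. /lib/fripost-partman/base.sh

dev=/dev/sda
vg=eilift
fripost_wipe "$dev"

# Partition ends are rounded down to a multiple of $grain sectors
# (256*32 = 8192); the LUKS payload is aligned to the same value below.
grain=$(( 256*32 ))
# 1024**2, spelled out because '**' is not POSIX sh arithmetic.
mib=1048576
blk=/sys/block/${dev#/dev/}
offset=$(cat "$blk/alignment_offset")
bs=$(cat "$blk/queue/physical_block_size")

# NOTE(review): parted's "s" unit and /sys/block/*/size are in 512-byte
# (logical) sectors, while $bs is the *physical* block size; on 4Kn/512e
# disks the two differ — confirm the intended unit.
# First partition starts at sector 64 unless the kernel reports a
# non-zero alignment offset (in bytes; converted to sectors here).
if [ "$offset" -eq 0 ]; then
    offset=64
else
    offset=$(( offset / bs ))
fi

#######################################
# Print the device node of the partition named $1, looked up in parted's
# machine-readable listing instead of assuming a partition number (the
# number of the boot partition differs between the UEFI and BIOS layouts).
# Globals:   dev (read)
# Arguments: $1 - partition name as given to `parted mkpart`
# Outputs:   device node on stdout
# Returns:   1 (with a message on stderr) when no such partition exists,
#            so that under `set -e` the caller aborts instead of carrying on
#            with the bare disk device.
#######################################
partition_by_name() {
    partnum=$(parted -sm "$dev" p \
        | grep -m 1 '^[1-9][0-9]*:.*:'"$1"':[^:]*;$' \
        | sed 's/:.*//')
    if [ -z "$partnum" ]; then
        printf 'partition.sh: no partition named %s on %s\n' "$1" "$dev" >&2
        return 1
    fi
    printf '%s%s\n' "$dev" "$partnum"
}

#######################################
# Create a mount point under /target, mount a filesystem there and append
# the matching entry to the staged fstab.
# Globals:   fstab (read)
# Arguments: $1 - device, $2 - filesystem type, $3 - mount point relative
#            to the installed system (e.g. / or /home/), $4 - mount
#            options, $5 - dump field, $6 - pass field
# Outputs:   appends one line to $fstab
#######################################
mount_target() {
    mkdir -p "/target$3"
    mount -t "$2" "$1" "/target$3"
    printf '%s %s %s %s %s %s\n' "$1" "$3" "$2" "$4" "$5" "$6" >> "$fstab"
}

parted -sm "$dev" mklabel gpt
# All partition ends (offset2) must be multiples of $grain sectors.
if [ -d /proc/efi ] || [ -d /sys/firmware/efi ]; then
    # UEFI: a 256MiB EFI system partition first, then a 64MiB /boot.
    offset2=$(( 256 * mib / bs ))
    offset2=$(( offset2 - offset2 % grain ))
    parted -a minimal -sm "$dev" mkpart uefi "${offset}s" "$(( offset2 - 1 ))s"
    offset=$offset2
    offset2=$(( offset + 64 * mib / bs ))
    offset2=$(( offset2 - offset2 % grain ))
    parted -a minimal -sm "$dev" mkpart boot "${offset}s" "$(( offset2 - 1 ))s"
    # On GPT, parted's "boot" flag marks partition 1 (uefi) as the ESP.
    parted -sm "$dev" set 1 boot on
    # NOTE(review): the uefi partition is neither formatted nor listed in
    # the fstab by this script; presumably a later step does — confirm.
else
    # BIOS: a single 64MiB /boot partition at the start of the disk.
    offset2=$(( 64 * mib / bs ))
    parted -a minimal -sm "$dev" mkpart boot "${offset}s" "$(( offset2 - 1 ))s"
fi
offset=$offset2
# The rest of the disk, rounded down to $grain, is the encrypted system partition.
offset2=$(( $(cat "$blk/size") - 1 ))
offset2=$(( offset2 - offset2 % grain ))
parted -a optimal -sm "$dev" mkpart system "${offset}s" "$(( offset2 - 1 ))s"

system=$(partition_by_name system)
boot=$(partition_by_name boot)
parted -sm "$dev" align-check opt "${system#"$dev"}"
#parted -sm "$dev" set "${system#"$dev"}" lvm on

# Choose the key length and digest depending on the architecture
# we're on; we use AES128 and SHA-256 on 32-bits platforms, and
# AES256 and SHA-512 on 64-bits platforms.  Any other architecture is
# rejected explicitly rather than tripping `set -u` further down.
arch=$(uname -m)
case "$arch" in
    x86_64)
        keysize=256
        hash=sha512
        ;;
    i386|i686)
        keysize=128
        hash=sha256
        ;;
    *)
        printf 'partition.sh: unsupported architecture %s\n' "$arch" >&2
        exit 1
        ;;
esac
# Note: XTS requires the key size to be doubled.
fripost_encrypt "$system" system_crypt \
    --align-payload "$grain" \
    --cipher aes-xts-plain64 --key-size $(( keysize * 2 )) --hash "$hash" \
    --iter-time 5000 --use-random


pvcreate -ff -y /dev/mapper/system_crypt
vgcreate "$vg" /dev/mapper/system_crypt

lvcreate -L 5G       -n root "$vg"
lvcreate -L 1G       -n swap "$vg"
lvcreate -l 100%FREE -n home "$vg"
vgchange -ay "$vg"

mkfs.ext2 "$boot"
mkfs.ext4 "/dev/$vg/root"
mkfs.ext4 "/dev/$vg/home"

# NOTE(review): staged at a fixed path in /tmp; a mktemp name would be
# preferable unless another fripost-partman step reads /tmp/fstab — confirm.
fstab=/tmp/fstab
cat > "$fstab" <<'EOF'
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>      <options>       <dump>  <pass>
proc            /proc           proc        defaults        0       0
# TODO: ^ is that needed?
/dev/cdrom      /cdrom          iso9660,udf ro,user,noauto  0       0
# TODO: ^ remove
EOF
mount_target "/dev/$vg/root" ext4 / noatime,errors=remount-ro 0 1
# These directories must be created after the root filesystem is mounted;
# created earlier they would sit on the installer's filesystem, hidden
# beneath the mount point, and be missing from the installed system.
mkdir -p /target/proc
mkdir -p /target/cdrom
mount_target "/dev/$vg/home" ext4 /home/ noatime 0 2
mount_target "$boot" ext2 /boot/ noatime 0 2

mkswap "/dev/$vg/swap"
swapon "/dev/$vg/swap"
echo "/dev/$vg/swap none swap sw 0 0" >> "$fstab"

mkdir -p /target/etc
cp "$fstab" /target/etc/fstab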

# functions:
#   parted
#     - aligned ([+]256MB)
#   cryptsetup ...
#     - set up SSH daemon
#     - /sbin/cryptsetup -q ... --key-file="$keyfile" luksFormat $system
#     - /sbin/cryptsetup -q     --key-file="$keyfile" luksOpen   $system system_crypt
#   pvcreate
#   vgcreate
#   vgchange
#   mkfs -t type [fs-options] device
#   mount -t vfstype [-o options] device dir
#     - create mountpoint
#     - add entry to fstab
#     - mount

#+ logs!