
Root encryption fully functional, documentation added

Hal Emmerich 4 years ago
parent
commit
60a0f3d9f4

+ 82 - 0
DOCUMENTATION.md

@@ -50,3 +50,85 @@ Some additional documentation for PrawnOS that wouldn't fit in the README
 #### Configured using ~/.xinputrc
 * alt+left                     left a word
 * alt+right                    right a word
+
+## Initramfs and Encryption
+PrawnOS uses a custom initramfs, custom init script, and dmcrypt/LUKS to enable full root partition encryption
+
+Because the c201s bootloader, depthcharge, can't be given dynamic cmdline parameters like grub we can't use the "usual" method of setting up an initramfs. Essentially, we can't boot from an initramfs image stored on a /boot partiton
+
+Either the initramfs needs to be built into the part of the kernel image passed to depthcharge using a kernel.its similar to this one by @ifbizo:
+```
+/dts-v1/;
+
+/ {
+	description = "Linux-libre kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+	images {
+		kernel {
+			description = "vmlinuz";
+			data = /incbin/("/boot/vmlinuz-SED_KVER");
+			type = "kernel_noload";
+			arch = "arm";
+			os = "linux";
+			compression = "none";
+			load = <0>;
+			entry = <0>;
+			hash {
+				algo = "sha1";
+			};
+		};
+		fdt {
+			description = "dtb";
+			data = /incbin/("/boot/rk3288-veyron-speedy.dtb");
+			type = "flat_dt";
+			arch = "arm";
+			compression = "none";
+			hash {
+				algo = "sha1";
+			};
+		};
+		ramdisk@1{
+			description = "initrd.img";
+			data = /incbin/("/boot/initrd.img-SED_KVER");
+			type = "ramdisk";
+			arch = "arm";
+			os = "linux";
+			compression = "none";
+			hash@1{
+				algo = "sha1";
+			};
+		};
+	};
+	configurations {
+		default = "conf";
+		conf{
+			kernel = "kernel";
+			fdt = "fdt";
+			ramdisk = "ramdisk@1";
+		};
+	};
+};
+```
+Or it needs to be built into the kernel using the kernel config parameter `CONFIG_INITRAMFS_SOURCE="PrawnOS-initramfs.cpio.gz"`
+
+For PrawnOS I decided to go with building into the kernel to avoid relying on the bootloader, the bootloader may change but the kernel will always support booting an initramfs image.
+
+The script `buildInitramFs.sh` creates the `PrawnOS-initramfs.cpio.gz` image that is then used by `buildKerenl.sh`, copying all of the tools and libraries the initramfs needs from the built filesystem image.
+
+The initramfs is what runs initialy at boot, and allows us to enter a password and decrypt the root partiton
+
+In a normal system, when dmcrypt/LUKS is setup the initramfs image is modified to enable decrypting of the root partiton
+
+Since we have to have a static initramfs image, and can't change it without recompiling the kernel, we have to be a little crafty to support unencrypted and encrypted root partitons with the same initramfs
+
+This is achieved by placing flags in the /boot partition, aka `/dev/mmcblk2p2` or `/dev/sda2`. The /boot partiton is empty on an unencrypted system. When root encryption is set up, the file `root_encryption` is created, which the initramfs init script uses to determine that it should try and decrypt the root partiton 
+
+### debugging the init script
+A rescue debug shell is entered when the init script encounters a problem, or if the `debug` flag is set
+
+You can enable the debug flag by mounting /boot and creating a file named `debug`
+
+To make the system boot normally, from the debug prompt, run `rm /boot/debug` and `exit` to reboot
+
+
+
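
Review bot: The "debugging the init script" section should say that the `debug` and `root_encryption` flag files sit on the /boot partition, which the init script has to read before the root partition is unlocked, so anyone able to write to `/dev/mmcblk2p2` or `/dev/sda2` can force the rescue shell at boot or change which branch the script takes. State that trust assumption next to the flag description. Separately, `buildKerenl.sh` looks like a misspelling of the kernel build script's name, and "partiton" and "initialy" recur through the added text.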

+ 51 - 44
README.md

@@ -6,12 +6,13 @@ PrawnOS
 </h1>
 
 
-#### A build system for making blobless Debian and mainline Linux kernel for the Asus c201 Chromebook
+#### A build system for making blobless Debian and mainline Linux kernel for the Asus c201 Chromebook with support for dmcrypt/LUKS root partition encryption
 
 Build Debian filesystem with:
 * No blobs, anywhere. 
 * Sources from only main, not contrib or non-free which keeps Debian libre.
-* Currently PrawnOS supports xfce and lxqt as choices for desktop enviroment. 
+* Currently PrawnOS supports xfce and lxqt as choices for desktop enviroment.
+* full root filesystem encryption
 
 Build a deblobbed mainline kernel with:
 * Patches for reliable USB.
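
Review bot: The added bullet `* full root filesystem encryption` does not match its siblings, which are capitalised and end with a period; it would also read more accurately as dmcrypt/LUKS encryption of the root partition, since the heading changed in this hunk already names it that way. The rewritten xfce/lxqt line still carries the "enviroment" misspelling, so fix it while the line is being touched.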
@@ -82,45 +83,6 @@ The second and, recommended, option is to install it on your internal storage (e
 [click here](#install-to-internal-drive-emmc)
 * This is faster, and frees up a USB port. 
 
-### Install To USB drive or SD card
-Now on the C201, press `control+u` at boot to boot from the USB drive. 
-
-If you are running stock coreboot and haven't flashed Libreboot, you will first have to enable developer mode and enable USB booting. A quick search should get you some good guides, but if you're having issues feel free to open an issue here on github. 
-
-
-When it boots, login as root. The password is blank. 
-
-#### If you simply want a basic Linux environment with no desktop environment or window manager:
-Make sure it's the only storage device plugged in, and run this script to expand the partition and filesystem to the full USB drive. This will reboot when complete, so you'll have to press `control+u` again to boot to the external media. 
-```
-cd /InstallResources/
-./ExpandExternalInstall.sh
-```
-Congratulations: you are done! Welcome to PrawnOS. You should probably change the root password and make a user, but I'm not your boss or anything so I'll leave that to you. 
-If you want a quick guide on how to connect to WiFi, check out [this down below](#connecting-to-wifi-in-a-basic-environment)
-
-#### For everyone else, two scripts need to be run. 
-
-The first expands the partition and filesystem to use the entire drive.
-Make sure you only have one USB or SD storage device plugged into the machine.
-This will reboot when complete, so you'll have to press `control+u` again to boot to the external media. 
-Run:
-```
-cd /InstallResources/
-./ExpandExternalInstall.sh
-```
-You can verify it worked by running `df -h` after the reboot. The original `/dev/root/` filesystem was only ~2GB
-Then run this script which installs either the xfce4 or the lxqt desktop enviroment, sound, trackpad, and Xorg configurations as well as prompts you to make a new user that automatically gets sudo privileges.
-
-If it asks you about terminal encoding and/or locale, just hit enter. The default works for both.  
-When finished, it will reboot once again placing you at a login screen. 
-```
-./InstallPackages.sh
-```
-This will take a while; USB 2.0 is slow.
-Welcome to PrawnOS. If you like it, I would suggest installing it to your internal storage (emmc).
-
-
 ### Install to Internal drive (emmc)
 Now on the C201, press `control+u` at boot to boot from the USB drive. 
 
@@ -138,6 +100,12 @@ cd /
 ```
 _This will show a bunch of scary red warnings that are a result of the emmc (internal storage) being touchy and the kernel message level being set low for debugging. They don't seem to effect anything long-term._
 
+#### Setting up root partition encryption
+PrawnOS supports encrypting the full root partition with the use of a custom initramfs and dmcrypt/LUKS
+Press "Y" at the prompt, type "YES" at the following prompt, then enter the password you would like to use and verify it
+You will then be prompted one more time to enter your encryption password to mount and setup the filesystem
+If you are curious how the initramfs, and root partition encryption work on PrawnOS check out the Initramfs and Encryption section in [DOCUMENTATION.md](DOCUMENTATION.md)
+
 The device will then reboot. If you are running the stock coreboot, you will have to press `control+d` or wait 30 seconds past the beep to boot to the internal storage.
 
 If you are running Libreboot, it should boot to the internal storage by default. If it doesn't, turn off the device and remove the flash drive before turning it on again. 
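
Review bot: The four added lines under "Setting up root partition encryption" have no blank lines or list markers between them, so Markdown will run them together into one paragraph with no sentence punctuation; make them a numbered list in prompt order ("Y", then "YES", then the password and its verification, then the password once more to mount the filesystem). It would also help to say here that only the root partition is encrypted, leaving the detail to the DOCUMENTATION.md link.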
@@ -169,6 +137,43 @@ dhclient wlan0
 ```
 When that finishes, you should have access to the internet. 
 
+### Install To USB drive or SD card
+Now on the C201, press `control+u` at boot to boot from the USB drive. 
+
+If you are running stock coreboot and haven't flashed Libreboot, you will first have to enable developer mode and enable USB booting. A quick search should get you some good guides, but if you're having issues feel free to open an issue here on github. 
+
+
+When it boots, login as root. The password is blank. 
+
+#### If you simply want a basic Linux environment with no desktop environment or window manager:
+Make sure it's the only storage device plugged in, and run this script to expand the partition and filesystem to the full USB drive. This will reboot when complete, so you'll have to press `control+u` again to boot to the external media. 
+```
+cd /InstallResources/
+./ExpandExternalInstall.sh
+```
+Congratulations: you are done! Welcome to PrawnOS. You should probably change the root password and make a user, but I'm not your boss or anything so I'll leave that to you. 
+If you want a quick guide on how to connect to WiFi, check out [this down below](#connecting-to-wifi-in-a-basic-environment)
+
+#### For everyone else, two scripts need to be run. 
+
+The first expands the partition and filesystem to use the entire drive.
+Make sure you only have one USB or SD storage device plugged into the machine.
+This will reboot when complete, so you'll have to press `control+u` again to boot to the external media. 
+Run:
+```
+cd /InstallResources/
+./ExpandExternalInstall.sh
+```
+You can verify it worked by running `df -h` after the reboot. The original `/dev/root/` filesystem was only ~2GB
+Then run this script which installs either the xfce4 or the lxqt desktop enviroment, sound, trackpad, and Xorg configurations as well as prompts you to make a new user that automatically gets sudo privileges.
+
+If it asks you about terminal encoding and/or locale, just hit enter. The default works for both.  
+When finished, it will reboot once again placing you at a login screen. 
+```
+./InstallPackages.sh
+```
+This will take a while; USB 2.0 is slow.
+Welcome to PrawnOS. If you like it, I would suggest installing it to your internal storage (emmc).
 
 ### Upgrading the kernel
 
@@ -191,12 +196,14 @@ To begin with:
 
 `make filesystem` builds the -BASE filesystem image with no kernel
 
-`make image` builds the kernel, builds the filesystem if a -BASE image doesn't exist, and combines the two into a new PrawnOS.img using kernel_inject
+`make initramfs` builds the PrawnOS-initramfs.cpio.gz, which can be found in /build
+
+`make image` builds the initramfs image, builds the kernel, builds the filesystem if a -BASE image doesn't exist, and combines the two into a new PrawnOS.img using kernel_inject
 
 `make kernel_inject` Injects a newly built kernel into a previously built PrawnOS.img located in the root of the checkout. Usually, this will be a copy of the -BASE image made by make filesystem. Only use this if you already have a built kernel and filesystem -BASE image. 
 
 
-You can use the environment variable `PRAWNOS_SUITE` to use a Debian suite other than `stretch`.  For example, to use Debian Buster, you can build with `sudo PRAWNOS_SUITE=buster make image`.  Note that only `stretch` and `buster` have been tested.
+You can use the environment variable `PRAWNOS_SUITE` to use a Debian suite other than `Buster`.  For example, to use Debian stretch, you can build with `sudo PRAWNOS_SUITE=stretch make image`.  Note that only `stretch` and `buster` have been tested.
 
 You can use the environment variable `PRAWNOS_DEBOOTSTRAP_MIRROR` to use a non-default Debian mirror with debootstrap.  For example, to use [Debian's Tor onion service mirror](https://onion.debian.org/) with debootstrap, you can build with `sudo PRAWNOS_DEBOOTSTRAP_MIRROR=http://vwakviie2ienjx6t.onion/debian make image`.
 
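
Review bot: In the `PRAWNOS_SUITE` paragraph the default is written as `Buster` in code formatting while the tested values in the same sentence are `stretch` and `buster`; write the default in lower case so nobody copies a value that differs from the suite name. In the `make image` line, "combines the two" no longer matches the three things listed before it, and `/build` in the `make initramfs` line reads as a directory at the filesystem root, whereas buildInitramFs.sh writes to `$ROOT_DIR/build`.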
@@ -223,7 +230,7 @@ The pulse audio mixer will only run if you are logged in as a non-root account.
 Thanks to dimkr for his great devsus scripts for the Chrome OS 3.14 kernel, from which PrawnOS took much inspiration
 https://github.com/dimkr/devsus
 
-Because PrawnOS started as a fork of devsus-3.14, much of this repo's history can be found at https://github.com/SolidHal/devsus/tree/hybrid_debian
+Because PrawnOS started as a fork of devsus-3.14, some of this repo's ancient history can be found at https://github.com/SolidHal/devsus/tree/hybrid_debian
 
 PrawnOS is free and unencumbered software released under the terms of the GNU
 General Public License, version 2; see COPYING for the license text. For a list

+ 1 - 1
resources/BuildResources/cmdline

@@ -1 +1 @@
-console=tty1 ramdisk_size=51200 initrd=/PrawnOS-initramfs.cpio.gz root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8
+root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8 console=tty1
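
Review bot: `root=PARTUUID=%U/PARTNROFF=1` is kept on the new line, but with the partition map changed in this commit the partition one after the kernel partition is now "Boot" and the root filesystem is partition 3. The init script appears to use only the PARTUUID from this parameter and mounts `${ROOT_DEV}2` and `${ROOT_DEV}3` itself, so that dependency deserves a sentence in DOCUMENTATION.md. The same goes for moving `console=tty1` to the end: the last `console=` entry is the one that backs /dev/console, and the commit message does not say the reorder is deliberate.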

+ 35 - 15
resources/BuildResources/initramfs-init

@@ -1,13 +1,32 @@
 #!/bin/busybox sh
 
+# This is the init script built into the PrawnOS initramfs
+
+# This file is part of PrawnOS (http://www.prawnos.com)
+# Copyright (c) 2018 Hal Emmerich <hal@halemmerich.com>
+
+# PrawnOS is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+
+# PrawnOS is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with PrawnOS.  If not, see <https://www.gnu.org/licenses/>.
+
 echo In PrawnOS Init
 
 #add this to start shell at desired point
 rescue_shell() {
-    [ $1 != "debug" ] && echo "Something went wrong. Dropping to a shell."
+    [ "{$1}" != "debug" ] && echo "Something went wrong. Dropping to a shell." > /dev/tty1
+    [ "{$1}" == "debug" ] && echo "Debug flag detected, entering debug shell" > /dev/tty1
     exec setsid /bin/sh -c 'exec /bin/sh </dev/tty1 >/dev/tty1 2>&1'
 }
 
+#used to parse the kernel cmdline
 cmdline() {
     local value
     value=" $(cat /proc/cmdline) "
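
Review bot: In `rescue_shell`, `"{$1}"` expands to the argument wrapped in literal braces (for example `{debug}`), so the first test is always true and the second never is: "Something went wrong" is printed on every call and the "Debug flag detected" message is unreachable. Use `"${1}"` in both tests, and `=` rather than `==`, which is the portable operator for `[`.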
@@ -16,6 +35,7 @@ cmdline() {
     [ "${value}" != "" ] && echo "${value}"
 }
 
+#used to get the uuid of the root partiton since findfs isn't in debian busybox-static
 rootpartuuid() {
     local value
     value=$1
@@ -32,34 +52,34 @@ mount -n -t devtmpfs devtmpfs  /dev
 # get the root device, so we can find the boot partiton
 UNPARSED=$(cmdline root)
 ROOT_PARTUUID=$(rootpartuuid $UNPARSED)
-echo ${ROOT_PARTUUID}
+echo ${ROOT_PARTUUID} > /dev/tty1
 BLKID=$(/bin/blkid | grep $ROOT_PARTUUID )
-echo ${BLKID}
-#If its an mmcblk device, the partiton will p1. If it is a usb device, the partiton will just be 1
-#Just want everything before the 1: so this will work
+echo ${BLKID} > /dev/tty1
+#If its an mmcblk device, the kernel partiton will p1. If it is a usb device, the partiton will just be 1
+#Just want everything before the 1
 ROOT_DEV="${BLKID%1:*}"
 
-echo ${ROOT_DEV}
+echo ${ROOT_DEV} > /dev/tty1
 
-# we use this to change what cmdline options get passed into
-# the next boot stage, aka to enable root encryption
+# we can use this to change what cmdline options get passed into
+# the next boot stage
 CMDLINE='cat /proc/cmdline'
 
-[ -d /boot ] || mkdir -p /boot
+[ -d "/boot" ] || mkdir -p /boot
 mount ${ROOT_DEV}2 /boot
 
 #Debugging can be facilitated by creating /boot/debug
-[ -f /boot/debug ] && rescue_shell debug
+[ -f "/boot/debug" ] && rescue_shell debug
 
-if [ -f /boot/root_encryption ]
+if [ -f "/boot/root_encryption" ]
 then
     #decrypt and mount the root filesystem
-    cryptsetup --tries 5 luksOpen /dev/{ROOT_DEV}3 luksroot || rescue_shell
+    echo "Opening encrypted root partition, this will take 30s..."
+    cryptsetup --tries 5 luksOpen ${ROOT_DEV}3 luksroot || rescue_shell debug
     mount /dev/mapper/luksroot /newroot
-    #TODO: UPDATE THE CMDLINE??
 else
     # mount the unencrypted root filesystem
-    [ -d /newroot ] || mkdir -p /newroot
+    [ -d "/newroot" ] || mkdir -p /newroot
     mount ${ROOT_DEV}3 /newroot
 fi
 
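
Review bot: In the encrypted branch, `mount /dev/mapper/luksroot /newroot` runs without the `[ -d "/newroot" ] || mkdir -p /newroot` guard that the unencrypted branch has, and neither `mount` into /newroot is followed by `|| rescue_shell`, so a failed mount falls through to `switch_root`. Move the mkdir above the `if` and check both mounts. The failure path `cryptsetup ... || rescue_shell debug` also passes `debug`, which asks for the "Debug flag detected" message after five failed passphrase attempts instead of the error message, and the new "Opening encrypted root partition" echo is the only message in this hunk not redirected to /dev/tty1.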
@@ -69,4 +89,4 @@ umount /proc
 
 
 #swith to the new rootfs
-exec switch_root /newroot /sbin/init ${CMDLINE}
+exec switch_root /newroot /sbin/init ${CMDLINE}
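
Review bot: `${CMDLINE}` on this line does not carry the kernel command line: the assignment earlier in the file is `CMDLINE='cat /proc/cmdline'`, single-quoted, so `/sbin/init` receives the two literal words `cat` and `/proc/cmdline`. Either capture it with `$(cat /proc/cmdline)` before the `umount /proc` shown in the hunk header, or drop the argument. The removed and added lines here look identical apart from whitespace or the end-of-file newline, and the context comment still reads "swith".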

+ 2 - 1
resources/InstallResources/mmc_type2.partmap

@@ -7,4 +7,5 @@ first-lba: 34
 last-lba: 30777310
 
 /dev/mmcblk2p1 : start=       20480, size=       65536, type=FE3A2A5D-4F32-41A7-B725-ACCC3285A309, uuid=89B31CDB-1147-5241-8271-C1ADBB9BBB44, name="Kernel", attrs="GUID:49,51,52,54,56"
-/dev/mmcblk2p2 : start=       86016, size=    30691294, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=63DB8E49-63C4-984E-90A0-8AC3222C4771, name="Root"
+/dev/mmcblk2p2 : start=       86016, size=      976562, name="Boot"
+/dev/mmcblk2p3 : start=       1062578, size=    29714732, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=63DB8E49-63C4-984E-90A0-8AC3222C4771, name="Root"
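
Review bot: The new `/dev/mmcblk2p2` "Boot" entry has no `type=` or `uuid=`, unlike the Kernel and Root entries, so the partition type and GUID are left to the tool's defaults; give it explicit values so every install produces the same table. The Root start of 1062578 is also not a multiple of 8 sectors (the previous Root start, 86016, was), so consider rounding the Boot size so that partition 3 begins on an aligned boundary.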

+ 39 - 20
scripts/InstallScripts/InstallToInternal.sh

@@ -23,13 +23,21 @@ RESOURCES=/InstallResources
 # Grab the boot device, which is either /dev/sda for usb or /dev/mmcblk0 for an sd card
 BOOT_DEVICE=$(mount | head -n 1 | cut -d '3' -f 1)
 
-
+echo "--------------------------------------------------------------------------------------------------------"
+echo "PrawnOS Install To Internal Emmc Script"
+echo "Sets up the internal emmc partitions, root encryption, and copies the filesystem from the bootable media"
+echo "This script can be quit and re-ran at any point"
+echo "--------------------------------------------------------------------------------------------------------"
 read -p "This will ERASE ALL DATA ON THE INTERNAL STORAGE (EMMC) and reboot when finished, do you want to continue? [Y/n]" -n 1 -r
-echo 
+echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
     #disable dmesg, writing the partition map tries to write the the first gpt table, which is unmodifiable
     dmesg -D
+    umount /dev/mmcblk2p1 || /bin/true
+    umount /dev/mmcblk2p2 || /bin/true
+    umount /dev/mmcblk2p3 || /bin/true
+
     echo Writing partition map
     DISK_SZ="$(blockdev --getsz /dev/mmcblk2)"
     echo Total disk size is: $DISK_SZ
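
Review bot: The banner says the script "can be quit and re-ran at any point", but the cleanup added here only unmounts the three raw partitions. If a previous run stopped after `cryptsetup luksOpen /dev/$ROOT_DEV_NAME luksroot`, the mapping is still open and the filesystem on it may still be mounted at /mnt/mmc, so the next `luksFormat` on partition 3 will not have exclusive access to the device. Unmount /mnt/mmc and /mnt/boot and run `cryptsetup luksClose luksroot || /bin/true` before writing the partition map.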
@@ -63,17 +71,25 @@ then
     BOOT_DEV_NAME=mmcblk2p2
     ROOT_DEV_NAME=mmcblk2p3
     CRYPTO=false
+
+    #ready /boot
+    mkfs.ext4 -F -b 1024 /dev/$BOOT_DEV_NAME
+    mkdir -p /mnt/boot
+    mount /dev/$BOOT_DEV_NAME /mnt/boot
+
     #Handle full disk encryption
-    # read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r
-    # if [[ $REPLY =~ ^[Yy]$ ]]
-    # then
-    #     CRYPTO=true
-    #     # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual
-    #     # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock
-    #     cryptsetup -s 512 luksFormat -i 15000 /dev/mmcblk2p2
-    #     cryptsetup luksOpen /dev/mmcblk2p2 mmcblk2p2-encrypted
-    #     ROOT_DEV_NAME=mapper/mmcblk2p2-encrypted
-    # fi
+    read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r
+    if [[ $REPLY =~ ^[Yy]$ ]]
+    then
+        CRYPTO=true
+        # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual
+        # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock
+        cryptsetup -s 512 luksFormat -i 15000 /dev/$ROOT_DEV_NAME
+        cryptsetup luksOpen /dev/$ROOT_DEV_NAME luksroot
+        ROOT_DEV_NAME=mapper/luksroot
+        #set the root encryption flag
+        touch /mnt/boot/root_encryption
+    fi
 
     echo Writing Filesystem, this will take about 4 minutes...
     mkfs.ext4 -F -b 1024 /dev/$ROOT_DEV_NAME
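
Review bot: Neither `cryptsetup luksFormat` nor `cryptsetup luksOpen` is checked, so if either fails (a mistyped verification passphrase, for instance) the script still sets `ROOT_DEV_NAME=mapper/luksroot`, creates `/mnt/boot/root_encryption` and goes on to `mkfs.ext4` on a mapping that does not exist. Abort on failure and only `touch` the flag after `luksOpen` succeeds. The comment above `luksFormat` also describes `-i 15000` as an iteration count, while cryptsetup's `-i` is `--iter-time` in milliseconds; correct the comment so the unlock delay is explained accurately. The encryption prompt needs an `echo` after `read -n 1`, as the first prompt has, and "encrytion" and "maually" are misspelled.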
@@ -82,17 +98,20 @@ then
     rsync -ah --info=progress2 --info=name0 --numeric-ids -x / /mnt/mmc/
     #Remove the live-fstab and install a base fstab
     rm /mnt/mmc/etc/fstab
-    echo "/dev/mmcblk2p3 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab
+    if [[ $CRYPTO == "true" ]]
+    then
+        echo "/dev/mappper/luksroot / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab
+    else
+        echo "/dev/mmcblk2p3 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab
+    fi
     umount /dev/$ROOT_DEV_NAME
     echo Running fsck
     e2fsck -p -f /dev/$ROOT_DEV_NAME
-    # if [ $CRYPTO true ]
-    # then
-    #     # unmount and close encrypted storage
-    #     cryptsetup luksClose mmcblk2p2-encrypted
-    #     echo Running fsck
-    #     #TODO run fsck on luks part
-    # fi
+    if [[ $CRYPTO == "true" ]]
+    then
+        # unmount and close encrypted storage
+        cryptsetup luksClose luksroot
+    fi
     echo Rebooting... Please remove the usb drive once shutdown is complete
     reboot
 fi
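
Review bot: The fstab line written in the encrypted case uses `/dev/mappper/luksroot` (three p's), which does not match the `/dev/mapper/luksroot` device the init script mounts, so the installed system's root entry points at a path that will not exist. Fix the spelling, or build the entry from the same variable that holds `ROOT_DEV_NAME`. /mnt/boot, mounted earlier in the script, is also still mounted when `reboot` is called; unmount it alongside the root filesystem.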

+ 8 - 6
scripts/buildInitramFs.sh

@@ -50,6 +50,8 @@ cleanup() {
 
 trap cleanup INT TERM EXIT
 
+[ ! -d build ] && mkdir build
+
 losetup -P $outdev $ROOT_DIR/PrawnOS-*-c201-libre-2GB.img-BASE
 #mount the root filesystem
 mount -o noatime ${outdev}p3 $outmnt
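
Review bot: `[ ! -d build ] && mkdir build` creates the directory relative to the current working directory, while the archive is later written to `$ROOT_DIR/build/`; if the script is started from anywhere other than `$ROOT_DIR`, the final redirect fails. Use `mkdir -p "$ROOT_DIR/build"`, which also removes the need for the test.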
@@ -69,9 +71,12 @@ mkdir $initramfs_src/proc
 mkdir $initramfs_src/sys
 mkdir $initramfs_src/sbin
 mkdir $initramfs_src/run
+mkdir $initramfs_src/run/cryptsetup
 mkdir $initramfs_src/lib
 mkdir $initramfs_src/lib/arm-linux-gnueabihf
 
+cp -a $outmnt/dev/console $outmnt/dev/tty $initramfs_src/dev/
+
 #install the few tools we need, and the supporting libs
 cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup $initramfs_src/bin/
 cp $outmnt/lib/arm-linux-gnueabihf/libblkid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/
@@ -101,6 +106,7 @@ cp $outmnt/lib/arm-linux-gnueabihf/libselinux.so.1 $initramfs_src/lib/arm-linux-
 cp $outmnt/lib/arm-linux-gnueabihf/libudev.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libudev.so.1
 cp $outmnt/lib/arm-linux-gnueabihf/libpthread.so.0 $initramfs_src/lib/arm-linux-gnueabihf/libpthread.so.0
 cp $outmnt/lib/arm-linux-gnueabihf/libpcre.so.3 $initramfs_src/lib/arm-linux-gnueabihf/libpcre.so.3
+cp $outmnt/lib/arm-linux-gnueabihf/libgcc_s.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libgcc_s.so.1
 
 #add the init script
 cp $build_resources/initramfs-init $initramfs_src/init
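
Review bot: The added `libgcc_s.so.1` copy has no comment saying which binary needs it, and it joins a long hand-maintained list of libraries copied out of the image. A one-line comment with the reason, or generating the list from the dependencies of `cryptsetup` and `busybox`, would keep the initramfs from silently missing a library after the image's packages change.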
@@ -115,11 +121,7 @@ ln -s busybox bin/mount
 ln -s busybox bin/sh
 ln -s busybox bin/switch_root
 ln -s busybox bin/umount
-find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > $outmnt/boot/PrawnOS-initramfs.cpio.gz 
 
-cd $ROOT_DIR
-
-[ ! -d build ] && mkdir build
-cd build
 # store for kernel building
-cp $outmnt/boot/PrawnOS-initramfs.cpio.gz .
+find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > $ROOT_DIR/build/PrawnOS-initramfs.cpio.gz
+
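
Review bot: The relocated `find . -print0 | cpio ... | gzip --best > $ROOT_DIR/build/PrawnOS-initramfs.cpio.gz` pipeline reports only gzip's exit status, so a failure in `find` or `cpio` leaves a truncated archive in build/ that is then picked up for the kernel build. Check the pipeline status (with `pipefail` if the script runs under bash) and remove the output file on failure. `$ROOT_DIR` should also be quoted in the redirect target.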