From 60283c7e300c00904ef5548bb6b8945c7e84767b Mon Sep 17 00:00:00 2001 From: Hal Emmerich Date: Fri, 20 Sep 2019 23:50:08 -0500 Subject: [PATCH 01/10] Initramfs booting funcitonal, built in using kernel config --- .gitignore | 1 + makefile | 7 +- resources/BuildResources/config | 5 +- resources/BuildResources/initramfs-init | 10 ++- resources/BuildResources/kernel.its | 12 +++ scripts/buildFilesystem.sh | 28 +++++-- scripts/buildInitramFs.sh | 102 ++++++++++++++++++++++++ scripts/buildKernel.sh | 8 ++ scripts/injectKernelIntoFS.sh | 19 ++++- 9 files changed, 177 insertions(+), 15 deletions(-) create mode 100755 scripts/buildInitramFs.sh diff --git a/.gitignore b/.gitignore index d4ed1bf..d3f17d8 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ PrawnOS-Alpha-c201-libre-2GB* PrawnOS-*-Alpha-c201-libre-2GB* tmp.* PrawnOS-Alpha-c201-libre-2GB-git*.img +PrawnOS-initramfs.cpio.gz diff --git a/makefile b/makefile index f06d00b..8d246f8 100644 --- a/makefile +++ b/makefile @@ -70,6 +70,10 @@ clean_all: kernel: scripts/buildKernel.sh $(KVER) +.PHONY: initramfs +initramfs: + scripts/buildInitramFs.sh + #makes the base filesystem image, no kernel only if the base image isnt present .PHONY: filesystem filesystem: @@ -88,8 +92,9 @@ injected_image: #makes a copy of the base image with a new injected kernel .PHONY: image image: make clean_img - make kernel make filesystem + make initramfs + make kernel #Make a new copy of the filesystem image cp $(BASE) $(OUTNAME) make kernel_inject diff --git a/resources/BuildResources/config b/resources/BuildResources/config index f24cc3f..223c4a9 100644 --- a/resources/BuildResources/config +++ b/resources/BuildResources/config 
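Review bot: The new `initramfs` target and the reordered `image` recipe invoke `make` literally; inside a recipe that should be `$(MAKE)` so `-n`, `-j` and the jobserver propagate (the pre-existing `make clean_img` and `make filesystem` lines have the same problem, so this hunk is a good place to fix all of them). `initramfs` declares no prerequisites, so only the line order inside `image:` guarantees the base image exists before `scripts/buildInitramFs.sh` runs, and a standalone `make kernel` now hits the "run make initramfs first" exit added to buildKernel.sh in this patch. If `filesystem` is idempotent as its comment suggests, `initramfs: filesystem` and `kernel: initramfs` would encode that order in the graph instead of in a recipe.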
@@ -151,13 +151,16 @@ CONFIG_NET_NS=y # CONFIG_SYSFS_DEPRECATED is not set CONFIG_RELAY=y CONFIG_BLK_DEV_INITRD=y -CONFIG_INITRAMFS_SOURCE="" +CONFIG_INITRAMFS_SOURCE="PrawnOS-initramfs.cpio.gz" +CONFIG_INITRAMFS_ROOT_UID=0 +CONFIG_INITRAMFS_ROOT_GID=0 CONFIG_RD_GZIP=y # CONFIG_RD_BZIP2 is not set # CONFIG_RD_LZMA is not set CONFIG_RD_XZ=y # CONFIG_RD_LZO is not set # CONFIG_RD_LZ4 is not set +CONFIG_INITRAMFS_COMPRESSION=".gz" # CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set CONFIG_CC_OPTIMIZE_FOR_SIZE=y CONFIG_SYSCTL=y diff --git a/resources/BuildResources/initramfs-init b/resources/BuildResources/initramfs-init index 3576425..0317b4e 100644 --- a/resources/BuildResources/initramfs-init +++ b/resources/BuildResources/initramfs-init @@ -1,6 +1,8 @@ #!/bin/busybox sh +echo In PrawnOS Init + cmdline() { local value value=" $(cat /proc/cmdline) " @@ -21,7 +23,6 @@ rootpartuuid() { mount -n -t proc proc /proc mount -n -t sysfs sysfs /sys mount -n -t devtmpfs devtmpfs /dev -mount -n -t tmpfs tmpfs /run # get the root device, so we can find the boot partiton UNPARSED=$(cmdline root) @@ -35,6 +36,8 @@ ROOT_DEV="${BLKID%1:*}" echo ${ROOT_DEV} +#uncomment for debugging +# exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' # we use this to change what cmdline options get passed into # the next boot stage, aka to enable root encryption @@ -46,6 +49,9 @@ mount ${ROOT_DEV}3 /newroot umount /sys umount /proc +umount /dev + +# exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' #swith to the new rootfs -exec swith_root /newroot "/sbin/init" ${CMDLINE} \ No newline at end of file +exec switch_root /newroot /sbin/init ${CMDLINE} \ No newline at end of file diff --git a/resources/BuildResources/kernel.its b/resources/BuildResources/kernel.its index 549ef9c..ac2967f 100644 --- a/resources/BuildResources/kernel.its +++ b/resources/BuildResources/kernel.its 
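Review bot: `CONFIG_INITRAMFS_SOURCE` now points at an archive that buildInitramFs.sh has already gzip-compressed, while `CONFIG_INITRAMFS_COMPRESSION=".gz"` asks the kernel build to compress the cpio as well; whether the kernel's usr/ build passes a pre-compressed `.cpio.gz` through untouched or compresses it a second time depends on the kernel version's gen_initramfs handling, so it is worth confirming on the built vmlinux that the archive is gzipped exactly once. `CONFIG_INITRAMFS_ROOT_UID`/`GID` apply, as far as I know, only to directory or file-list sources and not to a prebuilt cpio, so ownership inside the archive is whatever buildInitramFs.sh produced (it runs as root, so uid 0 is expected). The relative path is resolved from the kernel source tree, which is why buildKernel.sh copies the archive there; that coupling is not obvious from the config and deserves a sentence in the project documentation. Embedding the initramfs also puts the init script inside the verified kernel partition rather than on the writable /boot partition, which is the right place for early-boot logic.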
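Review bot: The corrected `exec switch_root /newroot /sbin/init ${CMDLINE}` hands `${CMDLINE}` to init as arguments, but `CMDLINE` is assigned a few lines above as `CMDLINE='cat /proc/cmdline'` (visible as context in PATCH 08), i.e. the literal words `cat` and `/proc/cmdline` rather than the kernel command line; either drop the argument or use `CMDLINE=$(cat /proc/cmdline)`, and then pass only the options the next stage actually needs. The newly added `umount /dev` leaves the new root without a devtmpfs until its own init mounts one, which PATCH 04 in this series removes again. The commented-out `exec setsid /bin/sh -c ...` rescue line is added twice as dead code; PATCH 08 turns it into a function, so carrying it through the intermediate commits only adds noise. The script's functions above this hunk (`cmdline`, `rootpartuuid`) begin outside the hunk.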
@@ -27,12 +27,24 @@ algo = "sha1"; }; }; + ramdisk@1{ + description = "initrd.img"; + data = /incbin/("PrawnOS-initramfs.cpio.gz"); + type = "ramdisk"; + arch = "arm"; + os = "linux"; + compression = "none"; + hash@1{ + algo = "sha1"; + }; + }; }; configurations { default = "conf"; conf{ kernel = "kernel"; fdt = "fdt"; + ramdisk = "ramdisk@1"; }; }; }; diff --git a/scripts/buildFilesystem.sh b/scripts/buildFilesystem.sh index 8e5aa55..0cb4996 100755 --- a/scripts/buildFilesystem.sh +++ b/scripts/buildFilesystem.sh 
@@ -163,17 +163,32 @@ chroot $outmnt locale-gen #Install the base packages chroot $outmnt apt update -chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync busybox-static +chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync busybox-static cryptsetup #make the initramfs image that gets copied to partiton 2 +#this is not yet fully funtional, needs the kernel parts which are +#added in "injectKernelIntoFS.sh" + #make a skeleton filesystem -initramfs_src=$outmnt/usr/src/initramfs -mkdir -p $initramfs_src/ -mkdir ${initramfs_src}/{bin,dev,etc,newroot,proc,sys,sbin,run,lib} +initramfs_src=$outmnt/InstallResources/initramfs_src +mkdir -p $initramfs_src +mkdir $initramfs_src/bin +mkdir $initramfs_src/dev +mkdir $initramfs_src/etc +mkdir $initramfs_src/newroot +mkdir $initramfs_src/proc +mkdir $initramfs_src/sys +mkdir $initramfs_src/sbin +mkdir $initramfs_src/run +mkdir $initramfs_src/lib mkdir $initramfs_src/lib/arm-linux-gnueabihf -#install the few tools we need + +#install the few tools we need, and the supporting libs cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup $initramfs_src/bin/ -cp ${outmnt}/lib/arm-linux-gnueabihf/{libblkid.so.1,libc.so.6,libuuid.so.1} ${initramfs_src}/lib/arm-linux-gnueabihf/ +cp $outmnt/lib/arm-linux-gnueabihf/libblkid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/ +cp $outmnt/lib/arm-linux-gnueabihf/libuuid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/ +cp $outmnt/lib/arm-linux-gnueabihf/libc.so.6 $initramfs_src/lib/arm-linux-gnueabihf/ + cp $outmnt/lib/ld-linux-armhf.so.3 $initramfs_src/lib/ cp $outmnt/sbin/blkid 
$initramfs_src/bin/ @@ -182,7 +197,6 @@ cp $build_resources/initramfs-init $initramfs_src/init chmod +x $initramfs_src/init #compress and install -#TODO, make this correct find $initramfs_src -print0 | cpio --null --create --verbose --format=newc | gzip --best > $outmnt/boot/PrawnOS-initramfs.cpio.gz diff --git a/scripts/buildInitramFs.sh b/scripts/buildInitramFs.sh new file mode 100755 index 0000000..5f5efcc --- /dev/null +++ b/scripts/buildInitramFs.sh 
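Review bot: Removing `#TODO, make this correct` implies the archive step is now right, but the context line `find $initramfs_src -print0 | cpio ...` still archives paths prefixed with `$outmnt/InstallResources/initramfs_src/`, so the kernel would not find `/init` at the root of this archive. The new buildInitramFs.sh does `cd $initramfs_src` and `find .`, so the archive written here into `$outmnt/boot/` is dead output that PATCH 08 deletes along with the rest of this block; until then a comment such as `# superseded by scripts/buildInitramFs.sh` would stop readers from relying on it. The `cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup` line copies cryptsetup without any of its shared libraries (only libblkid, libuuid and libc follow), so the binary cannot run from this initramfs; PATCH 08 adds the libraries in buildInitramFs.sh.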
@@ -0,0 +1,102 @@ + +#!/bin/sh -xe + +#Build initramfs image + + +# This file is part of PrawnOS (http://www.prawnos.com) +# Copyright (c) 2018 Hal Emmerich + +# PrawnOS is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 +# as published by the Free Software Foundation. + +# PrawnOS is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with PrawnOS. If not, see . + + +outmnt=$(mktemp -d -p `pwd`) +outdev=/dev/loop7 +KVER=$1 +ROOT_DIR=`pwd` +build_resources=$ROOT_DIR/resources/BuildResources + +if [ ! -f $ROOT_DIR/PrawnOS-*-c201-libre-2GB.img-BASE ] +then + echo "No base filesystem, run 'make filesystem' first" + exit 1 +fi + +#A hacky way to ensure the loops are properly unmounted and the temp files are properly deleted. 
+#Without this, a reboot is sometimes required to properly clean the loop devices and ensure a clean build +cleanup() { + set +e + + umount -l $outmnt > /dev/null 2>&1 + rmdir $outmnt > /dev/null 2>&1 + losetup -d $outdev > /dev/null 2>&1 + + set +e + + umount -l $outmnt > /dev/null 2>&1 + rmdir $outmnt > /dev/null 2>&1 + losetup -d $outdev > /dev/null 2>&1 +} + +trap cleanup INT TERM EXIT + +losetup -P $outdev $ROOT_DIR/PrawnOS-*-c201-libre-2GB.img-BASE +#mount the root filesystem +mount -o noatime ${outdev}p3 $outmnt +#mount the initramfs partition +mount -o noatime ${outdev}p2 $outmnt/boot + +#make a skeleton filesystem +initramfs_src=$outmnt/InstallResources/initramfs_src +rm -rf $initramfs_src* +mkdir -p $initramfs_src +mkdir $initramfs_src/bin +mkdir $initramfs_src/dev +mkdir $initramfs_src/etc +mkdir $initramfs_src/newroot +mkdir $initramfs_src/proc +mkdir $initramfs_src/sys +mkdir $initramfs_src/sbin +mkdir $initramfs_src/run +mkdir $initramfs_src/lib +mkdir $initramfs_src/lib/arm-linux-gnueabihf + +#install the few tools we need, and the supporting libs +cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup $initramfs_src/bin/ +cp $outmnt/lib/arm-linux-gnueabihf/libblkid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/ +cp $outmnt/lib/arm-linux-gnueabihf/libuuid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/ +cp $outmnt/lib/arm-linux-gnueabihf/libc.so.6 $initramfs_src/lib/arm-linux-gnueabihf/ + +cp $outmnt/lib/ld-linux-armhf.so.3 $initramfs_src/lib/ +cp $outmnt/sbin/blkid $initramfs_src/bin/ + +#add the init script +cp $build_resources/initramfs-init $initramfs_src/init +chmod +x $initramfs_src/init + +#compress and install +rm -rf $outmnt/boot/PrawnOS-initramfs.cpio.gz +cd $initramfs_src +ln -s busybox bin/cat +ln -s busybox bin/mount +ln -s busybox bin/sh +ln -s busybox bin/switch_root +ln -s busybox bin/umount +find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > $outmnt/boot/PrawnOS-initramfs.cpio.gz + +cd $ROOT_DIR + +[ ! 
-d build ] && mkdir build +cd build +# store for kernel building +cp $outmnt/boot/PrawnOS-initramfs.cpio.gz . diff --git a/scripts/buildKernel.sh b/scripts/buildKernel.sh index 1da323c..93f6259 100755 --- a/scripts/buildKernel.sh +++ b/scripts/buildKernel.sh @@ -29,6 +29,12 @@ ROOT_DIR=`pwd` RESOURCES=$ROOT_DIR/resources/BuildResources [ ! -d build ] && mkdir build cd build +if [ ! -f PrawnOS-initramfs.cpio.gz ] +then + echo "No initramfs image, run 'make initramfs' first" + cd $ROOT_DIR + exit 1 +fi # build AR9271 firmware [ ! -d open-ath9k-htc-firmware ] && git clone --depth 1 https://github.com/qca/open-ath9k-htc-firmware.git cd open-ath9k-htc-firmware @@ -51,6 +57,8 @@ make mrproper [ "$TEST_PATCHES" = true ] && for i in $RESOURCES/patches-untested/kernel/*.patch; do patch -p1 < $i; done [ "$TEST_PATCHES" = true ] && for i in $RESOURCES/patches-untested/DTS/*.patch; do patch -p1 < $i; done +#copy in the initramfs and kernel config +cp $ROOT_DIR/build/PrawnOS-initramfs.cpio.gz . cp $RESOURCES/config .config make -j `grep ^processor /proc/cpuinfo | wc -l` CROSS_COMPILE=arm-none-eabi- ARCH=arm zImage modules dtbs [ ! -h kernel.its ] && ln -s $RESOURCES/kernel.its . diff --git a/scripts/injectKernelIntoFS.sh b/scripts/injectKernelIntoFS.sh index 3198c47..158b2bd 100755 --- a/scripts/injectKernelIntoFS.sh +++ b/scripts/injectKernelIntoFS.sh 
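Review bot: The file begins with an empty line, so `#!/bin/sh -xe` is on line 2 and is not a shebang; run directly as the makefile does, the script executes under the caller's default shell without `-e` or `-x`, so a failed `cp`, `mount` or `losetup` does not stop the build and a partial archive can still be copied into `build/` and embedded in the kernel. Delete the blank first line, and consider an explicit `set -eux` after the license header as belt and braces. `cleanup()` contains its body twice, and it lazily unmounts `$outmnt` while `${outdev}p2` is still mounted at `$outmnt/boot`, so `losetup -d` can fail with the device busy; unmount `$outmnt/boot` first and drop the duplicate lines. `outdev=/dev/loop7` is a fixed loop device shared with any concurrent build on the host (`losetup -f --show` avoids that), and `rm -rf $initramfs_src*` is an unquoted glob over a path containing a mktemp name where `rm -rf "$initramfs_src"` is enough.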
@@ -53,16 +53,27 @@ trap cleanup INT TERM EXIT #Mount the build filesystem image losetup -P $outdev $2 -mount -o noatime ${outdev}p2 $outmnt +#mount the root filesystem +mount -o noatime ${outdev}p3 $outmnt +#mount the initramfs partition +# mount -o noatime ${outdev}p2 $outmnt/boot # put the kernel in the kernel partition, modules in /lib/modules and AR9271 # firmware in /lib/firmware dd if=$build_resources/blank_kernel of=${outdev}p1 conv=notrunc dd if=build/linux-$KVER/vmlinux.kpart of=${outdev}p1 conv=notrunc make -C build/linux-$KVER ARCH=arm INSTALL_MOD_PATH=$outmnt modules_install -#Dont put ath firmware in filesystem, it is now built into the kernel image -# install -D -m 644 build/open-ath9k-htc-firmware/target_firmware/htc_9271.fw $outmnt/lib/firmware/ath9k_htc/htc_9271-1.4.0.fw -# install -D -m 644 build/open-ath9k-htc-firmware/target_firmware/htc_7010.fw $outmnt/lib/firmware/ath9k_htc/htc_7010-1.4.0.fw + +# put the required kernel items into the initramfs aka the device tree and the kernel image +# TODO: the in-place kernel upgrade script must be changed to copy in new versions of these files +# cp build/linux-$KVER/arch/arm/boot/dts/rk3288-veyron-speedy.dtb $outmnt/boot/rk3288-veyron-speedy.dtb +# cp build/linux-$KVER/vmlinux.kpart $outmnt/boot + +#TODO: do we actually need the kernel in /boot?? I think not. lets test and find out + +# the initramfs is build into the kernel image + +# the ath9k firmware is built into the kernel image, so nothing else must be done umount -l $outmnt > /dev/null 2>&1 rmdir $outmnt > /dev/null 2>&1 From 214ee55580ab30205e6318f75055801678609d79 Mon Sep 17 00:00:00 2001 
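Review bot: The hunk replaces the old firmware comments with three commented-out `cp`/`mount` lines and two TODOs, leaving the reader to guess whether `/boot` on `${outdev}p2` is meant to be populated; since the initramfs is now embedded in the kernel image, `$outmnt/boot` is never mounted or written here, so the commented-out lines should go and one comment should record the decision, e.g. `# p2 (/boot) stays empty: the initramfs and ath9k firmware are built into the kernel image`. The TODO about the in-place kernel upgrade script is a real follow-up rather than a code comment: if that script still expects the dtb and `vmlinux.kpart` under /boot, as the comment suggests, it will silently install nothing after this change, so it should be tracked as an issue. The `#mount the initramfs partition` comment above a commented-out `mount` is also misleading once nothing is mounted there.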
From: Hal Emmerich Date: Thu, 26 Sep 2019 13:10:47 -0500 Subject: [PATCH 02/10] Testing mmc booting --- resources/BuildResources/initramfs-init | 2 +- resources/BuildResources/kernel.its | 12 ------- resources/InstallResources/mmc.partmap | 3 +- scripts/InstallScripts/InstallToInternal.sh | 39 +++++++++++++++++---- scripts/buildInitramFs.sh | 1 + 5 files changed, 37 insertions(+), 20 deletions(-) diff --git a/resources/BuildResources/initramfs-init b/resources/BuildResources/initramfs-init index 0317b4e..9cad70c 100644 --- a/resources/BuildResources/initramfs-init +++ b/resources/BuildResources/initramfs-init @@ -37,7 +37,7 @@ ROOT_DEV="${BLKID%1:*}" echo ${ROOT_DEV} #uncomment for debugging -# exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' +exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' # we use this to change what cmdline options get passed into # the next boot stage, aka to enable root encryption diff --git a/resources/BuildResources/kernel.its b/resources/BuildResources/kernel.its index ac2967f..549ef9c 100644 --- a/resources/BuildResources/kernel.its +++ b/resources/BuildResources/kernel.its @@ -27,24 +27,12 @@ algo = "sha1"; }; }; - ramdisk@1{ - description = "initrd.img"; - data = /incbin/("PrawnOS-initramfs.cpio.gz"); - type = "ramdisk"; - arch = "arm"; - os = "linux"; - compression = "none"; - hash@1{ - algo = "sha1"; - }; - }; }; configurations { default = "conf"; conf{ kernel = "kernel"; fdt = "fdt"; - ramdisk = "ramdisk@1"; }; }; }; diff --git a/resources/InstallResources/mmc.partmap b/resources/InstallResources/mmc.partmap index 28c33de..14fc283 100644 --- a/resources/InstallResources/mmc.partmap +++ b/resources/InstallResources/mmc.partmap 
@@ -6,4 +6,5 @@ first-lba: 34 last-lba: 30785502 /dev/mmcblk2p1 : start= 20480, size= 65536, type=FE3A2A5D-4F32-41A7-B725-ACCC3285A309, uuid=89B31CDB-1147-5241-8271-C1ADBB9BBB44, name="Kernel", attrs="GUID:49,51,52,54,56" -/dev/mmcblk2p2 : start= 86016, size= 30699486, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=63DB8E49-63C4-984E-90A0-8AC3222C4771, name="Root" +/dev/mmcblk2p2 : start= 86016, size= 976562, name="Boot" +/dev/mmcblk2p3 : start= 1062578, size= 29722924, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=63DB8E49-63C4-984E-90A0-8AC3222C4771, name="Root" diff --git a/scripts/InstallScripts/InstallToInternal.sh b/scripts/InstallScripts/InstallToInternal.sh index 01de641..1f46572 100755 --- a/scripts/InstallScripts/InstallToInternal.sh +++ b/scripts/InstallScripts/InstallToInternal.sh 
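Review bot: The new `Boot` entry for `/dev/mmcblk2p2` omits `type=` and `uuid=`, unlike the Kernel and Root lines, so sfdisk will fall back to a default type GUID and a random partition UUID on every install; give it an explicit type (the Linux-filesystem GUID already used for Root, `EBD0A0A2-B9E5-4433-87C0-68B6B72699C7`, is appropriate) and a fixed uuid so the layout stays reproducible and scriptable by PARTUUID. The arithmetic checks out: 86016 + 976562 = 1062578 is the Root start, and 1062578 + 29722924 = 30785502 matches `last-lba`. A short comment noting that p2 is the unencrypted /boot partition later used for the init script's flag files would make the layout self-describing.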
@@ -55,19 +55,46 @@ then fi fi dmesg -E + echo Writing kernel partition dd if="$BOOT_DEVICE"1 of=/dev/mmcblk2p1 + + BOOT_DEV_NAME=mmcblk2p2 + ROOT_DEV_NAME=mmcblk2p3 + CRYPTO=false + #Handle full disk encryption + read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r + if [[ $REPLY =~ ^[Yy]$ ]] + then + CRYPTO=true + # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual + # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock + cryptsetup -s 512 luksFormat -i 15000 /dev/mmcblk2p2 + cryptsetup luksOpen /dev/mmcblk2p2 mmcblk2p2-encrypted + ROOT_DEV_NAME=mapper/mmcblk2p2-encrypted + fi + echo Writing Filesystem, this will take about 4 minutes... - mkfs.ext4 -F -b 1024 /dev/mmcblk2p2 + mkfs.ext4 -F -b 1024 /dev/$ROOT_DEV_NAME mkdir -p /mnt/mmc/ - mount /dev/mmcblk2p2 /mnt/mmc + mount /dev/$ROOT_DEV_NAME /mnt/mmc rsync -ah --info=progress2 --info=name0 --numeric-ids -x / /mnt/mmc/ #Remove the live-fstab and install a base fstab rm /mnt/mmc/etc/fstab - echo "/dev/mmcblk2p2 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab - umount /dev/mmcblk2p2 - echo Running fsck - e2fsck -p -f /dev/mmcblk2p2 + if [ $CRYPTO false] + then + echo "/dev/mmcblk2p2 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab + umount /dev/mmcblk2p2 + echo Running fsck + e2fsck -p -f /dev/mmcblk2p2 + fi + if [ $CRYPTO true ] + then + # unmount and close encrypted storage + cryptsetup luksClose mmcblk2p2-encrypted + echo Running fsck + #TODO run fsck on luks part + fi echo Rebooting... Please remove the usb drive once shutdown is complete reboot fi diff --git a/scripts/buildInitramFs.sh b/scripts/buildInitramFs.sh index 5f5efcc..79168be 100755 --- a/scripts/buildInitramFs.sh +++ b/scripts/buildInitramFs.sh 
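Review bot: The encryption branch formats the wrong partition: `ROOT_DEV_NAME=mmcblk2p3` is set just above, yet `cryptsetup -s 512 luksFormat -i 15000 /dev/mmcblk2p2` and `luksOpen /dev/mmcblk2p2` target the new Boot partition and the mapper name follows suit, so the LUKS container is created over /boot while the plain path still uses p3. Both post-copy tests are malformed shell: `[ $CRYPTO false]` lacks the closing space and any operator, and `[ $CRYPTO true ]` has no operator either, so neither branch runs; write `if [ "$CRYPTO" = false ]` / `if [ "$CRYPTO" = true ]`, and in the encrypted branch run `e2fsck -p -f /dev/mapper/mmcblk2p2-encrypted` before `luksClose` instead of leaving the fsck as a TODO. Note that `-i 15000` is `--iter-time` in milliseconds (a 15 s PBKDF benchmark target), which is what the comment intends, so the comment should say "iteration time" rather than "iteration count" to avoid confusion. PATCH 04 comments this block out and PATCH 09 reworks it, but that rework is not visible here.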
@@ -83,6 +83,7 @@ cp $outmnt/sbin/blkid $initramfs_src/bin/ #add the init script cp $build_resources/initramfs-init $initramfs_src/init chmod +x $initramfs_src/init +cp $initramfs_src/init $initramfs_src/sbin/init #compress and install rm -rf $outmnt/boot/PrawnOS-initramfs.cpio.gz From e9c3d36dc280f018bfdce17a0ad25259ea63d5c2 Mon Sep 17 00:00:00 2001 From: SolidHal Date: Thu, 26 Sep 2019 11:12:13 -0700 Subject: [PATCH 03/10] Fix fs build requirement --- scripts/buildFilesystem.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/buildFilesystem.sh b/scripts/buildFilesystem.sh index 0cb4996..dee8916 100755 --- a/scripts/buildFilesystem.sh +++ b/scripts/buildFilesystem.sh @@ -35,8 +35,6 @@ then fi KVER=$1 -[ ! -d build ] && echo "No build folder found, is the kernel built?" && exit - outmnt=$(mktemp -d -p `pwd`) outdev=/dev/loop5 From 59893f5cf02df39b2f3f78796fd12490840f7c03 Mon Sep 17 00:00:00 2001 From: SolidHal Date: Thu, 26 Sep 2019 11:34:59 -0700 Subject: [PATCH 04/10] Fixup initramfs mmc booting --- resources/BuildResources/initramfs-init | 3 +- scripts/InstallScripts/InstallToInternal.sh | 46 ++++++++++----------- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/resources/BuildResources/initramfs-init b/resources/BuildResources/initramfs-init index 9cad70c..b7c7c35 100644 --- a/resources/BuildResources/initramfs-init +++ b/resources/BuildResources/initramfs-init @@ -37,7 +37,7 @@ ROOT_DEV="${BLKID%1:*}" echo ${ROOT_DEV} #uncomment for debugging -exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' +# exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' # we use this to change what cmdline options get passed into # the next boot stage, aka to enable root encryption @@ -49,7 +49,6 @@ mount ${ROOT_DEV}3 /newroot umount /sys umount /proc -umount /dev # exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' diff --git a/scripts/InstallScripts/InstallToInternal.sh b/scripts/InstallScripts/InstallToInternal.sh index 1f46572..b886702 100755 
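Review bot: `cp $initramfs_src/init $initramfs_src/sbin/init` duplicates the init script inside the initramfs without saying why; if it is a workaround for the kernel not finding `/init` in the archive, the fix belongs in how the cpio is generated, and if it is needed for another reason a comment should state it, e.g. `# /sbin/init copy inside the initramfs is needed because <reason>`. If the copy must stay, `ln -s ../init $initramfs_src/sbin/init` avoids carrying two copies that can drift. The enclosing script's `cd $initramfs_src` and archive step follow outside the hunk.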
--- a/scripts/InstallScripts/InstallToInternal.sh +++ b/scripts/InstallScripts/InstallToInternal.sh @@ -57,22 +57,23 @@ then dmesg -E echo Writing kernel partition + dd if=/dev/zero of=/dev/mmcblk2p1 bs=512 count=65536 dd if="$BOOT_DEVICE"1 of=/dev/mmcblk2p1 BOOT_DEV_NAME=mmcblk2p2 ROOT_DEV_NAME=mmcblk2p3 CRYPTO=false #Handle full disk encryption - read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r - if [[ $REPLY =~ ^[Yy]$ ]] - then - CRYPTO=true - # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual - # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock - cryptsetup -s 512 luksFormat -i 15000 /dev/mmcblk2p2 - cryptsetup luksOpen /dev/mmcblk2p2 mmcblk2p2-encrypted - ROOT_DEV_NAME=mapper/mmcblk2p2-encrypted - fi + # read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r + # if [[ $REPLY =~ ^[Yy]$ ]] + # then + # CRYPTO=true + # # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual + # # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock + # cryptsetup -s 512 luksFormat -i 15000 /dev/mmcblk2p2 + # cryptsetup luksOpen /dev/mmcblk2p2 mmcblk2p2-encrypted + # ROOT_DEV_NAME=mapper/mmcblk2p2-encrypted + # fi echo Writing Filesystem, this will take about 4 minutes... mkfs.ext4 -F -b 1024 /dev/$ROOT_DEV_NAME 
@@ -81,20 +82,17 @@ then rsync -ah --info=progress2 --info=name0 --numeric-ids -x / /mnt/mmc/ #Remove the live-fstab and install a base fstab rm /mnt/mmc/etc/fstab - if [ $CRYPTO false] - then - echo "/dev/mmcblk2p2 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab - umount /dev/mmcblk2p2 - echo Running fsck - e2fsck -p -f /dev/mmcblk2p2 - fi - if [ $CRYPTO true ] - then - # unmount and close encrypted storage - cryptsetup luksClose mmcblk2p2-encrypted - echo Running fsck - #TODO run fsck on luks part - fi + echo "/dev/mmcblk2p3 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab + umount /dev/$ROOT_DEV_NAME + echo Running fsck + e2fsck -p -f /dev/$ROOT_DEV_NAME + # if [ $CRYPTO true ] + # then + # # unmount and close encrypted storage + # cryptsetup luksClose mmcblk2p2-encrypted + # echo Running fsck + # #TODO run fsck on luks part + # fi echo Rebooting... Please remove the usb drive once shutdown is complete reboot fi From cc980dbc71052559adcb294314a2ee138d770b9c Mon Sep 17 00:00:00 2001 From: SolidHal Date: Fri, 27 Sep 2019 13:36:40 -0700 Subject: [PATCH 05/10] Need to grab xsecurelock from sid explicitly --- scripts/InstallScripts/InstallPackages.sh | 2 +- scripts/buildFilesystem.sh | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/InstallScripts/InstallPackages.sh b/scripts/InstallScripts/InstallPackages.sh index a8f50d0..c748699 100755 --- a/scripts/InstallScripts/InstallPackages.sh +++ b/scripts/InstallScripts/InstallPackages.sh @@ -57,7 +57,7 @@ then # is told to sleep at lid close, and activate lock # gnome-screensaver shows the desktop for a fraction of a second at wakeup # xscreensaver works as well, if you prefer that but is less simple - apt install xsecurelock + apt install -t unstable xsecurelock #Install packages not in an apt repo dpkg -i $DIR/xfce-themes/* diff --git a/scripts/buildFilesystem.sh b/scripts/buildFilesystem.sh index dee8916..d2006a1 100755 --- a/scripts/buildFilesystem.sh +++ b/scripts/buildFilesystem.sh 
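Review bot: The replacement fstab line hard-codes `/dev/mmcblk2p3` while the neighbouring `mkfs.ext4`, `mount`, `umount` and `e2fsck` lines all use `/dev/$ROOT_DEV_NAME`; use `echo "/dev/$ROOT_DEV_NAME / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab` so the two cannot drift when the encrypted path is re-enabled (with a dm-crypt root the entry must name the mapper device, not p3). Both this hunk and the preceding one replace the encryption code with commented-out blocks rather than deleting it; git keeps PATCH 02, so removing the ~20 commented lines and restoring them when the feature works reads better. The `dd if=/dev/zero of=/dev/mmcblk2p1 bs=512 count=65536` added in the previous hunk matches the 65536-sector Kernel partition in mmc.partmap, which is correct, but a one-line comment stating that it wipes the previous kernel before the copy would help the next reader.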
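Review bot: `apt install -t unstable xsecurelock` raises the pin priority of the whole unstable suite for this transaction, so apt may satisfy xsecurelock's dependencies, and upgrade already-installed libraries if their version constraints require it, from unstable as well, moving a supposedly stable/testing system onto sid packages; the `apt-get install -y -t unstable -d xsecurelock` line in this patch's buildFilesystem.sh hunk has the same effect at image-build time. A pin limited to the single package (an `/etc/apt/preferences.d` entry for `Package: xsecurelock` pinned to `release a=unstable`, with the rest of unstable left at low priority) or a rebuilt backport keeps the dependency set on the configured suite and makes the image reproducible, since the unstable version changes daily. This also assumes unstable is already listed in the image's sources.list, which I cannot see here.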
@@ -211,8 +211,9 @@ chroot $outmnt apt install -y libinput-tools xdotool build-essential #Package is copied into /InstallResources/packages #Download the packages to be installed by Install.sh: -chroot $outmnt apt-get install -y -d xorg acpi-support lightdm tasksel dpkg librsvg2-common xorg xserver-xorg-input-libinput alsa-utils anacron avahi-daemon eject iw libnss-mdns xdg-utils lxqt crda xfce4 dbus-user-session system-config-printer tango-icon-theme xfce4-power-manager xfce4-terminal xfce4-goodies mousepad vlc libutempter0 xterm numix-gtk-theme dconf-cli dconf-editor plank network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome dtrx emacs25 accountsservice sudo pavucontrol-qt xsecurelock +chroot $outmnt apt-get install -y -t unstable -d xsecurelock +chroot $outmnt apt-get install -y -d xorg acpi-support lightdm tasksel dpkg librsvg2-common xorg xserver-xorg-input-libinput alsa-utils anacron avahi-daemon eject iw libnss-mdns xdg-utils lxqt crda xfce4 dbus-user-session system-config-printer tango-icon-theme xfce4-power-manager xfce4-terminal xfce4-goodies mousepad vlc libutempter0 xterm numix-gtk-theme dconf-cli dconf-editor plank network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome dtrx emacs25 accountsservice sudo pavucontrol-qt if [ "$PRAWNOS_SUITE" = "stretch" ] then From b7e607120c20d5eb79f5453f61413b6eb0f77286 Mon Sep 17 00:00:00 2001 From: SolidHal Date: Fri, 27 Sep 2019 14:05:31 -0700 Subject: [PATCH 06/10] fix iding boot dev on install to internal --- scripts/InstallScripts/InstallToInternal.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/InstallScripts/InstallToInternal.sh b/scripts/InstallScripts/InstallToInternal.sh index b886702..58e4923 100755 --- a/scripts/InstallScripts/InstallToInternal.sh +++ b/scripts/InstallScripts/InstallToInternal.sh 
@@ -21,7 +21,7 @@ RESOURCES=/InstallResources # Grab the boot device, which is either /dev/sda for usb or /dev/mmcblk0 for an sd card -BOOT_DEVICE=$(mount | head -n 1 | cut -d '2' -f 1) +BOOT_DEVICE=$(mount | head -n 1 | cut -d '3' -f 1) read -p "This will ERASE ALL DATA ON THE INTERNAL STORAGE (EMMC) and reboot when finished, do you want to continue? [Y/n]" -n 1 -r From 69c91abbd28180fa2c659185e5aa942f10207dd5 Mon Sep 17 00:00:00 2001 From: Hal Emmerich Date: Sun, 29 Sep 2019 19:03:16 -0500 Subject: [PATCH 07/10] Dont prompt user to install xsecurelock --- scripts/InstallScripts/InstallPackages.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/InstallScripts/InstallPackages.sh b/scripts/InstallScripts/InstallPackages.sh index c748699..06caba0 100755 --- a/scripts/InstallScripts/InstallPackages.sh +++ b/scripts/InstallScripts/InstallPackages.sh @@ -57,7 +57,7 @@ then # is told to sleep at lid close, and activate lock # gnome-screensaver shows the desktop for a fraction of a second at wakeup # xscreensaver works as well, if you prefer that but is less simple - apt install -t unstable xsecurelock + apt install -y -t unstable xsecurelock #Install packages not in an apt repo dpkg -i $DIR/xfce-themes/* From 01ef15d1a032f46c7e8ad7731a4ff86c4ab53fe7 Mon Sep 17 00:00:00 2001 From: Hal Emmerich Date: Sun, 29 Sep 2019 20:16:30 -0500 Subject: [PATCH 08/10] Addcryptsetup to initramfs, add debug flag --- resources/BuildResources/initramfs-init | 32 ++++++++++++++++------ scripts/buildFilesystem.sh | 35 ------------------------- scripts/buildInitramFs.sh | 22 ++++++++++++++++ 3 files changed, 46 insertions(+), 43 deletions(-) diff --git a/resources/BuildResources/initramfs-init b/resources/BuildResources/initramfs-init index b7c7c35..aed89ae 100644 --- a/resources/BuildResources/initramfs-init +++ b/resources/BuildResources/initramfs-init 
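Review bot: `BOOT_DEVICE=$(mount | head -n 1 | cut -d '3' -f 1)` derives the boot device by cutting the first line of `mount` output at the first character `3`, which happens to work for `/dev/sda3` and `/dev/mmcblk0p3` but breaks for any device name containing a `3` earlier (`/dev/mmcblk3p3` yields `/dev/mmcblk`) and relies on the root mount being listed first; since the result is suffixed with `1` and fed to `dd ... of=/dev/mmcblk2p1`, a wrong prefix means copying the wrong block device onto the eMMC kernel partition. `BOOT_DEVICE=$(findmnt -n -o SOURCE / | sed 's/3$//')` strips only the trailing partition number of the actual root source and keeps the `p` of mmc names, so the existing `"$BOOT_DEVICE"1` keeps working. The comment above the line should also mention that the trailing `p` is deliberately kept for mmc devices.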
@@ -1,8 +1,13 @@ #!/bin/busybox sh - echo In PrawnOS Init +#add this to start shell at desired point +rescue_shell() { + [ $1 != "debug" ] && echo "Something went wrong. Dropping to a shell." + exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' +} + cmdline() { local value value=" $(cat /proc/cmdline) " @@ -36,21 +41,32 @@ ROOT_DEV="${BLKID%1:*}" echo ${ROOT_DEV} -#uncomment for debugging -# exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' - # we use this to change what cmdline options get passed into # the next boot stage, aka to enable root encryption CMDLINE='cat /proc/cmdline' -# mount new root -[ -d /newroot ] || mkdir -p /newroot -mount ${ROOT_DEV}3 /newroot +[ -d /boot ] || mkdir -p /boot +mount ${ROOT_DEV}2 /boot + +#Debugging can be facilitated by creating /boot/debug +[ -f /boot/debug ] && rescue_shell debug + +if [ -f /boot/root_encryption ] +then + #decrypt and mount the root filesystem + cryptsetup --tries 5 luksOpen /dev/{ROOT_DEV}3 luksroot || rescue_shell + mount /dev/mapper/luksroot /newroot + #TODO: UPDATE THE CMDLINE?? +else + # mount the unencrypted root filesystem + [ -d /newroot ] || mkdir -p /newroot + mount ${ROOT_DEV}3 /newroot +fi umount /sys umount /proc -# exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1' + #swith to the new rootfs exec switch_root /newroot /sbin/init ${CMDLINE} \ No newline at end of file diff --git a/scripts/buildFilesystem.sh b/scripts/buildFilesystem.sh index d2006a1..7e942b7 100755 --- a/scripts/buildFilesystem.sh +++ b/scripts/buildFilesystem.sh 
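Review bot: `cryptsetup --tries 5 luksOpen /dev/{ROOT_DEV}3 luksroot` has no `$` and so opens the literal path `/dev/{ROOT_DEV}3`; `ROOT_DEV` already carries the `/dev/` prefix (the unencrypted branch mounts `${ROOT_DEV}3`), so the line should be `cryptsetup --tries 5 luksOpen ${ROOT_DEV}3 luksroot || rescue_shell`. In `rescue_shell`, `[ $1 != "debug" ]` with no argument expands to `[ != debug ]`, a test error rather than true, so the "Something went wrong" message is never printed on the failure path; quote it as `[ "$1" != "debug" ]`. `/boot` is mounted but, unlike `/sys` and `/proc`, never unmounted before `switch_root`, so add `umount /boot` after the if/else so the mount is not left stranded in the discarded rootfs. On trust: the init script now lives inside the verified kernel image, but both flags it consults (`/boot/debug` and `/boot/root_encryption`) sit on the unauthenticated /boot partition, so creating `debug` yields a root shell in the initramfs with the root partition still locked and removing `root_encryption` only breaks the boot into `rescue_shell`; that is acceptable for this threat model but should be stated in DOCUMENTATION.md as a deliberate decision. The `#TODO: UPDATE THE CMDLINE??` sits next to `CMDLINE='cat /proc/cmdline'`, which is single-quoted and therefore the literal string, not the command line, and should become `CMDLINE=$(cat /proc/cmdline)` if it is meant to be forwarded.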
@@ -163,41 +163,6 @@ chroot $outmnt locale-gen chroot $outmnt apt update chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync busybox-static cryptsetup -#make the initramfs image that gets copied to partiton 2 -#this is not yet fully funtional, needs the kernel parts which are -#added in "injectKernelIntoFS.sh" - -#make a skeleton filesystem -initramfs_src=$outmnt/InstallResources/initramfs_src -mkdir -p $initramfs_src -mkdir $initramfs_src/bin -mkdir $initramfs_src/dev -mkdir $initramfs_src/etc -mkdir $initramfs_src/newroot -mkdir $initramfs_src/proc -mkdir $initramfs_src/sys -mkdir $initramfs_src/sbin -mkdir $initramfs_src/run -mkdir $initramfs_src/lib -mkdir $initramfs_src/lib/arm-linux-gnueabihf - -#install the few tools we need, and the supporting libs -cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup $initramfs_src/bin/ -cp $outmnt/lib/arm-linux-gnueabihf/libblkid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/ -cp $outmnt/lib/arm-linux-gnueabihf/libuuid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/ -cp $outmnt/lib/arm-linux-gnueabihf/libc.so.6 $initramfs_src/lib/arm-linux-gnueabihf/ - -cp $outmnt/lib/ld-linux-armhf.so.3 $initramfs_src/lib/ -cp $outmnt/sbin/blkid $initramfs_src/bin/ - -#add the init script -cp $build_resources/initramfs-init $initramfs_src/init -chmod +x $initramfs_src/init - -#compress and install -find $initramfs_src -print0 | cpio --null --create --verbose --format=newc | gzip --best > $outmnt/boot/PrawnOS-initramfs.cpio.gz - - #add the live-boot fstab cp -f $build_resources/external_fstab $outmnt/etc/fstab chmod 644 /etc/fstab diff --git a/scripts/buildInitramFs.sh b/scripts/buildInitramFs.sh index 79168be..b4dd2a3 100755 --- a/scripts/buildInitramFs.sh +++ b/scripts/buildInitramFs.sh 
@@ -64,6 +64,7 @@ mkdir $initramfs_src/bin mkdir $initramfs_src/dev mkdir $initramfs_src/etc mkdir $initramfs_src/newroot +mkdir $initramfs_src/boot mkdir $initramfs_src/proc mkdir $initramfs_src/sys mkdir $initramfs_src/sbin 
@@ -80,6 +81,27 @@ cp $outmnt/lib/arm-linux-gnueabihf/libc.so.6 $initramfs_src/lib/arm-linux-gnueab cp $outmnt/lib/ld-linux-armhf.so.3 $initramfs_src/lib/ cp $outmnt/sbin/blkid $initramfs_src/bin/ +cp $outmnt/usr/sbin/cryptsetup $initramfs_src/bin/ + +cp $outmnt/lib/arm-linux-gnueabihf/libm.so.6 $initramfs_src/lib/arm-linux-gnueabihf/libm.so.6 +cp $outmnt/lib/arm-linux-gnueabihf/libcryptsetup.so.12 $initramfs_src/lib/arm-linux-gnueabihf/libcryptsetup.so.12 +cp $outmnt/lib/arm-linux-gnueabihf/libpopt.so.0 $initramfs_src/lib/arm-linux-gnueabihf/libpopt.so.0 +cp $outmnt/lib/arm-linux-gnueabihf/libuuid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libuuid.so.1 +cp $outmnt/lib/arm-linux-gnueabihf/libblkid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libblkid.so.1 +cp $outmnt/lib/arm-linux-gnueabihf/libc.so.6 $initramfs_src/lib/arm-linux-gnueabihf/libc.so.6 +cp $outmnt/lib/ld-linux-armhf.so.3 $initramfs_src/lib/ld-linux-armhf.so.3 +cp $outmnt/lib/arm-linux-gnueabihf/libdevmapper.so.1.02.1 $initramfs_src/lib/arm-linux-gnueabihf/libdevmapper.so.1.02.1 +cp $outmnt/lib/arm-linux-gnueabihf/libssl.so.1.1 $initramfs_src/lib/arm-linux-gnueabihf/libssl.so.1.1 +cp $outmnt/lib/arm-linux-gnueabihf/libcrypto.so.1.1 $initramfs_src/lib/arm-linux-gnueabihf/libcrypto.so.1.1 +cp $outmnt/lib/arm-linux-gnueabihf/libargon2.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libargon2.so.1 +cp $outmnt/lib/arm-linux-gnueabihf/librt.so.1 $initramfs_src/lib/arm-linux-gnueabihf/librt.so.1 +cp $outmnt/lib/arm-linux-gnueabihf/libdl.so.2 $initramfs_src/lib/arm-linux-gnueabihf/libdl.so.2 +cp $outmnt/lib/arm-linux-gnueabihf/libjson-c.so.3 $initramfs_src/lib/arm-linux-gnueabihf/libjson-c.so.3 +cp $outmnt/lib/arm-linux-gnueabihf/libselinux.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libselinux.so.1 +cp $outmnt/lib/arm-linux-gnueabihf/libudev.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libudev.so.1 +cp $outmnt/lib/arm-linux-gnueabihf/libpthread.so.0 $initramfs_src/lib/arm-linux-gnueabihf/libpthread.so.0 +cp 
$outmnt/lib/arm-linux-gnueabihf/libpcre.so.3 $initramfs_src/lib/arm-linux-gnueabihf/libpcre.so.3 + #add the init script cp $build_resources/initramfs-init $initramfs_src/init chmod +x $initramfs_src/init From 60a0f3d9f4b97ed34216af8e3738a706cd9030b4 Mon Sep 17 00:00:00 2001 From: Hal Emmerich Date: Thu, 3 Oct 2019 00:40:14 -0500 Subject: [PATCH 09/10] Root encryption fully functional, documentation added --- DOCUMENTATION.md | 82 +++++++++++++ README.md | 117 ++++++++++--------- resources/BuildResources/cmdline | 2 +- resources/BuildResources/initramfs-init | 50 +++++--- resources/InstallResources/mmc_type2.partmap | 3 +- scripts/InstallScripts/InstallToInternal.sh | 59 ++++++---- scripts/buildInitramFs.sh | 14 ++- 7 files changed, 229 insertions(+), 98 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index e3fbee5..812c0f1 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md 
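Review bot: The hunk copies cryptsetup's runtime libraries one `cp` per line, with `libuuid.so.1`, `libblkid.so.1`, `libc.so.6` and `ld-linux-armhf.so.3` copied a second time (the context lines above already copy them) and every soname version (`libjson-c.so.3`, `libssl.so.1.1`, `libdevmapper.so.1.02.1`, ...) hard-coded, so the next Debian suite bump either stops the build at the first missing `cp` or, since `-e` is not active in this script, produces an archive in which cryptsetup cannot start and every encrypted-root boot drops to `rescue_shell`. The earlier `cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup ...` line and the new `cp $outmnt/usr/sbin/cryptsetup` line both exist; on a merged-/usr image they copy the same file and otherwise only one of the paths exists, so keep a single copy. A list-driven loop that fails loudly on a missing library keeps the set in one place; deriving it from `chroot $outmnt ldd /usr/sbin/cryptsetup` would remove the hard-coding entirely if the qemu-static chroot used by buildFilesystem.sh is available here, which I have not verified.
```shell
cp "$outmnt/usr/sbin/cryptsetup" "$initramfs_src/bin/"
# shared libraries cryptsetup and blkid need at boot; one soname per word, keep in sync with the image
initramfs_libs="libm.so.6 libcryptsetup.so.12 libpopt.so.0 libuuid.so.1 libblkid.so.1 libc.so.6 \
    libdevmapper.so.1.02.1 libssl.so.1.1 libcrypto.so.1.1 libargon2.so.1 librt.so.1 libdl.so.2 \
    libjson-c.so.3 libselinux.so.1 libudev.so.1 libpthread.so.0 libpcre.so.3"
for lib in $initramfs_libs; do
    [ -f "$outmnt/lib/arm-linux-gnueabihf/$lib" ] || { echo "initramfs: $lib missing from image"; exit 1; }
    cp "$outmnt/lib/arm-linux-gnueabihf/$lib" "$initramfs_src/lib/arm-linux-gnueabihf/"
done
cp "$outmnt/lib/ld-linux-armhf.so.3" "$initramfs_src/lib/"
# … unchanged: copy of the init script …
```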
@@ -50,3 +50,85 @@ Some additional documentation for PrawnOS that wouldn't fit in the README #### Configured using ~/.xinputrc * alt+left left a word * alt+right right a word + +## Initramfs and Encryption +PrawnOS uses a custom initramfs, custom init script, and dmcrypt/LUKS to enable full root partition encryption + +Because the c201s bootloader, depthcharge, can't be given dynamic cmdline parameters like grub we can't use the "usual" method of setting up an initramfs. Essentially, we can't boot from an initramfs image stored on a /boot partiton + +Either the initramfs needs to be built into the part of the kernel image passed to depthcharge using a kernel.its similar to this one by @ifbizo: +``` +/dts-v1/; + +/ { + description = "Linux-libre kernel image with one or more FDT blobs"; + #address-cells = <1>; + images { + kernel { + description = "vmlinuz"; + data = /incbin/("/boot/vmlinuz-SED_KVER"); + type = "kernel_noload"; + arch = "arm"; + os = "linux"; + compression = "none"; + load = <0>; + entry = <0>; + hash { + algo = "sha1"; + }; + }; + fdt { + description = "dtb"; + data = /incbin/("/boot/rk3288-veyron-speedy.dtb"); + type = "flat_dt"; + arch = "arm"; + compression = "none"; + hash { + algo = "sha1"; + }; + }; + ramdisk@1{ + description = "initrd.img"; + data = /incbin/("/boot/initrd.img-SED_KVER"); + type = "ramdisk"; + arch = "arm"; + os = "linux"; + compression = "none"; + hash@1{ + algo = "sha1"; + }; + }; + }; + configurations { + default = "conf"; + conf{ + kernel = "kernel"; + fdt = "fdt"; + ramdisk = "ramdisk@1"; + }; + }; +}; +``` +Or it needs to be built into the kernel using the kernel config parameter `CONFIG_INITRAMFS_SOURCE="PrawnOS-initramfs.cpio.gz"` + +For PrawnOS I decided to go with building into the kernel to avoid relying on the bootloader, the bootloader may change but the kernel will always support booting an initramfs image. 
+ +The script `buildInitramFs.sh` creates the `PrawnOS-initramfs.cpio.gz` image that is then used by `buildKerenl.sh`, copying all of the tools and libraries the initramfs needs from the built filesystem image. + +The initramfs is what runs initialy at boot, and allows us to enter a password and decrypt the root partiton + +In a normal system, when dmcrypt/LUKS is setup the initramfs image is modified to enable decrypting of the root partiton + +Since we have to have a static initramfs image, and can't change it without recompiling the kernel, we have to be a little crafty to support unencrypted and encrypted root partitons with the same initramfs + +This is achieved by placing flags in the /boot partition, aka `/dev/mmcblk2p2` or `/dev/sda2`. The /boot partiton is empty on an unencrypted system. When root encryption is set up, the file `root_encryption` is created, which the initramfs init script uses to determine that it should try and decrypt the root partiton + +### debugging the init script +A rescue debug shell is entered when the init script encounters a problem, or if the `debug` flag is set + +You can enable the debug flag by mounting /boot and creating a file named `debug` + +To make the system boot normally, from the debug prompt, run `rm /boot/debug` and `exit` to reboot + + + diff --git a/README.md b/README.md index 1a2a562..e6baa2d 100644 --- a/README.md +++ b/README.md 
@@ -6,12 +6,13 @@ PrawnOS -#### A build system for making blobless Debian and mainline Linux kernel for the Asus c201 Chromebook +#### A build system for making blobless Debian and mainline Linux kernel for the Asus c201 Chromebook with support for dmcrypt/LUKS root partition encryption Build Debian filesystem with: * No blobs, anywhere. * Sources from only main, not contrib or non-free which keeps Debian libre. -* Currently PrawnOS supports xfce and lxqt as choices for desktop enviroment. +* Currently PrawnOS supports xfce and lxqt as choices for desktop enviroment. +* full root filesystem encryption Build a deblobbed mainline kernel with: * Patches for reliable USB. 
@@ -82,6 +83,60 @@ The second and, recommended, option is to install it on your internal storage (e [click here](#install-to-internal-drive-emmc) * This is faster, and frees up a USB port. +### Install to Internal drive (emmc) +Now on the C201, press `control+u` at boot to boot from the USB drive. + + +If you are running stock coreboot and haven't flashed Libreboot, you will first have to enable developer mode and enable USB booting. A quick search should get you some good guides, but if you're having issues feel free to open an issue here on github. + +At the prompt, login as root. The password is blank. + +WARNING! THIS WILL ERASE YOUR INTERNAL EMMC STORAGE (your Chrome OS install or other Linux install and all of the associated user data) Make sure to back up any data you would like to keep before running this. + +If you would like to install it to the internal emmc storage run: +``` +cd / +./InstallToInternal.sh +``` +_This will show a bunch of scary red warnings that are a result of the emmc (internal storage) being touchy and the kernel message level being set low for debugging. They don't seem to effect anything long-term._ + +#### Setting up root partition encryption +PrawnOS supports encrypting the full root partition with the use of a custom initramfs and dmcrypt/LUKS +Press "Y" at the prompt, type "YES" at the following prompt, then enter the password you would like to use and verify it +You will then be prompted one more time to enter your encryption password to mount and setup the filesystem +If you are curious how the initramfs, and root partition encryption work on PrawnOS check out the Initramfs and Encryption section in [DOCUMENTATION.md](DOCUMENTATION.md) + +The device will then reboot. If you are running the stock coreboot, you will have to press `control+d` or wait 30 seconds past the beep to boot to the internal storage. + +If you are running Libreboot, it should boot to the internal storage by default. 
If it doesn't, turn off the device and remove the flash drive before turning it on again. + +Now login as root again and run: +``` +cd /InstallResources +./InstallPackages.sh +``` +Which installs either the xfce4 or the lxqt desktop enviroment, sound, trackpad, and Xorg configurations as well as prompts you to make a new user that automatically gets sudo privileges. + + +If it asks you about terminal encoding and/or locale, just hit enter. The default works for both. + +When finished, it will reboot once again placing you at a login screen. + +Congratulations! Your computer is now a Prawn! https://sprorgnsm.bandcamp.com/track/the-prawn-song + +#### Connecting to WiFi in a basic environment +If you just want a basic environment without xfce or lxqt can skip running InstallPackages.sh. You can connect to WiFi using wpa_supplicant by running the following commands: +``` +wpa_passphrase > wpa.conf +wpa_supplicant -i wlan0 -c wpa.conf +``` +Now switch to another tty by pressing ctrl+alt+f2 +Login as root, and run +``` +dhclient wlan0 +``` +When that finishes, you should have access to the internet. + ### Install To USB drive or SD card Now on the C201, press `control+u` at boot to boot from the USB drive. 
@@ -120,56 +175,6 @@ When finished, it will reboot once again placing you at a login screen. This will take a while; USB 2.0 is slow. Welcome to PrawnOS. If you like it, I would suggest installing it to your internal storage (emmc). - -### Install to Internal drive (emmc) -Now on the C201, press `control+u` at boot to boot from the USB drive. - - -If you are running stock coreboot and haven't flashed Libreboot, you will first have to enable developer mode and enable USB booting. A quick search should get you some good guides, but if you're having issues feel free to open an issue here on github. - -At the prompt, login as root. The password is blank. - -WARNING! THIS WILL ERASE YOUR INTERNAL EMMC STORAGE (your Chrome OS install or other Linux install and all of the associated user data) Make sure to back up any data you would like to keep before running this. - -If you would like to install it to the internal emmc storage run: -``` -cd / -./InstallToInternal.sh -``` -_This will show a bunch of scary red warnings that are a result of the emmc (internal storage) being touchy and the kernel message level being set low for debugging. They don't seem to effect anything long-term._ - -The device will then reboot. If you are running the stock coreboot, you will have to press `control+d` or wait 30 seconds past the beep to boot to the internal storage. - -If you are running Libreboot, it should boot to the internal storage by default. If it doesn't, turn off the device and remove the flash drive before turning it on again. - -Now login as root again and run: -``` -cd /InstallResources -./InstallPackages.sh -``` -Which installs either the xfce4 or the lxqt desktop enviroment, sound, trackpad, and Xorg configurations as well as prompts you to make a new user that automatically gets sudo privileges. - - -If it asks you about terminal encoding and/or locale, just hit enter. The default works for both. - -When finished, it will reboot once again placing you at a login screen. 
- -Congratulations! Your computer is now a Prawn! https://sprorgnsm.bandcamp.com/track/the-prawn-song - -#### Connecting to WiFi in a basic environment -If you just want a basic environment without xfce or lxqt can skip running InstallPackages.sh. You can connect to WiFi using wpa_supplicant by running the following commands: -``` -wpa_passphrase > wpa.conf -wpa_supplicant -i wlan0 -c wpa.conf -``` -Now switch to another tty by pressing ctrl+alt+f2 -Login as root, and run -``` -dhclient wlan0 -``` -When that finishes, you should have access to the internet. - - ### Upgrading the kernel The script `UpgradeKernel.sh` located in `/InstallResources` can be ran be used to copy the kernel, modules, and ath9k firmware from a newer version of PrawnOS running on a USB drive or SD card onto an older version of PrawnOS installed on the laptops internal emmc storage. 
@@ -191,12 +196,14 @@ To begin with: `make filesystem` builds the -BASE filesystem image with no kernel -`make image` builds the kernel, builds the filesystem if a -BASE image doesn't exist, and combines the two into a new PrawnOS.img using kernel_inject +`make initramfs` builds the PrawnOS-initramfs.cpio.gz, which can be found in /build + +`make image` builds the initramfs image, builds the kernel, builds the filesystem if a -BASE image doesn't exist, and combines the two into a new PrawnOS.img using kernel_inject `make kernel_inject` Injects a newly built kernel into a previously built PrawnOS.img located in the root of the checkout. Usually, this will be a copy of the -BASE image made by make filesystem. Only use this if you already have a built kernel and filesystem -BASE image. -You can use the environment variable `PRAWNOS_SUITE` to use a Debian suite other than `stretch`. For example, to use Debian Buster, you can build with `sudo PRAWNOS_SUITE=buster make image`. Note that only `stretch` and `buster` have been tested. +You can use the environment variable `PRAWNOS_SUITE` to use a Debian suite other than `Buster`. For example, to use Debian stretch, you can build with `sudo PRAWNOS_SUITE=stretch make image`. Note that only `stretch` and `buster` have been tested. You can use the environment variable `PRAWNOS_DEBOOTSTRAP_MIRROR` to use a non-default Debian mirror with debootstrap. For example, to use [Debian's Tor onion service mirror](https://onion.debian.org/) with debootstrap, you can build with `sudo PRAWNOS_DEBOOTSTRAP_MIRROR=http://vwakviie2ienjx6t.onion/debian make image`. 
@@ -223,7 +230,7 @@ The pulse audio mixer will only run if you are logged in as a non-root account. Thanks to dimkr for his great devsus scripts for the Chrome OS 3.14 kernel, from which PrawnOS took much inspiration https://github.com/dimkr/devsus -Because PrawnOS started as a fork of devsus-3.14, much of this repo's history can be found at https://github.com/SolidHal/devsus/tree/hybrid_debian +Because PrawnOS started as a fork of devsus-3.14, some of this repo's ancient history can be found at https://github.com/SolidHal/devsus/tree/hybrid_debian PrawnOS is free and unencumbered software released under the terms of the GNU General Public License, version 2; see COPYING for the license text. For a list diff --git a/resources/BuildResources/cmdline b/resources/BuildResources/cmdline index a5469cf..e40e72f 100644 --- a/resources/BuildResources/cmdline +++ b/resources/BuildResources/cmdline @@ -1 +1 @@ -console=tty1 ramdisk_size=51200 initrd=/PrawnOS-initramfs.cpio.gz root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8 \ No newline at end of file +root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8 console=tty1 diff --git a/resources/BuildResources/initramfs-init b/resources/BuildResources/initramfs-init index aed89ae..dfd3adf 100644 --- a/resources/BuildResources/initramfs-init +++ b/resources/BuildResources/initramfs-init 
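Review bot: `root=PARTUUID=%U/PARTNROFF=1` now names the partition one past the kernel partition, which after the `mmc_type2.partmap` change in this same series is the new unencrypted Boot partition (p2), not the root filesystem on p3. It only works because the built-in `/init` ignores `root=` and mounts `${ROOT_DEV}3` itself, so the value is misleading in `/proc/cmdline` and wrong for any fallback that mounts root directly; if `%U` is still substituted with the kernel partition's GUID (which the init script's comment assumes), `root=PARTUUID=%U/PARTNROFF=2` is the consistent value. Dropping `initrd=`/`ramdisk_size=` matches the archive being embedded via `CONFIG_INITRAMFS_SOURCE`, and moving `console=tty1` last makes it the console the kernel uses for `/dev/console` — deliberate, I assume, so a line in DOCUMENTATION.md saying so would help.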
@@ -1,13 +1,32 @@
 #!/bin/busybox sh
+# This is the init script built into the PrawnOS initramfs
+
+# This file is part of PrawnOS (http://www.prawnos.com)
+# Copyright (c) 2018 Hal Emmerich
+
+# PrawnOS is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+
+# PrawnOS is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with PrawnOS. If not, see .
+
 echo In PrawnOS Init
 #add this to start shell at desired point
 rescue_shell() {
- [ $1 != "debug" ] && echo "Something went wrong. Dropping to a shell."
+ [ "{$1}" != "debug" ] && echo "Something went wrong. Dropping to a shell." > /dev/tty1
+ [ "{$1}" == "debug" ] && echo "Debug flag detected, entering debug shell" > /dev/tty1
 exec setsid /bin/sh -c 'exec /bin/sh /dev/tty1 2>&1'
 }
+#used to parse the kernel cmdline
 cmdline() {
 local value
 value=" $(cat /proc/cmdline) "
@@ -16,6 +35,7 @@ cmdline() {
 [ "${value}" != "" ] && echo "${value}"
 }
+#used to get the uuid of the root partiton since findfs isn't in debian busybox-static
 rootpartuuid() {
 local value
 value=$1
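Review bot: `[ "{$1}" != "debug" ]` puts the braces outside the `$`, so the test compares the literal string `{debug}` (or `{}` when called with no argument) against `debug`; the "Something went wrong" line therefore always prints and the "Debug flag detected" branch can never fire, including for the `rescue_shell debug` calls later in this file. Write `[ "${1}" != "debug" ]` and `[ "${1}" = "debug" ]` (single `=` is the form busybox `test` is guaranteed to accept; `==` is an extension). Because this function hands out a root shell on tty1, a one-line warning above it would make the trust model explicit, e.g. `# NOTE: unauthenticated root shell; reachable by anyone who can place /boot/debug on the unencrypted boot partition`. The `exec setsid ...` line is unchanged context and the rest of the script continues in later hunks.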
@@ -32,34 +52,34 @@ mount -n -t devtmpfs devtmpfs /dev
 # get the root device, so we can find the boot partiton
 UNPARSED=$(cmdline root)
 ROOT_PARTUUID=$(rootpartuuid $UNPARSED)
-echo ${ROOT_PARTUUID}
+echo ${ROOT_PARTUUID} > /dev/tty1
 BLKID=$(/bin/blkid | grep $ROOT_PARTUUID )
-echo ${BLKID}
-#If its an mmcblk device, the partiton will p1. If it is a usb device, the partiton will just be 1
-#Just want everything before the 1: so this will work
+echo ${BLKID} > /dev/tty1
+#If its an mmcblk device, the kernel partiton will p1. If it is a usb device, the partiton will just be 1
+#Just want everything before the 1
 ROOT_DEV="${BLKID%1:*}"
-echo ${ROOT_DEV}
+echo ${ROOT_DEV} > /dev/tty1
-# we use this to change what cmdline options get passed into
-# the next boot stage, aka to enable root encryption
+# we can use this to change what cmdline options get passed into
+# the next boot stage
 CMDLINE='cat /proc/cmdline'
-[ -d /boot ] || mkdir -p /boot
+[ -d "/boot" ] || mkdir -p /boot
 mount ${ROOT_DEV}2 /boot
 #Debugging can be facilitated by creating /boot/debug
-[ -f /boot/debug ] && rescue_shell debug
+[ -f "/boot/debug" ] && rescue_shell debug
-if [ -f /boot/root_encryption ]
+if [ -f "/boot/root_encryption" ]
 then
 #decrypt and mount the root filesystem
- cryptsetup --tries 5 luksOpen /dev/{ROOT_DEV}3 luksroot || rescue_shell
+ echo "Opening encrypted root partition, this will take 30s..."
+ cryptsetup --tries 5 luksOpen ${ROOT_DEV}3 luksroot || rescue_shell debug
 mount /dev/mapper/luksroot /newroot
- #TODO: UPDATE THE CMDLINE??
 else
 # mount the unencrypted root filesystem
- [ -d /newroot ] || mkdir -p /newroot
+ [ -d "/newroot" ] || mkdir -p /newroot
 mount ${ROOT_DEV}3 /newroot
 fi
@@ -69,4 +89,4 @@ umount /proc
 #swith to the new rootfs
-exec switch_root /newroot /sbin/init ${CMDLINE}
\ No newline at end of file
+exec switch_root /newroot /sbin/init ${CMDLINE}
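Review bot: `cryptsetup --tries 5 luksOpen ${ROOT_DEV}3 luksroot || rescue_shell debug` treats five failed passphrase attempts as the debug flag, which misreports why the shell appeared and gives a root prompt on an otherwise locked machine; use plain `|| rescue_shell`, or `|| { echo "Unlock failed, rebooting" > /dev/tty1; reboot -f; }` if a release image should not offer a shell at all. `/boot` is still mounted read-write from `${ROOT_DEV}2` when `exec switch_root` runs, so add `umount /boot` next to `umount /proc` in the second hunk. The rewritten comment says `CMDLINE` can change the options handed to the next stage, but the context line `CMDLINE='cat /proc/cmdline'` is a single-quoted literal, so `switch_root` passes the two words `cat` and `/proc/cmdline` to `/sbin/init`; `CMDLINE=$(cat /proc/cmdline)` is presumably what was meant. `/newroot` is only created in the unencrypted branch, so the encrypted `mount /dev/mapper/luksroot /newroot` relies on the build script having made it (not visible here — worth hoisting the `mkdir -p /newroot` above the `if`). Both `debug` and `root_encryption` are read from an unencrypted, writable partition, which deserves a comment stating that nothing on `/boot` is trusted input.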
diff --git a/resources/InstallResources/mmc_type2.partmap b/resources/InstallResources/mmc_type2.partmap
index a80bda4..93cd652 100644
--- a/resources/InstallResources/mmc_type2.partmap
+++ b/resources/InstallResources/mmc_type2.partmap
@@ -7,4 +7,5 @@ first-lba: 34 last-lba: 30777310
 /dev/mmcblk2p1 : start= 20480, size= 65536, type=FE3A2A5D-4F32-41A7-B725-ACCC3285A309, uuid=89B31CDB-1147-5241-8271-C1ADBB9BBB44, name="Kernel", attrs="GUID:49,51,52,54,56"
-/dev/mmcblk2p2 : start= 86016, size= 30691294, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=63DB8E49-63C4-984E-90A0-8AC3222C4771, name="Root"
\ No newline at end of file
+/dev/mmcblk2p2 : start= 86016, size= 976562, name="Boot"
+/dev/mmcblk2p3 : start= 1062578, size= 29714732, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=63DB8E49-63C4-984E-90A0-8AC3222C4771, name="Root"
\ No newline at end of file
diff --git a/scripts/InstallScripts/InstallToInternal.sh b/scripts/InstallScripts/InstallToInternal.sh
index 58e4923..51f91c6 100755
--- a/scripts/InstallScripts/InstallToInternal.sh
+++ b/scripts/InstallScripts/InstallToInternal.sh
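Review bot: The new `/dev/mmcblk2p2 ... name="Boot"` entry is the only partition without `type=` and `uuid=`, so sfdisk will choose a default type GUID and a fresh random partition UUID on every install, unlike the fixed identities of the Kernel and Root siblings. The initramfs mounts it by position (`${ROOT_DEV}2`), so boot still works, but a fixed `uuid=` would let the init script and fstab refer to it by PARTUUID rather than a string-derived device path; add `type=` and `uuid=` fields in the same style as the Root line, with a freshly generated GUID. The sector arithmetic checks out (86016 + 976562 = 1062578 is the Root start, and Root ends before `last-lba`).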
@@ -23,13 +23,21 @@ RESOURCES=/InstallResources
 # Grab the boot device, which is either /dev/sda for usb or /dev/mmcblk0 for an sd card
 BOOT_DEVICE=$(mount | head -n 1 | cut -d '3' -f 1)
-
+echo "--------------------------------------------------------------------------------------------------------"
+echo "PrawnOS Install To Internal Emmc Script"
+echo "Sets up the internal emmc partitions, root encryption, and copies the filesystem from the bootable media"
+echo "This script can be quit and re-ran at any point"
+echo "--------------------------------------------------------------------------------------------------------"
 read -p "This will ERASE ALL DATA ON THE INTERNAL STORAGE (EMMC) and reboot when finished, do you want to continue? [Y/n]" -n 1 -r
-echo
+echo
 if [[ $REPLY =~ ^[Yy]$ ]]
 then
 #disable dmesg, writing the partition map tries to write the the first gpt table, which is unmodifiable
 dmesg -D
+ umount /dev/mmcblk2p1 || /bin/true
+ umount /dev/mmcblk2p2 || /bin/true
+ umount /dev/mmcblk2p3 || /bin/true
+
 echo Writing partition map
 DISK_SZ="$(blockdev --getsz /dev/mmcblk2)"
 echo Total disk size is: $DISK_SZ
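Review bot: The banner says the script "can be quit and re-ran at any point" and the new `umount` lines prepare for that, but a previous run that reached `cryptsetup luksOpen` leaves the `luksroot` mapping open on `/dev/mmcblk2p3`, so the re-run will fail at `luksFormat`/`luksOpen` of a device that is still in use. Add `cryptsetup luksClose luksroot 2>/dev/null || /bin/true` and `umount /mnt/boot || /bin/true` next to the partition umounts, in the same style. A short comment on the `|| /bin/true` guards, e.g. `# not mounted on a first run; ignore`, would explain why errors are swallowed here but nowhere else in the script.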
@@ -63,17 +71,25 @@ then
 BOOT_DEV_NAME=mmcblk2p2
 ROOT_DEV_NAME=mmcblk2p3
 CRYPTO=false
+
+ #ready /boot
+ mkfs.ext4 -F -b 1024 /dev/$BOOT_DEV_NAME
+ mkdir -p /mnt/boot
+ mount /dev/$BOOT_DEV_NAME /mnt/boot
+
 #Handle full disk encryption
- # read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r
- # if [[ $REPLY =~ ^[Yy]$ ]]
- # then
- # CRYPTO=true
- # # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual
- # # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock
- # cryptsetup -s 512 luksFormat -i 15000 /dev/mmcblk2p2
- # cryptsetup luksOpen /dev/mmcblk2p2 mmcblk2p2-encrypted
- # ROOT_DEV_NAME=mapper/mmcblk2p2-encrypted
- # fi
+ read -p "Would you like to setup full disk encrytion using LUKs/DmCrypt? [Y/n]" -n 1 -r
+ if [[ $REPLY =~ ^[Yy]$ ]]
+ then
+ CRYPTO=true
+ # Since iteration count is based on cpu power, and the rk3288 isn't as fast as a usual
+ # desktop cpu, maually supply -i 15000 for security at the cost of a slightly slower unlock
+ cryptsetup -s 512 luksFormat -i 15000 /dev/$ROOT_DEV_NAME
+ cryptsetup luksOpen /dev/$ROOT_DEV_NAME luksroot
+ ROOT_DEV_NAME=mapper/luksroot
+ #set the root encryption flag
+ touch /mnt/boot/root_encryption
+ fi
 echo Writing Filesystem, this will take about 4 minutes...
 mkfs.ext4 -F -b 1024 /dev/$ROOT_DEV_NAME
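Review bot: Neither `cryptsetup -s 512 luksFormat -i 15000 /dev/$ROOT_DEV_NAME` nor the following `luksOpen` is checked, so unless the script runs under `set -e` (not visible in this hunk; the `|| /bin/true` guards earlier hint that it might) a declined "YES" confirmation, mismatched passphrases or a busy device still sets `CRYPTO=true`, touches `/mnt/boot/root_encryption` and continues into `mkfs.ext4` and `rsync` against a `/dev/mapper/luksroot` that does not exist; append `|| exit 1` to both cryptsetup lines. The comment describes `-i 15000` as an iteration count, but cryptsetup's `-i` is `--iter-time` in milliseconds: it benchmarks the KDF on this CPU and picks a cost that makes one unlock take about 15 s, which is presumably the "30s" the init script warns about. Reword it to something like `# -i is --iter-time (ms): benchmark the KDF on the rk3288 so an unlock costs ~15s` so nobody later "raises" it to 150000 expecting a faster unlock. Running the benchmark on the device itself is the right calibration, so that part of the design is fine.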
@@ -82,17 +98,20 @@ then
 rsync -ah --info=progress2 --info=name0 --numeric-ids -x / /mnt/mmc/
 #Remove the live-fstab and install a base fstab
 rm /mnt/mmc/etc/fstab
- echo "/dev/mmcblk2p3 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab
+ if [[ $CRYPTO == "true" ]]
+ then
+ echo "/dev/mappper/luksroot / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab
+ else
+ echo "/dev/mmcblk2p3 / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab
+ fi
 umount /dev/$ROOT_DEV_NAME
 echo Running fsck
 e2fsck -p -f /dev/$ROOT_DEV_NAME
- # if [ $CRYPTO true ]
- # then
- # # unmount and close encrypted storage
- # cryptsetup luksClose mmcblk2p2-encrypted
- # echo Running fsck
- # #TODO run fsck on luks part
- # fi
+ if [[ $CRYPTO == "true" ]]
+ then
+ # unmount and close encrypted storage
+ cryptsetup luksClose luksroot
+ fi
 echo Rebooting... Please remove the usb drive once shutdown is complete
 reboot
 fi
diff --git a/scripts/buildInitramFs.sh b/scripts/buildInitramFs.sh
index b4dd2a3..2e1177e 100755
--- a/scripts/buildInitramFs.sh
+++ b/scripts/buildInitramFs.sh
@@ -50,6 +50,8 @@ cleanup() {
 trap cleanup INT TERM EXIT
+[ ! -d build ] && mkdir build
+
 losetup -P $outdev $ROOT_DIR/PrawnOS-*-c201-libre-2GB.img-BASE
 #mount the root filesystem
 mount -o noatime ${outdev}p3 $outmnt
@@ -69,9 +71,12 @@ mkdir $initramfs_src/proc
 mkdir $initramfs_src/sys
 mkdir $initramfs_src/sbin
 mkdir $initramfs_src/run
+mkdir $initramfs_src/run/cryptsetup
 mkdir $initramfs_src/lib
 mkdir $initramfs_src/lib/arm-linux-gnueabihf
+cp -a $outmnt/dev/console $outmnt/dev/tty $initramfs_src/dev/
+
 #install the few tools we need, and the supporting libs
 cp $outmnt/bin/busybox $outmnt/sbin/cryptsetup $initramfs_src/bin/
 cp $outmnt/lib/arm-linux-gnueabihf/libblkid.so.1 $initramfs_src/lib/arm-linux-gnueabihf/
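Review bot: `/dev/mappper/luksroot` in the new fstab entry has three p's, so the installed system's fstab names a device that does not exist; root is already mounted by the initramfs, but systemd's remount of `/` from fstab will no longer match, and the `noatime` option and `rw` remount are likely lost on encrypted installs. Since `ROOT_DEV_NAME` already holds `mapper/luksroot` or `mmcblk2p3` by this point, the whole `if`/`else` can collapse to one line that cannot drift again: `echo "/dev/$ROOT_DEV_NAME / ext4 defaults,noatime 0 1" > /mnt/mmc/etc/fstab`. The `cryptsetup luksClose luksroot` at the end is correct, but `/mnt/boot` mounted earlier is never unmounted before `reboot`; harmless here, yet an explicit `umount /mnt/boot` keeps the script re-runnable without the reboot.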
@@ -101,6 +106,7 @@ cp $outmnt/lib/arm-linux-gnueabihf/libselinux.so.1 $initramfs_src/lib/arm-linux-
 cp $outmnt/lib/arm-linux-gnueabihf/libudev.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libudev.so.1
 cp $outmnt/lib/arm-linux-gnueabihf/libpthread.so.0 $initramfs_src/lib/arm-linux-gnueabihf/libpthread.so.0
 cp $outmnt/lib/arm-linux-gnueabihf/libpcre.so.3 $initramfs_src/lib/arm-linux-gnueabihf/libpcre.so.3
+cp $outmnt/lib/arm-linux-gnueabihf/libgcc_s.so.1 $initramfs_src/lib/arm-linux-gnueabihf/libgcc_s.so.1
 #add the init script
 cp $build_resources/initramfs-init $initramfs_src/init
@@ -115,11 +121,7 @@ ln -s busybox bin/mount
 ln -s busybox bin/sh
 ln -s busybox bin/switch_root
 ln -s busybox bin/umount
-find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > $outmnt/boot/PrawnOS-initramfs.cpio.gz
-cd $ROOT_DIR
-
-[ ! -d build ] && mkdir build
-cd build
 # store for kernel building
-cp $outmnt/boot/PrawnOS-initramfs.cpio.gz .
+find . -print0 | cpio --null --create --verbose --format=newc | gzip --best > $ROOT_DIR/build/PrawnOS-initramfs.cpio.gz
+
From 4bbd91699f4709e3a8e545a5264c53124c28e530 Mon Sep 17 00:00:00 2001 From: Hal Emmerich Date: Fri, 4 Oct 2019 09:45:27 -0500 Subject: [PATCH 10/10] clean up old initramfs method notes
---
 scripts/injectKernelIntoFS.sh | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/scripts/injectKernelIntoFS.sh b/scripts/injectKernelIntoFS.sh
index 158b2bd..2405882 100755
--- a/scripts/injectKernelIntoFS.sh
+++ b/scripts/injectKernelIntoFS.sh
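Review bot: `find . -print0 | cpio ... | gzip --best > $ROOT_DIR/build/PrawnOS-initramfs.cpio.gz` only reports gzip's exit status, and the redirect truncates the target before anything runs, so a failing `cpio` (or a short tree, since none of the `cp` lines above is checked and the sonames may differ between the stretch and buster suites the README says are supported) leaves a truncated archive that `buildKernel.sh` then embeds via `CONFIG_INITRAMFS_SOURCE`, yielding a kernel that cannot unlock root. Build the archive in two checked steps into temp files and rename only on success; the script's existing `cleanup` trap fires on the `exit 1`. The `cd` into the staging directory that `find .` depends on is outside this hunk.
```shell
# … unchanged: busybox symlinks …
out=$ROOT_DIR/build/PrawnOS-initramfs.cpio.gz
find . -print0 | cpio --null --create --verbose --format=newc > "$out.cpio.tmp" || { rm -f "$out.cpio.tmp"; exit 1; }
gzip --best < "$out.cpio.tmp" > "$out.tmp" || { rm -f "$out.cpio.tmp" "$out.tmp"; exit 1; }
rm -f "$out.cpio.tmp"
mv -f "$out.tmp" "$out"
```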
@@ -64,15 +64,6 @@ dd if=$build_resources/blank_kernel of=${outdev}p1 conv=notrunc
 dd if=build/linux-$KVER/vmlinux.kpart of=${outdev}p1 conv=notrunc
 make -C build/linux-$KVER ARCH=arm INSTALL_MOD_PATH=$outmnt modules_install
-# put the required kernel items into the initramfs aka the device tree and the kernel image
-# TODO: the in-place kernel upgrade script must be changed to copy in new versions of these files
-# cp build/linux-$KVER/arch/arm/boot/dts/rk3288-veyron-speedy.dtb $outmnt/boot/rk3288-veyron-speedy.dtb
-# cp build/linux-$KVER/vmlinux.kpart $outmnt/boot
-
-#TODO: do we actually need the kernel in /boot?? I think not. lets test and find out
-
-# the initramfs is build into the kernel image
-
 # the ath9k firmware is built into the kernel image, so nothing else must be done
 umount -l $outmnt > /dev/null 2>&1