Add initramfs to image to enable root encryption

This commit is contained in:
Hal Emmerich 2019-09-17 20:50:27 -05:00
parent d16b6ce588
commit a61a66718f
4 changed files with 95 additions and 10 deletions


@ -1 +1 @@
console=tty1 init=/sbin/init root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8
console=tty1 ramdisk_size=51200 initrd=/PrawnOS-initramfs.cpio.gz root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8
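Review bot: The added `initrd=/PrawnOS-initramfs.cpio.gz` key is, as far as I can tell, only interpreted by the kernel's EFI stub (it loads the named file from the EFI system partition); the core kernel does not parse `initrd=` from the command line, and the vboot/depthcharge path these Chromebooks boot from hands over a kernel partition, not a file on an ext4 partition, so I would confirm on hardware that the initramfs is actually found before relying on it for root encryption. If it is not, the usual fix on this platform is to build the archive into the kernel image (CONFIG_INITRAMFS_SOURCE) rather than name it here. Note also that `root=PARTUUID=%U/PARTNROFF=1` now points at the new Boot partition rather than the root filesystem; that is consistent with the initramfs init script deriving the device from it and mounting partition 3, but it deserves a comment in whatever documents this cmdline since the two must be kept in sync.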


@ -1464,10 +1464,12 @@ CONFIG_ZRAM=y
# CONFIG_ZRAM_MEMORY_TRACKING is not set
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
# CONFIG_BLK_DEV_CRYPTOLOOP is not set
CONFIG_BLK_DEV_CRYPTOLOOP=y
# CONFIG_BLK_DEV_DRBD is not set
# CONFIG_BLK_DEV_NBD is not set
# CONFIG_BLK_DEV_RAM is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_BLK_DEV_RAM_SIZE=4096
# CONFIG_CDROM_PKTCDVD is not set
# CONFIG_ATA_OVER_ETH is not set
# CONFIG_BLK_DEV_RBD is not set
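Review bot: `CONFIG_BLK_DEV_CRYPTOLOOP=y` is not the kernel feature that cryptsetup (which the build script in this commit copies into the initramfs) uses — cryptsetup drives the device-mapper dm-crypt target, so the options root encryption needs are `CONFIG_MD=y`, `CONFIG_BLK_DEV_DM=y`, `CONFIG_DM_CRYPT=y` and the cipher/hash/mode modules the LUKS volume will use (e.g. AES, XTS, SHA-256), none of which appear in this hunk, so check they are already set elsewhere in the config. Cryptoloop itself has been deprecated upstream in favour of dm-crypt because its cipher-mode/IV handling is considered insecure, so enabling it adds attack surface without helping here; I would keep `# CONFIG_BLK_DEV_CRYPTOLOOP is not set`. Separately, `CONFIG_BLK_DEV_RAM` only provides /dev/ram* block devices; unpacking a cpio initramfs requires `CONFIG_BLK_DEV_INITRD=y`, which is outside this hunk and worth confirming.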


@ -0,0 +1,51 @@
#!/bin/busybox sh
cmdline() {
local value
value=" $(cat /proc/cmdline) "
value="${value##* ${1}=}"
value="${value%% *}"
[ "${value}" != "" ] && echo "${value}"
}
rootpartuuid() {
local value
value=$1
value="${value%/*}"
value="${value#*=}"
[ "${value}" != "" ] && echo "${value}"
}
# mount the bare necesities
mount -n -t proc proc /proc
mount -n -t sysfs sysfs /sys
mount -n -t devtmpfs devtmpfs /dev
mount -n -t tmpfs tmpfs /run
# get the root device, so we can find the boot partiton
UNPARSED=$(cmdline root)
ROOT_PARTUUID=$(rootpartuuid $UNPARSED)
echo ${ROOT_PARTUUID}
BLKID=$(/bin/blkid | grep $ROOT_PARTUUID )
echo ${BLKID}
#If its an mmcblk device, the partiton will p1. If it is a usb device, the partiton will just be 1
#Just want everything before the 1: so this will work
ROOT_DEV="${BLKID%1:*}"
echo ${ROOT_DEV}
# we use this to change what cmdline options get passed into
# the next boot stage, aka to enable root encryption
CMDLINE='cat /proc/cmdline'
# mount new root
[ -d /newroot ] || mkdir -p /newroot
mount ${ROOT_DEV}3 /newroot
umount /sys
umount /proc
#swith to the new rootfs
exec swith_root /newroot "/sbin/init" ${CMDLINE}
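Review bot: The final `exec swith_root /newroot "/sbin/init" ${CMDLINE}` cannot work as written: the applet is spelled `switch_root`, and `CMDLINE='cat /proc/cmdline'` (single quotes) stores the literal text rather than running the command, so init would receive the words `cat` and `/proc/cmdline` as arguments; by that point /proc is also already unmounted, so the read has to move above the `umount` lines — `CMDLINE=$(cat /proc/cmdline)` before `umount /sys`, then `exec switch_root /newroot /sbin/init "$CMDLINE"`. Nothing checks that `BLKID`/`ROOT_DEV` were non-empty or that `mount ${ROOT_DEV}3 /newroot` succeeded, and on failure switch_root will refuse or the kernel will panic with no diagnostics; I would guard it with `mount "${ROOT_DEV}3" /newroot || exec /bin/busybox sh` so a failed boot lands in a recovery shell (acceptable here only because nothing in this initramfs is secret). The bare `mount`, `cat`, `grep` and `mkdir` calls assume busybox resolves applets by name; unless the busybox build has standalone-shell applet lookup, or `busybox --install -s` is run when the initramfs is assembled, these names will not exist in this minimal tree and should be invoked as `/bin/busybox mount` etc. Also `grep $ROOT_PARTUUID` is an unanchored substring match and `ROOT_DEV="${BLKID%1:*}"` cuts at the first `1:`, which works for the two layouts the comment describes but is fragile; `grep -F "PARTUUID=\"$ROOT_PARTUUID\""` would at least pin the match to the right field.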


@ -62,23 +62,35 @@ cleanup() {
trap cleanup INT TERM EXIT
#layout the partitons and write filesystem information
create_image() {
# it's a sparse file - that's how we fit a 16GB image inside a 3GB one
dd if=/dev/zero of=$1 bs=$3 count=$4 conv=sparse
parted --script $1 mklabel gpt
cgpt create $1
cgpt add -i 1 -t kernel -b 8192 -s 65536 -l Kernel -S 1 -T 5 -P 10 $1
start=$((8192 + 65536))
boot_start=$((8192 + 65536))
boot_end=`cgpt show $1 | grep 'Sec GPT table' | awk '{print $1}'`
size=$(($boot_end - $boot_start))
#create the initramfs partiton, aka /boot
boot_start=$(($start + $size))
boot_size=409600 # 200 MB
cgpt add -i 2 -t data -b $boot_start -s $boot_size -l Boot $1
#Now the main filesystem
root_start=$(($boot_start + $boot_size))
end=`cgpt show $1 | grep 'Sec GPT table' | awk '{print $1}'`
size=$(($end - $start))
cgpt add -i 2 -t data -b $start -s $size -l Root $1
root_size=$(($end - $root_start))
cgpt add -i 3 -t data -b $start -s $size -l Root $1
# $size is in 512 byte blocks while ext4 uses a block size of 1024 bytes
losetup -P $2 $1
mkfs.ext4 -F -b 1024 -m 0 ${2}p2 $(($size / 2))
mkfs.ext4 -F -b 1024 -m 0 ${2}p2 $(($boot_size / 2))
mkfs.ext4 -F -b 1024 -m 0 ${2}p3 $(($root_size / 2))
# mount the / partition
mount -o noatime ${2}p2 $5
# mount the /boot partiton
mkdir -p $5/boot
mount -o noatime ${2}p2 $5/boot
}
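Review bot: The Root partition is added with the old variables, `cgpt add -i 3 -t data -b $start -s $size -l Root $1`, even though the hunk computes `root_start` and `root_size` two lines earlier; that line should be `cgpt add -i 3 -t data -b $root_start -s $root_size -l Root $1`, otherwise partition 3 is placed from whatever the earlier `start`/`size` assignments that survive on the new side happen to hold, which by the arithmetic shown would overlap partition 2. The mounts at the end have the same drift: `mount -o noatime ${2}p2 $5` followed by `mount -o noatime ${2}p2 $5/boot` mounts the 200 MB Boot partition twice and never mounts the root filesystem, so everything installed into `$5` lands in the boot partition; the first mount should be `mount -o noatime ${2}p3 $5`. Since the initramfs init script and the kernel cmdline both refer to these partitions by number, a one-line comment above `boot_size=409600` such as `# partition 2 = Boot (initramfs), 3 = Root; the initramfs init and cmdline assume this numbering` would stop a later renumbering from silently breaking boot.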
# use buster if no suite is specified
@ -152,7 +164,27 @@ chroot $outmnt locale-gen
#Install the base packages
chroot $outmnt apt update
chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync
chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync busybox-static
#make the initramfs image that gets copied to partiton 2
#make a skeleton filesystem
initramfs_src=/usr/src/initramfs
chroot $outmnt mkdir -p $initramfs_src
chroot $outmnt mkdir $initramfs_src/{bin,dev,etc,newroot,proc,sys,sbin,run,lib,lib/arm-linux-gnueabihf}
#install the few tools we need
chroot $outmnt cp /bin/busybox /sbin/cryptsetup $initramfs_src/bin/
chroot $outmnt cp /lib/arm-linux-gnueabihf/{libblkid.so.1,libc.so.6,libuuid.so.1} $initramfs_src/lib/arm-linux-gnueabihf/
chroot $outmnt cp /lib/ld-linux-armhf.so.3 $initramfs_src/lib/
chroot $outmnt cp /sbin/blkid $initramfs_src/bin/
#add the init script
cp $build_resources/initramfs-init $outmnt/$initramfs_src/init
chroot $outmnt chmod +x $initramfs_src/init
#compress and install
#TODO, make this correct
chroot $outmnt find $initramfs_src -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/PrawnOS-initramfs.cpio.gz
#add the live-boot fstab
cp -f $build_resources/external_fstab $outmnt/etc/fstab
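Review bot: The archive line `chroot $outmnt find $initramfs_src -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/PrawnOS-initramfs.cpio.gz` (already marked TODO) has two defects: find emits paths prefixed with `/usr/src/initramfs/`, so the cpio entries unpack to `/usr/src/initramfs/init` rather than `/init` and the kernel finds no init, and the redirection is evaluated by the host shell, so the image is written into the build host's `/boot` (as root, overwriting anything of that name) instead of `$outmnt/boot`. Both are fixed by running the pipeline inside the chroot from the source directory: `chroot $outmnt sh -c "cd $initramfs_src && find . -print0 | cpio --null --create --format=newc | gzip --best > /boot/PrawnOS-initramfs.cpio.gz"`. The hand-picked library list (libblkid, libc, libuuid and the loader) is enough for blkid, but `cryptsetup` does not appear in the apt install line in this hunk and on Debian it links further shared libraries (at least libcryptsetup and libdevmapper plus their dependencies), so unless it is installed elsewhere the `cp /sbin/cryptsetup` will fail or yield a binary that cannot start in the initramfs; deriving the list with `ldd` over each copied binary is more reliable than naming libraries by hand. Finally only the busybox binary is copied with no applet links, so add `chroot $outmnt /bin/busybox --install -s $initramfs_src/bin` (or equivalent) since the init script calls `mount`, `cat`, `grep` and `mkdir` by bare name.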