From a61a66718fc4df5ec53dae0c38f2d41b02605e3f Mon Sep 17 00:00:00 2001 From: Hal Emmerich Date: Tue, 17 Sep 2019 20:50:27 -0500 Subject: [PATCH] Add initramfs to image to enable root encryption --- resources/BuildResources/cmdline | 2 +- resources/BuildResources/config | 6 ++- resources/BuildResources/initramfs-init | 51 +++++++++++++++++++++++++ scripts/buildFilesystem.sh | 46 ++++++++++++++++++---- 4 files changed, 95 insertions(+), 10 deletions(-) create mode 100644 resources/BuildResources/initramfs-init diff --git a/resources/BuildResources/cmdline b/resources/BuildResources/cmdline index 03de9f1..a5469cf 100644 --- a/resources/BuildResources/cmdline +++ b/resources/BuildResources/cmdline @@ -1 +1 @@ -console=tty1 init=/sbin/init root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8 \ No newline at end of file +console=tty1 ramdisk_size=51200 initrd=/PrawnOS-initramfs.cpio.gz root=PARTUUID=%U/PARTNROFF=1 rootfstype=ext4 rootwait ro net.ifnames=0 console=ttyS2,115200n8 earlyprintk=ttyS2,115200n8 \ No newline at end of file diff --git a/resources/BuildResources/config b/resources/BuildResources/config index 544e87e..f24cc3f 100644 --- a/resources/BuildResources/config +++ b/resources/BuildResources/config @@ -1464,10 +1464,12 @@ CONFIG_ZRAM=y # CONFIG_ZRAM_MEMORY_TRACKING is not set CONFIG_BLK_DEV_LOOP=y CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 -# CONFIG_BLK_DEV_CRYPTOLOOP is not set +CONFIG_BLK_DEV_CRYPTOLOOP=y # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set -# CONFIG_BLK_DEV_RAM is not set +CONFIG_BLK_DEV_RAM=y +CONFIG_BLK_DEV_RAM_COUNT=16 +CONFIG_BLK_DEV_RAM_SIZE=4096 # CONFIG_CDROM_PKTCDVD is not set # CONFIG_ATA_OVER_ETH is not set # CONFIG_BLK_DEV_RBD is not set diff --git a/resources/BuildResources/initramfs-init b/resources/BuildResources/initramfs-init new file mode 100644 index 0000000..3576425 --- /dev/null +++ b/resources/BuildResources/initramfs-init @@ -0,0 +1,51 @@ +#!/bin/busybox sh + + +cmdline() { + local value + value=" $(cat /proc/cmdline) " + value="${value##* ${1}=}" + value="${value%% *}" + [ "${value}" != "" ] && echo "${value}" +} + +rootpartuuid() { + local value + value=$1 + value="${value%/*}" + value="${value#*=}" + [ "${value}" != "" ] && echo "${value}" +} + +# mount the bare necesities +mount -n -t proc proc /proc +mount -n -t sysfs sysfs /sys +mount -n -t devtmpfs devtmpfs /dev +mount -n -t tmpfs tmpfs /run + +# get the root device, so we can find the boot partiton +UNPARSED=$(cmdline root) +ROOT_PARTUUID=$(rootpartuuid $UNPARSED) +echo ${ROOT_PARTUUID} +BLKID=$(/bin/blkid | grep $ROOT_PARTUUID ) +echo ${BLKID} +#If its an mmcblk device, the partiton will p1. If it is a usb device, the partiton will just be 1 +#Just want everything before the 1: so this will work +ROOT_DEV="${BLKID%1:*}" + +echo ${ROOT_DEV} + + +# we use this to change what cmdline options get passed into +# the next boot stage, aka to enable root encryption +CMDLINE='cat /proc/cmdline' + +# mount new root +[ -d /newroot ] || mkdir -p /newroot +mount ${ROOT_DEV}3 /newroot + +umount /sys +umount /proc + +#swith to the new rootfs +exec swith_root /newroot "/sbin/init" ${CMDLINE} \ No newline at end of file diff --git a/scripts/buildFilesystem.sh b/scripts/buildFilesystem.sh index fb5a40c..5ce6834 100755 --- a/scripts/buildFilesystem.sh +++ b/scripts/buildFilesystem.sh @@ -62,23 +62,35 @@ cleanup() { trap cleanup INT TERM EXIT - +#layout the partitons and write filesystem information create_image() { - # it's a sparse file - that's how we fit a 16GB image inside a 3GB one dd if=/dev/zero of=$1 bs=$3 count=$4 conv=sparse parted --script $1 mklabel gpt cgpt create $1 cgpt add -i 1 -t kernel -b 8192 -s 65536 -l Kernel -S 1 -T 5 -P 10 $1 - start=$((8192 + 65536)) + boot_start=$((8192 + 65536)) + boot_end=`cgpt show $1 | grep 'Sec GPT table' | awk '{print $1}'` + size=$(($boot_end - $boot_start)) + #create the initramfs partiton, aka /boot + boot_start=$(($start + $size)) + boot_size=409600 # 200 MB + cgpt add -i 2 -t data -b $boot_start -s $boot_size -l Boot $1 + #Now the main filesystem + root_start=$(($boot_start + $boot_size)) end=`cgpt show $1 | grep 'Sec GPT table' | awk '{print $1}'` - size=$(($end - $start)) - cgpt add -i 2 -t data -b $start -s $size -l Root $1 + root_size=$(($end - $root_start)) + cgpt add -i 3 -t data -b $start -s $size -l Root $1 # $size is in 512 byte blocks while ext4 uses a block size of 1024 bytes losetup -P $2 $1 - mkfs.ext4 -F -b 1024 -m 0 ${2}p2 $(($size / 2)) + mkfs.ext4 -F -b 1024 -m 0 ${2}p2 $(($boot_size / 2)) + mkfs.ext4 -F -b 1024 -m 0 ${2}p3 $(($root_size / 2)) # mount the / partition mount -o noatime ${2}p2 $5 + + # mount the /boot partiton + mkdir -p $5/boot + mount -o noatime ${2}p2 $5/boot } # use buster if no suite is specified @@ -152,7 +164,27 @@ chroot $outmnt locale-gen #Install the base packages chroot $outmnt apt update -chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync +chroot $outmnt apt install -y initscripts udev kmod net-tools inetutils-ping traceroute iproute2 isc-dhcp-client wpasupplicant iw alsa-utils cgpt vim-tiny less psmisc netcat-openbsd ca-certificates bzip2 xz-utils ifupdown nano apt-utils git kpartx gdisk parted rsync busybox-static + +#make the initramfs image that gets copied to partiton 2 +#make a skeleton filesystem +initramfs_src=/usr/src/initramfs +chroot $outmnt mkdir -p $initramfs_src +chroot $outmnt mkdir $initramfs_src/{bin,dev,etc,newroot,proc,sys,sbin,run,lib,lib/arm-linux-gnueabihf} +#install the few tools we need +chroot $outmnt cp /bin/busybox /sbin/cryptsetup $initramfs_src/bin/ +chroot $outmnt cp /lib/arm-linux-gnueabihf/{libblkid.so.1,libc.so.6,libuuid.so.1} $initramfs_src/lib/arm-linux-gnueabihf/ +chroot $outmnt cp /lib/ld-linux-armhf.so.3 $initramfs_src/lib/ +chroot $outmnt cp /sbin/blkid $initramfs_src/bin/ + +#add the init script +cp $build_resources/initramfs-init $outmnt/$initramfs_src/init +chroot $outmnt chmod +x $initramfs_src/init + +#compress and install +#TODO, make this correct +chroot $outmnt find $initramfs_src -print0 | cpio --null --create --verbose --format=newc | gzip --best > /boot/PrawnOS-initramfs.cpio.gz + #add the live-boot fstab cp -f $build_resources/external_fstab $outmnt/etc/fstab