VerityBook/pre-pivot.sh

#!/bin/bash

set -o pipefail

bootdisk() {
    UUID=$({ read -r -n 1 -d '' _; read -n 72 uuid; echo -n ${uuid,,}; } < /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f)

    [[ $UUID ]] || return 1
    echo "/dev/disk/by-partuuid/$UUID"
    return 0
}

get_disk() {
    for dev in /dev/disk/by-path/*; do
        [[ $dev -ef $1 ]] || continue
        echo ${dev%-part*}
        return 0
    done
    return 1
}

udevadm settle

BOOTDISK=$(get_disk $(bootdisk))
[[ $BOOTDISK ]] || die "No boot disk found"

unset FOUND
for swapdev in $BOOTDISK-part*; do
    [[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue
    FOUND=1
    break
done

if [[ $FOUND ]]; then
    if cryptsetup isLuks --type luks2 "$swapdev"; then
        luksname=swap
        luksdev=/dev/mapper/$luksname

        if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then
            export TPM2TOOLS_TCTI_NAME=device
            export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0

            if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' 2>&1 | vwarn; then
                clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
                echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
            elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}' 2>&1 | vwarn; then
                clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
                echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
            else
                warn "Failed to bind swap disk to TPM2"
            fi
        else
            clevis-luks-unlock -d "$swapdev" -n "$luksname"  2>&1 | vinfo || die "Failed to unlock $swapdev"
        fi
        swapdev="$luksdev"
    fi

    swaptype=$(blkid -o value -s TYPE "$swapdev")
    [[ $swaptype == "swsuspend" ]] && \
        /usr/lib/systemd/systemd-hibernate-resume "$swapdev"  &>/dev/null

    [[ $swaptype != "swap" ]] && \
        mkswap "$swapdev" 2>&1 | vinfo

    swapon "$swapdev" 2>&1 | vinfo
fi


unset FOUND
for datadev in $BOOTDISK-part*; do
    [[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
    FOUND=1
    break
done
[[ $FOUND ]] || die "No data disk found"

if cryptsetup isLuks --type luks2 "$datadev"; then
    #luksname=luks-$(blkid -o value -s UUID "$datadev")
    luksname=data
    luksdev=/dev/mapper/$luksname

    if ! [[ -b $luksdev ]]; then
        if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
            export TPM2TOOLS_TCTI_NAME=device
            export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0

            if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
                clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
            elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
                clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
            else
                warn "Failed to bind disk to TPM2"
                echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
            fi
        else
            clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
        fi
        tpm2_pcrextend \
            -T device:/dev/tpmrm0 \
            7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \
            || die "Failed to extend PCR7"
    fi
    datadev="$luksdev"
fi

if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
    mkfs.xfs -f -L data "$datadev"
fi

mkdir -p /run/initramfs/mnt

mount -o discard $datadev /run/initramfs/mnt || die "Failed to mount $datadev"

for i in var home cfg; do
    if ! [[ -d /run/initramfs/mnt/$i ]]; then
        mkdir /run/initramfs/mnt/$i
        FIRST_TIME=1
    elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then
        RELABEL=1
    fi
done

mount -o bind /run/initramfs/mnt/var /sysroot/var
mount -o bind /run/initramfs/mnt/home /sysroot/home
mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
umount -l /run/initramfs/mnt &>/dev/null

if [[ $FIRST_TIME ]]; then
    mount -o bind /sys /sysroot/sys
    mount -t selinuxfs none /sysroot/sys/fs/selinux
    chroot /sysroot bash -c '
/usr/sbin/load_policy -i
/sbin/restorecon -m -F -v /cfg /var /home
'
    umount /sysroot/sys/fs/selinux
    umount /sysroot/sys
fi

if [[ $RELABEL ]]; then
    mount -o bind /sys /sysroot/sys
    mount -t selinuxfs none /sysroot/sys/fs/selinux
    chroot /sysroot bash -c '
/usr/sbin/load_policy -i
for i in var home cfg; do
    [[ -e /$i/.autorelabel ]] || continue
    rm -f /$i/.autorelabel
    /sbin/restorecon -m -F -v -R /$i
done
' 2>&1 | vwarn
    umount /sysroot/sys/fs/selinux
    umount /sysroot/sys
fi

:
initial commit 2018-08-28 09:25:03 +02:00			`#!/bin/bash`

pre-pivot.sh: udevadm settle wait for udev to settle to mount the correct data disk 2018-09-12 16:40:53 +02:00			`set -o pipefail`

use single image for squashfs and dmverity 2018-09-11 16:47:20 +02:00			`bootdisk() {`
			`UUID=$({ read -r -n 1 -d '' _; read -n 72 uuid; echo -n ${uuid,,}; } < /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f)`
initial commit 2018-08-28 09:25:03 +02:00
use single image for squashfs and dmverity 2018-09-11 16:47:20 +02:00			`[[ $UUID ]] \|\| return 1`
			`echo "/dev/disk/by-partuuid/$UUID"`
			`return 0`
			`}`
initial commit 2018-08-28 09:25:03 +02:00
use single image for squashfs and dmverity 2018-09-11 16:47:20 +02:00			`get_disk() {`
			`for dev in /dev/disk/by-path/*; do`
			`[[ $dev -ef $1 ]] \|\| continue`
			`echo ${dev%-part*}`
			`return 0`
			`done`
			`return 1`
			`}`
initial commit 2018-08-28 09:25:03 +02:00
pre-pivot.sh: udevadm settle wait for udev to settle to mount the correct data disk 2018-09-12 16:40:53 +02:00			`udevadm settle`

move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`BOOTDISK=$(get_disk $(bootdisk))`
use single image for squashfs and dmverity 2018-09-11 16:47:20 +02:00			`[[ $BOOTDISK ]] \|\| die "No boot disk found"`
initial commit 2018-08-28 09:25:03 +02:00
update 2018-09-07 16:47:54 +02:00			`unset FOUND`
use single image for squashfs and dmverity 2018-09-11 16:47:20 +02:00			`for swapdev in $BOOTDISK-part*; do`
update 2018-09-07 16:47:54 +02:00			`[[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] \|\| continue`
			`FOUND=1`
			`break`
			`done`

			`if [[ $FOUND ]]; then`
			`if cryptsetup isLuks --type luks2 "$swapdev"; then`
			`luksname=swap`
			`luksdev=/dev/mapper/$luksname`

			`if ! cryptsetup luksDump "$swapdev" \| grep -F -q clevis ; then`
			`export TPM2TOOLS_TCTI_NAME=device`
			`export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0`

update 2018-09-11 11:37:47 +02:00			`if echo -n "zero key" \| clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' 2>&1 \| vwarn; then`
update 2018-09-07 16:47:54 +02:00			`clevis-luks-unlock -d "$swapdev" -n "$luksname" \|\| die "Failed to unlock $swapdev"`
			`echo -n "zero key" \| cryptsetup luksRemoveKey "$swapdev" /dev/stdin \|\| die "Failed to remove key from LUKS"`
update 2018-09-11 11:37:47 +02:00			`elif echo -n "zero key" \| clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}' 2>&1 \| vwarn; then`
update 2018-09-07 16:47:54 +02:00			`clevis-luks-unlock -d "$swapdev" -n "$luksname" \|\| die "Failed to unlock $swapdev"`
			`echo -n "zero key" \| cryptsetup luksRemoveKey "$swapdev" /dev/stdin \|\| die "Failed to remove key from LUKS"`
			`else`
			`warn "Failed to bind swap disk to TPM2"`
			`fi`
			`else`
update 2018-09-11 11:37:47 +02:00			`clevis-luks-unlock -d "$swapdev" -n "$luksname" 2>&1 \| vinfo \|\| die "Failed to unlock $swapdev"`
update 2018-09-07 16:47:54 +02:00			`fi`
			`swapdev="$luksdev"`
			`fi`

			`swaptype=$(blkid -o value -s TYPE "$swapdev")`
			`[[ $swaptype == "swsuspend" ]] && \`
update 2018-09-11 11:37:47 +02:00			`/usr/lib/systemd/systemd-hibernate-resume "$swapdev" &>/dev/null`
update 2018-09-07 16:47:54 +02:00
			`[[ $swaptype != "swap" ]] && \`
update 2018-09-11 11:37:47 +02:00			`mkswap "$swapdev" 2>&1 \| vinfo`
update 2018-09-07 16:47:54 +02:00
update 2018-09-11 11:37:47 +02:00			`swapon "$swapdev" 2>&1 \| vinfo`
update 2018-09-07 16:47:54 +02:00			`fi`


initial commit 2018-08-28 09:25:03 +02:00			`unset FOUND`
use single image for squashfs and dmverity 2018-09-11 16:47:20 +02:00			`for datadev in $BOOTDISK-part*; do`
initial commit 2018-08-28 09:25:03 +02:00			`[[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] \|\| continue`
			`FOUND=1`
			`break`
			`done`
update 2018-09-07 16:47:54 +02:00			`[[ $FOUND ]] \|\| die "No data disk found"`
initial commit 2018-08-28 09:25:03 +02:00
			`if cryptsetup isLuks --type luks2 "$datadev"; then`
use /dev/mapper/data and a /etc/fstab on the real root 2018-09-05 15:07:46 +02:00			`#luksname=luks-$(blkid -o value -s UUID "$datadev")`
			`luksname=data`
			`luksdev=/dev/mapper/$luksname`
initial commit 2018-08-28 09:25:03 +02:00
use /dev/mapper/data and a /etc/fstab on the real root 2018-09-05 15:07:46 +02:00			`if ! [[ -b $luksdev ]]; then`
extend PCR7 after using it to unlock the LUKS 2018-09-05 15:23:03 +02:00			`if ! cryptsetup luksDump "$datadev" \| grep -F -q clevis ; then`
			`export TPM2TOOLS_TCTI_NAME=device`
			`export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0`

			`if echo -n "zero key" \| clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then`
			`clevis-luks-unlock -d "$datadev" -n "$luksname" \|\| die "Failed to unlock $datadev"`
			`elif echo -n "zero key" \| clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then`
			`clevis-luks-unlock -d "$datadev" -n "$luksname" \|\| die "Failed to unlock $datadev"`
			`else`
			`warn "Failed to bind disk to TPM2"`
			`echo -n "zero key" \| cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin`
			`fi`
			`else`
			`clevis-luks-unlock -d "$datadev" -n "$luksname" \|\| die "Failed to unlock $datadev"`
			`fi`
			`tpm2_pcrextend \`
			`-T device:/dev/tpmrm0 \`
			`7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \`
			`\|\| die "Failed to extend PCR7"`
initial commit 2018-08-28 09:25:03 +02:00			`fi`
use /dev/mapper/data and a /etc/fstab on the real root 2018-09-05 15:07:46 +02:00			`datadev="$luksdev"`
initial commit 2018-08-28 09:25:03 +02:00			`fi`

use /dev/mapper/data and a /etc/fstab on the real root 2018-09-05 15:07:46 +02:00			`if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then`
			`mkfs.xfs -f -L data "$datadev"`
initial commit 2018-08-28 09:25:03 +02:00			`fi`

pre-pivot.sh: mount data partition in /run first 2018-09-18 10:44:32 +02:00			`mkdir -p /run/initramfs/mnt`

			`mount -o discard $datadev /run/initramfs/mnt \|\| die "Failed to mount $datadev"`
initial commit 2018-08-28 09:25:03 +02:00
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`for i in var home cfg; do`
pre-pivot.sh: mount data partition in /run first 2018-09-18 10:44:32 +02:00			`if ! [[ -d /run/initramfs/mnt/$i ]]; then`
			`mkdir /run/initramfs/mnt/$i`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`FIRST_TIME=1`
SELINUX=1 enforcing 2018-09-20 07:24:26 +02:00			`elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then`
			`RELABEL=1`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`fi`
initial commit 2018-08-28 09:25:03 +02:00			`done`

pre-pivot.sh: mount data partition in /run first 2018-09-18 10:44:32 +02:00			`mount -o bind /run/initramfs/mnt/var /sysroot/var`
			`mount -o bind /run/initramfs/mnt/home /sysroot/home`
			`mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg`
SELINUX=1 enforcing 2018-09-20 07:24:26 +02:00			`umount -l /run/initramfs/mnt &>/dev/null`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00
			`if [[ $FIRST_TIME ]]; then`
pre-pivot.sh: do it all by hand 2018-09-18 19:05:20 +02:00			`mount -o bind /sys /sysroot/sys`
selinux 2018-09-19 08:02:18 +02:00			`mount -t selinuxfs none /sysroot/sys/fs/selinux`
SELINUX=1 enforcing 2018-09-20 07:24:26 +02:00			`chroot /sysroot bash -c '`
			`/usr/sbin/load_policy -i`
			`/sbin/restorecon -m -F -v /cfg /var /home`
			`'`
pre-pivot.sh: do it all by hand 2018-09-18 19:05:20 +02:00			`umount /sysroot/sys/fs/selinux`
			`umount /sysroot/sys`
move everything configurable to /cfg and try selinux 2018-09-17 17:32:13 +02:00			`fi`
selinux 2018-09-19 08:02:18 +02:00
SELINUX=1 enforcing 2018-09-20 07:24:26 +02:00			`if [[ $RELABEL ]]; then`
			`mount -o bind /sys /sysroot/sys`
			`mount -t selinuxfs none /sysroot/sys/fs/selinux`
			`chroot /sysroot bash -c '`
			`/usr/sbin/load_policy -i`
			`for i in var home cfg; do`
			`[[ -e /$i/.autorelabel ]] \|\| continue`
			`rm -f /$i/.autorelabel`
			`/sbin/restorecon -m -F -v -R /$i`
			`done`
			`' 2>&1 \| vwarn`
			`umount /sysroot/sys/fs/selinux`
			`umount /sysroot/sys`
			`fi`

			`:`