diff --git a/20fedorabook/module-setup.sh b/20fedorabook/module-setup.sh
new file mode 100755
index 0000000..99a207b
--- /dev/null
+++ b/20fedorabook/module-setup.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+installkernel() {
+ instmods =drivers/char/tpm
+}
+
+install() {
+ inst_multiple \
+ wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl \
+ clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt \
+ clevis-luks-unlock clevis-decrypt-tpm2 \
+ cryptsetup tail sort pwmake mktemp swapon \
+ tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy \
+ tpm2_create tpm2_load tpm2_unseal tpm2_takeownership sleep setfiles \
+ /usr/lib/systemd/system/clevis-luks-askpass.path \
+ /usr/lib/systemd/system/clevis-luks-askpass.service \
+ /usr/libexec/clevis-luks-askpass \
+ /usr/lib64/libtss2-esys.so.0 \
+ /usr/lib64/libtss2-tcti-device.so.0 \
+ /sbin/rngd \
+ /usr/lib/systemd/system/basic.target.wants/rngd.service \
+ ${NULL}
+
+ inst_dir /usr/share/cracklib
+ inst_hook pre-pivot 80 "$moddir/pre-pivot.sh"
+}
diff --git a/20fedorabook/pre-pivot.sh b/20fedorabook/pre-pivot.sh
new file mode 100644
index 0000000..7c0f7d9
--- /dev/null
+++ b/20fedorabook/pre-pivot.sh
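Review bot: The two `/usr/lib64/libtss2-*.so.0` entries in `inst_multiple` need a why-comment, because a reader will assume dracut's normal shared-library resolution already covers them; presumably they are listed because the TCTI and ESYS libraries are loaded by name at runtime (the hook sets `TPM2TOOLS_TCTI_NAME=device`) rather than linked into the binaries, which a dependency scan would miss — confirm and state it, e.g. `# loaded by name at runtime (TPM2TOOLS_TCTI_NAME), not linked: install explicitly`. The trailing `${NULL}` is a known trick but looks like a typo to anyone unfamiliar with it; `# ${NULL}: lets every real entry end in a backslash` would settle it. The module also declares no `depends()`, so the `crypt` and `systemd` modules the hook relies on (`cryptsetup`, `clevis-luks-unlock`, the askpass units) must be listed by the caller; `depends() { echo crypt systemd; return 0; }` would make the module self-describing and is the convention for dracut modules.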
@@ -0,0 +1,173 @@
+#!/bin/bash
+
+set -o pipefail
+
+bootdisk() {
+ UUID=$({ read -r -n 1 -d '' _; read -n 72 uuid; echo -n ${uuid,,}; } < /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f)
+
+ [[ $UUID ]] || return 1
+ echo "/dev/disk/by-partuuid/$UUID"
+ return 0
+}
+
+get_disk() {
+ for dev in /dev/disk/by-path/*; do
+ [[ $dev -ef $1 ]] || continue
+ echo ${dev%-part*}
+ return 0
+ done
+ return 1
+}
+
+udevadm settle
+
+BOOTDISK=$(get_disk $(bootdisk))
+[[ $BOOTDISK ]] || die "No boot disk found"
+
+unset FOUND
+for swapdev in $BOOTDISK-part*; do
+ [[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue
+ FOUND=1
+ break
+done
+
+if [[ $FOUND ]]; then
+ if cryptsetup isLuks --type luks2 "$swapdev"; then
+ luksname=swap
+ luksdev=/dev/mapper/$luksname
+
+ if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then
+ export TPM2TOOLS_TCTI_NAME=device
+ export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+
+ if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' 2>&1 | vwarn; then
+ clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
+ echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
+ elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}' 2>&1 | vwarn; then
+ clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
+ echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
+ else
+ warn "Failed to bind swap disk to TPM2"
+ fi
+ else
+ clevis-luks-unlock -d "$swapdev" -n "$luksname" 2>&1 | vinfo || die "Failed to unlock $swapdev"
+ fi
+ swapdev="$luksdev"
+ fi
+
+ swaptype=$(blkid -o value -s TYPE "$swapdev")
+ [[ $swaptype == "swsuspend" ]] && \
+ /usr/lib/systemd/systemd-hibernate-resume "$swapdev" &>/dev/null
+
+ [[ $swaptype != "swap" ]] && \
+ mkswap "$swapdev" 2>&1 | vinfo
+
+ swapon "$swapdev" 2>&1 | vinfo
+fi
+
+
+unset FOUND
+for datadev in $BOOTDISK-part*; do
+ [[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
+ FOUND=1
+ break
+done
+[[ $FOUND ]] || die "No data disk found"
+
+if cryptsetup isLuks --type luks2 "$datadev"; then
+ #luksname=luks-$(blkid -o value -s UUID "$datadev")
+ luksname=data
+ luksdev=/dev/mapper/$luksname
+
+ if ! [[ -b $luksdev ]]; then
+ if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
+ export TPM2TOOLS_TCTI_NAME=device
+ export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+
+ if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+ elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+ else
+ warn "Failed to bind disk to TPM2"
+ echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
+ fi
+ else
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+ fi
+ tpm2_pcrextend \
+ -T device:/dev/tpmrm0 \
+ 7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \
+ || die "Failed to extend PCR7"
+ fi
+ datadev="$luksdev"
+fi
+
+if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
+ mkfs.xfs -f -L data "$datadev"
+fi
+
+mkdir -p /run/initramfs/mnt
+
+mount -o discard $datadev /run/initramfs/mnt || die "Failed to mount $datadev"
+
+for i in var home cfg local; do
+ if ! [[ -d /run/initramfs/mnt/$i ]]; then
+ mkdir /run/initramfs/mnt/$i
+ FIRST_TIME=1
+ elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then
+ RELABEL=1
+ fi
+done
+
+mount -o bind /run/initramfs/mnt/var /sysroot/var
+mount -o bind /run/initramfs/mnt/home /sysroot/home
+mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
+mount -o bind /run/initramfs/mnt/local /sysroot/usr/local
+umount -l /run/initramfs/mnt &>/dev/null
+
+if [[ $FIRST_TIME ]]; then
+ ln -fs ../run /sysroot/var/run
+ ln -fs ../run/lock /sysroot/var/lock
+
+ mount -o bind /sys /sysroot/sys
+ mount -t selinuxfs none /sysroot/sys/fs/selinux
+
+# if [ -f /etc/machine-id ]; then
+# cp /etc/machine-id /sysroot/cfg/machine-id
+# else
+# R=$(/sysroot/cfg/machine-id
+# fi
+
+ chroot /sysroot bash -c '
+ /usr/sbin/load_policy -i
+ /usr/sbin/setfiles -m -F -v \
+ /etc/selinux/targeted/contexts/files/file_contexts \
+ /cfg /var /home /usr/local
+ ' &> /dev/null
+
+ umount /sysroot/sys/fs/selinux
+ umount /sysroot/sys
+fi
+
+if [[ $RELABEL ]]; then
+ mount -o bind /sys /sysroot/sys
+ mount -t selinuxfs none /sysroot/sys/fs/selinux
+
+ chroot /sysroot bash -c '
+ /usr/sbin/load_policy -i
+ for i in var home cfg usr/local; do
+ [[ -e /$i/.autorelabel ]] || continue
+ rm -f /$i/.autorelabel
+ /usr/sbin/setfiles -m -F -v \
+ /etc/selinux/targeted/contexts/files/file_contexts \
+ /$i
+ done
+ ' 2>&1 | vwarn
+
+ umount /sysroot/sys/fs/selinux
+ umount /sysroot/sys
+fi
+
+:
\ No newline at end of file
diff --git a/clonedisk.sh b/clonedisk.sh
index 7797c70..90086d4 100755
--- a/clonedisk.sh
+++ b/clonedisk.sh
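Review bot: After the data volume is bound to the TPM (`clevis-luks-bind … -d "$datadev"`) and unlocked, the fixed passphrase `zero key` that clonedisk.sh formats the volume with is left behind as a valid LUKS keyslot, so anyone holding the disk can open it with that public string regardless of the PCR7 policy; the swap branch above strips it with `luksRemoveKey`, the data branch never does. Add `echo -n "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"` after each successful `clevis-luks-unlock -d "$datadev"` in the two bind branches, mirroring the swap code. The `else` fallback then opens the volume with `zero key` when binding fails, which is a conscious availability trade-off but leaves the data effectively unencrypted, so the `warn` should say that plainly rather than just "Failed to bind disk to TPM2". Separately, `mkfs.xfs -f` and `mkswap` fire whenever `blkid -o value -s TYPE` prints anything other than `xfs`/`swap`, and an empty result from a failed `blkid` satisfies that test, so a transient probe failure reformats the volume; check blkid's exit status before deciding the device is unformatted.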
@@ -140,12 +140,12 @@ if ! [[ $UPDATE ]]; then
 mkfs.fat -nEFI -F32 ${OUT}1
 if [[ $USE_CRYPT ]]; then
- # ------------------------------------------------------------------------------
+ # ------
 # swap
 echo -n "zero key" \
 | cryptsetup luksFormat --type luks2 ${OUT}4 /dev/stdin
- # ------------------------------------------------------------------------------
+ # ------
 # data
 echo -n "zero key" \
 | cryptsetup luksFormat --type luks2 ${OUT}5 /dev/stdin
@@ -157,24 +157,16 @@ fi
 mkdir -p boot
 mount ${OUT}1 boot
-mkdir -p boot/EFI/FedoraBook
-cp /efi/EFI/FedoraBook/1.efi boot/EFI/FedoraBook/1.efi
-[[ -e /efi/Lockdown.efi ]] && cp /efi/Lockdown.efi boot
-[[ -e /efi/Shell.efi ]] && cp /efi/Shell.efi boot/EFI/Boot/bootx64.efi
+cp -avr /efi/* boot/
 umount boot
 rmdir boot
 if ! [[ $UPDATE ]]; then
- for i in FED1 FED2 FED3 FED4; do
- efibootmgr -B -b $i || :
- done
+ efibootmgr -B -b FED1 || :
 efibootmgr -C -b FED1 -d ${OUT_DEV} -p 1 -L "FedoraBook 1" -l '\efi\fedorabook\1.efi'
- efibootmgr -C -b FED2 -d ${OUT_DEV} -p 1 -L "FedoraBook 2" -l '\efi\fedorabook\2.efi'
- efibootmgr -C -b FED3 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 1" -l '\efi\fedorabook\_1.efi'
- efibootmgr -C -b FED4 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 2" -l '\efi\fedorabook\_2.efi'
 BOOT_ORDER=$(efibootmgr | grep BootOrder: | { read _ a; echo "$a"; })
 if ! [[ $BOOT_ORDER == *FED1* ]]; then
- efibootmgr -o "FED1,FED2,FED3,FED4,$BOOT_ORDER"
+ efibootmgr -o "FED1,$BOOT_ORDER"
 fi
 fi
diff --git a/pkglist.txt b/pkglist.txt
index 4aa077e..9af9633 100644
--- a/pkglist.txt
+++ b/pkglist.txt
@@ -38,6 +38,7 @@ docbook-dtds
 docbook-style-xsl
 elfutils-devel
 f29-backgrounds-gnome
+f29-backgrounds-base
 fedora-gpg-keys
 fedora-packager
 fedora-release
diff --git a/pre-pivot.sh b/pre-pivot.sh
index 546380f..7c0f7d9 100644
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
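Review bot: `cp -avr /efi/* boot/` mirrors whatever the build host's ESP happens to contain onto the cloned disk — any `EFI/Boot/bootx64.efi` fallback loader, an EFI shell, stray binaries — where the removed lines copied exactly `1.efi` and placed `Shell.efi`/`Lockdown.efi` deliberately, and nothing now checks that `/efi` is mounted or that `EFI/FedoraBook/1.efi` exists before `efibootmgr -C` registers a boot entry for it. A guard before the copy, `[[ -f /efi/EFI/FedoraBook/1.efi ]] || { echo "no FedoraBook image in /efi" >&2; exit 1; }`, would catch an empty or unmounted `/efi`, where the unquoted glob otherwise stays literal and the script carries on after a failed `cp`. Only `FED1` is deleted now, so `FED2`–`FED4` entries created by earlier versions of this script survive in NVRAM pointing at `2.efi`/`_1.efi`/`_2.efi` that are no longer created, and the `BOOT_ORDER` test only looks for `FED1`; either keep the old cleanup loop or add a comment saying those entries are intentionally left alone.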
@@ -111,7 +111,7 @@ mkdir -p /run/initramfs/mnt
 mount -o discard $datadev /run/initramfs/mnt || die "Failed to mount $datadev"
-for i in var home cfg; do
+for i in var home cfg local; do
 if ! [[ -d /run/initramfs/mnt/$i ]]; then
 mkdir /run/initramfs/mnt/$i
 FIRST_TIME=1
@@ -120,31 +120,54 @@ for i in var home cfg; do
 fi
 done
-[ -d /run/initramfs/mnt/local ] && mount -o bind /run/initramfs/mnt/local /sysroot/usr/local
-mount -o bind /run/initramfs/mnt/var /sysroot/var
-mount -o bind /run/initramfs/mnt/home /sysroot/home
-mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
+mount -o bind /run/initramfs/mnt/var /sysroot/var
+mount -o bind /run/initramfs/mnt/home /sysroot/home
+mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
+mount -o bind /run/initramfs/mnt/local /sysroot/usr/local
 umount -l /run/initramfs/mnt &>/dev/null
 if [[ $FIRST_TIME ]]; then
+ ln -fs ../run /sysroot/var/run
+ ln -fs ../run/lock /sysroot/var/lock
+
+ mount -o bind /sys /sysroot/sys
+ mount -t selinuxfs none /sysroot/sys/fs/selinux
+
+# if [ -f /etc/machine-id ]; then
+# cp /etc/machine-id /sysroot/cfg/machine-id
+# else
+# R=$(/sysroot/cfg/machine-id
+# fi
+
 chroot /sysroot bash -c '
-for i in /var /home /cfg /usr/local; do
- mountpoint -q "$i" || continue
- /usr/sbin/setfiles -v -F \
- /etc/selinux/targeted/contexts/files/file_contexts $i
-done
-'
+ /usr/sbin/load_policy -i
+ /usr/sbin/setfiles -m -F -v \
+ /etc/selinux/targeted/contexts/files/file_contexts \
+ /cfg /var /home /usr/local
+ ' &> /dev/null
+
+ umount /sysroot/sys/fs/selinux
+ umount /sysroot/sys
 fi
 if [[ $RELABEL ]]; then
+ mount -o bind /sys /sysroot/sys
+ mount -t selinuxfs none /sysroot/sys/fs/selinux
+
 chroot /sysroot bash -c '
-for i in var home cfg; do
- [[ -e /$i/.autorelabel ]] || continue
- rm -f /$i/.autorelabel
- /usr/sbin/setfiles -v -F \
- /etc/selinux/targeted/contexts/files/file_contexts /$i
-done
-' 2>&1 | vwarn
+ /usr/sbin/load_policy -i
+ for i in var home cfg usr/local; do
+ [[ -e /$i/.autorelabel ]] || continue
+ rm -f /$i/.autorelabel
+ /usr/sbin/setfiles -m -F -v \
+ /etc/selinux/targeted/contexts/files/file_contexts \
+ /$i
+ done
+ ' 2>&1 | vwarn
+
+ umount /sysroot/sys/fs/selinux
+ umount /sysroot/sys
 fi
 :
\ No newline at end of file
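Review bot: In the `FIRST_TIME` branch the `chroot /sysroot bash -c '…' &> /dev/null` throws away every line `load_policy` and `setfiles` emit, so a failed first-boot labeling of `/cfg`, `/var`, `/home` and `/usr/local` — the directories that then hold all persistent state — is invisible, while the `RELABEL` branch directly below reports the same commands through `2>&1 | vwarn`; use `' 2>&1 | vwarn` in both places. The `mount -t selinuxfs none /sysroot/sys/fs/selinux` that precedes each chroot is unchecked, and if it fails the chroot still runs with `load_policy -i` presumably unable to reach the kernel; `|| die "Failed to mount selinuxfs in /sysroot"` on that line would make the dependency explicit. The commented-out machine-id block carries an unbalanced `R=$(/sysroot/cfg/machine-id`; finish it or drop it rather than leave it to be uncommented as-is.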
diff --git a/prepare-root.sh b/prepare-root.sh
index 19982b8..373192b 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -1,5 +1,7 @@
 #!/bin/bash -ex
+export LANG=C
+
 usage() {
 cat << EOF
 Usage: $PROGNAME [OPTION]
@@ -304,6 +306,7 @@ fi
 (( $RET == 0 ))
+
 chroot "$sysroot" /usr/bin/systemd-sysusers
 for i in passwd shadow group gshadow subuid subgid; do
@@ -348,9 +351,7 @@ cp "${BASEDIR}/${CRT}" "$sysroot"/etc/pki/${NAME}/crt
 rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
-cp "${BASEDIR}"/pre-pivot.sh "$sysroot"/pre-pivot.sh
-cp -avr "${BASEDIR}"/10verity "$sysroot"/usr/lib/dracut/modules.d/
-chmod 0755 "$sysroot"/pre-pivot.sh
+cp -avr "${BASEDIR}"/{10verity,20fedorabook} "$sysroot"/usr/lib/dracut/modules.d/
 KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1)
@@ -368,28 +369,11 @@ fi
 chroot "$sysroot" \
 dracut -N --kver $KVER --force \
 --filesystems "squashfs vfat xfs" \
- --add-drivers "=drivers/char/tpm" \
 -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
- -m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity" \
- --install "fedorabook-clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
- --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
- --install "cryptsetup tail sort pwmake mktemp swapon" \
- --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
- --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership chcon sleep" \
- --include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \
- --install /usr/lib/systemd/system/clevis-luks-askpass.path \
- --install /usr/lib/systemd/system/clevis-luks-askpass.service \
- --install /usr/libexec/clevis-luks-askpass \
- --include /usr/share/cracklib/ /usr/share/cracklib/ \
- --install /usr/lib64/libtss2-esys.so.0 \
- --install /usr/lib64/libtss2-tcti-device.so.0 \
- --install /sbin/rngd \
- --install /usr/lib/systemd/system/basic.target.wants/rngd.service \
+ -m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity fedorabook" \
 --reproducible \
 /lib/modules/$KVER/initrd
-rm "$sysroot"/pre-pivot.sh
-
 umount "$sysroot"/var/cache/dnf
 mkdir -p "$sysroot"/usr/share/factory/{var,cfg}
@@ -412,7 +396,11 @@ done
 #---------------
 # nss / passwd /shadow etc..
-#chroot "$sysroot" bash -c 'echo -n admin | passwd --stdin root'
+#chroot "$sysroot" bash -c '
+# setfiles -v -F \
+# /etc/selinux/targeted/contexts/files/file_contexts /usr/bin/passwd /etc/shadow /etc/passwd
+# echo -n admin | passwd --stdin root
+# '
 # rpcbind only accepts "files altfiles"
 # altfiles has no shadow/gshadow support, therefore we need db
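Review bot: Two names from the removed `--install` lists do not reappear in the `inst_multiple` list of the `fedorabook` module this commit adds (20fedorabook/module-setup.sh): `fedorabook-clonedisk` and `chcon` (`setfiles` stands in for the latter, which looks deliberate). If cloning from the initramfs is still a supported path, `fedorabook-clonedisk` has to go back into the module's `inst_multiple` list, since `-m "… fedorabook"` is now the only thing populating the image; if it was dropped on purpose, a sentence in the commit message would spare the next reader this comparison. The `--add-drivers "=drivers/char/tpm"` removal is covered by the module's `installkernel()`, so that part is fine.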
@@ -441,7 +429,7 @@ chroot "$sysroot" bash -c '
 /usr/db/group.db \
 && mv /etc/{passwd,shadow,group,gshadow} /lib \
 && >/etc/passwd \
- && > /etc/shadow \
+ && >/etc/shadow \
 && >/etc/group \
 && >/etc/gshadow
 '
@@ -847,6 +835,9 @@ mkdir -p "$sysroot"/{var,home,cfg,net,efi}
 # ------------------------------------------------------------------------------
 # SELinux relabel all the files
+
+#sed -i -e 's#SELINUX=enforcing#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
+
 chroot "$sysroot" setfiles -v -F \
 /etc/selinux/targeted/contexts/files/file_contexts /