harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

cleanup

Browse source
This commit is contained in:
Harald Hoyer 2018-11-20 15:59:04 +01:00
parent 26ccbc61b6
commit 1a80bf6938
6 changed files with 262 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
20fedorabook/module-setup.sh Executable file
View file

@ -0,0 +1,28 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
installkernel() {
instmods =drivers/char/tpm
}
install() {
inst_multiple \
wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl \
clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt \
clevis-luks-unlock clevis-decrypt-tpm2 \
cryptsetup tail sort pwmake mktemp swapon \
tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy \
tpm2_create tpm2_load tpm2_unseal tpm2_takeownership sleep setfiles \
/usr/lib/systemd/system/clevis-luks-askpass.path \
/usr/lib/systemd/system/clevis-luks-askpass.service \
/usr/libexec/clevis-luks-askpass \
/usr/lib64/libtss2-esys.so.0 \
/usr/lib64/libtss2-tcti-device.so.0 \
/sbin/rngd \
/usr/lib/systemd/system/basic.target.wants/rngd.service \
${NULL}
inst_dir /usr/share/cracklib
inst_hook pre-pivot 80 "$moddir/pre-pivot.sh"
}

173
20fedorabook/pre-pivot.sh Normal file
View file

@ -0,0 +1,173 @@
#!/bin/bash
set -o pipefail
bootdisk() {
UUID=$({ read -r -n 1 -d '' _; read -n 72 uuid; echo -n ${uuid,,}; } < /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f)
[[ $UUID ]] || return 1
echo "/dev/disk/by-partuuid/$UUID"
return 0
}
get_disk() {
for dev in /dev/disk/by-path/*; do
[[ $dev -ef $1 ]] || continue
echo ${dev%-part*}
return 0
done
return 1
}
udevadm settle
BOOTDISK=$(get_disk $(bootdisk))
[[ $BOOTDISK ]] || die "No boot disk found"
unset FOUND
for swapdev in $BOOTDISK-part*; do
[[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue
FOUND=1
break
done
if [[ $FOUND ]]; then
if cryptsetup isLuks --type luks2 "$swapdev"; then
luksname=swap
luksdev=/dev/mapper/$luksname
if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' 2>&1 | vwarn; then
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}' 2>&1 | vwarn; then
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
else
warn "Failed to bind swap disk to TPM2"
fi
else
clevis-luks-unlock -d "$swapdev" -n "$luksname" 2>&1 | vinfo || die "Failed to unlock $swapdev"
fi
swapdev="$luksdev"
fi
swaptype=$(blkid -o value -s TYPE "$swapdev")
[[ $swaptype == "swsuspend" ]] && \
/usr/lib/systemd/systemd-hibernate-resume "$swapdev" &>/dev/null
[[ $swaptype != "swap" ]] && \
mkswap "$swapdev" 2>&1 | vinfo
swapon "$swapdev" 2>&1 | vinfo
fi
unset FOUND
for datadev in $BOOTDISK-part*; do
[[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
FOUND=1
break
done
[[ $FOUND ]] || die "No data disk found"
if cryptsetup isLuks --type luks2 "$datadev"; then
#luksname=luks-$(blkid -o value -s UUID "$datadev")
luksname=data
luksdev=/dev/mapper/$luksname
if ! [[ -b $luksdev ]]; then
if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
else
warn "Failed to bind disk to TPM2"
echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
fi
else
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
fi
tpm2_pcrextend \
-T device:/dev/tpmrm0 \
7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \
|| die "Failed to extend PCR7"
fi
datadev="$luksdev"
fi
if [[ $(blkid -o value -s TYPE "$datadev") != "xfs" ]]; then
mkfs.xfs -f -L data "$datadev"
fi
mkdir -p /run/initramfs/mnt
mount -o discard $datadev /run/initramfs/mnt || die "Failed to mount $datadev"
for i in var home cfg local; do
if ! [[ -d /run/initramfs/mnt/$i ]]; then
mkdir /run/initramfs/mnt/$i
FIRST_TIME=1
elif [[ -f /run/initramfs/mnt/$i/.autorelabel ]]; then
RELABEL=1
fi
done
mount -o bind /run/initramfs/mnt/var /sysroot/var
mount -o bind /run/initramfs/mnt/home /sysroot/home
mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
mount -o bind /run/initramfs/mnt/local /sysroot/usr/local
umount -l /run/initramfs/mnt &>/dev/null
if [[ $FIRST_TIME ]]; then
ln -fs ../run /sysroot/var/run
ln -fs ../run/lock /sysroot/var/lock
mount -o bind /sys /sysroot/sys
mount -t selinuxfs none /sysroot/sys/fs/selinux
# if [ -f /etc/machine-id ]; then
# cp /etc/machine-id /sysroot/cfg/machine-id
# else
# R=$(</proc/sys/kernel/random/uuid)
# echo ${R//-} >/sysroot/cfg/machine-id
# fi
chroot /sysroot bash -c '
/usr/sbin/load_policy -i
/usr/sbin/setfiles -m -F -v \
/etc/selinux/targeted/contexts/files/file_contexts \
/cfg /var /home /usr/local
' &> /dev/null
umount /sysroot/sys/fs/selinux
umount /sysroot/sys
fi
if [[ $RELABEL ]]; then
mount -o bind /sys /sysroot/sys
mount -t selinuxfs none /sysroot/sys/fs/selinux
chroot /sysroot bash -c '
/usr/sbin/load_policy -i
for i in var home cfg usr/local; do
[[ -e /$i/.autorelabel ]] || continue
rm -f /$i/.autorelabel
/usr/sbin/setfiles -m -F -v \
/etc/selinux/targeted/contexts/files/file_contexts \
/$i
done
' 2>&1 | vwarn
umount /sysroot/sys/fs/selinux
umount /sysroot/sys
fi
:

18
clonedisk.sh
View file

@ -140,12 +140,12 @@ if ! [[ $UPDATE ]]; then
mkfs.fat -nEFI -F32 ${OUT}1 mkfs.fat -nEFI -F32 ${OUT}1
if [[ $USE_CRYPT ]]; then if [[ $USE_CRYPT ]]; then
# ------------------------------------------------------------------------------ # ------
# swap # swap
echo -n "zero key" \ echo -n "zero key" \
| cryptsetup luksFormat --type luks2 ${OUT}4 /dev/stdin | cryptsetup luksFormat --type luks2 ${OUT}4 /dev/stdin
# ------------------------------------------------------------------------------ # ------
# data # data
echo -n "zero key" \ echo -n "zero key" \
| cryptsetup luksFormat --type luks2 ${OUT}5 /dev/stdin | cryptsetup luksFormat --type luks2 ${OUT}5 /dev/stdin
@ -157,24 +157,16 @@ fi
mkdir -p boot mkdir -p boot
mount ${OUT}1 boot mount ${OUT}1 boot
mkdir -p boot/EFI/FedoraBook cp -avr /efi/* boot/
cp /efi/EFI/FedoraBook/1.efi boot/EFI/FedoraBook/1.efi
[[ -e /efi/Lockdown.efi ]] && cp /efi/Lockdown.efi boot
[[ -e /efi/Shell.efi ]] && cp /efi/Shell.efi boot/EFI/Boot/bootx64.efi
umount boot umount boot
rmdir boot rmdir boot
if ! [[ $UPDATE ]]; then if ! [[ $UPDATE ]]; then
for i in FED1 FED2 FED3 FED4; do efibootmgr -B -b FED1 || :
efibootmgr -B -b $i || :
done
efibootmgr -C -b FED1 -d ${OUT_DEV} -p 1 -L "FedoraBook 1" -l '\efi\fedorabook\1.efi' efibootmgr -C -b FED1 -d ${OUT_DEV} -p 1 -L "FedoraBook 1" -l '\efi\fedorabook\1.efi'
efibootmgr -C -b FED2 -d ${OUT_DEV} -p 1 -L "FedoraBook 2" -l '\efi\fedorabook\2.efi'
efibootmgr -C -b FED3 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 1" -l '\efi\fedorabook\_1.efi'
efibootmgr -C -b FED4 -d ${OUT_DEV} -p 1 -L "FedoraBook Old 2" -l '\efi\fedorabook\_2.efi'
BOOT_ORDER=$(efibootmgr | grep BootOrder: | { read _ a; echo "$a"; }) BOOT_ORDER=$(efibootmgr | grep BootOrder: | { read _ a; echo "$a"; })
if ! [[ $BOOT_ORDER == *FED1* ]]; then if ! [[ $BOOT_ORDER == *FED1* ]]; then
efibootmgr -o "FED1,FED2,FED3,FED4,$BOOT_ORDER" efibootmgr -o "FED1,$BOOT_ORDER"
fi fi
fi fi

1
pkglist.txt
View file

@ -38,6 +38,7 @@ docbook-dtds
docbook-style-xsl docbook-style-xsl
elfutils-devel elfutils-devel
f29-backgrounds-gnome f29-backgrounds-gnome
f29-backgrounds-base
fedora-gpg-keys fedora-gpg-keys
fedora-packager fedora-packager
fedora-release fedora-release

59
pre-pivot.sh
View file

@ -111,7 +111,7 @@ mkdir -p /run/initramfs/mnt
mount -o discard $datadev /run/initramfs/mnt || die "Failed to mount $datadev" mount -o discard $datadev /run/initramfs/mnt || die "Failed to mount $datadev"
for i in var home cfg; do for i in var home cfg local; do
if ! [[ -d /run/initramfs/mnt/$i ]]; then if ! [[ -d /run/initramfs/mnt/$i ]]; then
mkdir /run/initramfs/mnt/$i mkdir /run/initramfs/mnt/$i
FIRST_TIME=1 FIRST_TIME=1
@ -120,31 +120,54 @@ for i in var home cfg; do
fi fi
done done
[ -d /run/initramfs/mnt/local ] && mount -o bind /run/initramfs/mnt/local /sysroot/usr/local mount -o bind /run/initramfs/mnt/var /sysroot/var
mount -o bind /run/initramfs/mnt/var /sysroot/var mount -o bind /run/initramfs/mnt/home /sysroot/home
mount -o bind /run/initramfs/mnt/home /sysroot/home mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg
mount -o bind /run/initramfs/mnt/cfg /sysroot/cfg mount -o bind /run/initramfs/mnt/local /sysroot/usr/local
umount -l /run/initramfs/mnt &>/dev/null umount -l /run/initramfs/mnt &>/dev/null
if [[ $FIRST_TIME ]]; then if [[ $FIRST_TIME ]]; then
ln -fs ../run /sysroot/var/run
ln -fs ../run/lock /sysroot/var/lock
mount -o bind /sys /sysroot/sys
mount -t selinuxfs none /sysroot/sys/fs/selinux
# if [ -f /etc/machine-id ]; then
# cp /etc/machine-id /sysroot/cfg/machine-id
# else
# R=$(</proc/sys/kernel/random/uuid)
# echo ${R//-} >/sysroot/cfg/machine-id
# fi
chroot /sysroot bash -c ' chroot /sysroot bash -c '
for i in /var /home /cfg /usr/local; do /usr/sbin/load_policy -i
mountpoint -q "$i" || continue /usr/sbin/setfiles -m -F -v \
/usr/sbin/setfiles -v -F \ /etc/selinux/targeted/contexts/files/file_contexts \
/etc/selinux/targeted/contexts/files/file_contexts $i /cfg /var /home /usr/local
done ' &> /dev/null
'
umount /sysroot/sys/fs/selinux
umount /sysroot/sys
fi fi
if [[ $RELABEL ]]; then if [[ $RELABEL ]]; then
mount -o bind /sys /sysroot/sys
mount -t selinuxfs none /sysroot/sys/fs/selinux
chroot /sysroot bash -c ' chroot /sysroot bash -c '
for i in var home cfg; do /usr/sbin/load_policy -i
[[ -e /$i/.autorelabel ]] || continue for i in var home cfg usr/local; do
rm -f /$i/.autorelabel [[ -e /$i/.autorelabel ]] || continue
/usr/sbin/setfiles -v -F \ rm -f /$i/.autorelabel
/etc/selinux/targeted/contexts/files/file_contexts /$i /usr/sbin/setfiles -m -F -v \
done /etc/selinux/targeted/contexts/files/file_contexts \
' 2>&1 | vwarn /$i
done
' 2>&1 | vwarn
umount /sysroot/sys/fs/selinux
umount /sysroot/sys
fi fi
: :

37
prepare-root.sh
View file

@ -1,5 +1,7 @@
#!/bin/bash -ex #!/bin/bash -ex
export LANG=C
usage() { usage() {
cat << EOF cat << EOF
Usage: $PROGNAME [OPTION] Usage: $PROGNAME [OPTION]
@ -304,6 +306,7 @@ fi
(( $RET == 0 )) (( $RET == 0 ))
chroot "$sysroot" /usr/bin/systemd-sysusers chroot "$sysroot" /usr/bin/systemd-sysusers
for i in passwd shadow group gshadow subuid subgid; do for i in passwd shadow group gshadow subuid subgid; do
@ -348,9 +351,7 @@ cp "${BASEDIR}/${CRT}" "$sysroot"/etc/pki/${NAME}/crt
rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
cp "${BASEDIR}"/pre-pivot.sh "$sysroot"/pre-pivot.sh cp -avr "${BASEDIR}"/{10verity,20fedorabook} "$sysroot"/usr/lib/dracut/modules.d/
cp -avr "${BASEDIR}"/10verity "$sysroot"/usr/lib/dracut/modules.d/
chmod 0755 "$sysroot"/pre-pivot.sh
KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1) KVER=$(cd "$sysroot"/lib/modules/; ls -1d ??* | tail -1)
@ -368,28 +369,11 @@ fi
chroot "$sysroot" \ chroot "$sysroot" \
dracut -N --kver $KVER --force \ dracut -N --kver $KVER --force \
--filesystems "squashfs vfat xfs" \ --filesystems "squashfs vfat xfs" \
--add-drivers "=drivers/char/tpm" \
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \ -m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block" \
-m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity" \ -m "udev-rules dracut-systemd base fs-lib shutdown terminfo resume verity fedorabook" \
--install "fedorabook-clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
--install "cryptsetup tail sort pwmake mktemp swapon" \
--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership chcon sleep" \
--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/80-pre-pivot.sh \
--install /usr/lib/systemd/system/clevis-luks-askpass.path \
--install /usr/lib/systemd/system/clevis-luks-askpass.service \
--install /usr/libexec/clevis-luks-askpass \
--include /usr/share/cracklib/ /usr/share/cracklib/ \
--install /usr/lib64/libtss2-esys.so.0 \
--install /usr/lib64/libtss2-tcti-device.so.0 \
--install /sbin/rngd \
--install /usr/lib/systemd/system/basic.target.wants/rngd.service \
--reproducible \ --reproducible \
/lib/modules/$KVER/initrd /lib/modules/$KVER/initrd
rm "$sysroot"/pre-pivot.sh
umount "$sysroot"/var/cache/dnf umount "$sysroot"/var/cache/dnf
mkdir -p "$sysroot"/usr/share/factory/{var,cfg} mkdir -p "$sysroot"/usr/share/factory/{var,cfg}
@ -412,7 +396,11 @@ done
#--------------- #---------------
# nss / passwd /shadow etc.. # nss / passwd /shadow etc..
#chroot "$sysroot" bash -c 'echo -n admin | passwd --stdin root' #chroot "$sysroot" bash -c '
# setfiles -v -F \
# /etc/selinux/targeted/contexts/files/file_contexts /usr/bin/passwd /etc/shadow /etc/passwd
# echo -n admin | passwd --stdin root
# '
# rpcbind only accepts "files altfiles" # rpcbind only accepts "files altfiles"
# altfiles has no shadow/gshadow support, therefore we need db # altfiles has no shadow/gshadow support, therefore we need db
@ -441,7 +429,7 @@ chroot "$sysroot" bash -c '
/usr/db/group.db \ /usr/db/group.db \
&& mv /etc/{passwd,shadow,group,gshadow} /lib \ && mv /etc/{passwd,shadow,group,gshadow} /lib \
&& >/etc/passwd \ && >/etc/passwd \
&& > /etc/shadow \ && >/etc/shadow \
&& >/etc/group \ && >/etc/group \
&& >/etc/gshadow && >/etc/gshadow
' '
@ -847,6 +835,9 @@ mkdir -p "$sysroot"/{var,home,cfg,net,efi}
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# SELinux relabel all the files # SELinux relabel all the files
#sed -i -e 's#SELINUX=enforcing#SELINUX=permissive#g' "$sysroot"/etc/selinux/config
chroot "$sysroot" setfiles -v -F \ chroot "$sysroot" setfiles -v -F \
/etc/selinux/targeted/contexts/files/file_contexts / /etc/selinux/targeted/contexts/files/file_contexts /