Harald Hoyer 2018-09-06 15:56:53 +02:00
parent 6910172911
commit 5d5ec9682e
8 changed files with 270 additions and 30 deletions


@ -1,6 +1,67 @@
#!/bin/bash
#!/bin/bash -ex
set -ex
usage() {
cat << EOF
Usage: $PROGNAME [OPTION]
-h, --help Display this help
--crypt Use Luks2 to encrypt the data partition (default PW: 1)
--crypttpm2 as --crypt, but additionally auto-open with the use of a TPM2
--simple do not use dual-boot layout (e.g. for USB install media)
--update do not clear the data partition
EOF
}
TEMP=$(
getopt -o '' \
--long crypt \
--long crypttpm2 \
--long simple \
--long update \
--long help \
-- "$@"
)
if (( $? != 0 )); then
usage >&2
exit 1
fi
eval set -- "$TEMP"
unset TEMP
while true; do
case "$1" in
'--crypt')
USE_CRYPT="y"
shift 1; continue
;;
'--crypttpm2')
USE_TPM="y"
shift 1; continue
;;
'--simple')
SIMPLE="y"
shift 1; continue
;;
'--update')
UPDATE="y"
shift 1; continue
;;
'--help')
usage
exit 0
;;
'--')
shift
break
;;
*)
echo 'Internal error!' >&2
exit 1
;;
esac
done
[[ $TMPDIR ]] || TMPDIR=/var/tmp
readonly TMPDIR="$(realpath -e "$TMPDIR")"
@ -44,9 +105,11 @@ if [[ ${IN#/dev/loop} != $IN ]]; then
IN="${IN}p"
fi
wipefs --all "$OUT"
if ! [[ $UPDATE ]]; then
sfdisk -W always -w always "$OUT" << EOF
wipefs --all "$OUT"
sfdisk -W always -w always "$OUT" << EOF
label: gpt
size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2)
@ -56,6 +119,9 @@ label: gpt
size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4f, name="swap"
type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
EOF
fi
OUT_DEV=$OUT
if [[ ${OUT#/dev/loop} != $OUT ]]; then
OUT="${OUT}p"
@ -66,13 +132,16 @@ fi
for i in 1 2 3; do
dd if=${IN}${i} of=${OUT}${i} status=progress
sfdisk --part-uuid ${OUT_DEV} $i $(blkid -o value -s PARTUUID ${IN}${i})
done
# ------------------------------------------------------------------------------
# swap
mkswap -L swap ${OUT}6
if ! [[ $UPDATE ]]; then
# ------------------------------------------------------------------------------
# swap
mkswap -L swap ${OUT}6
# ------------------------------------------------------------------------------
# data
echo -n "zero key" \
# ------------------------------------------------------------------------------
# data
echo -n "zero key" \
| cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin
fi
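Review bot: The LUKS passphrase for the data partition is a hard-coded literal, `echo -n "zero key" | cryptsetup luksFormat …`, and because the script runs under `-ex` the trace prints that command — passphrase included — to stderr every time a disk is cloned. If this is meant as a throw-away key slot that is replaced later (not visible in this hunk), say so in a comment; otherwise read it from a root-only key file, e.g. `cryptsetup luksFormat --type luks2 --key-file "$KEYFILE" ${OUT}7`, and bracket the call with `set +x` / `set -x` so the secret never reaches the trace. The usage text at the top of this file advertises `default PW: 1` for `--crypt`, which does not match this literal either — worth reconciling one way or the other.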


@ -4,7 +4,6 @@ grubby
grub*
plymouth
device-mapper-multipath
libvirt-daemon
selinux-policy-targeted
libselinux-utils
httpd


@ -17,6 +17,7 @@ Usage: $PROGNAME [OPTION]
--crypt Use Luks2 to encrypt the data partition (default PW: 1)
--crypttpm2 as --crypt, but additionally auto-open with the use of a TPM2
--simple do not use dual-boot layout (e.g. for USB install media)
--update do not clear the data partition
EOF
}
@ -24,6 +25,8 @@ TEMP=$(
getopt -o '' \
--long crypt \
--long crypttpm2 \
--long simple \
--long update \
--long help \
-- "$@"
)
@ -47,6 +50,14 @@ while true; do
USE_TPM="y"
shift 1; continue
;;
'--simple')
SIMPLE="y"
shift 1; continue
;;
'--update')
UPDATE="y"
shift 1; continue
;;
'--help')
usage
exit 0
@ -109,8 +120,10 @@ HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-
# create GPT table with EFI System Partition
if ! [[ -b "${IMAGE}" ]]; then
if ! [[ $UPDATE ]]; then
rm -f "${IMAGE}"
dd if=/dev/null of="${IMAGE}" bs=1MiB seek=$((15*1024)) count=1
fi
readonly DEV=$(losetup --show -f -P "${IMAGE}")
readonly DEV_PART=${DEV}p
else
@ -118,13 +131,16 @@ else
umount "$i" || :
done
if ! [[ $UPDATE ]]; then
wipefs --force --all "${IMAGE}"
fi
readonly DEV="${IMAGE}"
readonly DEV_PART="${IMAGE}"
fi
udevadm settle
sfdisk "${DEV}" << EOF
if ! [[ $UPDATE ]]; then
sfdisk "${DEV}" << EOF
label: gpt
size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
size=64MiB, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$HASH_UUID
@ -132,15 +148,21 @@ label: gpt
type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
EOF
udevadm settle
for i in 1 2 3 4; do
udevadm settle
for i in 1 2 3 4; do
wipefs --force --all ${DEV_PART}${i}
done
udevadm settle
done
udevadm settle
else
sfdisk --part-uuid ${DEV} 2 ${HASH_UUID}
sfdisk --part-uuid ${DEV} 3 ${ROOT_UUID}
fi
# ------------------------------------------------------------------------------
# ESP
mkfs.fat -nEFI -F32 ${DEV_PART}1
if ! [[ $UPDATE ]]; then
mkfs.fat -nEFI -F32 ${DEV_PART}1
fi
mkdir "$MY_TMPDIR"/boot
mount ${DEV_PART}1 "$MY_TMPDIR"/boot
@ -158,8 +180,9 @@ dd if="$SOURCE"/root.squashfs.img of=${DEV_PART}3 status=progress
# ------------------------------------------------------------------------------
# data
mkfs.xfs -L data ${DEV_PART}4
if ! [[ $UPDATE ]]; then
mkfs.xfs -L data ${DEV_PART}4
fi
# ------------------------------------------------------------------------------
# DONE
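Review bot: In the `--update` branch the new PARTUUIDs are written with `sfdisk --part-uuid ${DEV} 2 ${HASH_UUID}` / `sfdisk --part-uuid ${DEV} 3 ${ROOT_UUID}` before the image payload is copied in (the `dd if="$SOURCE"/root.squashfs.img of=${DEV_PART}3` at the head of the last hunk; the verity dd is not visible here), so a dd that fails under `set -e` leaves partitions labelled with a root hash they do not yet hold. The slot would then fail dm-verity rather than boot silently wrong, but it is still misdescribed; moving the two `sfdisk --part-uuid` lines after the dd's gives the same write-then-relabel order update.sh uses. The update branch also assumes `${DEV_PART}2`/`3` already exist at the expected sizes — a cheap guard such as `[[ -b ${DEV_PART}3 ]] || { echo "no existing layout to update" >&2; exit 1; }` makes a wrong `--update` target fail before any data is written.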


@ -10,7 +10,6 @@ NetworkManager-vpnc
NetworkManager-vpnc-gnome
NetworkManager-wifi
firefox
emacs
vim-enhanced
pigz
flatpak
@ -63,3 +62,7 @@ fedora-gpg-keys
bind-utils
bash-completion
nss-mdns
@development-tools
@development-libs
@c-development


@ -44,6 +44,7 @@ fi
eval set -- "$TEMP"
unset TEMP
. /etc/os-release
unset NAME
while true; do
case "$1" in
@ -97,8 +98,8 @@ done
[[ $EXCLUDELIST ]] || [[ -f excludelist.txt ]] && EXCLUDELIST=$(<excludelist.txt)
NAME=${NAME:-"FedoraBook"}
RELEASEVER=${RELEASEVER:-$VERSION_ID}
OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')"
OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
[[ $TMPDIR ]] || TMPDIR=/var/tmp
readonly TMPDIR="$(realpath -e "$TMPDIR")"
@ -142,6 +143,13 @@ mount -t devtmpfs devtmpfs "$sysroot/dev"
mkdir -p "$sysroot"/var/cache/dnf
mount --bind /var/cache/dnf "$sysroot"/var/cache/dnf
# We need to preserve old uid/gid
mkdir -p "$sysroot"/etc
for i in passwd shadow group gshadow subuid subgid; do
[[ -e "${BASEDIR}/${NAME}/$i" ]] || continue
cp "${BASEDIR}/${NAME}/$i" "$sysroot"/etc/"$i"
done
dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disablerepo='*' \
--enablerepo=fedora \
${WITH_UPDATES:+--enablerepo=updates} \
@ -179,9 +187,18 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab
tpm2-tss \
ncurses-base \
dbus-broker \
tar \
gzip \
$PKGLIST
# We need to preserve old uid/gid
mkdir -p ${BASEDIR}/${NAME}
for i in passwd shadow group gshadow subuid subgid; do
cp "$sysroot"/etc/"$i" ${BASEDIR}/${NAME}
done
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
mkdir -p "$sysroot"/overlay/efi
@ -243,6 +260,9 @@ ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/sy
if [[ -d "$sysroot"/etc/ssh ]]; then
mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/var/etc/ssh
ln -sfnr "$sysroot"/var/etc/ssh "$sysroot"/etc/ssh
cat >> "$sysroot"/usr/lib/tmpfiles.d/ssh.conf <<EOF
C /var/etc/ssh - - - - -
EOF
fi
#---------------
@ -267,6 +287,16 @@ EOF
rm -fr "$sysroot"/usr/lib64/NetworkManager/*/libnm-settings-plugin-ifcfg-rh.so
fi
#---------------
# libvirt
if [[ -d "$sysroot"/etc/libvirt ]]; then
mv "$sysroot"/etc/libvirt "$sysroot"/usr/share/factory/var/etc/
ln -fsnr "$sysroot"/var/etc/libvirt "$sysroot"/etc/libvirt
cat >> "$sysroot"/usr/lib/tmpfiles.d/libvirt.conf <<EOF
C /var/etc/libvirt - - - - -
EOF
fi
. "${BASEDIR}"/quirks/nss_db.sh
#---------------
@ -300,6 +330,13 @@ if [[ -d "$sysroot"/usr/share/flatpak ]]; then
chroot "$sysroot" bash -c '/usr/bin/flatpak remote-add --if-not-exists flathub /usr/share/flatpak/flathub.flatpakrepo'
fi
#---------------
# inotify
mkdir -p "$sysroot"/etc/sysctl.d
cat > "$sysroot"/etc/sysctl.d/inotify.conf <<EOF
fs.inotify.max_user_watches = $((8192*10))
EOF
cat >"$sysroot"/etc/fstab <<EOF
LABEL=data /data xfs defaults,discard 0 0
/data/var /var - bind 0 0
@ -323,6 +360,7 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C /d
mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
sed -i -e "s#NAME=.*#NAME=$NAME#" "$sysroot"/etc/os-release
mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/
mv -v "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
@ -357,7 +395,7 @@ HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-
# ------------------------------------------------------------------------------
# make bootx64.efi
echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID resume=PARTLABEL=swap raid=noautodetect" > "$MY_TMPDIR"/options.txt
echo -n "$NAME $VERSION_ID" > "$MY_TMPDIR"/release.txt
echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
objcopy \
--add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
--add-section .cmdline="$MY_TMPDIR"/options.txt --change-section-vma .cmdline=0x30000 \
@ -377,3 +415,6 @@ mv "$MY_TMPDIR"/root-hash.txt \
"$MY_TMPDIR"/linux \
"$MY_TMPDIR"/initrd \
"$OUTDIR"
tar cf - -C "${OUTDIR%/*}" "${OUTDIR##*/}" | pigz -c > "$OUTDIR".tgz
echo "$ROOT_HASH ${NAME}-${VERSION_ID}" > "${OUTDIR%/*}/${NAME}-latest.txt"
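Review bot: `${NAME}-latest.txt` is written unsigned, yet it is the sole trust anchor the new update.sh uses to choose both the image and the root hash it will verify that image against, so whoever can serve or alter this file can point clients at an arbitrary image that passes dm-verity. With the chroot populated under `--nogpgcheck` (the dnf line earlier in this file) and no signing step visible on bootx64.efi (objcopy only), transport is the only integrity control in the chain. If a release key exists, emit a detached signature next to the pointer file, e.g. `gpg --detach-sign --armor "${OUTDIR%/*}/${NAME}-latest.txt"`, and have the updater verify it before trusting `$ROOT_HASH`; the same applies to the `.tgz`. Also note the passwd/shadow/gshadow preservation added earlier in this file copies hashed credentials into `${BASEDIR}/${NAME}` — confirm that directory is not world-readable or published alongside the output.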


@ -1,4 +1,3 @@
sed -i -e 's#files#files db#g' "$sysroot"/etc/nsswitch.conf
mkdir -p "$sysroot"/usr/db
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile


@ -0,0 +1,26 @@
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# This service can dynamically be pulled-in by legacy services which
# cannot reliably cope with dynamic device configurations, and wrongfully
# expect a populated /dev during bootup.
[Unit]
Description=udev Wait for /dev/dri/card0 Device Initialization
Documentation=man:udev(7) man:systemd-udevd.service(8)
Wants=systemd-udevd.service
After=systemd-udev-trigger.service
Before=display-manager.service
ConditionPathIsReadWrite=/sys
[Service]
Type=oneshot
TimeoutSec=180
RemainAfterExit=yes
ExecStart=/usr/bin/udevadm settle --exit-if-exists=/dev/dri/card0
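Review bot: Nothing in this unit causes it to be started: `Before=display-manager.service` is ordering only and there is no `[Install]` section, so unless another unit in the tree carries `Wants=`/`Requires=` for it (not visible in this commit) the wait never runs and the header comment's "dynamically pulled-in" promise goes unmet. If the intent is to gate the display manager on `/dev/dri/card0`, either add `[Install]` with `WantedBy=graphical.target` and enable it in the build, or name the pulling unit in the header so the dependency is documented.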

update.sh Executable file

@ -0,0 +1,80 @@
#!/bin/bash -ex
BASEURL="$1"
. /etc/os-release
CURRENT_ROOT_HASH=$(</proc/cmdline)
CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH#*roothash=}
CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH%% *}
CURRENT_ROOT_UUID=${CURRENT_ROOT_HASH:32:8}-${CURRENT_ROOT_HASH:40:4}-${CURRENT_ROOT_HASH:44:4}-${CURRENT_ROOT_HASH:48:4}-${CURRENT_ROOT_HASH:52:12}
CURRENT_HASH_UUID=${CURRENT_ROOT_HASH:0:8}-${CURRENT_ROOT_HASH:8:4}-${CURRENT_ROOT_HASH:12:4}-${CURRENT_ROOT_HASH:16:4}-${CURRENT_ROOT_HASH:20:12}
[[ /dev/disk/by-partlabel/root1 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
&& [[ /dev/disk/by-partlabel/ver1 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
&& NEW_ROOT_NUM=2
[[ /dev/disk/by-partlabel/root2 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
&& [[ /dev/disk/by-partlabel/ver2 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
&& NEW_ROOT_NUM=1
if ! [[ $NEW_ROOT_NUM ]]; then
echo "Current partitions booted from not found!"
exit 1
fi
## find base device and partition number
for dev in /dev/disk/by-path/*; do
if ! [[ $VER_PARTNO ]] && [[ /dev/disk/by-partlabel/ver${NEW_ROOT_NUM} -ef $dev ]]; then
VER_PARTNO=${dev##*-part}
ROOT_DEV=${dev%-part*}
fi
if ! [[ $ROOT_PARTNO ]] && [[ /dev/disk/by-partlabel/root${NEW_ROOT_NUM} -ef $dev ]]; then
ROOT_PARTNO=${dev##*-part}
ROOT_DEV=${dev%-part*}
fi
[[ $ROOT_PARTNO ]] && [[ $VER_PARTNO ]] && break
done
if ! [[ $ROOT_PARTNO ]] || ! [[ $VER_PARTNO ]] || ! [[ $ROOT_DEV ]]; then
echo "Couldn't find partition numbers"
exit 1
fi
mkdir -p /var/cache/${NAME}
cd /var/cache/${NAME}
curl ${BASEURL}/${NAME}-latest.txt --output ${NAME}-latest.txt
RELEASE=$(read a b <${NAME}-latest.txt ; echo -n $b)
ROOT_HASH=$(read a b <${NAME}-latest.txt; echo -n $a)
ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]] || [[ ${NAME}-${VERSION_ID} == $RELEASE ]]; then
echo "Already up2date"
exit 1
fi
curl ${BASEURL}/${RELEASE}.tgz | tar xzf -
[[ -d ${RELEASE} ]]
cd ${RELEASE}
dd status=progress if=root.verity.img of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM}
dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
# set the new partition uuids
sfdisk --part-uuid ${ROOT_DEV} ${VER_PARTNO} ${HASH_UUID}
sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
# install to /efi
mkdir -p /efi/EFI/${NAME}
cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
## unless proper boot entries set, just force copy to default boot loader
cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi
mv --backup=numbered /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi
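Review bot: The updater trusts whatever `${BASEURL}` serves: `curl ${BASEURL}/${NAME}-latest.txt` and the tarball fetch carry no `-f`, no `--proto '=https'` and no signature check, and the root hash later written into the slot's PARTUUID comes from that same unauthenticated file. Because the hash is also baked into the downloaded bootx64.efi's command line, dm-verity cannot tell a malicious image from a legitimate one; only a signed bootx64.efi under Secure Boot would, and no signing is visible in this commit. A 404 is not caught either, since curl exits 0 without `-f` and the HTML body becomes `$ROOT_HASH` (the slicing offsets below assume a 64-hex-digit value). Minimum hardening before this ships as `/usr/bin/update`: `curl -fsSL --proto '=https' "${BASEURL}/${NAME}-latest.txt" --output "${NAME}-latest.txt"`, `[[ $ROOT_HASH =~ ^[0-9a-f]{64}$ ]] || exit 1` before any partition is touched, and `set -o pipefail` for the piped tarball fetch.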