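#!/bin/bash
# dracut pre-pivot hook: find the disk that carries the dm-verity root named on
# the kernel command line, unlock (or create) the "data" partition on that same
# disk, mount it on /sysroot/data and bind its var/ and home/ into /sysroot.
#
# getarg, die, warn and vinfo are provided by dracut-lib.sh, not by this file.
# The hook is run by dracut without set -e, so every command whose failure
# matters is checked explicitly.

# Turn the systemd.verity_root_hash= value into a device node path, mirroring
# the way dracut resolves root=.  Anything not matched below cannot be located
# and is a fatal configuration error.
root=$(getarg systemd.verity_root_hash)
case "$root" in
block:LABEL=*|LABEL=*)
  root="${root#block:}"
  # udev encodes "/" inside a filesystem label as \x2f in the by-label name.
  root="$(printf '%s' "$root" | sed 's,/,\\x2f,g')"
  root="/dev/disk/by-label/${root#LABEL=}"
  rootok=1 ;;
block:UUID=*|UUID=*)
  root="${root#block:}"
  root="${root#UUID=}"
  # by-uuid symlink names are lower-case.
  root="$(printf '%s' "$root" | tr "[:upper:]" "[:lower:]")"
  root="/dev/disk/by-uuid/${root}"
  rootok=1 ;;
block:PARTUUID=*|PARTUUID=*)
  root="${root#block:}"
  root="${root#PARTUUID=}"
  # by-partuuid symlink names are lower-case.
  root="$(printf '%s' "$root" | tr "[:upper:]" "[:lower:]")"
  root="/dev/disk/by-partuuid/${root}"
  rootok=1 ;;
block:PARTLABEL=*|PARTLABEL=*)
  root="${root#block:}"
  root="/dev/disk/by-partlabel/${root#PARTLABEL=}"
  rootok=1 ;;
/dev/*)
  rootok=1 ;;
*)
  die "Do not know how to locate root device '$root'" ;;
esac

# Wait for udev to create the TPM resource-manager node and the root device.
udevadm settle --exit-if-exists=/dev/tpmrm0
udevadm settle --exit-if-exists="$root"

# Find the by-path symlink that resolves to the root partition; stripping its
# "-partN" suffix yields the by-path name of the whole disk.
unset FOUND
for d in /dev/disk/by-path/*; do
  [[ "$d" -ef "$root" ]] || continue
  FOUND=1
  break
done
[[ $FOUND ]] || die "No boot disk found"
disk=${d%-part*}

# Find the partition labelled "data" on that disk.  "$disk"* also matches the
# whole-disk node, which has no PARTLABEL and is therefore skipped.
unset FOUND
for datadev in "$disk"*; do
  [[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
  FOUND=1
  break
done
# Without this check $datadev would be left pointing at the last partition of
# the disk and the mkfs.xfs -f below could format an unrelated partition.
[[ $FOUND ]] || die "No partition labelled 'data' found on $disk"

if cryptsetup isLuks --type luks2 "$datadev"; then
  # clevis / tpm2-tools talk to the kernel TPM resource manager directly.
  export TPM2TOOLS_TCTI_NAME=device
  export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
  luksname=luks-$(blkid -o value -s UUID "$datadev")
  mapdev=/dev/mapper/$luksname
  if ! [[ -b "$mapdev" ]]; then
    if ! cryptsetup luksDump "$datadev" | grep -F -q clevis; then
      # First boot: the volume still carries the factory passphrase "zero key".
      # Bind it to the TPM2 sealed against PCR 7 (Secure Boot policy), then
      # drop the factory passphrase so the TPM binding is the only unlock path.
      if printf '%s' "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
        printf '%s' "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
        clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
      # Second attempt with an RSA sealing key (presumably for TPMs that reject
      # the default key type -- confirm against the clevis tpm2 pin docs).
      elif printf '%s' "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
        printf '%s' "zero key" | cryptsetup luksRemoveKey "$datadev" /dev/stdin || die "Failed to remove key from LUKS"
        clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
      else
        # Binding failed: open the volume with the factory passphrase so the
        # boot can continue.  The passphrase stays in the LUKS header, so a
        # later boot will reach this branch again and retry the binding.
        warn "Failed to bind disk to TPM2"
        printf '%s' "zero key" | cryptsetup open --type luks2 "$datadev" "$luksname" --key-file /dev/stdin || die "Failed to open $datadev"
      fi
    else
      # Already bound on a previous boot: unseal the key through the TPM.
      clevis-luks-unlock -d "$datadev" || die "Failed to unlock $datadev"
    fi
  fi
else
  mapdev="$datadev"
fi

# A freshly created (or non-LUKS, never formatted) data volume has no
# filesystem yet; blkid prints nothing for it, so the "xfs" test covers that.
if [[ $(blkid -o value -s TYPE "$mapdev") != "xfs" ]]; then
  mkfs.xfs -f -L data "$mapdev" || die "Failed to create filesystem on $mapdev"
fi
mount "$mapdev" /sysroot/data || die "Failed to mount $mapdev"
[[ -d /sysroot/data/var ]] || mkdir /sysroot/data/var
[[ -d /sysroot/data/home ]] || mkdir /sysroot/data/home
# The verity root is read-only; /var and /home live on the data volume.
mount -o bind /sysroot/data/var /sysroot/var || die "Failed to bind-mount /sysroot/var"
mount -o bind /sysroot/data/home /sysroot/home || die "Failed to bind-mount /sysroot/home"

# Seed the account databases from the factory copy on first boot only; files
# already present on the data volume are never overwritten.  A missing factory
# file is not fatal (cp reports it, the boot continues).
for i in passwd shadow group gshadow subuid subgid; do
  [[ -f "/sysroot/data/var/$i" ]] && continue
  cp -a "/sysroot/usr/share/factory/data/var/$i" "/sysroot/data/var/$i"
done

# Create the remaining volatile paths inside the new root; /dev, /run, /tmp
# and /etc are handled elsewhere and are excluded here.
chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo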