From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/genkernel:master commit in: /, defaults/
Date: Sat, 7 Jan 2017 23:50:32 +0000 (UTC) [thread overview]
Message-ID: <1483832985.11a3470508a6475a5fee00f26ccbd7a98b4f9e01.robbat2@gentoo> (raw)
commit: 11a3470508a6475a5fee00f26ccbd7a98b4f9e01
Author: Sebastian Bauer <sebastian.j.bauer <AT> gmail <DOT> com>
AuthorDate: Thu Aug 21 21:19:16 2014 +0000
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Sat Jan 7 23:49:45 2017 +0000
URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=11a34705
FL-1476: Add support for remote decryption of luks devices via dropbear
(cherry picked from commit 1886bbafecca1c225646e8d297bbb522caedfd9b)
Closes: https://bugs.gentoo.org/show_bug.cgi?id=440126
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
defaults/initrd.scripts | 42 ++++++++++++++--
defaults/login-remote.sh | 127 +++++++++++++++++++++++++++++++++++++++++++++++
gen_initramfs.sh | 72 +++++++++++++++++++++++++++
genkernel.conf | 3 ++
4 files changed, 241 insertions(+), 3 deletions(-)
diff --git a/defaults/initrd.scripts b/defaults/initrd.scripts
index 1ee1699..17166e4 100644
--- a/defaults/initrd.scripts
+++ b/defaults/initrd.scripts
@@ -752,7 +752,7 @@ prompt_user(){
bad_msg '- type "shell" for a shell'
bad_msg '- type "q" to skip...'
printf "%s" "${2}(${oldvalue}) :: "
- read ${1}
+ read -t 10 ${1}
case `eval echo '$'${1}` in
'q')
eval ${1}'='${oldvalue}
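Review bot: `read -t 10 ${1}` puts a 10-second timeout on every caller of prompt_user, not only on the LUKS retry loop that presumably needs it so openLUKS can re-check its `${flag_opened}` marker; a user answering a root-device or key-device prompt on the console now loses the prompt after 10 idle seconds, and a timed-out read leaves `${1}` empty or partially typed, which the following `case` then handles as an ordinary answer. Consider making it conditional, `if [ -e /usr/sbin/dropbear ]; then read -t 10 ${1}; else read ${1}; fi`, and add a why-comment such as `# time out so openLUKS can notice a remote unlock (flag_opened)`. `read -t` is also not POSIX sh, so the initramfs shell is assumed to be busybox ash or bash. prompt_user continues outside the hunk.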
@@ -1169,7 +1169,7 @@ openLUKS() {
eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"' LUKS_NAME="$1" LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"' LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"' LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"'
local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0
- local mntkey="/mnt/key/" cryptsetup_options=''
+ local mntkey="/mnt/key/" cryptsetup_options='' flag_opened="/${TYPE}.decrypted"
[ ! -e /sbin/cryptsetup ] && bad_msg "The ramdisk does not support LUKS" && exit 1
while [ 1 ]
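Review bot: `flag_opened="/${TYPE}.decrypted"` expands with the same uppercase TYPE used by the `eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"'` line (ROOT/SWAP), so the marker files are `/ROOT.decrypted` and `/SWAP.decrypted`, while the cleanup added to startLUKS in the `@@ -1335,6 +1346,31 @@` hunk removes `/root.decrypted` and `/swap.decrypted` and therefore never matches on a case-sensitive root filesystem. login-remote.sh builds the same uppercase path, so the fix belongs in startLUKS, `rm -f /ROOT.decrypted /SWAP.decrypted`, or better derive the name there from the same TYPE convention. A comment on this line, `# marker touched by whichever side (console or ssh login) opens the device first`, would explain the file. openLUKS continues outside the hunk.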
@@ -1191,6 +1191,10 @@ openLUKS() {
then
prompt_user "LUKS_KEYDEV" "${LUKS_NAME} key device"
KEYDEV_ERROR=0
+ elif [ -e ${flag_opened} ]
+ then
+ good_msg "The LUKS device ${LUKS_DEVICE} meanwhile was opened by someone else."
+ break
else
LUKS_DEVICE=$(find_real_device "${LUKS_DEVICE}")
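Review bot: The `elif [ -e ${flag_opened} ]` branch is reached only after the error-prompt branches above it, so while KEYDEV_ERROR (or the error branches that start above the hunk) is set the loop first runs prompt_user and waits out its timeout before a remote unlock is noticed; login-remote.sh tests the marker first in its loop, and moving this check to the head of the if-chain would be consistent with it and skip the needless prompt. The path is unquoted, harmless because TYPE is a fixed word, but `[ -e "${flag_opened}" ]` matches the quoting used on the surrounding lines. openLUKS starts and ends outside the hunk.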
@@ -1284,6 +1288,8 @@ openLUKS() {
crypt_filter "${gpg_cmd}cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
crypt_filter_ret=$?
+ touch ${flag_opened}
+
[ -e /dev/tty.org ] \
&& rm -f /dev/tty \
&& mv /dev/tty.org /dev/tty
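Review bot: `touch ${flag_opened}` runs right after `crypt_filter_ret=$?` regardless of the result, so a failed gpg-keyfile attempt still creates the marker; login-remote.sh checks that marker first in its loop, reports "The LUKS device ... meanwhile was opened by someone else." and breaks, and its own counterpart only touches the file when `crypt_filter_ret -eq 0`. Unless code below the hunk removes the marker on failure, guard it: `[ ${crypt_filter_ret} -eq 0 ] && touch ${flag_opened}`. openLUKS continues outside the hunk.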
@@ -1307,7 +1313,12 @@ openLUKS() {
startLUKS() {
- # if key is set but key device isn't, find it
+ # if key is set but neither ssh enabled or key device is given, find
+ # the key device
+
+ if [ -e "/usr/sbin/dropbear" ]; then
+ startdropbear
+ fi
[ -n "${CRYPT_ROOT_KEY}" ] && [ -z "${CRYPT_ROOT_KEYDEV}" ] \
&& sleep 6 && bootstrapKey "ROOT"
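Review bot: The rewritten comment says the key device is searched only when ssh is not enabled, but the condition below it is unchanged — `[ -n "${CRYPT_ROOT_KEY}" ] && [ -z "${CRYPT_ROOT_KEYDEV}" ]` still runs bootstrapKey whether or not dropbear was started. Either restore the original wording, `# if key is set but key device isn't, find it`, or make the code match by prefixing the test with `[ ! -e /usr/sbin/dropbear ] &&`. The `if [ -e "/usr/sbin/dropbear" ]` probe is repeated in the teardown later in startLUKS; a single variable set here would keep the two in step. startLUKS continues outside the hunk.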
@@ -1335,6 +1346,31 @@ startLUKS() {
REAL_RESUME="/dev/mapper/swap"
fi
fi
+
+ if [ -e "/usr/sbin/dropbear" ]; then
+ /bin/kill $(cat /var/run/dropbear.pid)
+ /sbin/ifconfig $(echo "${IP}" | awk -F":" '{print $6}' ) 0.0.0.0
+ fi
+
+ if [ -e /root.decrypted ]; then
+ rm /root.decrypted
+ fi
+
+ if [ -e /swap.decrypted ]; then
+ rm /swap.decrypted
+ fi
+}
+
+startdropbear() {
+ if [ "${IP}" == '' ] ; then
+ busybox udhcpc -n -T 15 -q
+ fi
+
+ # setup environment variables for the ssh login shell
+ echo "CRYPT_ROOT=${CRYPT_ROOT}" > /etc/login-remote.conf
+ echo "CRYPT_SWAP=${CRYPT_SWAP}" >> /etc/login-remote.conf
+ touch /var/log/lastlog
+ /usr/sbin/dropbear
}
sdelay() {
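Review bot: The teardown `/sbin/ifconfig $(echo "${IP}" | awk -F":" '{print $6}' ) 0.0.0.0` assumes the interface name is the sixth colon field of `IP`, but startdropbear falls back to `busybox udhcpc` exactly when `IP` is empty, and then awk yields nothing and ifconfig is handed `0.0.0.0` as the interface name; the pid file is also read without checking that it exists. Guard both: `[ -r /var/run/dropbear.pid ] && /bin/kill "$(cat /var/run/dropbear.pid)"`, then `iface=$(echo "${IP}" | awk -F":" '{print $6}')` and `[ -n "${iface}" ] && /sbin/ifconfig "${iface}" 0.0.0.0`. In startdropbear the `echo "CRYPT_ROOT=${CRYPT_ROOT}" > /etc/login-remote.conf` lines write the values unquoted into a file that login-remote.sh later sources, so a value containing shell metacharacters is re-parsed; emitting them single-quoted (`CRYPT_ROOT='${CRYPT_ROOT}'`) avoids that. A header comment on startdropbear, `# bring up networking if no ip= was given, export the LUKS device names to the ssh login shell and start dropbear`, would document the function.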
diff --git a/defaults/login-remote.sh b/defaults/login-remote.sh
new file mode 100644
index 0000000..630d484
--- /dev/null
+++ b/defaults/login-remote.sh
@@ -0,0 +1,127 @@
+#!/bin/sh
+
+. /etc/login-remote.conf
+. /etc/initrd.defaults
+. /etc/initrd.scripts
+KEYFILE_ROOT="/tmp/root.key"
+KEYFILE_SWAP="/tmp/swap.key"
+
+splash() {
+ return 0
+}
+
+[ -e /etc/initrd.splash ] && . /etc/initrd.splash
+
+receivefile() {
+ case ${1} in
+ root)
+ file=${KEYFILE_ROOT}
+ ;;
+ swap)
+ file=${KEYFILE_SWAP}
+ ;;
+ esac
+ # limit maximum stored bytes to 1M to avoid killing the server
+ dd of=${file} count=1k bs=1k 2>/dev/null
+ exit $?
+}
+
+openLUKSremote() {
+ case $1 in
+ root)
+ local TYPE=ROOT
+ ;;
+ swap)
+ local TYPE=SWAP
+ ;;
+ esac
+
+ [ ! -d /tmp/key ] && mkdir -p /tmp/key
+
+ eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"' LUKS_NAME="$1" LUKS_KEY='"${KEYFILE_'${TYPE}'}"'
+ local DEV_ERROR=0 KEY_ERROR=0
+ local input="" cryptsetup_options="" flag_opened="/${TYPE}.decrypted"
+ while [ 1 ]
+ do
+ local gpg_cmd="" crypt_filter_ret=42
+ echo $-
+ sleep 1
+
+ if [ -e ${flag_opened} ]
+ then
+ good_msg "The LUKS device ${LUKS_DEVICE} meanwhile was opened by someone else."
+ break
+ elif [ ${DEV_ERROR} -eq 1 ]
+ then
+ prompt_user "LUKS_DEVICE" "${LUKS_NAME}"
+ DEV_ERROR=0
+ else
+ LUKS_DEVICE=$(find_real_device "${LUKS_DEVICE}")
+
+ setup_md_device ${LUKS_DEVICE}
+ cryptsetup isLuks ${LUKS_DEVICE}
+ if [ $? -ne 0 ]
+ then
+ bad_msg "The LUKS device ${LUKS_DEVICE} does not contain a LUKS header" ${CRYPT_SILENT}
+ DEV_ERROR=1
+ continue
+ else
+ # Handle keys
+ if [ "x${LUKS_TRIM}" = "xyes" ]
+ then
+ good_msg "Enabling TRIM support for ${LUKS_NAME}." ${CRYPT_SILENT}
+ cryptsetup_options="${cryptsetup_options} --allow-discards"
+ fi
+
+ if [ ${crypt_filter_ret} -ne 0 ]
+ then
+ # 1st try: unencrypted keyfile
+ crypt_filter "cryptsetup ${cryptsetup_options} --key-file ${LUKS_KEY} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
+ crypt_filter_ret=$?
+
+ if [ ${crypt_filter_ret} -ne 0 ]
+ then
+ # 2nd try: gpg-encrypted keyfile
+ [ -e /dev/tty ] && mv /dev/tty /dev/tty.org
+ mknod /dev/tty c 5 1
+ gpg_cmd="/sbin/gpg --logger-file /dev/null --quiet --decrypt ${LUKS_KEY} |"
+ crypt_filter "${gpg_cmd}cryptsetup ${cryptsetup_options} --key-file ${LUKS_KEY} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
+ crypt_filter_ret=$?
+
+ [ -e /dev/tty.org ] \
+ && rm -f /dev/tty \
+ && mv /dev/tty.org /dev/tty
+ fi
+ fi
+
+ if [ ${crypt_filter_ret} -eq 0 ]
+ then
+ touch ${flag_opened}
+ good_msg "LUKS device ${LUKS_DEVICE} opened" ${CRYPT_SILENT}
+ break
+ else
+ bad_msg "Failed to open LUKS device ${LUKS_DEVICE}" ${CRYPT_SILENT}
+ DEV_ERROR=1
+ fi
+ fi
+ fi
+ done
+ rm -f ${LUKS_KEY}
+ cd /
+ rmdir -p tmp/key
+}
+
+if [ "x${1}" = "x-c" ]
+then
+ command=$(echo ${2} | awk -F" " '{print $1}')
+ type=$(echo ${2} | awk -F" " '{print $2}')
+
+ case ${command} in
+ post)
+ receivefile ${type}
+ ;;
+ esac
+else
+ [ -n "${CRYPT_ROOT}" ] && openLUKSremote root
+ [ -n "${CRYPT_SWAP}" ] && openLUKSremote swap
+fi
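Review bot: The gpg fallback `crypt_filter "${gpg_cmd}cryptsetup ${cryptsetup_options} --key-file ${LUKS_KEY} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"` still passes `--key-file ${LUKS_KEY}`, so cryptsetup presumably reads the still-encrypted file rather than the decrypted key gpg pipes to its stdin, and the second attempt just repeats the first; the equivalent line in initrd.scripts omits `--key-file` for the gpg case, so this one should read `crypt_filter "${gpg_cmd}cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"`. `echo $-` inside the loop looks like leftover debugging output that is printed to the ssh session every second and should go. `LUKS_TRIM` is tested but never assigned in this script (the `eval local` line does not import `CRYPT_${TYPE}_TRIM` as initrd.scripts does), so the TRIM branch is dead here. In receivefile an unrecognised type leaves `file` unset and `dd of=` gets an empty name; a `*) exit 1 ;;` arm closes that.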
diff --git a/gen_initramfs.sh b/gen_initramfs.sh
index 10108fb..e81b477 100755
--- a/gen_initramfs.sh
+++ b/gen_initramfs.sh
@@ -632,6 +632,77 @@ append_luks() {
rm -r "${TEMP}/initramfs-luks-temp/"
}
+append_dropbear(){
+ if [ -d "${TEMP}"/initramfs-dropbear-temp ]
+ then
+ rm -r "${TEMP}"/initramfs-dropbear-temp
+ fi
+
+ if [ ! -d /etc/dropbear ]
+ then
+ mkdir /etc/dropbear
+ fi
+ if [ ! -e /etc/dropbear/dropbear_rsa_host_key ]
+ then
+ if [ -e /usr/bin/dropbearconvert -a /etc/ssh/ssh_host_rsa_key ]
+ then
+ /usr/bin/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
+ else
+ /usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 4096 > /dev/null
+ fi
+ fi
+
+ if [ ! -e /etc/dropbear/dropbear_dss_host_key ]
+ then
+ /usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key > /dev/null
+ fi
+
+ cd "${TEMP}" \
+ || gen_die "cd '${TEMP}' failed"
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/var/run
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/var/log
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/etc/dropbear
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/bin
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/root/.ssh
+
+ cp -L ${GK_SHARE}/defaults/login-remote.sh ${TEMP}/initramfs-dropbear-temp/bin/
+ cp -L /etc/dropbear/{dropbear_rsa_host_key,dropbear_dss_host_key} ${TEMP}/initramfs-dropbear-temp/etc/dropbear/
+ cp -L /etc/dropbear/authorized_keys ${TEMP}/initramfs-dropbear-temp/root/.ssh
+ cp -L /etc/localtime ${TEMP}/initramfs-dropbear-temp/etc/
+ if [ ${ARCH} = "x86_64" ]
+ then
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/lib64
+ cp -L /lib64/libnss_files.so.2 ${TEMP}/initramfs-dropbear-temp/lib64/
+ else
+ mkdir -p ${TEMP}/initramfs-dropbear-temp/lib
+ cp -L /lib/libnss_files.so.2 ${TEMP}/initramfs-dropbear-temp/lib/
+ fi
+
+ sed "s/compat/files/g" /etc/nsswitch.conf > ${TEMP}/initramfs-dropbear-temp/etc/nsswitch.conf
+ echo "root:x:0:0:root:/root:/bin/login-remote.sh" > ${TEMP}/initramfs-dropbear-temp/etc/passwd
+ echo "/bin/login-remote.sh" > ${TEMP}/initramfs-dropbear-temp/etc/shells
+ echo "root:!:0:0:99999:7:::" > ${TEMP}/initramfs-dropbear-temp/etc/shadow
+ echo "root:x:0:root" > ${TEMP}/initramfs-dropbear-temp/etc/group
+ echo "" > ${TEMP}/initramfs-dropbear-temp/var/log/lastlog
+
+ chmod 0755 ${TEMP}/initramfs-dropbear-temp/bin/login-remote.sh
+ chmod 0700 ${TEMP}/initramfs-dropbear-temp/root/.ssh
+ chmod 0640 ${TEMP}/initramfs-dropbear-temp/etc/shadow
+ chmod 0644 ${TEMP}/initramfs-dropbear-temp/etc/passwd
+ chmod 0644 ${TEMP}/initramfs-dropbear-temp/etc/group
+ mkfifo ${TEMP}/initramfs-dropbear-temp/etc/dropbear/fifo_root
+ mkfifo ${TEMP}/initramfs-dropbear-temp/etc/dropbear/fifo_swap
+
+ copy_binaries "${TEMP}"/initramfs-dropbear-temp/ /usr/sbin/dropbear \
+ /bin/login /usr/bin/passwd
+
+ log_future_cpio_content
+ cd "${TEMP}"/initramfs-dropbear-temp \
+ || gen_die "cd '${TEMP}/initramfs-dropbear-temp' failed"
+ find . -print | cpio ${CPIO_ARGS} --append -F "${CPIO}"
+ rm -rf "${TEMP}"/initramfs-dropbear-temp > /dev/null
+}
+
append_firmware() {
if [ -z "${FIRMWARE_FILES}" -a ! -d "${FIRMWARE_DIR}" ]
then
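Review bot: `[ -e /usr/bin/dropbearconvert -a /etc/ssh/ssh_host_rsa_key ]` tests the second path as a non-empty string, not for existence, so the branch always runs dropbearconvert when the converter is installed and fails, leaving no RSA host key, when /etc/ssh/ssh_host_rsa_key is absent; write `[ -e /usr/bin/dropbearconvert -a -e /etc/ssh/ssh_host_rsa_key ]`. `cp -L /etc/dropbear/authorized_keys ...` likewise has no existence check, and a missing file yields an initramfs with an ssh server nobody can log in to; a `gen_die` with a clear message is better than a silent cp error. The dropbear host private key is copied into the archive, so the initramfs file's permissions become part of that key's protection — worth a comment such as `# the private host key ends up in the initramfs; keep the image non-world-readable`. fifo_root and fifo_swap are created but nothing in this commit reads them. append_dropbear is complete within the hunk.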
@@ -882,6 +953,7 @@ create_initramfs() {
append_data 'iscsi' "${ISCSI}"
append_data 'mdadm' "${MDADM}"
append_data 'luks' "${LUKS}"
+ append_data 'dropbear' "${SSH}"
append_data 'multipath' "${MULTIPATH}"
append_data 'gpg' "${GPG}"
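Review bot: `append_data 'dropbear' "${SSH}"` is the only place the new SSH switch is consumed, and the diffstat shows no change to option or defaults parsing, so unless handled elsewhere `SSH` can only be set through genkernel.conf and is empty by default; a command-line switch and a default alongside the other append_data switches would match how LUKS is exposed. login-remote.sh and the dropbear start in startLUKS rely on the LUKS payload (cryptsetup and the openLUKS helpers), so a check that SSH implies LUKS, or at least a comment here naming the dependency, would prevent an initramfs with dropbear but no way to unlock anything.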
diff --git a/genkernel.conf b/genkernel.conf
index a95978d..d8f4ede 100644
--- a/genkernel.conf
+++ b/genkernel.conf
@@ -83,6 +83,9 @@ USECOLOR="yes"
# Add DMRAID support.
#DMRAID="no"
+# Add SSH support.
+#SSH="no"
+
# Include (or suppresses the inclusion of) busybox in the initrd or initramfs.
# If included, busybox is rebuilt if the cached copy is out of date.
#BUSYBOX="yes"
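Review bot: `# Add SSH support.` does not tell the reader what the option does or requires; per the rest of the commit it starts a dropbear sshd in the initramfs so LUKS devices can be unlocked remotely, needs LUKS enabled, copies `/etc/dropbear/authorized_keys` in, and takes the host key from `/etc/dropbear/` (converted from `/etc/ssh/ssh_host_rsa_key` when present). A comment such as `# Add SSH support: include dropbear in the initramfs for remote LUKS unlock (requires LUKS; logins via /etc/dropbear/authorized_keys).` would save a trip to the source.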