From f2b59207efa677c4b1e2eac1be406a604be40e7b 2018-12-07 18:18:18 From: drtyhlpr Date: 2018-12-07 18:18:18 Subject: [PATCH] Merge pull request #169 from burnbabyburn/dropbear Dropbear --- diff --git a/README.md b/README.md index 52c08dc..7318217 100644 --- a/README.md +++ b/README.md @@ -418,6 +418,12 @@ Set cipher specification string. `aes-xts*` ciphers are strongly recommended. ##### `CRYPTFS_XTSKEYSIZE`=512 Sets key size in bits. The argument has to be a multiple of 8. +##### `CRYPTFS_DROPBEAR`=false +Enable Dropbear Initramfs support + +##### `CRYPTFS_DROPBEAR_PUBKEY`="" +Provide path to dropbear Public RSA-OpenSSH Key + --- #### Build settings: diff --git a/bootstrap.d/14-fstab.sh b/bootstrap.d/14-fstab.sh index e94fd5d..4ecba25 100644 --- a/bootstrap.d/14-fstab.sh +++ b/bootstrap.d/14-fstab.sh @@ -43,8 +43,43 @@ if [ "$ENABLE_INITRAMFS" = true ] ; then install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" fi - # Disable SSHD inside initramfs - printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + if [ "$CRYPTFS_DROPBEAR" = true ]; then + if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then + install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub >> "${ETC_DIR}"/dropbear-initramfs/authorized_keys + else + # Create key + chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear + + # Convert dropbear key to openssh key + chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa + + # Get Public Key Part + chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub + + # Delete unwanted lines + sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub + + # Trust the new key + cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub > "${ETC_DIR}"/dropbear-initramfs/authorized_keys + + # Save Keys - convert with putty from rsa/openssh to puttkey + cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa + + # Get unlock script + install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}"/initramfs-tools/hooks/crypt_unlock.sh + + # Enable Dropbear inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=y\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + + # Enable Dropbear inside initramfs + sed -i "54 i sleep 5" "${R}"/usr/share/initramfs-tools/scripts/init-premount/dropbear + fi + else + # Disable SSHD inside initramfs + printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" + fi # Add cryptsetup modules to initramfs printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh index b3fb928..d7d0239 100644 --- a/bootstrap.d/15-rpi-config.sh +++ b/bootstrap.d/15-rpi-config.sh @@ -85,10 +85,7 @@ if [ "$ENABLE_TURBO" = true ] ; then fi if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then - - # RPI0,3,3P Use default ttyS0 (mini-UART)as serial interface - SET_SERIAL="ttyS0" - + # Bluetooth enabled if [ "$ENABLE_BLUETOOTH" = true ] ; then # Create temporary directory for Bluetooth sources @@ -111,6 +108,10 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then install_readonly "${R}/tmp/pi-bluetooth/usr/bin/btuart" "${R}/usr/bin/btuart" install_readonly "${R}/tmp/pi-bluetooth/usr/bin/bthelper" "${R}/usr/bin/bthelper" + # make scripts executable + chmod +x "${R}/usr/bin/bthelper" + chmod +x "${R}/usr/bin/btuart" + # Install bluetooth udev rule install_readonly "${R}/tmp/pi-bluetooth/lib/udev/rules.d/90-pi-bluetooth.rules" "${LIB_DIR}/udev/rules.d/90-pi-bluetooth.rules" @@ -120,13 +121,13 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then install_readonly "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" "${BLUETOOTH_FIRMWARE_DIR}/LICENCE.broadcom_bcm43xx" install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.bthelper@.service" "${ETC_DIR}/systemd/system/pi-bluetooth.bthelper@.service" install_readonly "${R}/tmp/pi-bluetooth/debian/pi-bluetooth.hciuart.service" "${ETC_DIR}/systemd/system/pi-bluetooth.hciuart.service" - - # Remove temporary directory + + # Remove temporary directories rm -fr "${temp_dir}" - + rm -fr "${R}"/tmp/pi-bluetooth + # Switch Pi3 Bluetooth function to use the mini-UART (ttyS0) and restore UART0/ttyAMA0 over GPIOs 14 & 15. Slow Bluetooth and slow cpu. Use /dev/ttyS0 instead of /dev/ttyAMA0 if [ "$ENABLE_MINIUART_OVERLAY" = true ] ; then - SET_SERIAL="ttyAMA0" # set overlay to swap ttyAMA0 and ttyS0 echo "dtoverlay=pi3-miniuart-bt" >> "${BOOT_DIR}/config.txt" @@ -135,23 +136,15 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then if [ "$ENABLE_TURBO" = false ] ; then echo "core_freq=250" >> "${BOOT_DIR}/config.txt" fi - - # Activate services - chroot_exec systemctl enable pi-bluetooth.hciuart.service - #chroot_exec systemctl enable pi-bluetooth.bthelper@.service - else - chroot_exec systemctl enable pi-bluetooth.hciuart.service - #chroot_exec systemctl enable pi-bluetooth.bthelper@.service fi - + + # Activate services + chroot_exec systemctl enable pi-bluetooth.hciuart.service + else # if ENABLE_BLUETOOTH = false # set overlay to disable bluetooth echo "dtoverlay=pi3-disable-bt" >> "${BOOT_DIR}/config.txt" fi # ENABLE_BLUETOOTH end - -else - # RPI1,1P,2 Use default ttyAMA0 (full UART) as serial interface - SET_SERIAL="ttyAMA0" fi # may need sudo systemctl disable hciuart @@ -159,11 +152,12 @@ if [ "$ENABLE_CONSOLE" = true ] ; then echo "enable_uart=1" >> "${BOOT_DIR}/config.txt" # add string to cmdline CMDLINE="${CMDLINE} console=serial0,115200" - + # Enable serial console systemd style - chroot_exec systemctl enable serial-getty\@"$SET_SERIAL".service + chroot_exec systemctl enable serial-getty\@serial0.service else echo "enable_uart=0" >> "${BOOT_DIR}/config.txt" + # disable serial console systemd style chroot_exec systemctl disable serial-getty\@"$SET_SERIAL".service fi @@ -204,9 +198,10 @@ else CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4" fi fi - if [ "$KERNEL_SECURITY" = true ] ; then - CMDLINE="${CMDLINE} apparmor=1 security=apparmor" - fi + +if [ "$KERNEL_SECURITY" = true ] ; then + CMDLINE="${CMDLINE} apparmor=1 security=apparmor" +fi # Install firmware boot cmdline echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt" diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh index 3aca05f..4e001fe 100644 --- a/bootstrap.d/20-networking.sh +++ b/bootstrap.d/20-networking.sh @@ -57,6 +57,20 @@ else # ENABLE_DHCP=false -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_1}|"\ -e "0,/NTP=\$/ s|NTP=\$|NTP=${NET_NTP_2}|"\ "${ETC_DIR}/systemd/network/eth.network" + + if [ "$CRYPTFS_DROPBEAR" = true ] ; then + # Get cdir from NET_ADDRESS e.g. 24 + cdir=$(${NET_ADDRESS} | cut -d '/' -f2) + + # Convert cdir ro netmask e.g. 24 to 255.255.255.0 + NET_MASK=$(cdr2mask "$cdir") + + # Write static ip settings to "${ETC_DIR}"/initramfs-tools/initramfs.conf + sed -i "\$aIP=${NET_ADDRESS}::${NET_GATEWAY}:${NET_MASK}:${HOSTNAME}:" "${ETC_DIR}"/initramfs-tools/initramfs.conf + + # Regenerate initramfs + chroot_exec mkinitramfs -o "/boot/firmware/initramfs-${KERNEL_VERSION}" "${KERNEL_VERSION}" + fi fi # Remove empty settings from network configuration diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh index 164033c..91b6e26 100644 --- a/bootstrap.d/21-firewall.sh +++ b/bootstrap.d/21-firewall.sh @@ -29,9 +29,10 @@ if [ "$ENABLE_IPTABLES" = true ] ; then if [ "$ENABLE_IPV6" = true ] ; then if [ "$KERNEL_NF" = false ] ; then - #iptables-save and -restore are slaves of iptables and thus are set accordingly - chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy - fi + #iptables-save and -restore are slaves of iptables and thus are set accordingly + chroot_exec update-alternatives --verbose --set ip6tables /usr/sbin/ip6tables-legacy + fi + # Install ip6tables systemd service install_readonly files/iptables/ip6tables.service "${ETC_DIR}/systemd/system/ip6tables.service" diff --git a/bootstrap.d/30-security.sh b/bootstrap.d/30-security.sh index 8ad8275..75e3625 100644 --- a/bootstrap.d/30-security.sh +++ b/bootstrap.d/30-security.sh @@ -22,8 +22,3 @@ else # Set no root password to disable root login chroot_exec usermod -p \'!\' root fi - -# Enable serial console systemd style -if [ "$ENABLE_CONSOLE" = true ] ; then - chroot_exec systemctl enable serial-getty\@ttyAMA0.service -fi diff --git a/bootstrap.d/43-videocore.sh b/bootstrap.d/43-videocore.sh index b8ff518..344965c 100644 --- a/bootstrap.d/43-videocore.sh +++ b/bootstrap.d/43-videocore.sh @@ -50,4 +50,7 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then #back to root of scriptdir cd "${WORKDIR}" + + # Remove videocore sources + rm -fr "${R}"/tmp/userland/ fi diff --git a/files/firstboot/23-regenerate-initramfs.sh b/files/firstboot/23-regenerate-initramfs.sh index 78e2922..1c4f03c 100644 --- a/files/firstboot/23-regenerate-initramfs.sh +++ b/files/firstboot/23-regenerate-initramfs.sh @@ -8,6 +8,7 @@ INITRAMFS_UBOOT="${INITRAMFS}.uboot" # Extract kernel arch case "${KERNEL_ARCH}" in arm*) KERNEL_ARCH=arm ;; + aarch64) KERNEL_ARCH=arm64 ;; esac # Regenerate initramfs diff --git a/files/initramfs/crypt_unlock.sh b/files/initramfs/crypt_unlock.sh new file mode 100644 index 0000000..47b6a8b --- /dev/null +++ b/files/initramfs/crypt_unlock.sh @@ -0,0 +1,45 @@ +#!/bin/sh + +PREREQ="dropbear" + +prereqs() { +echo "$PREREQ" +} + +case "$1" in +prereqs) +prereqs +exit 0 +;; +esac + +. "${CONFDIR}/initramfs.conf" +. /usr/share/initramfs-tools/hook-functions + +if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then +cat > "${DESTDIR}/bin/unlock" << EOF +#!/bin/sh +if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then +kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` +# following line kill the remote shell right after the passphrase has +# been entered. +kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` +exit 0 +fi +exit 1 +EOF + +chmod 755 "${DESTDIR}/bin/unlock" + +mkdir -p "${DESTDIR}/lib/unlock" +cat > "${DESTDIR}/lib/unlock/plymouth" << EOF +#!/bin/sh +[ "\$1" == "--ping" ] && exit 1 +/bin/plymouth "\$@" +EOF + +chmod 755 "${DESTDIR}/lib/unlock/plymouth" + +echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd + +fi \ No newline at end of file diff --git a/functions.sh b/functions.sh index bc10b49..4733375 100644 --- a/functions.sh +++ b/functions.sh @@ -74,18 +74,28 @@ chroot_install_cc() { # Install c/c++ build environment inside the chroot if [ -z "${COMPILER_PACKAGES}" ] ; then COMPILER_PACKAGES=$(chroot_exec apt-get -s install g++ make bc | grep "^Inst " | awk -v ORS=" " '{ print $2 }') - # Install COMPILER_PACKAGES in chroot - chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install "${COMPILER_PACKAGES}" + # Install COMPILER_PACKAGES in chroot - NEVER do "${COMPILER_PACKAGES}" -> breaks uboot + chroot_exec apt-get -q -y --allow-unauthenticated --no-install-recommends install ${COMPILER_PACKAGES} fi } chroot_remove_cc() { # Remove c/c++ build environment from the chroot if [ -n "${COMPILER_PACKAGES}" ] ; then - chroot_exec apt-get -qq -y --auto-remove purge "${COMPILER_PACKAGES}" + chroot_exec apt-get -qq -y --auto-remove purge ${COMPILER_PACKAGES} COMPILER_PACKAGES="" fi } + +# https://serverfault.com/a/682849 - converts e.g. /24 to 255.255.255.0 +cdr2mask () +{ + # Number of args to shift, 255..255, first non-255 byte, zeroes + set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0 + [ $1 -gt 1 ] && shift $1 || shift + echo ${1-0}.${2-0}.${3-0}.${4-0} +} + # GPL v2.0 - #https://github.com/sakaki-/bcmrpi3-kernel-bis/blob/master/conform_config.sh set_kernel_config() { # flag as $1, value to set as $2, config must exist at "./.config" @@ -97,6 +107,7 @@ set_kernel_config() { echo "${TGT}"="${2}" >> .config fi } + # unset kernel config parameter unset_kernel_config() { # unsets flag with the value of $1, config must exist at "./.config" diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index c017612..2ea5bcb 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh @@ -209,6 +209,10 @@ CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} +#Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup +CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false} +#Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated +CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""} # Chroot scripts directory CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} @@ -227,11 +231,9 @@ MISSING_PACKAGES="" # Packages installed for c/c++ build environment in chroot (keep empty) COMPILER_PACKAGES="" -set +x - -#Check if apt-cacher-ng has port 3142 open and set APT_PROXY -APT_CACHER_RUNNING=$(lsof -i :3142 | grep apt-cacher-ng | cut -d ' ' -f3 | uniq) -if [ -n "${APT_CACHER_RUNNING}" ] ; then +# Check if apt-cacher-ng has port 3142 open and set APT_PROXY +APT_CACHER_RUNNING=$(lsof -i :3142 | cut -d ' ' -f3 | uniq | sed '/^\s*$/d') +if [ "${APT_CACHER_RUNNING}" = "apt-cacher-ng" ] ; then APT_PROXY=http://127.0.0.1:3142/ fi @@ -393,6 +395,11 @@ if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" + # If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package + if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then + APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" + fi + if [ -z "$CRYPTFS_PASSWORD" ] ; then echo "error: no password defined (CRYPTFS_PASSWORD)!" exit 1