@@ -0,0 +1,45 | |||||
|
1 | #!/bin/sh | |||
|
2 | ||||
|
3 | PREREQ="dropbear" | |||
|
4 | ||||
|
5 | prereqs() { | |||
|
6 | echo "$PREREQ" | |||
|
7 | } | |||
|
8 | ||||
|
9 | case "$1" in | |||
|
10 | prereqs) | |||
|
11 | prereqs | |||
|
12 | exit 0 | |||
|
13 | ;; | |||
|
14 | esac | |||
|
15 | ||||
|
16 | . "${CONFDIR}/initramfs.conf" | |||
|
17 | . /usr/share/initramfs-tools/hook-functions | |||
|
18 | ||||
|
19 | if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then | |||
|
20 | cat > "${DESTDIR}/bin/unlock" << EOF | |||
|
21 | #!/bin/sh | |||
|
22 | if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then | |||
|
23 | kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` | |||
|
24 | # following line kill the remote shell right after the passphrase has | |||
|
25 | # been entered. | |||
|
26 | kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` | |||
|
27 | exit 0 | |||
|
28 | fi | |||
|
29 | exit 1 | |||
|
30 | EOF | |||
|
31 | ||||
|
32 | chmod 755 "${DESTDIR}/bin/unlock" | |||
|
33 | ||||
|
34 | mkdir -p "${DESTDIR}/lib/unlock" | |||
|
35 | cat > "${DESTDIR}/lib/unlock/plymouth" << EOF | |||
|
36 | #!/bin/sh | |||
|
37 | [ "\$1" == "--ping" ] && exit 1 | |||
|
38 | /bin/plymouth "\$@" | |||
|
39 | EOF | |||
|
40 | ||||
|
41 | chmod 755 "${DESTDIR}/lib/unlock/plymouth" | |||
|
42 | ||||
|
43 | echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd | |||
|
44 | ||||
|
45 | fi No newline at end of file |
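Review bot: The process lookups at L47 and L53 are substring matches on the whole `ps` line, and `grep "\-sh"` followed by `kill -9` will hit any process whose command line contains `-sh`, not only the remote login shell, with no chance for the victim to clean up; if the initramfs busybox provides `pkill`, `pkill -f cryptroot` narrows the first one, and the second should at least try TERM before KILL. The plymouth shim at L75 tests `[ "\$1" == "--ping" ]` under `#!/bin/sh`; `==` is not POSIX `test`, so whether it works depends on which shell the initramfs installs as /bin/sh (busybox ash accepts it, dash-derived shells reject it) — `[ "\$1" = "--ping" ] && exit 1` is portable and equivalent. `${DESTDIR}` is unquoted in the motd redirect at L87 while every other use in the hook is quoted: `>> "${DESTDIR}/etc/motd"`.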
@@ -63,13 +63,13 If you want to change e.g. cross-compiler -> Templates always override defaults | |||||
63 |
|
63 | |||
64 | ##### `RPI_MODEL`=2 |
|
64 | ##### `RPI_MODEL`=2 | |
65 | Specifiy the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models: |
|
65 | Specifiy the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models: | |
66 | `0` = Used for Raspberry Pi 0 and Raspberry Pi 0 W |
|
66 | - `0` = Used for Raspberry Pi 0 and Raspberry Pi 0 W | |
67 | `1` = Used for Pi 1 model A and B |
|
67 | - `1` = Used for Pi 1 model A and B | |
68 | `1P` = Used for Pi 1 model B+ and A+ |
|
68 | - `1P` = Used for Pi 1 model B+ and A+ | |
69 | `2` = Used for Pi 2 model B |
|
69 | - `2` = Used for Pi 2 model B | |
70 | `3` = Used for Pi 3 model B |
|
70 | - `3` = Used for Pi 3 model B | |
71 | `3P` = Used for Pi 3 model B+ |
|
71 | - `3P` = Used for Pi 3 model B+ | |
72 | `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` or `3P` is used. |
|
72 | - `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` or `3P` is used. | |
73 |
|
73 | |||
74 | ##### `RELEASE`="buster" |
|
74 | ##### `RELEASE`="buster" | |
75 | Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`. |
|
75 | Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`. | |
@@ -412,6 +412,12 Set cipher specification string. `aes-xts*` ciphers are strongly recommended. | |||||
412 | ##### `CRYPTFS_XTSKEYSIZE`=512 |
|
412 | ##### `CRYPTFS_XTSKEYSIZE`=512 | |
413 | Sets key size in bits. The argument has to be a multiple of 8. |
|
413 | Sets key size in bits. The argument has to be a multiple of 8. | |
414 |
|
414 | |||
|
415 | ##### `CRYPTFS_DROPBEAR`=false | |||
|
416 | Enable Dropbear Initramfs support | |||
|
417 | ||||
|
418 | ##### `CRYPTFS_DROPBEAR_PUBKEY`="" | |||
|
419 | Provide path to dropbear Public RSA-OpenSSH Key | |||
|
420 | ||||
415 | --- |
|
421 | --- | |
416 |
|
422 | |||
417 | #### Build settings: |
|
423 | #### Build settings: |
@@ -43,8 +43,39 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then | |||||
43 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" |
|
43 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" | |
44 | fi |
|
44 | fi | |
45 |
|
45 | |||
|
46 | if [ "$CRYPTFS_DROPBEAR" = true ]; then | |||
|
47 | if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then | |||
|
48 | install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}/dropbear-initramfs/id_rsa.pub" | |||
|
49 | cat /etc/dropbear-initramfs/id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys | |||
|
50 | else | |||
|
51 | # Create key | |||
|
52 | chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear | |||
|
53 | ||||
|
54 | # Convert dropbear key to openssh key | |||
|
55 | chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa | |||
|
56 | ||||
|
57 | # Get Public Key Part | |||
|
58 | touch /etc/dropbear-initramfs/id_rsa.pub | |||
|
59 | chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub | |||
|
60 | ||||
|
61 | # Delete unwanted lines | |||
|
62 | sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |||
|
63 | sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |||
|
64 | ||||
|
65 | # Trust the new key | |||
|
66 | touch "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |||
|
67 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | chroot_exec tee -a "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |||
|
68 | ||||
|
69 | # Save Keys - convert with putty from rsa/openssh to puttkey | |||
|
70 | cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa | |||
|
71 | ||||
|
72 | #Get unlock script | |||
|
73 | install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}/initramfs-tools/hooks/crypt_unlock.sh" | |||
|
74 | fi | |||
|
75 | else | |||
46 |
|
|
76 | # Disable SSHD inside initramfs | |
47 |
|
|
77 | printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf" | |
|
78 | fi | |||
48 |
|
79 | |||
49 | # Add cryptsetup modules to initramfs |
|
80 | # Add cryptsetup modules to initramfs | |
50 | printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" |
|
81 | printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" |
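Review bot: The user-supplied-key branch writes to the build host, not the image: `install_readonly` at L178 places the key under `${ETC_DIR}`, but L180 appends `/etc/dropbear-initramfs/id_rsa.pub` to `/etc/dropbear-initramfs/authorized_keys` using absolute host paths, so the image's `authorized_keys` never receives the key and the host's `/etc` is modified (or the command fails, which would abort the build if the script runs with `set -e`); it should read `cat "${ETC_DIR}/dropbear-initramfs/id_rsa.pub" >> "${ETC_DIR}/dropbear-initramfs/authorized_keys"`. The same host/chroot mix-up appears at L198 (a `touch` of the host path before `chroot_exec tee` writes the chroot path) and at L216, where a host-relative `${ETC_DIR}` path is handed to a `tee` that, if `chroot_exec` runs its argument inside the chroot, will not find it. Separately, after L222 exports the generated client private key to `${BASEDIR}`, `id_rsa` and `id_rsa.dropbear` stay in `${ETC_DIR}/dropbear-initramfs` although nothing in this hunk consumes them there; `rm -f "${ETC_DIR}/dropbear-initramfs/id_rsa" "${ETC_DIR}/dropbear-initramfs/id_rsa.dropbear"` after the copy keeps the key that grants remote access to the unlock prompt off the target.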
@@ -198,6 +198,10 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} | |||||
198 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} |
|
198 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} | |
199 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} |
|
199 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} | |
200 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} |
|
200 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} | |
|
201 | #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup | |||
|
202 | CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=true} | |||
|
203 | #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated | |||
|
204 | CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""} | |||
201 |
|
205 | |||
202 | # Chroot scripts directory |
|
206 | # Chroot scripts directory | |
203 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} |
|
207 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} | |
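Review bot: The default at L265, `CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=true}`, contradicts the README text added in the same commit, which documents `CRYPTFS_DROPBEAR`=false; one of the two is wrong, and since an SSH listener inside the initramfs is better left opt-in, the code should follow the documentation: `CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}`. The comment at L263 could also name the dependency the other hunk enforces, e.g. `# Dropbear-initramfs supports unlocking the encrypted filesystem via SSH at boot (only used when ENABLE_INITRAMFS=true)`.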
@@ -378,6 +382,11 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |||||
378 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" |
|
382 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" | |
379 | APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" |
|
383 | APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" | |
380 |
|
384 | |||
|
385 | #If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package | |||
|
386 | if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then | |||
|
387 | APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" | |||
|
388 | fi | |||
|
389 | ||||
381 | if [ -z "$CRYPTFS_PASSWORD" ] ; then |
|
390 | if [ -z "$CRYPTFS_PASSWORD" ] ; then | |
382 | echo "error: no password defined (CRYPTFS_PASSWORD)!" |
|
391 | echo "error: no password defined (CRYPTFS_PASSWORD)!" | |
383 | exit 1 |
|
392 | exit 1 | |
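Review bot: The guard at L292 requires both `CRYPTFS_DROPBEAR` and `ENABLE_INITRAMFS` before adding `dropbear-initramfs` to `APT_INCLUDES`, but the key-generation hunk starting at L174 is conditioned on `CRYPTFS_DROPBEAR` alone and runs `chroot_exec /usr/bin/dropbearkey` and `/usr/lib/dropbear/dropbearconvert`; unless that block sits inside an `ENABLE_INITRAMFS` check outside its hunk, a build with `CRYPTFS_DROPBEAR=true` and `ENABLE_INITRAMFS=false` would invoke binaries in a chroot where the package was never installed. Either use the same two-term condition in both places, or fail early here with an explicit error in the style of the `CRYPTFS_PASSWORD` check at L301.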
@@ -472,7 +481,7 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then | |||||
472 | exit 1 |
|
481 | exit 1 | |
473 | fi |
|
482 | fi | |
474 |
|
483 | |||
475 |
# Check if specified |
|
484 | # Check if specified NEXMON_DIR directory exists | |
476 | if [ -n "$NEXMON_DIR" ] && [ ! -d "$NEXMON_DIR" ] ; then |
|
485 | if [ -n "$NEXMON_DIR" ] && [ ! -d "$NEXMON_DIR" ] ; then | |
477 | echo "error: '${NEXMON_DIR}' specified directory not found (NEXMON_DIR)!" |
|
486 | echo "error: '${NEXMON_DIR}' specified directory not found (NEXMON_DIR)!" | |
478 | exit 1 |
|
487 | exit 1 |