@@ -0,0 +1,45 | |||
|
1 | #!/bin/sh | |
|
2 | ||
|
3 | PREREQ="dropbear" | |
|
4 | ||
|
5 | prereqs() { | |
|
6 | echo "$PREREQ" | |
|
7 | } | |
|
8 | ||
|
9 | case "$1" in | |
|
10 | prereqs) | |
|
11 | prereqs | |
|
12 | exit 0 | |
|
13 | ;; | |
|
14 | esac | |
|
15 | ||
|
16 | . "${CONFDIR}/initramfs.conf" | |
|
17 | . /usr/share/initramfs-tools/hook-functions | |
|
18 | ||
|
19 | if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then | |
|
20 | cat > "${DESTDIR}/bin/unlock" << EOF | |
|
21 | #!/bin/sh | |
|
22 | if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then | |
|
23 | kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\` | |
|
24 | # following line kill the remote shell right after the passphrase has | |
|
25 | # been entered. | |
|
26 | kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\` | |
|
27 | exit 0 | |
|
28 | fi | |
|
29 | exit 1 | |
|
30 | EOF | |
|
31 | ||
|
32 | chmod 755 "${DESTDIR}/bin/unlock" | |
|
33 | ||
|
34 | mkdir -p "${DESTDIR}/lib/unlock" | |
|
35 | cat > "${DESTDIR}/lib/unlock/plymouth" << EOF | |
|
36 | #!/bin/sh | |
|
37 | [ "\$1" == "--ping" ] && exit 1 | |
|
38 | /bin/plymouth "\$@" | |
|
39 | EOF | |
|
40 | ||
|
41 | chmod 755 "${DESTDIR}/lib/unlock/plymouth" | |
|
42 | ||
|
43 | echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd | |
|
44 | ||
|
45 | fi No newline at end of file |
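Review bot: The generated `plymouth` wrapper on hunk line 37 uses `[ "$1" == "--ping" ]` under `#!/bin/sh`; `==` is not POSIX `test` syntax, so on a dash-based `/bin/sh` the comparison errors out and falls through to the real `/bin/plymouth --ping`, which would defeat the wrapper and let cryptroot prompt on the console instead of the SSH session (busybox ash does accept `==`, so this presumably works today only because the initramfs shell is busybox). Use the portable form `[ "\$1" = "--ping" ] && exit 1`. Hunk line 43 also leaves `${DESTDIR}` unquoted and lets the shell strip the quotes around `unlock` from the message; `printf '%s\n' 'To unlock root-partition run "unlock"' >> "${DESTDIR}/etc/motd"` writes the intended text safely. The `kill` lines on 23 and 26 match on `ps | grep` patterns, which is fragile in a minimal initramfs; a short comment there stating that they are meant to stop the waiting cryptroot prompt and the interactive login shell would help the next reader.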
@@ -63,13 +63,13 If you want to change e.g. cross-compiler -> Templates always override defaults | |||
|
63 | 63 | |
|
64 | 64 | ##### `RPI_MODEL`=2 |
|
65 | 65 | Specifiy the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models: |
|
66 | `0` = Used for Raspberry Pi 0 and Raspberry Pi 0 W | |
|
67 | `1` = Used for Pi 1 model A and B | |
|
68 | `1P` = Used for Pi 1 model B+ and A+ | |
|
69 | `2` = Used for Pi 2 model B | |
|
70 | `3` = Used for Pi 3 model B | |
|
71 | `3P` = Used for Pi 3 model B+ | |
|
72 | `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` or `3P` is used. | |
|
66 | - `0` = Used for Raspberry Pi 0 and Raspberry Pi 0 W | |
|
67 | - `1` = Used for Pi 1 model A and B | |
|
68 | - `1P` = Used for Pi 1 model B+ and A+ | |
|
69 | - `2` = Used for Pi 2 model B | |
|
70 | - `3` = Used for Pi 3 model B | |
|
71 | - `3P` = Used for Pi 3 model B+ | |
|
72 | - `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` or `3P` is used. | |
|
73 | 73 | |
|
74 | 74 | ##### `RELEASE`="buster" |
|
75 | 75 | Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`. |
@@ -412,6 +412,12 Set cipher specification string. `aes-xts*` ciphers are strongly recommended. | |||
|
412 | 412 | ##### `CRYPTFS_XTSKEYSIZE`=512 |
|
413 | 413 | Sets key size in bits. The argument has to be a multiple of 8. |
|
414 | 414 | |
|
415 | ##### `CRYPTFS_DROPBEAR`=false | |
|
416 | Enable Dropbear Initramfs support | |
|
417 | ||
|
418 | ##### `CRYPTFS_DROPBEAR_PUBKEY`="" | |
|
419 | Provide path to dropbear Public RSA-OpenSSH Key | |
|
420 | ||
|
415 | 421 | --- |
|
416 | 422 | |
|
417 | 423 | #### Build settings: |
@@ -43,8 +43,39 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then | |||
|
43 | 43 | install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools" |
|
44 | 44 | fi |
|
45 | 45 | |
|
46 | if [ "$CRYPTFS_DROPBEAR" = true ]; then | |
|
47 | if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then | |
|
48 | install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}/dropbear-initramfs/id_rsa.pub" | |
|
49 | cat /etc/dropbear-initramfs/id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys | |
|
50 | else | |
|
51 | # Create key | |
|
52 | chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear | |
|
53 | ||
|
54 | # Convert dropbear key to openssh key | |
|
55 | chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa | |
|
56 | ||
|
57 | # Get Public Key Part | |
|
58 | touch /etc/dropbear-initramfs/id_rsa.pub | |
|
59 | chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub | |
|
60 | ||
|
61 | # Delete unwanted lines | |
|
62 | sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
63 | sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | |
|
64 | ||
|
65 | # Trust the new key | |
|
66 | touch "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |
|
67 | cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | chroot_exec tee -a "${ETC_DIR}"/dropbear-initramfs/authorized_keys | |
|
68 | ||
|
69 | # Save Keys - convert with putty from rsa/openssh to puttkey | |
|
70 | cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa | |
|
71 | ||
|
72 | #Get unlock script | |
|
73 | install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}/initramfs-tools/hooks/crypt_unlock.sh" | |
|
74 | fi | |
|
75 | else | |
|
46 | 76 |
|
|
47 | 77 |
|
|
78 | fi | |
|
48 | 79 | |
|
49 | 80 | # Add cryptsetup modules to initramfs |
|
50 | 81 | printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook" |
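Review bot: Several of the added commands act on the build host rather than the image: hunk line 49 reads and appends to `/etc/dropbear-initramfs/...` with no `${ETC_DIR}` prefix, line 58 touches the same host path, and line 67 hands the host-side `${ETC_DIR}` path to a `tee` run through `chroot_exec`, so (assuming `chroot_exec` executes inside the target root) the image's `authorized_keys` is never populated while the host's may silently gain a trusted key. The `install_exec` of `crypt_unlock.sh` on line 73 sits inside the `else` branch, so a user who supplies `CRYPTFS_DROPBEAR_PUBKEY` gets no `unlock` script in the initramfs. The generated client private key (`id_rsa` and `id_rsa.dropbear`) is copied to `${BASEDIR}` but also left under the image's `/etc/dropbear-initramfs`; since that key alone unlocks the root volume over SSH it should be moved out with mode 0600 and removed from the image. The enclosing file continues outside the hunk.
```shell
if [ "$CRYPTFS_DROPBEAR" = true ]; then
  if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
    install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}/dropbear-initramfs/id_rsa.pub"
    # Trust the supplied key in the IMAGE, not on the build host
    cat "${ETC_DIR}/dropbear-initramfs/id_rsa.pub" >> "${ETC_DIR}/dropbear-initramfs/authorized_keys"
  else
    # … unchanged: dropbearkey / dropbearconvert via chroot_exec …
    # Public key part, dropping dropbearkey's "Public key portion is:" and "Fingerprint:" lines
    chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear \
      | grep -v -e '^Public' -e '^Fingerprint' > "${ETC_DIR}/dropbear-initramfs/id_rsa.pub"
    cat "${ETC_DIR}/dropbear-initramfs/id_rsa.pub" >> "${ETC_DIR}/dropbear-initramfs/authorized_keys"
    # Hand the client private key to the builder (0600) and do not leave it inside the image
    install -m 600 "${ETC_DIR}/dropbear-initramfs/id_rsa" "${BASEDIR}/dropbear_initramfs_key.rsa"
    rm -f "${ETC_DIR}/dropbear-initramfs/id_rsa" "${ETC_DIR}/dropbear-initramfs/id_rsa.dropbear"
  fi
  # Install the unlock hook for both the supplied-key and generated-key cases
  install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}/initramfs-tools/hooks/crypt_unlock.sh"
fi
```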
@@ -198,6 +198,10 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""} | |||
|
198 | 198 | CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"} |
|
199 | 199 | CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"} |
|
200 | 200 | CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512} |
|
201 | #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup | |
|
202 | CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=true} | |
|
203 | #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated | |
|
204 | CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""} | |
|
201 | 205 | |
|
202 | 206 | # Chroot scripts directory |
|
203 | 207 | CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""} |
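Review bot: `CRYPTFS_DROPBEAR` defaults to `true` on the second added line, which enables an SSH listener inside the initramfs for every encrypted build, with an auto-generated key when none is supplied, while the README hunk in this same commit documents the default as `false`. A remote-unlock daemon should be opt-in; change the line to `CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=false}` so the code matches the documentation. The comment above `CRYPTFS_DROPBEAR_PUBKEY` could also state the consequence of leaving it empty: `# OpenSSH-format public key authorized to unlock over SSH; if empty, a key pair is generated and the private half is written to dropbear_initramfs_key.rsa in BASEDIR`.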
@@ -378,6 +382,11 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then | |||
|
378 | 382 | REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup" |
|
379 | 383 | APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup" |
|
380 | 384 | |
|
385 | #If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package | |
|
386 | if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then | |
|
387 | APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs" | |
|
388 | fi | |
|
389 | ||
|
381 | 390 | if [ -z "$CRYPTFS_PASSWORD" ] ; then |
|
382 | 391 | echo "error: no password defined (CRYPTFS_PASSWORD)!" |
|
383 | 392 | exit 1 |
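Review bot: The new `dropbear-initramfs` include is gated on `ENABLE_INITRAMFS`, but the key-generation and hook-install block added earlier in this commit is gated only on `CRYPTFS_DROPBEAR`, so with `CRYPTFS_DROPBEAR=true` and `ENABLE_INITRAMFS` unset the build tries to run `dropbearkey` in a chroot that never received the package. This validation section is the right place to reject that combination up front, in the same style as the `CRYPTFS_PASSWORD` check that follows. A `CRYPTFS_DROPBEAR_PUBKEY` that points at a missing file is likewise worth rejecting here rather than silently falling back to a generated key, mirroring the `NEXMON_DIR` existence check later in the file.
```shell
if [ "$CRYPTFS_DROPBEAR" = true ] ; then
  if [ "$ENABLE_INITRAMFS" != true ] ; then
    echo "error: CRYPTFS_DROPBEAR requires ENABLE_INITRAMFS=true!"
    exit 1
  fi
  if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ ! -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
    echo "error: '${CRYPTFS_DROPBEAR_PUBKEY}' specified file not found (CRYPTFS_DROPBEAR_PUBKEY)!"
    exit 1
  fi
  APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
fi
# … unchanged: CRYPTFS_PASSWORD check …
```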
@@ -472,7 +481,7 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then | |||
|
472 | 481 | exit 1 |
|
473 | 482 | fi |
|
474 | 483 | |
|
475 |
# Check if specified |
|
|
484 | # Check if specified NEXMON_DIR directory exists | |
|
476 | 485 | if [ -n "$NEXMON_DIR" ] && [ ! -d "$NEXMON_DIR" ] ; then |
|
477 | 486 | echo "error: '${NEXMON_DIR}' specified directory not found (NEXMON_DIR)!" |
|
478 | 487 | exit 1 |