##// END OF EJS Templates
add dropbear
Unknown -
r447:0958808353fc
parent child
Show More
@@ -0,0 +1,45
1 #!/bin/sh
2
3 PREREQ="dropbear"
4
5 prereqs() {
6 echo "$PREREQ"
7 }
8
9 case "$1" in
10 prereqs)
11 prereqs
12 exit 0
13 ;;
14 esac
15
16 . "${CONFDIR}/initramfs.conf"
17 . /usr/share/initramfs-tools/hook-functions
18
19 if [ "${DROPBEAR}" != "n" ] && [ -r "/etc/crypttab" ] ; then
20 cat > "${DESTDIR}/bin/unlock" << EOF
21 #!/bin/sh
22 if PATH=/lib/unlock:/bin:/sbin /scripts/local-top/cryptroot; then
23 kill \`ps | grep cryptroot | grep -v "grep" | awk '{print \$1}'\`
24 # following line kill the remote shell right after the passphrase has
25 # been entered.
26 kill -9 \`ps | grep "\-sh" | grep -v "grep" | awk '{print \$1}'\`
27 exit 0
28 fi
29 exit 1
30 EOF
31
32 chmod 755 "${DESTDIR}/bin/unlock"
33
34 mkdir -p "${DESTDIR}/lib/unlock"
35 cat > "${DESTDIR}/lib/unlock/plymouth" << EOF
36 #!/bin/sh
37 [ "\$1" == "--ping" ] && exit 1
38 /bin/plymouth "\$@"
39 EOF
40
41 chmod 755 "${DESTDIR}/lib/unlock/plymouth"
42
43 echo To unlock root-partition run "unlock" >> ${DESTDIR}/etc/motd
44
45 fi No newline at end of file
@@ -63,13 +63,13 If you want to change e.g. cross-compiler -> Templates always override defaults
63 63
64 64 ##### `RPI_MODEL`=2
65 65 Specifiy the target Raspberry Pi hardware model. The script at this time supports the following Raspberry Pi models:
66 `0` = Used for Raspberry Pi 0 and Raspberry Pi 0 W
67 `1` = Used for Pi 1 model A and B
68 `1P` = Used for Pi 1 model B+ and A+
69 `2` = Used for Pi 2 model B
70 `3` = Used for Pi 3 model B
71 `3P` = Used for Pi 3 model B+
72 `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` or `3P` is used.
66 - `0` = Used for Raspberry Pi 0 and Raspberry Pi 0 W
67 - `1` = Used for Pi 1 model A and B
68 - `1P` = Used for Pi 1 model B+ and A+
69 - `2` = Used for Pi 2 model B
70 - `3` = Used for Pi 3 model B
71 - `3P` = Used for Pi 3 model B+
72 - `BUILD_KERNEL`=true will automatically be set if the Raspberry Pi model `3` or `3P` is used.
73 73
74 74 ##### `RELEASE`="buster"
75 75 Set the desired Debian release name. The script at this time supports the bootstrapping of the Debian releases `stretch` and `buster`.
@@ -412,6 +412,12 Set cipher specification string. `aes-xts*` ciphers are strongly recommended.
412 412 ##### `CRYPTFS_XTSKEYSIZE`=512
413 413 Sets key size in bits. The argument has to be a multiple of 8.
414 414
415 ##### `CRYPTFS_DROPBEAR`=false
416 Enable Dropbear Initramfs support
417
418 ##### `CRYPTFS_DROPBEAR_PUBKEY`=""
419 Provide path to dropbear Public RSA-OpenSSH Key
420
415 421 ---
416 422
417 423 #### Build settings:
@@ -43,8 +43,39 if [ "$BUILD_KERNEL" = true ] && [ "$ENABLE_INITRAMFS" = true ] ; then
43 43 install_exec files/initramfs/expand-tools "${ETC_DIR}/initramfs-tools/hooks/expand-tools"
44 44 fi
45 45
46 if [ "$CRYPTFS_DROPBEAR" = true ]; then
47 if [ -n "$CRYPTFS_DROPBEAR_PUBKEY" ] && [ -f "$CRYPTFS_DROPBEAR_PUBKEY" ] ; then
48 install_readonly "${CRYPTFS_DROPBEAR_PUBKEY}" "${ETC_DIR}/dropbear-initramfs/id_rsa.pub"
49 cat /etc/dropbear-initramfs/id_rsa.pub >> /etc/dropbear-initramfs/authorized_keys
50 else
51 # Create key
52 chroot_exec /usr/bin/dropbearkey -t rsa -f /etc/dropbear-initramfs/id_rsa.dropbear
53
54 # Convert dropbear key to openssh key
55 chroot_exec /usr/lib/dropbear/dropbearconvert dropbear openssh /etc/dropbear-initramfs/id_rsa.dropbear /etc/dropbear-initramfs/id_rsa
56
57 # Get Public Key Part
58 touch /etc/dropbear-initramfs/id_rsa.pub
59 chroot_exec /usr/bin/dropbearkey -y -f /etc/dropbear-initramfs/id_rsa.dropbear | chroot_exec tee /etc/dropbear-initramfs/id_rsa.pub
60
61 # Delete unwanted lines
62 sed -i '/Public/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
63 sed -i '/Fingerprint/d' "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub
64
65 # Trust the new key
66 touch "${ETC_DIR}"/dropbear-initramfs/authorized_keys
67 cat "${ETC_DIR}"/dropbear-initramfs/id_rsa.pub | chroot_exec tee -a "${ETC_DIR}"/dropbear-initramfs/authorized_keys
68
69 # Save Keys - convert with putty from rsa/openssh to puttkey
70 cp -f "${ETC_DIR}"/dropbear-initramfs/id_rsa "${BASEDIR}"/dropbear_initramfs_key.rsa
71
72 #Get unlock script
73 install_exec files/initramfs/crypt_unlock.sh "${ETC_DIR}/initramfs-tools/hooks/crypt_unlock.sh"
74 fi
75 else
46 76 # Disable SSHD inside initramfs
47 77 printf "#\n# DROPBEAR: [ y | n ]\n#\n\nDROPBEAR=n\n" >> "${ETC_DIR}/initramfs-tools/initramfs.conf"
78 fi
48 79
49 80 # Add cryptsetup modules to initramfs
50 81 printf "#\n# CRYPTSETUP: [ y | n ]\n#\n\nCRYPTSETUP=y\n" >> "${ETC_DIR}/initramfs-tools/conf-hook"
@@ -198,6 +198,10 CRYPTFS_PASSWORD=${CRYPTFS_PASSWORD:=""}
198 198 CRYPTFS_MAPPING=${CRYPTFS_MAPPING:="secure"}
199 199 CRYPTFS_CIPHER=${CRYPTFS_CIPHER:="aes-xts-plain64:sha512"}
200 200 CRYPTFS_XTSKEYSIZE=${CRYPTFS_XTSKEYSIZE:=512}
201 #Dropbear-initramfs supports unlocking encrypted filesystem via SSH on bootup
202 CRYPTFS_DROPBEAR=${CRYPTFS_DROPBEAR:=true}
203 #Provide your own Dropbear Public RSA-OpenSSH Key otherwise it will be generated
204 CRYPTFS_DROPBEAR_PUBKEY=${CRYPTFS_DROPBEAR_PUBKEY:=""}
201 205
202 206 # Chroot scripts directory
203 207 CHROOT_SCRIPTS=${CHROOT_SCRIPTS:=""}
@@ -378,6 +382,11 if [ "$ENABLE_CRYPTFS" = true ] && [ "$BUILD_KERNEL" = true ] ; then
378 382 REQUIRED_PACKAGES="${REQUIRED_PACKAGES} cryptsetup"
379 383 APT_INCLUDES="${APT_INCLUDES},cryptsetup,busybox,console-setup"
380 384
385 #If cryptfs,dropbear and initramfs are enabled include dropbear-initramfs package
386 if [ "$CRYPTFS_DROPBEAR" = true ] && [ "$ENABLE_INITRAMFS" = true ]; then
387 APT_INCLUDES="${APT_INCLUDES},dropbear-initramfs"
388 fi
389
381 390 if [ -z "$CRYPTFS_PASSWORD" ] ; then
382 391 echo "error: no password defined (CRYPTFS_PASSWORD)!"
383 392 exit 1
@@ -472,7 +481,7 if [ -n "$FBTURBOSRC_DIR" ] && [ ! -d "$FBTURBOSRC_DIR" ] ; then
472 481 exit 1
473 482 fi
474 483
475 # Check if specified FBTURBOSRC_DIR directory exists
484 # Check if specified NEXMON_DIR directory exists
476 485 if [ -n "$NEXMON_DIR" ] && [ ! -d "$NEXMON_DIR" ] ; then
477 486 echo "error: '${NEXMON_DIR}' specified directory not found (NEXMON_DIR)!"
478 487 exit 1
General Comments 0
Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant