From f6eed4220861bece9c09b6fe8f3feef4f236364c Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Wed, 19 Jul 2023 18:48:03 -0400 Subject: [PATCH 1/3] Add external/usb disk encryption (adds exfatprogs and e2fsprogs) prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive. Adds: - e2fsprogs to support ext4 filesystem creation through mke2fs - add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4 - removes mke2fs support from busybox - bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here) - Adds exfatprogs to have mkfs.exfat and fsck.exfat - Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat - Modify most board configs to test space requirements failing - Talos2 linux config: add staging Exfat support - Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs - Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review - etc/luks_functions: cleanup GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR) --- Makefile | 2 + config/busybox.config | 94 ++++--- config/linux-talos-2.config | 60 +++-- initrd/bin/mount-usb | 208 +++++++++++---- initrd/bin/oem-factory-reset | 2 +- initrd/bin/root-hashes-gui.sh | 6 +- initrd/etc/functions | 18 ++ initrd/etc/luks-functions | 243 +++++++++++++++++- initrd/etc/mke2fs.conf | 45 ++++ modules/busybox | 4 +- modules/e2fsprogs | 34 +++ modules/exfatprogs | 34 +++ ...ybox-1.33.2.patch => busybox-1.36.1.patch} | 0 13 files changed, 634 insertions(+), 116 deletions(-) create mode 100644 initrd/etc/mke2fs.conf create mode 100644 modules/e2fsprogs create mode 100644 modules/exfatprogs rename 
patches/{busybox-1.33.2.patch => busybox-1.36.1.patch} (100%) diff --git a/Makefile b/Makefile index cf1052a47..cff4d5f03 100644 --- a/Makefile +++ b/Makefile @@ -525,6 +525,8 @@ bin_modules-$(CONFIG_IO386) += io386 bin_modules-$(CONFIG_IOPORT) += ioport bin_modules-$(CONFIG_KBD) += kbd bin_modules-$(CONFIG_ZSTD) += zstd +bin_modules-$(CONFIG_E2FSPROGS) += e2fsprogs +bin_modules-$(CONFIG_EXFATPROGS) += exfatprogs $(foreach m, $(bin_modules-y), \ $(call map,initrd_bin_add,$(call bins,$m)) \ diff --git a/config/busybox.config b/config/busybox.config index c5891f256..3701311c9 100644 --- a/config/busybox.config +++ b/config/busybox.config @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit -# Busybox version: 1.33.2 -# Mon Jul 3 16:24:44 2023 +# Busybox version: 1.36.1 +# Fri Jul 21 14:38:54 2023 # CONFIG_HAVE_DOT_CONFIG=y @@ -93,10 +93,16 @@ CONFIG_FEATURE_BUFFERS_USE_MALLOC=y # CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set CONFIG_PASSWORD_MINLEN=6 CONFIG_MD5_SMALL=1 +CONFIG_SHA1_SMALL=3 +CONFIG_SHA1_HWACCEL=y +CONFIG_SHA256_HWACCEL=y CONFIG_SHA3_SMALL=1 -# CONFIG_FEATURE_FAST_TOP is not set -# CONFIG_FEATURE_ETC_NETWORKS is not set -# CONFIG_FEATURE_ETC_SERVICES is not set +CONFIG_FEATURE_NON_POSIX_CP=y +# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set +CONFIG_FEATURE_USE_SENDFILE=y +CONFIG_FEATURE_COPYBUF_KB=4 +CONFIG_MONOTONIC_SYSCALL=y +CONFIG_IOCTL_HEX2STR_ERROR=y CONFIG_FEATURE_EDITING=y CONFIG_FEATURE_EDITING_MAX_LEN=1024 # CONFIG_FEATURE_EDITING_VI is not set 
@@ -120,14 +126,9 @@ CONFIG_LAST_SUPPORTED_WCHAR=767 # CONFIG_UNICODE_BIDI_SUPPORT is not set # CONFIG_UNICODE_NEUTRAL_TABLE is not set # CONFIG_UNICODE_PRESERVE_BROKEN is not set -CONFIG_FEATURE_NON_POSIX_CP=y -# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set -CONFIG_FEATURE_USE_SENDFILE=y -CONFIG_FEATURE_COPYBUF_KB=4 -CONFIG_FEATURE_SKIP_ROOTFS=y -CONFIG_MONOTONIC_SYSCALL=y -CONFIG_IOCTL_HEX2STR_ERROR=y -CONFIG_FEATURE_HWIB=y +# CONFIG_LOOP_CONFIGURE is not set +# CONFIG_NO_LOOP_CONFIGURE is not set +CONFIG_TRY_LOOP_CONFIGURE=y # # Applets @@ -162,6 +163,8 @@ CONFIG_FEATURE_BZIP2_DECOMPRESS=y CONFIG_CPIO=y CONFIG_FEATURE_CPIO_O=y CONFIG_FEATURE_CPIO_P=y +CONFIG_FEATURE_CPIO_IGNORE_DEVNO=y +CONFIG_FEATURE_CPIO_RENUMBER_INODES=y # CONFIG_DPKG is not set # CONFIG_DPKG_DEB is not set CONFIG_GZIP=y @@ -197,6 +200,22 @@ CONFIG_FEATURE_LZMA_FAST=y # # Coreutils # +CONFIG_FEATURE_VERBOSE=y + +# +# Common options for date and touch +# +# CONFIG_FEATURE_TIMEZONE is not set + +# +# Common options for cp and mv +# +CONFIG_FEATURE_PRESERVE_HARDLINKS=y + +# +# Common options for df, du, ls +# +CONFIG_FEATURE_HUMAN_READABLE=y CONFIG_BASENAME=y CONFIG_CAT=y CONFIG_FEATURE_CATN=y @@ -207,11 +226,13 @@ CONFIG_CHMOD=y # CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set CONFIG_CHROOT=y # CONFIG_CKSUM is not set +CONFIG_CRC32=y # CONFIG_COMM is not set CONFIG_CP=y CONFIG_FEATURE_CP_LONG_OPTIONS=y CONFIG_FEATURE_CP_REFLINK=y CONFIG_CUT=y +CONFIG_FEATURE_CUT_REGEX=y CONFIG_DATE=y CONFIG_FEATURE_DATE_ISOFMT=y # CONFIG_FEATURE_DATE_NANO is not set @@ -223,6 +244,7 @@ CONFIG_FEATURE_DD_IBS_OBS=y CONFIG_FEATURE_DD_STATUS=y CONFIG_DF=y CONFIG_FEATURE_DF_FANCY=y +CONFIG_FEATURE_SKIP_ROOTFS=y CONFIG_DIRNAME=y # CONFIG_DOS2UNIX is not set # CONFIG_UNIX2DOS is not set 
@@ -316,13 +338,13 @@ CONFIG_TEST2=y CONFIG_FEATURE_TEST_64=y # CONFIG_TIMEOUT is not set CONFIG_TOUCH=y -CONFIG_FEATURE_TOUCH_NODEREF=y CONFIG_FEATURE_TOUCH_SUSV3=y CONFIG_TR=y CONFIG_FEATURE_TR_CLASSES=y CONFIG_FEATURE_TR_EQUIV=y CONFIG_TRUE=y CONFIG_TRUNCATE=y +CONFIG_TSORT=y CONFIG_TTY=y CONFIG_UNAME=y CONFIG_UNAME_OSNAME="GNU/Linux" @@ -342,21 +364,6 @@ CONFIG_FEATURE_WC_LARGE=y # CONFIG_WHOAMI is not set # CONFIG_YES is not set -# -# Common options -# -CONFIG_FEATURE_VERBOSE=y - -# -# Common options for cp and mv -# -CONFIG_FEATURE_PRESERVE_HARDLINKS=y - -# -# Common options for df, du, ls -# -CONFIG_FEATURE_HUMAN_READABLE=y - # # Console Utilities # @@ -420,6 +427,7 @@ CONFIG_VI=y CONFIG_FEATURE_VI_MAX_LEN=4096 # CONFIG_FEATURE_VI_8BIT is not set CONFIG_FEATURE_VI_COLON=y +CONFIG_FEATURE_VI_COLON_EXPAND=y CONFIG_FEATURE_VI_YANKMARK=y CONFIG_FEATURE_VI_SEARCH=y # CONFIG_FEATURE_VI_REGEX_SEARCH is not set @@ -433,6 +441,7 @@ CONFIG_FEATURE_VI_ASK_TERMINAL=y CONFIG_FEATURE_VI_UNDO=y CONFIG_FEATURE_VI_UNDO_QUEUE=y CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256 +CONFIG_FEATURE_VI_VERBOSE_STATUS=y CONFIG_FEATURE_ALLOW_EXEC=y # @@ -441,7 +450,11 @@ CONFIG_FEATURE_ALLOW_EXEC=y CONFIG_FIND=y CONFIG_FEATURE_FIND_PRINT0=y CONFIG_FEATURE_FIND_MTIME=y +CONFIG_FEATURE_FIND_ATIME=y +CONFIG_FEATURE_FIND_CTIME=y CONFIG_FEATURE_FIND_MMIN=y +CONFIG_FEATURE_FIND_AMIN=y +CONFIG_FEATURE_FIND_CMIN=y CONFIG_FEATURE_FIND_PERM=y CONFIG_FEATURE_FIND_TYPE=y CONFIG_FEATURE_FIND_EXECUTABLE=y @@ -449,6 +462,7 @@ CONFIG_FEATURE_FIND_XDEV=y CONFIG_FEATURE_FIND_MAXDEPTH=y CONFIG_FEATURE_FIND_NEWER=y CONFIG_FEATURE_FIND_INUM=y +CONFIG_FEATURE_FIND_SAMEFILE=y CONFIG_FEATURE_FIND_EXEC=y CONFIG_FEATURE_FIND_EXEC_PLUS=y CONFIG_FEATURE_FIND_USER=y 
@@ -641,7 +655,7 @@ CONFIG_LSUSB=y # CONFIG_FEATURE_MDEV_DAEMON is not set # CONFIG_MESG is not set # CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP is not set -CONFIG_MKE2FS=y +# CONFIG_MKE2FS is not set # CONFIG_MKFS_EXT2 is not set # CONFIG_MKFS_MINIX is not set # CONFIG_FEATURE_MINIX2 is not set @@ -739,6 +753,7 @@ CONFIG_FEATURE_VOLUMEID_XFS=y # Miscellaneous Utilities # # CONFIG_ADJTIMEX is not set +CONFIG_ASCII=y # CONFIG_BBCONFIG is not set # CONFIG_FEATURE_COMPRESS_BBCONFIG is not set # CONFIG_BC is not set @@ -819,10 +834,12 @@ CONFIG_PARTPROBE=y # CONFIG_RFKILL is not set # CONFIG_RUNLEVEL is not set # CONFIG_RX is not set +CONFIG_SEEDRNG=y CONFIG_SETFATTR=y CONFIG_SETSERIAL=y CONFIG_STRINGS=y CONFIG_TIME=y +CONFIG_TREE=y # CONFIG_TS is not set # CONFIG_TTYSIZE is not set # CONFIG_UBIATTACH is not set @@ -834,6 +851,7 @@ CONFIG_TIME=y # CONFIG_UBIRENAME is not set # CONFIG_VOLNAME is not set # CONFIG_WATCHDOG is not set +# CONFIG_FEATURE_WATCHDOG_OPEN_TWICE is not set # # Networking Utilities @@ -842,6 +860,9 @@ CONFIG_TIME=y # CONFIG_FEATURE_UNIX_LOCAL is not set # CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set # CONFIG_VERBOSE_RESOLUTION_ERRORS is not set +# CONFIG_FEATURE_ETC_NETWORKS is not set +# CONFIG_FEATURE_ETC_SERVICES is not set +CONFIG_FEATURE_HWIB=y # CONFIG_FEATURE_TLS_SHA1 is not set CONFIG_ARP=y # CONFIG_ARPING is not set @@ -860,6 +881,7 @@ CONFIG_ARP=y # CONFIG_HOSTNAME is not set # CONFIG_DNSDOMAINNAME is not set # CONFIG_HTTPD is not set +CONFIG_FEATURE_HTTPD_PORT_DEFAULT=0 # CONFIG_FEATURE_HTTPD_RANGES is not set # CONFIG_FEATURE_HTTPD_SETUID is not set # CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set @@ -952,6 +974,7 @@ CONFIG_SSL_CLIENT=y # CONFIG_FEATURE_TELNET_WIDTH is not set # CONFIG_TELNETD is not set # CONFIG_FEATURE_TELNETD_STANDALONE is not set +CONFIG_FEATURE_TELNETD_PORT_DEFAULT=0 # CONFIG_FEATURE_TELNETD_INETD_WAIT is not set CONFIG_TFTP=y CONFIG_FEATURE_TFTP_PROGRESS_BAR=y 
@@ -972,6 +995,7 @@ CONFIG_VCONFIG=y CONFIG_WGET=y CONFIG_FEATURE_WGET_LONG_OPTIONS=y # CONFIG_FEATURE_WGET_STATUSBAR is not set +CONFIG_FEATURE_WGET_FTP=y # CONFIG_FEATURE_WGET_AUTHENTICATION is not set CONFIG_FEATURE_WGET_TIMEOUT=y CONFIG_FEATURE_WGET_HTTPS=y @@ -988,6 +1012,7 @@ CONFIG_UDHCPC=y CONFIG_FEATURE_UDHCPC_ARPING=y CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y CONFIG_UDHCPC_DEFAULT_SCRIPT="/sbin/config-dhcp.sh" +CONFIG_UDHCPC6_DEFAULT_SCRIPT="" # CONFIG_UDHCPC6 is not set # CONFIG_FEATURE_UDHCPC6_RFC3646 is not set # CONFIG_FEATURE_UDHCPC6_RFC4704 is not set @@ -997,6 +1022,7 @@ CONFIG_UDHCPC_DEFAULT_SCRIPT="/sbin/config-dhcp.sh" # # Common options for DHCP applets # +CONFIG_UDHCPC_DEFAULT_INTERFACE="eth0" # CONFIG_FEATURE_UDHCP_PORT is not set CONFIG_UDHCP_DEBUG=9 CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80 @@ -1014,17 +1040,19 @@ CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="" # # Mail Utilities # +CONFIG_FEATURE_MIME_CHARSET="" # CONFIG_MAKEMIME is not set # CONFIG_POPMAILDIR is not set # CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set # CONFIG_REFORMIME is not set # CONFIG_FEATURE_REFORMIME_COMPAT is not set # CONFIG_SENDMAIL is not set -CONFIG_FEATURE_MIME_CHARSET="" # # Process Utilities # +# CONFIG_FEATURE_FAST_TOP is not set +CONFIG_FEATURE_SHOW_THREADS=y # CONFIG_FREE is not set # CONFIG_FUSER is not set # CONFIG_IOSTAT is not set @@ -1063,7 +1091,6 @@ CONFIG_FEATURE_TOPMEM=y # CONFIG_UPTIME is not set # CONFIG_FEATURE_UPTIME_UTMP_SUPPORT is not set # CONFIG_WATCH is not set -CONFIG_FEATURE_SHOW_THREADS=y # # Runit Utilities @@ -1120,6 +1147,7 @@ CONFIG_ASH_EXPAND_PRMT=y CONFIG_ASH_ECHO=y CONFIG_ASH_PRINTF=y CONFIG_ASH_TEST=y +CONFIG_ASH_SLEEP=y CONFIG_ASH_HELP=y CONFIG_ASH_GETOPTS=y CONFIG_ASH_CMDCMD=y 
@@ -1128,8 +1156,8 @@ CONFIG_ASH_CMDCMD=y # CONFIG_SHELL_HUSH is not set # CONFIG_HUSH_BASH_COMPAT is not set # CONFIG_HUSH_BRACE_EXPANSION is not set -# CONFIG_HUSH_LINENO_VAR is not set # CONFIG_HUSH_BASH_SOURCE_CURDIR is not set +# CONFIG_HUSH_LINENO_VAR is not set # CONFIG_HUSH_INTERACTIVE is not set # CONFIG_HUSH_SAVEHISTORY is not set # CONFIG_HUSH_JOB is not set diff --git a/config/linux-talos-2.config b/config/linux-talos-2.config index b22324272..9c1fabadd 100644 --- a/config/linux-talos-2.config +++ b/config/linux-talos-2.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/powerpc 5.5.0-openpower1 Kernel Configuration +# Linux/powerpc 5.5.0 Kernel Configuration # # @@ -415,24 +415,6 @@ CONFIG_ARCH_RANDOM=y # CONFIG_VIRTUALIZATION is not set CONFIG_HAVE_LIVEPATCH=y -# -# Firmware Drivers -# -# CONFIG_FIRMWARE_MEMMAP is not set -CONFIG_GOOGLE_FIRMWARE=y -CONFIG_GOOGLE_COREBOOT_TABLE=y -CONFIG_GOOGLE_COREBOOT_CBMEM=y -CONFIG_GOOGLE_MEMCONSOLE=y -CONFIG_GOOGLE_MEMCONSOLE_COREBOOT=y -# CONFIG_GOOGLE_VPD is not set -CONFIG_EFI_EARLYCON=y - -# -# Tegra firmware driver -# -# end of Tegra firmware driver -# end of Firmware Drivers - # # General architecture-dependent options # @@ -504,7 +486,6 @@ CONFIG_ARCH_OPTIONAL_KERNEL_RWX=y CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y CONFIG_STRICT_KERNEL_RWX=y CONFIG_ARCH_HAS_PHYS_TO_DMA=y -CONFIG_ARCH_USE_MEMREMAP_PROT=y # CONFIG_LOCK_EVENT_COUNTS is not set # 
@@ -2431,7 +2412,44 @@ CONFIG_VIRTIO_PCI_LEGACY=y # end of Microsoft Hyper-V guest support # CONFIG_GREYBUS is not set -# CONFIG_STAGING is not set +CONFIG_STAGING=y +# CONFIG_COMEDI is not set +# CONFIG_RTS5208 is not set +# CONFIG_FB_SM750 is not set + +# +# Speakup console speech +# +# CONFIG_SPEAKUP is not set +# end of Speakup console speech + +# CONFIG_STAGING_MEDIA is not set + +# +# Android +# +# end of Android + +# CONFIG_LTE_GDM724X is not set +# CONFIG_GS_FPGABOOT is not set +# CONFIG_UNISYSSPAR is not set + +# +# Gasket devices +# +# end of Gasket devices + +# CONFIG_XIL_AXIS_FIFO is not set +# CONFIG_FIELDBUS_DEV is not set +# CONFIG_USB_WUSB_CBAF is not set +# CONFIG_UWB is not set +CONFIG_EXFAT_FS=y +CONFIG_EXFAT_DISCARD=y +# CONFIG_EXFAT_DELAYED_SYNC is not set +# CONFIG_EXFAT_KERNEL_DEBUG is not set +# CONFIG_EXFAT_DEBUG_MSG is not set +CONFIG_EXFAT_DEFAULT_CODEPAGE=437 +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" # CONFIG_GOLDFISH is not set # CONFIG_HWSPINLOCK is not set diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index 35e81f07f..771bebabf 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb 
@@ -1,16 +1,84 @@ #!/bin/bash # Mount a USB device . /etc/functions +. /etc/luks-functions TRACE "Under /bin/mount-usb" +function usage() { + cat < <--device device> <--mountpoint mountpoint> <--pass passphrase> + $0 --help + +parameters: + --mode: ro or rw (default ro) + --device: device to mount (default: first USB device found) + --mountpoint: where to mount the device (default: /media) + --pass: passphrase for LUKS device (default: none) + --help: Show this help +USAGE_END +} + +MODE="ro" +DEVICE="" +MOUNTPOINT="/media" +PASS="" + + +#Only assign --mode, --device, --mountpoint and --pass parameters only if variables following them are not empty +while [ $# -gt 0 ]; do + case "$1" in + --mode) + if [ -n "$2" ]; then + MODE="$2" + shift + shift + fi + ;; + --device) + if [ -n "$2" ]; then + DEVICE="$2" + shift + shift + fi + ;; + --mountpoint) + if [ -n "$2" ]; then + MOUNTPOINT="$2" + shift + shift + fi + ;; + --pass) + if [ -n "$2" ]; then + PASS="$2" + shift + shift + fi + ;; + *) + usage + exit 1 + ;; + esac +done + + +#Show parameters content but not LUKS passphrase: if empty, show "empty", if provided, show "provided" +DEBUG "Parameters: --mode=$MODE, --device=${DEVICE:-empty}, --mountpoint=$MOUNTPOINT, --pass=${PASS:+provided}" + enable_usb enable_usb_storage -if [ ! -d /media ]; then - mkdir /media +if [ ! -d "$MOUNTPOINT" ]; then + DEBUG "Creating $MOUNTPOINT directory" + mkdir -p "$MOUNTPOINT" > /dev/null 2>&1 +else + DEBUG "Cleaning $MOUNTPOINT directory" + umount "$MOUNTPOINT" > /dev/null 2>&1 || true fi + list_usb_storage > /tmp/usb_block_devices if [ -z "$(cat /tmp/usb_block_devices)" ]; then if [ -x /bin/whiptail ]; then 
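Review bot: The option loop in the new parser never terminates when an option arrives without a value: `--mode` as the last argument, or `--pass ""`, fails the `[ -n "$2" ]` test, nothing is shifted, and `case "$1"` re-evaluates the same word forever. Each branch needs an exit for that case, e.g. `else usage; exit 1; fi` after the inner `if`, or shift unconditionally and reject the empty value afterwards; the same missing-shift pattern is in the `*)` branch of `prepare_thumb_drive` in initrd/etc/luks-functions, which prints usage and then loops on the same argument. `MODE` is also never validated, so any value other than `rw` silently mounts read-only; a check such as `[ "$MODE" = ro ] || [ "$MODE" = rw ] || die "ERROR: --mode must be ro or rw"` after the loop makes a typo visible. Passing the LUKS passphrase as an argv value (`--pass`) exposes it to anything that can read `/proc/*/cmdline` for the lifetime of the script; if a caller needs it non-interactively, reading it from a file descriptor or a permission-restricted file is the safer interface.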
@@ -34,56 +102,102 @@ if [ -z "$(cat /tmp/usb_block_devices)" ]; then fi USB_MOUNT_DEVICE="" -# Check for the common case: a single USB disk with one partition -if [ `cat /tmp/usb_block_devices | wc -l` -eq 1 ]; then - USB_MOUNT_DEVICE=`cat /tmp/usb_block_devices` -fi -# otherwise, let the user pick -if [ -z ${USB_MOUNT_DEVICE} ]; then - > /tmp/usb_disk_list - for i in `cat /tmp/usb_block_devices`; do - echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list - done - - if [ -x /bin/whiptail ]; then - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < /tmp/usb_disk_list - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail $BG_COLOR --title "Select your USB disk" \ - --menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail - - option_index=$(cat /tmp/whiptail) +# Check if the user has specified a USB device +if [ -n "$DEVICE" ]; then + DEBUG "Checking if "$DEVICE" is a USB detected block device" + if grep -q "$DEVICE" /tmp/usb_block_devices; then + DEBUG "Selected device is a USB block device" + USB_MOUNT_DEVICE="$DEVICE" else - echo "+++ Select your USB disk:" - n=0 - while read option - do - n=`expr $n + 1` - echo "$n. 
$option" - done < /tmp/usb_disk_list - - read \ - -p "Choose your USB disk [1-$n, a to abort]: " \ - option_index + die "ERROR: Selected $DEVICE is not a USB block device" fi +else + # Check for the common case: a single USB disk with one partition + if [ $(cat /tmp/usb_block_devices | wc -l) -eq 1 ]; then + USB_MOUNT_DEVICE="$(cat /tmp/usb_block_devices)" + fi + # otherwise, let the user pick + if [ -z ${USB_MOUNT_DEVICE} ]; then + > /tmp/usb_disk_list + for i in $(cat /tmp/usb_block_devices); do + #appends label to the device name + echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list + done - if [ "$option_index" = "a" ]; then - exit 5 + if [ -x /bin/whiptail ]; then + MENU_OPTIONS="" + n=0 + while read option + do + n=$(expr $n + 1) + option=$(echo $option | tr " " "_") + MENU_OPTIONS="$MENU_OPTIONS $n ${option}" + done < /tmp/usb_disk_list + + MENU_OPTIONS="$MENU_OPTIONS a Abort" + whiptail $BG_COLOR --title "Select your USB disk" \ + --menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \ + -- $MENU_OPTIONS \ + 2>/tmp/whiptail + if [ $? -ne 0 ]; then + die "ERROR: Selecting USB disk/partition aborted." + fi + option_index=$(cat /tmp/whiptail) + else + echo "+++ Select your USB disk:" + n=0 + while read option + do + n=$(expr $n + 1) + echo "$n. 
$option" + done < /tmp/usb_disk_list + + read \ + -p "Choose your USB disk [1-$n, a to abort]: " \ + option_index + fi + + if [ "$option_index" = "a" ]; then + exit 5 + fi + USB_MOUNT_DEVICE=$(head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//') fi - USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'` +fi + +DEBUG "Checking if $USB_MOUNT_DEVICE is a LUKS device/partition" +if cryptsetup isLuks "$USB_MOUNT_DEVICE"; then + DEBUG "Selected USB partition is a LUKS device" + #Selected USB partition is a LUKS device + if [ -e /dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")" ]; then + DEBUG "Closing currently mapped LUKS device" + cryptsetup close "usb_mount_$(basename "$USB_MOUNT_DEVICE")" + fi + DEBUG "Opening LUKS device $USB_MOUNT_DEVICE" + #Pass LUKS passphrase to cryptsetup only if we received one + if [ -z "$PASS" ]; then + #We haven't received a passphrase + cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" \ + || die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device" + else + #We received a pasphrase + cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" --key-file <(echo -n "${PASS}") \ + || die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device" + fi + + warn "Note that you cannot boot from a mounted encrypted device." + DEBUG "Setting USB_MOUNT_DEVICE=/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")"" + USB_MOUNT_DEVICE="/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")"" +else + # Selected USB partition is not a LUKS device + DEBUG "Selected USB partition is not a LUKS device, continuing..." 
fi -if [ "$1" = "rw" ]; then - mount -o rw $USB_MOUNT_DEVICE /media + +# Mount the USB device +if [ "$MODE" = "rw" ]; then + DEBUG "Mounting $USB_MOUNT_DEVICE as read-write" + mount -o rw "$USB_MOUNT_DEVICE" "$MOUNTPOINT" || die "ERROR: Failed to mount ${USB_MOUNT_DEVICE} as read-write" else - mount -o ro $USB_MOUNT_DEVICE /media + DEBUG "Mounting $USB_MOUNT_DEVICE as read-only" + mount -o ro "$USB_MOUNT_DEVICE" "$MOUNTPOINT" || die "ERROR: Failed to mount ${USB_MOUNT_DEVICE} as read-only" fi diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 9c90732fc..74378fa08 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -546,7 +546,7 @@ if [ "$prompt_output" == "y" \ # mount USB over /media only if not already mounted if ! grep -q /media /proc/mounts ; then # mount USB in rw - if ! mount-usb rw 2>/tmp/error; then + if ! mount-usb -mode rw 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" fi diff --git a/initrd/bin/root-hashes-gui.sh b/initrd/bin/root-hashes-gui.sh index d4bcab448..94533bcb0 100755 --- a/initrd/bin/root-hashes-gui.sh +++ b/initrd/bin/root-hashes-gui.sh @@ -171,7 +171,7 @@ detect_root_device() # check $CONFIG_ROOT_DEV if set/valid if [ -e "$CONFIG_ROOT_DEV" ]; then if cryptsetup isLuks $CONFIG_ROOT_DEV >/dev/null 2>&1; then - if cryptsetup luksOpen $CONFIG_ROOT_DEV rootdisk; then + if cryptsetup open $CONFIG_ROOT_DEV rootdisk; then if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS return 0 
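Review bot: `grep -q "$DEVICE" /tmp/usb_block_devices` is a substring regex match, so `--device /dev/sdb` passes the check when only `/dev/sdb1` was listed (the whole disk is then mounted instead of the partition), and any regex metacharacter in the path is interpreted rather than compared. An exact fixed-string line match is what the check intends: `grep -qxF -- "$DEVICE" /tmp/usb_block_devices`. The `[ -z ${USB_MOUNT_DEVICE} ]` test just below is carried over unquoted; quoting it costs nothing while the line is being moved.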
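Review bot: `mount-usb -mode rw` uses a single dash, but the parser added to initrd/bin/mount-usb in this same patch only matches `--mode`; `-mode` lands in the `*)` branch, which prints usage and exits 1, so this factory-reset path will always fail to mount the USB drive read-write and `/tmp/error` will not hold a useful message. The line should read `if ! mount-usb --mode rw 2>/tmp/error; then`. Any other caller still invoking `mount-usb rw` outside this diff breaks the same way, since a bare `rw` also hits `*)`. The enclosing `if [ "$prompt_output" == "y" ...` block starts and ends outside the hunk.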
@@ -199,7 +199,7 @@ detect_root_device() # iterate thru possible options and check for LUKS for i in `cat /tmp_root_device_list`; do if cryptsetup isLuks $i >/dev/null 2>&1; then - if cryptsetup luksOpen $i rootdisk; then + if cryptsetup open $i rootdisk; then if mount -o ro /dev/mapper/rootdisk $ROOT_MOUNT >/dev/null 2>&1; then if cd $ROOT_MOUNT && ls -d $CONFIG_ROOT_DIRLIST >/dev/null 2>&1; then # CONFIG_ROOT_DEV is valid device and contains an installed OS @@ -220,7 +220,7 @@ unmount_root_device() { cd / umount $ROOT_MOUNT 2>/dev/null - cryptsetup luksClose rootdisk + cryptsetup close rootdisk } checkonly="n" diff --git a/initrd/etc/functions b/initrd/etc/functions index 5b1a719b0..f90b25ee9 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -102,6 +102,15 @@ enable_usb_storage() list_usb_storage() { TRACE "Under /etc/functions:list_usb_storage" + # List all USB storage devices, including partitions unless we received argument stating we want drives only + # The output is a list of device names, one per line. + + if [ "$1" = "disks" ]; then + DEBUG "Listing USB storage devices (disks only) since list_usb_storage was called with 'disks' argument" + else + DEBUG "Listing USB storage devices (including partitions)" + fi + stat -c %N /sys/block/sd* 2>/dev/null | grep usb | cut -f1 -d ' ' | sed "s/[']//g" | @@ -109,6 +118,7 @@ list_usb_storage() # Ignore devices of size 0, such as empty SD card # readers on laptops attached via USB. if [ "$(cat "$b/size")" -gt 0 ]; then + DEBUG "USB storage device of size greater then 0: $b" echo "$b" fi done | 
@@ -131,9 +141,17 @@ list_usb_storage() DISK_DATA=$(fdisk -l "$b") if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" || [ $(echo "$DISK_DATA" | wc -l) -eq 5 ]; then # No partition table, include this device + DEBUG "USB storage device without partition table: $b" + echo "$b" + #Bypass the check for partitions if we want only disks + elif [ "$1" = "disks" ]; then + # disks only were requested, so we don't list partitions + DEBUG "USB storage device with partition table: $b" + DEBUG "We asked for disks only, so we don't want to list partitions" echo "$b" else # Has a partition table, include partitions + DEBUG "USB storage device with partition table: $b" ls -1 "$b"* | awk 'NR!=1 {print $0}' fi done diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 3fa3cd525..31b9abb2a 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions 
@@ -1,19 +1,240 @@ #!/bin/bash -# Reencrypt LUKS container and change Disk Recovery Key associated passphrase (Slot 0: main slot) +# LUKS related functions . /etc/functions . /etc/gui_functions . /tmp/config +#List all LUKS devices on the system +list_luks_devices() +{ + #generate a list of devices to choose from that contain a LUKS header + lvm vgscan||true + blkid | cut -d ':' -f 1 | while read device + do cryptsetup isLuks $device + if [ $? -eq 0 ]; then + echo "$device" + fi + done | sort +} + + +#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75 +select_luks_container_size_percent() +{ + TRACE "Under /etc/luks-functions:select_luks_container_size_percent()" + if [ -x /bin/whiptail ]; then + #whiptail prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75 + #whiptail returns the percentage of the device to use for LUKS container + whiptail --title "Select LUKS container size percentage of device" --menu \ + "Select LUKS container size percentage of device:" 0 80 10 \ + "10" "10%" \ + "25" "25%" \ + "50" "50%" \ + "75" "75%" \ + 2> /tmp/luks_container_size_percent \ + || die "Error selecting LUKS container size percentage of device" + else + #console prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75 + #console prompt returns the percentage of the device to use for LUKS container + echo "Select LUKS container size percentage of device:" + echo "1. 10%" + echo "2. 25%" + echo "3. 50%" + echo "4. 
75%" + read -p "Choose your LUKS container size percentage of device [1-3]: " option_index + if [ "$option_index" = "1" ]; then + echo "10" > /tmp/luks_container_size_percent + elif [ "$option_index" = "2" ]; then + echo "25" > /tmp/luks_container_size_percent + elif [ "$option_index" = "3" ]; then + echo "50" > /tmp/luks_container_size_percent + elif [ "$option_index" = "4" ]; then + echo "75" > /tmp/luks_container_size_percent + else + die "Error selecting LUKS container size percentage of device" + fi + fi +} + +#Partition a device with two partitions: a first one being a LUKS container containing private ext4 partition and second public exfat partition +# Size provisioning is done by percentage of the device +prepare_thumb_drive() +{ + TRACE "Under /etc/luks-functions:prepare_thumb_drive()" + #Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning + #If no passphrase was provided, ask user to select passphrase for LUKS container + # if no device provided as parameter, we will ask user to select device to partition + # if no percentage provided as parameter, we will default to 10% of device to use for LUKS container + # we will validate parameters and not make them positional and print a usage function first + + #Set defaults + DEVICE="" #Will list all usb storage devices if not provided as parameter + PERCENTAGE="10" #default to 10% of device to use for LUKS container (requires a LUKS partition bigger then 32mb!) 
+ PASSPHRASE="" #Will prompt user for passphrase if not provided as parameter + + #Parse parameters + while [ $# -gt 0 ]; do + case "$1" in + --device) + DEVICE=$2 + shift 2 + ;; + --percentage) + PERCENTAGE=$2 + shift 2 + ;; + --passphrase) + PASSPHRASE=$2 + shift 2 + ;; + *) + echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--passphrase passphrase]" + ;; + esac + done + + DEBUG "DEVICE to partition: $DEVICE" + DEBUG "PERCENTAGE of device that will be used for LUKS container: $PERCENTAGE" + #Output provided if passphrase is provided as parameter + DEBUG "PASSPHRASE for LUKS container: ${PASSPHRASE:+provided}" + + #Prompt for passphrase if not provided as parameter + if [ -z "$PASSPHRASE" ]; then + #If no passphrase was provided, ask user to select passphrase for LUKS container + #console based no whiptail + while [[ ${#PASSPHRASE} -lt 8 ]]; do + { + echo -e "\nEnter passphrase for LUKS container (At least 8 characters long):" + #hide passphrase input from read command + read -r -s PASSPHRASE + #skip confirmation if passphrase is less then 8 characters long (continue) + if [[ ${#PASSPHRASE} -lt 8 ]]; then + echo -e "\nPassphrase must be at least 8 characters long. Please try again." + unset PASSPHRASE + continue + fi + #validate passphrase and ask user to re-enter if not at least 8 characters long + #confirm passphrase + echo -e "\nConfirm passphrase for LUKS container:" + #hide passphrase input from read command + read -r -s PASSPHRASE_CONFIRM + #compare passphrase and passphrase confirmation + if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then + echo -e "\nPassphrases do not match. Please try again." 
+ unset PASSPHRASE + unset PASSPHRASE_CONFIRM + fi + + };done + fi + + #If no device was provided, ask user to select device to partition + if [ -z "$DEVICE" ]; then + #warn user to disconnect all external drives + if [ -x /bin/whiptail ]; then + whiptail $BG_COLOR_WARNING --title "WARNING: Disconnect all external drives" --msgbox \ + "WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 \ + || die "User cancelled wiping and repartitioning of $DEVICE" + else + echo -e -n "Warning: Please disconnect all external drives before proceeding.\n\nHit Enter to continue?" + read -r -p " [Y/n] " response + #transform response to uppercase with bash parameter expansion + response=${response^^} + #continue if response different then uppercase N + if [[ $response =~ ^(N)$ ]]; then + die "User cancelled wiping and repartitioning of $DEVICE" + fi + fi + + #enable usb + enable_usb + #enable usb storage + enable_usb_storage + + #list all usb storage devices + list_usb_storage disks > /tmp/devices.txt + if [ $(cat /tmp/devices.txt | wc -l) -gt 0 ]; then + file_selector "/tmp/devices.txt" "Select device to partition" + if [ "$FILE" == "" ]; then + die "Error: No device selected" + else + DEVICE=$FILE + fi + else + die "Error: No device found" + fi + fi + + #Check if device is a block device + if [ ! 
-b $DEVICE ]; then + die "Error: $DEVICE is not a block device" + fi + + if [ -z "$PERCENTAGE" ]; then + #If no percentage was provided, ask user to select percentage of device to use for LUKS container + select_luks_container_size_percent + PERCENTAGE=$(cat /tmp/luks_container_size_percent) + fi + + + #Get disk size in bytes from fdisk + DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")" + #Convert disk size to MB + DISK_SIZE_MB=$((DISK_SIZE_BYTES/1024/1024)) + #Get size in bytes from percentage and apply percentage to DISK_SIZE_MB + PERCENTAGE_MB="$((DISK_SIZE_MB*PERCENTAGE/100))" + + #Console and whiptail $BG_COLOR_WARNING prompt (Y/n) validate one last time wiping and repartitioning of $device of total size $DISK_SIZE_MB with $PERCENTAGE_MB assigned to LUKS encrypted private partition + if [ -x /bin/whiptail ]; then + whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE of $DISK_SIZE_MB MB" --yesno \ + "WARNING: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?" 0 80 \ + || die "User cancelled wiping and repartitioning of $DEVICE" + else + echo -e -n "Warning: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?" + read -r -p " [Y/n] " response + #transform response to uppercase with bash parameter expansion + response=${response^^} + #continue if response different then uppercase N + if [[ $response =~ ^(N)$ ]]; then + die "User cancelled wiping and repartitioning of $DEVICE" + fi + fi + + echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container and rest of disk with exfat\ + \n for public partition (This may take a while)..." 
| fold -s + DEBUG "Creating empty DOS partition table on device through fdisk to start clean" + echo -e "o\nw\n" | fdisk $DEVICE > /dev/null 2>&1 || die "Error creating partition table" + DEBUG "partition device with two partitions: first one being the percent applied and rest for second partition through fdisk" + echo -e "n\np\n1\n\n+"$PERCENTAGE_MB"M\nn\np\n2\n\n\nw\n" | fdisk $DEVICE > /dev/null 2>&1 || die "Error partitioning device" + DEBUG "cryptsetup luksFormat first partition with LUKS container aes-xts-plain64 cipher with sha256 hash and 512 bit key" + DEBUG "Creating ${PERCENTAGE_MB}MB LUKS container on ${DEVICE}1..." + DO_WITH_DEBUG cryptsetup --batch-mode -c aes-xts-plain64 -h sha256 -s 512 -y luksFormat ${DEVICE}1 \ + --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \ + || die "Error formatting LUKS container" + DEBUG "Opening LUKS device and mapping under /dev/mapper/private..." + DO_WITH_DEBUG cryptsetup open ${DEVICE}1 private --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \ + || die "Error opening LUKS container" + DEBUG "Formatting LUKS container mapped under /dev/mapper/private as an ext4 partition..." + mke2fs -t ext4 -L private /dev/mapper/private > /dev/null 2>&1 || die "Error formatting LUKS container's ext4 filesystem" + DEBUG "Closing LUKS device /dev/mapper/private..." + cryptsetup close private > /dev/null 2>&1 || die "Error closing LUKS container" + DEBUG "Formatting second partition ${DEVICE}2 with exfat filesystem..." + mkfs.exfat -L public ${DEVICE}2 > /dev/null 2>&1 || die "Error formatting second partition with exfat filesystem" + echo "Done." 
+} + select_luks_container() { + TRACE "Under /etc/luks-functions:select_luks_container()" if [ -s /boot/kexec_key_devices.txt ]; then + DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt" + DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)" LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) else - #generate a list of devices to choose from that contain a LUKS header - lvm vgscan||true - blkid | cut -d ':' -f 1 | while read device;do cryptsetup isLuks $device;if [ $(echo $?) == 0 ]; then echo $device;fi; done | sort > /tmp/luks_devices.txt - if [ $(cat /tmp/luks_devices.txt | wc -l) -gt 0 ]; then + list_luks_devices > /tmp/luks_devices.txt + #if /tmp/luks_devices.txt exists and is not empty + if [ -s /tmp/luks_devices.txt ]; then file_selector "/tmp/luks_devices.txt" "Select LUKS container device" if [ "$FILE" == "" ]; then return 1 @@ -25,6 +246,7 @@ select_luks_container() mount -o remount,ro /boot fi else + warn "No encrypted device found." return 1 fi @@ -33,6 +255,7 @@ select_luks_container() test_luks_current_disk_recovery_key_passphrase() { + TRACE "Under /etc/luks-functions:test_luks_current_disk_recovery_key_passphrase()" while : ; do select_luks_container || return 1 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then 
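Review bot: `PERCENTAGE` flows from `--percentage` straight into `$((DISK_SIZE_MB*PERCENTAGE/100))` without any check that it is an integer in range; bash evaluates the contents of `$(( ))` as an expression rather than rejecting non-numeric input, and a value of `0` or above `100` yields a nonsensical first-partition size that is only discovered after the user has already confirmed the wipe. Validate right after the option loop: `[[ "$PERCENTAGE" =~ ^[0-9]+$ ]] && [ "$PERCENTAGE" -ge 1 ] && [ "$PERCENTAGE" -le 99 ] || die "Error: --percentage must be an integer between 1 and 99"`; note the later `if [ -z "$PERCENTAGE" ]` prompt can never trigger because the default is `"10"`. `cryptsetup luksFormat ${DEVICE}1` runs immediately after the `fdisk` that wrote the table, with nothing forcing the kernel to re-read it, so a `partprobe "$DEVICE"` (the busybox config in this patch shows `CONFIG_PARTPROBE=y`) before the format avoids a race where `${DEVICE}1` does not exist yet; `${DEVICE}1` also assumes `sdX`-style naming, which holds for what `list_usb_storage` returns but not for an arbitrary `--device`. Smaller: the console prompt in `select_luks_container_size_percent` says `[1-3]` while offering four choices, and `-y` on `luksFormat` has no effect when the key is read from `--key-file`.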
@@ -41,14 +264,14 @@ test_luks_current_disk_recovery_key_passphrase() read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." - cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase + cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..." - cryptsetup luksOpen $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase + cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi #Validate past cryptsetup-reencrypt attempts - if [ $(echo $?) -ne 0 ]; then + if [ $? -eq 0 ]; then whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ "If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null @@ -65,7 +288,7 @@ test_luks_current_disk_recovery_key_passphrase() #Exporting successfully used passphrase possibly reused by oem-factory-reset #We close the volume - cryptsetup luksClose test + cryptsetup close test export luks_current_Disk_Recovery_Key_passphrase break; fi @@ -73,6 +296,7 @@ test_luks_current_disk_recovery_key_passphrase() } luks_reencrypt(){ +TRACE "Under /etc/luks-functions:luks_reencrypt()" while : ; do select_luks_container || return 1 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then 
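Review bot: The rewritten condition `if [ $? -eq 0 ]; then` (replacing `if [ $(echo $?) -ne 0 ]`) reads as inverted: after the `fi`, `$?` is the status of the last command executed in the if/else, i.e. the `cryptsetup open $LUKS test --key-file ...` call, so a successful open now lands in the "Invalid Actual LUKS Disk Recovery Key passphrase?" branch, which shreds the key file while leaving the `test` mapping open, and a failed open falls through to the `cryptsetup close test` / export branch that follows this hunk. Unless the inversion is deliberate (nothing in the commit message says so), restore the original sense with `if [ $? -ne 0 ]; then`, or test the command directly, e.g. `if ! cryptsetup open "$LUKS" test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then`, so the status cannot be displaced by a later command. Writing the passphrase to a plaintext file under /tmp and the unquoted `$LUKS` are pre-existing and not introduced here. The enclosing function starts and ends outside this hunk.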
@@ -113,6 +337,7 @@ done luks_change_passphrase() { + TRACE "Under /etc/luks-functions:luks_change_passphrase()" while : ; do select_luks_container || return 1 #if actual or new Disk Recovery Key is not provisioned by oem-provisioning file diff --git a/initrd/etc/mke2fs.conf b/initrd/etc/mke2fs.conf new file mode 100644 index 000000000..b7fc95df7 --- /dev/null +++ b/initrd/etc/mke2fs.conf @@ -0,0 +1,45 @@ +[defaults] + base_features = sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr + default_mntopts = acl,user_xattr + enable_periodic_fsck = 0 + blocksize = 4096 + inode_size = 256 + inode_ratio = 16384 + +[fs_types] + ext3 = { + features = has_journal + } + ext4 = { + features = has_journal,extent,huge_file,flex_bg,metadata_csum,metadata_csum_seed,64bit,dir_nlink,extra_isize,orphan_file + } + small = { + blocksize = 1024 + inode_ratio = 4096 + } + floppy = { + blocksize = 1024 + inode_ratio = 8192 + } + big = { + inode_ratio = 32768 + } + huge = { + inode_ratio = 65536 + } + news = { + inode_ratio = 4096 + } + largefile = { + inode_ratio = 1048576 + blocksize = -1 + } + largefile4 = { + inode_ratio = 4194304 + blocksize = -1 + } + hurd = { + blocksize = 4096 + inode_size = 128 + warn_y2038_dates = 0 + } diff --git a/modules/busybox b/modules/busybox index 03ec0a41d..83cb7ee2a 100644 --- a/modules/busybox +++ b/modules/busybox @@ -2,11 +2,11 @@ CONFIG_BUSYBOX ?= y modules-$(CONFIG_BUSYBOX) += busybox -busybox_version := 1.33.2 +busybox_version := 1.36.1 busybox_dir := busybox-$(busybox_version) busybox_tar := busybox-$(busybox_version).tar.bz2 busybox_url := https://busybox.net/downloads/$(busybox_tar) -busybox_hash := 6843ba7977081e735fa0fdb05893e3c002c8c5ad7c9c80da206e603cc0ac47e7 +busybox_hash := b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 busybox_configure := $(MAKE) CC="$(heads_cc)" oldconfig busybox_config := config/busybox.config 
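Review bot: The new initrd/etc/mke2fs.conf says nothing about where it comes from; it appears to be the stock e2fsprogs 1.47 default (the `ext4` feature line with `metadata_csum_seed`, `64bit` and `orphan_file` matches that release), and a header line would let the next person diff it against upstream when e2fsprogs_version is bumped, e.g. `# Copied from e2fsprogs 1.47.0 misc/mke2fs.conf.in; keep in sync with modules/e2fsprogs`. Because this file fixes the feature set of the ext4 volume that `mke2fs -t ext4 -L private /dev/mapper/private` creates inside the LUKS container, it is also worth stating which kernels are expected to mount that volume: `orphan_file` and `metadata_csum_seed` are newer than the rest of the list, and I cannot see from this patch which Heads runtime kernel or target OS kernels are in play, so please confirm they accept these features before relying on the defaults.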
diff --git a/modules/e2fsprogs b/modules/e2fsprogs
new file mode 100644
index 000000000..383e98b49
--- /dev/null
+++ b/modules/e2fsprogs
@@ -0,0 +1,34 @@
+#Module is included unless defined in board to "n"
+CONFIG_E2FSPROGS ?= y
+modules-$(CONFIG_E2FSPROGS) += e2fsprogs
+
+e2fsprogs_version := 1.47.0
+e2fsprogs_dir := e2fsprogs-$(e2fsprogs_version)
+e2fsprogs_tar := e2fsprogs-$(e2fsprogs_version).tar.xz
+e2fsprogs_url := https://mirrors.edge.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v$(e2fsprogs_version)/$(e2fsprogs_tar)
+e2fsprogs_hash := 144af53f2bbd921cef6f8bea88bb9faddca865da3fbc657cc9b4d2001097d5db
+
+# For reproducibility reasons we have to override the exec_prefix
+# and datarootdir on the configure line so that the Makefiles will
+# be generated with the correct paths, but then re-write them when
+# we use the install target so that they will be copied to the correct
+# location.
+e2fsprogs_configure := \
+ $(CROSS_TOOLS) \
+ CFLAGS="-Os" \
+ ./configure \
+ --host $(MUSL_ARCH)-linux-musl \
+ --prefix "" \
+ --libexecdir "/bin" \
+
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+e2fsprogs_target := $(MAKE_JOBS) \
+ && $(MAKE) -C $(build)/$(e2fsprogs_dir) \
+ DESTDIR="$(INSTALL)" \
+ install
+
+e2fsprogs_output := misc/mke2fs
+
+e2fsprogs_depends := $(musl_dep)
diff --git a/modules/exfatprogs b/modules/exfatprogs
new file mode 100644
index 000000000..f8b5ae993
--- /dev/null
+++ b/modules/exfatprogs
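Review bot: The two comment blocks in modules/e2fsprogs describe a recipe that is not the one below them: nothing on the `./configure` line overrides exec_prefix or datarootdir (only `--prefix ""` and `--libexecdir "/bin"` are passed), and `e2fsprogs_target` is a plain build followed by `$(MAKE) ... DESTDIR="$(INSTALL)" install`, so the "override ... then re-write them" explanation looks copied from another module and will mislead whoever next tunes the install paths. Replace them with what the recipe does, e.g. `# Configure with an empty prefix so the binaries land in /bin of the initrd` and `# Build, then install into the initrd staging tree via DESTDIR=$(INSTALL)`. The `--libexecdir "/bin" \` line ends in a backslash that continues onto the following blank line; it is harmless but sloppy, so drop that trailing backslash. Also note that `install` ships the whole e2fsprogs suite into the measured initrd while `e2fsprogs_output` tracks only `misc/mke2fs`; if only mke2fs is wanted, say so in a comment or trim the install. Fetching over https from kernel.org with a pinned sha256 is the right shape for supply-chain pinning.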
@@ -0,0 +1,34 @@
+#Module is included unless defined in board to "n"
+CONFIG_EXFATPROGS ?= y
+modules-$(CONFIG_EXFATPROGS) += exfatprogs
+
+exfatprogs_version := 1.2.1
+exfatprogs_dir := exfatprogs-$(exfatprogs_version)
+exfatprogs_tar := exfatprogs-$(exfatprogs_version).tar.xz
+exfatprogs_url := https://github.com/exfatprogs/exfatprogs/releases/download/$(exfatprogs_version)/$(exfatprogs_tar)
+exfatprogs_hash := a6f3b1fb4bd37835c8f8cb421aac4eb75b880a51342b29850c4063973162227b
+
+# For reproducibility reasons we have to override the exec_prefix
+# and datarootdir on the configure line so that the Makefiles will
+# be generated with the correct paths, but then re-write them when
+# we use the install target so that they will be copied to the correct
+# location.
+exfatprogs_configure := \
+ $(CROSS_TOOLS) \
+ CFLAGS="-Os" \
+ ./configure \
+ --host $(MUSL_ARCH)-linux-musl \
+ --prefix "" \
+ --libexecdir "/bin" \
+
+# Run one build to generate the executables with the pre-defined
+# exec_prefix and datarootdir, then a second make to install the binaries
+# into our actual target location
+exfatprogs_target := $(MAKE_JOBS) \
+ && $(MAKE) -C $(build)/$(exfatprogs_dir) \
+ DESTDIR="$(INSTALL)" \
+ install
+
+exfatprogs_output := fsck/fsck.exfat mkfs/mkfs.exfat
+
+exfatprogs_depends := $(musl_dep)
diff --git a/patches/busybox-1.33.2.patch b/patches/busybox-1.36.1.patch
similarity index 100%
rename from patches/busybox-1.33.2.patch
rename to patches/busybox-1.36.1.patch
From 106a9bf5430653da19ad7547595905994670125a Mon Sep 17 00:00:00 2001
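Review bot: Same comment/recipe mismatch as in modules/e2fsprogs: the header claims exec_prefix and datarootdir are overridden on the configure line and re-written at install time, but the configure call passes only `--prefix ""` and `--libexecdir "/bin"`, and the target is a build followed by `$(MAKE) ... DESTDIR="$(INSTALL)" install`; reword to `# Configure with an empty prefix so the binaries land in /bin of the initrd` and `# Build, then install into the initrd staging tree via DESTDIR=$(INSTALL)`. The `--libexecdir "/bin" \` line again carries a trailing backslash into the following blank line; drop it. `exfatprogs_output` lists only `fsck/fsck.exfat mkfs/mkfs.exfat` while `install` puts every exfatprogs tool into the initrd, so either document that the extra tools are accepted in the measured image or restrict the install. The GitHub release tarball is fetched over https and pinned by sha256, which is fine.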
From: Thierry Laurion Date: Mon, 28 Aug 2023 13:52:08 -0400 Subject: [PATCH 2/3] qemu boards: change default creation size of USB_FD_IMG from 128MB to 256MB Otherwise 10% of 128mb (12mb) is not enough to create a LUKS container --- .../qemu-coreboot-fbwhiptail-tpm1-hotp.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm1.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm2-hotp.config | 2 +- .../qemu-coreboot-fbwhiptail-tpm2.config | 2 +- .../qemu-coreboot-whiptail-tpm1-hotp.config | 2 +- .../qemu-coreboot-whiptail-tpm1.config | 2 +- .../qemu-coreboot-whiptail-tpm2-hotp.config | 2 +- .../qemu-coreboot-whiptail-tpm2.config | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config index c4a759cd1..72bb9b63a 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config @@ -98,7 +98,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config index 22ffabc89..6ec8c10db 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config 
@@ -96,7 +96,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config index 97295c3ee..4e7da9574 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config @@ -104,7 +104,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config index 0bac0d7f9..eafc14224 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config 
@@ -103,7 +103,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ diff --git a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config index 831afbf6f..0bf1326d3 100644 --- a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config @@ -98,7 +98,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config index c39103ab5..99699d8ce 100644 --- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config +++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config @@ -96,7 +96,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ 
diff --git a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config index 8e10c6166..8729d5a50 100644 --- a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config @@ -104,7 +104,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ diff --git a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config index 32835ced6..95578b03c 100644 --- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config +++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config @@ -103,7 +103,7 @@ $(MEMORY_SIZE_FILE): @echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)" USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw $(USB_FD_IMG): - dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=128 + dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 # Debian obnoxiously does not include /usr/sbin in PATH for non-root, even # though it is meaningful to use mkfs.vfat (etc.) as non-root MKFS_VFAT=mkfs.vfat; \ From d5aa0c874e1b9306cb8a119474d9222bf0010840 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Mon, 28 Aug 2023 13:53:03 -0400 Subject: [PATCH 3/3] boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md was invalid symlink --- .../qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md index 42112c58c..e35b1088e 120000 --- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md +++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md @@ -1 +1 @@ -boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md \ No newline at end of file +../qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.md \ No newline at end of file