diff --git a/basic.sh b/basic.sh
index aee0a6f..4e29601 100644
--- a/basic.sh
+++ b/basic.sh
@@ -3,10 +3,8 @@
 # Uninstall unnecessary packages
 apt-get purge bsdmainutils dictionaries-common emacsen-common gnupg gnupg-agent iamerican ibritish ienglish-common installation-report ispell laptop-detect libsqlite3-0 libssl1.1 nano os-prober pinentry-curses task-english tasksel tasksel-data wamerican
 
-# Install basic services and dependencies
-apt-get --no-install-recommends install openssh-server plymouth
-
-# Copy authorized_keys
+# Install OpenSSH server
+apt-get --no-install-recommends install openssh-server
 cp basic/root/.ssh/authorized_keys /root/.ssh/authorized_keys
 
 # Rename encrypted partition
@@ -14,7 +12,12 @@ sed -i 's/sda2_crypt/system/' /etc/crypttab
 dmsetup rename sda2_crypt system
 update-initramfs -u
 
-# Set grub options
+# Hide warnings during boot
+cp basic/usr/share/initramfs-tools/scripts/local-top/lvm2 /usr/share/initramfs-tools/scripts/local-top/lvm2
+cp basic/usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
+update-initramfs -u
+
+# Set GRUB options
 cp basic/etc/default/grub /etc/default/grub
 update-grub
 
diff --git a/basic/etc/default/grub b/basic/etc/default/grub
index 8dd7a92..d748b3d 100644
--- a/basic/etc/default/grub
+++ b/basic/etc/default/grub
@@ -8,7 +8,7 @@ GRUB_TIMEOUT=0
 GRUB_RECORDFAIL_TIMEOUT=0
 GRUB_FORCE_HIDDEN_MENU="true"
 GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
-GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
+GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=0"
 GRUB_CMDLINE_LINUX=""
 
 # Uncomment to enable BadRAM filtering, modify to suit your needs
diff --git a/basic/usr/share/initramfs-tools/local-top/cryptroot b/basic/usr/share/initramfs-tools/local-top/cryptroot
new file mode 100644
index 0000000..6eae4f0
--- /dev/null
+++ b/basic/usr/share/initramfs-tools/local-top/cryptroot
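Review bot: The added `apt-get --no-install-recommends install openssh-server` line runs without `-y` and without a status check, so when it needs to pull in dependencies it will prompt for confirmation (and abort when stdin is not a terminal), and either way the `cp` of authorized_keys on the next context line runs whether or not sshd was actually installed. `apt-get -y --no-install-recommends install openssh-server || exit 1` makes the step unattended and stops the script on failure; a `set -e` at the top of basic.sh, which is outside this hunk, would cover the other unchecked steps too. The purge line above it is context and has the same shape, so I have not re-raised it here.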
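Review bot: The two added `cp` lines in the second hunk read from `basic/usr/share/initramfs-tools/scripts/local-top/{lvm2,cryptroot}`, but the files this commit adds live at `basic/usr/share/initramfs-tools/local-top/` without the `scripts/` segment, so both copies will fail with "No such file" and the `update-initramfs -u` that follows rebuilds the initramfs with the stock hooks; nothing in basic.sh checks the `cp` status, so the miss is silent. Either move the two new files under `basic/usr/share/initramfs-tools/scripts/local-top/` or change the source paths in the `cp` lines to match, and add `|| exit 1` to each `cp`. Separately, the destination `/usr/share/initramfs-tools/scripts/local-top/` is installed by the packages that ship these hooks and is not a conffile location, so a package upgrade will overwrite the local copies without a prompt and the "hide warnings" change quietly disappears; as far as I recall, a same-named hook placed in `/etc/initramfs-tools/scripts/local-top/` takes precedence and survives upgrades — confirm against the initramfs-tools version in use.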
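Review bot: `loglevel=0` on the new `GRUB_CMDLINE_LINUX_DEFAULT` line silences every kernel console message, not only warnings: as far as I can tell `quiet` already keeps KERN_WARNING and below off the console, so the extra `loglevel=0` additionally hides error, critical and emergency output, including the text of a panic. With `GRUB_FORCE_HIDDEN_MENU="true"` in the context above, an unattended boot failure then leaves nothing on the console to diagnose from. If the goal is only to drop warnings, `GRUB_CMDLINE_LINUX_DEFAULT="quiet"` already does that; the messages stay in the kernel ring buffer either way, so `dmesg` still shows them on a system that does come up.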
@@ -0,0 +1,425 @@
+#!/bin/sh
+
+PREREQ="cryptroot-prepare"
+
+#
+# Standard initramfs preamble
+#
+prereqs()
+{
+ # Make sure that cryptroot is run last in local-top
+ for req in $(dirname $0)/*; do
+ script=${req##*/}
+ if [ $script != cryptroot ]; then
+ echo $script
+ fi
+ done
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+# source for log_*_msg() functions, see LP: #272301
+. /scripts/functions
+
+#
+# Helper functions
+#
+message()
+{
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ plymouth message --text="$@"
+ else
+ echo "$@" >&2
+ fi
+ return 0
+}
+
+udev_settle()
+{
+ # Wait for udev to be ready, see https://launchpad.net/bugs/85640
+ if command -v udevadm >/dev/null 2>&1; then
+ udevadm settle --timeout=30
+ elif command -v udevsettle >/dev/null 2>&1; then
+ udevsettle --timeout=30
+ fi
+ return 0
+}
+
+parse_options()
+{
+ local cryptopts
+ cryptopts="$1"
+
+ if [ -z "$cryptopts" ]; then
+ return 1
+ fi
+
+ # Defaults
+ cryptcipher=aes-cbc-essiv:sha256
+ cryptsize=256
+ crypthash=ripemd160
+ crypttarget=cryptroot
+ cryptsource=""
+ cryptheader=""
+ cryptlvm=""
+ cryptkeyscript=""
+ cryptkey="" # This is only used as an argument to an eventual keyscript
+ cryptkeyslot=""
+ crypttries=3
+ crypttcrypt=""
+ cryptveracrypt=""
+ cryptrootdev=""
+ cryptdiscard=""
+ CRYPTTAB_OPTIONS=""
+
+ local IFS=" ,"
+ for x in $cryptopts; do
+ case $x in
+ hash=*)
+ crypthash=${x#hash=}
+ ;;
+ size=*)
+ cryptsize=${x#size=}
+ ;;
+ cipher=*)
+ cryptcipher=${x#cipher=}
+ ;;
+ target=*)
+ crypttarget=${x#target=}
+ export CRYPTTAB_NAME="$crypttarget"
+ ;;
+ source=*)
+ cryptsource=${x#source=}
+ if [ ${cryptsource#UUID=} != $cryptsource ]; then
+ cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
+ elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
+ cryptsource="/dev/disk/by-label/$(printf '%s' "${cryptsource#LABEL=}" | sed 's,/,\\x2f,g')"
+ fi
+ export CRYPTTAB_SOURCE="$cryptsource"
+ ;;
+ header=*)
+ cryptheader=${x#header=}
+ if [ ! -e "$cryptheader" ] && [ -e "/conf/conf.d/cryptheader/$cryptheader" ]; then
+ cryptheader="/conf/conf.d/cryptheader/$cryptheader"
+ fi
+ export CRYPTTAB_HEADER="$cryptheader"
+ ;;
+ lvm=*)
+ cryptlvm=${x#lvm=}
+ ;;
+ keyscript=*)
+ cryptkeyscript=${x#keyscript=}
+ ;;
+ key=*)
+ if [ "${x#key=}" != "none" ]; then
+ cryptkey=${x#key=}
+ fi
+ export CRYPTTAB_KEY="$cryptkey"
+ ;;
+ keyslot=*)
+ cryptkeyslot=${x#keyslot=}
+ ;;
+ tries=*)
+ crypttries="${x#tries=}"
+ case "$crypttries" in
+ *[![:digit:].]*)
+ crypttries=3
+ ;;
+ esac
+ ;;
+ tcrypt)
+ crypttcrypt="yes"
+ ;;
+ veracrypt)
+ cryptveracrypt="--veracrypt"
+ ;;
+ rootdev)
+ cryptrootdev="yes"
+ ;;
+ discard)
+ cryptdiscard="yes"
+ ;;
+ esac
+ PARAM="${x%=*}"
+ if [ "$PARAM" = "$x" ]; then
+ VALUE="yes"
+ else
+ VALUE="${x#*=}"
+ fi
+ CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
+ eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
+ done
+ export CRYPTTAB_OPTIONS
+
+ if [ -z "$cryptsource" ]; then
+ message "cryptsetup ($crypttarget): source parameter missing"
+ return 1
+ fi
+ return 0
+}
+
+activate_vg()
+{
+ # Sanity checks
+ if [ ! -x /sbin/lvm ]; then
+ message "cryptsetup ($crypttarget): lvm is not available"
+ return 1
+ fi
+
+ # Detect and activate available volume groups
+ /sbin/lvm vgscan >/dev/null 2>&1
+ /sbin/lvm vgchange -a y --sysinit >/dev/null 2>&1
+ return $?
+}
+
+setup_mapping()
+{
+ local opts count cryptopen cryptremove NEWROOT
+ opts="$1"
+
+ if [ -z "$opts" ]; then
+ return 0
+ fi
+
+ parse_options "$opts" || return 1
+
+ if [ -z "$cryptkeyscript" ]; then
+ if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then
+ # UUIDs are not very helpful
+ diskname="$crypttarget"
+ else
+ diskname="$cryptsource ($crypttarget)"
+ fi
+ cryptkeyscript="/lib/cryptsetup/askpass"
+ cryptkey="Please unlock disk $diskname: "
+ elif ! type "$cryptkeyscript" >/dev/null; then
+ message "cryptsetup ($crypttarget): error - script \"$cryptkeyscript\" missing"
+ return 1
+ fi
+
+ if [ "$cryptkeyscript" = "cat" ] && [ "${cryptkey#/root/}" != "$cryptkey" ]; then
+ # skip the mapping if the root FS is not mounted yet
+ sed -rn 's/^\s*[^#]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq "$rootmnt" || return 1
+ # substitute the "/root" prefix by the real root FS mountpoint otherwise
+ cryptkey="${rootmnt}/${cryptkey#/root/}"
+ fi
+
+ if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then
+ message "cryptsetup ($crypttarget): error - LUKS header \"$cryptheader\" missing"
+ return 1
+ fi
+
+ # The same target can be specified multiple times
+ # e.g. root and resume lvs-on-lvm-on-crypto
+ if [ -e "/dev/mapper/$crypttarget" ]; then
+ return 0
+ fi
+
+ modprobe -q dm_crypt
+
+ # Make sure the cryptsource device is available
+ if [ ! -e $cryptsource ]; then
+ activate_vg
+ fi
+
+ # If the encrypted source device hasn't shown up yet, give it a
+ # little while to deal with removable devices
+
+ # the following lines below have been taken from
+ # /usr/share/initramfs-tools/scripts/local, as suggested per
+ # https://launchpad.net/bugs/164044
+ if [ ! -e "$cryptsource" ]; then
+ log_begin_msg "Waiting for encrypted source device..."
+
+ # Default delay is 180s
+ if [ -z "${ROOTDELAY}" ]; then
+ slumber=180
+ else
+ slumber=${ROOTDELAY}
+ fi
+
+ slumber=$(( ${slumber} * 10 ))
+ while [ ! -e "$cryptsource" ]; do
+ # retry for LVM devices every 10 seconds
+ if [ ${slumber} -eq $(( ${slumber}/100*100 )) ]; then
+ activate_vg
+ fi
+
+ /bin/sleep 0.1
+ slumber=$(( ${slumber} - 1 ))
+ [ ${slumber} -gt 0 ] || break
+ done
+
+ if [ ${slumber} -gt 0 ]; then
+ log_end_msg 0
+ else
+ log_end_msg 1 || true
+ fi
+ fi
+ udev_settle
+
+ # We've given up, but we'll let the user fix matters if they can
+ if [ ! -e "${cryptsource}" ]; then
+
+ echo " ALERT! ${cryptsource} does not exist."
+ echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
+ echo " or missing modules, devices: cat /proc/modules; ls /dev"
+ panic -r "Dropping to a shell. Will skip ${cryptsource} if you can't fix."
+ fi
+
+ if [ ! -e "${cryptsource}" ]; then
+ return 1
+ fi
+
+
+ # Prepare commands
+ cryptopen="/sbin/cryptsetup -T 1"
+ if [ "$cryptdiscard" = "yes" ]; then
+ cryptopen="$cryptopen --allow-discards"
+ fi
+ if [ -n "$cryptheader" ]; then
+ cryptopen="$cryptopen --header=$cryptheader"
+ fi
+ if [ -n "$cryptkeyslot" ]; then
+ cryptopen="$cryptopen --key-slot=$cryptkeyslot"
+ fi
+ if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
+ cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
+ elif [ "$crypttcrypt" = "yes" ]; then
+ cryptopen="$cryptopen open --type tcrypt $cryptveracrypt $cryptsource $crypttarget"
+ else
+ cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-"
+ fi
+ cryptremove="/sbin/cryptsetup remove $crypttarget"
+ NEWROOT="/dev/mapper/$crypttarget"
+
+ # Try to get a satisfactory password $crypttries times
+ count=0
+ while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
+ export CRYPTTAB_TRIED="$count"
+ count=$(( $count + 1 ))
+
+ if [ ! -e "$NEWROOT" ]; then
+ if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
+ $cryptkeyscript "$cryptkey" | $cryptopen; then
+ message "cryptsetup ($crypttarget): cryptsetup failed, bad password or options?"
+ continue
+ fi
+ fi
+
+ if [ ! -e "$NEWROOT" ]; then
+ message "cryptsetup ($crypttarget): unknown error setting up device mapping"
+ return 1
+ fi
+
+ #FSTYPE=''
+ #eval $(fstype < "$NEWROOT")
+ FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
+
+ # See if we need to setup lvm on the crypto device
+ #if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
+ if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then
+ if [ -z "$cryptlvm" ]; then
+ message "cryptsetup ($crypttarget): lvm fs found but no lvm configured"
+ return 1
+ elif ! activate_vg; then
+ # disable error message, LP: #151532
+ #message "cryptsetup ($crypttarget): failed to setup lvm device"
+ return 1
+ fi
+
+ # Apparently ROOT is already set in /conf/param.conf for
+ # flashed kernels at least. See bugreport #759720.
+ if [ -f /conf/param.conf ] && grep -q "^ROOT=" /conf/param.conf; then
+ NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf)
+ else
+ NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
+ if [ "$cryptrootdev" = "yes" ]; then
+ # required for lilo to find the root device
+ echo "ROOT=$NEWROOT" >>/conf/param.conf
+ fi
+ fi
+ #eval $(fstype < "$NEWROOT")
+ FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
+ fi
+
+ #if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
+ if [ -z "$FSTYPE" ]; then
+ message "cryptsetup ($crypttarget): unknown fstype, bad password or options?"
+ udev_settle
+ $cryptremove
+ continue
+ fi
+
+ # decrease $count by 1, apparently last try was successful.
+ count=$(( $count - 1 ))
+
+ message "cryptsetup ($crypttarget): set up successfully"
+ break
+ done
+
+ failsleep=60 # make configurable later?
+
+ if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then
+ message "cryptsetup ($crypttarget): maximum number of tries exceeded"
+ message "cryptsetup: going to sleep for $failsleep seconds..."
+ sleep $failsleep
+ exit 1
+ fi
+
+ udev_settle
+ return 0
+}
+
+#
+# Begin real processing
+#
+
+# Do we have any kernel boot arguments?
+cmdline_cryptopts=''
+unset cmdline_root
+for opt in $(cat /proc/cmdline); do
+ case $opt in
+ cryptopts=*)
+ opt="${opt#cryptopts=}"
+ if [ -n "$opt" ]; then
+ if [ -n "$cmdline_cryptopts" ]; then
+ cmdline_cryptopts="$cmdline_cryptopts $opt"
+ else
+ cmdline_cryptopts="$opt"
+ fi
+ fi
+ ;;
+ root=*)
+ opt="${opt#root=}"
+ case $opt in
+ /*) # Absolute path given. Not lilo major/minor number.
+ cmdline_root=$opt
+ ;;
+ *) # lilo major/minor number (See #398957). Ignore
+ esac
+ ;;
+ esac
+done
+
+if [ -n "$cmdline_cryptopts" ]; then
+ # Call setup_mapping separately for each possible cryptopts= setting
+ for cryptopt in $cmdline_cryptopts; do
+ setup_mapping "$cryptopt"
+ done
+ exit 0
+fi
+
+# Do we have any settings from the /conf/conf.d/cryptroot file?
+if [ -r /conf/conf.d/cryptroot ]; then
+ while read mapping <&3; do
+ setup_mapping "$mapping" 3<&-
+ done 3< /conf/conf.d/cryptroot
+fi
+
+exit 0
diff --git a/basic/usr/share/initramfs-tools/local-top/lvm2 b/basic/usr/share/initramfs-tools/local-top/lvm2
new file mode 100644
index 0000000..33fa987
--- /dev/null
+++ b/basic/usr/share/initramfs-tools/local-top/lvm2
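Review bot: This 425-line file is a copy of the distribution's cryptroot local-top hook with local edits, but nothing in it records which cryptsetup version it was taken from or which lines differ, so the next person cannot re-apply the edits after the package updates the original, nor tell a local change from inherited upstream behaviour. A header comment below the `PREREQ="cryptroot-prepare"` line such as `# Local copy of /usr/share/initramfs-tools/scripts/local-top/cryptroot from cryptsetup <VERSION>; local changes: <LIST>` would close that gap. This hook is also the code path that feeds the disk passphrase to cryptsetup (`$cryptkeyscript "$cryptkey" | $cryptopen` in setup_mapping), so pinning a private copy means fixes the package ships for that path no longer arrive automatically; that cost is worth stating next to the boot-message reason for the copy.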
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+PREREQ="mdadm mdrun multipath"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+if [ ! -e /sbin/lvm ]; then
+ exit 0
+fi
+
+lvchange_activate() {
+ lvm lvchange -aay -y --sysinit --ignoreskippedcluster "$@" >/dev/null 2>&1
+}
+
+activate() {
+ local dev="$1"
+
+ # Make sure that we have a non-empty argument
+ if [ -z "$dev" ]; then
+ return 1
+ fi
+
+ case "$dev" in
+ # Take care of lilo boot arg, risky activating of all vg
+ fe[0-9]*)
+ lvchange_activate
+ exit 0
+ ;;
+ # FIXME: check major
+ /dev/root)
+ lvchange_activate
+ exit 0
+ ;;
+
+ /dev/mapper/*)
+ eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
+ if [ "$DM_VG_NAME" ] && [ "$DM_LV_NAME" ]; then
+ lvchange_activate "$DM_VG_NAME/$DM_LV_NAME"
+ fi
+ ;;
+
+ /dev/*/*)
+ # Could be /dev/VG/LV; use lvs to check
+ if lvm lvs -- "$dev" >/dev/null 2>&1; then
+ lvchange_activate "$dev"
+ fi
+ ;;
+ esac
+}
+
+activate "$ROOT"
+activate "$resume"
+
+exit 0
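Review bot: `lvchange_activate` sends both stdout and stderr of `lvm lvchange` to /dev/null and none of its callers in `activate` look at the return status, so a failed activation of `$ROOT` now leaves no trace on the console and only shows up later as the generic root-device-not-found drop to the initramfs shell. Presumably the `>/dev/null 2>&1` is the local "hide warnings" change against the packaged lvm2 hook — confirm against the package version — but it hides failures along with the noise. Keeping the redirect while reporting only the failure case preserves the quiet boot: `lvchange_activate "$dev" || echo "lvm2: activation of $dev failed" >&2` at the two call sites in the `/dev/mapper/*` and `/dev/*/*` arms (the `fe[0-9]*` and `/dev/root` arms `exit 0` regardless and could do the same). A one-line comment above `lvchange_activate` stating that output is deliberately discarded would also stop a future reader from treating the redirect as accidental.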