From a56515855bccf067ad2c11cad94aac8bc95e3738 Mon Sep 17 00:00:00 2001
From: dacook
Date: Thu, 17 Dec 2009 08:53:08 -0700
Subject: [PATCH 01/14] GPG source

Add source tarball handling for GPG support.

---
 gen_funcs.sh | 2 +-
 genkernel.conf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/gen_funcs.sh b/gen_funcs.sh
index cfb9d6b..6af595e 100755
--- a/gen_funcs.sh
+++ b/gen_funcs.sh
@@ -498,7 +498,7 @@ set_config_with_override() {
 }
 check_distfiles() {
- for i in $BUSYBOX_SRCTAR $DEVICE_MAPPER_SRCTAR $MULTIPATH_SRCTAR $LVM_SRCTAR $DMRAID_SRCTAR $E2FSPROGS_SRCTAR $ISCSI_SRCTAR
+ for i in $BUSYBOX_SRCTAR $DEVICE_MAPPER_SRCTAR $MULTIPATH_SRCTAR $LVM_SRCTAR $DMRAID_SRCTAR $E2FSPROGS_SRCTAR $ISCSI_SRCTAR $GPG_SRCTAR
 do
 if [ ! -f "${i}" ]
 then
diff --git a/genkernel.conf b/genkernel.conf
index 66e22b4..e492936 100644
--- a/genkernel.conf
+++ b/genkernel.conf
@@ -190,3 +190,8 @@ UNIONFS_FUSE_VER="VERSION_UNIONFS_FUSE"
 UNIONFS_FUSE_DIR="unionfs-fuse-${UNIONFS_FUSE_VER}"
 UNIONFS_FUSE_SRCTAR="${DISTDIR}/unionfs-fuse-${UNIONFS_FUSE_VER}.tar.bz2"
 UNIONFS_FUSE_BINCACHE="%%CACHE%%/unionfs-fuse-${UNIONFS_FUSE_VER}-%%ARCH%%.bz2"
+
+GPG_VER="VERSION_GPG"
+GPG_DIR="gnupg-${GPG_VER}"
+GPG_SRCTAR="${DISTDIR}/gnupg-${GPG_VER}.tar.bz2"
+GPG_BINCACHE="%%CACHE%%/gnupg-${GPG_VER}-%%ARCH%%.bz2"

From 1f71a13b5bf9a8aed496329e40c17467824ea8b6 Mon Sep 17 00:00:00 2001
From: dacook
Date: Thu, 17 Dec 2009 08:56:17 -0700
Subject: [PATCH 02/14] GPG bincache

Add handling for a cached GPG binary

---
 gen_determineargs.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gen_determineargs.sh b/gen_determineargs.sh
index d911f07..d34e5bc 100755
--- a/gen_determineargs.sh
+++ b/gen_determineargs.sh
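Review bot: The added `$GPG_SRCTAR` follows the rest of the `for i in` list in being unquoted, so an unset or empty GPG_SRCTAR silently drops out of the loop (the tarball is then never checked here and the failure only surfaces later in compile_gpg) and a DISTDIR containing whitespace splits the path; `"${GPG_SRCTAR}"` keeps the entry in the list and lets the `[ ! -f "${i}" ]` test report the missing file by name. The `then` body is outside the hunk, so I cannot see whether it dies, but if it does this line makes the gnupg tarball mandatory for every run, including ones that never pass `--gpg`; gating the entry on the GPG setting would avoid that. Within this hunk presence is the only check, so nothing verifies the tarball's integrity before compile_gpg unpacks and builds it.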
@@ -110,6 +110,7 @@ determine_real_args() {
 set_config_with_override 2 REAL_ROOT CMD_REAL_ROOT
 set_config_with_override 1 DISKLABEL CMD_DISKLABEL
 set_config_with_override 1 LUKS CMD_LUKS
+ set_config_with_override 1 GPG CMD_GPG
 set_config_with_override 1 MDADM CMD_MDADM
 set_config_with_override 1 MULTIPATH CMD_MULTIPATH
 set_config_with_override 1 FIRMWARE CMD_FIRMWARE
@@ -133,6 +134,7 @@ determine_real_args() {
 BLKID_BINCACHE=`cache_replace "${BLKID_BINCACHE}"`
 FUSE_BINCACHE=`cache_replace "${FUSE_BINCACHE}"`
 UNIONFS_FUSE_BINCACHE=`cache_replace "${UNIONFS_FUSE_BINCACHE}"`
+ GPG_BINCACHE=`cache_replace "${GPG_BINCACHE}"`
 DEFAULT_KERNEL_CONFIG=`arch_replace "${DEFAULT_KERNEL_CONFIG}"`
 BUSYBOX_CONFIG=`arch_replace "${BUSYBOX_CONFIG}"`
@@ -144,6 +146,7 @@ determine_real_args() {
 BLKID_BINCACHE=`arch_replace "${BLKID_BINCACHE}"`
 FUSE_BINCACHE=`arch_replace "${FUSE_BINCACHE}"`
 UNIONFS_FUSE_BINCACHE=`arch_replace "${UNIONFS_FUSE_BINCACHE}"`
+ GPG_BINCACHE=`arch_replace "${GPG_BINCACHE}"`
 if [ -n "${CMD_BOOTLOADER}" ]
 then

From 8dc02807c36c3dec5caa682663f1afe8537d4385 Mon Sep 17 00:00:00 2001
From: dacook
Date: Thu, 17 Dec 2009 08:57:11 -0700
Subject: [PATCH 03/14] GPG compile

Configure and compile GPG binary for initrd use

---
 gen_compile.sh | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/gen_compile.sh b/gen_compile.sh
index e58c101..5dd218d 100755
--- a/gen_compile.sh
+++ b/gen_compile.sh
@@ -665,3 +665,44 @@ compile_iscsi() {
 fi
 }
+compile_gpg() {
+ if [ ! -f "${GPG_BINCACHE}" ]
+ then
+ [ ! -f "${GPG_SRCTAR}" ] &&
+ gen_die "Could not find gnupg source tarball: ${GPG_SRCTAR}. Please place it there, or place another version, changing /etc/genkernel.conf as necessary!"
+ cd "${TEMP}"
+ rm -rf "${GPG_DIR}"
+ tar -jxf "${GPG_SRCTAR}"
+ [ ! -d "${GPG_DIR}" ] &&
+ gen_die "gnupg directory ${GPG_DIR} invalid"
+ cd "${GPG_DIR}"
+ print_info 1 'gnupg: >> Configuring...'
+ # --enable-minimal works, but it doesn't reduce the command length much.
+ # Given its history and the precision this needs, explicit is cleaner.
+ LDFLAGS='-static' CFLAGS='-Os' ./configure --prefix=/ \
+ --enable-static-rnd=linux --disable-dev-random --disable-asm \
+ --disable-selinux-support --disable-gnupg-iconv --disable-card-support \
+ --disable-agent-support --disable-bzip2 --disable-exec \
+ --disable-photo-viewers --disable-keyserver-helpers --disable-ldap \
+ --disable-hkp --disable-finger --disable-generic --disable-mailto \
+ --disable-keyserver-path --disable-dns-srv --disable-dns-pka \
+ --disable-dns-cert --disable-nls --disable-threads --disable-regex \
+ --disable-optimization --with-included-zlib --without-capabilities \
+ --without-tar --without-ldap --without-libcurl --without-mailprog \
+ --without-libpth-prefix --without-libiconv-prefix --without-libintl-prefix\
+ --without-zlib --without-bzip2 --without-libusb --without-readline \
+ >> ${LOGFILE} 2>&1 || gen_die 'Configuring gnupg failed!'
+ print_info 1 'gnupg: >> Compiling...'
+ MAKE=${UTILS_MAKE} compile_generic "" ""
+ print_info 1 'gnupg: >> Copying to cache...'
+ [ -f "${TEMP}/${GPG_DIR}/g10/gpg" ] ||
+ gen_die 'gnupg executable does not exist!'
+ strip "${TEMP}/${GPG_DIR}/g10/gpg" ||
+ gen_die 'Could not strip gpg binary!'
+ bzip2 -z -c "${TEMP}/${GPG_DIR}/g10/gpg" > "${GPG_BINCACHE}" ||
+ gen_die 'Could not copy the gpg binary to the package directory, does the directory exist?'
+
+ cd "${TEMP}"
+ rm -rf "${GPG_DIR}" > /dev/null
+ fi
+}

From 1d706752f1cfd47c624370a239b64f7143134647 Mon Sep 17 00:00:00 2001
From: dacook
Date: Thu, 17 Dec 2009 08:58:32 -0700
Subject: [PATCH 04/14] GPG initramfs append

Add function/handling to actually add the GPG binary to the initramfs

---
 gen_initramfs.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/gen_initramfs.sh b/gen_initramfs.sh
index f420a2d..65d849e 100755
--- a/gen_initramfs.sh
+++ b/gen_initramfs.sh
@@ -451,6 +451,25 @@ append_firmware() {
 rm -r "${TEMP}/initramfs-firmware-temp/"
 }
+append_gpg() {
+ if [ -d "${TEMP}/initramfs-gpg-temp" ]
+ then
+ rm -r "${TEMP}/initramfs-gpg-temp"
+ fi
+ cd ${TEMP}
+ mkdir -p "${TEMP}/initramfs-gpg-temp/sbin/"
+ if [ ! -e ${GPG_BINCACHE} ] ; then
+ print_info 1 ' GPG: Adding support (compiling binaries)...'
+ compile_gpg
+ fi
+ bzip2 -dc "${GPG_BINCACHE}" > "${TEMP}/initramfs-gpg-temp/sbin/gpg" ||
+ gen_die 'Could not extract gpg binary cache!'
+ chmod a+x "${TEMP}/initramfs-gpg-temp/sbin/gpg"
+ cd "${TEMP}/initramfs-gpg-temp/"
+ find . -print | cpio ${CPIO_ARGS} --append -F "${CPIO}"
+ rm -rf "${TEMP}/initramfs-gpg-temp" > /dev/null
+}
+
 print_list() {
 local x
@@ -641,6 +660,7 @@ create_initramfs() {
 append_data 'mdadm' "${MDADM}"
 append_data 'luks' "${LUKS}"
 append_data 'multipath' "${MULTIPATH}"
+ append_data 'gpg' "${GPG}"
 if [ "${NORAMDISKMODULES}" = '0' ]
 then

From f78d61d8b35e6438bace812a19e4dea423023793 Mon Sep 17 00:00:00 2001
From: dacook
Date: Thu, 17 Dec 2009 08:59:33 -0700
Subject: [PATCH 05/14] GPG runtime

Actual boot-time handling of PGP-armored keys

---
 defaults/initrd.scripts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/defaults/initrd.scripts b/defaults/initrd.scripts
index f14333a..ea53fba 100755
--- a/defaults/initrd.scripts
+++ b/defaults/initrd.scripts
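Review bot: `cd "${TEMP}"` is never checked before `rm -rf "${GPG_DIR}"`, both after the tarball check and again at the end of the branch, so if the chdir fails (missing or unreadable `${TEMP}`) the relative `rm -rf` runs in whatever the current directory happens to be; the same unchecked `cd "${GPG_DIR}"` precedes `./configure`. Use `cd "${TEMP}" || gen_die "Could not change into ${TEMP}"` and likewise `cd "${GPG_DIR}" || gen_die "Could not change into ${GPG_DIR}"` so a failed chdir stops the build instead of deleting or configuring in the wrong tree. `>> ${LOGFILE}` is also the only unquoted expansion in the function; `>> "${LOGFILE}"` keeps it consistent with the surrounding lines.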
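Review bot: `cd ${TEMP}` and `[ ! -e ${GPG_BINCACHE} ]` are the only unquoted expansions in append_gpg while every other use in the function is quoted; write `[ ! -e "${GPG_BINCACHE}" ]`, and either quote the `cd` or drop it, since nothing between it and the later `cd "${TEMP}/initramfs-gpg-temp/"` depends on the working directory. The `find . -print | cpio ${CPIO_ARGS} --append -F "${CPIO}"` pipeline is unchecked, so a cpio failure yields an initramfs without /sbin/gpg, and the boot-time `[ -e /sbin/gpg ]` test added to initrd.scripts in this series then quietly hands the .gpg file to cryptsetup as a raw keyfile, which fails with an unrelated message; `|| gen_die 'Could not append gpg to the initramfs!'` would surface it at build time. The neighbouring append_* functions start outside the hunk, so I cannot tell whether they check cpio either.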
@@ -742,6 +742,7 @@ openLUKS() {
 [ ! -e /sbin/cryptsetup ] && bad_msg "The ramdisk does not support LUKS" && exit 1
 while [ 1 ]
 do
+ local gpg_cmd=""
 # if crypt_silent=1 and some error occurs, enter shell quietly
 if [ \( ${CRYPT_SILENT} -eq 1 \) -a \( \( \( ${DEV_ERROR} -eq 1 \) -o \( ${KEY_ERROR} -eq 1 \) \) -o \( ${KEYDEV_ERROR} -eq 1 \) \) ]
 then
@@ -826,10 +827,17 @@ openLUKS() {
 fi
 # At this point a candidate key exists (either mounted before or not)
 good_msg "${LUKS_KEY} on device ${LUKS_KEYDEV} found" ${CRYPT_SILENT}
- cryptsetup_options="-d ${mntkey}${LUKS_KEY}"
+ if [ $(echo ${LUKS_KEY} | grep -o '.gpg$') == ".gpg" ] && [ -e /sbin/gpg ] ; then
+ [ -e /dev/tty ] && mv /dev/tty /dev/tty.org
+ mknod /dev/tty c 5 1
+ cryptsetup_options="-d -"
+ gpg_cmd="/sbin/gpg --logger-file /dev/null --quiet --decrypt ${mntkey}${LUKS_KEY} |"
+ else
+ cryptsetup_options="-d ${mntkey}${LUKS_KEY}"
+ fi
 fi
 # At this point, keyfile or not, we're ready!
- crypt_filter "cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
+ crypt_filter "${gpg_cmd}cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
 if [ $? -eq 0 ]
 then
 good_msg "LUKS device ${LUKS_DEVICE} opened" ${CRYPT_SILENT}

From 535f2950bfcd15608702055438d3f1b8c2f60478 Mon Sep 17 00:00:00 2001
From: dacook
Date: Thu, 17 Dec 2009 09:00:14 -0700
Subject: [PATCH 06/14] GPG command-line handling

Allow user to specify '--gpg' as an argument to genkernel and trigger the inclusion of PGP-armored LUKS key support.

---
 gen_cmdline.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/gen_cmdline.sh b/gen_cmdline.sh
index 3dcb65d..1bf5de3 100755
--- a/gen_cmdline.sh
+++ b/gen_cmdline.sh
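Review bot: The `$(echo ${LUKS_KEY} | grep -o '.gpg$')` substitution in the new `if` is unquoted, so for any key name that does not end in gpg it expands to nothing and the test collapses to `[ == ".gpg" ]`, a `[` usage error whose non-zero status happens to select the `else` branch; the code works by accident and prints a stray error on the console. The 'Remove bashism' patch later in this series touches the same line but changes only the operator. `case "${LUKS_KEY}" in *.gpg) ... ;; *) ... ;; esac` needs neither grep nor quoting, or at minimum `[ "$(echo "${LUKS_KEY}" | grep -o '\.gpg$')" = ".gpg" ]`. Separately, `/dev/tty` is moved to `/dev/tty.org` and recreated with an unchecked `mknod` on every pass through `while [ 1 ]`, so a second pass overwrites the saved original and nothing in the hunk restores it once the device opens; the loop and the remainder of openLUKS lie outside the hunk, so I cannot see whether a later step puts it back.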
@@ -97,6 +97,7 @@ longusage() {
 echo " ramdisk"
 echo " --luks Include LUKS support"
 echo " --> 'emerge cryptsetup-luks' with USE=-dynamic"
+ echo " --gpg Include GPG-armored LUKS key support"
 echo " --no-busybox Do not include busybox in the initramfs."
 echo " --unionfs Include support for unionfs"
 echo " --netboot Create a self-contained env in the initramfs"
@@ -524,6 +525,10 @@ parse_cmdline() {
 CMD_LUKS=1
 print_info 2 "CMD_LUKS: ${CMD_LUKS}"
 ;;
+ --gpg)
+ CMD_GPG=1
+ print_info 2 "CMD_GPG: ${CMD_GPG}"
+ ;;
 --firmware)
 CMD_FIRMWARE=1
 print_info 2 "CMD_FIRMWARE: ${CMD_FIRMWARE}"

From 04c37979c15ac7f37aa2452e7dc11af95a903494 Mon Sep 17 00:00:00 2001
From: dacook
Date: Mon, 10 Jan 2011 09:24:10 -0700
Subject: [PATCH 07/14] Remove bashism

Get rid of bash-ish "==" equivalence test in checking if the LUKS_KEY ends in .gpg. Use strict Bourne-compliant '=' instead.

---
 defaults/initrd.scripts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/initrd.scripts b/defaults/initrd.scripts
index ea53fba..93daa5a 100755
--- a/defaults/initrd.scripts
+++ b/defaults/initrd.scripts
@@ -827,7 +827,7 @@ openLUKS() {
 fi
 # At this point a candidate key exists (either mounted before or not)
 good_msg "${LUKS_KEY} on device ${LUKS_KEYDEV} found" ${CRYPT_SILENT}
- if [ $(echo ${LUKS_KEY} | grep -o '.gpg$') == ".gpg" ] && [ -e /sbin/gpg ] ; then
+ if [ $(echo ${LUKS_KEY} | grep -o '.gpg$') = ".gpg" ] && [ -e /sbin/gpg ] ; then
 [ -e /dev/tty ] && mv /dev/tty /dev/tty.org
 mknod /dev/tty c 5 1
 cryptsetup_options="-d -"

From fc1e95475a3483f8b5863d3855dc7b21ea222357 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Tue, 11 Jan 2011 23:14:49 +0100
Subject: [PATCH 08/14] Mention cache usage on gnupg in output (consistent to busybox and blkid)

---
 gen_compile.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gen_compile.sh b/gen_compile.sh
index 5dd218d..f334b6b 100755
--- a/gen_compile.sh
+++ b/gen_compile.sh
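Review bot: The help text added in longusage, `--gpg Include GPG-armored LUKS key support`, describes the key as armored, but the initrd side runs plain `gpg --decrypt` and the man-page text later in this series creates the key with `gpg --encrypt --symmetric`, which produces binary OpenPGP output rather than ASCII armor; "armored" will send users looking for `--armor`. Wording such as `echo "  --gpg  Include support for GnuPG-encrypted LUKS keyfiles"` (aligned to the neighbouring lines) says what the option actually does. The parse_cmdline arm mirrors `--luks` and needs no change.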
@@ -666,8 +666,10 @@ compile_iscsi() {
 }
 compile_gpg() {
- if [ ! -f "${GPG_BINCACHE}" ]
+ if [ -f "${GPG_BINCACHE}" ]
 then
+ print_info 1 "gnupg: >> Using cache"
+ else
 [ ! -f "${GPG_SRCTAR}" ] &&
 gen_die "Could not find gnupg source tarball: ${GPG_SRCTAR}. Please place it there, or place another version, changing /etc/genkernel.conf as necessary!"
 cd "${TEMP}"

From 537ad948b27430dd0ea6aef66a294bac32044291 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Tue, 11 Jan 2011 23:16:21 +0100
Subject: [PATCH 09/14] Compile gnupg as a util

---
 gen_compile.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gen_compile.sh b/gen_compile.sh
index f334b6b..109e949 100755
--- a/gen_compile.sh
+++ b/gen_compile.sh
@@ -695,7 +695,7 @@ compile_gpg() {
 --without-zlib --without-bzip2 --without-libusb --without-readline \
 >> ${LOGFILE} 2>&1 || gen_die 'Configuring gnupg failed!'
 print_info 1 'gnupg: >> Compiling...'
- MAKE=${UTILS_MAKE} compile_generic "" ""
+ compile_generic "" "utils"
 print_info 1 'gnupg: >> Copying to cache...'
 [ -f "${TEMP}/${GPG_DIR}/g10/gpg" ] ||
 gen_die 'gnupg executable does not exist!'

From b3bf195246d0eca90beccaaa34e21a8c67c79b09 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Tue, 11 Jan 2011 23:24:04 +0100
Subject: [PATCH 10/14] .conf: Document GPG variable

---
 genkernel.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/genkernel.conf b/genkernel.conf
index e492936..2bc8183 100644
--- a/genkernel.conf
+++ b/genkernel.conf
@@ -56,6 +56,9 @@ USECOLOR="yes"
 # Add in Luks support. Needs sys-fs/cryptsetup with -dynamic installed.
 # LUKS="no"
+# Add in GnuPG support
+# GPG="no"
+
 # Add in EVMS support from static binaries if they exist on the system: you
 # should run "emerge evms" first.
 # EVMS="no"

From 0f11073887600be0c5897f562a0e86891a244bd2 Mon Sep 17 00:00:00 2001
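Review bot: The new `if [ -f "${GPG_BINCACHE}" ]` accepts any existing file as a valid cache, including the empty or truncated one the `else` branch leaves behind when its `bzip2 -z -c ... > "${GPG_BINCACHE}"` fails, because the shell creates the output file before bzip2 runs and gen_die presumably exits without removing it; every later run then reports "Using cache" and dies in append_gpg with 'Could not extract gpg binary cache!' until the file is deleted by hand. Writing to `"${GPG_BINCACHE}.tmp"` and renaming on success, or running `rm -f "${GPG_BINCACHE}"` before gen_die in that failure branch, keeps the test on this line trustworthy; the bzip2 line sits further down compile_gpg, outside this hunk.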
From: Sebastian Pipping
Date: Tue, 11 Jan 2011 23:26:52 +0100
Subject: [PATCH 11/14] docmatcher: Teach variables GPG_* and BUSYBOX_APPLETS to it

---
 maintenance/docmatcher.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/maintenance/docmatcher.py b/maintenance/docmatcher.py
index ece71bd..4b6b94e 100644
--- a/maintenance/docmatcher.py
+++ b/maintenance/docmatcher.py
@@ -14,8 +14,8 @@ NON_VARIABLES = ('UTF', 'USE', 'TCP', 'SMP', 'PXE', 'PPC', 'MAC', 'TFTP', 'SYSTEM', 'SPARC', 'RAID', 'LABEL', 'PROMPT', 'KERNEL', 'GRP', 'DOCTYPE', 'DHCP', 'DEFAULT', 'ATARAID', 'APPEND')
-EXTRA_VARIABLES = ['ARCH_OVERRIDE', 'BOOTLOADER', 'CLEAR_CACHE_DIR', 'DEFAULT_KERNEL_SOURCE', 'DISTDIR', 'GK_SHARE']
-for app in ('DEVICE_MAPPER', 'UNIONFS_FUSE', 'BUSYBOX', 'DMRAID', 'LVM', 'ISCSI', 'FUSE'):
+EXTRA_VARIABLES = ['ARCH_OVERRIDE', 'BOOTLOADER', 'CLEAR_CACHE_DIR', 'DEFAULT_KERNEL_SOURCE', 'DISTDIR', 'GK_SHARE', 'BUSYBOX_APPLETS']
+for app in ('DEVICE_MAPPER', 'UNIONFS_FUSE', 'BUSYBOX', 'DMRAID', 'LVM', 'ISCSI', 'FUSE', 'GPG'):
 for prop in ('DIR', 'SRCTAR', 'VER'):
 EXTRA_VARIABLES.append('%s_%s' % (app, prop))
 EXTRA_VARIABLES = tuple(EXTRA_VARIABLES)

From 9458432848c5fe4e6071ffca6a2920998ca9009d Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Tue, 11 Jan 2011 23:42:51 +0100
Subject: [PATCH 12/14] docs: Add --gpg to man page

---
 doc/genkernel.8.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt
index fe87df3..fdc25dc 100644
--- a/doc/genkernel.8.txt
+++ b/doc/genkernel.8.txt
@@ -287,6 +287,11 @@ INITIALIZATION
 Add in Luks support from static binaries if they exist on the
 system.
+*--gpg*::
+ Add in GnuPG support. A key can be made from
+ `gpg --encrypt --symmetric /path/to/LUKS-key > /path/to/LUKS-key.gpg` .
+ After that, re-point the *root_key* argument to the new .gpg file.
+
 *--no-busybox*::
 Do not include busybox in the initrd or initramfs.
From 84084937e1b7d36fe46876ac27c9c9afe23279ef Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 12 Jan 2011 16:33:15 +0100
Subject: [PATCH 13/14] docs: Mention GnuPG branch 1.x and its reasoning in man page

---
 doc/genkernel.8.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt
index fdc25dc..dee4e00 100644
--- a/doc/genkernel.8.txt
+++ b/doc/genkernel.8.txt
@@ -288,7 +288,8 @@ INITIALIZATION
 system.
 *--gpg*::
- Add in GnuPG support. A key can be made from
+ Add support for GnuPG 1.x, the portable standalone branch of GnuPG.
+ A key can be made from
 `gpg --encrypt --symmetric /path/to/LUKS-key > /path/to/LUKS-key.gpg` .
 After that, re-point the *root_key* argument to the new .gpg file.

From 6c05e62afcfe24365b857ea73424f1b1bbd8fce9 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Wed, 12 Jan 2011 16:30:29 +0100
Subject: [PATCH 14/14] docs: Give credit to dacook

---
 doc/genkernel.8.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt
index dee4e00..b36137a 100644
--- a/doc/genkernel.8.txt
+++ b/doc/genkernel.8.txt
@@ -470,6 +470,7 @@ AUTHORS
 - Tim Yamin
 - Eric Edgar
 - NFS Support by Thomas Seiler
+- GnuPG 1.x integration by dacook
 SEE ALSO