From 4cfc3f4bf8ecd9ca96f0861af249d19fcbeb12f7 Mon Sep 17 00:00:00 2001 From: Chris Gianelloni Date: Thu, 21 Jun 2007 20:25:43 +0000 Subject: [PATCH] Added a patch from Nelson Batalha from bug #174294 to enable the use of encryption on a CD and the location of a key. git-svn-id: svn+ssh://svn.gentoo.org/var/svnroot/genkernel/trunk@516 67a159dc-881f-0410-a524-ba9dfbe2cb84 --- ChangeLog | 5 ++ generic/initrd.scripts | 50 ++++++++++++++ generic/linuxrc | 147 ++++++++++++++++++++++++++--------------- 3 files changed, 149 insertions(+), 53 deletions(-) diff --git a/ChangeLog b/ChangeLog index ccbb625..b90751b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,11 @@ # Copyright 2006-2007 Gentoo Foundation; Distributed under the GPL v2 # $Header: $ + 21 Jun 2007; Chris Gianelloni + generic/initrd.scripts, generic/linuxrc: + Added a patch from Nelson Batalha from bug + #174294 to enable the use of encryption on a CD and the location of a key. + 21 Jun 2007; Chris Gianelloni gen_determineargs.sh, gen_funcs.sh, genkernel, genkernel.8, genkernel.conf: Added two patches from John R. Graham from diff --git a/generic/initrd.scripts b/generic/initrd.scripts index 0fd14e8..4493bf8 100644 --- a/generic/initrd.scripts +++ b/generic/initrd.scripts @@ -100,6 +100,39 @@ findcdmount() { fi } +findkeymount() { + if [ "$#" -gt "0" ] + then + for x in $* + do + # Check for a block device to mount + if [ -b "${x}" ] + then + good_msg "Attempting to mount key media:- ${x}" + mount -r -t auto ${x} ${NEW_ROOT}/mnt/key \ + > /dev/null 2>&1 + fi + if [ "$?" = '0' ] + then + # Check for the key + if [ -e ${NEW_ROOT}/mnt/key/${SUBDIR}/${KEYNAME} ] + then + KEY_ROOT="${x}" + break + else + umount ${NEW_ROOT}/mnt/key + fi + fi + fi + done + if [ "${KEY_ROOT}" != '' ] + then + good_msg "Key media found on ${x}" + fi + fi +} + + cache_cd_contents() { # Check loop file exists and cache to ramdisk if DO_cache is enabled if [ "${LOOPTYPE}" != "noloop" ] && [ "${LOOPTYPE}" != "sgimips" ] 
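Review bot: The `fi` placed directly after the `mount -r -t auto ${x} ${NEW_ROOT}/mnt/key > /dev/null 2>&1` line in findkeymount closes the `if [ -b "${x}" ]` block too early: the three `fi` lines before `done` then close only two open `if`s, which is a parse error that stops initrd.scripts from being sourced, and the `if [ "$?" = '0' ]` test that follows succeeds for any `${x}` that is not a block device (the closed `if` itself returns 0), so the key check and `umount ${NEW_ROOT}/mnt/key` run with nothing mounted. Dropping that one early `fi` so the `$?` check sits inside the `-b` block, as in findcdmount, restores both the nesting and the intent. The loop read-only mounts every block device in its argument list with `-t auto` and tests for `${NEW_ROOT}/mnt/key/${SUBDIR}/${KEYNAME}`; neither `${KEYNAME}` nor `${SUBDIR}` is set in this file, so they are presumably established by the caller in linuxrc — a comment at the top of the function stating that precondition, e.g. `# Requires KEYNAME and SUBDIR to be set by the caller; leaves the matching device mounted on ${NEW_ROOT}/mnt/key`, would save the next reader a search.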
@@ -357,6 +390,23 @@ bootstrapCD() { findcdmount $DEVICES } +bootstrapKey() { + # Locate the device with our key on it. + # USB Keychain/Storage + KEYDEVS="/dev/sd*" + # CDROM DEVICES + KEYDEVS="${KEYDEVS} /dev/cdroms/* /dev/ide/cd/* /dev/sr*" + # IDE devices + KEYDEVS="${KEYDEVS} /dev/hd*" + # USB using the USB Block Driver + KEYDEVS="${KEYDEVS} /dev/ubd* /dev/ubd/*" + # iSeries devices + KEYDEVS="${KEYDEVs} /dev/iseries/vcd*" + + findkeymount ${KEYDEVS} +} + + cmdline_hwopts() { # Scan CMDLINE for any "doscsi" or "noscsi"-type arguments diff --git a/generic/linuxrc b/generic/linuxrc index 019b403..6d7c74b 100644 --- a/generic/linuxrc +++ b/generic/linuxrc @@ -72,13 +72,16 @@ do CDROOT=1 CDROOT_DEV=`parse_opt "${x}"` ;; - # Start livecd loop and looptype options + # Start livecd loop, looptype options and encryption loop\=*) LOOP=`parse_opt "${x}"` ;; looptype\=*) LOOPTYPE=`parse_opt "${x}"` ;; + loop_crypt\=*) + LOOP_CRYPT=`parse_opt "${x}"` + ;; # Start Device Manager options devfs) USE_DEVFS_NORMAL=1 @@ -261,7 +264,7 @@ then mount -t tmpfs tmpfs ${NEW_ROOT} fi - for i in dev mnt mnt/cdrom mnt/livecd tmp tmp/.initrd mnt/gentoo sys + for i in dev mnt mnt/cdrom mnt/livecd mnt/key tmp tmp/.initrd mnt/gentoo sys do mkdir -p ${NEW_ROOT}/$i chmod 755 ${NEW_ROOT}/$i 
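Review bot: `KEYDEVS="${KEYDEVs} /dev/iseries/vcd*"` in bootstrapKey expands `KEYDEVs` (lower-case s), an unset variable, so this last assignment throws away every device listed above it and findkeymount only ever searches `/dev/iseries/vcd*`; the line should read `KEYDEVS="${KEYDEVS} /dev/iseries/vcd*"`. Since the intended list includes whole disks and partitions (`/dev/hd*`, `/dev/sd*`), findkeymount will probe and read-only mount each attached disk in turn until the key file is found, which is worth stating in the comment above the list so the scope of the search is explicit to anyone enabling loop_crypt.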
@@ -490,66 +493,104 @@ then fi cache_cd_contents - # Setup the loopback mounts + - if [ "${LOOPTYPE}" = 'normal' ] + # If encrypted, find key and mount, otherwise mount as usual + if [ "${LOOP_CRYPT}" != '' ] then - good_msg 'Mounting loop filesystem' - mount -t ext2 -o loop,ro ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} ${NEW_ROOT}/mnt/livecd - test_success 'Mount filesystem' - FS_LOCATION='mnt/livecd' + good_msg 'You booted an encrypted livecd' + KEYNAME=$(head -n 1 ${NEW_ROOT}/mnt/cdrom/livecd) + if [ "${KEYNAME}" = '' ] + then + good_msg 'It's not locked with a gpg key, attempting to decrypt manually' + losetup -e ${LOOP_CRYPT} /dev/loop1 ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} + - elif [ "${LOOPTYPE}" = 'squashfs' ] - then - good_msg 'Mounting squashfs filesystem' - mount -t squashfs -o loop,ro ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} ${NEW_ROOT}/mnt/livecd + else + good_msg 'Livecd locked with gpg key' + bootstrapKey + good_msg 'Attempting to decrypt with key' + losetup -K ${NEW_ROOT}/mnt/key/${SUBDIR}/${KEYNAME} -e ${LOOP_CRYPT} /dev/loop1 \ + ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} + fi + + test_success 'Unencrypting loop' - test_success 'Mount filesystem' - FS_LOCATION='mnt/livecd' - - elif [ "${LOOPTYPE}" = 'gcloop' ] - then - good_msg 'Mounting gcloop filesystem' - echo ' ' | losetup -E 19 -e ucl-0 -p0 ${NEW_ROOT}/dev/loop0 ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} - test_success 'losetup the loop device' + case ${LOOPTYPE} in + squashfs) + MOUNTTYPE="squashfs" + normal) + MOUNTTYPE="ext2" + esac - mount -t ext2 -o ro ${NEW_ROOT}/dev/loop0 ${NEW_ROOT}/mnt/livecd - test_success 'Mount the losetup loop device' + mount -t ${MOUNTTYPE} -o ro /dev/loop1 ${NEW_ROOT}/mnt/livecd + + test_success 'Mount filesystem, checking key' FS_LOCATION='mnt/livecd' - - elif [ "${LOOPTYPE}" = 'zisofs' ] - then - FS_LOCATION="mnt/cdrom/${LOOPEXT}${LOOP}" - - elif [ "${LOOPTYPE}" = 'noloop' ] - then - FS_LOCATION='mnt/cdrom' - elif [ "${LOOPTYPE}" = 'sgimips' ] - then - # getdvhoff 
finds the starting offset (in bytes) of the squashfs - # partition on the cdrom and returns this offset for losetup - # - # All currently supported SGI Systems use SCSI CD-ROMs, so - # so we know that the CD-ROM is usually going to be /dev/sr0. - # - # We use the value given to losetup to set /dev/loop0 to point - # to the liveCD root partition, and then mount /dev/loop0 as - # the LiveCD rootfs - good_msg 'Locating the SGI LiveCD Root Partition' - echo ' ' | \ - losetup -o $(/bin/getdvhoff ${NEW_ROOT}${REAL_ROOT} 0) \ - ${NEW_ROOT}${CDROOT_DEV} \ - ${NEW_ROOT}${REAL_ROOT} - test_success 'losetup /dev/sr0 /dev/loop0' - - good_msg 'Mounting the Root Partition' - mount -t squashfs -o ro ${NEW_ROOT}${CDROOT_DEV} ${NEW_ROOT}/mnt/livecd - test_success 'mount /dev/loop0 /' - FS_LOCATION='mnt/livecd' - fi + + # Setup the loopback mounts, if unencrypted + else + if [ "${LOOPTYPE}" = 'normal' ] + then + good_msg 'Mounting loop filesystem' + mount -t ext2 -o loop,ro ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} ${NEW_ROOT}/mnt/livecd + test_success 'Mount filesystem' + FS_LOCATION='mnt/livecd' + + + elif [ "${LOOPTYPE}" = 'squashfs' ] + then + good_msg 'Mounting squashfs filesystem' + mount -t squashfs -o loop,ro ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} ${NEW_ROOT}/mnt/livecd + + test_success 'Mount filesystem' + FS_LOCATION='mnt/livecd' + + elif [ "${LOOPTYPE}" = 'gcloop' ] + then + good_msg 'Mounting gcloop filesystem' + echo ' ' | losetup -E 19 -e ucl-0 -p0 ${NEW_ROOT}/dev/loop0 ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} + test_success 'losetup the loop device' + + mount -t ext2 -o ro ${NEW_ROOT}/dev/loop0 ${NEW_ROOT}/mnt/livecd + test_success 'Mount the losetup loop device' + FS_LOCATION='mnt/livecd' + + elif [ "${LOOPTYPE}" = 'zisofs' ] + then + FS_LOCATION="mnt/cdrom/${LOOPEXT}${LOOP}" + + elif [ "${LOOPTYPE}" = 'noloop' ] + then + FS_LOCATION='mnt/cdrom' + + elif [ "${LOOPTYPE}" = 'sgimips' ] + then + # getdvhoff finds the starting offset (in bytes) of the squashfs + # 
partition on the cdrom and returns this offset for losetup + # + # All currently supported SGI Systems use SCSI CD-ROMs, so + # so we know that the CD-ROM is usually going to be /dev/sr0. + # + # We use the value given to losetup to set /dev/loop0 to point + # to the liveCD root partition, and then mount /dev/loop0 as + # the LiveCD rootfs + good_msg 'Locating the SGI LiveCD Root Partition' + echo ' ' | \ + losetup -o $(/bin/getdvhoff ${NEW_ROOT}${REAL_ROOT} 0) \ + ${NEW_ROOT}${CDROOT_DEV} \ + ${NEW_ROOT}${REAL_ROOT} + test_success 'losetup /dev/sr0 /dev/loop0' + + good_msg 'Mounting the Root Partition' + mount -t squashfs -o ro ${NEW_ROOT}${CDROOT_DEV} ${NEW_ROOT}/mnt/livecd + test_success 'mount /dev/loop0 /' + FS_LOCATION='mnt/livecd' + fi + # # End cdrom looptype determination and mounting if necessary #
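Review bot: The encrypted branch added here will not parse: the apostrophe inside `good_msg 'It's not locked with a gpg key, attempting to decrypt manually'` terminates the single-quoted string, and the `case ${LOOPTYPE} in` block has no `;;` after `MOUNTTYPE="squashfs"` and `MOUNTTYPE="ext2"`, so `normal)` is read as part of the first arm. The message needs double quotes (`good_msg "It's not locked with a gpg key, attempting to decrypt manually"`), and the case block needs terminated arms plus a default, because every other looptype (gcloop, zisofs, noloop, sgimips) leaves MOUNTTYPE empty and the following `mount -t ${MOUNTTYPE} -o ro /dev/loop1 ${NEW_ROOT}/mnt/livecd` malformed. As rendered, only one `fi` follows the sgimips branch, which closes the inner `if [ "${LOOPTYPE}" = 'normal' ]` chain but not the new outer `if [ "${LOOP_CRYPT}" != '' ]` — please confirm a second `fi` is present. `${LOOP_CRYPT}` comes verbatim from the kernel command line and is passed unquoted to `losetup -e`, and the branch hard-codes `/dev/loop1` while the gcloop branch uses `${NEW_ROOT}/dev/loop0`; quoting the cipher name and using the same device naming would keep the two paths consistent. The `if` block this hunk sits inside begins before the hunk.
```shell
# … unchanged: key lookup, losetup and test_success 'Unencrypting loop' …
case "${LOOPTYPE}" in
	squashfs)
		MOUNTTYPE="squashfs"
		;;
	normal)
		MOUNTTYPE="ext2"
		;;
	*)
		# Only ext2 and squashfs images can be decrypted through the loop device.
		bad_msg "looptype ${LOOPTYPE} is not supported with loop_crypt"
		;;
esac
# … unchanged: mount of the decrypted loop device and FS_LOCATION …
```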