meta-digi-dey: new Trustfence initramfs package

This package adds some files needed by the trustfence initramfs and that are not included in other packages. https://jira.digi.com/browse/DEL-2278 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2016-07-07 17:59:25 +02:00 · 2016-07-07 17:59:25 +02:00 · 4dd7d438af
parent 778aade696
commit 4dd7d438af
2 changed files with 102 additions and 0 deletions
--- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb
@ -0,0 +1,28 @@
+# Copyright (C) 2016 Digi International.
+
+SUMMARY = "Trustfence initramfs required files"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "file://trustfence-initramfs-init"
+
+S = "${WORKDIR}"
+
+do_install() {
+	install -d ${D}${sbindir}
+	install -m 0755 trustfence-initramfs-init ${D}/init
+}
+
+# Do not create debug/devel packages
+PACKAGES = "${PN}"
+
+FILES_${PN} = "/"
+
+# Runtime packages used in 'trustfence-initramfs-init'
+RDEPENDS_${PN} = " \
+    cryptsetup \
+    rng-tools \
+    trustfence-tool \
+    util-linux-findfs \
+    wipe \
+"
--- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init
@ -0,0 +1,74 @@
+#!/bin/sh
+#===============================================================================
+#
+#  trustfence-initramfs-init
+#
+#  Copyright (C) 2016 by Digi International Inc.
+#  All rights reserved.
+#
+#  This program is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU General Public License version 2 as published by
+#  the Free Software Foundation.
+#
+#
+#  !Description: Init script for Trustfence initramfs
+#
+#===============================================================================
+
+export PATH=/bin:/sbin:/usr/bin:/usr/sbin
+
+mkdir -p /proc /sys /dev
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+mount -t devtmpfs devtmpfs /dev
+
+# Set kernel console loglevel
+LOGLEVEL="$(sysctl -n kernel.printk)"
+sysctl -q -w kernel.printk=4
+
+# Launch 'rngd' to feed random data to kernel entropy pool
+mkdir -p /var/run && rngd
+
+for arg in $(cat /proc/cmdline); do
+	case "${arg}" in
+		init=*|rescue=1|root=*) eval ${arg};;
+	esac
+done
+
+# Jump to a rescue shell if requested
+if [ -n "${rescue}" ]; then
+	# Expand console and respawn if exited
+	while true; do
+		setsid cttyhack sh -l
+		sleep 1
+	done
+fi
+
+# Translate "PARTUUID=..." to real device
+root="$(findfs ${root})"
+
+# Open LUKS encrypted device
+TMP_KEYFILE="$(mktemp keyfile.XXXXXX)"
+trustfence-tool -f ${TMP_KEYFILE}
+if cryptsetup --key-file ${TMP_KEYFILE} open --type luks ${root} cryptroot; then
+	# Reset root variable to the decrypted mapped device
+	root="/dev/mapper/cryptroot"
+fi
+wipe -cfs ${TMP_KEYFILE}
+
+# Mount mapped device
+mkdir -p /newroot
+mount ${root} /newroot
+
+#
+# Clean-up and do the switch_root to the final rootfs
+#
+# - explicit kill 'rngd' daemon so it doesn't leak to the final rootfs
+# - restore previous kernel console loglevel
+# - umount virtual filesystems
+#
+pkill -9 rngd
+[ -n "${LOGLEVEL}" ] && sysctl -q -w kernel.printk="${LOGLEVEL}"
+mount --move /dev /newroot/dev
+umount /sys /proc
+exec switch_root /newroot ${init:-/sbin/init}