meta-digi-dey: trustfence: implement encrypted rootfs installation
https://jira.digi.com/browse/DEL-2700 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera
parent
b37cbc26c3
commit
a8bec40bea
|
|
@ -4,13 +4,17 @@ SUMMARY = "Trustfence initramfs required files"
|
|||
LICENSE = "GPL-2.0"
|
||||
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
|
||||
|
||||
SRC_URI = "file://trustfence-initramfs-init"
|
||||
SRC_URI = " \
|
||||
file://trustfence-initramfs-init \
|
||||
file://trustfence-install.sh \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}"
|
||||
|
||||
do_install() {
|
||||
install -d ${D}${sbindir}
|
||||
install -d ${D}${base_sbindir}
|
||||
install -m 0755 trustfence-initramfs-init ${D}/init
|
||||
install -m 0755 trustfence-install.sh ${D}${base_sbindir}
|
||||
}
|
||||
|
||||
# Do not create debug/devel packages
|
||||
|
|
|
|||
|
|
@ -31,10 +31,13 @@ mkdir -p /var/run && rngd
|
|||
|
||||
for arg in $(cat /proc/cmdline); do
|
||||
case "${arg}" in
|
||||
init=*|rescue=1|root=*) eval ${arg};;
|
||||
init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};;
|
||||
esac
|
||||
done
|
||||
|
||||
# Translate "PARTUUID=..." to real device
|
||||
root="$(findfs ${root})"
|
||||
|
||||
# Jump to a rescue shell if requested
|
||||
if [ -n "${rescue}" ]; then
|
||||
# Expand console and respawn if exited
|
||||
|
|
@ -44,8 +47,14 @@ if [ -n "${rescue}" ]; then
|
|||
done
|
||||
fi
|
||||
|
||||
# Translate "PARTUUID=..." to real device
|
||||
root="$(findfs ${root})"
|
||||
# Run install script if "trustfence_install" kernel parameter exists
|
||||
if [ -n "${trustfence_install}" ]; then
|
||||
trustfence-install.sh ${trustfence_install} ${root}
|
||||
sleep 1
|
||||
echo ">> Rebooting the system"
|
||||
sleep 1
|
||||
sync && reboot -f
|
||||
fi
|
||||
|
||||
# Open LUKS encrypted device
|
||||
if trustfence-tool ${root} cryptroot; then
|
||||
|
|
|
|||
|
|
@ -0,0 +1,89 @@
|
|||
#!/bin/sh
|
||||
#===============================================================================
|
||||
#
|
||||
# trustfence-install.sh
|
||||
#
|
||||
# Copyright (C) 2016 by Digi International Inc.
|
||||
# All rights reserved.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License version 2 as published by
|
||||
# the Free Software Foundation.
|
||||
#
|
||||
#
|
||||
# !Description: Wrapper script for initial deployment of encrypted rootfs
|
||||
#
|
||||
# The script gathers the needed information from the 'trustfence_install'
|
||||
# kernel command line parameter with following syntax:
|
||||
#
|
||||
# trustfence_install="source:serverip:filename"
|
||||
# source -> 'tftp' | <block-device>
|
||||
# serverip -> <tftp-ip> | '' (serverip or empty if local)
|
||||
# filename -> <image-filename> (path relative to 'source')
|
||||
#
|
||||
# For 'tftp' mode the kernel IP autoconfig may be used to bring the network
|
||||
# interface up, with 'ip' kernel parameter. Examples:
|
||||
#
|
||||
# ip=<static-ip>:::<netmask>::eth0:off
|
||||
# ip=dhcp
|
||||
#
|
||||
# This script is meant for testing purposes. It's NOT a stable API and may
|
||||
# be subject to change.
|
||||
#
|
||||
#===============================================================================
|
||||
|
||||
set -o pipefail
|
||||
|
||||
TF_INSTALL_INFO="${1}"
|
||||
TF_ROOTFS_DEV="${2}"
|
||||
|
||||
error() {
|
||||
[ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Parse trustfence_install kernel parameter
|
||||
IFS=":" read SOURCE SERVERIP FILENAME <<_EOF_
|
||||
${TF_INSTALL_INFO}
|
||||
_EOF_
|
||||
|
||||
# Validate command line arguments
|
||||
if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then
|
||||
error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}"
|
||||
elif ! [ -b "${TF_ROOTFS_DEV}" ]; then
|
||||
error "${TF_ROOTFS_DEV} is not a block device"
|
||||
fi
|
||||
|
||||
# Generate random key, initialize the partition and open the virtual mapped device
|
||||
trustfence-tool --format --newkey "${TF_ROOTFS_DEV}" cryptroot
|
||||
if [ "${?}" != "0" ]; then
|
||||
error "trustfence-tool: open mapped device"
|
||||
fi
|
||||
|
||||
# Install image to the encrypted mapped device
|
||||
if [ "${SOURCE}" = "tftp" ]; then
|
||||
printf "\nInstalling ${FILENAME} from TFTP\n\n"
|
||||
tftp -g -l - -r "${FILENAME}" "${SERVERIP}" | pv -tprebW | dd of=/dev/mapper/cryptroot 2>/dev/null
|
||||
if [ "${?}" != "0" ]; then
|
||||
error "write ${FILENAME}"
|
||||
fi
|
||||
elif [ -b "${SOURCE}" ]; then
|
||||
printf "\nInstalling ${FILENAME} from local media\n\n"
|
||||
MOUNTPOINT="/media/$(basename ${SOURCE})"
|
||||
FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
|
||||
mkdir -p ${MOUNTPOINT}
|
||||
mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT}
|
||||
pv -tprebW ${MOUNTPOINT}/${FILENAME} | dd of=/dev/mapper/cryptroot 2>/dev/null
|
||||
if [ "${?}" != "0" ]; then
|
||||
error "write ${FILENAME}"
|
||||
fi
|
||||
umount ${SOURCE}
|
||||
else
|
||||
error "${SOURCE} is neither a block device nor 'tftp'"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "#######################"
|
||||
echo "# Install completed #"
|
||||
echo "#######################"
|
||||
echo ""
|
||||
Loading…
Reference in New Issue