From d441f8401e54db46a2cca4a151de5230b4f71fe9 Mon Sep 17 00:00:00 2001 From: Tatiana Leon Date: Tue, 14 Mar 2017 12:23:21 +0100 Subject: [PATCH] trustfence-initramfs: remove support for encrypted rootfs installation The recovery ramdisk already contains functionality for encrypted rootfs installation. The goal is to centralize all this functionality in the recovery ramdisk. https://jira.digi.com/browse/DEL-3829 Signed-off-by: Tatiana Leon --- .../trustfence/trustfence-initramfs.bb | 7 +- .../ccimx6sbc/trustfence-initramfs-init | 13 +-- .../ccimx6sbc/trustfence-install.sh | 89 ------------------ .../ccimx6ul/trustfence-initramfs-init | 46 +-------- .../ccimx6ul/trustfence-install.sh | 94 ------------------- 5 files changed, 8 insertions(+), 241 deletions(-) delete mode 100644 meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh delete mode 100644 meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb index 278301b5d..0d6d77ef4 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb @@ -1,4 +1,4 @@ -# Copyright (C) 2016 Digi International. +# Copyright (C) 2016, 2017 Digi International Inc. SUMMARY = "Trustfence initramfs required files" LICENSE = "GPL-2.0" @@ -6,15 +6,12 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425 SRC_URI = " \ file://trustfence-initramfs-init \ - file://trustfence-install.sh \ " S = "${WORKDIR}" do_install() { - install -d ${D}${base_sbindir} install -m 0755 trustfence-initramfs-init ${D}/init - install -m 0755 trustfence-install.sh ${D}${base_sbindir} } # Do not create debug/devel packages @@ -30,7 +27,7 @@ RDEPENDS_${PN} = " \ u-boot-fw-utils \ " -RDEPENDS_${PN}_append_ccimx6sbc = " \ +RDEPENDS_${PN}_append_ccimx6 = " \ cryptsetup \ rng-tools \ " diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init index 899f5c4e0..5759d3bd3 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init @@ -3,7 +3,7 @@ # # trustfence-initramfs-init # -# Copyright (C) 2016 by Digi International Inc. +# Copyright (C) 2016, 2017 by Digi International Inc. # All rights reserved. # # This program is free software; you can redistribute it and/or modify it @@ -31,7 +31,7 @@ mkdir -p /var/run && rngd for arg in $(cat /proc/cmdline); do case "${arg}" in - init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};; + init=*|rescue=1|root=*) eval ${arg};; esac done @@ -47,15 +47,6 @@ if [ -n "${rescue}" ]; then done fi -# Run install script if "trustfence_install" kernel parameter exists -if [ -n "${trustfence_install}" ]; then - trustfence-install.sh ${trustfence_install} ${root} - sleep 1 - echo ">> Rebooting the system" - sleep 1 - sync && reboot -f -fi - # Open LUKS encrypted device if trustfence-tool ${root} cryptroot; then # Reset root variable to the decrypted mapped device diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh deleted file mode 100644 index 4b83e3caf..000000000 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh +++ /dev/null @@ -1,89 +0,0 @@ -#!/bin/sh -#=============================================================================== -# -# trustfence-install.sh -# -# Copyright (C) 2016 by Digi International Inc. -# All rights reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 as published by -# the Free Software Foundation. -# -# -# !Description: Wrapper script for initial deployment of encrypted rootfs -# -# The script gathers the needed information from the 'trustfence_install' -# kernel command line parameter with following syntax: -# -# trustfence_install="source:serverip:filename" -# source -> 'tftp' | -# serverip -> | '' (serverip or empty if local) -# filename -> (path relative to 'source') -# -# For 'tftp' mode the kernel IP autoconfig may be used to bring the network -# interface up, with 'ip' kernel parameter. Examples: -# -# ip=:::::eth0:off -# ip=dhcp -# -# This script is meant for testing purposes. It's NOT a stable API and may -# be subject to change. -# -#=============================================================================== - -set -o pipefail - -TF_INSTALL_INFO="${1}" -TF_ROOTFS_DEV="${2}" - -error() { - [ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}" - exit 1 -} - -# Parse trustfence_install kernel parameter -IFS=":" read SOURCE SERVERIP FILENAME <<_EOF_ -${TF_INSTALL_INFO} -_EOF_ - -# Validate command line arguments -if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then - error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}" -elif ! [ -b "${TF_ROOTFS_DEV}" ]; then - error "${TF_ROOTFS_DEV} is not a block device" -fi - -# Generate random key, initialize the partition and open the virtual mapped device -trustfence-tool --format --newkey "${TF_ROOTFS_DEV}" cryptroot -if [ "${?}" != "0" ]; then - error "trustfence-tool: open mapped device" -fi - -# Install image to the encrypted mapped device -if [ "${SOURCE}" = "tftp" ]; then - printf "\nInstalling ${FILENAME} from TFTP\n\n" - tftp -g -l - -r "${FILENAME}" "${SERVERIP}" | pv -tprebW | dd of=/dev/mapper/cryptroot 2>/dev/null - if [ "${?}" != "0" ]; then - error "write ${FILENAME}" - fi -elif [ -b "${SOURCE}" ]; then - printf "\nInstalling ${FILENAME} from local media\n\n" - MOUNTPOINT="/media/$(basename ${SOURCE})" - FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')" - mkdir -p ${MOUNTPOINT} - mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT} - pv -tprebW ${MOUNTPOINT}/${FILENAME} | dd of=/dev/mapper/cryptroot 2>/dev/null - if [ "${?}" != "0" ]; then - error "write ${FILENAME}" - fi - umount ${SOURCE} -else - error "${SOURCE} is neither a block device nor 'tftp'" -fi - -echo "" -echo "#######################" -echo "# Install completed #" -echo "#######################" -echo "" diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init index 2c30dbf84..80739af78 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init @@ -3,7 +3,7 @@ # # trustfence-initramfs-init # -# Copyright (C) 2016 by Digi International Inc. +# Copyright (C) 2016, 2017 by Digi International Inc. # All rights reserved. # # This program is free software; you can redistribute it and/or modify it @@ -28,58 +28,20 @@ sysctl -q -w kernel.printk=4 for arg in $(cat /proc/cmdline); do case "${arg}" in - init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};; - trustfence_fskey*) - tf_fskey_bool=true; - eval ${arg};; + init=*|rescue=1|root=*) eval ${arg};; esac done # Translate "PARTUUID=..." to real device root="/dev/$(findfs ${root})" -rescue_shell () { +# Jump to a rescue shell if requested +if [ -n "${rescue}" ]; then # Expand console and respawn if exited while true; do setsid cttyhack sh -l sleep 1 done -} - -# Jump to a rescue shell if requested -if [ -n "${rescue}" ]; then - rescue_shell -fi - -if [ -n "${tf_fskey_bool}" ]; then - # Program key if trustfence_fskey kernel parameter exists - if [ -n "${trustfence_fskey}" ]; then - # trustfence_fskey not empty - use provided key - printf "\nUsing provided key\n" - trustfence-tool --newkey=${trustfence_fskey} - if [ "${?}" != "0" ]; then - error "trustfence-tool: key generation" - fi - else - # trustfence_fskey empty - use random key - printf "\nGenerating new random key\n" - trustfence-tool --newkey - if [ "${?}" != "0" ]; then - error "trustfence-tool: key generation" - fi - fi - printf "\nFile system encryption key changed.\n" - printf "A system reboot is needed for the kernel to use it.\n" - rescue_shell -fi - -# Run install script if "trustfence_install" kernel parameter exists -if [ -n "${trustfence_install}" ]; then - trustfence-install.sh ${trustfence_install} - sleep 1 - echo ">> Rebooting the system" - sleep 1 - sync && reboot -f fi # Mount device diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh deleted file mode 100644 index e87f01e6c..000000000 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh +++ /dev/null @@ -1,94 +0,0 @@ -#!/bin/sh -#=============================================================================== -# -# trustfence-install.sh -# -# Copyright (C) 2016 by Digi International Inc. -# All rights reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 as published by -# the Free Software Foundation. -# -# -# !Description: Wrapper script for initial deployment of encrypted filesystems -# -# The script gathers the needed information from the 'trustfence_install' -# kernel command line parameter with following syntax: -# -# trustfence_install="source:serverip:filename:partname" -# source -> 'tftp' | -# serverip -> | '' (serverip or empty if local) -# filename -> (path relative to 'source') -# partname -> (should match an entry on the -# partition table) -# -# For 'tftp' mode the kernel IP autoconfig may be used to bring the network -# interface up, with 'ip' kernel parameter. Examples: -# -# ip=:::::eth0:off -# ip=dhcp -# -# This script is meant for testing purposes. It's NOT a stable API and may -# be subject to change. -# -#=============================================================================== - -set -o pipefail - -TF_INSTALL_INFO="${1}" - -error() { - [ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}" - exit 1 -} - -# Parse trustfence_install kernel parameter -IFS=":" read SOURCE SERVERIP FILENAME PARTNAME <<_EOF_ -${TF_INSTALL_INFO} -_EOF_ - -# Validate command line arguments -if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || [ -z "${PARTNAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then - error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}" -fi - -# Format partition -mtdindex="$(sed -ne "/\"${PARTNAME}\"$/s,^mtd\([0-9]\):.*,\1,g;T;p" /proc/mtd)" -ubidetach -p /dev/mtd${mtdindex} >/dev/null 2>&1 -ubiformat -y /dev/mtd${mtdindex} -UBI_DEVICE="$(ubiattach -p /dev/mtd${mtdindex} | sed -ne 's,.*device number \([0-9]\).*,\1,g;T;p')" -ubimkvol /dev/ubi${UBI_DEVICE} -N "${PARTNAME}" -m - -# Install image to the encrypted mapped device -if [ "${SOURCE}" = "tftp" ]; then - printf "\nInstalling ${FILENAME} from TFTP\n\n" - FILE=$(basename "$FILENAME") - tftp -g -l - -r "${FILENAME}" "${SERVERIP}" > ${FILE} || { error "tftp failed"; } - FILESIZE=$(stat -c%s "$FILE") - pv -tprebW ${FILE} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null - rm -f ${FILE} - if [ "${?}" != "0" ]; then - error "write ${FILENAME}" - fi -elif [ -b "${SOURCE}" ]; then - printf "\nInstalling ${FILENAME} from local media\n\n" - MOUNTPOINT="/media/$(basename ${SOURCE})" - FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')" - mkdir -p ${MOUNTPOINT} - mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT} - FILESIZE=$(stat -c%s "${MOUNTPOINT}/${FILENAME}") - pv -tprebW ${MOUNTPOINT}/${FILENAME} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null - if [ "${?}" != "0" ]; then - error "write ${FILENAME}" - fi - umount ${SOURCE} -else - error "${SOURCE} is neither a block device nor 'tftp'" -fi - -echo "" -echo "#######################" -echo "# Install completed #" -echo "#######################" -echo ""