trustfence-initramfs: remove support for encrypted rootfs installation

The recovery ramdisk already contains functionality for encrypted rootfs
installation. The goal is to centralize all this functionality in the recovery
ramdisk.

https://jira.digi.com/browse/DEL-3829

Signed-off-by: Tatiana Leon <tatiana.leon@digi.com>
Tatiana Leon 2017-03-14 12:23:21 +01:00
parent 42856f87aa
commit d441f8401e
5 changed files with 8 additions and 241 deletions


@ -1,4 +1,4 @@
# Copyright (C) 2016 Digi International. # Copyright (C) 2016, 2017 Digi International Inc.
SUMMARY = "Trustfence initramfs required files" SUMMARY = "Trustfence initramfs required files"
LICENSE = "GPL-2.0" LICENSE = "GPL-2.0"
@ -6,15 +6,12 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425
SRC_URI = " \ SRC_URI = " \
file://trustfence-initramfs-init \ file://trustfence-initramfs-init \
file://trustfence-install.sh \
" "
S = "${WORKDIR}" S = "${WORKDIR}"
do_install() { do_install() {
install -d ${D}${base_sbindir}
install -m 0755 trustfence-initramfs-init ${D}/init install -m 0755 trustfence-initramfs-init ${D}/init
install -m 0755 trustfence-install.sh ${D}${base_sbindir}
} }
# Do not create debug/devel packages # Do not create debug/devel packages
@ -30,7 +27,7 @@ RDEPENDS_${PN} = " \
u-boot-fw-utils \ u-boot-fw-utils \
" "
RDEPENDS_${PN}_append_ccimx6sbc = " \ RDEPENDS_${PN}_append_ccimx6 = " \
cryptsetup \ cryptsetup \
rng-tools \ rng-tools \
" "


@ -3,7 +3,7 @@
# #
# trustfence-initramfs-init # trustfence-initramfs-init
# #
# Copyright (C) 2016 by Digi International Inc. # Copyright (C) 2016, 2017 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -31,7 +31,7 @@ mkdir -p /var/run && rngd
for arg in $(cat /proc/cmdline); do for arg in $(cat /proc/cmdline); do
case "${arg}" in case "${arg}" in
init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};; init=*|rescue=1|root=*) eval ${arg};;
esac esac
done done
@ -47,15 +47,6 @@ if [ -n "${rescue}" ]; then
done done
fi fi
# Run install script if "trustfence_install" kernel parameter exists
if [ -n "${trustfence_install}" ]; then
trustfence-install.sh ${trustfence_install} ${root}
sleep 1
echo ">> Rebooting the system"
sleep 1
sync && reboot -f
fi
# Open LUKS encrypted device # Open LUKS encrypted device
if trustfence-tool ${root} cryptroot; then if trustfence-tool ${root} cryptroot; then
# Reset root variable to the decrypted mapped device # Reset root variable to the decrypted mapped device
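Review bot: The `eval ${arg}` arm kept in the cmdline loop still runs each `init=`, `rescue=1` and `root=` word from /proc/cmdline as shell code, so a value containing shell metacharacters would be executed as root by the initramfs before the LUKS device is opened. Since this line is being edited anyway, plain assignments avoid the eval: `init=*) init="${arg#init=}";;`, `rescue=1) rescue=1;;`, `root=*) root="${arg#root=}";;`. The same arm is kept in the other trustfence-initramfs-init section further down this page. One behaviour difference to check: eval strips any quotes around the value, while parameter expansion keeps them. The `if trustfence-tool ${root} cryptroot; then` block continues past the end of this section, and `${root}` is unquoted there as well.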


@ -1,89 +0,0 @@
#!/bin/sh
#===============================================================================
#
# trustfence-install.sh
#
# Copyright (C) 2016 by Digi International Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published by
# the Free Software Foundation.
#
#
# !Description: Wrapper script for initial deployment of encrypted rootfs
#
# The script gathers the needed information from the 'trustfence_install'
# kernel command line parameter with following syntax:
#
# trustfence_install="source:serverip:filename"
# source -> 'tftp' | <block-device>
# serverip -> <tftp-ip> | '' (serverip or empty if local)
# filename -> <image-filename> (path relative to 'source')
#
# For 'tftp' mode the kernel IP autoconfig may be used to bring the network
# interface up, with 'ip' kernel parameter. Examples:
#
# ip=<static-ip>:::<netmask>::eth0:off
# ip=dhcp
#
# This script is meant for testing purposes. It's NOT a stable API and may
# be subject to change.
#
#===============================================================================
set -o pipefail
TF_INSTALL_INFO="${1}"
TF_ROOTFS_DEV="${2}"
error() {
[ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
exit 1
}
# Parse trustfence_install kernel parameter
IFS=":" read SOURCE SERVERIP FILENAME <<_EOF_
${TF_INSTALL_INFO}
_EOF_
# Validate command line arguments
if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then
error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}"
elif ! [ -b "${TF_ROOTFS_DEV}" ]; then
error "${TF_ROOTFS_DEV} is not a block device"
fi
# Generate random key, initialize the partition and open the virtual mapped device
trustfence-tool --format --newkey "${TF_ROOTFS_DEV}" cryptroot
if [ "${?}" != "0" ]; then
error "trustfence-tool: open mapped device"
fi
# Install image to the encrypted mapped device
if [ "${SOURCE}" = "tftp" ]; then
printf "\nInstalling ${FILENAME} from TFTP\n\n"
tftp -g -l - -r "${FILENAME}" "${SERVERIP}" | pv -tprebW | dd of=/dev/mapper/cryptroot 2>/dev/null
if [ "${?}" != "0" ]; then
error "write ${FILENAME}"
fi
elif [ -b "${SOURCE}" ]; then
printf "\nInstalling ${FILENAME} from local media\n\n"
MOUNTPOINT="/media/$(basename ${SOURCE})"
FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
mkdir -p ${MOUNTPOINT}
mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT}
pv -tprebW ${MOUNTPOINT}/${FILENAME} | dd of=/dev/mapper/cryptroot 2>/dev/null
if [ "${?}" != "0" ]; then
error "write ${FILENAME}"
fi
umount ${SOURCE}
else
error "${SOURCE} is neither a block device nor 'tftp'"
fi
echo ""
echo "#######################"
echo "# Install completed #"
echo "#######################"
echo ""


@ -3,7 +3,7 @@
# #
# trustfence-initramfs-init # trustfence-initramfs-init
# #
# Copyright (C) 2016 by Digi International Inc. # Copyright (C) 2016, 2017 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -28,58 +28,20 @@ sysctl -q -w kernel.printk=4
for arg in $(cat /proc/cmdline); do for arg in $(cat /proc/cmdline); do
case "${arg}" in case "${arg}" in
init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};; init=*|rescue=1|root=*) eval ${arg};;
trustfence_fskey*)
tf_fskey_bool=true;
eval ${arg};;
esac esac
done done
# Translate "PARTUUID=..." to real device # Translate "PARTUUID=..." to real device
root="/dev/$(findfs ${root})" root="/dev/$(findfs ${root})"
rescue_shell () { # Jump to a rescue shell if requested
if [ -n "${rescue}" ]; then
# Expand console and respawn if exited # Expand console and respawn if exited
while true; do while true; do
setsid cttyhack sh -l setsid cttyhack sh -l
sleep 1 sleep 1
done done
}
# Jump to a rescue shell if requested
if [ -n "${rescue}" ]; then
rescue_shell
fi
if [ -n "${tf_fskey_bool}" ]; then
# Program key if trustfence_fskey kernel parameter exists
if [ -n "${trustfence_fskey}" ]; then
# trustfence_fskey not empty - use provided key
printf "\nUsing provided key\n"
trustfence-tool --newkey=${trustfence_fskey}
if [ "${?}" != "0" ]; then
error "trustfence-tool: key generation"
fi
else
# trustfence_fskey empty - use random key
printf "\nGenerating new random key\n"
trustfence-tool --newkey
if [ "${?}" != "0" ]; then
error "trustfence-tool: key generation"
fi
fi
printf "\nFile system encryption key changed.\n"
printf "A system reboot is needed for the kernel to use it.\n"
rescue_shell
fi
# Run install script if "trustfence_install" kernel parameter exists
if [ -n "${trustfence_install}" ]; then
trustfence-install.sh ${trustfence_install}
sleep 1
echo ">> Rebooting the system"
sleep 1
sync && reboot -f
fi fi
# Mount device # Mount device


@ -1,94 +0,0 @@
#!/bin/sh
#===============================================================================
#
# trustfence-install.sh
#
# Copyright (C) 2016 by Digi International Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published by
# the Free Software Foundation.
#
#
# !Description: Wrapper script for initial deployment of encrypted filesystems
#
# The script gathers the needed information from the 'trustfence_install'
# kernel command line parameter with following syntax:
#
# trustfence_install="source:serverip:filename:partname"
# source -> 'tftp' | <block-device>
# serverip -> <tftp-ip> | '' (serverip or empty if local)
# filename -> <image-filename> (path relative to 'source')
# partname -> <partition name> (should match an entry on the
# partition table)
#
# For 'tftp' mode the kernel IP autoconfig may be used to bring the network
# interface up, with 'ip' kernel parameter. Examples:
#
# ip=<static-ip>:::<netmask>::eth0:off
# ip=dhcp
#
# This script is meant for testing purposes. It's NOT a stable API and may
# be subject to change.
#
#===============================================================================
set -o pipefail
TF_INSTALL_INFO="${1}"
error() {
[ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
exit 1
}
# Parse trustfence_install kernel parameter
IFS=":" read SOURCE SERVERIP FILENAME PARTNAME <<_EOF_
${TF_INSTALL_INFO}
_EOF_
# Validate command line arguments
if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || [ -z "${PARTNAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then
error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}"
fi
# Format partition
mtdindex="$(sed -ne "/\"${PARTNAME}\"$/s,^mtd\([0-9]\):.*,\1,g;T;p" /proc/mtd)"
ubidetach -p /dev/mtd${mtdindex} >/dev/null 2>&1
ubiformat -y /dev/mtd${mtdindex}
UBI_DEVICE="$(ubiattach -p /dev/mtd${mtdindex} | sed -ne 's,.*device number \([0-9]\).*,\1,g;T;p')"
ubimkvol /dev/ubi${UBI_DEVICE} -N "${PARTNAME}" -m
# Install image to the encrypted mapped device
if [ "${SOURCE}" = "tftp" ]; then
printf "\nInstalling ${FILENAME} from TFTP\n\n"
FILE=$(basename "$FILENAME")
tftp -g -l - -r "${FILENAME}" "${SERVERIP}" > ${FILE} || { error "tftp failed"; }
FILESIZE=$(stat -c%s "$FILE")
pv -tprebW ${FILE} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null
rm -f ${FILE}
if [ "${?}" != "0" ]; then
error "write ${FILENAME}"
fi
elif [ -b "${SOURCE}" ]; then
printf "\nInstalling ${FILENAME} from local media\n\n"
MOUNTPOINT="/media/$(basename ${SOURCE})"
FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
mkdir -p ${MOUNTPOINT}
mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT}
FILESIZE=$(stat -c%s "${MOUNTPOINT}/${FILENAME}")
pv -tprebW ${MOUNTPOINT}/${FILENAME} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null
if [ "${?}" != "0" ]; then
error "write ${FILENAME}"
fi
umount ${SOURCE}
else
error "${SOURCE} is neither a block device nor 'tftp'"
fi
echo ""
echo "#######################"
echo "# Install completed #"
echo "#######################"
echo ""