From 6607728e245bf2a62670d00fb1e3ea24fcf2421a Mon Sep 17 00:00:00 2001
From: "M.Schmidt"
Date: Thu, 5 Dec 2024 20:01:07 +0100
Subject: [PATCH] improve(lvm,cryptroot): export private key with a structurally equal naming scheme; cleanup
---
extensions/fs-cryptroot-support.sh | 31 +++++++++++++++-----------
extensions/lvm.sh | 30 ++++++++++---------------
lib/functions/image/partitioning.sh | 17 +++++++-------
lib/functions/image/rootfs-to-image.sh | 2 +-
lib/functions/rootfs/trap-rootfs.sh | 5 -----
5 files changed, 39 insertions(+), 46 deletions(-)
diff --git a/extensions/fs-cryptroot-support.sh b/extensions/fs-cryptroot-support.sh
index 05949d831718..f0d8c5cfcbb1 100644
--- a/extensions/fs-cryptroot-support.sh
+++ b/extensions/fs-cryptroot-support.sh
@@ -45,39 +45,44 @@ function pre_install_kernel_debs__adjust_dropbear_configuration() { dropbear_config="dropbear.conf" fi + # make it publicly available to export the private.key with proper naming + declare -g DROPBEAR_DIR=$dropbear_dir + # Set the port of the dropbear ssh daemon in the initramfs to a different one if configured # this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` - [[ -f "${dropbear_dir}/${dropbear_config}" ]] && + [[ -f "${DROPBEAR_DIR}/${dropbear_config}" ]] && sed -i "s/^#DROPBEAR_OPTIONS=.*/DROPBEAR_OPTIONS=\"-I 100 -j -k -p "${CRYPTROOT_SSH_UNLOCK_PORT}" -s -c cryptroot-unlock\"/" \ - "${dropbear_dir}/${dropbear_config}" + "${DROPBEAR_DIR}/${dropbear_config}" # setup dropbear authorized_keys, either provided by userpatches or generated if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then - cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${dropbear_dir}"/authorized_keys + cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${DROPBEAR_DIR}"/authorized_keys else # generate a default ssh key for login on dropbear in initramfs # this key should be changed by the user on first login display_alert "Extension: ${EXTENSION}: Generating a new SSH key pair for dropbear (initramfs)" "" "" # Generate the SSH keys - ssh-keygen -t ecdsa -f "${dropbear_dir}"/id_ecdsa \ + ssh-keygen -t ecdsa -f "${DROPBEAR_DIR}"/id_ecdsa \ -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1 # /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file # during mkinitramfs of update-initramfs - #cat "${dropbear_dir}"/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys - - - # copy it a) later via hook to make use of a proper naming / structural equal -> "${DESTIMG}/${version}.img" - CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key - # copy dropbear ssh key to image 
output dir for convenience - cp "${dropbear_dir}"/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}" - display_alert "Extension: ${EXTENSION}: SSH private key for dropbear (initramfs) has been copied to:" \ - "$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info" + # cat "${DROPBEAR_DIR}"/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys fi fi } +function post_umount_final_image__export_private_key(){ + if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then + CRYPTROOT_SSH_UNLOCK_KEY_PATH="${DESTIMG}/${version}.key" + # copy dropbear ssh key to image output dir for convenience + cp "${DROPBEAR_DIR}"/id_ecdsa "${CRYPTROOT_SSH_UNLOCK_KEY_PATH}" + display_alert "Extension: ${EXTENSION}: SSH private key for dropbear (initramfs) has been copied to:" \ + "$CRYPTROOT_SSH_UNLOCK_KEY_PATH" "info" + fi +} + function post_umount_final_image__750_cryptroot_cleanup(){ execute_and_remove_cleanup_handler cleanup_cryptroot } diff --git a/extensions/lvm.sh b/extensions/lvm.sh index 1d9ac4d1dc06..9e1b1774e6ce 100644 --- a/extensions/lvm.sh +++ b/extensions/lvm.sh @@ -41,10 +41,9 @@ function post_create_partitions__setup_lvm() { function prepare_root_device__create_volume_group() { # the partition to setup LVM on is defined as rootpart - local lvmdev=$rootdevice - display_alert "LVM will be on Partition ${rootpart}, thats ${lvmdev}" "${EXTENSION}" "info" + display_alert "LVM will be on ${rootdevice}" "${EXTENSION}" "info" - # Caculate the required volume size + # Calculate the required volume size declare -g -i rootfs_size rootfs_size=$(du --apparent-size -sm "${SDCARD}"/ | cut -f1) # MiB display_alert "Current rootfs size" "$rootfs_size MiB" "info" 
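Review bot: The new `post_umount_final_image__export_private_key` hook copies `id_ecdsa` whenever `CRYPTROOT_SSH_UNLOCK == yes`, but that key is only generated in the `else` branch above, so when `$USERPATCHES_PATH/dropbear_authorized_keys` is supplied there is presumably no file to copy and the `cp` fails. The removed copy lived inside that `else` branch, so this is a behaviour change; a guard such as `[[ -f "${DROPBEAR_DIR}/id_ecdsa" ]] || return 0` at the top of the hook would restore it. The exported file is a passphrase-less private key (`-N ''`) placed next to the image, and `install -m 0600 "${DROPBEAR_DIR}/id_ecdsa" "${CRYPTROOT_SSH_UNLOCK_KEY_PATH}"` would pin its mode instead of relying on what `cp` inherits. `pre_install_kernel_debs__adjust_dropbear_configuration` starts outside the hunk, so where `dropbear_dir` points, and whether it is still reachable after the final umount, cannot be confirmed from here.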
@@ -52,25 +51,20 @@ function prepare_root_device__create_volume_group() { display_alert "Root volume size" "$volsize MiB" "info" # Create the PV VG and VOL - display_alert "LVM Creating VG" "${lvmdev}" "info" - check_loop_device ${lvmdev} - pvcreate ${lvmdev} - vgcreate ${LVM_VG_NAME} ${lvmdev} - wait_for_disk_sync "wait for VG to sync" + display_alert "LVM Creating VG" "${rootdevice}" "info" + check_loop_device ${rootdevice} + pvcreate ${rootdevice} + wait_for_disk_sync "wait for pvcreate to sync" + vgcreate ${LVM_VG_NAME} ${rootdevice} + add_cleanup_handler cleanup_lvm + wait_for_disk_sync "wait for vgcreate to sync" # Note that devices wont come up automatically inside docker lvcreate -Zn --name root --size ${volsize}M ${LVM_VG_NAME} vgmknodes lvs >> "${DEST}"/${LOG_SUBPATH}/lvm.log 2>&1 - # TODO [ms] check if disable-scan-enable is necessary - vgchange -a n ${LVM_VG_NAME} - display_alert "LVM created volume group" "${EXTENSION}" "info" - - display_alert "Using LVM root" "${EXTENSION}" "info" - vgscan - vgchange -a y ${LVM_VG_NAME} - + rootdevice=/dev/mapper/${LVM_VG_NAME}-root - display_alert "Root device is ${rootdevice}" "${EXTENSION}" "info" + display_alert "LVM created volume group - root device ${rootdevice}" "${EXTENSION}" "info" } function format_partitions__format_lvm() { @@ -80,7 +74,7 @@ function format_partitions__format_lvm() { display_alert "LVM labeled partitions" "${EXTENSION}" "info" } -function post_umount_final_image__lvm_cleanup(){ +function post_umount_final_image__cleanup_lvm(){ execute_and_remove_cleanup_handler cleanup_lvm } diff --git a/lib/functions/image/partitioning.sh b/lib/functions/image/partitioning.sh index 66cc5fbb08ef..7fe82c5ca695 100644 --- a/lib/functions/image/partitioning.sh +++ b/lib/functions/image/partitioning.sh 
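Review bot: The rewritten `pvcreate` and `vgcreate` calls in `prepare_root_device__create_volume_group` pass `${rootdevice}` and `${LVM_VG_NAME}` unquoted and do not check their exit status, so unless the build runs with errexit a failed `pvcreate` falls through to `vgcreate` and `lvcreate`. I would quote the expansions, e.g. `pvcreate "${rootdevice}"` and `vgcreate "${LVM_VG_NAME}" "${rootdevice}"`, and consider routing them through `run_host_command_logged` as `partitioning.sh` does for `partprobe`. Registering `cleanup_lvm` only after `vgcreate` looks deliberate; a comment such as `# register cleanup only once the VG exists` would record why it sits there. The function starts outside this hunk.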
@@ -252,21 +252,19 @@ function prepare_partitions() { # stage: mount image # lock access to loop devices - exec {FD}> /var/lock/armbian-debootstrap-losetup - flock -x $FD - - #--partscan is using to force the kernel for scanning partition table in preventing of partprobe errors if [[ -z $LOOP ]]; then + exec {FD}> /var/lock/armbian-debootstrap-losetup + flock -x $FD + LOOP=$(losetup -f) - # LOOP=$(losetup --show --partscan --find "${SDCARD}".raw) || exit_with_error "Unable to find free loop device" [[ -z $LOOP ]] && exit_with_error "Unable to find free loop device" display_alert "Allocated loop device" "LOOP=${LOOP}" - check_loop_device "$LOOP" + check_loop_device "${LOOP}" losetup $LOOP ${SDCARD}.raw - fi - # loop device was grabbed here, unlock - flock -u $FD + # loop device was grabbed here, unlock + flock -u $FD + fi display_alert "Running partprobe" "${LOOP}" "debug" run_host_command_logged partprobe "${LOOP}" @@ -320,6 +318,7 @@ function prepare_partitions() { echo "$CRYPTROOT_MAPPER UUID=${physical_root_part_uuid} none luks" >> $SDCARD/etc/crypttab run_host_command_logged cat $SDCARD/etc/crypttab fi + rootfs="UUID=$(blkid -s UUID -o value $rootdevice)" echo "$rootfs / ${mkfs[$ROOTFS_TYPE]} defaults,noatime${mountopts[$ROOTFS_TYPE]} 0 1" >> $SDCARD/etc/fstab run_host_command_logged cat $SDCARD/etc/fstab diff --git a/lib/functions/image/rootfs-to-image.sh b/lib/functions/image/rootfs-to-image.sh index ab460e9a9547..3bc9c7c08bb2 100644 --- a/lib/functions/image/rootfs-to-image.sh +++ b/lib/functions/image/rootfs-to-image.sh @@ -117,7 +117,7 @@ function create_image_from_sdcard_rootfs() { fi wait_for_disk_sync "before umount MOUNT" - + umount_chroot_recursive "${MOUNT}" "MOUNT" call_extension_method "post_umount_final_image" "config_post_umount_final_image" <<- 'POST_UMOUNT_FINAL_IMAGE' diff --git a/lib/functions/rootfs/trap-rootfs.sh b/lib/functions/rootfs/trap-rootfs.sh index abc9e684d53c..1d66b8662463 100644 --- a/lib/functions/rootfs/trap-rootfs.sh 
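Review bot: In the relocated lock section of `prepare_partitions`, `flock -x $FD` and `losetup $LOOP ${SDCARD}.raw` are unquoted and unchecked, so unless the build runs with errexit a failed lock or attach is only noticed later at `partprobe`. I would write `flock -x "${FD}" || exit_with_error "Unable to lock loop device allocation"` and `losetup "${LOOP}" "${SDCARD}.raw" || exit_with_error "Unable to attach ${SDCARD}.raw to ${LOOP}"`. The descriptor opened by `exec {FD}>` is unlocked but never closed in the visible lines, so child processes inherit it; `exec {FD}>&-` after `flock -u` would release it. `prepare_partitions` begins and ends outside this hunk, so a later use of `FD` cannot be ruled out from here.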
+++ b/lib/functions/rootfs/trap-rootfs.sh @@ -54,17 +54,12 @@ function trap_handler_cleanup_rootfs_and_image() { display_alert "Cleanup for rootfs and image" "trap_handler_cleanup_rootfs_and_image" "cleanup" debug_tmpfs_show_usage "before cleanup of rootfs" - cd "${SRC}" || echo "Failed to cwd to ${SRC}" # Move pwd away, so unmounts work # those will loop until they're unmounted. - display_alert "Cleanup sdcard begin" "trap_handler_cleanup_rootfs_and_image" "cleanup" umount_chroot_recursive "${SDCARD}" "SDCARD" || true - - display_alert "Cleanup mount begin" "trap_handler_cleanup_rootfs_and_image" "cleanup" umount_chroot_recursive "${MOUNT}" "MOUNT" || true - display_alert "Cleanup umount sdcard begin" "trap_handler_cleanup_rootfs_and_image" "cleanup" # unmount tmpfs mounted on SDCARD if it exists. #@TODO: move to new tmpfs-utils scheme mountpoint -q "${SDCARD}" && umount "${SDCARD}"