author | Andrew Cady <d@jerkface.net> | 2023-06-21 23:40:03 -0400 |
---|---|---|
committer | u <u@billy> | 2023-11-17 08:44:10 -0500 |
commit | 191905e493e680dc8a36bce7d28d7e912d2e98bd (patch) | |
tree | 6ef9c8528268b7861af2c52f6b48f6e9032ecd68 /src/initrd | |
parent | 1b697950d2aca3395ca9d245cafca29af87a6c97 (diff) |
remove gpg
Diffstat (limited to 'src/initrd')
-rw-r--r-- | src/initrd/btrfs-create.sh | 52 | ||||
-rw-r--r-- | src/initrd/common.sh | 5 | ||||
-rwxr-xr-x | src/initrd/grok-block | 66 | ||||
-rwxr-xr-x | src/initrd/menu-select | 10 |
4 files changed, 7 insertions, 126 deletions
diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh index 894d835..5a43977 100644 --- a/src/initrd/btrfs-create.sh +++ b/src/initrd/btrfs-create.sh | |||
@@ -5,21 +5,6 @@ | |||
5 | 5 | ||
6 | losetup() { /sbin/losetup "$@"; } | 6 | losetup() { /sbin/losetup "$@"; } |
7 | 7 | ||
8 | luks_secret() | ||
9 | { | ||
10 | local parms=$-; # this junk keeps set -x from being too annoying | ||
11 | set +x | ||
12 | [ -n "$luks_secret" ] || luks_secret="$(head -c256 /dev/urandom)" | ||
13 | printf %s "$luks_secret" | ||
14 | case $parms in *x*) set -x; set -x ;; esac | ||
15 | } | ||
16 | |||
17 | floor4() | ||
18 | { | ||
19 | # Negatives round up, but aren't used. | ||
20 | echo $(($1 / 4 * 4)) | ||
21 | } | ||
22 | |||
23 | ceil4() | 8 | ceil4() |
24 | { | 9 | { |
25 | local x="$1" | 10 | local x="$1" |
@@ -205,11 +190,8 @@ initialize_root_filesystem() | |||
205 | done | 190 | done |
206 | chroot /root chown -R u:u ${uhome} | 191 | chroot /root chown -R u:u ${uhome} |
207 | 192 | ||
208 | mv /root/root/.gnupg /root/root/.gnupg~ | ||
209 | mv /gpg/gnupghome /root/root/.gnupg || return | ||
210 | |||
211 | copy_execs sbin mdadm dmsetup cryptsetup fsck.hfsplus | 193 | copy_execs sbin mdadm dmsetup cryptsetup fsck.hfsplus |
212 | copy_execs bin btrfs rsync gpg gpg2 gpg-agent | 194 | copy_execs bin btrfs rsync |
213 | 195 | ||
214 | # Copy these over unconditionally, because they ought to remain in sync with | 196 | # Copy these over unconditionally, because they ought to remain in sync with |
215 | # the initrd. | 197 | # the initrd. |
@@ -333,8 +315,7 @@ open_samizdat_blockdev() | |||
333 | 315 | ||
334 | if [ ! -e "$decrypted_keyfile" ] | 316 | if [ ! -e "$decrypted_keyfile" ] |
335 | then | 317 | then |
336 | gpg2 --verify "$keyfile" || return | 318 | echo -n secret > "$decrypted_keyfile" |
337 | gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return | ||
338 | fi | 319 | fi |
339 | 320 | ||
340 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return | 321 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return |
@@ -349,12 +330,9 @@ init_samizdat_blockdev() | |||
349 | 330 | ||
350 | [ ! -b /dev/mapper/"$cryptname" ] || return | 331 | [ ! -b /dev/mapper/"$cryptname" ] || return |
351 | 332 | ||
352 | luks_secret >/dev/null | 333 | echo -n secret | cryptsetup -v luksFormat "$dev" - || return |
353 | luks_secret | gpg2 --default-recipient-self --encrypt --armor | gpg2 --clearsign --output "$keyfile" || return | ||
354 | |||
355 | luks_secret | cryptsetup -v luksFormat "$dev" - || return | ||
356 | cryptsetup luksDump "$dev" >&2 | 334 | cryptsetup luksDump "$dev" >&2 |
357 | luks_secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return | 335 | echo -n secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return |
358 | 336 | ||
359 | [ -b /dev/mapper/"$cryptname" ] || return | 337 | [ -b /dev/mapper/"$cryptname" ] || return |
360 | } | 338 | } |
@@ -415,28 +393,6 @@ get_cdrom_sizelimit() | |||
415 | fi | 393 | fi |
416 | } | 394 | } |
417 | 395 | ||
418 | init_gpg() | ||
419 | { | ||
420 | export GNUPGHOME=/gpg/gnupghome | ||
421 | mkdir -p "$GNUPGHOME" | ||
422 | if [ -e /gnupghome.tar ]; then | ||
423 | tar -C "$GNUPGHOME" -zxf /gnupghome.tar && bootdone samizdat-gpg | ||
424 | return | ||
425 | else | ||
426 | bootwait samizdat-cdrom | ||
427 | (umask 077; rsync --exclude '/luks-key*' --ignore-existing -rpP /cdrom/gnupghome/ "$GNUPGHOME") | ||
428 | bootdone samizdat-gpg | ||
429 | fi | ||
430 | |||
431 | local LOG_DIR=/run/initramfs/samizdat/log | ||
432 | if samizdat-password-agent > "$LOG_DIR"/samizdat-password-agent.log 2>&1; then | ||
433 | true | ||
434 | else | ||
435 | echo 'samizdat-password-agent failed; continuing in hope of hope...' | ||
436 | true # false | ||
437 | fi | ||
438 | } | ||
439 | |||
440 | start_meter() | 396 | start_meter() |
441 | { | 397 | { |
442 | local startmsg="$*" | 398 | local startmsg="$*" |
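Review bot: The new lines 318, 333 and 335 hard-code the literal passphrase `secret`, so the LUKS volume that `init_samizdat_blockdev` formats and `open_samizdat_blockdev` unlocks is protected by a constant that ships in the repository — the removed `luks_secret()` drew 256 bytes from /dev/urandom, and the removed gpg wrapping was the only thing that gave the keyfile any protection at rest. Since menu-select still passes `$keyfile` to `init_samizdat_blockdev` (new line 96) but the new body never touches it, the minimal fix is to write a random key there under `umask 077` and hand it to both `luksFormat` and `luksOpen` via `--key-file`; `open_samizdat_blockdev` (whose body starts above the hunk, so how `$decrypted_keyfile` is derived from `$keyfile` is not visible here) should then read that same file rather than fabricating `secret` at line 318. `echo -n` is also not guaranteed under a POSIX `sh` initrd, whereas `printf %s`, which the removed helper used, is portable. If the constant is a deliberate stopgap for this commit, mark it `# TODO: placeholder key, not for real installs` so it cannot be mistaken for a finished state.
```shell
  [ ! -b /dev/mapper/"$cryptname" ] || return

  # Random key written once to $keyfile (still supplied by menu-select) with
  # owner-only permissions; both luksFormat and luksOpen read it from there.
  (umask 077; head -c256 /dev/urandom > "$keyfile") || return
  cryptsetup -v --key-file "$keyfile" luksFormat "$dev" || return
  cryptsetup luksDump "$dev" >&2
  cryptsetup --key-file "$keyfile" luksOpen "$dev" "$cryptname" || return
  # … unchanged: post-open /dev/mapper check …
```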
diff --git a/src/initrd/common.sh b/src/initrd/common.sh index 8f4e101..d7d7fa0 100644 --- a/src/initrd/common.sh +++ b/src/initrd/common.sh | |||
@@ -148,9 +148,4 @@ my_openvt() | |||
148 | /bin/openvt -c "$@" | 148 | /bin/openvt -c "$@" |
149 | } | 149 | } |
150 | 150 | ||
151 | # This runs before way before NTP and on a LiveCD we have no | ||
152 | # reason to trust the system clock. | ||
153 | gpg2_nobatch() { GPG_TTY=$(tty) command gpg2 --ignore-time-conflict --ignore-valid-from "$@"; } | ||
154 | gpg2() { gpg2_nobatch --batch "$@"; } | ||
155 | |||
156 | xcp() { if [ -f "$1" -a ! -f "$2" ]; then cp "$1" "$2"; fi; } | 151 | xcp() { if [ -f "$1" -a ! -f "$2" ]; then cp "$1" "$2"; fi; } |
diff --git a/src/initrd/grok-block b/src/initrd/grok-block index a7056ad..d194486 100755 --- a/src/initrd/grok-block +++ b/src/initrd/grok-block | |||
@@ -7,15 +7,6 @@ case "$DEVNAME" in /dev/loop*|/dev/ram*|/dev/dm-*|/dev/md*|/dev/fd*) exit ;; esa | |||
7 | 7 | ||
8 | debug_log "grok-block.${DEVNAME##*/}" | 8 | debug_log "grok-block.${DEVNAME##*/}" |
9 | 9 | ||
10 | addmenu_choosekey() | ||
11 | { | ||
12 | dev=$1 | ||
13 | dir=$2 | ||
14 | addmenu "$dev//$dir" \ | ||
15 | "[ Use the GPG key on $dev ]" \ | ||
16 | "menu-select boot-gpg $dev $dir" | ||
17 | } | ||
18 | |||
19 | addmenu_repairhfs() | 10 | addmenu_repairhfs() |
20 | { | 11 | { |
21 | local device="$1" | 12 | local device="$1" |
@@ -87,26 +78,6 @@ retry_mount() | |||
87 | done | 78 | done |
88 | } | 79 | } |
89 | 80 | ||
90 | Gpg2() | ||
91 | { | ||
92 | gpg2 --lock-never --no-permission-warning --no-auto-check-trustdb --no-options "$@" | ||
93 | } | ||
94 | |||
95 | gpg_verify() | ||
96 | { | ||
97 | [ -e "$1" ] || return | ||
98 | bootwait samizdat-gpg | ||
99 | export GNUPGHOME=/gpg/gnupghome | ||
100 | Gpg2 --verify "$1" | ||
101 | } | ||
102 | |||
103 | gpg_can_decrypt() | ||
104 | { | ||
105 | [ -e "$1" ] || return | ||
106 | bootwait samizdat-gpg | ||
107 | Gpg2 --decrypt "$1" | Gpg2 --decrypt "$1" >/dev/null | ||
108 | } | ||
109 | |||
110 | is_lvm() | 81 | is_lvm() |
111 | { | 82 | { |
112 | for n in 0 1 2 3; do | 83 | for n in 0 1 2 3; do |
@@ -229,21 +200,7 @@ grok_block() | |||
229 | # TODO: And what if we create partitions and then reboot the machine mid-install? | 200 | # TODO: And what if we create partitions and then reboot the machine mid-install? |
230 | 201 | ||
231 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-rootfs ]; then | 202 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-rootfs ]; then |
232 | : | 203 | bootdone samizdat-rootfs |
233 | |||
234 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-keys ]; then | ||
235 | mkdir -p /gpg | ||
236 | cp -a "$mountpoint"/gnupghome /gpg/ && bootdone samizdat-gpg && bootdone samizdat-cdrom | ||
237 | |||
238 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-plaintext ]; then | ||
239 | if gpg_verify "$mountpoint"/disk.key && gpg_can_decrypt "$mountpoint"/disk.key; then | ||
240 | umount "$mountpoint" | ||
241 | addmenu_choose_native_root "$(parent_device "$DEVNAME")" | ||
242 | bootdone key-mounted | ||
243 | else | ||
244 | umount "$mountpoint" | ||
245 | fi | ||
246 | |||
247 | elif [ "$DEVNAME" = /dev/nbd1 ]; then | 204 | elif [ "$DEVNAME" = /dev/nbd1 ]; then |
248 | # This is our rootfs, over the network | 205 | # This is our rootfs, over the network |
249 | umount "$mountpoint" | 206 | umount "$mountpoint" |
@@ -307,25 +264,6 @@ eval "$(PATH=$PATH:/lib/udev vol_id "$DEVNAME" | | |||
307 | sed "s/'/'\\\\''/; s/=\(.*\)/='\1'/" | 264 | sed "s/'/'\\\\''/; s/=\(.*\)/='\1'/" |
308 | )" | 265 | )" |
309 | 266 | ||
310 | CDROM_ID_FS_UUID_ENC='73256269-4002-4e42-adbd-0e49ed1c7438' | 267 | grok_block & |
311 | CDROM_ID_FS_LABEL_ENC=$(sed 's/ /\\x20/g' /lib/samizdat/vol_id.txt) | ||
312 | if [ "$ID_FS_UUID_ENC" = "$CDROM_ID_FS_UUID_ENC" -o \ | ||
313 | "$ID_FS_LABEL_ENC" = "$CDROM_ID_FS_LABEL_ENC" ] | ||
314 | then | ||
315 | # Recognize and mount the Samizdat | ||
316 | if ! mountpoint -q /cdrom; then | ||
317 | mkdir -p /cdrom | ||
318 | . mdadm-dup.sh | ||
319 | dup_mount_cdrom "$DEVNAME" /cdrom && bootdone samizdat-cdrom | ||
320 | if [ -e /cdrom/gnupghome ]; then | ||
321 | # TODO: don't use first match | ||
322 | mkdir -p /gpg/gnupghome | ||
323 | cp /cdrom/gnupghome/* /gpg/gnupghome | ||
324 | bootdone samizdat-gpg | ||
325 | fi | ||
326 | fi | ||
327 | else | ||
328 | grok_block & | ||
329 | fi | ||
330 | 268 | ||
331 | # vim:set et sw=2: | 269 | # vim:set et sw=2: |
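Review bot: With the CD-ROM special case removed at new line 267, every device that reaches the end of the script is handed to `grok_block &`, including the boot medium that the old `CDROM_ID_FS_UUID_ENC` / `vol_id.txt` check kept out of it, and nothing in this file signals `bootdone samizdat-cdrom` any more; whether `grok_block` copes with the live medium, and whether any other script still does `bootwait samizdat-cdrom` and would now block forever, is not visible here and worth confirming before merging. The removed `samizdat-plaintext` branch in the third hunk was also the only caller of `addmenu_choose_native_root` in this diff, so unless that menu entry is added elsewhere the `boot-native` action in menu-select becomes unreachable. A one-line comment above line 267, `# No device is special-cased here any more; the live medium is handed to grok_block like any other block device.`, would record the new contract for whoever maintains the udev side.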
diff --git a/src/initrd/menu-select b/src/initrd/menu-select index 1fcade4..9730c09 100755 --- a/src/initrd/menu-select +++ b/src/initrd/menu-select | |||
@@ -5,7 +5,6 @@ | |||
5 | # $0 boot-overwrite [dev name] [loop file] [megabytes] - overwrite with new luks overlay | 5 | # $0 boot-overwrite [dev name] [loop file] [megabytes] - overwrite with new luks overlay |
6 | # $0 boot-luks [dev name] [loop file] - boot existing luks-encrypted overlay | 6 | # $0 boot-luks [dev name] [loop file] - boot existing luks-encrypted overlay |
7 | # $0 boot-destroy-disk [dev-name] - install to a fresh hard disk | 7 | # $0 boot-destroy-disk [dev-name] - install to a fresh hard disk |
8 | # $0 boot-gpg [key id] [gnupg homedir] [???] - boot any device signed with the key | ||
9 | 8 | ||
10 | . btrfs-create.sh | 9 | . btrfs-create.sh |
11 | . common.sh | 10 | . common.sh |
@@ -76,7 +75,6 @@ case "$1" in | |||
76 | # specified in KB here. I did not really believe it. | 75 | # specified in KB here. I did not really believe it. |
77 | modprobe brd rd_nr=1 rd_size=$memtotal_kb | 76 | modprobe brd rd_nr=1 rd_size=$memtotal_kb |
78 | 77 | ||
79 | init_gpg || error | ||
80 | init_samizdat /dev/ram0 '' || { | 78 | init_samizdat /dev/ram0 '' || { |
81 | umount /root/cdrom | 79 | umount /root/cdrom |
82 | umount /root/outerfs | 80 | umount /root/outerfs |
@@ -94,7 +92,6 @@ case "$1" in | |||
94 | mkfs.btrfs -f "$dev"2 || error | 92 | mkfs.btrfs -f "$dev"2 || error |
95 | mkdir /plaintext | 93 | mkdir /plaintext |
96 | mount "$dev"2 /plaintext || error | 94 | mount "$dev"2 /plaintext || error |
97 | init_gpg || error | ||
98 | 95 | ||
99 | init_samizdat_blockdev "$dev"3 /plaintext/disk.key || error | 96 | init_samizdat_blockdev "$dev"3 /plaintext/disk.key || error |
100 | init_samizdat /dev/mapper/samizdatcrypt '' || error | 97 | init_samizdat /dev/mapper/samizdatcrypt '' || error |
@@ -106,10 +103,7 @@ case "$1" in | |||
106 | boot-native) | 103 | boot-native) |
107 | dev="$2" | 104 | dev="$2" |
108 | umount /plaintext || true | 105 | umount /plaintext || true |
109 | mkdir /plaintext | 106 | open_samizdat_blockdev "$dev"3 - || error |
110 | mount "$dev"2 /plaintext || error | ||
111 | init_gpg || error | ||
112 | open_samizdat_blockdev "$dev"3 /plaintext/disk.key || error | ||
113 | open_samizdat || error open_samizdat | 107 | open_samizdat || error open_samizdat |
114 | bootdone root-mounted | 108 | bootdone root-mounted |
115 | ;; | 109 | ;; |
@@ -128,8 +122,6 @@ case "$1" in | |||
128 | rm "$loopfile" "$loopfile"k | 122 | rm "$loopfile" "$loopfile"k |
129 | fi | 123 | fi |
130 | 124 | ||
131 | init_gpg || error | ||
132 | |||
133 | if [ "$1" = 'boot-luks' ]; then | 125 | if [ "$1" = 'boot-luks' ]; then |
134 | open_samizdat_blockdev_from_loop "$loopfile" "$loopfile"k || error | 126 | open_samizdat_blockdev_from_loop "$loopfile" "$loopfile"k || error |
135 | open_samizdat || error open_samizdat | 127 | open_samizdat || error open_samizdat |
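Review bot: At new line 106, `open_samizdat_blockdev "$dev"3 -` passes the literal `-` where line 96 still passes `/plaintext/disk.key` to `init_samizdat_blockdev`, so the two halves of the same install/boot path no longer name the same key location; with the gpg decryption gone, `open_samizdat_blockdev` in btrfs-create.sh only consults `$decrypted_keyfile`, and how that is derived from a `-` argument is not visible in this diff (the enclosing `case "$1" in` also starts above the hunk). Line 105's `umount /plaintext || true` survives after the `mkdir`/`mount "$dev"2` pair it was undoing was removed, so it is now either dead or unmounting something mounted elsewhere. Suggest passing the same path in both places, `open_samizdat_blockdev "$dev"3 /plaintext/disk.key || error`, and either dropping line 105 or restoring the mount that gives that path meaning.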