-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | Makefile | 30 | ||||
-rw-r--r-- | initramfs-tools/scripts/samizdat | 19 | ||||
-rw-r--r-- | src/initrd/btrfs-create.sh | 52 | ||||
-rw-r--r-- | src/initrd/common.sh | 5 | ||||
-rwxr-xr-x | src/initrd/grok-block | 66 | ||||
-rwxr-xr-x | src/initrd/menu-select | 10 | ||||
-rwxr-xr-x | src/partvi | 13 |
8 files changed, 12 insertions, 186 deletions
diff --git a/.gitmodules b/.gitmodules index 8dd443e..43d1ad1 100644 --- a/.gitmodules +++ b/.gitmodules | |||
@@ -1,9 +1,6 @@ | |||
1 | [submodule "fsmgr"] | 1 | [submodule "fsmgr"] |
2 | path = fsmgr | 2 | path = fsmgr |
3 | url = d@cryptonomic.net:public_git/fsmgr.git | 3 | url = d@cryptonomic.net:public_git/fsmgr.git |
4 | [submodule "kiki"] | ||
5 | path = kiki | ||
6 | url = d@cryptonomic.net:public_git/kiki.git | ||
7 | [submodule "cryptonomic-dyndns-server"] | 4 | [submodule "cryptonomic-dyndns-server"] |
8 | path = cryptonomic-dyndns-server | 5 | path = cryptonomic-dyndns-server |
9 | url = d@cryptonomic.net:public_git/cryptonomic-dyndns-server.git | 6 | url = d@cryptonomic.net:public_git/cryptonomic-dyndns-server.git |
@@ -8,7 +8,7 @@ compiled_programs=${cc_files} ${cpp_files} | |||
8 | CC=gcc -std=gnu99 | 8 | CC=gcc -std=gnu99 |
9 | CFLAGS=-Os | 9 | CFLAGS=-Os |
10 | 10 | ||
11 | INSTALL_SUBMODULES = fsmgr kiki | 11 | INSTALL_SUBMODULES = fsmgr |
12 | NO_INSTALL_SUBMODULES = cryptonomic-dyndns-server | 12 | NO_INSTALL_SUBMODULES = cryptonomic-dyndns-server |
13 | SUBMODULES = $(INSTALL_SUBMODULES) $(NO_INSTALL_SUBMODULES) | 13 | SUBMODULES = $(INSTALL_SUBMODULES) $(NO_INSTALL_SUBMODULES) |
14 | 14 | ||
@@ -47,9 +47,8 @@ $(addprefix src/, $(dyndns_links)): | |||
47 | 47 | ||
48 | src_bin_programs = xorriso-usb.sh btrfs-functions.sh btrfs-receive-root.sh \ | 48 | src_bin_programs = xorriso-usb.sh btrfs-functions.sh btrfs-receive-root.sh \ |
49 | btrfs-send-root.sh var.sh grub-efi.sh keygen.sh initrd.sh qemu.sh \ | 49 | btrfs-send-root.sh var.sh grub-efi.sh keygen.sh initrd.sh qemu.sh \ |
50 | dnsmasq-dhcp-script.sh samizdat-password-agent samizdat-gpg-agent publish-ip.sh \ | 50 | dnsmasq-dhcp-script.sh publish-ip.sh \ |
51 | samizdat-daily-snapshot-root samizdat-diff-root kiki-export-stdout \ | 51 | git-ll-remote usb \ |
52 | kiki-import-stdin store-child-permanently git-ll-remote usb \ | ||
53 | hostname.cryptonomic.net partvi ficlonerange.py ${dyndns_progs} | 52 | hostname.cryptonomic.net partvi ficlonerange.py ${dyndns_progs} |
54 | 53 | ||
55 | bin_programs=$(addprefix src/, $(src_bin_programs)) samizdat-paths.sh ${cc_files} ${btrfs_utils} | 54 | bin_programs=$(addprefix src/, $(src_bin_programs)) samizdat-paths.sh ${cc_files} ${btrfs_utils} |
@@ -118,8 +117,6 @@ ifndef instdir | |||
118 | else | 117 | else |
119 | install -p -m0644 -DT conf/postfix_main.cf ${instdir}/etc/postfix/main.cf | 118 | install -p -m0644 -DT conf/postfix_main.cf ${instdir}/etc/postfix/main.cf |
120 | install -p -m0644 -DT conf/torrc ${instdir}/etc/tor/torrc | 119 | install -p -m0644 -DT conf/torrc ${instdir}/etc/tor/torrc |
121 | ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/mailname | ||
122 | ln -sf /var/cache/kiki/config/tor/hostname ${instdir}/etc/hostname | ||
123 | endif | 120 | endif |
124 | 121 | ||
125 | include user.mk | 122 | include user.mk |
@@ -178,23 +175,10 @@ boot: rootfs | |||
178 | fastboot: rootfs | 175 | fastboot: rootfs |
179 | sudo qemu.sh | 176 | sudo qemu.sh |
180 | 177 | ||
181 | reuse_child := $(shell 2>/dev/null read child < reused-child && echo --reuse-child=$$child; true) | ||
182 | |||
183 | samizdat.netinst.iso: | rootfs/samizdat.btrfs | 178 | samizdat.netinst.iso: | rootfs/samizdat.btrfs |
184 | exit 1; sudo initrd.sh | 179 | exit 1; sudo initrd.sh |
185 | sudo xorriso-usb.sh $(reuse_child) --bootloader --out $@ | 180 | sudo xorriso-usb.sh $(reuse_child) --bootloader --out $@ |
186 | 181 | ||
187 | reused-child: | ||
188 | sudo keygen.sh ${samizdat_child_dir}/child.$$$$ && \ | ||
189 | sudo store-child-permanently $$$$ && \ | ||
190 | echo $$$$ > $@ | ||
191 | |||
192 | testclean: | ||
193 | make -C kiki install | ||
194 | sudo mv /root/.gnupg /root/.gnupg.$$(date -Im) || true | ||
195 | sudo killall gpg-agent || true | ||
196 | rm -f reused-child | ||
197 | |||
198 | cleantest: | 182 | cleantest: |
199 | make testclean | 183 | make testclean |
200 | make isotest | 184 | make isotest |
@@ -205,9 +189,6 @@ isotest: samizdat.iso | |||
205 | isotest-netinst: samizdat.netinst.iso | 189 | isotest-netinst: samizdat.netinst.iso |
206 | USE_ISO=y SLOW_BOOT=y qemu.sh $^ | 190 | USE_ISO=y SLOW_BOOT=y qemu.sh $^ |
207 | 191 | ||
208 | gpg_iso_path=gnupghome | ||
209 | GPG_INPUT_DIR=${samizdat_child_dir}/child.$(shell cat reused-child)/root/.gnupg | ||
210 | |||
211 | samizdat_btrfs_patch_size=256M | 192 | samizdat_btrfs_patch_size=256M |
212 | 193 | ||
213 | get_loop_dev="$$(sudo losetup -n -O name -j $@~tmp)" | 194 | get_loop_dev="$$(sudo losetup -n -O name -j $@~tmp)" |
@@ -233,9 +214,6 @@ veritymount: rootfs/samizdat.seed.btrfs.verity.log | |||
233 | $(verity_root_hash) | 214 | $(verity_root_hash) |
234 | sudo veritysetup remove samizverity | 215 | sudo veritysetup remove samizverity |
235 | 216 | ||
236 | %.verity.log.asc: %.verity.log | ||
237 | sudo gpg --armor --detach-sign $^ | ||
238 | |||
239 | rootfs/%.btrfs: | 217 | rootfs/%.btrfs: |
240 | $(SUDO_MAKE) -C rootfs $(notdir $@) | 218 | $(SUDO_MAKE) -C rootfs $(notdir $@) |
241 | 219 | ||
@@ -298,7 +276,7 @@ gold.iso: rootfs/seed.iso reused-child | |||
298 | mv $@~tmp $@ | 276 | mv $@~tmp $@ |
299 | 277 | ||
300 | rootfs/seed.iso: $(addprefix rootfs/samizdat.seed.btrf, s \ | 278 | rootfs/seed.iso: $(addprefix rootfs/samizdat.seed.btrf, s \ |
301 | $(if $(VERITY), s.verity s.verity.log $(if $(VERITY_SIGN), s.verity.log.asc))) | 279 | $(if $(VERITY), s.verity s.verity.log)) |
302 | rm -f $@~tmp | 280 | rm -f $@~tmp |
303 | touch $@~tmp | 281 | touch $@~tmp |
304 | fallocate -n -l 10G $@~tmp | 282 | fallocate -n -l 10G $@~tmp |
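Review bot: `cleantest` still runs `make testclean` (kept on the new side as line 183) but the `testclean` rule is deleted in the same `@@ -178,23 +175,10 @@` hunk, so `make cleantest` now fails with no rule to make target `testclean`. That hunk also removes the `reuse_child :=` definition while `samizdat.netinst.iso` still expands `$(reuse_child)` on new line 180, and the `@@ -298,7 +276,7 @@` hunk header shows `gold.iso` still listing the deleted `reused-child` target as a prerequisite, which breaks `make gold.iso` unless a stale file by that name happens to exist. Either drop the stale references together with the rules or keep minimal `testclean:` and `reused-child:` rules; while touching `cleantest`, the recursive calls should be `$(MAKE) testclean` and `$(MAKE) isotest` rather than literal `make` so `-j` and `-n` propagate. The Makefile's file header is not shown on this page, so the section boundary is inferred from the diffstat.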
diff --git a/initramfs-tools/scripts/samizdat b/initramfs-tools/scripts/samizdat index 8e9d4fa..9d8b846 100644 --- a/initramfs-tools/scripts/samizdat +++ b/initramfs-tools/scripts/samizdat | |||
@@ -62,15 +62,11 @@ mountroot() | |||
62 | if [ "$nbdroot" ]; then | 62 | if [ "$nbdroot" ]; then |
63 | my_configure_networking | 63 | my_configure_networking |
64 | run_nbd_client | 64 | run_nbd_client |
65 | 65 | (. common.sh && . btrfs-create.sh) | |
66 | wait_for_gnupghome_tar | ||
67 | (sleep 5; echo ) & | ||
68 | (. common.sh && . btrfs-create.sh && init_gpg) | ||
69 | fi | 66 | fi |
70 | 67 | ||
71 | bootmenu | 68 | bootmenu |
72 | samizdat_install_udev_rules | 69 | samizdat_install_udev_rules |
73 | bootwait samizdat-gpg | ||
74 | bootwait root-mounted | 70 | bootwait root-mounted |
75 | osname=$(get_os_name) | 71 | osname=$(get_os_name) |
76 | write_resolv_dot_conf | 72 | write_resolv_dot_conf |
@@ -87,19 +83,6 @@ Press alt-f9 for rescue terminal. | |||
87 | EOF | 83 | EOF |
88 | } | 84 | } |
89 | 85 | ||
90 | wait_for_gnupghome_tar() | ||
91 | { | ||
92 | [ -e /gnupghome.tar ] && return | ||
93 | echo -n Waiting to receive GPG keys through the network... > /dev/tty1 | ||
94 | (while ! tftp -g -r gnupghome.tar -l /gnupghome.tar.$$ "$ROOTSERVER" 2>/run/initramfs/samizdat/log/tftp.$$.log; do | ||
95 | sleep 1; | ||
96 | echo -n . > /dev/tty1 | ||
97 | done | ||
98 | mv /gnupghome.tar.$$ /gnupghome.tar) | ||
99 | echo ' done.' > /dev/tty1 | ||
100 | bootdone gnupg-tar | ||
101 | } | ||
102 | |||
103 | samizdat_restart_udev() | 86 | samizdat_restart_udev() |
104 | { | 87 | { |
105 | local LOG_DIR=/run/initramfs/samizdat/log | 88 | local LOG_DIR=/run/initramfs/samizdat/log |
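Review bot: The added line `(. common.sh && . btrfs-create.sh)` (new line 65) sources both scripts inside a subshell and then leaves it without calling anything, so every function they define is discarded immediately; unless those files have top-level side effects not visible here, the line is a no-op left over from the removed `init_gpg` call and should either be deleted or replaced by the function it was meant to run. The enclosing `mountroot()` starts before the hunk and continues past it. With `bootwait samizdat-gpg` gone from old line 73, any `bootdone samizdat-gpg` that survives outside this commit is now unpaired and worth a grep.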
diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh index 894d835..5a43977 100644 --- a/src/initrd/btrfs-create.sh +++ b/src/initrd/btrfs-create.sh | |||
@@ -5,21 +5,6 @@ | |||
5 | 5 | ||
6 | losetup() { /sbin/losetup "$@"; } | 6 | losetup() { /sbin/losetup "$@"; } |
7 | 7 | ||
8 | luks_secret() | ||
9 | { | ||
10 | local parms=$-; # this junk keeps set -x from being too annoying | ||
11 | set +x | ||
12 | [ -n "$luks_secret" ] || luks_secret="$(head -c256 /dev/urandom)" | ||
13 | printf %s "$luks_secret" | ||
14 | case $parms in *x*) set -x; set -x ;; esac | ||
15 | } | ||
16 | |||
17 | floor4() | ||
18 | { | ||
19 | # Negatives round up, but aren't used. | ||
20 | echo $(($1 / 4 * 4)) | ||
21 | } | ||
22 | |||
23 | ceil4() | 8 | ceil4() |
24 | { | 9 | { |
25 | local x="$1" | 10 | local x="$1" |
@@ -205,11 +190,8 @@ initialize_root_filesystem() | |||
205 | done | 190 | done |
206 | chroot /root chown -R u:u ${uhome} | 191 | chroot /root chown -R u:u ${uhome} |
207 | 192 | ||
208 | mv /root/root/.gnupg /root/root/.gnupg~ | ||
209 | mv /gpg/gnupghome /root/root/.gnupg || return | ||
210 | |||
211 | copy_execs sbin mdadm dmsetup cryptsetup fsck.hfsplus | 193 | copy_execs sbin mdadm dmsetup cryptsetup fsck.hfsplus |
212 | copy_execs bin btrfs rsync gpg gpg2 gpg-agent | 194 | copy_execs bin btrfs rsync |
213 | 195 | ||
214 | # Copy these over unconditionally, because they ought to remain in sync with | 196 | # Copy these over unconditionally, because they ought to remain in sync with |
215 | # the initrd. | 197 | # the initrd. |
@@ -333,8 +315,7 @@ open_samizdat_blockdev() | |||
333 | 315 | ||
334 | if [ ! -e "$decrypted_keyfile" ] | 316 | if [ ! -e "$decrypted_keyfile" ] |
335 | then | 317 | then |
336 | gpg2 --verify "$keyfile" || return | 318 | echo -n secret > "$decrypted_keyfile" |
337 | gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return | ||
338 | fi | 319 | fi |
339 | 320 | ||
340 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return | 321 | cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return |
@@ -349,12 +330,9 @@ init_samizdat_blockdev() | |||
349 | 330 | ||
350 | [ ! -b /dev/mapper/"$cryptname" ] || return | 331 | [ ! -b /dev/mapper/"$cryptname" ] || return |
351 | 332 | ||
352 | luks_secret >/dev/null | 333 | echo -n secret | cryptsetup -v luksFormat "$dev" - || return |
353 | luks_secret | gpg2 --default-recipient-self --encrypt --armor | gpg2 --clearsign --output "$keyfile" || return | ||
354 | |||
355 | luks_secret | cryptsetup -v luksFormat "$dev" - || return | ||
356 | cryptsetup luksDump "$dev" >&2 | 334 | cryptsetup luksDump "$dev" >&2 |
357 | luks_secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return | 335 | echo -n secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return |
358 | 336 | ||
359 | [ -b /dev/mapper/"$cryptname" ] || return | 337 | [ -b /dev/mapper/"$cryptname" ] || return |
360 | } | 338 | } |
@@ -415,28 +393,6 @@ get_cdrom_sizelimit() | |||
415 | fi | 393 | fi |
416 | } | 394 | } |
417 | 395 | ||
418 | init_gpg() | ||
419 | { | ||
420 | export GNUPGHOME=/gpg/gnupghome | ||
421 | mkdir -p "$GNUPGHOME" | ||
422 | if [ -e /gnupghome.tar ]; then | ||
423 | tar -C "$GNUPGHOME" -zxf /gnupghome.tar && bootdone samizdat-gpg | ||
424 | return | ||
425 | else | ||
426 | bootwait samizdat-cdrom | ||
427 | (umask 077; rsync --exclude '/luks-key*' --ignore-existing -rpP /cdrom/gnupghome/ "$GNUPGHOME") | ||
428 | bootdone samizdat-gpg | ||
429 | fi | ||
430 | |||
431 | local LOG_DIR=/run/initramfs/samizdat/log | ||
432 | if samizdat-password-agent > "$LOG_DIR"/samizdat-password-agent.log 2>&1; then | ||
433 | true | ||
434 | else | ||
435 | echo 'samizdat-password-agent failed; continuing in hope of hope...' | ||
436 | true # false | ||
437 | fi | ||
438 | } | ||
439 | |||
440 | start_meter() | 396 | start_meter() |
441 | { | 397 | { |
442 | local startmsg="$*" | 398 | local startmsg="$*" |
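Review bot: `init_samizdat_blockdev` now formats the LUKS volume with the literal passphrase `secret` (new line 333) and `open_samizdat_blockdev` writes that same constant into `$decrypted_keyfile` (new line 318), so the container can be unlocked by anyone who reads this script and the on-disk encryption no longer protects anything. If the GPG wrapping is being dropped deliberately, at least keep the random key material the deleted `luks_secret` produced from `/dev/urandom`, pipe it to `luksFormat` and `luksOpen` as before, and persist it to `$keyfile` under `umask 077` instead of hard-coding a value; if this is a temporary stub, mark it, e.g. `# FIXME: placeholder passphrase, no confidentiality until real key handling returns`. The file created by `echo -n secret > "$decrypted_keyfile"` also inherits the caller's umask, and the `$keyfile` parameter of `init_samizdat_blockdev` is now unused even though `menu-select` still passes `/plaintext/disk.key` for it. Both functions begin outside their hunks.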
diff --git a/src/initrd/common.sh b/src/initrd/common.sh index 8f4e101..d7d7fa0 100644 --- a/src/initrd/common.sh +++ b/src/initrd/common.sh | |||
@@ -148,9 +148,4 @@ my_openvt() | |||
148 | /bin/openvt -c "$@" | 148 | /bin/openvt -c "$@" |
149 | } | 149 | } |
150 | 150 | ||
151 | # This runs before way before NTP and on a LiveCD we have no | ||
152 | # reason to trust the system clock. | ||
153 | gpg2_nobatch() { GPG_TTY=$(tty) command gpg2 --ignore-time-conflict --ignore-valid-from "$@"; } | ||
154 | gpg2() { gpg2_nobatch --batch "$@"; } | ||
155 | |||
156 | xcp() { if [ -f "$1" -a ! -f "$2" ]; then cp "$1" "$2"; fi; } | 151 | xcp() { if [ -f "$1" -a ! -f "$2" ]; then cp "$1" "$2"; fi; } |
diff --git a/src/initrd/grok-block b/src/initrd/grok-block index a7056ad..d194486 100755 --- a/src/initrd/grok-block +++ b/src/initrd/grok-block | |||
@@ -7,15 +7,6 @@ case "$DEVNAME" in /dev/loop*|/dev/ram*|/dev/dm-*|/dev/md*|/dev/fd*) exit ;; esa | |||
7 | 7 | ||
8 | debug_log "grok-block.${DEVNAME##*/}" | 8 | debug_log "grok-block.${DEVNAME##*/}" |
9 | 9 | ||
10 | addmenu_choosekey() | ||
11 | { | ||
12 | dev=$1 | ||
13 | dir=$2 | ||
14 | addmenu "$dev//$dir" \ | ||
15 | "[ Use the GPG key on $dev ]" \ | ||
16 | "menu-select boot-gpg $dev $dir" | ||
17 | } | ||
18 | |||
19 | addmenu_repairhfs() | 10 | addmenu_repairhfs() |
20 | { | 11 | { |
21 | local device="$1" | 12 | local device="$1" |
@@ -87,26 +78,6 @@ retry_mount() | |||
87 | done | 78 | done |
88 | } | 79 | } |
89 | 80 | ||
90 | Gpg2() | ||
91 | { | ||
92 | gpg2 --lock-never --no-permission-warning --no-auto-check-trustdb --no-options "$@" | ||
93 | } | ||
94 | |||
95 | gpg_verify() | ||
96 | { | ||
97 | [ -e "$1" ] || return | ||
98 | bootwait samizdat-gpg | ||
99 | export GNUPGHOME=/gpg/gnupghome | ||
100 | Gpg2 --verify "$1" | ||
101 | } | ||
102 | |||
103 | gpg_can_decrypt() | ||
104 | { | ||
105 | [ -e "$1" ] || return | ||
106 | bootwait samizdat-gpg | ||
107 | Gpg2 --decrypt "$1" | Gpg2 --decrypt "$1" >/dev/null | ||
108 | } | ||
109 | |||
110 | is_lvm() | 81 | is_lvm() |
111 | { | 82 | { |
112 | for n in 0 1 2 3; do | 83 | for n in 0 1 2 3; do |
@@ -229,21 +200,7 @@ grok_block() | |||
229 | # TODO: And what if we create partitions and then reboot the machine mid-install? | 200 | # TODO: And what if we create partitions and then reboot the machine mid-install? |
230 | 201 | ||
231 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-rootfs ]; then | 202 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-rootfs ]; then |
232 | : | 203 | bootdone samizdat-rootfs |
233 | |||
234 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-keys ]; then | ||
235 | mkdir -p /gpg | ||
236 | cp -a "$mountpoint"/gnupghome /gpg/ && bootdone samizdat-gpg && bootdone samizdat-cdrom | ||
237 | |||
238 | elif [ "$ID_PART_ENTRY_NAME" = samizdat-plaintext ]; then | ||
239 | if gpg_verify "$mountpoint"/disk.key && gpg_can_decrypt "$mountpoint"/disk.key; then | ||
240 | umount "$mountpoint" | ||
241 | addmenu_choose_native_root "$(parent_device "$DEVNAME")" | ||
242 | bootdone key-mounted | ||
243 | else | ||
244 | umount "$mountpoint" | ||
245 | fi | ||
246 | |||
247 | elif [ "$DEVNAME" = /dev/nbd1 ]; then | 204 | elif [ "$DEVNAME" = /dev/nbd1 ]; then |
248 | # This is our rootfs, over the network | 205 | # This is our rootfs, over the network |
249 | umount "$mountpoint" | 206 | umount "$mountpoint" |
@@ -307,25 +264,6 @@ eval "$(PATH=$PATH:/lib/udev vol_id "$DEVNAME" | | |||
307 | sed "s/'/'\\\\''/; s/=\(.*\)/='\1'/" | 264 | sed "s/'/'\\\\''/; s/=\(.*\)/='\1'/" |
308 | )" | 265 | )" |
309 | 266 | ||
310 | CDROM_ID_FS_UUID_ENC='73256269-4002-4e42-adbd-0e49ed1c7438' | 267 | grok_block & |
311 | CDROM_ID_FS_LABEL_ENC=$(sed 's/ /\\x20/g' /lib/samizdat/vol_id.txt) | ||
312 | if [ "$ID_FS_UUID_ENC" = "$CDROM_ID_FS_UUID_ENC" -o \ | ||
313 | "$ID_FS_LABEL_ENC" = "$CDROM_ID_FS_LABEL_ENC" ] | ||
314 | then | ||
315 | # Recognize and mount the Samizdat | ||
316 | if ! mountpoint -q /cdrom; then | ||
317 | mkdir -p /cdrom | ||
318 | . mdadm-dup.sh | ||
319 | dup_mount_cdrom "$DEVNAME" /cdrom && bootdone samizdat-cdrom | ||
320 | if [ -e /cdrom/gnupghome ]; then | ||
321 | # TODO: don't use first match | ||
322 | mkdir -p /gpg/gnupghome | ||
323 | cp /cdrom/gnupghome/* /gpg/gnupghome | ||
324 | bootdone samizdat-gpg | ||
325 | fi | ||
326 | fi | ||
327 | else | ||
328 | grok_block & | ||
329 | fi | ||
330 | 268 | ||
331 | # vim:set et sw=2: | 269 | # vim:set et sw=2: |
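Review bot: `grok_block &` is now started unconditionally (new line 267), and the removed branch was the only place in this file that mounted `/cdrom` and signalled `bootdone samizdat-cdrom`; `menu-select` still unmounts `/root/cdrom` in an error path, so anything that still expects the install medium at `/cdrom` or waits on `samizdat-cdrom` will now block or fail, and it is worth confirming no `bootwait samizdat-cdrom` survives beyond the `init_gpg` deleted in this commit. The new `bootdone samizdat-rootfs` (new line 203) likewise introduces an event with no visible consumer; a one-line comment naming it, e.g. `# signals <consumer> that the native root partition was found`, would document the contract. The install medium is presumably now handed to `grok_block` like any other device, so it should be checked that `grok_block` has a branch for it rather than treating it as a candidate disk.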
diff --git a/src/initrd/menu-select b/src/initrd/menu-select index 1fcade4..9730c09 100755 --- a/src/initrd/menu-select +++ b/src/initrd/menu-select | |||
@@ -5,7 +5,6 @@ | |||
5 | # $0 boot-overwrite [dev name] [loop file] [megabytes] - overwrite with new luks overlay | 5 | # $0 boot-overwrite [dev name] [loop file] [megabytes] - overwrite with new luks overlay |
6 | # $0 boot-luks [dev name] [loop file] - boot existing luks-encrypted overlay | 6 | # $0 boot-luks [dev name] [loop file] - boot existing luks-encrypted overlay |
7 | # $0 boot-destroy-disk [dev-name] - install to a fresh hard disk | 7 | # $0 boot-destroy-disk [dev-name] - install to a fresh hard disk |
8 | # $0 boot-gpg [key id] [gnupg homedir] [???] - boot any device signed with the key | ||
9 | 8 | ||
10 | . btrfs-create.sh | 9 | . btrfs-create.sh |
11 | . common.sh | 10 | . common.sh |
@@ -76,7 +75,6 @@ case "$1" in | |||
76 | # specified in KB here. I did not really believe it. | 75 | # specified in KB here. I did not really believe it. |
77 | modprobe brd rd_nr=1 rd_size=$memtotal_kb | 76 | modprobe brd rd_nr=1 rd_size=$memtotal_kb |
78 | 77 | ||
79 | init_gpg || error | ||
80 | init_samizdat /dev/ram0 '' || { | 78 | init_samizdat /dev/ram0 '' || { |
81 | umount /root/cdrom | 79 | umount /root/cdrom |
82 | umount /root/outerfs | 80 | umount /root/outerfs |
@@ -94,7 +92,6 @@ case "$1" in | |||
94 | mkfs.btrfs -f "$dev"2 || error | 92 | mkfs.btrfs -f "$dev"2 || error |
95 | mkdir /plaintext | 93 | mkdir /plaintext |
96 | mount "$dev"2 /plaintext || error | 94 | mount "$dev"2 /plaintext || error |
97 | init_gpg || error | ||
98 | 95 | ||
99 | init_samizdat_blockdev "$dev"3 /plaintext/disk.key || error | 96 | init_samizdat_blockdev "$dev"3 /plaintext/disk.key || error |
100 | init_samizdat /dev/mapper/samizdatcrypt '' || error | 97 | init_samizdat /dev/mapper/samizdatcrypt '' || error |
@@ -106,10 +103,7 @@ case "$1" in | |||
106 | boot-native) | 103 | boot-native) |
107 | dev="$2" | 104 | dev="$2" |
108 | umount /plaintext || true | 105 | umount /plaintext || true |
109 | mkdir /plaintext | 106 | open_samizdat_blockdev "$dev"3 - || error |
110 | mount "$dev"2 /plaintext || error | ||
111 | init_gpg || error | ||
112 | open_samizdat_blockdev "$dev"3 /plaintext/disk.key || error | ||
113 | open_samizdat || error open_samizdat | 107 | open_samizdat || error open_samizdat |
114 | bootdone root-mounted | 108 | bootdone root-mounted |
115 | ;; | 109 | ;; |
@@ -128,8 +122,6 @@ case "$1" in | |||
128 | rm "$loopfile" "$loopfile"k | 122 | rm "$loopfile" "$loopfile"k |
129 | fi | 123 | fi |
130 | 124 | ||
131 | init_gpg || error | ||
132 | |||
133 | if [ "$1" = 'boot-luks' ]; then | 125 | if [ "$1" = 'boot-luks' ]; then |
134 | open_samizdat_blockdev_from_loop "$loopfile" "$loopfile"k || error | 126 | open_samizdat_blockdev_from_loop "$loopfile" "$loopfile"k || error |
135 | open_samizdat || error open_samizdat | 127 | open_samizdat || error open_samizdat |
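Review bot: `boot-native` now calls `open_samizdat_blockdev "$dev"3 -` (new line 106) while `boot-destroy-disk` still passes `/plaintext/disk.key` to `init_samizdat_blockdev` (new line 96), which in this commit no longer writes a key file, so the two paths disagree about where the key lives, and the `-` flows into whatever `$decrypted_keyfile` is derived from inside `open_samizdat_blockdev` — that derivation is outside the hunk, so confirm it does not become a relative path such as `-` or a file in the current directory that `echo -n secret >` then creates. The `umount /plaintext || true` kept on new line 105 no longer has a matching `mount` in this branch and reads as leftover. Either pass the same `/plaintext/disk.key` from both branches or remove the now-dead keyfile argument from both functions in one change. The `case "$1"` block these hunks belong to starts before the first hunk and ends after the last.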
@@ -298,7 +298,6 @@ copy_data_to_mounted_target_filesystems() | |||
298 | $sudo systemd-run -p BindPaths="$(realpath -e "$mnt"):/boot" --wait update-grub | 298 | $sudo systemd-run -p BindPaths="$(realpath -e "$mnt"):/boot" --wait update-grub |
299 | ;; | 299 | ;; |
300 | samizdat-keys) | 300 | samizdat-keys) |
301 | $sudo rsync -a --info=STATS "$GPG_INPUT_DIR"/ "$mnt"/gnupghome/ | ||
302 | ;; | 301 | ;; |
303 | efi-system-partition) | 302 | efi-system-partition) |
304 | EFI_DIR=$mnt | 303 | EFI_DIR=$mnt |
@@ -319,18 +318,6 @@ then sudo= | |||
319 | else sudo=sudo | 318 | else sudo=sudo |
320 | fi | 319 | fi |
321 | 320 | ||
322 | if [ "$GPG_INPUT_DIR" ] | ||
323 | then | ||
324 | $sudo [ -d "$GPG_INPUT_DIR" ] | ||
325 | else | ||
326 | for d in /root/.gnupg /cdrom/gnupghome | ||
327 | do | ||
328 | $sudo [ -d "$d" ] || continue | ||
329 | GPG_INPUT_DIR=$d | ||
330 | break | ||
331 | done | ||
332 | fi | ||
333 | |||
334 | SKIP_ROOTFS_COPY= | 321 | SKIP_ROOTFS_COPY= |
335 | if [ "$1" = 'key' ] | 322 | if [ "$1" = 'key' ] |
336 | then | 323 | then |