From 191905e493e680dc8a36bce7d28d7e912d2e98bd Mon Sep 17 00:00:00 2001 From: Andrew Cady Date: Wed, 21 Jun 2023 23:40:03 -0400 Subject: remove gpg --- src/initrd/btrfs-create.sh | 52 +++--------------------------------- src/initrd/common.sh | 5 ---- src/initrd/grok-block | 66 ++-------------------------------------------- src/initrd/menu-select | 10 +------ 4 files changed, 7 insertions(+), 126 deletions(-) (limited to 'src/initrd') diff --git a/src/initrd/btrfs-create.sh b/src/initrd/btrfs-create.sh index 894d835..5a43977 100644 --- a/src/initrd/btrfs-create.sh +++ b/src/initrd/btrfs-create.sh @@ -5,21 +5,6 @@ losetup() { /sbin/losetup "$@"; } -luks_secret() -{ - local parms=$-; # this junk keeps set -x from being too annoying - set +x - [ -n "$luks_secret" ] || luks_secret="$(head -c256 /dev/urandom)" - printf %s "$luks_secret" - case $parms in *x*) set -x; set -x ;; esac -} - -floor4() -{ - # Negatives round up, but aren't used. - echo $(($1 / 4 * 4)) -} - ceil4() { local x="$1" @@ -205,11 +190,8 @@ initialize_root_filesystem() done chroot /root chown -R u:u ${uhome} - mv /root/root/.gnupg /root/root/.gnupg~ - mv /gpg/gnupghome /root/root/.gnupg || return - copy_execs sbin mdadm dmsetup cryptsetup fsck.hfsplus - copy_execs bin btrfs rsync gpg gpg2 gpg-agent + copy_execs bin btrfs rsync # Copy these over unconditionally, because they ought to remain in sync with # the initrd. @@ -333,8 +315,7 @@ open_samizdat_blockdev() if [ ! -e "$decrypted_keyfile" ] then - gpg2 --verify "$keyfile" || return - gpg2 --output=- --verify "$keyfile" | gpg2 --decrypt > "$decrypted_keyfile" || return + echo -n secret > "$decrypted_keyfile" fi cryptsetup --key-file "$decrypted_keyfile" luksOpen "$dev" "$cryptname" || return @@ -349,12 +330,9 @@ init_samizdat_blockdev() [ ! -b /dev/mapper/"$cryptname" ] || return - luks_secret >/dev/null - luks_secret | gpg2 --default-recipient-self --encrypt --armor | gpg2 --clearsign --output "$keyfile" || return - - luks_secret | cryptsetup -v luksFormat "$dev" - || return + echo -n secret | cryptsetup -v luksFormat "$dev" - || return cryptsetup luksDump "$dev" >&2 - luks_secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return + echo -n secret | cryptsetup --key-file - luksOpen "$dev" "$cryptname" || return [ -b /dev/mapper/"$cryptname" ] || return } @@ -415,28 +393,6 @@ get_cdrom_sizelimit() fi } -init_gpg() -{ - export GNUPGHOME=/gpg/gnupghome - mkdir -p "$GNUPGHOME" - if [ -e /gnupghome.tar ]; then - tar -C "$GNUPGHOME" -zxf /gnupghome.tar && bootdone samizdat-gpg - return - else - bootwait samizdat-cdrom - (umask 077; rsync --exclude '/luks-key*' --ignore-existing -rpP /cdrom/gnupghome/ "$GNUPGHOME") - bootdone samizdat-gpg - fi - - local LOG_DIR=/run/initramfs/samizdat/log - if samizdat-password-agent > "$LOG_DIR"/samizdat-password-agent.log 2>&1; then - true - else - echo 'samizdat-password-agent failed; continuing in hope of hope...' - true # false - fi -} - start_meter() { local startmsg="$*" diff --git a/src/initrd/common.sh b/src/initrd/common.sh index 8f4e101..d7d7fa0 100644 --- a/src/initrd/common.sh +++ b/src/initrd/common.sh @@ -148,9 +148,4 @@ my_openvt() /bin/openvt -c "$@" } -# This runs before way before NTP and on a LiveCD we have no -# reason to trust the system clock. -gpg2_nobatch() { GPG_TTY=$(tty) command gpg2 --ignore-time-conflict --ignore-valid-from "$@"; } -gpg2() { gpg2_nobatch --batch "$@"; } - xcp() { if [ -f "$1" -a ! -f "$2" ]; then cp "$1" "$2"; fi; } diff --git a/src/initrd/grok-block b/src/initrd/grok-block index a7056ad..d194486 100755 --- a/src/initrd/grok-block +++ b/src/initrd/grok-block @@ -7,15 +7,6 @@ case "$DEVNAME" in /dev/loop*|/dev/ram*|/dev/dm-*|/dev/md*|/dev/fd*) exit ;; esa debug_log "grok-block.${DEVNAME##*/}" -addmenu_choosekey() -{ - dev=$1 - dir=$2 - addmenu "$dev//$dir" \ - "[ Use the GPG key on $dev ]" \ - "menu-select boot-gpg $dev $dir" -} - addmenu_repairhfs() { local device="$1" @@ -87,26 +78,6 @@ retry_mount() done } -Gpg2() -{ - gpg2 --lock-never --no-permission-warning --no-auto-check-trustdb --no-options "$@" -} - -gpg_verify() -{ - [ -e "$1" ] || return - bootwait samizdat-gpg - export GNUPGHOME=/gpg/gnupghome - Gpg2 --verify "$1" -} - -gpg_can_decrypt() -{ - [ -e "$1" ] || return - bootwait samizdat-gpg - Gpg2 --decrypt "$1" | Gpg2 --decrypt "$1" >/dev/null -} - is_lvm() { for n in 0 1 2 3; do @@ -229,21 +200,7 @@ grok_block() # TODO: And what if we create partitions and then reboot the machine mid-install? elif [ "$ID_PART_ENTRY_NAME" = samizdat-rootfs ]; then - : - - elif [ "$ID_PART_ENTRY_NAME" = samizdat-keys ]; then - mkdir -p /gpg - cp -a "$mountpoint"/gnupghome /gpg/ && bootdone samizdat-gpg && bootdone samizdat-cdrom - - elif [ "$ID_PART_ENTRY_NAME" = samizdat-plaintext ]; then - if gpg_verify "$mountpoint"/disk.key && gpg_can_decrypt "$mountpoint"/disk.key; then - umount "$mountpoint" - addmenu_choose_native_root "$(parent_device "$DEVNAME")" - bootdone key-mounted - else - umount "$mountpoint" - fi - + bootdone samizdat-rootfs elif [ "$DEVNAME" = /dev/nbd1 ]; then # This is our rootfs, over the network umount "$mountpoint" @@ -307,25 +264,6 @@ eval "$(PATH=$PATH:/lib/udev vol_id "$DEVNAME" | sed "s/'/'\\\\''/; s/=\(.*\)/='\1'/" )" -CDROM_ID_FS_UUID_ENC='73256269-4002-4e42-adbd-0e49ed1c7438' -CDROM_ID_FS_LABEL_ENC=$(sed 's/ /\\x20/g' /lib/samizdat/vol_id.txt) -if [ "$ID_FS_UUID_ENC" = "$CDROM_ID_FS_UUID_ENC" -o \ - "$ID_FS_LABEL_ENC" = "$CDROM_ID_FS_LABEL_ENC" ] -then - # Recognize and mount the Samizdat - if ! mountpoint -q /cdrom; then - mkdir -p /cdrom - . mdadm-dup.sh - dup_mount_cdrom "$DEVNAME" /cdrom && bootdone samizdat-cdrom - if [ -e /cdrom/gnupghome ]; then - # TODO: don't use first match - mkdir -p /gpg/gnupghome - cp /cdrom/gnupghome/* /gpg/gnupghome - bootdone samizdat-gpg - fi - fi -else - grok_block & -fi +grok_block & # vim:set et sw=2: diff --git a/src/initrd/menu-select b/src/initrd/menu-select index 1fcade4..9730c09 100755 --- a/src/initrd/menu-select +++ b/src/initrd/menu-select @@ -5,7 +5,6 @@ # $0 boot-overwrite [dev name] [loop file] [megabytes] - overwrite with new luks overlay # $0 boot-luks [dev name] [loop file] - boot existing luks-encrypted overlay # $0 boot-destroy-disk [dev-name] - install to a fresh hard disk -# $0 boot-gpg [key id] [gnupg homedir] [???] - boot any device signed with the key . btrfs-create.sh . common.sh @@ -76,7 +75,6 @@ case "$1" in # specified in KB here. I did not really believe it. modprobe brd rd_nr=1 rd_size=$memtotal_kb - init_gpg || error init_samizdat /dev/ram0 '' || { umount /root/cdrom umount /root/outerfs @@ -94,7 +92,6 @@ case "$1" in mkfs.btrfs -f "$dev"2 || error mkdir /plaintext mount "$dev"2 /plaintext || error - init_gpg || error init_samizdat_blockdev "$dev"3 /plaintext/disk.key || error init_samizdat /dev/mapper/samizdatcrypt '' || error @@ -106,10 +103,7 @@ case "$1" in boot-native) dev="$2" umount /plaintext || true - mkdir /plaintext - mount "$dev"2 /plaintext || error - init_gpg || error - open_samizdat_blockdev "$dev"3 /plaintext/disk.key || error + open_samizdat_blockdev "$dev"3 - || error open_samizdat || error open_samizdat bootdone root-mounted ;; @@ -128,8 +122,6 @@ case "$1" in rm "$loopfile" "$loopfile"k fi - init_gpg || error - if [ "$1" = 'boot-luks' ]; then open_samizdat_blockdev_from_loop "$loopfile" "$loopfile"k || error open_samizdat || error open_samizdat -- cgit v1.2.3