add disk encryption

olinux/create_arm_debootstrap.sh

@@ -24,6 +24,7 @@ cat <<EOF
   -c		cross debootstrap
   -p		use aptcacher proxy
   -i		set path for kernel package or install from testing (set '-i testing' to install from debian testing)
+  -e		configure for encrypted partition	(default: false)
 
 EOF
 exit 1
@@ -35,7 +36,7 @@ DEB_HOSTNAME=olinux
 REP=$(dirname $0)
 APT='apt-get install -y --force-yes'
 
-while getopts ":a:b:d:n:t:i:ycp" opt; do
+while getopts ":a:b:d:n:t:i:ycpe" opt; do
   case $opt in
     d)
       DEBIAN_RELEASE=$OPTARG
@@ -64,6 +65,9 @@ while getopts ":a:b:d:n:t:i:ycp" opt; do
     p)
       APTCACHER=yes
       ;;
+    e)
+      ENCRYPT=yes
+      ;;
     \?)
       show_usage
       ;;
@@ -124,6 +128,11 @@ fi
 
 chroot_deb $TARGET_DIR 'apt-get update'
 
+
+if [ -n $ENCRYPT ] ; then
+  PACKAGES=$PACKAGES" dropbear busybox cryptsetup "
+fi
+
 # Add useful packages
 chroot_deb $TARGET_DIR "$APT openssh-server ntp parted locales vim-nox bash-completion rng-tools $PACKAGES"
 echo 'HRNGDEVICE=/dev/urandom' >> $TARGET_DIR/etc/default/rng-tools
@@ -168,7 +177,7 @@ chroot_deb $TARGET_DIR "dpkg-reconfigure -f noninteractive tzdata"
 
 if [ "$DEBIAN_RELEASE" = "jessie" ] ; then
   # Add fstab for root
-  chroot_deb $TARGET_DIR "echo '/dev/mmcblk0 / ext4	defaults	0	1' >> /etc/fstab"
+  chroot_deb $TARGET_DIR "echo '/dev/mmcblk0p1 / ext4	defaults	0	1' >> /etc/fstab"
   # Configure tty
   install -m 755 -o root -g root ${REP}/config/ttyS0.conf $TARGET_DIR/etc/init/ttyS0.conf
   chroot_deb $TARGET_DIR 'cp /lib/systemd/system/serial-getty@.service /etc/systemd/system/getty.target.wants/serial-getty@ttyS0.service'
@@ -213,30 +222,62 @@ if [ $INSTALL_KERNEL ] ; then
     cat <<EOT > ${TARGET_DIR}/etc/apt/preferences.d/kernel-testing
 Package: linux-image*
 Pin: release o=Debian,a=testing
-Pin-Priority: 100
+Pin-Priority: 990
 
 Package: u-boot*
 Pin: release o=Debian,a=testing
-Pin-Priority: 100
+Pin-Priority: 990
 
 Package: flash-kernel*
 Pin: release o=Debian,a=testing
-Pin-Priority: 100
-EOT
+Pin-Priority: 990
 
-    # And other packages from stable
-    cat <<EOT > ${TARGET_DIR}/etc/apt/preferences.d/stable
 Package: *
-Pin: release o=Debian,a=stable
-Pin-Priority: 900
+Pin: release o=Debian,a=testing
+Pin-Priority: 50
 EOT
 
     umount_dir $TARGET_DIR
     chroot_deb $TARGET_DIR 'apt-get update'
+    chroot_deb $TARGET_DIR 'apt-get upgrade -y --force-yes'
     mkdir $TARGET_DIR/etc/flash-kernel
     echo $FLASH_KERNEL > $TARGET_DIR/etc/flash-kernel/machine
-    echo 'LINUX_KERNEL_CMDLINE="console=tty0 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mmcblk0p1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0"' > $TARGET_DIR/etc/default/flash-kernel
-    chroot_deb $TARGET_DIR "$APT linux-image-armmp flash-kernel u-boot-sunxi u-boot-tools"
+    if [ -n $ENCRYPT ] ; then
+      PACKAGES="stunnel dropbear busybox"
+      echo 'LINUX_KERNEL_CMDLINE="console=tty0 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mapper/root cryptopts=target=root,source=/dev/mmcblk0p2,cipher=aes-xts-plain64,size=256,hash=sha1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0"' > $TARGET_DIR/etc/default/flash-kernel
+      echo 'aes' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'aes_x86_64' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'aes_generic' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'dm-crypt' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'dm-mod' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'sha256' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'sha256_generic' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'lrw' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'xts' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'crypto_blkcipher' >> $TARGET_DIR/etc/initramfs-tools/modules
+      echo 'gf128mul' >> $TARGET_DIR/etc/initramfs-tools/modules
+    else
+      echo 'LINUX_KERNEL_CMDLINE="console=tty0 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1280x720p60 root=/dev/mmcblk0p1 rootwait sunxi_ve_mem_reserve=0 sunxi_g2d_mem_reserve=0 sunxi_no_mali_mem_reserve sunxi_fb_mem_reserve=0 panic=10 loglevel=6 consoleblank=0"' > $TARGET_DIR/etc/default/flash-kernel
+    fi
+    chroot_deb $TARGET_DIR "$APT linux-image-armmp flash-kernel u-boot-sunxi u-boot-tools $PACKAGES"
+    if [ -n $ENCRYPT ] ; then
+      echo 'root	/dev/mmcblk0p2	none	luks' >> $TARGET_DIR/etc/crypttab
+      echo '/dev/mapper/root	/	ext4	defaults	0	1' > $TARGET_DIR/etc/fstab
+      echo '/dev/mmcblk0p1	/boot	ext4	defaults	0	2' >> $TARGET_DIR/etc/fstab
+      sed -i -e 's#DEVICE=#DEVICE=eth0#' $TARGET_DIR/etc/initramfs-tools/initramfs.conf
+      cp /olinux/script/initramfs/cryptroot $TARGET_DIR/etc/initramfs-tools/hooks/cryptroot
+#      cp /olinux/script/initramfs/openvpn $TARGET_DIR/etc/initramfs-tools/hooks/openvpn
+      cp /olinux/script/initramfs/httpd $TARGET_DIR/etc/initramfs-tools/hooks/httpd
+      cp /olinux/script/initramfs/httpd_start $TARGET_DIR/etc/initramfs-tools/scripts/local-top/httpd
+      cp /olinux/script/initramfs/httpd_stop $TARGET_DIR/etc/initramfs-tools/scripts/local-bottom/httpd
+      cp /olinux/script/initramfs/stunnel $TARGET_DIR/etc/initramfs-tools/hooks/httpd
+      cp /olinux/script/initramfs/stunnel_start $TARGET_DIR/etc/initramfs-tools/scripts/local-top/httpd
+      cp /olinux/script/initramfs/stunnel_stop $TARGET_DIR/etc/initramfs-tools/scripts/local-bottom/httpd
+      mkdir -p $TARGET_DIR/etc/initramfs-tools/root/www/cgi-bin
+      cp /olinux/script/initramfs/index.html $TARGET_DIR/etc/initramfs-tools/root/www/
+      cp /olinux/script/initramfs/post.sh $TARGET_DIR/etc/initramfs-tools/root/www/cgi-bin/
+      chroot_deb $TARGET_DIR "update-initramfs -u -k all"
+    fi
   else
     cp ${INSTALL_KERNEL}/*.deb $TARGET_DIR/tmp/
     chroot_deb $TARGET_DIR 'dpkg -i /tmp/*.deb'

olinux/create_device.sh

@@ -13,20 +13,22 @@ cat <<EOF
 
   -d		device name (img, /dev/sdc, /dev/mmc)	(mandatory)
   -s		size of img in MB		 	(mandatory only for img device option)
-  -t		image name				(default: /olinux/olinux.img)
-  -b		debootstrap directory			(default: /olinux/debootstrap)
+  -t		final image name			(default: /olinux/olinux.img)
+  -b		debootstrap directory, .img or tarball	(default: /olinux/debootstrap)
   -u		uboot file				(default: /olinux/sunxi/u-boot/u-boot-sunxi-with-spl.bin)
+  -e		encrypt partition			(default: false)
 
 EOF
 exit 1
 }
 
 TARGET=./olinux/olinux.img
-MNT=/mnt
+MNT1=/mnt/dest
+MNT2=/mnt/source
 DEB_DIR=./olinux/debootstrap
 UBOOT_FILE=./olinux/sunxi/u-boot/u-boot-sunxi-with-spl.bin
 
-while getopts ":s:d:t:b:u:" opt; do
+while getopts ":s:d:t:b:u:e" opt; do
   case $opt in
     d)
       DEVICE=$OPTARG
@@ -43,6 +45,9 @@ while getopts ":s:d:t:b:u:" opt; do
     u)
       UBOOT_FILE=$OPTARG
       ;;
+    e)
+      ENCRYPT=yes
+      ;;
     \?)
       show_usage
       ;;
@@ -57,6 +62,9 @@ if [ "$DEVICE" = "img" ] && [ -z $IMGSIZE ] ; then
   show_usage
 fi
 
+mkdir -p $MNT1
+mkdir -p $MNT2
+
 if [ "${DEVICE}" = "img" ] ; then
   echo "- Create image."
   rm -f ${TARGET}
@@ -79,11 +87,18 @@ else
   IMGSIZE="100%"
 fi
 
-# create one partition starting at 2048 which is default
-echo "- Partitioning"
-parted --script $DEVICE mklabel msdos
-parted --script $DEVICE mkpart primary ext4 2048s ${IMGSIZE}
-parted --script $DEVICE align-check optimal 1
+if [ -z $ENCRYPT ] ; then
+  # create one partition starting at 2048 which is default
+  echo "- Partitioning"
+  parted --script $DEVICE mklabel msdos
+  parted --script $DEVICE mkpart primary ext4 2048s ${IMGSIZE}
+  parted --script $DEVICE align-check optimal 1
+else
+  parted --script $DEVICE mklabel msdos
+  parted --script $DEVICE mkpart primary ext4 2048s 512MB
+  parted --script $DEVICE mkpart primary ext4 512MB ${IMGSIZE}
+  parted --script $DEVICE align-check optimal 1
+fi
 
 if [ "${TYPE}" = "loop" ] ; then
   DEVICEP1=${DEVICE}p1
@@ -98,16 +113,38 @@ mkfs.ext4 $DEVICEP1 >/dev/null 2>&1
 # tune filesystem
 tune2fs -o journal_data_writeback $DEVICEP1 >/dev/null 2>&1
 
-echo "- Mount filesystem"
-# mount image to already prepared mount point
-mount -t ext4 $DEVICEP1 $MNT
+if [ -z $ENCRYPT ] ; then
+  echo "- Mount filesystem"
+  # mount image to already prepared mount point
+  mount -t ext4 $DEVICEP1 $MNT1
+else
+  DEVICEP2=${DEVICE}2
+  cryptsetup -y -v luksFormat $DEVICEP2
+  cryptsetup luksOpen $DEVICEP2 olinux
+  mkfs.ext4 /dev/mapper/olinux >/dev/null 2>&1
+  echo "- Mount filesystem"
+  # mount image to already prepared mount point
+  mount -t ext4 /dev/mapper/olinux $MNT1
+  mkdir	$MNT1/boot
+  mount -t ext4 $DEVICEP1 $MNT1/boot
+fi  
 
 echo "- Copy bootstrap files"
 if [ -d ${DEB_DIR} ] ; then
-  cp -ar ${DEB_DIR}/* $MNT/
-else
+  # Assume that directly the debootstrap directory
+  cp -ar ${DEB_DIR}/* $MNT1/
+elif [ `file ${DEB_DIR} | grep 'DOS/MBR'` ] ; then
+  # Assume that is a .img file
+  # find first avaliable free device
+  DEVICE1=$(losetup -f)
+
+  # mount image as block device
+  losetup -o 1048576 $DEVICE ${DEB_DIR}
+  mount ${DEVICE1} $MNT2/
+  cp -ar $MNT2/* $MNT1/
+else 
   # Assume that is a tarball file
-  tar --same-owner --preserve-permissions -xvf ${DEB_DIR} -C $MNT/ .
+  tar --same-owner --preserve-permissions -xvf ${DEB_DIR} -C $MNT1/ .
 fi
 sync
 
@@ -115,13 +152,22 @@ echo "- Write sunxi-with-spl"
 dd if=${UBOOT_FILE} of=${DEVICE} bs=1024 seek=8 >/dev/null 2>&1
 sync
 
-echo "- Sfill"
-sfill -z -l -l -f $MNT
-
 echo "- Umount"
 if [ "${TYPE}" = "loop" ] ; then
-  umount $MNT
+  echo "- Sfill"
+  sfill -z -l -l -f $MNT1
+  umount $MNT1
   losetup -d $DEVICE
 else
-  umount $MNT
+  if [ -n $ENCRYPT ] ; then
+    umount $MNT1/boot
+    umount $MNT1
+    cryptsetup luksClose olinux 
+  else
+    umount $MNT1
+  fi
+  if [ `file ${DEB_DIR} | grep 'DOS/MBR'` ] ; then
+    umount $MNT2
+    losetup -d $DEVICE1
+  fi	  
 fi

olinux/script/firstrun

@@ -34,27 +34,22 @@ case "$1" in
     echo ""
     rm -f /etc/ssh/ssh_host*
     dpkg-reconfigure openssh-server 
-    echo ""
-    echo "############################"
-    echo "# Expanding root partition #"
-    echo "############################"
-    echo ""
-    (echo d; echo n; echo p; echo 1; echo ; echo; echo w) | fdisk /dev/mmcblk0
-    /sbin/insserv secondrun 
-    echo ""
-    echo "##################"
-    echo "# Running depmod #"
-    echo "##################"
-    echo ""
-    /sbin/depmod -a
-    echo ""
-    echo "##################"
-    echo "#     Reboot     #"
-    echo "##################"
-    echo ""
+    # do not resize if root is crypted 
     /sbin/insserv -r firstrun
-    /sbin/insserv secondrun
-    /sbin/reboot
+    if [ ! -e /etc/crypttab ]; then
+      echo ""
+      echo "############################"
+      echo "# Expanding root partition #"
+      echo "############################"
+      (echo d; echo n; echo p; echo 1; echo ; echo; echo w) | fdisk /dev/mmcblk0
+      /sbin/insserv secondrun
+      echo ""
+      echo "##################"
+      echo "#     Reboot     #"
+      echo "##################"
+      echo ""
+      /sbin/reboot
+    fi
     ;;
   *)
     echo "Usage: $N {start}" >&2

olinux/script/initramfs/cryptroot

@@ -0,0 +1,82 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+add_crypto_modules() {
+	local mod file altmod found genericfound
+	mod="$1"
+	found=""
+	genericfound=""
+
+	if [ -z "$mod" ]; then
+		return 1
+	fi
+
+	# We have several potential sources of modules (in order of preference):
+	#
+	#   a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
+	#   b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
+	#   c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
+	#
+	# and (currently ignored):
+	#
+	#   d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
+
+	for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko" 2>/dev/null); do
+		altmod="${file##*/}"
+		altmod="${altmod%.ko}"
+		manual_add_modules "$altmod"
+		found="yes"
+	done
+
+	for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko" 2>/dev/null); do
+		altmod="${file##*/}"
+		altmod="${altmod%.ko}"
+		manual_add_modules "$altmod"
+		found="yes"
+		genericfound="yes"
+	done
+
+	if [ -z "$genericfound" ]; then
+		for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko" 2>/dev/null); do
+			altmod="${file##*/}"
+			altmod="${altmod%.ko}"
+			manual_add_modules "$altmod"
+			found="yes"
+		done
+	fi
+
+	if [ -z "$found" ]; then
+		return 1
+	fi
+
+	return 0
+}
+
+for mod in aes cbc chainiv cryptomgr krng sha256 xts; do
+	add_crypto_modules $mod
+done
+
+for mod in dm_mod dm_crypt; do
+	manual_add_modules $mod
+done
+
+copy_exec /sbin/cryptsetup
+copy_exec /sbin/dmsetup
+copy_exec /lib/cryptsetup/askpass
+copy_exec /bin/sed
+exit 0

olinux/script/initramfs/httpd

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+cp -r /etc/initramfs-tools/root/www "${DESTDIR}/root/"
+
+exit 0

olinux/script/initramfs/httpd_start

@@ -0,0 +1,17 @@
+#/bin/sh
+
+prereqs() {
+	echo "$PREREQ"
+}
+
+case "$1" in
+	prereqs)
+		prereqs
+		exit 0
+	;;
+esac
+
+ip l set lo up
+/sbin/httpd -p 127.0.0.1:80 -vv -h /root/www
+
+exit 0

olinux/script/initramfs/httpd_stop

@@ -0,0 +1,16 @@
+#/bin/sh
+
+prereqs() {
+	echo "$PREREQ"
+}
+
+case "$1" in
+	prereqs)
+		prereqs
+		exit 0
+	;;
+esac
+
+killall httpd
+
+exit 0

olinux/script/initramfs/index.html

@@ -0,0 +1,19 @@
+<html>
+  <head>
+    <title>Unlock root partition</title>
+  </head>
+  
+  <body>
+    <div style="text-align: center;"><IMG SRC="./unicorn.gif" ALT="image">
+    <form name="form1" method="post" action="/cgi-bin/post.sh">
+      <p><!-- <TPL:MESSAGE> -->Enter luks passphrase to unlock the main partition
+        <input name="Text_Field" type="password" id="Text_Field">
+      </p>
+      <p>
+      <input type="submit" name="Submit" value="Unlock">
+      </p>
+    </form>
+    </div>
+  </body>
+</html>
+

olinux/script/initramfs/openvpn

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+copy_exec /usr/sbin/openvpn
+
+exit 0

olinux/script/initramfs/post.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+read QUERY_STRING
+eval $(echo "$QUERY_STRING"|awk -F'&' '{for(i=1;i<=NF;i++){print $i}}')
+tmp=`httpd -d $Text_Field`
+echo -ne $tmp >/lib/cryptsetup/passfifo
+i=0
+while true; do
+  sleep 1
+  i=$(($i + 1))
+  echo $i
+  if [ -f /dev/mapper/root ] ; then
+    echo "<html>"
+    echo "  <head>"
+    echo "    <title>Unlock root partition</title>"
+    echo "  </head>"
+    echo ""
+    echo "  <body>"
+    echo "    <div style='text-align: center;'><IMG SRC='../unicorn.gif' ALT='image'>"
+    echo "      Disk unlock !!"
+    echo "    </div>"
+    echo "  </body>"
+    echo "</html>"
+    exit 0
+  elif [ ${i} -gt 10 ] ; then
+    cat ../index.html
+    exit 0
+  fi
+done
+
+exit 0

olinux/script/initramfs/stunnel

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+openssl genrsa -out /etc/initramfs-tools/stunnel.key 1024
+openssl req -new -key /etc/initramfs-tools/stunnel.key -out /etc/initramfs-tools/stunnel.csr -subj /countryName=FR/stateOrProvinceName=France/localityName=Nancy/organizationName="Brique !!!"/commonName=""/
+openssl x509 -req -days 366 -in /etc/initramfs-tools/stunnel.csr -signkey /etc/initramfs-tools/stunnel.key -out /etc/initramfs-tools/stunnel.pem
+copy_exec /usr/bin/stunnel 
+mkdir -p "${DESTDIR}/etc/stunnel/"
+cp /etc/initramfs-tools/stunnel.conf "${DESTDIR}/etc/stunnel/"
+cp /etc/initramfs-tools/stunnel.pem "${DESTDIR}/etc/stunnel/"
+cp /etc/initramfs-tools/stunnel.key "${DESTDIR}/etc/stunnel/"
+
+exit 0

olinux/script/initramfs/stunnel.conf

@@ -0,0 +1,38 @@
+; ==== stunnel configuration for https to http forwarding ====
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/stunnel.pem
+
+; since private key and certificate are in one file, we don't need
+; to specify the key file. Since we do not use authentication with
+; client certs, we don't need the CA certificate for verification.
+key = /etc/stunnel/stunnel.key
+;CAfile = /home/stunnel/etc/stunnel/cacert.pem
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+;chroot = /home/stunnel/var/lib/stunnel/
+;setuid = nobody
+;setgid = nogroup
+; PID is created inside chroot jail
+pid = /var/run/stunnel.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = rle
+
+; Some debugging stuff useful for troubleshooting
+;debug = 7
+;output = stunnel.log
+
+; Use it for client mode
+;client = yes
+
+; Service-level configuration
+
+[https]
+accept  = 443
+connect = 80
+TIMEOUTclose = 0
+
+; ==== end of stunnel.conf ====

olinux/script/initramfs/stunnel_start

@@ -0,0 +1,18 @@
+#/bin/sh
+
+PREREQ="httpd"
+
+prereqs() {
+	echo "$PREREQ"
+}
+
+case "$1" in
+	prereqs)
+		prereqs
+		exit 0
+	;;
+esac
+
+/usr/bin/stunnel /etc/stunnel/stunnel.conf
+
+exit 0

olinux/script/initramfs/stunnel_stop

@@ -0,0 +1,16 @@
+#/bin/sh
+
+prereqs() {
+	echo "$PREREQ"
+}
+
+case "$1" in
+	prereqs)
+		prereqs
+		exit 0
+	;;
+esac
+
+killall stunnel
+
+exit 0