| View previous topic :: View next topic |
| Author |
Message |
kris0
n00b
Joined: 10 Oct 2021
Posts: 16
|
 Posted: Sun Oct 10, 2021 8:44 pm Post subject: Decrypt your root with a yubikey (systemd initramfs script) |
 |
|
I wanted to decrypt my root drive with my yubikey but dracut didn't support it at the time so I wrote this script to compile my kernel and create a initramfs that would. Decided to share, comments welcome and I would be curious about anybody doing anything similar.
To use this you must
- Be using systemd with an encrypted root with a fido2 key enrolled (see man crypttab for examples)
- Set the kernel option to use the /usr/src/initramfs (or whatever IDR is set to) as the initramfs
- Have lddtree and all the tools it copies over installed (I'm using dash as my /bin/sh I haven't checked what bash would pull in)
- Add a /boot/vmlinuz-gentoo-init entry to your bootloader
- Set the ROOT_UUID var
| Code: |
#!/bin/sh
set -e
if [ "$(id -u)" -ne 0 ]||[ "$1" != "inhibited" ]; then
exec sudo systemd-inhibit --why "updating kernel" $0 inhibited $@
fi
shift
FILE_POSTFIX=gentoo-init
FILES="vmlinuz config System.map"
ROOT_UUID=SET_ME
MAKE_CONFIG="spin_while make oldconfig"
KERNEL_SRC_DIR=/usr/src/linux
IDR=/usr/src/initramfs
while [ $# -gt 0 ]; do
case $1 in
-f|--fallback)
printf "\033[0m[\033[33mWARNING FALLBACK WILL BE OVERWRITTEN!!! ^C to Cancel!\033[0m]\n"
CREATE_FALLBACK=y
shift
;;
-n|--nconfig)
MAKE_CONFIG="make nconfig"
shift
;;
-s|--src-dir)
KERNEL_SRC_DIR=$2
shift 2
;;
-b|--backup-initramfs)
BACKUP_INITRAMFS=y
shift
;;
*)
echo Unknown Parameter: $1
exit 1
;; esac
done
if [ "$BACKUP_INITRAMFS" ]; then
echo backing up initramfs.
borg create --one-file-system /backup/gen2/borg::initramfs_{now} /usr/src/initramfs
fi
echo Creating new initramfs.
rm -r ${IDR}
mkdir --parents ${IDR}/usr/bin \
${IDR}/bin \
${IDR}/dev \
${IDR}/etc \
${IDR}/lib \
${IDR}/lib64 \
${IDR}/mnt/root \
${IDR}/proc \
${IDR}/root \
${IDR}/sbin \
${IDR}/sys \
${IDR}/run
cp --archive /dev/null /dev/console /dev/tty ${IDR}/dev/
cp --archive /etc/udev ${IDR}/etc/
cp --archive /lib/udev ${IDR}/lib/
lddtree --copy-to-tree ${IDR} \
/bin/sh \
/bin/mount \
/bin/umount \
/sbin/findfs \
/sbin/switch_root \
/usr/bin/killall \
/sbin/dmsetup \
/lib/systemd/systemd-vconsole-setup \
/bin/ln \
/lib/systemd/systemd-cryptsetup \
/lib/systemd/systemd-udevd \
/bin/udevadm \
/usr/lib64/libfido2.so.1 \
/bin/echo
cat <<-EOF >${IDR}/init
#!/bin/sh
set -e
failure_mode(){
/bin/echo good luck!
exec /bin/sh
}
trap failure_mode EXIT
/bin/echo mounting temporary filesystems...
/bin/mount -n -t devtmpfs devtmpfs /dev
/bin/mount -n -t proc proc /proc
/bin/mount -n -t sysfs sysfs /sys
/bin/mount -n -t tmpfs -o mode=755,nodev,nosuid tmpfs /run
/bin/echo starting udev...
/lib/systemd/systemd-udevd --daemon --resolve-names=never
/bin/udevadm trigger
/bin/udevadm settle
/bin/echo decyrpting root...
/lib/systemd/systemd-cryptsetup attach root \$(/sbin/findfs UUID=${ROOT_UUID}) - fido2-device=auto
/bin/echo mounting root...
/bin/mount -o ro,subvol=root /dev/mapper/root /mnt/root
/bin/echo killing udev and waiting for it to die...
/usr/bin/killall -vw systemd-udevd
/bin/echo moving run to new root...
/bin/mount -vn --move /run /mnt/root/run
/bin/echo umounting filesystems...
/bin/umount /proc
/bin/umount /sys
/bin/umount /dev
/bin/echo switching root...
exec /sbin/switch_root /mnt/root /sbin/init
EOF
cat <<-EOF >${IDR}/etc/initrd-release
FILE_POSTFIX=custom_init
ID=custom_init
PRETTY_FILE_POSTFIX="custom_init/Linux"
ANSI_COLOR="1;32"
HOME_URL="somewhere_in_denver"
SUPPORT_URL="lol?"
BUG_REPORT_URL="lol"
EOF
chown root:root ${IDR}/init
chmod 0500 ${IDR}/init
spin_while(){
msg="Running $@..."
loop="C O M P I L I N G"
exec 3<&1; exec 4<&2
exec 1>>/var/log/build_kernel.log
exec 2>>/var/log/build_kernel_err.log
printf "\033[2K\033[32m%-40b %4b\033[0m" "$msg" "" 1>&3
printf "\033[?25l" 1>&3
"$@" &sleep .25; pid=$!; ti=0
while kill -0 $pid >/dev/null; do
for i in $loop; do
printf "%s\033[4D" "[ ${i}]" 1>&3; sleep .25
done
ti=$(( $ti + 1 ))
done
if wait $pid; then
printf "\033[0m[\033[32mOK\033[0m]\n" 1>&3
else
printf "\033[0m[\033[33mFAILED\033[0m]\n" 1>&3
fi
exec 2<&4; exec 1<&3
printf "\033[1G\033[?25h"
}
echo Building kernel.
cd $KERNEL_SRC_DIR
eval "$MAKE_CONFIG" || exit 1
spin_while make prepare || exit 2
spin_while make modules_prepare || exit 3
spin_while make -j18 || exit 4
echo Installing kernel.
spin_while make install || exit 5
spin_while make modules_install || exit 6
LINUZ=$(make -s kernelrelease)
for FILE in ${FILES}; do
if [ "$CREATE_FALLBACK" ]; then
cp -v /boot/$FILE-${FILE_POSTFIX} /boot/$FILE-${FILE_POSTFIX}-fallback|| echo Current ${FILE} not found.
fi
mv -v /boot/$FILE-${FILE_POSTFIX} /boot/$FILE-${FILE_POSTFIX}-previous|| echo Current ${FILE} not found.
mv -v /boot/$FILE-${LINUZ} /boot/$FILE-${FILE_POSTFIX}
done
echo done.
exit
|
|
|
| Back to top |
|
 |
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Documentation, Tips & Tricks
