Cleaned up LUKS support from #948
This commit is contained in:
parent
0ca85e92e4
commit
08743d36b6
@ -207,9 +207,10 @@ for line in "${buildlist[@]}"; do
|
||||
CPUMIN CPUMAX UBOOT_VER KERNEL_VER GOVERNOR BOOTSIZE BOOTFS_TYPE UBOOT_TOOLCHAIN KERNEL_TOOLCHAIN PACKAGE_LIST_EXCLUDE KERNEL_IMAGE_TYPE \
|
||||
write_uboot_platform family_tweaks family_tweaks_bsp setup_write_uboot_platform uboot_custom_postprocess atf_custom_postprocess family_tweaks_s \
|
||||
BOOTSCRIPT UBOOT_TARGET_MAP LOCALVERSION UBOOT_COMPILER KERNEL_COMPILER BOOTCONFIG BOOTCONFIG_VAR_NAME BOOTCONFIG_DEFAULT BOOTCONFIG_NEXT BOOTCONFIG_DEV \
|
||||
MODULES MODULES_NEXT MODULES_DEV INITRD_ARCH BOOTENV_FILE BOOTDELAY MODULES_BLACKLIST MODULES_BLACKLIST_NEXT \
|
||||
MODULES_BLACKLIST_DEV MOUNT SDCARD BOOTPATCHDIR KERNELPATCHDIR buildtext RELEASE IMAGE_TYPE OVERLAY_PREFIX ASOUND_STATE \
|
||||
ATF_COMPILER ATF_USE_GCC ATFSOURCE ATFDIR ATFBRANCH ATFSOURCEDIR PACKAGE_LIST_RM NM_IGNORE_DEVICES DISPLAY_MANAGER family_tweaks_bsp_s
|
||||
MODULES MODULES_NEXT MODULES_DEV INITRD_ARCH BOOTENV_FILE BOOTDELAY MODULES_BLACKLIST MODULES_BLACKLIST_NEXT CRYPTROOT_ENABLE \
|
||||
MODULES_BLACKLIST_DEV MOUNT SDCARD BOOTPATCHDIR KERNELPATCHDIR buildtext RELEASE IMAGE_TYPE OVERLAY_PREFIX ASOUND_STATE CRYPTROOT_PASSPHRASE \
|
||||
ATF_COMPILER ATF_USE_GCC ATFSOURCE ATFDIR ATFBRANCH ATFSOURCEDIR PACKAGE_LIST_RM NM_IGNORE_DEVICES DISPLAY_MANAGER family_tweaks_bsp_s ROOT_MAPPER
|
||||
|
||||
|
||||
read BOARD BRANCH RELEASE BUILD_DESKTOP <<< $line
|
||||
n=$[$n+1]
|
||||
|
@ -23,6 +23,9 @@ CHROOT_CACHE_VERSION=6
|
||||
[[ -z $DISPLAY_MANAGER ]] && DISPLAY_MANAGER=nodm
|
||||
ROOTFS_CACHE_MAX=16 # max number of rootfs cache, older ones will be cleaned up
|
||||
|
||||
# TODO: fixed name can't be used for parallel image building
|
||||
ROOT_MAPPER="armbian-root"
|
||||
|
||||
[[ -z $ROOTFS_TYPE ]] && ROOTFS_TYPE=ext4 # default rootfs type is ext4
|
||||
[[ "ext4 f2fs btrfs nfs fel" != *$ROOTFS_TYPE* ]] && exit_with_error "Unknown rootfs type" "$ROOTFS_TYPE"
|
||||
|
||||
@ -31,6 +34,11 @@ ROOTFS_CACHE_MAX=16 # max number of rootfs cache, older ones will be cleaned up
|
||||
# echo $(( $(blockdev --getsize64 /dev/sdX) / 1024 / 1024 ))
|
||||
[[ "f2fs" == *$ROOTFS_TYPE* && -z $FIXED_IMAGE_SIZE ]] && exit_with_error "Please define FIXED_IMAGE_SIZE"
|
||||
|
||||
# a passphrase is mandatory if rootfs encryption is enabled
|
||||
if [[ $CRYPTROOT_ENABLE == yes && -z $CRYPTROOT_PASSPHRASE ]]; then
|
||||
exit_with_error "Root encryption is enabled but CRYPTROOT_PASSPHRASE is not set"
|
||||
fi
|
||||
|
||||
# small SD card with kernel, boot script and .dtb/.bin files
|
||||
[[ $ROOTFS_TYPE == nfs ]] && FIXED_IMAGE_SIZE=64
|
||||
|
||||
@ -55,6 +63,7 @@ ARCH=armhf
|
||||
KERNEL_IMAGE_TYPE=zImage
|
||||
SERIALCON=ttyS0
|
||||
CAN_BUILD_STRETCH=yes
|
||||
CRYPTROOT_SSH_PORT=2022
|
||||
|
||||
# single ext4 partition is the default and preferred configuration
|
||||
#BOOTFS_TYPE=''
|
||||
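Review bot: `CRYPTROOT_SSH_PORT=2022` is assigned unconditionally, unlike the neighbouring defaults that only fill in an empty value (`[[ -z $DISPLAY_MANAGER ]] && DISPLAY_MANAGER=nodm` in the earlier hunk), so a port chosen in user configuration is silently overwritten if that configuration is sourced before this line. Suggest `[[ -z $CRYPTROOT_SSH_PORT ]] && CRYPTROOT_SSH_PORT=2022 # port for the initramfs dropbear unlock shell` so the intent is visible and the value can be overridden. Whether user config runs before or after this file is not visible here, so please confirm the ordering.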
@ -139,6 +148,10 @@ PACKAGE_LIST_DESKTOP="xserver-xorg xserver-xorg-video-fbdev gvfs-backends gvfs-f
|
||||
PACKAGE_LIST_DESKTOP_RECOMMENDS="mirage galculator hexchat xfce4-screenshooter network-manager-openvpn-gnome mpv fbi cups-pk-helper \
|
||||
cups geany atril xarchiver leafpad"
|
||||
|
||||
# rootfs encryption related packages
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
PACKAGE_LIST="$PACKAGE_LIST cryptsetup dropbear-initramfs"
|
||||
fi
|
||||
|
||||
case $DISPLAY_MANAGER in
|
||||
nodm)
|
||||
|
@ -312,6 +312,12 @@ prepare_partitions()
|
||||
local bootfs=ext4
|
||||
local bootpart=1
|
||||
[[ -z $BOOTSIZE || $BOOTSIZE -le 8 ]] && BOOTSIZE=64 # MiB, For cleanup processing only
|
||||
elif [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
# 2 partition setup for encrypted /root and non-encrypted /boot
|
||||
local bootfs=ext4
|
||||
local bootpart=1
|
||||
local rootpart=2
|
||||
[[ -z $BOOTSIZE || $BOOTSIZE -le 8 ]] && BOOTSIZE=64 # MiB
|
||||
else
|
||||
# single partition ext4 root
|
||||
local rootpart=1
|
||||
@ -395,13 +401,29 @@ prepare_partitions()
|
||||
rm -f $SDCARD/etc/fstab
|
||||
if [[ -n $rootpart ]]; then
|
||||
local rootdevice="${LOOP}p${rootpart}"
|
||||
display_alert "Creating rootfs" "$ROOTFS_TYPE"
|
||||
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
display_alert "Encrypting partition with LUKS" "" "ext"
|
||||
echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $rootdevice -
|
||||
echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksOpen $rootdevice $ROOT_MAPPER -
|
||||
# TODO: pass /dev/mapper to Docker
|
||||
rootdevice=/dev/mapper/$ROOT_MAPPER # used by `mkfs` and `mount` commands
|
||||
fi
|
||||
|
||||
check_loop_device "$rootdevice"
|
||||
display_alert "Creating rootfs" "$ROOTFS_TYPE on $rootdevice"
|
||||
mkfs.${mkfs[$ROOTFS_TYPE]} ${mkopts[$ROOTFS_TYPE]} $rootdevice
|
||||
[[ $ROOTFS_TYPE == ext4 ]] && tune2fs -o journal_data_writeback $rootdevice > /dev/null
|
||||
[[ $ROOTFS_TYPE == btrfs ]] && local fscreateopt="-o compress-force=zlib"
|
||||
mount ${fscreateopt} $rootdevice $MOUNT/
|
||||
# create fstab (and crypttab) entry
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
# map the LUKS container partition via its UUID to be the 'cryptroot' device
|
||||
echo "$ROOT_MAPPER UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart}) none luks" >> $SDCARD/etc/crypttab
|
||||
local rootfs=$rootdevice # used in fstab
|
||||
else
|
||||
local rootfs="UUID=$(blkid -s UUID -o value $rootdevice)"
|
||||
fi
|
||||
echo "$rootfs / ${mkfs[$ROOTFS_TYPE]} defaults,noatime,nodiratime${mountopts[$ROOTFS_TYPE]} 0 1" >> $SDCARD/etc/fstab
|
||||
fi
|
||||
if [[ -n $bootpart ]]; then
|
||||
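Review bot: `echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $rootdevice -` (and the luksOpen line right below it) expands the passphrase unquoted, so it is word-split and glob-expanded before it reaches cryptsetup: runs of spaces collapse, a `*` or `?` can expand to file names, and a passphrase beginning with `-n` or `-e` is consumed by echo as an option, meaning the container ends up keyed with something other than what the user configured. Use `printf '%s' "$CRYPTROOT_PASSPHRASE" | cryptsetup luksFormat "$rootdevice" -` and the same form for luksOpen. luksFormat normally asks for interactive confirmation before overwriting a device; if this path is meant to run unattended, `-q` (batch mode) is probably needed, worth confirming against the cryptsetup version on the build host. Note also that enabling `set -x` anywhere around these lines would print the passphrase into the build log. prepare_partitions() starts and ends outside this hunk.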
@ -417,7 +439,11 @@ prepare_partitions()
|
||||
|
||||
# stage: adjust boot script or boot environment
|
||||
if [[ -f $SDCARD/boot/armbianEnv.txt ]]; then
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
echo "rootdev=$rootdevice cryptdevice=UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart}):$ROOT_MAPPER" >> $SDCARD/boot/armbianEnv.txt
|
||||
else
|
||||
echo "rootdev=$rootfs" >> $SDCARD/boot/armbianEnv.txt
|
||||
fi
|
||||
echo "rootfstype=$ROOTFS_TYPE" >> $SDCARD/boot/armbianEnv.txt
|
||||
elif [[ $rootpart != 1 ]]; then
|
||||
local bootscript_dst=${BOOTSCRIPT##*:}
|
||||
@ -428,8 +454,12 @@ prepare_partitions()
|
||||
|
||||
# if we have boot.ini = remove armbianEnv.txt and add UUID there if enabled
|
||||
if [[ -f $SDCARD/boot/boot.ini ]]; then
|
||||
sed -i -e "s/rootfstype \"ext4\"/rootfstype \"$ROOTFS_TYPE\"/" $SDCARD/boot/boot.ini
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
local rootpart="UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart})"
|
||||
sed -i 's/^setenv rootdev .*/setenv rootdev "\/dev\/mapper\/'$ROOT_MAPPER' cryptdevice='UUID="$(blkid -s UUID -o value ${LOOP}p${rootpart})"':'$ROOT_MAPPER'"/' $SDCARD/boot/boot.ini
|
||||
else
|
||||
sed -i 's/^setenv rootdev .*/setenv rootdev "'$rootfs'"/' $SDCARD/boot/boot.ini
|
||||
fi
|
||||
[[ -f $SDCARD/boot/armbianEnv.txt ]] && rm $SDCARD/boot/armbianEnv.txt
|
||||
fi
|
||||
|
||||
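Review bot: the long `sed -i 's/^setenv rootdev .*/setenv rootdev "\/dev\/mapper\/'$ROOT_MAPPER' cryptdevice='UUID="$(blkid …)"':'$ROOT_MAPPER'"/'` line splices `$ROOT_MAPPER` and the blkid output into the sed script outside of quotes, so any whitespace or sed metacharacter (`/`, `&`) in those values silently corrupts the replacement, and it re-queries a UUID that the earlier hunks already looked up twice. Capture it once with `local cryptuuid; cryptuuid=$(blkid -s UUID -o value "${LOOP}p${rootpart}")` and build the replacement from that and from `$rootdevice` (which already holds `/dev/mapper/$ROOT_MAPPER`) instead of the hand-escaped path. If the `local rootpart="UUID=…"` line above it is still present on the new side (this rendering loses the +/- markers), it shadows `rootpart` before this blkid call, which would then run against `${LOOP}pUUID=…` and return nothing; please double-check which side that line is on. prepare_partitions() starts and ends outside this hunk.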
@ -481,6 +511,8 @@ create_image()
|
||||
sync
|
||||
[[ $BOOTSIZE != 0 ]] && umount -l $MOUNT/boot
|
||||
[[ $ROOTFS_TYPE != nfs ]] && umount -l $MOUNT
|
||||
[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER
|
||||
|
||||
losetup -d $LOOP
|
||||
rm -rf --one-file-system $DESTIMG $MOUNT
|
||||
mkdir -p $DESTIMG
|
||||
|
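Review bot: `[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER` follows a lazy `umount -l $MOUNT`, which returns before the filesystem is actually released, so luksClose can fail with a "device still in use" error and leave the mapping, and with it the loop device, open for the next build; the same sequence appears in the unmount_on_exit() hunk further down. Either unmount the root non-lazily before closing, or use `cryptsetup luksClose --deferred $ROOT_MAPPER` so the mapping is torn down once its last user goes away, after confirming the build host's cryptsetup supports `--deferred`. create_image() starts and ends outside this hunk.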
@ -212,6 +212,19 @@ install_common()
|
||||
unmanaged-devices=$NM_IGNORE_DEVICES
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Set the port of the dropbear ssh deamon in the initramfs to a different one if configured
|
||||
# this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
|
||||
[[ -f $SDCARD/etc/dropbear-initramfs/config ]] && sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '$CRYPTROOT_SSH_PORT'"/' $SDCARD/etc/dropbear-initramfs/config
|
||||
if [[ $CRYPTROOT_ENABLE == yes ]]; then
|
||||
if [[ -f $SRC/userpatches/dropbear_authorized_keys ]]; then
|
||||
# TODO: check for supported key types in Dropbear
|
||||
mkdir -p $SDCARD/etc/dropbear-initramfs/
|
||||
cp $SRC/userpatches/dropbear_authorized_keys $SDCARD/etc/dropbear-initramfs/authorized_keys
|
||||
else
|
||||
display_alert "Authorized keys file not found in userpatches, cryptsetup SSH unlock will be disabled" "" "wrn"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
install_distribution_specific()
|
||||
|
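Review bot: `cp $SRC/userpatches/dropbear_authorized_keys $SDCARD/etc/dropbear-initramfs/authorized_keys` keeps whatever mode the user's file has; dropbear, like OpenSSH, refuses an authorized_keys that is group- or world-writable, so a permissive source file silently disables SSH unlock with no message from this code. Follow the copy with `chmod 600 $SDCARD/etc/dropbear-initramfs/authorized_keys` (and 700 on the directory), and the warning branch could mention that dropbear presumably still listens in the initramfs without any usable key. Separately, the `sed` on `config` above only rewrites a commented-out `#DROPBEAR_OPTIONS=`, so if the line is already active (re-run on a cached rootfs, or a package version that ships it uncommented) the port is not applied, and the unquoted `'$CRYPTROOT_SSH_PORT'` splice should be replaced by a double-quoted expansion. install_common() starts outside this hunk.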
@ -530,7 +530,7 @@ prepare_host()
|
||||
nfs-kernel-server btrfs-tools ncurses-term p7zip-full kmod dosfstools libc6-dev-armhf-cross \
|
||||
curl patchutils python liblz4-tool libpython2.7-dev linux-base swig libpython-dev aptly acl \
|
||||
locales ncurses-base pixz dialog systemd-container udev lib32stdc++6 libc6-i386 lib32ncurses5 lib32tinfo5 \
|
||||
bison libbison-dev flex libfl-dev"
|
||||
bison libbison-dev flex libfl-dev cryptsetup"
|
||||
|
||||
local codename=$(lsb_release -sc)
|
||||
display_alert "Build host OS release" "${codename:-(unknown)}" "info"
|
||||
|
@ -54,6 +54,7 @@ unmount_on_exit()
|
||||
umount -l $SDCARD >/dev/null 2>&1
|
||||
umount -l $MOUNT/boot >/dev/null 2>&1
|
||||
umount -l $MOUNT >/dev/null 2>&1
|
||||
[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER
|
||||
losetup -d $LOOP >/dev/null 2>&1
|
||||
rm -rf --one-file-system $SDCARD
|
||||
exit_with_error "debootstrap-ng was interrupted"
|
||||
|
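Review bot: `[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER` is the only line in this cleanup handler that does not silence its output (the surrounding umount/losetup lines all carry `>/dev/null 2>&1`), so a build interrupted before luksOpen ran prints a spurious "device not found" error during cleanup; for consistency use `[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER >/dev/null 2>&1`. As in create_image(), the mapping is closed immediately after a lazy `umount -l`, so the close may fail while the filesystem is still busy and leave the device mapped. unmount_on_exit() starts outside this hunk.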