Gentoo Forums
Initramfs Full Disk Encryption Open-rc
steveL
PostPosted: Wed Jul 01, 2015 5:11 pm

steveL wrote:
Simply use:
Code:
if grep -qF fubar "$file"; then
instead.

as.gentoo wrote:
True, but not good to read -> understand.

Incorrect; it reads much more cleanly and simply. What is being tested is grep's exit status, and we see upfront what the actual statement of interest is; we don't have to scan up to see what the branch is conditioned on.

Further for newbs, you want them to see how to use 'if' properly, not obfuscate the basics.
steveL wrote:
In bash, you should use the more powerful [[ instead

Quote:
Please keep in mind that we talk about a script to be executed by busybox.

Fair enough; in which case you're not talking about bash at all, and the "In bash.." part becomes relevant.

Nonetheless #bash will teach you sh if you specify that upfront, and the point about 'if' stands, since it is a sh construct unspecific to any shell; if you'd been using it correctly, I wouldn't have posted.

You're right though that if this is bb, then '[[' is of no use; my bad for not spotting that.

Though I'd still have put it in there, on a general purpose chat forum, as others will at some point read it, and I'd like people to know the difference. Especially I'd like to see Gentoo bash being an exemplar rather than an embarrassment, but that's by the by.
bluehippy
PostPosted: Thu Jul 02, 2015 1:23 pm

NeddySeagoon

I created the initramfs according to the Gentoo Wiki with lvm, /devtmpfs and crypt support. Additionally I copied stty into /bin and a static 1.4.16 GPG to /usr/bin/gpg (from sakaki's guide).

The initramfs folder (folder + all content) is included in the kernel without any previous compression or packing.


as.gentoo

Thanks for your long explanation of the used bash commands. It's not confusing at all and helped me to find out the (most likely) bug in my script.

steveL

I didn't know the [[ command before and it looks quite useful, and your bash tutorial looks good to me. I'll definitely have a look. Thanks for doing this!


I tried around a bit more, and when trying to decrypt the key file gpg gives the error "No key-file for this passphrase". Something in the following section goes wrong. Does anyone have an idea?

Code:
for I in $NUMS
do

   stty_orig='stty -g </dev/console'
   echo "Enter password for ...."
   stty -echo </dev/console
   read PASS </dev/console
   stty $stty_orig </dev/console

# Decrypt gpg key-file and parse it into cryptsetup

   CRYPTSETUP_PASS=$(echo "$PASS" | gpg --decrypt --no-tty --passphrase-fd 0 /mnt/usb-keydev/luks-key.gpg)
   if [ "$?" -eq "0" ]; then
      echo "$CRYPTSETUP_PASS" | cryptsetup --key-file - luksOpen $(findfs UUID="xxx") gentoo || rescue_shell
      break
   fi
done


The code for entering the password is just copy&paste from here. Is there a better way to query for the password? Without the stty part, gpg gives a "gpg: cannot open /dev/tty: No such device or address" error.
as.gentoo
PostPosted: Thu Jul 02, 2015 3:40 pm

@neddy:

I don't remember the whole process. I probably forgot something, please complete.
However, here's what I have and know.
--
I made a folder containing the base structure of a FS. Then I copied mdadm.conf and the mdadm and busybox binaries. I copied some devices from /dev as well.
Code:
@/usr/src/initramfs:
.
├── bin
│   └── busybox      # static binary
├── dev
│   └── *
├── etc
│   └── mdadm.conf
├── init
├── lib
├── mnt
│   └── root
├── proc
├── root
├── sbin
│   └── mdadm      # static binary
└── sys

# dev contains:

dev
dev/console
dev/md16
dev/null
dev/sda
dev/sda1
dev/sda2
dev/sda3
dev/sda4
dev/sda5
dev/sda6
dev/sda7
dev/sda8
dev/sda9
dev/sdb
dev/sdb1
dev/sdb2
dev/sdb3
dev/sdb4
dev/sdb5
dev/sdb6
dev/sdb7
dev/sdb8
dev/sdb9
dev/sdc
dev/sdc1
dev/sdc2
dev/sdc3
dev/sdc4
dev/sdc5
dev/sdd
dev/sdd1
dev/sdd2
dev/sdd3
dev/sdd4
dev/sdd5
dev/sde
dev/sde1
dev/sde2
dev/sde3
dev/sde4
dev/sde5
dev/sdf
dev/sdf1
dev/sdf2
dev/sdf3
dev/sdf4
dev/sdf5
dev/tty
Then I saved an executable busybox script into /usr/src/initramfs as init
Code:
#!/bin/busybox sh

rescue_shell() {
    echo "Dropping to shell..."
    busybox --install -s
    exec /bin/sh
}

# mount proc and sys
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev

echo "This script mounts rootfs and boots it up, nothing more!"

# assemble raid arrays
mdadm --assemble /dev/md16 --name=FSroot || rescue_shell
#mdadm --assemble /dev/md16 /dev/sd[ef]6 || rescue_shell
mdadm --assemble /dev/md12 --name=SWAP1
mdadm --assemble /dev/md13 --name=var_tmp
mdadm --assemble /dev/md14 --name=tmp
mdadm --assemble /dev/md15 --name=var_portage
mdadm --assemble /dev/md17 --name=var
mdadm --assemble /dev/md18 --name=usr
mdadm --assemble /dev/md19 --name=boot
mdadm --assemble /dev/md101 --name=SWAP10
mdadm --assemble /dev/md102 --name=srv
mdadm --assemble /dev/md103 --name=home
mdadm --assemble /dev/md104 --name=var_log
mdadm --assemble /dev/md105 --name=usr_local

# mount the root FS
### mount -o ro /dev/disk/by-label/FSroot /mnt/root || rescue_shell   (can't, since /dev/disk is not available here)
mount -o ro /dev/md16 /mnt/root || rescue_shell

# clean up
umount /proc
umount /sys
umount /dev

# boot the real thing
exec switch_root /mnt/root /sbin/init
IIRC I then compressed /usr/src/initramfs/* using cpio and gzip (named my-initramfs.cpio.gz) and copied the file to /boot. Next was creating a proper grub entry in /etc/grub.d/40_custom; here it is.
Code:
menuentry 'Gentoo GNU/Linux - 2.6.37-hardened-r7' --class gentoo --class gnu-linux --class gnu --class os {
    insmod part_gpt
    insmod mdraid1x
    insmod ext2
    insmod vbe
#   insmod vga
    insmod gzio
#   insmod xzio

    gfxpayload=1280x1024x16,1280x1024

    set root='(md19)'
    search --no-floppy --label --set=root boot
    echo   'Loading Linux 2.6.37-hardened-r7 ...'

#   linux   /kernel-2.6.37-hardened-r7 root=/dev/md16 ro domdadm
#   linux   /kernel-2.6.37-hardened-r7 root='(md16)' ro domdadm
#   linux   /kernel-2.6.37-hardened-r7 root=/dev/disk/by-label/FSroot ro domdadm
#   linux   /kernel-2.6.37-hardened-r7 root=LABEL=FSroot ro

    linux   /kernel-2.6.37-hardened-r7 root=/dev/md16 ro
    echo   'Loading initial ramdisk ...'
    initrd  /my-initramfs.cpio.gz
}
bluehippy
PostPosted: Thu Jul 02, 2015 3:40 pm

Yuhu! It works!

The error was lying in

Code:
CRYPTSETUP_PASS=$(echo "$PASS" | gpg --decrypt --no-tty --passphrase-fd 0 /mnt/usb-keydev/luks-key.gpg)
if [ "$?" -eq "0" ]; then
   echo "$CRYPTSETUP_PASS" | cryptsetup --key-file - luksOpen $(findfs UUID="xxx") gentoo || rescue_shell
   break
fi


The decrypted key should be stored in CRYPTSETUP_PASS and then passed along to cryptsetup. This somehow went wrong and gpg was giving out an error. Whether it was the storing or the passing over, I don't know.

My solution to the problem is

Code:
CRYPTSETUP_PASS=$(echo "$PASS" | gpg --decrypt --no-tty --passphrase-fd 0 /mnt/usb-keydev/luks-key.gpg)
if [ "$?" -eq "0" ]; then
   echo "$PASS" | gpg --decrypt --no-tty --passphrase-fd 0 /mnt/usb-keydev/luks-key.gpg | cryptsetup --key-file - luksOpen $(findfs UUID="xxx") gentoo
   break
fi


It's not a beautiful solution, but it does its job. The first key decryption is only done to check whether it was successful, and maybe to query again for the password.

The final init script:
Code:
#!/bin/busybox sh

# Drop me to a rescue shell, if something goes wrong
rescue_shell() {
   echo "Something went wrong. Dropping to a shell."
   exec sh
}

echo "Starting init script"

# Populate /dev from kernel to have access to /dev/mapper/ later
# and be able to use UUID for mounting
mount -t devtmpfs none /dev

# Wait for /dev to be populated
sleep 3s

# Mount the /proc and /sys filesystems
mount -t proc none /proc
mount -t sysfs none /sys

echo "Creating symlinks to busybox"
/bin/busybox --install -s
echo "Loading keymap"
loadkmap < /etc/keymap/de.bmap

# Mount the device with the key file for the luks partition
echo "Mount usb stick and decrypt harddrive"
mkdir /mnt/usb-keydev
mount -v -t ext2 $(findfs UUID="xxxx") /mnt/usb-keydev

# Read password for gpg
# Without this, gpg gives a "No tty available" error
# Decryption is tried up to 3 times
I=1
NUMS="1 2 3"

for I in $NUMS
do

   echo "Enter password ........"
   stty -echo
   read PASS
   stty echo

   CRYPTSETUPPASS=""

# Decrypt gpg key-file and parse it into cryptsetup

   CRYPTSETUPPASS=$(echo "$PASS" | gpg --decrypt --no-tty --passphrase-fd 0 /mnt/usb-keydev/luks-key.gpg)
   if [ "$?" -eq "0" ]; then
      echo "$PASS" | gpg --decrypt --no-tty --passphrase-fd 0 /mnt/usb-keydev/luks-key.gpg | cryptsetup --key-file - luksOpen $(findfs UUID="xxxx") gentoo
      CRYPTSETUPPASS=""
      PASS=""
      break
   fi
done

# Open up the LVM
echo "Open LVM"
lvm vgscan --mknodes
lvm vgchange -a y
lvm vgscan --mknodes

# Mount the root filesystem
mount -o ro /dev/mapper/vg1-root /mnt/root || rescue_shell

# Clean up
echo "Clean up"
umount /mnt/usb-keydev
umount /dev
umount /sys
umount /proc

# Boot the real thing
echo "Init script complete, boot computer now"
exec /sbin/switch_root /mnt/root /sbin/init
as.gentoo
PostPosted: Thu Jul 02, 2015 3:41 pm
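The retry loop from the final script, as an added example that is not part of bluehippy's post or the thread: it decrypts the key once per attempt and pipes it straight into cryptsetup, so the double decryption goes away and the key material never passes through a shell variable or echo (a `$(...)` capture cannot hold NUL bytes and strips trailing newlines, which matters for a binary key file). The gpg and cryptsetup flags are the thread's own and `ROOT_UUID=xxxx` is the thread's placeholder; `fake_gpg`, `fake_cryptsetup`, `demo`, `unlock_with_retries` and the other names are assumptions made here so the loop can run without hardware, gpg or a console.

```shell
#!/bin/sh
# Added example, not bluehippy's script: the same retry loop written so the
# GPG-wrapped LUKS key is decrypted once per attempt and streamed straight into
# cryptsetup. The key never lands in a shell variable and is never passed
# through echo. ROOT_UUID is the thread's "xxxx" placeholder; DECRYPT/OPEN name
# the commands to run so the loop can be exercised with the stand-ins below.

KEYFILE=${KEYFILE:-/mnt/usb-keydev/luks-key.gpg}
ROOT_UUID=${ROOT_UUID:-xxxx}          # placeholder, as in the thread
MAPPER=${MAPPER:-gentoo}

# The real commands, with the flags used in the thread's script.
gpg_decrypt() { gpg --decrypt --no-tty --passphrase-fd 0 "$KEYFILE"; }
luks_open()   { cryptsetup --key-file - luksOpen "$(findfs UUID="$ROOT_UUID")" "$MAPPER"; }

DECRYPT=${DECRYPT:-gpg_decrypt}
OPEN=${OPEN:-luks_open}

# Read one line into PASS; switch echo off only when stdin really is a terminal.
read_passphrase() {
    if [ -t 0 ]; then stty -echo; fi
    if read -r PASS; then rc=0; else rc=1; fi   # rc=1 on EOF (console gone)
    if [ -t 0 ]; then stty echo; echo; fi
    return $rc
}

# unlock_with_retries MAX: ask for up to MAX passphrases; returns 0 once the
# volume is open, 1 when every attempt failed or the input ran out.
unlock_with_retries() {
    max=$1
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        printf 'Enter passphrase for %s (%s/%s): ' "$KEYFILE" "$attempt" "$max"
        read_passphrase || return 1
        # A wrong passphrase makes gpg emit nothing; cryptsetup then fails on
        # the empty key and the loop simply asks again. Only the pipe ever
        # carries the key bytes.
        if printf '%s\n' "$PASS" | "$DECRYPT" | "$OPEN"; then
            PASS=""
            return 0
        fi
        PASS=""
        echo "Unlock failed." >&2
        attempt=$((attempt + 1))
    done
    return 1
}

# --- Constructed stand-ins so the loop runs without gpg, cryptsetup or a console ---
fake_gpg() {          # emits the key only for the right passphrase, like gpg would
    pw=$(cat)
    [ "$pw" = "correct horse" ] || return 2
    printf 'constructed-key-material'   # no trailing newline, like a binary key
}
fake_cryptsetup() {   # accepts exactly that key
    key=$(cat)
    [ "$key" = "constructed-key-material" ]
}

# demo: two wrong passphrases, then the right one, within the three tries.
demo() {
    DECRYPT=fake_gpg
    OPEN=fake_cryptsetup
    printf 'wrong\nalso wrong\ncorrect horse\n' | unlock_with_retries 3
}
```

In the initramfs, call it as `unlock_with_retries 3 </dev/console || rescue_shell`, so that `read` and `stty` act on the console the way bluehippy's first version did with its explicit redirections; with the default `DECRYPT`/`OPEN` the pipe is the thread's own `gpg ... | cryptsetup --key-file - luksOpen ...`.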

@bluehippy

It was a pleasure.
bluehippy
PostPosted: Thu Jul 02, 2015 3:46 pm

as.gentoo

Thank you and let me return the flowers.

Thanks everybody for the help!

PS.: I changed the topic to a better fitting one
as.gentoo
PostPosted: Thu Jul 02, 2015 3:48 pm

And for the sake of completeness, sometimes you do not want to quote a variable:
Code:
$> s_test="a b c" ;

$> for s_x in ${s_test} ; do echo ${s_x} ; done # without quotes
a
b
c

$> for s_x in "${s_test}" ; do echo ${s_x} ; done # with quotes
a b c


Quote:
PS.: I changed the topic to a better fitting one
EDIT: excellent!
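The two shell points made in this thread (steveL's `if grep -qF fubar "$file"; then`, and as.gentoo's quoted-versus-unquoted word splitting above), as an added example that is not from the thread. The sample file, its space-containing name and the function names are constructed here. It also shows the one place where testing `$?` misreports a failure, which matters for a loop that is supposed to stop on a failed decrypt.

```shell
#!/bin/sh
# Added example, not from the thread: (1) a command's exit status is itself the
# `if` condition, and the one case where `$?` bookkeeping goes wrong; (2) quoting
# decides whether a value is split into words, and an unquoted path with a
# space is a real failure, not a style point.

SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/key list.txt"      # constructed; the space is deliberate
printf 'alpha\nfubar\nbeta\n' > "$SAMPLE"

# (1) grep's status is the test; -F matches a fixed string, -- ends options.
has_marker() {            # has_marker FILE WORD
    grep -qF -- "$2" "$1"
}

# Same intent with $1 unquoted: the path is split into "key" and "list.txt",
# grep complains about two missing files and returns 2.
has_marker_unquoted() {
    grep -qF -- "$2" $1
}

# (1b) $? after `local VAR=$(cmd)` is local's status, not cmd's, so a failed
# decrypt would read as success. Declare first, assign on a separate line.
status_masked() {
    local out=$(false)
    [ $? -eq 0 ]             # true: the failure was lost
}
status_kept() {
    local out
    out=$(false)
    [ $? -eq 0 ]             # false: the failure is seen
}

# (2) Word splitting: the same value yields three arguments or one.
count_words()   { set -- $1;   echo $#; }
count_unsplit() { set -- "$1"; echo $#; }

cleanup_sample() { rm -rf "$SAMPLE_DIR"; }
```

`has_marker` is the whole of steveL's point: the function body is the command, and its status is the answer. `status_masked` is why the thread's `CRYPTSETUP_PASS=$(...); if [ "$?" -eq "0" ]` happens to work (a plain assignment passes the substitution's status through) and why the same test would not work inside a function that used `local`.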