From d0f91512d9ca6d361d8a4a387094c48aab00e111 Mon Sep 17 00:00:00 2001 From: Jan Wagner Date: Tue, 19 Apr 2016 15:10:50 +0200 Subject: fix: ENABLE_CRYPTFS -> UBOOT, SPLITFS, EXPANDROOT - cleanup --- files/boot/uboot.mkimage | 6 +- files/firstboot/21-generate-ssh-keys.sh | 6 ++ files/firstboot/22-expandroot.sh | 18 +++++- files/firstboot/23-generate-machineid.sh | 3 - files/firstboot/23-regenerate-initramfs.sh | 31 +++++++++++ files/firstboot/24-create-resolv-symlink.sh | 15 ----- files/firstboot/24-generate-machineid.sh | 3 + files/firstboot/25-create-resolv-symlink.sh | 15 +++++ files/initramfs/expand-premount | 19 +++++++ files/initramfs/expand-tools | 19 +++++++ files/initramfs/expand_encrypted_rootfs | 85 +++++++++++++++++++++++++++++ 11 files changed, 198 insertions(+), 22 deletions(-) delete mode 100644 files/firstboot/23-generate-machineid.sh create mode 100644 files/firstboot/23-regenerate-initramfs.sh delete mode 100644 files/firstboot/24-create-resolv-symlink.sh create mode 100644 files/firstboot/24-generate-machineid.sh create mode 100644 files/firstboot/25-create-resolv-symlink.sh create mode 100755 files/initramfs/expand-premount create mode 100755 files/initramfs/expand-tools create mode 100644 files/initramfs/expand_encrypted_rootfs (limited to 'files') diff --git a/files/boot/uboot.mkimage b/files/boot/uboot.mkimage index cd71de6..8d02431 100644 --- a/files/boot/uboot.mkimage +++ b/files/boot/uboot.mkimage @@ -1,3 +1,6 @@ +# Set device tree fdtfile +setenv dtbfile bcm2709-rpi-2-b.dtb + # Tell Linux that it is booting on a Raspberry Pi2 setenv machid 0x00000c42 @@ -6,6 +9,7 @@ saveenv # Load the existing Linux kernel into RAM fatload mmc 0:1 ${kernel_addr_r} kernel7.img +fatload mmc 0:1 ${fdt_addr_r} ${dtbfile} +fatload mmc 0:1 ${ramdisk_addr_r} ${initramfs} # Boot the kernel we have just loaded -bootz ${kernel_addr_r} diff --git a/files/firstboot/21-generate-ssh-keys.sh b/files/firstboot/21-generate-ssh-keys.sh index 928ee2e..b3345b4 100644 
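Review bot: The second hunk of uboot.mkimage removes `bootz ${kernel_addr_r}` without adding a replacement, so after the three `fatload` lines the script ends under `# Boot the kernel we have just loaded` with nothing that boots; the diffstat for this file (5 insertions, 1 deletion) shows no boot command is added anywhere else in it. If the intent is to hand over the loaded ramdisk and device tree, the line would be `bootz ${kernel_addr_r} ${ramdisk_addr_r} ${fdt_addr_r}` — the `mkimage -T ramdisk` wrapper built by 23-regenerate-initramfs.sh carries its own size header, so no `:size` suffix should be needed. `${initramfs}` is read by the new `fatload` but, unlike `dtbfile`, is never set with `setenv` in this file; presumably it comes from the saved environment, and a `setenv initramfs ...` next to `setenv dtbfile` would make the script self-contained.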
--- a/files/firstboot/21-generate-ssh-keys.sh +++ b/files/firstboot/21-generate-ssh-keys.sh @@ -1,8 +1,11 @@ logger -t "rc.firstboot" "Generating SSH host keys" if [ -d "/etc/ssh/" ] ; then + # Remove ssh host keys rm -f /etc/ssh/ssh_host_* systemctl stop sshd + + # Regenerate ssh host keys ssh-keygen -q -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key ssh-keygen -q -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key ssh-keygen -q -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key @@ -11,8 +14,11 @@ if [ -d "/etc/ssh/" ] ; then fi if [ -d "/etc/dropbear/" ] ; then + # Remove ssh host keys rm -f /etc/dropbear/dropbear_* systemctl stop dropbear + + # Regenerate ssh host keys dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key diff --git a/files/firstboot/22-expandroot.sh b/files/firstboot/22-expandroot.sh index 03ec50d..235c411 100644 --- a/files/firstboot/22-expandroot.sh +++ b/files/firstboot/22-expandroot.sh @@ -1,10 +1,20 @@ -logger -t "rc.firstboot" "Expanding root" +logger -t "rc.firstboot" "Expanding root partition" + +# Detect root partition device ROOT_PART=$(mount | sed -n 's|^/dev/\(.*\) on / .*|\1|p') -PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') +if [ -z "$ROOT_PART" ] ; then + log_warning_msg "unable to detect root partition device" + return 1 +fi + +# Extract root device name case "${ROOT_PART}" in mmcblk0*) ROOT_DEV=mmcblk0 ;; sda*) ROOT_DEV=sda ;; esac + +# Check detected root partition name +PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$') if [ "$PART_NUM" = "$ROOT_PART" ] ; then logger -t "rc.firstboot" "$ROOT_PART is not an SD card. Don't know how to expand" return 0 
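Review bot: The new `# Regenerate ssh host keys` comment in the first hunk sits directly above `ssh-keygen -q -t dsa`, which produces a 1024-bit DSA host key that OpenSSH 7.0 and later no longer offer by default, so the key is generated on every first boot and then never used; the same applies to `dropbearkey -t dss` under the second hunk's comment. Either drop the two DSA lines or extend the comment to say why they are kept, e.g. `# Regenerate ssh host keys (DSA kept for legacy clients only)`.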
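Review bot: The new empty-`ROOT_PART` check in 22-expandroot.sh logs through `log_warning_msg` while every other message in this file goes through `logger -t "rc.firstboot"`; unless the caller has sourced `/lib/lsb/init-functions` (not visible here) that is a "command not found", and since the file uses top-level `return` it is presumably sourced, so the new `return 1` also departs from the file's existing `return 0` convention for "don't know how to expand" cases. `logger -t "rc.firstboot" "unable to detect root partition device"` keeps the file consistent. The `case` under the new `# Extract root device name` comment has no default arm, so a root on any other device (for instance a `mapper/…` name in the encrypted layout this commit targets) leaves `ROOT_DEV` unset and the later `parted /dev/${ROOT_DEV}` call runs against `/dev/`; a `*) logger -t "rc.firstboot" "$ROOT_PART: unsupported root device"; return 0 ;;` arm closes that gap. The rest of the file continues outside this hunk.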
@@ -16,6 +26,8 @@ if [ "$PART_NUM" -gt 2 ] ; then logger -t "rc.firstboot" "Your partition layout is not currently supported by this tool." return 0 fi + +# Check if last partition number LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:) if [ $LAST_PART_NUM -ne $PART_NUM ]; then logger -t "rc.firstboot" "$ROOT_PART is not the last partition. Don't know how to expand" @@ -53,4 +65,4 @@ EOF2 # Reload the partition table, resize root filesystem then remove resizing code from this file partprobe && resize2fs /dev/${ROOT_PART} && - logger -t "rc.firstboot" "Root partition successfuly resized." + logger -t "rc.firstboot" "Root partition successfully resized." diff --git a/files/firstboot/23-generate-machineid.sh b/files/firstboot/23-generate-machineid.sh deleted file mode 100644 index dca48b3..0000000 --- a/files/firstboot/23-generate-machineid.sh +++ /dev/null @@ -1,3 +0,0 @@ -logger -t "rc.firstboot" "Generating D-Bus machine-id" -rm -f /var/lib/dbus/machine-id -dbus-uuidgen --ensure diff --git a/files/firstboot/23-regenerate-initramfs.sh b/files/firstboot/23-regenerate-initramfs.sh new file mode 100644 index 0000000..78e2922 --- /dev/null +++ b/files/firstboot/23-regenerate-initramfs.sh 
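Review bot: The comment added in the first hunk, `# Check if last partition number`, does not say what is being checked; `# Refuse to expand unless the root partition is the last one on the device` describes the test that follows. That test compares `$LAST_PART_NUM` unquoted, so if `parted` fails and the variable is empty the shell reports a test error instead of the intended log line; a `[ -z "$LAST_PART_NUM" ]` guard before it, mirroring the new `ROOT_PART` check earlier in this file, keeps the failure readable. The enclosing file continues outside this hunk.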
@@ -0,0 +1,31 @@
+logger -t "rc.firstboot" "Regenerating initramfs to remove encrypted root partition auto-expand"
+
+KERNEL_VERSION=$(uname -r)
+KERNEL_ARCH=$(uname -m)
+INITRAMFS="/boot/firmware/initramfs-${KERNEL_VERSION}"
+INITRAMFS_UBOOT="${INITRAMFS}.uboot"
+
+# Extract kernel arch
+case "${KERNEL_ARCH}" in
+ arm*) KERNEL_ARCH=arm ;;
+esac
+
+# Regenerate initramfs
+if [ -r "${INITRAMFS}" ] ; then
+ rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
+ rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
+ rm -f /etc/initramfs-tools/hooks/expand-tools
+ rm -f "${INITRAMFS}"
+ mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
+fi
+
+# Convert generated initramfs for U-Boot using mkimage
+if [ -r "${INITRAMFS_UBOOT}" ] ; then
+ rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
+ rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
+ rm -f /etc/initramfs-tools/hooks/expand-tools
+ rm -f "${INITRAMFS_UBOOT}"
+ mkinitramfs -o "${INITRAMFS}" "${KERNEL_VERSION}"
+ mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}" "${INITRAMFS_UBOOT}"
+ rm -f "${INITRAMFS}"
+fi
diff --git a/files/firstboot/24-create-resolv-symlink.sh b/files/firstboot/24-create-resolv-symlink.sh
deleted file mode 100644
index 8a3f00b..0000000
--- a/files/firstboot/24-create-resolv-symlink.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
-
-# Check if systemd resolve directory exists
-if [ ! -d "/run/systemd/resolve" ] ; then
- systemctl enable systemd-resolved.service
- systemctl restart systemd-resolved.service
-fi
-
-# Create resolv.conf file if it does not exists
-if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
- touch /run/systemd/resolve/resolv.conf
-fi
-
-# Create symlink to /etc/reolv.conf
-ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
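Review bot: Both branches of 23-regenerate-initramfs.sh run `rm -f "${INITRAMFS}"` / `rm -f "${INITRAMFS_UBOOT}"` before `mkinitramfs` and `mkimage`, so if generation fails (a missing hook, a full `/boot/firmware`) the only initramfs is already gone and, for the encrypted root this commit targets, the next boot cannot unlock the device. Building into a temporary name and renaming on success keeps the old image until a new one exists. The three hook removals are duplicated across the branches and can be hoisted, and when both files exist the second branch deletes the `${INITRAMFS}` the first branch just built — probably unintended, though that combination may not occur in practice. The `case` only maps `arm*`, so an `aarch64` kernel would reach `mkimage -A aarch64` where U-Boot's own name is `arm64`; worth a second arm if 64-bit images are planned.
```sh
# Remove the auto-expand hooks once; the regenerated image must not contain them
rm -f /etc/initramfs-tools/scripts/init-premount/expand_encrypted_rootfs
rm -f /etc/initramfs-tools/scripts/local-premount/expand-premount
rm -f /etc/initramfs-tools/hooks/expand-tools

# Regenerate initramfs into a temporary file so a failed mkinitramfs
# leaves the existing image in place
if [ -r "${INITRAMFS}" ] ; then
  mkinitramfs -o "${INITRAMFS}.tmp" "${KERNEL_VERSION}" \
    && mv -f "${INITRAMFS}.tmp" "${INITRAMFS}"
  rm -f "${INITRAMFS}.tmp"
fi

# Convert generated initramfs for U-Boot using mkimage; same temp-then-rename
if [ -r "${INITRAMFS_UBOOT}" ] ; then
  mkinitramfs -o "${INITRAMFS}.tmp" "${KERNEL_VERSION}" \
    && mkimage -A "${KERNEL_ARCH}" -T ramdisk -C none -n "initramfs-${KERNEL_VERSION}" -d "${INITRAMFS}.tmp" "${INITRAMFS_UBOOT}.tmp" \
    && mv -f "${INITRAMFS_UBOOT}.tmp" "${INITRAMFS_UBOOT}"
  rm -f "${INITRAMFS}.tmp" "${INITRAMFS_UBOOT}.tmp"
fi
```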
diff --git a/files/firstboot/24-generate-machineid.sh b/files/firstboot/24-generate-machineid.sh
new file mode 100644
index 0000000..dca48b3
--- /dev/null
+++ b/files/firstboot/24-generate-machineid.sh
@@ -0,0 +1,3 @@
+logger -t "rc.firstboot" "Generating D-Bus machine-id"
+rm -f /var/lib/dbus/machine-id
+dbus-uuidgen --ensure
diff --git a/files/firstboot/25-create-resolv-symlink.sh b/files/firstboot/25-create-resolv-symlink.sh
new file mode 100644
index 0000000..8a3f00b
--- /dev/null
+++ b/files/firstboot/25-create-resolv-symlink.sh
@@ -0,0 +1,15 @@
+logger -t "rc.firstboot" "Creating /etc/resolv.conf symlink"
+
+# Check if systemd resolve directory exists
+if [ ! -d "/run/systemd/resolve" ] ; then
+ systemctl enable systemd-resolved.service
+ systemctl restart systemd-resolved.service
+fi
+
+# Create resolv.conf file if it does not exists
+if [ ! -f "/run/systemd/resolve/resolv.conf" ] ; then
+ touch /run/systemd/resolve/resolv.conf
+fi
+
+# Create symlink to /etc/reolv.conf
+ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
diff --git a/files/initramfs/expand-premount b/files/initramfs/expand-premount
new file mode 100755
index 0000000..c0c5582
--- /dev/null
+++ b/files/initramfs/expand-premount
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Check for cryptdevice variable
+if [ -z "$cryptdevice" ] ; then
+ echo "unable to get cryptdevice variable (local-premount)"
+ exit 1
+fi
+
+if [ -n "$ROOT" ] ; then
+ # Resize encrypted root partition
+ cryptsetup resize "${ROOT}"
+ e2fsck -fp "${ROOT}"
+ resize2fs -f "${ROOT}"
+ e2fsck -fp "${ROOT}"
+fi
+
+exit 0
diff --git a/files/initramfs/expand-tools b/files/initramfs/expand-tools
new file mode 100755
index 0000000..ad5dea3
--- /dev/null
+++ b/files/initramfs/expand-tools
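Review bot: initramfs-tools invokes every boot script and hook with the argument `prereqs` to build its ordering, and expand-premount ignores `$1`, so during that pass it would run `cryptsetup resize` / `e2fsck` / `resize2fs` on `$ROOT` exactly as it does during the real pass, and its `echo` output would be parsed as prerequisite names; the usual `PREREQ`/`prereqs` case block belongs at the top. The same omission applies to `expand-tools` and `expand_encrypted_rootfs` in the following hunks. A second, smaller point: `e2fsck -fp` exits 1 when it has corrected errors, which `set -e` treats as fatal, so a filesystem that needed a minor repair never reaches `resize2fs`; test the status explicitly (`e2fsck -fp "${ROOT}" || [ $? -le 1 ]`) or drop `set -e` around those calls.
```sh
#!/bin/sh

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
  prereqs) prereqs; exit 0 ;;
esac

set -e
# … unchanged: cryptdevice check and resize block …
```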
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+# Use initramfs utility functions
+. /usr/share/initramfs-tools/hook-functions
+
+# Add binaries required for resizing the filesystem
+copy_exec /bin/grep /bin
+copy_exec /usr/bin/awk /bin
+copy_exec /usr/bin/cut /bin
+copy_exec /usr/bin/tail /bin
+copy_exec /sbin/fdisk /sbin
+copy_exec /sbin/parted /sbin
+copy_exec /sbin/e2fsck /sbin
+copy_exec /sbin/resize2fs /sbin
+copy_exec /sbin/partprobe /sbin
+
+exit 0
diff --git a/files/initramfs/expand_encrypted_rootfs b/files/initramfs/expand_encrypted_rootfs
new file mode 100644
index 0000000..e6896ba
--- /dev/null
+++ b/files/initramfs/expand_encrypted_rootfs
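Review bot: The hook copies grep, awk, cut, tail, fdisk, parted, e2fsck, resize2fs and partprobe, but `expand_encrypted_rootfs` (next hunk) also pipes through `sed` to strip the sector suffix from the parted output, and `sed` is neither in that script's dependency comment nor copied here; unless the initramfs is built with busybox supplying it, `PART_START` comes back empty at boot and the script stops with the "unable to get starting sector" message. Add `copy_exec /bin/sed /bin` here and `sed` to that dependency comment, or rewrite that pipeline with the tools already copied. `partprobe` is copied but likewise absent from the dependency comment, so the two lists should be reconciled in the same pass.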
@@ -0,0 +1,85 @@
+#!/bin/sh
+# expand_encrypted_rootfs initramfs-tools boot script
+
+# dependencies: grep awk cut tail fdisk parted e2fsck resize2fs
+
+set -e
+
+# Wait for USB devices to be ready
+sleep 5
+
+# Use initramfs utility functions
+if [ -r "/scripts/functions" ] ; then
+ . /scripts/functions
+fi
+
+# Check for cryptdevice variable
+if [ -z "$cryptdevice" ] ; then
+ echo "unable to get cryptdevice variable (init-premount)"
+ return 1
+fi
+
+# Detect root partition device
+ROOT_PART=$(echo $cryptdevice | awk -F"/|:" '{ print $3 }')
+if [ -z "$ROOT_PART" ] ; then
+ log_warning_msg "unable to detect encrypted root partition device (cryptdevice)"
+ return 1
+fi
+
+# Extract root device name
+case "${ROOT_PART}" in
+ mmcblk0*) ROOT_DEV=mmcblk0 ;;
+ sda*) ROOT_DEV=sda ;;
+esac
+
+# Check detected root partition name
+PART_NUM=$(echo ${ROOT_PART} | grep -o '[1-9][0-9]*$')
+if [ "$PART_NUM" = "$ROOT_PART" ] ; then
+ log_warning_msg "$ROOT_PART is not an SD card. Don't know how to expand"
+ return 1
+fi
+
+# NOTE: the NOOBS partition layout confuses parted. For now, let's only
+# agree to work with a sufficiently simple partition layout
+if [ "$PART_NUM" -gt 2 ] ; then
+ log_warning_msg "Your partition layout is not currently supported by this tool."
+ return 1
+fi
+
+# Check if last partition number
+LAST_PART_NUM=$(parted /dev/${ROOT_DEV} -ms unit s p | tail -n 1 | cut -f 1 -d:)
+if [ $LAST_PART_NUM -ne $PART_NUM ]; then
+ log_warning_msg "$ROOT_PART is not the last partition. Don't know how to expand"
+ return 1
+fi
+
+# Get the starting offset of the root partition
+PART_START=$(parted /dev/${ROOT_DEV} -ms unit s p | grep "^${PART_NUM}" | cut -f 2 -d: | sed 's/[^0-9]//g')
+if [ -z "$PART_START" ] ; then
+ log_warning_msg "${ROOT_DEV} unable to get starting sector of the partition"
+ return 1
+fi
+
+# Get the possible last sector for the root partition
+PART_LAST=$(fdisk -l /dev/${ROOT_DEV} | grep '^Disk.*sectors' | awk '{ print $7 - 1 }')
+if [ -z "$PART_LAST" ] ; then
+ log_warning_msg "${ROOT_DEV} unable to get last sector of the partition"
+ return 1
+fi
+
+### Since rc.local is run with "sh -e", let's add "|| true" to prevent premature exit
+fdisk /dev/${ROOT_DEV} 2> /dev/null <