From 5b69dc7c957ee190e7cec8057cad4a3da2a53aa8 Mon Sep 17 00:00:00 2001
From: shimun
Date: Tue, 17 Nov 2020 18:23:54 +0100
Subject: [PATCH] initcpio

---
 PKGBUILD | 5 ++-
 initcpio/hook.sh | 74 +++++++++++++++++++++++++++++++++++++++++++
 initcpio/keyscript.sh | 14 ++++++++
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 initcpio/hook.sh
 create mode 100755 initcpio/keyscript.sh

diff --git a/PKGBUILD b/PKGBUILD
index 99dfb59..38ba4a7 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,10 +17,13 @@ pkgver() {
 build() {
 cargo build --release --locked --all-features --target-dir=target
+ target/release/${pkgname} completions target
 }
 package() {
 install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
 install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
- install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+ install -Dm 644 target/fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+ install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/install/fido2luks"
+ install -Dm 755 ../initcpio/hook.sh "${pkgdir}/usr/lib/initcpio/hooks/fido2luks"
 }
diff --git a/initcpio/hook.sh b/initcpio/hook.sh
new file mode 100644
index 0000000..9812776
--- /dev/null
+++ b/initcpio/hook.sh
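Review bot: The two new `install` lines copy the same `../initcpio/hook.sh` to both `/usr/lib/initcpio/install/fido2luks` and `/usr/lib/initcpio/hooks/fido2luks`, so a single file has to serve as the build-time install script and as the early-userspace hook. The install/ copy is sourced by mkinitcpio on the host, and the new hook.sh opens with `set -ax`, which would leave xtrace and allexport switched on for the remainder of that host-side run; the hooks/ copy in turn ships `build()`/`validate()` and their `add_*` calls into the image, where they have no meaning. Splitting the file into an install script (`build`/`help`) and a separate hook script (`run_hook`) would match how mkinitcpio's own hooks are laid out and keeps the `set -ax` out of the build environment. The diffstat also records a new `initcpio/keyscript.sh` (mode 100755) that no line in this PKGBUILD installs, so it is presumably either unused by the package or meant to get an `install` line here as well.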
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -ax
+
+exit_with() {
+ echo "$1" >&2
+ exit 1
+}
+
+validate() {
+ [ ! -e /etc/fido2luks.conf ] && exit_with "/etc/fido2luks.conf does not exist! Please configure first"
+ . /etc/fido2luks.conf
+ [ ! -e "$FIDO2LUKS_DEVICE" ] && exit_with "FIDO2LUKS_DEVICE='$FIDO2LUKS_DEVICE' does not exist!"
+ [ -z "$FIDO2LUKS_CREDENTIAL_ID" ] && exit_with "FIDO2LUKS_CREDENTIAL_ID must be set!"
+ [ -z "$FIDO2LUKS_MAPPER_NAME" ] && exit_with "FIDO2LUKS_MAPPER_NAME must be set!"
+}
+
+build() {
+ local mod
+ add_binary "cryptsetup"
+ add_module "dm-crypt"
+ add_module "dm-integrity"
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules "/crypto/"
+ fi
+
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_systemd_unit "systemd-ask-password-console.path"
+ add_systemd_unit "systemd-ask-password-console.service"
+
+ # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+ add_binary "/usr/lib/libgcc_s.so.1"
+
+ # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
+ add_binary "mkswap"
+
+ [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
+
+ validate
+ add_file "/etc/fido2luks.conf" "/etc/fido2luks.conf"
+ add_binary "fido2luks"
+ add_runscipt
+}
+
+run_hook() {
+ modprobe -a -q dm-crypt
+ . /etc/fido2luks.conf
+ if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+ export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password 'FIDO2 password salt for $FIDO2LUKS_DEVICE'"
+ fi
+ fido2luks open
+}
+
+help() {
+ cat <