Adding ram only, shared func for init, ubuntu version as variable and secure boot

bf83715e · ping · f7c44144 · bf83715e · bf83715e · bf83715e
Commit bf83715e authored 6 months ago by ping
--- a/live_exam_os/config/02-customisation/etc/initramfs-tools/scripts/pxe
+++ b/live_exam_os/config/02-customisation/etc/initramfs-tools/scripts/pxe
 #!/bin/sh

-LUKS_FILE="/squash.rootfs"
+. /scripts/tools

-find_active_interface() {
-    for iface in $(ls /sys/class/net); do
-        if [ "$iface" = "lo" ]; then
-            continue
-        fi
-
-        if [ "$(cat /sys/class/net/$iface/type)" = "1" ]; then
-            if ip link show "$iface" | grep -q "<BROADCAST,MULTICAST>"; then
-                echo "Lookup for $iface interface"
-                dhcpcd -q $iface
-                exit_code=$?
-
-                if [ "$exit_code" -eq 0 ]; then
-                  return 0
-                fi
-            fi
-        fi
-    done
-
-    echo "No active network interface found." >&2
-    /bin/sh
-    return 1
-}
-
-mount_and_switch() {
-  SQUASHFS_PATH=$1
-
-  echo "Mounting overlay..."
-  mkdir -p /squash /upper /work /newroot
-  mount -t squashfs $SQUASHFS_PATH /squash
-
-  mount -t overlay -o lowerdir=/squash,upperdir=/upper,workdir=/work overlayfs /newroot
-  
-  mount -t devtmpfs none /newroot/dev
-  mount -t proc none /newroot/proc
-  mount -t sysfs none /newroot/sys
-  mount -t tmpfs none /newroot/tmp
-  mount -t devpts none /newroot/dev/pts
-  
-  exec switch_root /newroot /sbin/init
-}
-
-decrypt_with_passphrase() {
-  cryptsetup open $LUKS_FILE data
-  exit_code=$?
-  
-  if [ "$exit_code" -eq 0 ]; then
-    mount_and_switch /dev/mapper/data
-  fi
-
-  echo "Wrong passphrase"
-}
-
-decrypt_with_challenge() {
-  echo -n "$1" | cryptsetup open $LUKS_FILE data
-  exit_code=$?
-
-  if [ "$exit_code" -eq 0 ]; then
-    mount_and_switch /dev/mapper/data
-  fi
-
-  echo "Decryption error, possibliy wrong Yubikey"
-}
+SQUASH_FILE="/squash.rootfs"

 sleep 3

 echo "DHCP lookup..."
 find_active_interface

-wget $(cat /squashfs-url) -O $LUKS_FILE
+wget $(cat /squashfs-url) -O $SQUASH_FILE
+
+cryptsetup isLuks $SQUASH_FILE
+exit_code=$?
+if [ ! $exit_code -eq 0 ]; then
+  mount_and_switch $SQUASH_FILE
+fi

-echo "Waiting for Yubikey. Press 'p' to enter the passphrase"
+echo "Waiting for Yubikey"
 while true; do
  output=$(ykchalresp -2 -i /scripts/challenge 2>&1)
  exit_code=$?
  
  if read -t 1 -n 1 input && [ "$input" = "p" ]; then
    echo ""
-    decrypt_with_passphrase
+    decrypt_with_passphrase $SQUASH_FILE
    continue
  fi
  
@@ -89,5 +33,5 @@ while true; do
      continue
  fi
  
-  decrypt_with_challenge $output
+  decrypt_with_challenge $SQUASH_FILE $output
 done
--- a/live_exam_os/config/02-customisation/etc/initramfs-tools/scripts/tools
+++ b/live_exam_os/config/02-customisation/etc/initramfs-tools/scripts/tools
+#!/bin/bash
+
+mount_and_switch() {
+  SQUASHFS_PATH=$1
+
+  mount_fs $SQUASHFS_PATH
+  
+  mount -t devtmpfs none /newroot/dev
+  mount -t proc none /newroot/proc
+  mount -t sysfs none /newroot/sys
+  mount -t tmpfs none /newroot/tmp
+  mount -t devpts none /newroot/dev/pts
+  
+  exec switch_root /newroot /sbin/init
+}
+
+decrypt_with_passphrase() {
+  SQUASHFS_LUKS=$1
+  cryptsetup open $1 data
+  exit_code=$?
+  
+  if [ "$exit_code" -eq 0 ]; then
+    mount_and_switch /dev/mapper/data
+  fi
+
+  echo "Wrong passphrase"
+}
+
+decrypt_with_challenge() {
+  SQUASHFS_LUKS=$1
+  echo -n "$2" | cryptsetup open $SQUASHFS_LUKS data
+  exit_code=$?
+
+  if [ "$exit_code" -eq 0 ]; then
+    mount_and_switch /dev/mapper/data
+  fi
+
+  echo "Decryption error, possibly wrong Yubikey"
+}
+
+mount_fs() {
+  SQUASHFS_PATH=$1
+  mkdir -p /newroot/{home, run, tmp, var/log, var/tmp} /rw_home /squash
+
+  if grep -q "squashfs_tmpfs" /proc/cmdline; then
+    echo "Mounting fs on ram..."
+    mount -t squashfs -o loop,ro $SQUASHFS_PATH /squash
+    mount -t tmpfs none /newroot
+    cp -rp /squash/* /newroot
+  else
+    echo "Mounting fs..."
+    mount -t squashfs -o loop,ro "$SQUASHFS_PATH" /newroot
+  fi
+
+  mount -t tmpfs none /rw_home
+  cp -rp /newroot/home/. /rw_home/
+
+  mount -t tmpfs none /newroot/run
+  mount -t tmpfs none /newroot/tmp
+  mount -t tmpfs none /newroot/var/log
+  mount -t tmpfs none /newroot/var/tmp
+  mount -t tmpfs none /newroot/var/lib/systemd
+  mount --bind /rw_home /newroot/home
+}
+
+
+find_active_interface() {
+    for iface in $(ls /sys/class/net); do
+        if [ "$iface" = "lo" ]; then
+            continue
+        fi
+
+        if [ "$(cat /sys/class/net/$iface/type)" = "1" ]; then
+            if ip link show "$iface" | grep -q "<BROADCAST,MULTICAST>"; then
+                echo "Lookup for $iface interface"
+                dhcpcd -q $iface
+                exit_code=$?
+
+                if [ "$exit_code" -eq 0 ]; then
+                  return 0
+                fi
+            fi
+        fi
+    done
+
+    echo "No active network interface found." >&2
+    /bin/sh
+    return 1
+}
--- a/live_exam_os/config/02-customisation/home/user/.profile
+++ b/live_exam_os/config/02-customisation/home/user/.profile
@@ -2,4 +2,4 @@ while [ ! -e /dev/dri/card* ]; do
    sleep 1
 done

-startx
+startx && poweroff
--- a/live_exam_os/config/03-post_install/2500-disable_services.sh
+++ b/live_exam_os/config/03-post_install/2500-disable_services.sh
+#/bin/sh
+
+. tools/functions.sh
+
+echo " [Masking services...]"
+run_command_chroot systemctl mask console-setup
--- a/live_exam_os/config/03-post_install/3000-nexus_exam.sh
+++ b/live_exam_os/config/03-post_install/3000-nexus_exam.sh
@@ -3,7 +3,7 @@
 . tools/functions.sh

 echo " [Compiling nexus-exam...]"
-cd ..
+pushd ..  > /dev/null
 run_command make build_nexus-exam SERVER=$SERVER CERT=$CERT EXAM_USER=$EXAM_USER EXAM_PWD=$EXAM_PWD
 check_exit_code $? "Error during nexus-exam compilation"
 if [[ "$ROOTFS_DIR" != /* ]]; then
@@ -14,4 +14,4 @@ else
  cp build/nexus-exam $ROOTFS_DIR/usr/local/bin/nexus-exam
 fi
 make clean_client
-cd -
+popd  > /dev/null
--- a/live_exam_os/config/03-post_install/5000-push_challenge.sh
+++ b/live_exam_os/config/03-post_install/5000-push_challenge.sh
+#/bin/bash
+
+. tools/functions.sh
+
+ echo " [Adding challenge file...]"
+ echo "$CHALLENGE" > $ROOTFS_DIR/etc/challenge
--- a/live_exam_os/config/03-post_install/5000-pxe.sh
+++ b/live_exam_os/config/03-post_install/5000-pxe.sh
@@ -4,5 +4,5 @@

 if [ ! -z $PXE_URL ]; then
  echo " [Adding PXE url...]"
-  echo -n "$PXE_URL/$LUKS_IMG" > $ROOTFS_DIR/etc/squashfs-url
+  echo -n "$PXE_URL/$SQUASHFS_IMG" > $ROOTFS_DIR/etc/squashfs-url
 fi
--- a/live_exam_os/config/03-post_install/9999-initramfs.sh
+++ b/live_exam_os/config/03-post_install/9999-initramfs.sh
--- a/live_exam_os/config/03-post_install/9999-cleanup.sh
+++ b/live_exam_os/config/03-post_install/9999-cleanup.sh
+#/bin/bash
+
+. tools/functions.sh
+
+echo " [Cleanup...]"
+PACKAGES="casper krb5-locales libatm1t64 libglib2.0-data libnss-systemd libpam-cap logrotate python3-rich rfkill rsyslog systemd-hwe-hwdb systemd-resolved systemd-timesyncd ubuntu-pro-client-l10n xfce4-terminal xxd yubikey-personalization zstd"
+run_command_chroot apt remove --purge -y $PACKAGES
--- a/live_exam_os/tools/functions.sh
+++ b/live_exam_os/tools/functions.sh
@@ -37,3 +37,15 @@ check_environment_var() {
    helper
  fi
 }
+
+get_total_size() {
+    local total=0
+    for file in "$@"; do
+        if [[ -f "$file" ]]; then
+            total=$(( total + $(stat -c%s "$file") ))
+        else
+            return 1
+        fi
+    done
+    echo "$total"
+}