Commit bf83715e authored by ping's avatar ping

Add RAM-only mode, shared functions for init, the Ubuntu version as a variable, and Secure Boot

parent f7c44144
Showing with 136 additions and 72 deletions
#!/bin/sh #!/bin/sh
LUKS_FILE="/squash.rootfs" . /scripts/tools
find_active_interface() { SQUASH_FILE="/squash.rootfs"
for iface in $(ls /sys/class/net); do
if [ "$iface" = "lo" ]; then
continue
fi
if [ "$(cat /sys/class/net/$iface/type)" = "1" ]; then
if ip link show "$iface" | grep -q "<BROADCAST,MULTICAST>"; then
echo "Lookup for $iface interface"
dhcpcd -q $iface
exit_code=$?
if [ "$exit_code" -eq 0 ]; then
return 0
fi
fi
fi
done
echo "No active network interface found." >&2
/bin/sh
return 1
}
mount_and_switch() {
SQUASHFS_PATH=$1
echo "Mounting overlay..."
mkdir -p /squash /upper /work /newroot
mount -t squashfs $SQUASHFS_PATH /squash
mount -t overlay -o lowerdir=/squash,upperdir=/upper,workdir=/work overlayfs /newroot
mount -t devtmpfs none /newroot/dev
mount -t proc none /newroot/proc
mount -t sysfs none /newroot/sys
mount -t tmpfs none /newroot/tmp
mount -t devpts none /newroot/dev/pts
exec switch_root /newroot /sbin/init
}
decrypt_with_passphrase() {
cryptsetup open $LUKS_FILE data
exit_code=$?
if [ "$exit_code" -eq 0 ]; then
mount_and_switch /dev/mapper/data
fi
echo "Wrong passphrase"
}
decrypt_with_challenge() {
echo -n "$1" | cryptsetup open $LUKS_FILE data
exit_code=$?
if [ "$exit_code" -eq 0 ]; then
mount_and_switch /dev/mapper/data
fi
echo "Decryption error, possibliy wrong Yubikey"
}
sleep 3 sleep 3
echo "DHCP lookup..." echo "DHCP lookup..."
find_active_interface find_active_interface
wget $(cat /squashfs-url) -O $LUKS_FILE wget $(cat /squashfs-url) -O $SQUASH_FILE
cryptsetup isLuks $SQUASH_FILE
exit_code=$?
if [ ! $exit_code -eq 0 ]; then
mount_and_switch $SQUASH_FILE
fi
echo "Waiting for Yubikey. Press 'p' to enter the passphrase" echo "Waiting for Yubikey"
while true; do while true; do
output=$(ykchalresp -2 -i /scripts/challenge 2>&1) output=$(ykchalresp -2 -i /scripts/challenge 2>&1)
exit_code=$? exit_code=$?
if read -t 1 -n 1 input && [ "$input" = "p" ]; then if read -t 1 -n 1 input && [ "$input" = "p" ]; then
echo "" echo ""
decrypt_with_passphrase decrypt_with_passphrase $SQUASH_FILE
continue continue
fi fi
...@@ -89,5 +33,5 @@ while true; do ...@@ -89,5 +33,5 @@ while true; do
continue continue
fi fi
decrypt_with_challenge $output decrypt_with_challenge $SQUASH_FILE $output
done done
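Review bot: On the new side the download result is never checked before the LUKS test, so a failed or partial `wget` leaves `$SQUASH_FILE` missing or truncated, `cryptsetup isLuks` reports non-zero, and the script falls straight into `mount_and_switch $SQUASH_FILE` — the unencrypted branch that skips the Yubikey/passphrase gate entirely. Any non-LUKS payload served from the URL in `/squashfs-url` takes the same path with no integrity check, so that fallback deserves an explicit opt-in (e.g. a kernel cmdline flag, as `mount_fs` already does for `squashfs_tmpfs`) rather than being the default on error. At minimum guard the fetch, `wget "$(cat /squashfs-url)" -O "$SQUASH_FILE" || { echo "Download failed" >&2; exit 1; }`, and quote `$SQUASH_FILE` in the `isLuks` and `mount_and_switch` calls. The old and new columns are printed side by side here and the `while` loop body is cut by the page between the two hunks.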
#!/bin/bash
mount_and_switch() {
SQUASHFS_PATH=$1
mount_fs $SQUASHFS_PATH
mount -t devtmpfs none /newroot/dev
mount -t proc none /newroot/proc
mount -t sysfs none /newroot/sys
mount -t tmpfs none /newroot/tmp
mount -t devpts none /newroot/dev/pts
exec switch_root /newroot /sbin/init
}
decrypt_with_passphrase() {
SQUASHFS_LUKS=$1
cryptsetup open $1 data
exit_code=$?
if [ "$exit_code" -eq 0 ]; then
mount_and_switch /dev/mapper/data
fi
echo "Wrong passphrase"
}
decrypt_with_challenge() {
SQUASHFS_LUKS=$1
echo -n "$2" | cryptsetup open $SQUASHFS_LUKS data
exit_code=$?
if [ "$exit_code" -eq 0 ]; then
mount_and_switch /dev/mapper/data
fi
echo "Decryption error, possibly wrong Yubikey"
}
mount_fs() {
SQUASHFS_PATH=$1
mkdir -p /newroot/{home, run, tmp, var/log, var/tmp} /rw_home /squash
if grep -q "squashfs_tmpfs" /proc/cmdline; then
echo "Mounting fs on ram..."
mount -t squashfs -o loop,ro $SQUASHFS_PATH /squash
mount -t tmpfs none /newroot
cp -rp /squash/* /newroot
else
echo "Mounting fs..."
mount -t squashfs -o loop,ro "$SQUASHFS_PATH" /newroot
fi
mount -t tmpfs none /rw_home
cp -rp /newroot/home/. /rw_home/
mount -t tmpfs none /newroot/run
mount -t tmpfs none /newroot/tmp
mount -t tmpfs none /newroot/var/log
mount -t tmpfs none /newroot/var/tmp
mount -t tmpfs none /newroot/var/lib/systemd
mount --bind /rw_home /newroot/home
}
find_active_interface() {
for iface in $(ls /sys/class/net); do
if [ "$iface" = "lo" ]; then
continue
fi
if [ "$(cat /sys/class/net/$iface/type)" = "1" ]; then
if ip link show "$iface" | grep -q "<BROADCAST,MULTICAST>"; then
echo "Lookup for $iface interface"
dhcpcd -q $iface
exit_code=$?
if [ "$exit_code" -eq 0 ]; then
return 0
fi
fi
fi
done
echo "No active network interface found." >&2
/bin/sh
return 1
}
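Review bot: The `mkdir -p` line in `mount_fs` has spaces inside the brace list, so the shell splits it into separate words before brace expansion and creates literal directories named `/newroot/{home,`, `run,`, `tmp,`, `var/log,` and `var/tmp}` (the last four relative to the current directory) instead of the intended mount points; write it as `mkdir -p /newroot/{home,run,tmp,var/log,var/tmp} /rw_home /squash`. Note also that `/newroot/var/lib/systemd` is mounted later but is not in that list, and since the squashfs is mounted over `/newroot` afterwards these directories only matter if they also exist inside the image. Separately, `find_active_interface` still runs `/bin/sh` when no interface comes up, which hands an interactive root shell in the initramfs to whoever is at the console; returning 1 and letting the caller decide (retry, reboot or poweroff) is the safer default for a locked-down image. Quote `$SQUASHFS_PATH` on the tmpfs branch as the `else` branch already does.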
...@@ -2,4 +2,4 @@ while [ ! -e /dev/dri/card* ]; do ...@@ -2,4 +2,4 @@ while [ ! -e /dev/dri/card* ]; do
sleep 1 sleep 1
done done
startx startx && poweroff
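Review bot: With `startx && poweroff`, a non-zero exit from `startx` (X failing to start, or the session being killed) skips the `poweroff` and leaves the machine at whatever shell launched this script. If the intent is that the machine always shuts down once the session ends, sequence the two independently, `startx; poweroff`, or handle the failure explicitly. The enclosing script starts before this hunk, so how it is invoked is not visible here.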
#/bin/sh
. tools/functions.sh
echo " [Masking services...]"
run_command_chroot systemctl mask console-setup
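Review bot: The first line `#/bin/sh` is missing the `!`, so it is an ordinary comment rather than a shebang and the script runs under whatever interpreter the caller happens to use; the same slip appears in the challenge-file script (`#/bin/bash`) and the cleanup script (`#/bin/bash`) added in this commit. Write `#!/bin/sh` or `#!/bin/bash`, matching the syntax each script actually uses. If `tools/functions.sh` is the file whose `get_total_size` is added further down, it relies on `[[` and `local`, which suggests `#!/bin/bash` is the right choice for all three.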
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
. tools/functions.sh . tools/functions.sh
echo " [Compiling nexus-exam...]" echo " [Compiling nexus-exam...]"
cd .. pushd .. > /dev/null
run_command make build_nexus-exam SERVER=$SERVER CERT=$CERT EXAM_USER=$EXAM_USER EXAM_PWD=$EXAM_PWD run_command make build_nexus-exam SERVER=$SERVER CERT=$CERT EXAM_USER=$EXAM_USER EXAM_PWD=$EXAM_PWD
check_exit_code $? "Error during nexus-exam compilation" check_exit_code $? "Error during nexus-exam compilation"
if [[ "$ROOTFS_DIR" != /* ]]; then if [[ "$ROOTFS_DIR" != /* ]]; then
...@@ -14,4 +14,4 @@ else ...@@ -14,4 +14,4 @@ else
cp build/nexus-exam $ROOTFS_DIR/usr/local/bin/nexus-exam cp build/nexus-exam $ROOTFS_DIR/usr/local/bin/nexus-exam
fi fi
make clean_client make clean_client
cd - popd > /dev/null
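Review bot: `pushd .. > /dev/null` is not checked, so if it fails the `make build_nexus-exam` on the next line runs in the wrong directory and `check_exit_code` only sees the make result; `pushd .. > /dev/null || exit 1` (or routing it through `check_exit_code`) keeps it in line with the rest of the script. `pushd`/`popd` are bash builtins and the hunk already uses `[[`, so the file's shebang, which is outside this hunk, should be bash. The `if` block is cut by the page between the two hunks.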
#/bin/bash
. tools/functions.sh
echo " [Adding challenge file...]"
echo "$CHALLENGE" > $ROOTFS_DIR/etc/challenge
...@@ -4,5 +4,5 @@ ...@@ -4,5 +4,5 @@
if [ ! -z $PXE_URL ]; then if [ ! -z $PXE_URL ]; then
echo " [Adding PXE url...]" echo " [Adding PXE url...]"
echo -n "$PXE_URL/$LUKS_IMG" > $ROOTFS_DIR/etc/squashfs-url echo -n "$PXE_URL/$SQUASHFS_IMG" > $ROOTFS_DIR/etc/squashfs-url
fi fi
#/bin/bash
. tools/functions.sh
echo " [Cleanup...]"
PACKAGES="casper krb5-locales libatm1t64 libglib2.0-data libnss-systemd libpam-cap logrotate python3-rich rfkill rsyslog systemd-hwe-hwdb systemd-resolved systemd-timesyncd ubuntu-pro-client-l10n xfce4-terminal xxd yubikey-personalization zstd"
run_command_chroot apt remove --purge -y $PACKAGES
...@@ -37,3 +37,15 @@ check_environment_var() { ...@@ -37,3 +37,15 @@ check_environment_var() {
helper helper
fi fi
} }
get_total_size() {
local total=0
for file in "$@"; do
if [[ -f "$file" ]]; then
total=$(( total + $(stat -c%s "$file") ))
else
return 1
fi
done
echo "$total"
}
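Review bot: `get_total_size` folds `$(stat -c%s "$file")` straight into the arithmetic, so if `stat` fails on a file that passes `-f` (unreadable, or a name beginning with `-`) the substitution is empty and `$(( total + ))` is a syntax error instead of the `return 1` the missing-file branch gives. Capture it first, `size=$(stat -c%s -- "$file") || return 1` then `total=$(( total + size ))`, and add a header comment such as `# Sum the sizes in bytes of the given files; prints the total, returns 1 if any argument is not a regular file.` `stat -c` is GNU-specific, which is worth a note if the build host may be BSD or macOS.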