[PATCH] Support for LUKS-contained encrypted rootfs
Hi,
I'd like to submit these small patches to live-build and live-boot which
allow me to build a useable encrypted live root filesystem using
cryptsetup and LUKS.
These are surely not fit for merging as-is, but I'm providing it in the
hope that it might provide some kind of baseline for the return of
encrypted rootfs in debian-live.
Some notes :
* This code is barely tested, please don't use it on anything but a test
build system.
* The cryptsetup package still needs to be added manually using a
package-list. I couldn't figure out the right way to install it
automatically in the chroot stage.
* The live-boot parameter to use is encryption=luks.
* The config/binary parameter to use is LB_LUKS_ENCRYPTION="true".
* The aforementioned variable and parameter names might need to be
changed to something else for namespace consistency.
* cryptsetup operations in binary stage execute outside of the chroot only.
* The interactive part of binary_luks_encryption is flaky, it could be a
lot more robust I think.
* I didn't take the liberty of patching out cryptoloop support from
live-boot, however that might need to be considered due to its
deprecated status.
Regards,
-- Jerome
diff --git a/components/9990-misc-helpers.sh b/components/9990-misc-helpers.sh
index 2bf2db1..9df8b68 100755
--- a/components/9990-misc-helpers.sh
+++ b/components/9990-misc-helpers.sh
@@ -614,6 +614,10 @@ setup_loop ()
if [ -z "${encryption}" ]
then
losetup ${options} "${dev}" "${fspath}"
+ elif [ "${encryption}" = "luks" ]
+ then
+ losetup ${options} "${dev}" "${fspath}"
+ dev=$(open_luks_device "${dev}")
else
# Loop AES encryption
while true
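Review bot: In the new `luks` branch the result of `open_luks_device` is assigned straight to `dev` with no check, so a failed unlock (wrong passphrase, missing cryptsetup in the initramfs) would leave `dev` empty or holding whatever the helper printed, while the loop device from the preceding `losetup` stays attached. Capturing into a separate variable keeps the loop device name available for cleanup: `luks_dev=$(open_luks_device "${dev}") || { losetup -d "${dev}"; return 1; }` followed by `dev="${luks_dev}"`. `open_luks_device` is not defined in this patch, so it presumably already exists in live-boot; it is worth confirming that it prints only the mapper path on stdout. setup_loop starts and ends outside the hunk, so how it reports failure to its caller should be checked before settling on `return 1`.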
diff --git a/scripts/build/binary b/scripts/build/binary
index 60e0532..f8bdc27 100755
--- a/scripts/build/binary
+++ b/scripts/build/binary
@@ -68,6 +68,7 @@ lb binary_disk ${@}
lb binary_loadlin ${@}
lb binary_win32-loader ${@}
lb binary-includes ${@}
+lb binary_luks_encryption ${@}
lb binary-hooks ${@}
lb binary_checksums ${@}
diff --git a/scripts/build/binary_luks_encryption b/scripts/build/binary_luks_encryption
new file mode 100755
index 0000000..b68a59c
--- /dev/null
+++ b/scripts/build/binary_luks_encryption
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="$(Echo 'create rootfs luks container')"
+HELP=""
+USAGE="${PROGRAM}"
+
+Arguments "${@}"
+
+# Reading configuration files
+Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
+Set_defaults
+
+if [ "${LB_LUKS_ENCRYPTION}" != "true" ]
+then
+ return 0
+fi
+
+# Requiring stage file
+Require_stagefile .build/binary_rootfs
+
+# Checking stage file
+Check_stagefile .build/binary_luks_encryption
+
+# Checking lock file
+Check_lockfile .lock
+
+# Creating lock file
+Create_lockfile .lock
+
+case "${LB_INITRAMFS}" in
+ casper)
+ INITFS="casper"
+ ;;
+
+ live-boot)
+ INITFS="live"
+ ;;
+
+ *)
+ INITFS="boot"
+ ;;
+esac
+
+# Checking depends
+Check_package chroot/sbin/cryptsetup cryptsetup
+
+# Restoring cache
+Restore_cache cache/packages.binary
+
+# Installing depends
+Install_package
+
+# Find available loop device
+LOOPDEV=$(losetup -f)
+
+# Calculate LUKS container size by adding 4k for the LUKS header
+BLOCKS=$(ls -l --block-size=512 binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM} | awk '{print $5+4096}')
+
+Echo_message "Begin creating LUKS encrypted container for root filesystem..."
+
+dd if=/dev/zero of=binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp bs=512 count=1 seek=${BLOCKS}
+losetup ${LOOPDEV} binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp
+
+# Check if /dev/mapper/live is available
+if /sbin/cryptsetup status live 1>/dev/null 2>&1
+then
+ log_warning_msg "Couldn't create LUKS device 'live', already open"
+ return 1
+fi
+
+while true
+do
+
+ echo
+ echo " **************************************"
+ Echo " ** Configuring encrypted filesystem **"
+ echo " **************************************"
+ echo
+
+ /lib/cryptsetup/askpass "Enter root filesystem passphrase : " | \
+ /sbin/cryptsetup --batch-mode --key-file - luksFormat ${LOOPDEV}
+
+ echo
+ if /lib/cryptsetup/askpass "Confirm root filesystem passphrase : " | \
+ /sbin/cryptsetup -T 1 luksOpen ${LOOPDEV} live
+ then
+ echo
+ break
+ fi
+
+ echo
+ echo -n "There was an error creating the LUKS container ... Retry? [Y/n] "
+ read answer
+
+ if [ "$(echo "${answer}" | cut -b1 | tr A-Z a-z)" = "n" ]
+ then
+ return 1
+ fi
+done
+
+Echo_message "Begin moving root filesystem into encrypted LUKS container..."
+
+dd if=binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM} of=/dev/mapper/live bs=512
+
+# Close LUKS container
+cryptsetup luksClose /dev/mapper/live
+losetup -d ${LOOPDEV}
+
+# Move LUKS container into place
+mv binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}
+
+# Creating stage file
+Create_stagefile .build/binary_luks_encryption
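Review bot: Every failure path after `losetup ${LOOPDEV} …` (the `return 1` when `live` is already open, the `return 1` on a declined retry, and any `set -e` abort in `dd` or `cryptsetup`) leaves the loop device attached, the `.tmp` container on disk and possibly `/dev/mapper/live` still unlocked, because nothing in the script undoes these steps. An EXIT trap installed before the first `losetup` covers all of them, and `losetup -f --show FILE` allocates and attaches in one step instead of a separate `losetup -f` lookup that another process can win. The script is executed rather than sourced, so `return` outside a function is not portable across `/bin/sh` implementations and `exit` is the safer spelling; `log_warning_msg` is also not defined in this patch and presumably should be the build-side counterpart of `Echo_message`. `Check_package chroot/sbin/cryptsetup cryptsetup` checks the chroot while every call runs the host's `/sbin/cryptsetup` and `/lib/cryptsetup/askpass`, so a host without cryptsetup fails only after the lock file and container exist. The excerpt below shows the cleanup and the affected call sites only.

```shell
# … unchanged: configuration, stage file and lock handling, Check_package …

CONTAINER="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}.tmp"
LOOPDEV=""
LUKS_OPEN="false"

Cleanup ()
{
	# Only close the mapping if this run opened it
	if [ "${LUKS_OPEN}" = "true" ]
	then
		/sbin/cryptsetup luksClose live || true
	fi

	[ -z "${LOOPDEV}" ] || losetup -d "${LOOPDEV}" || true
	rm -f "${CONTAINER}"
}

trap Cleanup EXIT

# Refuse to continue before anything is attached
if /sbin/cryptsetup status live 1>/dev/null 2>&1
then
	Echo_message "Couldn't create LUKS device 'live', already open"
	exit 1
fi

dd if=/dev/zero of="${CONTAINER}" bs=512 count=1 seek="${BLOCKS}"
LOOPDEV="$(losetup -f --show "${CONTAINER}")"

# … unchanged: passphrase loop; set LUKS_OPEN="true" right after luksOpen succeeds,
#   and use 'exit 1' instead of 'return 1' on a declined retry …

# … unchanged: dd of the plain filesystem into /dev/mapper/live …

/sbin/cryptsetup luksClose live
LUKS_OPEN="false"
losetup -d "${LOOPDEV}"
LOOPDEV=""

# … unchanged: mv of the container into place, Create_stagefile …
```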
diff --git a/scripts/build/config b/scripts/build/config
index e3ae141..aa1f220 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -122,7 +122,8 @@ USAGE="${PROGRAM} [--apt apt|aptitude]\n\
\t [--win32-loader true|false]\n\
\t [--bootstrap-qemu-exclude PACKAGES]\n\
\t [--bootstrap-qemu-static PATH]\n\
-\t [--bootstrap-qemu-arch ARCH]"
+\t [--bootstrap-qemu-arch ARCH]\n
+\t [--luks-encryption true|false]"
Local_arguments ()
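Review bot: The rewritten `--bootstrap-qemu-arch` line ends in `\n` without the trailing backslash that the neighbouring USAGE lines carry (`\n\`), so the string gains a literal newline in addition to the escaped one and the usage output will show a blank line before `--luks-encryption`. The line should read `\t [--bootstrap-qemu-arch ARCH]\n\` to match the rest of the block. The USAGE assignment begins above the hunk, so the other entries were not checked.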
@@ -147,7 +148,7 @@ Local_arguments ()
net-cow-server:,net-tarball:,firmware-binary:,firmware-chroot:,swap-file-path:,swap-file-size:,
loadlin:,win32-loader:,source:,source-images:,breakpoints,conffile:,debug,force,
help,ignore-system-defaults,quiet,usage,verbose,version,bootstrap-qemu-static:,bootstrap-qemu-arch:,
- bootstrap-qemu-exclude:"
+ bootstrap-qemu-exclude:,luks-encryption:"
# Remove spaces added by indentation
LONG_OPTIONS="$(echo ${LONG_OPTIONS} | tr -d ' ')"
ARGUMENTS="$(getopt --longoptions ${LONG_OPTIONS} --name="${PROGRAM}" --options a:f:d:m:l:k:p:b:e:s:c:huv --shell sh -- "${@}")"
@@ -703,6 +704,11 @@ Local_arguments ()
shift 2
;;
+ --luks-encryption)
+ LB_LUKS_ENCRYPTION="${2}"
+ shift 2
+ ;;
+
# config/source
--source)
LB_SOURCE="${2}"
@@ -1307,6 +1313,10 @@ LB_SWAP_FILE_PATH="${LB_SWAP_FILE_PATH}"
# \$LB_SWAP_FILE_SIZE: set swap file size
# (Default: ${LB_SWAP_FILE_SIZE})
LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}"
+
+# \$LB_LUKS_ENCRYPTION: encrypt rootfs using luks
+# (Default: ${LB_LUKS_ENCRYPTION})
+LB_LUKS_ENCRYPTION="${LB_LUKS_ENCRYPTION}"
EOF
# Creating lb_source_* configuration
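Review bot: `LB_LUKS_ENCRYPTION` is written into the generated config with `(Default: ${LB_LUKS_ENCRYPTION})`, but nothing in this patch gives it a default, so unless `Set_defaults` is extended elsewhere the file will show an empty default and an empty value. The `--luks-encryption` case in the earlier hunk also stores `${2}` unvalidated, and `binary_luks_encryption` only compares against `"true"`, so a typo such as `True` or `yes` silently produces an unencrypted image. For a setting whose failure mode is shipping a plaintext rootfs, a default of `false` in the defaults function and a check that rejects anything other than `true` or `false` would make that mistake visible at config time. The heredoc that this hunk extends starts outside the hunk.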