Qubot/armbian-build
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix cryptroot setup with flash-kernel and ssh unlock on newer dropbear versions

Browse Source
This commit is contained in:
Gunjan Gupta 2023-07-31 18:21:13 +05:30 committed by Igor
parent 78aa57982e
commit 154fdb83f9
3 changed files with 20 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
extensions/flash-kernel.sh
View File

@ -74,8 +74,6 @@ function pre_update_initramfs__setup_flash_kernel() {
local chroot_target=$MOUNT local chroot_target=$MOUNT
deploy_qemu_binary_to_chroot "${chroot_target}" deploy_qemu_binary_to_chroot "${chroot_target}"
mount_chroot "$chroot_target/" # this already handles /boot/firmware which is required for it to work. mount_chroot "$chroot_target/" # this already handles /boot/firmware which is required for it to work.
# hack, umount the chroot's /sys, otherwise flash-kernel tries to EFI flash due to the build host (!) being EFI
umount "$chroot_target/sys"
chroot_custom "$chroot_target" chmod -v -x "/etc/kernel/postinst.d/initramfs-tools" chroot_custom "$chroot_target" chmod -v -x "/etc/kernel/postinst.d/initramfs-tools"
chroot_custom "$chroot_target" chmod -v -x "/etc/initramfs/post-update.d/flash-kernel" chroot_custom "$chroot_target" chmod -v -x "/etc/initramfs/post-update.d/flash-kernel"
@ -93,6 +91,9 @@ function pre_update_initramfs__setup_flash_kernel() {
exit 29 exit 29
} }
# hack, umount the chroot's /sys, otherwise flash-kernel tries to EFI flash due to the build host (!) being EFI
umount "$chroot_target/sys"
call_extension_method "pre_flash_kernel" <<- 'PRE_FLASH_KERNEL' call_extension_method "pre_flash_kernel" <<- 'PRE_FLASH_KERNEL'
*run before running flash-kernel* *run before running flash-kernel*
Each board might need different stuff for flash-kernel to work. Implement it here. Each board might need different stuff for flash-kernel to work. Implement it here.

25
extensions/fs-cryptroot-support.sh
View File

@ -19,33 +19,38 @@ function pre_install_kernel_debs__adjust_dropbear_configuration() {
# Adjust initramfs dropbear configuration # Adjust initramfs dropbear configuration
# Needs to be done before kernel installation, else it won't be in the initrd image # Needs to be done before kernel installation, else it won't be in the initrd image
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
declare dropbear_dir="${SDCARD}/etc/dropbear-initramfs"
declare dropbear_config="config"
if [[ -d "${SDCARD}/etc/dropbear/initramfs" ]] ; then
dropbear_dir="${SDCARD}/etc/dropbear/initramfs"
dropbear_config="dropbear.conf"
fi
# Set the port of the dropbear ssh daemon in the initramfs to a different one if configured # Set the port of the dropbear ssh daemon in the initramfs to a different one if configured
# this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!` # this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
[[ -f "${SDCARD}"/etc/dropbear-initramfs/config ]] && [[ -f "${dropbear_dir}/${dropbear_config}" ]] &&
sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '"${CRYPTROOT_SSH_UNLOCK_PORT}"'"/' \ sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-j -k -p '"${CRYPTROOT_SSH_UNLOCK_PORT}"' -s -c cryptroot-unlock"/' \
"${SDCARD}"/etc/dropbear-initramfs/config "${dropbear_dir}/${dropbear_config}"
# setup dropbear authorized_keys, either provided by userpatches or generated # setup dropbear authorized_keys, either provided by userpatches or generated
if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then if [[ -f $USERPATCHES_PATH/dropbear_authorized_keys ]]; then
cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${SDCARD}"/etc/dropbear-initramfs/authorized_keys cp "$USERPATCHES_PATH"/dropbear_authorized_keys "${dropbear_dir}"/authorized_keys
else else
# generate a default ssh key for login on dropbear in initramfs # generate a default ssh key for login on dropbear in initramfs
# this key should be changed by the user on first login # this key should be changed by the user on first login
display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" "" display_alert "Generating a new SSH key pair for dropbear (initramfs)" "" ""
# Make sure that the relevant directory exists
[[ -d "${SDCARD}"/etc/dropbear-initramfs ]] || mkdir "${SDCARD}"/etc/dropbear-initramfs
# Generate the SSH keys # Generate the SSH keys
ssh-keygen -t ecdsa -f "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa \ ssh-keygen -t ecdsa -f "${dropbear_dir}"/id_ecdsa \
-N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1 -N '' -O force-command=cryptroot-unlock -C 'AUTOGENERATED_BY_ARMBIAN_BUILD' 2>&1
# /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file # /usr/share/initramfs-tools/hooks/dropbear will automatically add 'id_ecdsa.pub' to authorized_keys file
# during mkinitramfs of update-initramfs # during mkinitramfs of update-initramfs
#cat "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys #cat "${dropbear_dir}"/id_ecdsa.pub > "${SDCARD}"/etc/dropbear-initramfs/authorized_keys
CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key CRYPTROOT_SSH_UNLOCK_KEY_NAME="${VENDOR}_${REVISION}_${BOARD^}_${RELEASE}_${BRANCH}_${DESKTOP_ENVIRONMENT}".key
# copy dropbear ssh key to image output dir for convenience # copy dropbear ssh key to image output dir for convenience
cp "${SDCARD}"/etc/dropbear-initramfs/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}" cp "${dropbear_dir}"/id_ecdsa "${DEST}/images/${CRYPTROOT_SSH_UNLOCK_KEY_NAME}"
display_alert "SSH private key for dropbear (initramfs) has been copied to:" \ display_alert "SSH private key for dropbear (initramfs) has been copied to:" \
"$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info" "$DEST/images/$CRYPTROOT_SSH_UNLOCK_KEY_NAME" "info"
fi fi

3
lib/functions/image/initrd.sh
View File

@ -57,7 +57,8 @@ update_initramfs() {
if [[ $CRYPTROOT_ENABLE == yes ]]; then if [[ $CRYPTROOT_ENABLE == yes ]]; then
if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then if [[ $CRYPTROOT_SSH_UNLOCK == yes ]]; then
initrd_files_to_hash+=( "${chroot_target}/etc/dropbear-initramfs/" ) [[ -d "${chroot_target}/etc/dropbear-initramfs/" ]] && initrd_files_to_hash+=( "${chroot_target}/etc/dropbear-initramfs/" )
[[ -d "${chroot_target}/etc/dropbear/initramfs/" ]] && initrd_files_to_hash+=( "${chroot_target}/etc/dropbear/initramfs/" )
fi fi
fi fi