authorMauro Santos2015-11-10 00:55:42 +0000
committerMauro Santos2015-11-10 00:55:42 +0000
commit2a9958aed5c09a50e6080d672fcd3469d82201ad (patch)
tree298cef4a881fe9113deb02fc2e56d4d9926fa9c8
parent16cd45fae2ab67ee94ca3e362b74f32e6e459b3d (diff)
downloadaur-2a9958aed5c09a50e6080d672fcd3469d82201ad.tar.gz
Add custom PBA script to support keyfile, yubikey and password.
-rw-r--r--.SRCINFO20
-rw-r--r--PKGBUILD33
-rw-r--r--getpasswd.c47
-rwxr-xr-xlinuxpba-arch122
-rw-r--r--linuxpba.conf8
-rw-r--r--linuxpba.conf.etc38
-rw-r--r--linuxpba.conf.lib3
-rw-r--r--linuxpba.install36
-rwxr-xr-xmklinuxpba-bios8
-rwxr-xr-xmklinuxpba-initramfs4
10 files changed, 286 insertions, 33 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 9d6411a4ae8a..750294840976 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = sedutil
pkgdesc = TCG OPAL 2.00 SED Management Program
pkgver = 1.10
- pkgrel = 1
+ pkgrel = 2
url = https://github.com/Drive-Trust-Alliance/sedutil
install = sedutil.install
arch = i686
@@ -9,20 +9,28 @@ pkgbase = sedutil
license = GPL3
optdepends = syslinux: to create a bootable PBA disk image
optdepends = intel-ucode: microcode update files for Intel CPUs
+ optdepends = yubikey-personalization: for yubikey support
+ backup = etc/linuxpba/linuxpba.conf
source = sedutil-1.10.tar.gz::https://github.com/Drive-Trust-Alliance/sedutil/archive/1.10.tar.gz
source = extlinux.conf
source = mklinuxpba-initramfs
source = mklinuxpba-bios
- source = linuxpba.conf
+ source = linuxpba-arch
+ source = linuxpba.conf.etc
+ source = linuxpba.conf.lib
source = linuxpba.hook
source = linuxpba.install
+ source = getpasswd.c
sha256sums = 31b1006a1f65b83fb419635f21a02bfb99bed8d4d6b351f566831af3682165dd
sha256sums = 5ab7ef67fea0f4e370d8f0a4da87636a1df18e0edb0152d08f906f38280cc0e8
- sha256sums = c66318cb2ddd357de927ab47eb3ec4618a4353ad06e5bd48e6676d77b48b323d
- sha256sums = 046e481ffca77f222f4c044e32427f25bca12ac9a5e6832ea657596f8fd84228
- sha256sums = 9273e9c5d5ce54be31a49ec42839b06d0e54752a19c9e6d4643793174ee9214e
+ sha256sums = 77c725e4eee095dbede512d2bca13b8f2c139a67b9b87a11d98be94e6df0e1d7
+ sha256sums = c599c6066f23aa403cd7c4c43b9b9900079cdbb7bc0b97c79e70a2383864646f
+ sha256sums = 7b2ffee83e775f9225728f2457752e20792112148079490f95e7b3b72ee0db30
+ sha256sums = b444dc45933db1ba893ad1a4c6a9a7405b2332ae11b5db8dc86c6dae45776948
+ sha256sums = fb23e2697cb5d8e3240ed6cd9345c40606defd298405938020e7efffe9cbebed
sha256sums = d9a7b66d8365e7f4eb0233b30c0ab70b5e978f6554960bf12994a1f0910c1447
- sha256sums = 7c32370c3405fc33359c1fc5bb243f387c71ca454e9da88348669fd383f04558
+ sha256sums = b20ec0ee18cf8cbdad7e2154fdad3e0c4ba3b65471c750464c69f23318e4e80d
+ sha256sums = e94d011c98bd336f37d6d4923e5d63a22ebd10d8f2c6486b6bcd6617524d6484
pkgname = sedutil
diff --git a/PKGBUILD b/PKGBUILD
index 6db16a0b666d..b25c173abaef 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,32 +2,42 @@
pkgname=sedutil
pkgver=1.10
-pkgrel=1
+pkgrel=2
pkgdesc="TCG OPAL 2.00 SED Management Program"
arch=('i686' 'x86_64')
url="https://github.com/Drive-Trust-Alliance/sedutil"
license=('GPL3')
optdepends=('syslinux: to create a bootable PBA disk image'
- 'intel-ucode: microcode update files for Intel CPUs')
+ 'intel-ucode: microcode update files for Intel CPUs'
+ 'yubikey-personalization: for yubikey support')
+backup=('etc/linuxpba/linuxpba.conf')
install=sedutil.install
source=("${pkgname}-${pkgver}.tar.gz::https://github.com/Drive-Trust-Alliance/${pkgname}/archive/${pkgver}.tar.gz"
'extlinux.conf'
'mklinuxpba-initramfs'
'mklinuxpba-bios'
- 'linuxpba.conf'
+ 'linuxpba-arch'
+ 'linuxpba.conf.etc'
+ 'linuxpba.conf.lib'
'linuxpba.hook'
- 'linuxpba.install')
+ 'linuxpba.install'
+ 'getpasswd.c')
sha256sums=('31b1006a1f65b83fb419635f21a02bfb99bed8d4d6b351f566831af3682165dd'
'5ab7ef67fea0f4e370d8f0a4da87636a1df18e0edb0152d08f906f38280cc0e8'
- 'c66318cb2ddd357de927ab47eb3ec4618a4353ad06e5bd48e6676d77b48b323d'
- '046e481ffca77f222f4c044e32427f25bca12ac9a5e6832ea657596f8fd84228'
- '9273e9c5d5ce54be31a49ec42839b06d0e54752a19c9e6d4643793174ee9214e'
+ '77c725e4eee095dbede512d2bca13b8f2c139a67b9b87a11d98be94e6df0e1d7'
+ 'c599c6066f23aa403cd7c4c43b9b9900079cdbb7bc0b97c79e70a2383864646f'
+ '7b2ffee83e775f9225728f2457752e20792112148079490f95e7b3b72ee0db30'
+ 'b444dc45933db1ba893ad1a4c6a9a7405b2332ae11b5db8dc86c6dae45776948'
+ 'fb23e2697cb5d8e3240ed6cd9345c40606defd298405938020e7efffe9cbebed'
'd9a7b66d8365e7f4eb0233b30c0ab70b5e978f6554960bf12994a1f0910c1447'
- '7c32370c3405fc33359c1fc5bb243f387c71ca454e9da88348669fd383f04558')
+ 'b20ec0ee18cf8cbdad7e2154fdad3e0c4ba3b65471c750464c69f23318e4e80d'
+ 'e94d011c98bd336f37d6d4923e5d63a22ebd10d8f2c6486b6bcd6617524d6484')
PKGEXT='.pkg.tar'
CPPFLAGS="$CPPFLAGS -O2"
build() {
+ cd "${srcdir}/"
+ gcc -Wall -o getpasswd getpasswd.c
cd "${srcdir}/${pkgname}-${pkgver}/linux/CLI/"
make CONF=Release_$CARCH build
cd "${srcdir}/${pkgname}-${pkgver}/LinuxPBA/"
@@ -41,9 +51,12 @@ package() {
install -Dm755 "LinuxPBA/dist/Release_$CARCH/GNU-Linux-x86/linuxpba" "${pkgdir}/usr/bin/linuxpba"
install -Dm755 "${srcdir}/mklinuxpba-initramfs" "${pkgdir}/usr/bin/mklinuxpba-initramfs"
install -Dm755 "${srcdir}/mklinuxpba-bios" "${pkgdir}/usr/bin/mklinuxpba-bios"
+ install -Dm755 "${srcdir}/linuxpba-arch" "${pkgdir}/usr/bin/linuxpba-arch"
+ install -Dm755 "${srcdir}/getpasswd" "${pkgdir}/usr/bin/getpasswd"
install -Dm644 "${srcdir}/linuxpba.hook" "${pkgdir}/usr/lib/initcpio/hooks/linuxpba"
install -Dm644 "${srcdir}/linuxpba.install" "${pkgdir}/usr/lib/initcpio/install/linuxpba"
- install -Dm644 "${srcdir}/linuxpba.conf" "${pkgdir}/etc/linuxpba/linuxpba.conf"
- install -Dm644 "${srcdir}/extlinux.conf" "${pkgdir}/etc/linuxpba/extlinux.conf"
+ install -Dm644 "${srcdir}/linuxpba.conf.etc" "${pkgdir}/etc/linuxpba/linuxpba.conf"
+ install -Dm644 "${srcdir}/linuxpba.conf.lib" "${pkgdir}/usr/lib/linuxpba/linuxpba.conf"
+ install -Dm644 "${srcdir}/extlinux.conf" "${pkgdir}/usr/lib/linuxpba/extlinux.conf"
}
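Review bot: The added `gcc -Wall -o getpasswd getpasswd.c` line in build() bypasses makepkg's toolchain variables: CPPFLAGS is set on the line just above it, yet the command uses neither it nor the CFLAGS/LDFLAGS that makepkg exports from makepkg.conf (which on Arch carry the hardening flags), and it hard-codes gcc instead of honouring CC. Suggested line: `${CC:-gcc} $CPPFLAGS $CFLAGS $LDFLAGS -Wall -o getpasswd getpasswd.c`. The preceding `cd "${srcdir}/"` is redundant, since makepkg already runs build() from $srcdir, but is harmless. build() continues past the end of the first hunk.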
diff --git a/getpasswd.c b/getpasswd.c
new file mode 100644
index 000000000000..8cda21159b11
--- /dev/null
+++ b/getpasswd.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <termios.h>
+
+int main(){
+
+ struct termios termold, termnew;
+ tcgetattr(fileno(stdin), &termold);
+ termnew = termold;
+ termnew.c_lflag &= ~ECHO;
+ termnew.c_cc[VINTR] = '\0';
+ termnew.c_cc[VEOF] = '\0';
+ termnew.c_cc[VKILL] = '\0';
+ termnew.c_cc[VLNEXT] = '\0';
+ termnew.c_cc[VQUIT] = '\0';
+ termnew.c_cc[VSTART] = '\0';
+ termnew.c_cc[VSTOP] = '\0';
+ termnew.c_cc[VSUSP] = '\0';
+ termnew.c_cc[VWERASE] = '\0';
+ tcsetattr(fileno(stdin), TCSANOW, &termnew);
+
+ char *line = NULL;
+ size_t len = 0;
+ size_t read;
+ read = getline(&line, &len, stdin);
+
+ tcsetattr(fileno(stdin), TCSANOW, &termold);
+
+ printf("%.*s",(int)read-1,line);
+
+ free(line);
+
+ return 0;
+
+}
+
+/* Using getpass() - deprecated
+ *
+ * #include <stdio.h>
+ * #include <unistd.h>
+ *
+ * int main(){
+ * char *passwd = getpass("");
+ * printf("%s",passwd);
+ * }
+ *
+ */
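Review bot: `size_t read` stores the ssize_t result of getline(), so the -1 returned on EOF or a read error becomes SIZE_MAX and `(int)read-1` hands printf a negative precision, which prints the whole buffer (and `line` may still be NULL when nothing was allocated); the unconditional `read-1` also drops the last character of input that ends without a newline. Use ssize_t, return non-zero on a negative result, and strip the newline only when it is present. The results of tcgetattr()/tcsetattr() are unchecked, so a non-terminal stdin proceeds with echo still on, and the buffer holding the secret is freed without being cleared — clear it first (needs string.h; explicit_bzero where available, since a plain memset before free may be optimised away). The caller loop in linuxpba-arch re-prompts on empty output, so a non-zero exit with no output is the safe failure mode.

```c
int main(void){
	struct termios termold, termnew;
	if (tcgetattr(fileno(stdin), &termold) != 0)
		return 1;   /* stdin is not a terminal: refuse rather than echo the secret */
	/* … unchanged: termnew setup (ECHO off, control characters cleared) … */
	if (tcsetattr(fileno(stdin), TCSANOW, &termnew) != 0)
		return 1;

	char *line = NULL;
	size_t len = 0;
	ssize_t n = getline(&line, &len, stdin);

	tcsetattr(fileno(stdin), TCSANOW, &termold);

	int status = 0;
	if (n < 0) {
		status = 1;                 /* EOF or read error: emit nothing */
	} else {
		if (n > 0 && line[n - 1] == '\n')
			n--;                    /* strip the newline only when present */
		fwrite(line, 1, (size_t)n, stdout);
	}
	if (line != NULL) {
		memset(line, 0, len);       /* clear the secret before releasing it */
		free(line);
	}
	return status;
}
```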
diff --git a/linuxpba-arch b/linuxpba-arch
new file mode 100755
index 000000000000..83748caec088
--- /dev/null
+++ b/linuxpba-arch
@@ -0,0 +1,122 @@
+#!/usr/bin/ash
+
+SED_STATUS(){
+ NAME=$1
+ SERIAL=$2
+ LOCKED=$3
+ MBRDONE=$4
+}
+
+KEYRING="/etc/linuxpba/keyring.luks"
+SED_PASSWD=""
+
+echo ""
+
+if [[ -e "$KEYRING" ]]
+then
+
+ . /etc/linuxpba/linuxpba.conf
+
+ if [[ -e "/usr/bin/ykchalresp" && -e "/usr/bin/ykinfo" ]]
+ then
+ ykinfo -s &>/dev/null
+ if [[ $? -eq 0 ]]
+ then
+ echo "Press the Yubikey button if it is blinking."
+ KEYFOB_PASSWD="$(ykchalresp -2 "$YKCHAL" 2>/dev/null)"
+ fi
+ fi
+
+ if [[ "x$KEYFOB_PASSWD" != "x" && "x$SED_PASSWD" = "x" ]]
+ then
+ echo -n "Unlocking keyring with yubikey password ... "
+ echo -n "$KEYFOB_PASSWD" | cryptsetup --key-file - open --type luks \
+ "$KEYRING" keyring &>/dev/null
+ if [[ $? -ne 0 ]]
+ then
+ echo "FAIL"
+ else
+ echo "OK"
+ SED_PASSWD="$(cat /dev/mapper/keyring)"
+ cryptsetup close keyring
+ fi
+ fi
+
+ if [[ "x$SED_PASSWD" = "x" ]]
+ then
+ WAIT=6
+ while [[ ! -b "$KFNAME" && "$WAIT" -gt 0 ]]
+ do
+ sleep 0.5
+ let WAIT-=1
+ done
+ fi
+
+ if [[ -e "$KFNAME" && "x$SED_PASSWD" = "x" ]]
+ then
+ echo -n "Unlocking keyring with keyfile ... "
+ cryptsetup --key-file "$KFNAME" --keyfile-offset "$KFSKIP" \
+ --keyfile-size "$KFSIZE" open --type luks "$KEYRING" keyring &>/dev/null
+ if [[ $? -ne 0 ]]
+ then
+ echo "FAIL"
+ else
+ echo "OK"
+ SED_PASSWD="$(cat /dev/mapper/keyring)"
+ cryptsetup close keyring
+ fi
+ fi
+fi
+
+while [[ "x$SED_PASSWD" = "x" ]]
+do
+ echo -n "Enter password to unlock the OPAL drives: "
+ SED_PASSWD="$(getpasswd)"
+ echo ""
+done
+
+ERRORS=0
+
+for DRIVE in $(sedutil-cli --scan 2>/dev/null | awk '$1 ~ "/dev/sd" && $2 !~ "No" {print $1}')
+do
+ [[ "x$DRIVE" = "x" ]] && continue
+ SED_STATUS $(sedutil-cli --query $DRIVE | awk 'NR==2 {name=$3; serial=$5} NR==6 {gsub(",","",$0);lock=$3; mbr=$12} END {print name,serial,lock,mbr}')
+ if [[ "$LOCKED" = "Y" ]]
+ then
+ echo -n "Unlocking $NAME $SERIAL ($DRIVE) ... "
+ sedutil-cli --setLockingRange 0 RW "$SED_PASSWD" "$DRIVE" &>/dev/null
+ if [[ $? -ne 0 ]]
+ then
+ echo "FAIL"
+ let ERRORS+=1
+ continue
+ else
+ echo "OK"
+ fi
+ fi
+ if [[ "$MBRDONE" = "N" ]]
+ then
+ echo -n "Setting MBR DONE on $NAME $SERIAL ($DRIVE) ... "
+ sedutil-cli --setMBRDone on "$SED_PASSWD" "$DRIVE" &>/dev/null
+ if [[ $? -ne 0 ]]
+ then
+ echo "FAIL"
+ let ERRORS+=1
+ continue
+ else
+ echo "OK"
+ fi
+ fi
+done
+
+if [[ "$ERRORS" -gt 0 && "$WAIT_ON_ERRORS" -eq 1 ]]
+then
+ echo ""
+ echo "Some operations failed, drive(s) may not be fully unlocked and accessible!"
+ echo "Press ENTER to reboot."
+ getpasswd > /dev/null
+fi
+
+echo "Rebooting..."
+
+reboot -f
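Review bot: `. /etc/linuxpba/linuxpba.conf` sits inside `if [[ -e "$KEYRING" ]]`, so on a system without a keyring file `WAIT_ON_ERRORS` is never set and the final `[[ "$ERRORS" -gt 0 && "$WAIT_ON_ERRORS" -eq 1 ]]` compares against an empty string — the configured wait-before-reboot is lost on the password-only path (and depending on how ash treats an empty -eq operand the test may error instead). Source the file before the keyring check, guarded, and give the setting a default: `[[ -r /etc/linuxpba/linuxpba.conf ]] && . /etc/linuxpba/linuxpba.conf` in place of the current sourcing line, and `"${WAIT_ON_ERRORS:-1}" -eq 1` in the final test. The hook in linuxpba.install only copies the conf into the image inside its keyring branch (`add_file "/etc/linuxpba/linuxpba.conf"`), so that add_file needs to move out of the branch as well for this to work. Separately, `sedutil-cli --query $DRIVE` leaves $DRIVE unquoted while every other use of it is quoted.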
diff --git a/linuxpba.conf b/linuxpba.conf
deleted file mode 100644
index 17cd05371a44..000000000000
--- a/linuxpba.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-MODULES=""
-BINARIES=""
-FILES=""
-HOOKS="base udev autodetect block keymap keyboard linuxpba"
-
-#COMPRESSION=<gzip|bzip2|lzma|xz|lzop|lz4>
-COMPRESSION="xz"
-#COMPRESSION_OPTIONS=""
diff --git a/linuxpba.conf.etc b/linuxpba.conf.etc
new file mode 100644
index 000000000000..d70f596877e8
--- /dev/null
+++ b/linuxpba.conf.etc
@@ -0,0 +1,38 @@
+### mkinitcpio options ###
+
+MODULES=""
+BINARIES=""
+FILES=""
+HOOKS="base udev autodetect block keymap keyboard linuxpba"
+
+#COMPRESSION=<gzip|bzip2|lzma|xz|lzop|lz4>
+COMPRESSION="xz"
+#COMPRESSION_OPTIONS=""
+
+
+### linuxpba options ###
+
+# Use the PBA agent from sedutil that supports only password input
+# or use custom the PBA agent that supports keyfile, yubikey and
+# password input. This will result in the smallest initramfs image.
+# All the settings below this one only have any effect if USE_SEDUTIL_PBA=0
+USE_SEDUTIL_PBA=1
+
+# The challenge to send to the yubikey. The response will unlock the
+# keyring file. Use the challenge configured here as the challenge when
+# creating your luks encrypted keyring file.
+YKCHAL=GiveMeThePassword
+
+# Keyfile name. Use an udev rule to create a single symlink to one of many
+# devices with the luks keys and add the rule file in the FILES array above,
+# or set this to /dev/disk/by-id of the device where you keep the keyfile.
+KFNAME=/dev/cryptkey
+
+# How many bytes to skip in the beginning of the keyfile device
+KFSKIP=524288
+
+# How many bytes to read from the keyfile device
+KFSIZE=4096
+
+# Wait before rebooting if the are any problems when unlocking the OPAL drives.
+WAIT_ON_ERRORS=1
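Review bot: The comment above `USE_SEDUTIL_PBA=1` is ambiguous about which choice yields the smaller image, and the install hook shows it is the sedutil agent (it adds only the linuxpba binary and a terminfo entry, whereas the custom agent pulls in sedutil-cli, getpasswd, cryptsetup, dmsetup and the dm-crypt modules); "use custom the PBA agent" and "if the are any problems" are also garbled. Suggested wording: `# USE_SEDUTIL_PBA=1: PBA agent shipped with sedutil (password only; smallest image).` / `# USE_SEDUTIL_PBA=0: custom agent that also supports a keyfile and a yubikey.` / `# The settings below only take effect with USE_SEDUTIL_PBA=0.` It would also help to state next to `YKCHAL` that the challenge is not a secret — the install hook copies both this file and keyring.luks into the PBA image — and that the keyring is protected only by the yubikey's response or the keyfile device, so a reader does not mistake a custom challenge for added protection.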
diff --git a/linuxpba.conf.lib b/linuxpba.conf.lib
new file mode 100644
index 000000000000..f616a8a3fcac
--- /dev/null
+++ b/linuxpba.conf.lib
@@ -0,0 +1,3 @@
+. /etc/linuxpba/linuxpba.conf
+
+MODULES="$MODULES loop dm-crypt xts algif_skcipher af_alg"
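Review bot: `MODULES="$MODULES loop dm-crypt xts algif_skcipher af_alg"` is applied unconditionally, so these modules land in the image even with USE_SEDUTIL_PBA=1, although linuxpba.conf.etc says the linuxpba settings only matter when it is 0 and the install hook already calls add_module for the same list inside its keyring branch. Gate it on the setting, `[[ "$USE_SEDUTIL_PBA" = 1 ]] || MODULES="$MODULES loop dm-crypt xts algif_skcipher af_alg"`, or drop the line and rely on the hook. A one-line header saying this is the mkinitcpio config passed by mklinuxpba-initramfs and that /etc/linuxpba/linuxpba.conf is the user-facing file would help, since both files are installed under the same name.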
diff --git a/linuxpba.install b/linuxpba.install
index c5648c536d46..f76ce1d09c00 100644
--- a/linuxpba.install
+++ b/linuxpba.install
@@ -1,7 +1,37 @@
build () {
- add_binary /usr/bin/linuxpba
- add_file "/usr/share/terminfo/l/linux"
- add_runscript
+
+ # subshell to avoid namespace pollution
+ (
+ . /etc/linuxpba/linuxpba.conf
+ if [[ "$USE_SEDUTIL_PBA" = 1 ]]
+ then
+ add_binary "linuxpba"
+ add_file "/usr/share/terminfo/l/linux"
+ else
+ add_binary "/usr/bin/linuxpba-arch" "/usr/bin/linuxpba"
+ add_binary "getpasswd"
+ add_binary "sedutil-cli"
+ if [[ -e "/etc/linuxpba/keyring.luks" ]]
+ then
+ add_file "/etc/linuxpba/linuxpba.conf"
+ [[ -e "/usr/bin/ykchalresp" ]] && add_binary "ykchalresp"
+ [[ -e "/usr/bin/ykinfo" ]] && add_binary "ykinfo"
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/etc/linuxpba/keyring.luks"
+ add_module loop
+ #add_all_modules '/crypto/'
+ add_module dm-crypt
+ add_module xts
+ add_module algif_skcipher
+ add_module af_alg
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+ fi
+ fi
+ ) && add_runscript
}
help () {
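Review bot: The comment `# subshell to avoid namespace pollution` understates why the subshell is required: linuxpba.conf also assigns MODULES, BINARIES, FILES, HOOKS and COMPRESSION, and sourcing it directly in build() would overwrite mkinitcpio's variables of the same name. Suggest `# subshell: linuxpba.conf also sets MODULES/BINARIES/FILES/HOOKS/COMPRESSION, which must not clobber mkinitcpio's own variables`. The dead line `#add_all_modules '/crypto/'` should go rather than sit beside the explicit add_module list. A short comment on the keyring branch noting that linuxpba.conf and keyring.luks are both embedded in the PBA image, so the keyring is only as safe as the yubikey response or keyfile device that unlocks it, would document the trust boundary for the next maintainer.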
diff --git a/mklinuxpba-bios b/mklinuxpba-bios
index c91d4c4b45eb..cadefd7e2bd4 100755
--- a/mklinuxpba-bios
+++ b/mklinuxpba-bios
@@ -50,9 +50,9 @@ extlinux -i mnt
if [[ -e /boot/intel-ucode.img ]]
then
cp /boot/intel-ucode.img mnt
- cp /etc/linuxpba/extlinux.conf mnt
+ cp /usr/lib/linuxpba/extlinux.conf mnt
else
- sed 's/intel-ucode.img,//' /etc/linuxpba/extlinux.conf > mnt/extlinux.conf
+ sed 's/intel-ucode.img,//' /usr/lib/linuxpba/extlinux.conf > mnt/extlinux.conf
fi
cp /boot/linuxpba.img mnt
cp /boot/$kernel_image mnt
@@ -70,9 +70,9 @@ extlinux -i mnt
if [[ -e /boot/intel-ucode.img ]]
then
cp /boot/intel-ucode.img mnt
- cp /etc/linuxpba/extlinux.conf mnt
+ cp /usr/lib/linuxpba/extlinux.conf mnt
else
- sed 's/intel-ucode.img,//' /etc/linuxpba/extlinux.conf > mnt/extlinux.conf
+ sed 's/intel-ucode.img,//' /usr/lib/linuxpba/extlinux.conf > mnt/extlinux.conf
fi
cp /boot/linuxpba-fallback.img mnt/linuxpba.img
cp /boot/$kernel_image mnt
diff --git a/mklinuxpba-initramfs b/mklinuxpba-initramfs
index c1a8e357c222..23fa82c2b8ea 100755
--- a/mklinuxpba-initramfs
+++ b/mklinuxpba-initramfs
@@ -1,4 +1,4 @@
#!/bin/bash
-mkinitcpio -c /etc/linuxpba/linuxpba.conf -g /boot/linuxpba.img
-mkinitcpio -S autodetect -c /etc/linuxpba/linuxpba.conf -g /boot/linuxpba-fallback.img
+mkinitcpio -c /usr/lib/linuxpba/linuxpba.conf -g /boot/linuxpba.img
+mkinitcpio -S autodetect -c /usr/lib/linuxpba/linuxpba.conf -g /boot/linuxpba-fallback.img