author | Mauro Santos | 2015-11-10 00:55:42 +0000 |
---|---|---|
committer | Mauro Santos | 2015-11-10 00:55:42 +0000 |
commit | 2a9958aed5c09a50e6080d672fcd3469d82201ad (patch) | |
tree | 298cef4a881fe9113deb02fc2e56d4d9926fa9c8 | |
parent | 16cd45fae2ab67ee94ca3e362b74f32e6e459b3d (diff) | |
download | aur-2a9958aed5c09a50e6080d672fcd3469d82201ad.tar.gz |
Add custom PBA script to support keyfile, yubikey and password.
-rw-r--r-- | .SRCINFO | 20 | ||||
-rw-r--r-- | PKGBUILD | 33 | ||||
-rw-r--r-- | getpasswd.c | 47 | ||||
-rwxr-xr-x | linuxpba-arch | 122 | ||||
-rw-r--r-- | linuxpba.conf | 8 | ||||
-rw-r--r-- | linuxpba.conf.etc | 38 | ||||
-rw-r--r-- | linuxpba.conf.lib | 3 | ||||
-rw-r--r-- | linuxpba.install | 36 | ||||
-rwxr-xr-x | mklinuxpba-bios | 8 | ||||
-rwxr-xr-x | mklinuxpba-initramfs | 4 |
10 files changed, 286 insertions, 33 deletions
@@ -1,7 +1,7 @@ pkgbase = sedutil pkgdesc = TCG OPAL 2.00 SED Management Program pkgver = 1.10 - pkgrel = 1 + pkgrel = 2 url = https://github.com/Drive-Trust-Alliance/sedutil install = sedutil.install arch = i686 @@ -9,20 +9,28 @@ pkgbase = sedutil license = GPL3 optdepends = syslinux: to create a bootable PBA disk image optdepends = intel-ucode: microcode update files for Intel CPUs + optdepends = yubikey-personalization: for yubikey support + backup = etc/linuxpba/linuxpba.conf source = sedutil-1.10.tar.gz::https://github.com/Drive-Trust-Alliance/sedutil/archive/1.10.tar.gz source = extlinux.conf source = mklinuxpba-initramfs source = mklinuxpba-bios - source = linuxpba.conf + source = linuxpba-arch + source = linuxpba.conf.etc + source = linuxpba.conf.lib source = linuxpba.hook source = linuxpba.install + source = getpasswd.c sha256sums = 31b1006a1f65b83fb419635f21a02bfb99bed8d4d6b351f566831af3682165dd sha256sums = 5ab7ef67fea0f4e370d8f0a4da87636a1df18e0edb0152d08f906f38280cc0e8 - sha256sums = c66318cb2ddd357de927ab47eb3ec4618a4353ad06e5bd48e6676d77b48b323d - sha256sums = 046e481ffca77f222f4c044e32427f25bca12ac9a5e6832ea657596f8fd84228 - sha256sums = 9273e9c5d5ce54be31a49ec42839b06d0e54752a19c9e6d4643793174ee9214e + sha256sums = 77c725e4eee095dbede512d2bca13b8f2c139a67b9b87a11d98be94e6df0e1d7 + sha256sums = c599c6066f23aa403cd7c4c43b9b9900079cdbb7bc0b97c79e70a2383864646f + sha256sums = 7b2ffee83e775f9225728f2457752e20792112148079490f95e7b3b72ee0db30 + sha256sums = b444dc45933db1ba893ad1a4c6a9a7405b2332ae11b5db8dc86c6dae45776948 + sha256sums = fb23e2697cb5d8e3240ed6cd9345c40606defd298405938020e7efffe9cbebed sha256sums = d9a7b66d8365e7f4eb0233b30c0ab70b5e978f6554960bf12994a1f0910c1447 - sha256sums = 7c32370c3405fc33359c1fc5bb243f387c71ca454e9da88348669fd383f04558 + sha256sums = b20ec0ee18cf8cbdad7e2154fdad3e0c4ba3b65471c750464c69f23318e4e80d + sha256sums = e94d011c98bd336f37d6d4923e5d63a22ebd10d8f2c6486b6bcd6617524d6484 pkgname = sedutil 
@@ -2,32 +2,42 @@ pkgname=sedutil pkgver=1.10 -pkgrel=1 +pkgrel=2 pkgdesc="TCG OPAL 2.00 SED Management Program" arch=('i686' 'x86_64') url="https://github.com/Drive-Trust-Alliance/sedutil" license=('GPL3') optdepends=('syslinux: to create a bootable PBA disk image' - 'intel-ucode: microcode update files for Intel CPUs') + 'intel-ucode: microcode update files for Intel CPUs' + 'yubikey-personalization: for yubikey support') +backup=('etc/linuxpba/linuxpba.conf') install=sedutil.install source=("${pkgname}-${pkgver}.tar.gz::https://github.com/Drive-Trust-Alliance/${pkgname}/archive/${pkgver}.tar.gz" 'extlinux.conf' 'mklinuxpba-initramfs' 'mklinuxpba-bios' - 'linuxpba.conf' + 'linuxpba-arch' + 'linuxpba.conf.etc' + 'linuxpba.conf.lib' 'linuxpba.hook' - 'linuxpba.install') + 'linuxpba.install' + 'getpasswd.c') sha256sums=('31b1006a1f65b83fb419635f21a02bfb99bed8d4d6b351f566831af3682165dd' '5ab7ef67fea0f4e370d8f0a4da87636a1df18e0edb0152d08f906f38280cc0e8' - 'c66318cb2ddd357de927ab47eb3ec4618a4353ad06e5bd48e6676d77b48b323d' - '046e481ffca77f222f4c044e32427f25bca12ac9a5e6832ea657596f8fd84228' - '9273e9c5d5ce54be31a49ec42839b06d0e54752a19c9e6d4643793174ee9214e' + '77c725e4eee095dbede512d2bca13b8f2c139a67b9b87a11d98be94e6df0e1d7' + 'c599c6066f23aa403cd7c4c43b9b9900079cdbb7bc0b97c79e70a2383864646f' + '7b2ffee83e775f9225728f2457752e20792112148079490f95e7b3b72ee0db30' + 'b444dc45933db1ba893ad1a4c6a9a7405b2332ae11b5db8dc86c6dae45776948' + 'fb23e2697cb5d8e3240ed6cd9345c40606defd298405938020e7efffe9cbebed' 'd9a7b66d8365e7f4eb0233b30c0ab70b5e978f6554960bf12994a1f0910c1447' - '7c32370c3405fc33359c1fc5bb243f387c71ca454e9da88348669fd383f04558') + 'b20ec0ee18cf8cbdad7e2154fdad3e0c4ba3b65471c750464c69f23318e4e80d' + 'e94d011c98bd336f37d6d4923e5d63a22ebd10d8f2c6486b6bcd6617524d6484') PKGEXT='.pkg.tar' CPPFLAGS="$CPPFLAGS -O2" build() { + cd "${srcdir}/" + gcc -Wall -o getpasswd getpasswd.c cd "${srcdir}/${pkgname}-${pkgver}/linux/CLI/" make CONF=Release_$CARCH build cd 
"${srcdir}/${pkgname}-${pkgver}/LinuxPBA/" @@ -41,9 +51,12 @@ package() { install -Dm755 "LinuxPBA/dist/Release_$CARCH/GNU-Linux-x86/linuxpba" "${pkgdir}/usr/bin/linuxpba" install -Dm755 "${srcdir}/mklinuxpba-initramfs" "${pkgdir}/usr/bin/mklinuxpba-initramfs" install -Dm755 "${srcdir}/mklinuxpba-bios" "${pkgdir}/usr/bin/mklinuxpba-bios" + install -Dm755 "${srcdir}/linuxpba-arch" "${pkgdir}/usr/bin/linuxpba-arch" + install -Dm755 "${srcdir}/getpasswd" "${pkgdir}/usr/bin/getpasswd" install -Dm644 "${srcdir}/linuxpba.hook" "${pkgdir}/usr/lib/initcpio/hooks/linuxpba" install -Dm644 "${srcdir}/linuxpba.install" "${pkgdir}/usr/lib/initcpio/install/linuxpba" - install -Dm644 "${srcdir}/linuxpba.conf" "${pkgdir}/etc/linuxpba/linuxpba.conf" - install -Dm644 "${srcdir}/extlinux.conf" "${pkgdir}/etc/linuxpba/extlinux.conf" + install -Dm644 "${srcdir}/linuxpba.conf.etc" "${pkgdir}/etc/linuxpba/linuxpba.conf" + install -Dm644 "${srcdir}/linuxpba.conf.lib" "${pkgdir}/usr/lib/linuxpba/linuxpba.conf" + install -Dm644 "${srcdir}/extlinux.conf" "${pkgdir}/usr/lib/linuxpba/extlinux.conf" } diff --git a/getpasswd.c b/getpasswd.c new file mode 100644 index 000000000000..8cda21159b11 --- /dev/null +++ b/getpasswd.c 
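Review bot: `gcc -Wall -o getpasswd getpasswd.c` in build() ignores the `CFLAGS`/`LDFLAGS` that makepkg exports, so the one helper that handles the unlock password is compiled without the distribution's hardening options that the rest of the package picks up through its Makefiles; change it to `gcc $CFLAGS $LDFLAGS -Wall -o getpasswd getpasswd.c`. Adding `-Wconversion` to that line would also have surfaced the `ssize_t`-to-`size_t` assignment in getpasswd.c.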
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <termios.h>
+
+int main(){
+
+ struct termios termold, termnew;
+ tcgetattr(fileno(stdin), &termold);
+ termnew = termold;
+ termnew.c_lflag &= ~ECHO;
+ termnew.c_cc[VINTR] = '\0';
+ termnew.c_cc[VEOF] = '\0';
+ termnew.c_cc[VKILL] = '\0';
+ termnew.c_cc[VLNEXT] = '\0';
+ termnew.c_cc[VQUIT] = '\0';
+ termnew.c_cc[VSTART] = '\0';
+ termnew.c_cc[VSTOP] = '\0';
+ termnew.c_cc[VSUSP] = '\0';
+ termnew.c_cc[VWERASE] = '\0';
+ tcsetattr(fileno(stdin), TCSANOW, &termnew);
+
+ char *line = NULL;
+ size_t len = 0;
+ size_t read;
+ read = getline(&line, &len, stdin);
+
+ tcsetattr(fileno(stdin), TCSANOW, &termold);
+
+ printf("%.*s",(int)read-1,line);
+
+ free(line);
+
+ return 0;
+
+}
+
+/* Using getpass() - deprecated
+ *
+ * #include <stdio.h>
+ * #include <unistd.h>
+ *
+ * int main(){
+ * char *passwd = getpass("");
+ * printf("%s",passwd);
+ * }
+ *
+ */
diff --git a/linuxpba-arch b/linuxpba-arch
new file mode 100755
index 000000000000..83748caec088
--- /dev/null
+++ b/linuxpba-arch
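Review bot: `read` is declared `size_t` but `getline` returns `ssize_t`, so the -1 it returns on EOF or error becomes SIZE_MAX, `(int)read-1` evaluates to -2, printf treats a negative precision as "no precision" and prints through a `line` pointer that can still be NULL; with the same expression, a line that ends without a newline loses its last character. `tcgetattr` is also unchecked, so when stdin is not a terminal `termold` is copied and written back uninitialized, and the password buffer is freed without being wiped. The rewrite below keeps the contract the PBA script relies on (read one line with echo off, write it out without the trailing newline, empty output on failure) but returns non-zero on EOF/error, strips the newline only when one was read, and scrubs the buffer with `explicit_bzero` (glibc, needs `<string.h>`; a volatile-pointer memset is the portable substitute). `_POSIX_VDISABLE`, which is `'\0'` on Linux, would state the intent of the `c_cc[V*] = '\0'` lines more clearly than the literal.
```c
int main(void){
    struct termios termold, termnew;
    // If stdin is not a terminal there is nothing to restore; read as-is.
    int is_tty = tcgetattr(fileno(stdin), &termold) == 0;

    if (is_tty) {
        termnew = termold;
        termnew.c_lflag &= ~ECHO;
        // … unchanged: c_cc[V*] = '\0' assignments …
        tcsetattr(fileno(stdin), TCSANOW, &termnew);
    }

    char *line = NULL;
    size_t len = 0;
    ssize_t read = getline(&line, &len, stdin);

    if (is_tty)
        tcsetattr(fileno(stdin), TCSANOW, &termold);

    if (read < 0) {            // EOF or error: nothing to print
        free(line);
        return 1;
    }
    if (read > 0 && line[read - 1] == '\n')
        read--;                // drop the newline only if one was read
    fwrite(line, 1, (size_t)read, stdout);

    explicit_bzero(line, len); // do not leave the password in freed heap memory
    free(line);
    return 0;
}
```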
@@ -0,0 +1,122 @@ +#!/usr/bin/ash + +SED_STATUS(){ + NAME=$1 + SERIAL=$2 + LOCKED=$3 + MBRDONE=$4 +} + +KEYRING="/etc/linuxpba/keyring.luks" +SED_PASSWD="" + +echo "" + +if [[ -e "$KEYRING" ]] +then + + . /etc/linuxpba/linuxpba.conf + + if [[ -e "/usr/bin/ykchalresp" && -e "/usr/bin/ykinfo" ]] + then + ykinfo -s &>/dev/null + if [[ $? -eq 0 ]] + then + echo "Press the Yubikey button if it is blinking." + KEYFOB_PASSWD="$(ykchalresp -2 "$YKCHAL" 2>/dev/null)" + fi + fi + + if [[ "x$KEYFOB_PASSWD" != "x" && "x$SED_PASSWD" = "x" ]] + then + echo -n "Unlocking keyring with yubikey password ... " + echo -n "$KEYFOB_PASSWD" | cryptsetup --key-file - open --type luks \ + "$KEYRING" keyring &>/dev/null + if [[ $? -ne 0 ]] + then + echo "FAIL" + else + echo "OK" + SED_PASSWD="$(cat /dev/mapper/keyring)" + cryptsetup close keyring + fi + fi + + if [[ "x$SED_PASSWD" = "x" ]] + then + WAIT=6 + while [[ ! -b "$KFNAME" && "$WAIT" -gt 0 ]] + do + sleep 0.5 + let WAIT-=1 + done + fi + + if [[ -e "$KFNAME" && "x$SED_PASSWD" = "x" ]] + then + echo -n "Unlocking keyring with keyfile ... " + cryptsetup --key-file "$KFNAME" --keyfile-offset "$KFSKIP" \ + --keyfile-size "$KFSIZE" open --type luks "$KEYRING" keyring &>/dev/null + if [[ $? -ne 0 ]] + then + echo "FAIL" + else + echo "OK" + SED_PASSWD="$(cat /dev/mapper/keyring)" + cryptsetup close keyring + fi + fi +fi + +while [[ "x$SED_PASSWD" = "x" ]] +do + echo -n "Enter password to unlock the OPAL drives: " + SED_PASSWD="$(getpasswd)" + echo "" +done + +ERRORS=0 + +for DRIVE in $(sedutil-cli --scan 2>/dev/null | awk '$1 ~ "/dev/sd" && $2 !~ "No" {print $1}') +do + [[ "x$DRIVE" = "x" ]] && continue + SED_STATUS $(sedutil-cli --query $DRIVE | awk 'NR==2 {name=$3; serial=$5} NR==6 {gsub(",","",$0);lock=$3; mbr=$12} END {print name,serial,lock,mbr}') + if [[ "$LOCKED" = "Y" ]] + then + echo -n "Unlocking $NAME $SERIAL ($DRIVE) ... " + sedutil-cli --setLockingRange 0 RW "$SED_PASSWD" "$DRIVE" &>/dev/null + if [[ $? 
-ne 0 ]] + then + echo "FAIL" + let ERRORS+=1 + continue + else + echo "OK" + fi + fi + if [[ "$MBRDONE" = "N" ]] + then + echo -n "Setting MBR DONE on $NAME $SERIAL ($DRIVE) ... " + sedutil-cli --setMBRDone on "$SED_PASSWD" "$DRIVE" &>/dev/null + if [[ $? -ne 0 ]] + then + echo "FAIL" + let ERRORS+=1 + continue + else + echo "OK" + fi + fi +done + +if [[ "$ERRORS" -gt 0 && "$WAIT_ON_ERRORS" -eq 1 ]] +then + echo "" + echo "Some operations failed, drive(s) may not be fully unlocked and accessible!" + echo "Press ENTER to reboot." + getpasswd > /dev/null +fi + +echo "Rebooting..." + +reboot -f diff --git a/linuxpba.conf b/linuxpba.conf deleted file mode 100644 index 17cd05371a44..000000000000 --- a/linuxpba.conf +++ /dev/null @@ -1,8 +0,0 @@ -MODULES="" -BINARIES="" -FILES="" -HOOKS="base udev autodetect block keymap keyboard linuxpba" - -#COMPRESSION=<gzip|bzip2|lzma|xz|lzop|lz4> -COMPRESSION="xz" -#COMPRESSION_OPTIONS="" diff --git a/linuxpba.conf.etc b/linuxpba.conf.etc new file mode 100644 index 000000000000..d70f596877e8 --- /dev/null +++ b/linuxpba.conf.etc 
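Review bot: `WAIT_ON_ERRORS` is only defined when `/etc/linuxpba/linuxpba.conf` is sourced inside the `if [[ -e "$KEYRING" ]]` branch, so in the password-only setup the final `[[ "$ERRORS" -gt 0 && "$WAIT_ON_ERRORS" -eq 1 ]]` compares against an empty value and the pause before `reboot -f` is skipped (or the test errors out, depending on the shell); source the config before the keyring check with `[[ -r /etc/linuxpba/linuxpba.conf ]] && . /etc/linuxpba/linuxpba.conf` — the guard is needed because the install hook in this commit only copies the config into the image when the keyring exists. The unlock password is also passed on the command line of `sedutil-cli --setLockingRange` and `--setMBRDone`, which makes it visible in the process list for the duration of each call; if sedutil-cli can take the password from a file or stdin that is preferable, otherwise record the limitation with a comment such as `# sedutil-cli only accepts the password as an argument; it is visible via /proc while it runs`. The script runs under `#!/usr/bin/ash` but uses `[[ ]]`, `let` and `&>`, which busybox ash accepts only when built with bash compatibility — worth confirming against the busybox that ends up in the initramfs.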
@@ -0,0 +1,38 @@
+### mkinitcpio options ###
+
+MODULES=""
+BINARIES=""
+FILES=""
+HOOKS="base udev autodetect block keymap keyboard linuxpba"
+
+#COMPRESSION=<gzip|bzip2|lzma|xz|lzop|lz4>
+COMPRESSION="xz"
+#COMPRESSION_OPTIONS=""
+
+
+### linuxpba options ###
+
+# Use the PBA agent from sedutil that supports only password input
+# or use custom the PBA agent that supports keyfile, yubikey and
+# password input. This will result in the smallest initramfs image.
+# All the settings below this one only have any effect if USE_SEDUTIL_PBA=0
+USE_SEDUTIL_PBA=1
+
+# The challenge to send to the yubikey. The response will unlock the
+# keyring file. Use the challenge configured here as the challenge when
+# creating your luks encrypted keyring file.
+YKCHAL=GiveMeThePassword
+
+# Keyfile name. Use an udev rule to create a single symlink to one of many
+# devices with the luks keys and add the rule file in the FILES array above,
+# or set this to /dev/disk/by-id of the device where you keep the keyfile.
+KFNAME=/dev/cryptkey
+
+# How many bytes to skip in the beginning of the keyfile device
+KFSKIP=524288
+
+# How many bytes to read from the keyfile device
+KFSIZE=4096
+
+# Wait before rebooting if the are any problems when unlocking the OPAL drives.
+WAIT_ON_ERRORS=1
diff --git a/linuxpba.conf.lib b/linuxpba.conf.lib
new file mode 100644
index 000000000000..f616a8a3fcac
--- /dev/null
+++ b/linuxpba.conf.lib
@@ -0,0 +1,3 @@
+. /etc/linuxpba/linuxpba.conf
+
+MODULES="$MODULES loop dm-crypt xts algif_skcipher af_alg"
diff --git a/linuxpba.install b/linuxpba.install
index c5648c536d46..f76ce1d09c00 100644
--- a/linuxpba.install
+++ b/linuxpba.install
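Review bot: Two comment lines in linuxpba.conf.etc read awkwardly: `# or use custom the PBA agent that supports keyfile, yubikey and` should be `# or use the custom PBA agent that supports keyfile, yubikey and`, and `# Wait before rebooting if the are any problems ...` should be `# Wait before rebooting if there are any problems ...`. The `KFSKIP`/`KFSIZE` comments could also say that the values go straight to cryptsetup's `--keyfile-offset`/`--keyfile-size`, which is how linuxpba-arch uses them, so a user knows which units and limits apply.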
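Review bot: `MODULES="$MODULES loop dm-crypt xts algif_skcipher af_alg"` in linuxpba.conf.lib is appended unconditionally, so the device-mapper and crypto modules land in the image even with `USE_SEDUTIL_PBA=1` or without a keyring, while the install hook in this commit already pulls in the same modules with `add_module` in its keyring branch; as far as I can tell mkinitcpio includes every `MODULES` entry regardless of autodetect, which works against the image-size note in linuxpba.conf. Either drop the line and rely on the hook, or guard it: `[[ "$USE_SEDUTIL_PBA" != 1 && -e /etc/linuxpba/keyring.luks ]] && MODULES="$MODULES loop dm-crypt xts algif_skcipher af_alg"`.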
@@ -1,7 +1,37 @@
 build () {
- add_binary /usr/bin/linuxpba
- add_file "/usr/share/terminfo/l/linux"
- add_runscript
+
+ # subshell to avoid namespace pollution
+ (
+ . /etc/linuxpba/linuxpba.conf
+ if [[ "$USE_SEDUTIL_PBA" = 1 ]]
+ then
+ add_binary "linuxpba"
+ add_file "/usr/share/terminfo/l/linux"
+ else
+ add_binary "/usr/bin/linuxpba-arch" "/usr/bin/linuxpba"
+ add_binary "getpasswd"
+ add_binary "sedutil-cli"
+ if [[ -e "/etc/linuxpba/keyring.luks" ]]
+ then
+ add_file "/etc/linuxpba/linuxpba.conf"
+ [[ -e "/usr/bin/ykchalresp" ]] && add_binary "ykchalresp"
+ [[ -e "/usr/bin/ykinfo" ]] && add_binary "ykinfo"
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/etc/linuxpba/keyring.luks"
+ add_module loop
+ #add_all_modules '/crypto/'
+ add_module dm-crypt
+ add_module xts
+ add_module algif_skcipher
+ add_module af_alg
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+ fi
+ fi
+ ) && add_runscript
 }
 
 help () {
diff --git a/mklinuxpba-bios b/mklinuxpba-bios
index c91d4c4b45eb..cadefd7e2bd4 100755
--- a/mklinuxpba-bios
+++ b/mklinuxpba-bios
@@ -50,9 +50,9 @@ extlinux -i mnt
 if [[ -e /boot/intel-ucode.img ]]
 then
 cp /boot/intel-ucode.img mnt
- cp /etc/linuxpba/extlinux.conf mnt
+ cp /usr/lib/linuxpba/extlinux.conf mnt
 else
- sed 's/intel-ucode.img,//' /etc/linuxpba/extlinux.conf > mnt/extlinux.conf
+ sed 's/intel-ucode.img,//' /usr/lib/linuxpba/extlinux.conf > mnt/extlinux.conf
 fi
 cp /boot/linuxpba.img mnt
 cp /boot/$kernel_image mnt
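Review bot: `add_file "/etc/linuxpba/linuxpba.conf"` sits inside `if [[ -e "/etc/linuxpba/keyring.luks" ]]`, so in the password-only configuration the custom agent boots without its config and its `WAIT_ON_ERRORS` check at the end of linuxpba-arch compares against an empty value; move that `add_file` up to just after `add_binary "sedutil-cli"` so the config ships whenever the custom agent does. The `add_binary` calls mix bare names (`"linuxpba"`, `"getpasswd"`) with absolute paths (`"/usr/bin/linuxpba-arch"`); I believe mkinitcpio resolves bare names through PATH so both forms work, but one form throughout reads better. Since `add_runscript` now depends on the subshell's exit status, which is whatever the last command inside it returned, a one-line comment such as `# add_runscript only if sourcing the config and staging the files succeeded` would make that coupling explicit.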
@@ -70,9 +70,9 @@ extlinux -i mnt if [[ -e /boot/intel-ucode.img ]] then cp /boot/intel-ucode.img mnt - cp /etc/linuxpba/extlinux.conf mnt + cp /usr/lib/linuxpba/extlinux.conf mnt else - sed 's/intel-ucode.img,//' /etc/linuxpba/extlinux.conf > mnt/extlinux.conf + sed 's/intel-ucode.img,//' /usr/lib/linuxpba/extlinux.conf > mnt/extlinux.conf fi cp /boot/linuxpba-fallback.img mnt/linuxpba.img cp /boot/$kernel_image mnt diff --git a/mklinuxpba-initramfs b/mklinuxpba-initramfs index c1a8e357c222..23fa82c2b8ea 100755 --- a/mklinuxpba-initramfs +++ b/mklinuxpba-initramfs @@ -1,4 +1,4 @@ #!/bin/bash -mkinitcpio -c /etc/linuxpba/linuxpba.conf -g /boot/linuxpba.img -mkinitcpio -S autodetect -c /etc/linuxpba/linuxpba.conf -g /boot/linuxpba-fallback.img +mkinitcpio -c /usr/lib/linuxpba/linuxpba.conf -g /boot/linuxpba.img +mkinitcpio -S autodetect -c /usr/lib/linuxpba/linuxpba.conf -g /boot/linuxpba-fallback.img |