authorxsmile2021-05-31 23:07:05 +0200
committerxsmile2021-05-31 23:07:05 +0200
commit598dcf572319df3599f88b5160a57bf54d636906 (patch)
tree2f17c1c319b0a9fd1ec733feb72c779b06d78f17
init
-rw-r--r--.SRCINFO42
-rw-r--r--.gitignore10
-rw-r--r--PKGBUILD76
-rw-r--r--mkinitcpio-pba.conf6
-rw-r--r--mkinitcpio-rescue.conf6
-rw-r--r--sedutil-mkimg.sh72
-rw-r--r--sedutil-pba.hook5
-rw-r--r--sedutil-pba.install13
-rw-r--r--sedutil-rescue.hook5
-rw-r--r--sedutil-rescue.install27
-rw-r--r--sedutil-sleep.conf4
-rw-r--r--sedutil-sleep.service7
-rw-r--r--sedutil.install16
-rw-r--r--show_asterisk.patch9
-rw-r--r--syslinux-pba.cfg9
-rw-r--r--syslinux-rescue.cfg9
16 files changed, 316 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..6a67164fe618
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,42 @@
+pkgbase = sedutil-ladar
+ pkgdesc = TCG OPAL 2.00 SED Management Program. ladar's fork, SHA512 variant
+ pkgver = 1.16.0
+ pkgrel = 1
+ url = https://github.com/ladar/sedutil
+ install = sedutil.install
+ arch = x86_64
+ license = GPL3
+ optdepends = gptfdisk: for creating the pre-boot authentication and rescue images
+ optdepends = syslinux: for creating the pre-boot authentication and rescue images
+ provides = sedutil
+ conflicts = sedutil
+ backup = etc/sedutil/sedutil-sleep.conf
+ source = https://github.com/ladar/sedutil/releases/download/1.16.0/sedutil-1.16.0-SHA512.tar.gz
+ source = show_asterisk.patch
+ source = sedutil-mkimg.sh
+ source = mkinitcpio-pba.conf
+ source = mkinitcpio-rescue.conf
+ source = sedutil-pba.hook
+ source = sedutil-pba.install
+ source = sedutil-rescue.hook
+ source = sedutil-rescue.install
+ source = syslinux-pba.cfg
+ source = syslinux-rescue.cfg
+ source = sedutil-sleep.conf
+ source = sedutil-sleep.service
+ sha256sums = e31fdfdc9d57f8bc63652bca5abe0468be145b6f5d5a215ce34b666cf9893f84
+ sha256sums = c192b82c7ce0080e920e805a05b49b0cca4692467b9d716e6c5fcbf8f2a9463c
+ sha256sums = 8f1e5c43e70382cef32a9fe888d7aba71c8cceecd9c045c492746a85a200ab17
+ sha256sums = fdf05acf90bf86fe269a3fbd1a34ee1f04d2c6b1c6289b6a779fa1c403ae4336
+ sha256sums = 26f18516de5a6ad16ea02cb84d621175b54033b22b32efb10a8bb0f2eed49456
+ sha256sums = d9a7b66d8365e7f4eb0233b30c0ab70b5e978f6554960bf12994a1f0910c1447
+ sha256sums = c4ac3b9e9572138e3599b953418a246da0f41ec28dc2edd67867abbb011a47ac
+ sha256sums = eb734a57b48964be9a703250215532c25b33d38510766ef571a1999100095bfc
+ sha256sums = 70edb21d16848027c44c6e80d627f5ef86d40f99c74d0ec7f9e56caa7bebae1e
+ sha256sums = e2ff1c580f75554b21d8fcfdc5feb4dec4f146b5d0b111143ada4686acaad206
+ sha256sums = 620f28dfb8b226b5bd6361f9aa388a24b498485d37bfa079471ad6e49a14fcdf
+ sha256sums = 377d2ebad2fc21e15980c1efbd06b39fa506d6d33df87df3602bc25b42be1a4e
+ sha256sums = f3a24271ba964de1db2927f07a9ea2765515d871c481c87cf3dccd5dd5949326
+
+pkgname = sedutil-ladar
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..8022f34c64fd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+pkg/*
+src/*
+
+*.zip
+*.tar*
+
+*.asc
+*.sig
+
+README.md
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..e83dd90b3153
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,76 @@
+# Maintainer: xsmile <>
+
+pkgname=sedutil-ladar
+_pkgname=sedutil
+pkgver=1.16.0
+pkgrel=1
+pkgdesc="TCG OPAL 2.00 SED Management Program. ladar's fork, SHA512 variant"
+arch=(x86_64)
+url=https://github.com/ladar/sedutil
+license=(GPL3)
+optdepends=('gptfdisk: for creating the pre-boot authentication and rescue images'
+ 'syslinux: for creating the pre-boot authentication and rescue images')
+provides=(sedutil)
+conflicts=(sedutil)
+backup=(etc/sedutil/sedutil-sleep.conf)
+install=sedutil.install
+source=("$url/releases/download/$pkgver/$_pkgname-$pkgver-SHA512.tar.gz"
+ show_asterisk.patch
+ sedutil-mkimg.sh
+ mkinitcpio-pba.conf
+ mkinitcpio-rescue.conf
+ sedutil-pba.hook
+ sedutil-pba.install
+ sedutil-rescue.hook
+ sedutil-rescue.install
+ syslinux-pba.cfg
+ syslinux-rescue.cfg
+ sedutil-sleep.conf
+ sedutil-sleep.service)
+sha256sums=('e31fdfdc9d57f8bc63652bca5abe0468be145b6f5d5a215ce34b666cf9893f84'
+ 'c192b82c7ce0080e920e805a05b49b0cca4692467b9d716e6c5fcbf8f2a9463c'
+ '8f1e5c43e70382cef32a9fe888d7aba71c8cceecd9c045c492746a85a200ab17'
+ 'fdf05acf90bf86fe269a3fbd1a34ee1f04d2c6b1c6289b6a779fa1c403ae4336'
+ '26f18516de5a6ad16ea02cb84d621175b54033b22b32efb10a8bb0f2eed49456'
+ 'd9a7b66d8365e7f4eb0233b30c0ab70b5e978f6554960bf12994a1f0910c1447'
+ 'c4ac3b9e9572138e3599b953418a246da0f41ec28dc2edd67867abbb011a47ac'
+ 'eb734a57b48964be9a703250215532c25b33d38510766ef571a1999100095bfc'
+ '70edb21d16848027c44c6e80d627f5ef86d40f99c74d0ec7f9e56caa7bebae1e'
+ 'e2ff1c580f75554b21d8fcfdc5feb4dec4f146b5d0b111143ada4686acaad206'
+ '620f28dfb8b226b5bd6361f9aa388a24b498485d37bfa079471ad6e49a14fcdf'
+ '377d2ebad2fc21e15980c1efbd06b39fa506d6d33df87df3602bc25b42be1a4e'
+ 'f3a24271ba964de1db2927f07a9ea2765515d871c481c87cf3dccd5dd5949326')
+
+prepare() {
+ cd $_pkgname-$pkgver
+ # disable visual feedback
+ patch -p1 -i "$srcdir"/show_asterisk.patch
+}
+
+build() {
+ cd $_pkgname-$pkgver
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin
+ make
+}
+
+package() {
+ pushd $_pkgname-$pkgver
+ make DESTDIR="$pkgdir" install
+ popd
+
+ # pre-boot authentication and rescue image creation
+ install -Dm644 sedutil-pba.hook "$pkgdir"/usr/lib/initcpio/hooks/sedutil-pba
+ install -Dm644 sedutil-pba.install "$pkgdir"/usr/lib/initcpio/install/sedutil-pba
+ install -Dm644 sedutil-rescue.install "$pkgdir"/usr/lib/initcpio/install/sedutil-rescue
+ install -Dm644 mkinitcpio-pba.conf -t "$pkgdir"/usr/share/sedutil/
+ install -Dm644 mkinitcpio-rescue.conf -t "$pkgdir"/usr/share/sedutil/
+ install -Dm644 syslinux-pba.cfg -t "$pkgdir"/usr/share/sedutil/
+ install -Dm644 syslinux-rescue.cfg -t "$pkgdir"/usr/share/sedutil/
+ install -D sedutil-mkimg.sh "$pkgdir"/usr/bin/sedutil-mkimg
+
+ # sleep support via systemd
+ install -Dm644 "$srcdir"/sedutil-sleep.service -t "$pkgdir"/usr/lib/systemd/system
+ install -Dm600 "$srcdir"/sedutil-sleep.conf -t "$pkgdir"/etc/sedutil
+}
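Review bot: optdepends lists gptfdisk and syslinux for image creation, but sedutil-mkimg.sh also calls mkfs.vfat, which on Arch comes from dosfstools and is not named anywhere in this PKGBUILD; add `'dosfstools: for creating the pre-boot authentication and rescue images'` to optdepends (and regenerate .SRCINFO). `install -D sedutil-mkimg.sh "$pkgdir"/usr/bin/sedutil-mkimg` is the only install line without an explicit mode and relies on install's default; `install -Dm755 sedutil-mkimg.sh "$pkgdir"/usr/bin/sedutil-mkimg` keeps it consistent with the rest of package(). The m600 on sedutil-sleep.conf is right, since that file is meant to hold the unlock secret.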
diff --git a/mkinitcpio-pba.conf b/mkinitcpio-pba.conf
new file mode 100644
index 000000000000..3803a30e3031
--- /dev/null
+++ b/mkinitcpio-pba.conf
@@ -0,0 +1,6 @@
+MODULES=()
+BINARIES=()
+FILES=()
+HOOKS=(base udev autodetect block keyboard keymap sedutil-pba)
+COMPRESSION=zstd
+COMPRESSION_OPTIONS=(-16)
diff --git a/mkinitcpio-rescue.conf b/mkinitcpio-rescue.conf
new file mode 100644
index 000000000000..0f9a2d2e840e
--- /dev/null
+++ b/mkinitcpio-rescue.conf
@@ -0,0 +1,6 @@
+MODULES=()
+BINARIES=()
+FILES=()
+HOOKS=(base udev autodetect block keyboard keymap sedutil-rescue)
+COMPRESSION=zstd
+COMPRESSION_OPTIONS=(-16)
diff --git a/sedutil-mkimg.sh b/sedutil-mkimg.sh
new file mode 100644
index 000000000000..bdb7177e0f5c
--- /dev/null
+++ b/sedutil-mkimg.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Creates two disk images using the currently installed kernel:
+# - pre-boot authentication (PBA) environment running the "linuxpba" binary
+# - rescue image containing "sedutil-cli" and the PBA image
+
+[ "$(id -u)" -ne 0 ] && { echo 'Root privileges required, exiting'; exit 1; }
+
+# Image size. Min MBR Table Size is 128M as per specification
+IMGSIZE=64M
+# Partition label
+PARTLABEL=SEDUTIL
+# Kernel image
+KERNEL=$(find /usr/lib/modules -mindepth 1 -print -quit)/vmlinuz
+# Required packages
+DEPENDS=(gptfdisk syslinux)
+
+check() {
+ for pkg in "${DEPENDS[@]}"; do
+ [ $(pacman -Qsq "^${pkg}$") ] || { echo "Missing package, install: ${DEPENDS[@]}"; exit 1; }
+ done
+}
+
+cleanup() {
+ buildtype="$1"
+ loopdev="$2"
+
+ umount -q mnt-"$buildtype"
+ losetup -d "$loopdev"
+ rmdir mnt-"$buildtype"
+}
+
+package() {
+ local buildtype="$1"
+ local img=${buildtype}.img
+
+ # generate initramfs
+ mkinitcpio -c /usr/share/sedutil/mkinitcpio-"${buildtype}".conf -g initramfs-"${buildtype}".img >/dev/null
+ # create a GPT image with an EFI system partition
+ truncate -s $IMGSIZE "$img"
+ sgdisk -n 0:0:0 -t 0:ef00 "$img" >/dev/null
+ # format and mount the image
+ local loopdev=$(losetup -f --show -P "$img") || { exit 1; }
+ mkfs.vfat -n $PARTLABEL "${loopdev}p1" >/dev/null
+ mkdir mnt-"${buildtype}"
+ mount "${loopdev}"p1 mnt-"${buildtype}" || { cleanup "$buildtype" "$loopdev"; exit 1; }
+ # copy bootloader
+ install -D /usr/lib/syslinux/efi64/syslinux.efi mnt-"${buildtype}"/efi/boot/bootx64.efi
+ install -D /usr/lib/syslinux/efi64/ldlinux.e64 -t mnt-"${buildtype}"/efi/boot/
+ install -D /usr/share/sedutil/syslinux-"${buildtype}".cfg mnt-"${buildtype}"/syslinux.cfg
+ # copy Linux image and initramfs
+ install -D "$KERNEL" mnt-"${buildtype}"/vmlinuz-linux
+ install -D initramfs-"${buildtype}".img -t mnt-"${buildtype}"/
+ [ "$buildtype" = "pba" ] && export SEDUTIL_PBA_IMG=$(realpath "$img")
+ # clean up
+ cleanup "$buildtype" "$loopdev"
+}
+
+echo '==> Checking requirements'
+check
+pkgdir=$(mktemp -d)
+mkdir -p "$pkgdir"; chmod 755 "$pkgdir"; cd "$pkgdir"
+echo '==> Creating pre-boot authentication image'
+package pba
+echo '==> Creating rescue image'
+package rescue
+
+cat << EOF
+==> Result
+PBA image : $pkgdir/pba.img
+Rescue image: $pkgdir/rescue.img
+EOF
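Review bot: `local loopdev=$(losetup -f --show -P "$img") || { exit 1; }` never exits on failure, because `local` returns the status of the declaration rather than of the command substitution, so a failed losetup leaves loopdev empty and the script goes on to run mkfs.vfat and mount against `p1`; split it into `local loopdev` and `loopdev=$(losetup -f --show -P "$img") || exit 1`. The comment above IMGSIZE says the minimum is 128M while the value is 64M, so one of the two needs correcting. DEPENDS checks only gptfdisk and syslinux, but mkfs.vfat comes from dosfstools, which the check never verifies. KERNEL picks the first directory under /usr/lib/modules, which is not necessarily the kernel mkinitcpio builds the initramfs for (it appears to default to the running kernel), so the image can pair a vmlinuz with modules from a different version; `/usr/lib/modules/$(uname -r)/vmlinuz`, or passing the same `-k` to mkinitcpio, keeps them consistent.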
diff --git a/sedutil-pba.hook b/sedutil-pba.hook
new file mode 100644
index 000000000000..9bd2e3b49c44
--- /dev/null
+++ b/sedutil-pba.hook
@@ -0,0 +1,5 @@
+#!/usr/bin/ash
+
+run_hook() {
+ linuxpba
+}
diff --git a/sedutil-pba.install b/sedutil-pba.install
new file mode 100644
index 000000000000..5e6bff1d16d2
--- /dev/null
+++ b/sedutil-pba.install
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+build() {
+ add_binary linuxpba
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook creates a pre-boot authentication environment to unlock self-encrypting drives that comply with the TCG OPAL 2.00 standard.
+HELPEOF
+}
diff --git a/sedutil-rescue.hook b/sedutil-rescue.hook
new file mode 100644
index 000000000000..e360aea15b78
--- /dev/null
+++ b/sedutil-rescue.hook
@@ -0,0 +1,5 @@
+#!/usr/bin/ash
+
+run_hook() {
+ linuxrescue
+}
diff --git a/sedutil-rescue.install b/sedutil-rescue.install
new file mode 100644
index 000000000000..12a9c189e339
--- /dev/null
+++ b/sedutil-rescue.install
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+build() {
+ add_binary sedutil-cli
+ add_file "$SEDUTIL_PBA_IMG" /usr/sedutil/uefi64.img
+ cat << EOF > "$BUILDROOT"/usr/bin/linuxrescue
+cat << EOM
+* ********************************** *
+* DTA sedutil rescue image *
+* *
+* The following tools are available: *
+* - sedutil-cli *
+* - PBA image in /usr/sedutil/ *
+* *
+* ********************************** *
+EOM
+EOF
+ chmod 755 "$BUILDROOT"/usr/bin/linuxrescue
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook creates a rescue environment to manage self-encrypting drives that comply with the TCG OPAL 2.00 standard.
+HELPEOF
+}
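Review bot: `add_file "$SEDUTIL_PBA_IMG" /usr/sedutil/uefi64.img` has no guard for the variable being unset or pointing at a missing file, which is the case whenever this hook is run outside sedutil-mkimg (for example by a plain mkinitcpio invocation), and the failure then surfaces only as an unhelpful add_file error. Guard it before use with `if [[ -z $SEDUTIL_PBA_IMG || ! -f $SEDUTIL_PBA_IMG ]]; then error "SEDUTIL_PBA_IMG is not set or not a file; build the rescue image with sedutil-mkimg"; return 1; fi`. A comment above the line saying that the variable is exported by sedutil-mkimg after the PBA image is built would also save the next reader a search.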
diff --git a/sedutil-sleep.conf b/sedutil-sleep.conf
new file mode 100644
index 000000000000..5cc2cf34a925
--- /dev/null
+++ b/sedutil-sleep.conf
@@ -0,0 +1,4 @@
+# Password to unlock the drive.
+# Used by the sedutil-sleep.service file.
+
+#SED_PASSWORD=
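Review bot: The header comment does not say that this file holds the drive's unlock secret in clear text, so an administrator editing it has no cue that it must keep the root-only 0600 mode the package installs it with; add `# This file contains the drive unlock secret in clear text: keep it owned by root with mode 0600.` The comment could also state that the file is read by systemd as an EnvironmentFile, so the entry must be a plain `SED_PASSWORD=value` line rather than a shell assignment.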
diff --git a/sedutil-sleep.service b/sedutil-sleep.service
new file mode 100644
index 000000000000..078eb9981353
--- /dev/null
+++ b/sedutil-sleep.service
@@ -0,0 +1,7 @@
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/sedutil/sedutil-sleep.conf
+ExecStart=/bin/sh -c 'echo "$SED_PASSWORD" | /usr/bin/sedutil-cli -s --prepareForS3Sleep 0 Admin1 /dev/nvme0n1 &>/dev/null'
+
+[Install]
+WantedBy=multi-user.target
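Review bot: The ExecStart line uses `&>/dev/null` inside `/bin/sh -c`, which is a bash extension; under a POSIX sh it parses as `&` followed by a redirect, backgrounding the pipeline so the oneshot unit exits before sedutil-cli has run, and it works today only because /bin/sh happens to be bash. It also discards stderr, so a failed prepare (wrong password, wrong device) leaves no trace in the journal until the machine fails to resume, and `echo` may interpret backslash sequences in the password. The target `/dev/nvme0n1` is hard-coded while the password is read from the EnvironmentFile; with a `SED_DEVICE=` entry added to sedutil-sleep.conf the line becomes `ExecStart=/bin/sh -c 'printf "%s\n" "$SED_PASSWORD" | /usr/bin/sedutil-cli -s --prepareForS3Sleep 0 Admin1 "$SED_DEVICE" >/dev/null'`.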
diff --git a/sedutil.install b/sedutil.install
new file mode 100644
index 000000000000..4a9c5274f905
--- /dev/null
+++ b/sedutil.install
@@ -0,0 +1,16 @@
+post_install() {
+ cat << EOM
+
+:: Requirements for sedutil-cli
+- add "libata.allow_tpm=1" to the kernel parameters
+
+:: PBA and rescue images
+- run "sedutil-mkimg" to build both image types
+
+:: Optional sleep support
+- WARNING: requires the unlock secrets to be kept on disk and in kernel memory
+- set the unlock password in "/etc/sedutil/sedutil-sleep.conf"
+- enable the systemd service "sedutil-sleep.service"
+
+EOM
+}
diff --git a/show_asterisk.patch b/show_asterisk.patch
new file mode 100644
index 000000000000..fc0985aeac38
--- /dev/null
+++ b/show_asterisk.patch
@@ -0,0 +1,9 @@
+# Disable visual feedback for the password prompt
+--- a/LinuxPBA/GetPassPhrase.h
++++ b/LinuxPBA/GetPassPhrase.h
+@@ -19,4 +19,4 @@ along with sedutil. If not, see <http:/
+ * C:E********************************************************************** */
+ #pragma once
+ #include "SecureContainer.h"
+-std::shared_ptr<SecureString> GetPassPhrase(const char *prompt, bool show_asterisk=true);
++std::shared_ptr<SecureString> GetPassPhrase(const char *prompt, bool show_asterisk=false);
diff --git a/syslinux-pba.cfg b/syslinux-pba.cfg
new file mode 100644
index 000000000000..4be0a9d82361
--- /dev/null
+++ b/syslinux-pba.cfg
@@ -0,0 +1,9 @@
+ALLOWOPTIONS 0
+DEFAULT sedutil
+NOESCAPE 1
+PROMPT 0
+
+LABEL sedutil
+ KERNEL /vmlinuz-linux
+ INITRD /initramfs-pba.img
+ APPEND libata.allow_tpm=1 quiet loglevel=0 rd.udev.log_level=3
diff --git a/syslinux-rescue.cfg b/syslinux-rescue.cfg
new file mode 100644
index 000000000000..a376e7e2d740
--- /dev/null
+++ b/syslinux-rescue.cfg
@@ -0,0 +1,9 @@
+ALLOWOPTIONS 0
+DEFAULT sedutil
+NOESCAPE 1
+PROMPT 0
+
+LABEL sedutil
+ KERNEL /vmlinuz-linux
+ INITRD /initramfs-rescue.img
+ APPEND libata.allow_tpm=1