2 ##############################################
3 # Script for Secure Linux Project #
4 # Copyright(c) 2005, 2006 by Roland Haeder #
5 ##############################################
6 # Purpose: Decryption of the root system #
7 ##############################################
8 # This software is licensed under the GNU #
9 # General Public License Version 2 or either #
10 # and comes with ABSOLUTELY NO WARRANTY #
11 # neither implied nor explicit. #
12 ##############################################
18 umount $KEYS > /dev/null 2>&1
19 losetup -d /dev/loop2 > /dev/null 2>&1
20 losetup -d /dev/loop9 > /dev/null 2>&1
21 losetup -d /dev/loop8 > /dev/null 2>&1
22 losetup -d $STICK_LOOP > /dev/null 2>&1
23 losetup -d /dev/loop7 > /dev/null 2>&1
28 if ! test -e /proc/version; then
33 if test -e .local.sh; then
35 if test "$STICK_START" == "xxx"; then
36 echo "$0: Cannot continue!"
37 echo "Please run stick.sh first to setup your USB sticks."
41 echo "$0: Settings file .local.sh not found."
42 echo "Please start the setup process with gen.sh!"
47 if test -e "$STICK_KEY"; then
48 MD5=`md5sum -b $STICK_KEY | cut -c -32`
49 if test "$MD5" != "$STICK_MD5"; then
50 echo "$0: Cannot verify stick key $STICK_KEY!"
54 echo "$0: Cannot find stick-key $STICK_KEY!"
58 # Ask for username and passphrase to search on the USB stick for the matching
59 # and unlock it with the passphrase. But we do this step-by-step. So first
61 losetup -o $STICK_START /dev/loop8 $STICK_DEVICE || halt_script
64 rm -f /mounts.lst > /dev/null 2>&1
66 for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++)) do
67 echo -n "Enter password: "
69 if test "$passw" != ""; then
71 fsck -t $STICK_TYPE -p -v $BOOT_DEVICE
73 # Mount the boot-partition temporary
74 mount -t $STICK_TYPE $BOOT_DEVICE /mnt/boot
76 # Decrypt the master image which holds the secret keys
77 MASTER_SEED=`cat /.seed_master`
78 MASTER_PASS=`cat /.pass_master`
79 echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 /mnt/boot/master.img || halt_script
80 # "Source" the user's special script which holds the start position
81 source /mnt/boot/.start2_$1.sh
82 # Mount the master image read/write to update the seed
83 mount -t $STICK_TYPE -o ro /dev/loop13 /mnt/stick
84 # Decrypt the 2nd partition for importing temporarily the user's key
85 USER_SEED=`cat /mnt/stick/.seed_$1`
86 USER_PASS=`cat /mnt/stick/.pass_$1`
87 losetup -o $START2 /dev/loop12 "$STICK_DEVICE"
88 echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12
89 mount -t $STICK_TYPE -o ro /dev/loop11 /mnt/stick2 || halt_script
90 # Import the secret key
91 gpg --import < /mnt/stick2/$1-secret.gpg > /dev/null 2>&1
92 # Umount and rehash USER_SEED/USER_PASS
93 umount /mnt/stick2 > /dev/null 2>&1
94 losetup -d /dev/loop11 > /dev/null 2>&1
95 USER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1`
96 USER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1`
97 echo $USER_SEED > /mnt/stick/.seed_$1
98 echo $USER_PASS > /mnt/stick/.pass_$1
99 echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12
100 mkfs -t $STICK_TYPE -b 1024 /dev/loop11
101 mount -t $STICK_TYPE /dev/loop11 /mnt/stick2
102 gpg --export-secret-keys -a "$1" > /mnt/stick2/$1-secret.gpg
104 losetup -d /dev/loop11
106 # Remove last loop-devices
107 losetup -d /dev/loop12 > /dev/null 2>&1
108 umount /mnt/stick > /dev/null 2>&1
109 losetup -d /dev/loop13 > /dev/null 2>&1
110 umount /mnt/boot > /dev/null 2>&1
112 # Decrypt the stick now to access the key for decrypting the asset
113 echo $passw | losetup -e $CIPHER -K $STICK_KEY -p 0 -G /root/.gnupg /dev/loop2 /dev/loop8
115 if test "$STATUS" == "0"; then
116 # mount >> /mounts.lst
118 fsck -t $STICK_TYPE -p -v /dev/loop2 > /stick.msg 2>&1
120 if test "$STATUS" != "0"; then
121 # Hold a warning message
124 mount -t $STICK_TYPE /dev/loop2 $KEYS > /dev/null 2>&1
125 if test "$?" == "0"; then
126 # Check if key exists
128 if test -e "$KEYS/$1-secret.gpg"; then
129 MD5=`md5sum -b $KEYS/$1-secret.gpg | cut -c -32`
130 for m5 in $MD5SUMS; do
131 if test "$m5" == "$MD5"; then
132 # It does exist so stop searching for it
139 if test "$FAILED" == "1"; then
143 echo "$0: Sorry, cannot verify keyfile! Fatal error."
147 # Keyfile not found! :-(
150 echo "$0: Sorry, invalid user $1!"
157 if ! test STICK_WARNING; then
158 echo "$0: WARNING: The stick-fs was bad or not unmounted before! ($STATUS)"
160 echo "Press RETURN to continue or CTRL-C to enter rescue console..."
161 read -s dummy || halt_script
163 rm -f /stick.msg > /dev/null 2>&1
165 echo "Wrong password! (Attempts left: $((3 - $TRY)))"
168 echo "No password given!"
173 if [ $FAILED -ne 0 ]; then
174 echo "$0: Sorry, you get only three attempts to guess the password."
178 if test "$FAILED" == "0"; then
179 # The key seems to be not changed so let's decrypt the asset
180 echo "$0: Stage 1 - Decrypting asset..."
181 echo $passw | losetup -e $CIPHER -p 0 -K "$KEYS/$1-secret.gpg" -G /root/.gnupg /dev/loop7 $ASSET || halt_script > /dev/null 2>&1
182 echo "$0: Stage 1 - done."
184 # Prepare all loop devices
186 losetup -d /dev/loop10 > /dev/null 2>&1
187 losetup -d /dev/loop3 > /dev/null 2>&1
188 losetup -d /dev/loop4 > /dev/null 2>&1
190 # Setup the root and data "partition"
191 echo "$0: Stage 2 - Faking partitions (root=8,base-swap=3,base=7) ..."
192 losetup -o $ROOT_OFFSET /dev/loop10 /dev/loop7 || halt_script
193 losetup -o $SWAP_OFFSET /dev/loop3 /dev/loop7 || halt_script
194 echo "$0: Stage 2 - done."
197 # mount >> /mounts.lst
198 echo "$0: Stage 3 - Checking root-fs (this could take loooong)..."
199 fsck -t $ROOT_TYPE -p -v /dev/loop10 > /fsck.log 2>&1
200 if test "$?" != "0"; then
202 echo "Press RETURN to continue or CTRL+C to enter rescue console..."
203 read -s dummy || /bin/sh
205 rm -f /fsck.log > /dev/null 2>&1
206 echo "$0: Stage 3 - done."
208 echo "$0: Stage 4 - Mounting root-fs ..."
209 mount /dev/loop10 $MOUNT > /dev/null 2>&1
210 echo "$0: Stage 4 - done."
212 echo "$0: Stage 5 - Preparing DATA filesystem ..."
213 if test -e "/.raid_cfg.sh"; then
214 # Run RAID setup script (no "exit" command there!)
215 source raid.sh $1 $passw
216 # Something which you can use but not /home!
217 losetup -o $DATA_OFFSET /dev/loop5 /dev/loop7 > /dev/null 2>&1
220 losetup -o $DATA_OFFSET /dev/loop9 /dev/loop7 > /dev/null 2>&1
222 echo "$0: Stage 5 - done."
224 # Remove the key with loop device
225 echo "$0: Stage 6 - Removing USB stick ..."
227 losetup -d /dev/loop2
228 losetup -d /dev/loop8
229 echo "$0: Stage 6 - done."
231 # Mount DATA (mostly /home)
232 # mount >> /mounts.lst
233 echo "$0: Stage 7 - Checking filesystem on DATA ..."
234 fsck -t $DATA_TYPE -p -v /dev/loop9 > /dev/null 2>&1
235 echo "$0: Stage 7 - done."
237 echo "$0: Stage 8 - Mounting filesystem on DATA ..."
238 mount -t $DATA_TYPE /dev/loop9 $MOUNT/home/ > /dev/null 2>&1
239 echo "$0: Stage 8 - done."
241 # Run swap.sh (DO NOT USE exit THERE!)
242 echo "$0: Stage 9 - Activating swap space ..."
244 echo "$0: Stage 9 - done."