--- /dev/null
+AUTHORS.txt
+-----------
+
+This file's format goes like this way:
+
+- Author's real name aka. "nickname" <valid email address>
+ (function in project | is related to)
+
+So here we go with all authors who has contributed parts to this project:
+
+- Roland Häder aka. "Quix0r" <webmaster@mxchange.org>
+ (Project starter and maintainer)
--- /dev/null
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null
+NEWS.txt - File
+---------------
+
+In this file I will write some news related to this project. So please keep an
+eye on this to stay up-to-date.
+
+2006/05/16 - 13:16pm
+--------------------
+
+- First news written and first package completed.
+- Version v0.0.2 finished (0.0.2 was for testing only!)
--- /dev/null
+/--------------------------------------------\
+| README file for Secure-Linux Project |
+| Copyright (c) 2005, 2006 by Roland Häder |
+|--------------------------------------------|
+| This software is licensed under the GNU |
+| General Public License Version 2 or either |
+| and comes with ABSOLUTELY NO WARRANTY |
+| neither implied nor explicit. |
+\--------------------------------------------/
+
+Some general things before starting:
+------------------------------------
+
+- Read this file carefully before running executing any script!
+
+- Read the LICENSE.txt file if you want to know more about the license covering
+ this software. :-)
+
+- See AUTHORS.txt for contact informations.
+
+- And don't forget to have a look in the TODO.txt file when you are interested
+ in helping us to make these scripts better.
+
+- Always make a backup of your data / docs / source code / whatever which is
+ important to you. We cannot restore your lost data!
+
+- Test the optional free ISO image (round-about 120 megs) together with qemu
+ and write me (webmaster [at] mxchange [dot] org) back your feedback.
+
+- Checkout .settings.sh twice before using it on real devices (MAKE BACKUP
+ FIRST!)
+
+- If you don't find a LICENSE.txt file within this package please contact the
+ Free Software Foundation at http://www.fsf.org or http://www.fsfeurope.org and
+ report them you have found this software!
+
+- License for additional files in DOCS: I'm not interested in these files so
+ they go with this package "as is". Use them (especially the README.txt) for
+ your needs as you like.
--- /dev/null
+TODO List
+---------
+
+Several things must be done in this project:
+
+- Improve setup procedure (will be re-imported from 0.0.1 soon!)
+- Make some scripts a little more flexible
+- Add nice dialogs for setting up .settings.sh and the whole procedure
+ (as like as debconf uses them)
+- Improve documentation
+- Stop using prohibitory software and join the Free Software Community! :-)
--- /dev/null
+# This is the footer for .local.sh Add what you want here. :-)
+# But please also never use exit here.
+#
+# Uncomment the following three lines for debugging the order of md5sums.
+#for md5 in $MD5SUMS; do
+# echo $md5
+#done
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Local configuration file #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+if test "$1" == ""; then
+ if test "$INSTALL" != "1"; then
+ echo "$0: Please provide a username as first argument!"
+ exit 255
+ fi
+fi
+
+# This script will hold the configuration data after setup.
+# It will be generated automatically! DO NOT EDIT THIS FILE UNLESS YOU
+# KNOW WHAT YOU ARE DOING!
+#
+# And never use exit here. This file will be source'd
+export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Main configuration file #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+######## Begin general stuff ########
+# 1=Setup mode. If you turn this off, a username will be requested
+INSTALL="1"
+# Option for cp/mkdir/rm-commands for verbose output
+VERBOSE="-v"
+# Update switch for cp-command. You can remove this for always copy.
+UPDATE="-u"
+# Options for the dd-cmmand (CARE!)
+CONVERT=""
+# Use strict OpenPGP behavior for gpg commands
+OPENPGP="--openpgp"
+# Length of all seeds (15-25 shall be fine)
+SEED_LEN="15"
+# Length of the random password
+PASS_LEN="40"
+# 1=Forces cpio.sh to copy all given files/directories without checking sizes
+FORCE_CPIO="1"
+# Which program shall I take? awk or gawk (last prefered!)
+AWK=`which gawk | tail -n 1`
+# Does the test go right?
+if test "$AWK" == ""; then
+ echo "$0: Failed! The program gawk was found! We need this program"
+ echo "$0: to calculate with decimal-dotted values in functions.sh!"
+ exit 255
+fi
+######## End general stuff ########
+
+########## Begin gen.sh ##########
+BASEDIR="/encrypt"
+# For now on this will be setup automatically
+ASSET=""
+# For testing purposes use an image like this
+#ASSET_DEVICE="$BASEDIR/setup/images/asset.img"
+# For productive purposes use a "real" device here
+ASSET_DEVICE="/dev/hda"
+# For productive purposes use a "real" partition here:
+CIPHER="AES256"
+KEYS="$BASEDIR/keys"
+SECRETS="$BASEDIR/secrets"
+STICK="$BASEDIR/stick"
+LOOP_ASSET="/dev/loop1"
+LOOP_TEST="/dev/loop2"
+# *Exactly* the same name(s) as you entered while gpg --gen-key for comment
+USERS="quix0r angei junior"
+# The master-key for creating the encrypted filesystem
+MASTER="$BASEDIR/setup/keys/masterkey-secret.gpg"
+# Additional keys (e.g. for your laptop) The path "BASEDIR/setup/keys" will be added!
+EXTRA_KEYS="laptop-secret.gpg videos-secret.gpg home-secret.gpg"
+# * 1kByte! No value means scrambling is disabled. A zero (0) together with
+# Real device (/dev/hda; /dev/drbd0; etc.) means use shred
+#COUNT="$((200*1024))"
+COUNT="0"
+RAND="/dev/urandom"
+# Use openssl or dd for scrambling disc/image? (dd=0, openssl=1)
+OPENSSL="1"
+# The multi-key for encrypting disc/image
+MULTI_KEY="$BASEDIR/setup/keys/userkey-secret.gpg"
+# The multi-key for encrypting disc/image
+STICK_KEY="$BASEDIR/setup/keys/stick-secret.gpg"
+MULTI_KEY_SUFFIX="secret.gpg"
+# The first user is the "master" of this system
+MASTER_USER=`echo $USERS | awk '{print $1}'`
+# 1= Zero LOOP_ASSET after setting up. This will be done in gen.sh
+ZERO_ASSET="1"
+
+########## End gen.sh ############
+
+########## Begin initrd.sh ##########
+BOOT_DEVICE="$ASSET_DEVICE"1
+BOOT_MOUNT="$BASEDIR/root/boot"
+if test "$UMOUNT_INITRD" == ""; then
+ # Shall I umount the initrd after creation?
+ UMOUNT_INITRD="0"
+fi
+KERN_VER="2.6.8-2-386"
+KERN_FOUND="0" # Never set it to 1 here!
+INITRD_LOOP="/dev/loop5"
+# Check filesystem? (will be overriden after initial creation)
+CHK_LOOP="1"
+# Relative directory for mouting stick et cetera (to /)
+MNT="mnt"
+# Relative directory for storing key file(s) and seed (to /MNT)
+KEYS_DIR="keys"
+########## End initrd.sh ##########
+
+########## Begin asses.sh ###########
+ROOM_PART="12288" # "Zero'ed" room between partitions
+
+# Filesystems
+FS_BOOT="ext2"
+FS_ROOT="ext3"
+FS_DATA="ext3"
+FS_STICK="ext2"
+
+# Special mount points (e.g. for "data partition")
+MP_DATA="$BASEDIR/root/home"
+
+# Sizes for misc things (I have used a 200 GB HDD)
+SIZE_BLOCK="4096" # Size of a block in filesystem
+# Size of encrypted swap partition
+# GB MB KB
+SIZE_SWAP="$(( 2*1024*1024))" # = 2 GB
+#SIZE_SWAP="$(( 20*1024))" # = 20 MB
+# Size of unencrypted boot partition (for kernel-image, Sytem.map and initrd)
+SIZE_BOOT="$(( 8*1024))" # = 8 MB
+# Size of encrypted root (/) partition
+# GB MB KB
+SIZE_ROOT="$((170*1024*1024))" # = 170 GB
+#SIZE_ROOT="$(( 110*1024))" # = 100 MB
+SIZE_MAX="0" # Will be calculated later!
+
+# Some extra space which would be left free after second partition
+# You have to experiment with this value until it matches!
+# You may find out if all disc space is consumed with "cfdisk ASSET_DEVICE"
+SIZE_EXTRA="$((1024 * 9 + 231))"
+
+# Offsets for the losetup command
+OFFSET_SWAP="$(($SIZE_BOOT*1024+$ROOM_PART))"
+OFFSET_ROOT="$(($OFFSET_SWAP+$SIZE_SWAP*1024+$ROOM_PART))"
+OFFSET_DATA="$(($OFFSET_ROOT+$SIZE_ROOT*1024+$ROOM_PART))"
+
+# This value will be overridden later
+BLOCKS_ROOT="0"
+# 1= umount asset, 0= keep asset mounted (needed to continue with cpio.sh
+UMOUNT_ASSET="0"
+# Count of iterations for losetup
+ITER="200"
+
+# Modules needed for booting system
+MODULES="loop"
+
+######## End assest.sh #############
+
+# Files and directories which we can to copy with cpio (do not copy all here!)
+CPIO_FILES="/home/ /root"
+
+# The target stick device (for testing place an 4MB image here)
+#STICK_DEVICE="$BASEDIR/setup/images/stick.img"
+# Change this to your USB stick device!
+STICK_DEVICE="/dev/sda" # Please use the testing image above first!
+# Size of the USB stick device in 1kBytes (will be overwritten later)
+STICK_SIZE="$((256*1024))"
+# This size will be used only for creating an image which has the same
+# raw size as your USB stick has. So please check the total size of first.
+# NOTE: If you want to change this to your real device (/dev/sda e.g.) and
+# you already run asset.sh / stick.sh then please run asset.sh again!
+#
+# Otherwise your stick may take "logical" damage.
+
+# The FQFN of the usb-storage module, change it to your matching version
+USB_STORAGE="/lib/modules/$KERN_VER/kernel/drivers/usb/storage/usb-storage.ko"
+
+# Shall I zero the sticks before creating partitions on it? (solves some problems with parted)
+STICK_ZERO="1" # 0=Disabled
+
+# Is there an additional .local.sh script? (for testing)
+LOCAL="0"
+if test -e ./.local.sh; then
+ # Include local configuration file
+ echo "$0: Loading .local.sh."
+ . ./.local.sh
+ LOCAL="1"
+ elif test -e $BASEDIR; then
+ # Use existing directory
+ echo "$0: Using $BASEDIR."
+ else
+ # Create base directory (maybe first call?)
+ mkdir $VERBOSE $BASEDIR
+fi
+
+# Load additional functions
+. $BASEDIR/include/functions.sh
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Creates the encrypted asset #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+rm -fv ./.local.sh
+. ./.settings.sh || exit 3
+
+if test "$UMOUNT_ASSET" == "0"; then
+ umount /dev/loop3 > /dev/null 2>&1
+ umount /dev/loop2 > /dev/null 2>&1
+ losetup -d /dev/loop3 > /dev/null 2>&1
+ losetup -d /dev/loop2 > /dev/null 2>&1
+ losetup -d /dev/loop1 > /dev/null 2>&1
+fi
+
+if test -e $MULTI_KEY; then
+ echo "$0: Keyfile found."
+ else
+ echo "$0: Keyfile not found! Run gen.sh first."
+ exit 2
+fi
+
+mkdir $VERBOSE $KEYS $SECRETS $STICK
+
+if test -e $BASEDIR/.seed; then
+ echo "$0: Using saved seed... "
+ else
+ echo "$0: Please run gen.sh first to generate the seeds!"
+ exit 255
+fi
+
+if test -e $BASEDIR/.stick_seed; then
+ echo "$0: Using saved stick seed... "
+ else
+ echo "$0: Please run gen.sh first to generate the seeds!"
+ exit 255
+fi
+
+MKFS="0" # Make no filesystem is the default
+if test -e $BASEDIR/.created; then
+ echo "$0: Using existing filesystem on $FS_ROOT."
+else
+ echo "$0: Will create/overwrite filesystem on $FS_ROOT."
+ MKFS="1"
+fi
+for usr in $USERS; do
+ if test "$MKFS" == "1" && test ! -e "$BASEDIR/.stick_$usr"; then
+ # Remove invalid image if present (e.g. different seed)
+ rm $VERBOSE -f $BASEDIR/setup/images/key-$usr.img
+ fi
+
+ if test -e $BASEDIR/setup/images/key-$usr.img; then
+ echo "$0: Key-image found for $usr."
+ else
+ echo -n "$0: Generating key-image for $usr ... "
+ head -c 256k $RAND > $BASEDIR/setup/images/key-$usr.img
+ echo "done"
+ losetup -e $CIPHER -K $STICK_KEY /dev/loop2 $BASEDIR/setup/images/key-$usr.img || exit 1
+ mke2fs /dev/loop2 || exit 4
+ mount /dev/loop2 $KEYS
+ cp $VERBOSE $BASEDIR/setup/keys/$usr-$MULTI_KEY_SUFFIX $KEYS/
+ umount $KEYS
+ losetup -d /dev/loop2
+ fi
+done
+
+if test -b $ASSET_DEVICE; then
+ # Real device
+ echo "$0: Using real device."
+ DEVICE="$ASSET_DEVICE"
+ BOOT="$ASSET_DEVICE"1
+ ASSET="$ASSET_DEVICE"2
+ else
+ # Image for testing
+ echo "$0: Using loop-device on test image."
+ losetup -e NONE /dev/loop7 $ASSET_DEVICE || exit 1
+ losetup -e NONE -o 64512 /dev/loop8 /dev/loop7 || exit 1
+ losetup -e NONE -o $OFFSET_SWAP /dev/loop9 /dev/loop7 || exit 1
+ DEVICE="/dev/loop7"
+ BOOT="/dev/loop8"
+ ASSET="/dev/loop9"
+fi
+
+
+echo -n "$0: Scrambling $DEVICE ... "
+if test "$COUNT" == "0" && test -b $DEVICE; then
+ # Whole disc/partition
+ echo
+ # You can watch the process here...
+ shred -n 1 $VERBOSE $DEVICE || exit 1
+ echo
+ elif test "$COUNT" != "0" && test -b $DEVICE; then
+ # Disabled!
+ echo "disabled"
+ elif test $COUNT -gt 0 && test -f $DEVICE; then
+ # Maybe file for testing?
+ if test "$OPENSSL" == "1"; then
+ openssl rand -out $DEVICE $(($COUNT*1024)) > /dev/null 2>&1
+ else
+ dd if=$RAND of=$DEVICE bs=1k count=$COUNT > /dev/null 2>&1
+ fi
+ echo "done"
+ else
+ # Invalid mode
+ echo "invalid!"
+ echo "$0: You entered an invalid value for ASSET and COUNT:"
+ echo
+ echo "ASSET=$ASSET"
+ echo "COUNT=$COUNT"
+ exit 6
+fi
+
+echo -n "$0: Setting up $LOOP_ASSET ... "
+head -c $SEED_LEN $RAND | uuencode -m - | head -n 2 | tail -n 1 | losetup -p 0 -e $CIPHER -S `cat $BASEDIR/.seed` -C $ITER $LOOP_ASSET $DEVICE || exit1
+
+if test "$ZERO_ASSET" == "1"; then
+ # This may take very long on large discs!
+ echo -n "Zero-ing... "
+ nice -n 19 dd if=/dev/zero of=$LOOP_ASSET bs=4k conv=notrunc 2>/dev/null
+fi
+losetup -d $LOOP_ASSET || exit 1
+echo "done"
+
+if test ! -e "$BASEDIR/.created"; then
+ MB="$(($SIZE_BOOT/1024))"
+ echo "$0: Zeroing $DEVICE ($MB MB only)..."
+ dd if=/dev/zero of=$DEVICE bs=1k count=$SIZE_BOOT > /dev/null 2>&1
+
+ parted -s $DEVICE mklabel msdos || exit 1
+
+ # Determine maximum sectos
+ SIZE_MAX=`cfdisk -P s $DEVICE | grep "Free Space" | cut -c26- | cut -f1 -d " "`
+ # One secor = 512 Byte so we can calculate the maximum MBytes + some extra
+ SIZE_MAX="$(($SIZE_MAX * 512 / 1024 / 1024 + $SIZE_EXTRA))"
+ echo "$0: Maximum size is $SIZE_MAX MByte"
+
+ echo -n "$0: Creating partitions on $ASSET_DEVICE ... "
+ #parted -s $DEVICE mkpart extended 0 $SIZE_MAX || exit 1
+ echo -n "."
+ parted -s $DEVICE mkpart primary 0 $MB || exit 1
+ echo -n "."
+ parted -s $DEVICE mkpart primary $MB $SIZE_MAX || exit 1
+ echo ". done"
+
+ echo "$0: Creating $FS_BOOT on $BOOT..."
+ mkfs -t $FS_BOOT -b $SIZE_BLOCK $BOOT || exit 1
+fi
+echo
+echo "$0: Need a password for creating asset on $ASSET."
+echo
+losetup -e $CIPHER -C $ITER -S `cat $BASEDIR/.seed` -K $MULTI_KEY /dev/loop1 $ASSET || exit 1
+
+echo "$0: Creating randomized swap partition..."
+mkswap /dev/loop1 $SIZE_SWAP || exit 1
+
+mkdir $VERBOSE $BASEDIR/root
+
+losetup -e NONE -o $OFFSET_ROOT /dev/loop2 /dev/loop1 || exit 1
+
+if test "$MKFS" == "1"; then
+ # Run a "dry" test to gather maximum size of target /dev/loop2
+ SIZE_MAX=`mke2fs -n -j -b $SIZE_BLOCK /dev/loop2 | grep "inodes," | cut -f 3 -d " "`
+ SIZE_MAX="$((SIZE_MAX * $SIZE_BLOCK - $OFFSET_DATA))"
+ BLOCKS_ROOT="$(($SIZE_ROOT * 1024 / $SIZE_BLOCK))"
+ FREE_SPACE="$(($OFFSET_DATA - ($OFFSET_ROOT + $BLOCKS_ROOT * $SIZE_BLOCK)))"
+ echo -n "$0: Size<->Offset-Data: $FREE_SPACE - "
+ # DEBUG: read dummy
+ if test "$FREE_SPACE" == "$ROOM_PART"; then
+ echo "okay"
+ else
+ echo "failed!"
+ echo "FREE_SPACE=$FREE_SPACE / ROOM_PART=$ROOM_PART"
+ exit 6
+ fi
+
+ mkfs -t $FS_ROOT -b $SIZE_BLOCK /dev/loop2 $BLOCKS_ROOT || exit 1
+ else
+ fsck.$FS_ROOT -pv /dev/loop2 || exit 2
+fi
+mount -t $FS_ROOT /dev/loop2 $BASEDIR/root
+
+mkdir $VERBOSE $BASEDIR/root/initrd $BOOT_MOUNT $MP_DATA
+
+losetup -o $OFFSET_DATA /dev/loop3 /dev/loop1 || exit 1
+
+if test "$MKFS" == "1"; then
+ mkfs -t $FS_DATA -b $SIZE_BLOCK /dev/loop3 $BLOCKS_DATA || exit 1
+ echo -n "" > $BASEDIR/.created
+ else
+ fsck.$FS_DATA -pv /dev/loop3 || exit 2
+fi
+
+mount /dev/loop3 $MP_DATA
+
+if test "$UMOUNT_ASSET" == "1"; then
+ umount /dev/loop3
+ umount /dev/loop2
+ losetup -d /dev/loop3
+ losetup -d /dev/loop2
+ losetup -d /dev/loop1
+fi
+
+# Is the .local.sh not beeing created or STICK_SIZE not yet set?
+if ! test -e "$BASEDIR/.local.sh" || test "$STICK_SIZE" == "xxx"; then
+ # Now we can write the .local.sh script which keeps our configuration stuff
+ echo -n "$0: Writing .local.sh ... "
+ cp $BASEDIR/.local.sh.head $BASEDIR/.local.sh > /dev/null 2>&1
+ if test -b "$STICK_DEVIE"; then
+ # On real stick device
+ echo "KEYS=/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh
+ echo "SEED_STICK=/.seed" >> $BASEDIR/.local.sh
+ else
+ # For testing purposes
+ echo "KEYS=$BASEDIR/initrd/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh
+ echo "SEED_STICK=$BASEDIR/initrd/.seed" >> $BASEDIR/.local.sh
+ fi
+ echo "SEED_LEN=$SEED_LEN" >> $BASEDIR/.local.sh
+ echo "PASS_LEN=$PASS_LEN" >> $BASEDIR/.local.sh
+ echo "RAND=$RAND" >> $BASEDIR/.local.sh
+ echo "SEED_USER=\$KEYS/.seed" >> $BASEDIR/.local.sh
+ echo "SEED_STICK_MD5=\"`md5sum -b $BASEDIR/.stick_seed | cut -c -32`\"" >> $BASEDIR/.local.sh
+ echo "ASSET=$ASSET" >> $BASEDIR/.local.sh
+ echo "ROOT_OFFSET=$OFFSET_ROOT" >> $BASEDIR/.local.sh
+ echo "DATA_OFFSET=$OFFSET_DATA" >> $BASEDIR/.local.sh
+ echo "SWAP_OFFSET=$OFFSET_SWAP" >> $BASEDIR/.local.sh
+ echo "SWAP_SIZE=$SIZE_SWAP" >> $BASEDIR/.local.sh
+ if test -b "$STICK_DEVIE"; then
+ # On real stick device
+ echo "MOUNT=/$MNT/new-root/" >> $BASEDIR/.local.sh
+ echo "STICK_KEY=\"\$KEYS/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh
+ else
+ # For testing purposes
+ echo "MOUNT=$BASEDIR/initrd/$MNT/new-root/" >> $BASEDIR/.local.sh
+ echo "STICK_KEY=\"$BASEDIR/initrd/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh
+ fi
+ echo "if test \"\$1\" != \"\"; then" >> $BASEDIR/.local.sh
+ echo " DISC_KEY=\"\$1.gpg\"" >> $BASEDIR/.local.sh
+ echo " else" >> $BASEDIR/.local.sh
+ echo " DISC_KEY=\"\"" >> $BASEDIR/.local.sh
+ echo "fi" >> $BASEDIR/.local.sh
+ echo "STICK_MD5=`md5sum -b $STICK_KEY | cut -c -32`" >> $BASEDIR/.local.sh
+ echo "STICK_LOOP=/dev/loop4" >> $BASEDIR/.local.sh
+ echo "CIPHER=$CIPHER" >> $BASEDIR/.local.sh
+ echo "ITER=$ITER" >> $BASEDIR/.local.sh
+ echo "BOOT_DEVICE=\""$ASSET_DEVICE"1\"" >> $BASEDIR/.local.sh
+ echo "ROOT_TYPE=$FS_ROOT" >> $BASEDIR/.local.sh
+ echo "DATA_TYPE=$FS_DATA" >> $BASEDIR/.local.sh
+ echo "STICK_TYPE=$FS_STICK" >> $BASEDIR/.local.sh
+ echo "STICK_DEVICE=$STICK_DEVICE" >> $BASEDIR/.local.sh
+ echo "STICK_START=xxx" >> $BASEDIR/.local.sh
+ if test -b "$STICK_DEVIE"; then
+ # On real stick device
+ echo "STICK_MOUNT=/$MNT/stick" >> $BASEDIR/.local.sh
+ else
+ # For testing purposes
+ echo "STICK_MOUNT=$BASEDIR/initrd/$MNT/stick" >> $BASEDIR/.local.sh
+ fi
+
+ # Write more MD5 sums here
+ for user in $USERS; do
+ MD5=`md5sum -b $BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX | cut -c -32`
+ if test "$user" == "$MASTER_USER"; then
+ # First MD5 sum
+ echo "MD5SUMS=\"`echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh
+ else
+ # Next/last MD5 sum
+ echo "MD5SUMS=\"\$MD5SUMS `echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh
+ fi
+ done
+
+ # Append existing footer script to this script
+ if test -e "$BASEDIR/.local.sh.foot"; then
+ echo "" >> $BASEDIR/.local.sh
+ cat $BASEDIR/.local.sh.foot >> $BASEDIR/.local.sh
+ fi
+
+ # Set rights/owner/group
+ echo " done"
+ chmod -c go-rwx,u+rwx $BASEDIR/.local.sh
+ chown -c root.root $BASEDIR/.local.sh
+
+ # Extra syncing
+ sync
+
+ echo
+ echo "$0: .local.sh is now created."
+else
+ echo "$0: Creation of .local.sh skipped."
+fi
+echo
+echo "You may want to execute initrd.sh to setup your initrd image."
+if test -f "$ASSET"; then
+ echo -n "$0: Removing file $ASSET... "
+ rm -f $ASSET
+ touch $ASSET
+ echo "done"
+fi
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Copys choosen directories/files #
+# to the asset #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+. ./.settings.sh || exit 3
+
+cd /
+#find bin dev etc home lib mnt opt root sbin sys tmp usr var -print0 | \
+if test "$FORCE_CPIO" != "1"; then
+ # Check size of given targets
+ ALL_TOTAL="0"
+ for target in $CPIO_FILES; do
+ TOTAL="0"
+ if test -d "$target"; then
+ # Directory
+ if test "$VERBOSE" == "-v"; then
+ echo "$0: $target is a directory."
+ fi
+ sh $BASEDIR/sizes.sh $target
+ elif test -f "$target"; then
+ # File
+ TOTAL=`stat --format="%s" $target`
+ if test "$VERBOSE" == "-v"; then
+ echo "$0: $target is $TOTAL Bytes large."
+ fi
+ else
+ # Something else is not counted
+ if test "$VERBOSE" == "-v"; then
+ echo "$0: $target is no file/directory -> 0 Bytes forced."
+ fi
+ fi
+ ALL_TOTAL="$(($ALL_TOTAL + $TOTAL))"
+ done
+ echo
+ # Size for below if command
+ CHECK="$((ALL_TOTAL/1024))"
+
+ # Begin looking for right unit (GB/MB/kB/Bytes)
+ UNIT="GByte"
+ SIZE="$((ALL_TOTAL/1024/1024/1024))"
+ if test "$SIZE" == "0"; then
+ UNIT="MByte"
+ SIZE="$((ALL_TOTAL/1024/1024))"
+ if test "$SIZE" == "0"; then
+ UNIT="kByte"
+ SIZE="$((ALL_TOTAL/1024))"
+ if test "$SIZE" == "0"; then
+ UNIT="Bytes"
+ SIZE="$ALL_TOTAL"
+ fi
+ fi
+ fi
+
+ echo -n "$0: Total size: $SIZE $UNIT -> "
+ if test $SIZE_ROOT -gt $CHECK; then
+ echo "okay"
+ else
+ echo "warning!"
+ fi
+ echo
+ echo "$0: Press RETURN if this is also okay for you."
+ read dummy
+else
+ # Do not check sizes of targets in CPIO_FILES
+ echo "$0: Warning: Will copy targets in CPIO_FILES regardless if you have"
+ echo "$0: enough space on $BASEDIR/root/!"
+ echo
+ echo "Press RETURN to begin copy process or CTRL+C to abort..."
+ read dummy
+fi
+
+
+# Shall I copy files?
+if test "$CPIO_FILES" != ""; then
+ TEST=`grep "$BASEDIR" $CPIO_FILES`
+ if test "$TEST" != ""; then
+ echo "$0: Found my own path $BASEDIR in CPIO_FILES! Aborting..."
+ exit 6
+ fi
+
+ find $CPIO_FILES -print0 | \
+ cpio --pass-through --make-directories --null --reset-access-time \
+ --make-directories --preserve-modification-time --verbose $BASEDIR/root/
+
+ # Do some extra sync
+ sync
+fi
+
+# Create additional directories
+mkdir $VERBOSE $BASEDIR/root/{boot,cdrom,floppy,proc}
+
+echo "$0: When no error ('no space left on device' may"
+echo "$0: occur on testing images) then please continue"
+echo "$0: with stick.sh to setup your USB stick(s)!"
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Finish installation #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+. ./.settings.sh || exit 3
+
+# Need to do "cd $BASEDIR/source" and "cp --parents -a etc/init.d/swap.sh
+# $BASEDIR/root" here.
+
+# We can also do distribution-dependent things here for installing it on
+# $BASEDIR/root. E.g. for Debian: dpkg --get-selections > list.tmp and
+# debootstrap $SUIT $BASEDIR/root
+
+echo "$0: Please customize .local.sh now and check-out ASSET."
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Create keys and key-images #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+. ./.settings.sh || exit 3
+mkdir $VERBOSE -p $BASEDIR/setup/{images,keys}
+
+if test -e $BASEDIR/.seed; then
+ echo "$0: Using saved seed... "
+ losetup -d $LOOP_ASSET > /dev/null 2>&1
+ else
+ echo -n "$0: Creating seed... "
+ head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1 > $BASEDIR/.seed
+ echo "done"
+fi
+
+if test -e $BASEDIR/.stick_seed; then
+ echo "$0: Using saved stick seed... "
+ losetup -d $LOOP_ASSET > /dev/null 2>&1
+ else
+ echo -n "$0: Creating seed... "
+ head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1 > $BASEDIR/.stick_seed
+ echo "done"
+fi
+
+for user in $USERS; do
+ if ! test -e "$BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX"; then
+ echo "$0: Generate key for $user..."
+ gpg $OPENPGP --quiet --gen-key --cipher-algo $CIPHER
+ else
+ echo "$0: Key found for $user."
+ fi
+done
+
+if ! test -e "$MASTER"; then
+ echo -n "$0: Generating master key... "
+ head -c 2925 $RAND | uuencode -m - | head -n 66 | tail -n 65 | gpg $OPENPGP --cipher-algo $CIPHER -e -a -r $MASTER_USER > $MASTER 2> /dev/null
+ echo "done"
+else
+ echo "$0: Master key found."
+fi
+
+mkdir $VERBOSE $KEYS > /dev/null 2>&1
+umask 077
+
+# Generate options list
+OPTIONS=""
+for user in $USERS; do
+ OPTIONS="$OPTIONS -r $user"
+done
+
+# Write multi-key for encrypting disc
+if ! test -e "$MULTI_KEY"; then
+ gpg $OPENPGP --decrypt < "$MASTER" | gpg $OPENPGP -e -a --always-trust $OPTIONS > "$MULTI_KEY" || exit 1
+else
+ echo "$0: User-key found."
+fi
+
+# Write another multi-key for accessing the stick
+if ! test -e "$STICK_KEY"; then
+ gpg $OPENPGP --decrypt < "$MASTER" | gpg $OPENPGP -e -a --always-trust $OPTIONS > "$STICK_KEY" || exit 1
+else
+ echo "$0: Stick-key found."
+fi
+
+# Write additional keys
+for key in $EXTRA_KEYS; do
+ FILE="$BASEDIR/setup/keys/$key"
+ if ! test -e "$FILE"; then
+ echo "$0: Generating key $key..."
+ gpg $OPENPGP --decrypt < "$MULTI_KEY" | gpg $OPENPGP -e -a --always-trust $OPTIONS > "$FILE" || exit 1
+ else
+ echo "$0: Key $key found."
+ fi
+done
+
+# Write keys for the users
+for user in $USERS; do
+ if ! test -e "$BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX"; then
+ echo "$0: Generating key-file for $user ..."
+ gpg $OPENPGP --decrypt < "$MULTI_KEY" | gpg $OPENPGP -e -a --always-trust -r "$user" > "$BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX"
+ else
+ echo "$0: Key found for $user."
+ fi
+done
+
+echo "$0: done"
+echo
+echo "Now you may want to execute asset.sh to continue"
+echo "You can also customize some things now."
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Additional functions #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+make_part()
+{
+ # Creates partitions on DEVICE
+ echo "$0: Zeroing stick on $DEVICE... (this can take loooong . . . )"
+ dd if=/dev/zero of=$DEVICE bs=1k > /dev/null 2>&1
+ echo "$0: Analysing stick size on $DEVICE..."
+ parted -s $DEVICE mklabel msdos > /dev/null 2>&1
+
+ SIZE=""
+ # Determine maximum sectos
+ for pos in `seq 26 30`; do
+ SIZE=`cfdisk -P s $DEVICE | grep "Free Space" | cut -c$pos- | cut -f1 -d " "`
+ if test "$SIZE" != ""; then
+ #echo "$0: DEBUG: $pos=$SIZE"
+ break
+ fi
+ done
+
+ # One secor = 512 Byte so we can calculate the maximum MBytes + some extra
+ SIZE="$(($SIZE * 512 / 1024 / 1024))"
+ echo "$0: Maximum size is $SIZE MByte"
+ echo -n "$0: Creating partitions... "
+ # This holds the encrypted filesystem with the main key
+ parted -s $DEVICE mkpartfs primary ext2 0 1 > /dev/null 2>&1
+ echo -n "."
+ # This holds an encrypted filesystem for the key to unlock part1
+ parted -s $DEVICE mkpartfs primary ext2 2 3 > /dev/null 2>&1
+ echo -n "."
+ # This is the last part for data you want to carry on the stick with you
+ parted -s $DEVICE mkpartfs primary fat32 4 $SIZE > /dev/null 2>&1
+ echo ". done"
+ echo -n "$0: Analysing... "
+ cfdisk -P s $DEVICE > $BASEDIR/.parted
+ parted -s $DEVICE rm 1 > /dev/null 2>&1
+ parted -s $DEVICE rm 2 > /dev/null 2>&1
+ echo "done"
+ cat $BASEDIR/.parted
+ echo "$0: Press RETURN to continue or CTRL+C to abort..."
+ read dummy
+}
+
+analyse_stick()
+{
+ # Now let's analyse the stick/image...
+ echo -n "$0: Analysing $DEVICE ... "
+
+ START1=`cat $BASEDIR/.parted | grep "1 Primary" | awk '{print $3}' | cut -f 1 -d "*"`
+ START1=`$AWK --assign=start=$START1 'BEGIN {print start*512}'`
+ echo -n "."
+
+ START2=`cat $BASEDIR/.parted | grep "2 Primary" | awk '{print $3}' | cut -f 1 -d "*"`
+ START2=`$AWK --assign=start=$START2 'BEGIN {print start*512}'`
+ echo -n "."
+
+ START3=`cat $BASEDIR/.parted | grep "4 Primary" | awk '{print $3}' | cut -f 1 -d "*"`
+ START3=`$AWK --assign=start=$START3 'BEGIN {print start*512}'`
+ echo -n "."
+
+ # Enough space for the image? (in Bytes)
+ SIZE_FREE=`cat $BASEDIR/.parted | grep "1 Primary" | awk '{print $6}' | cut -f 1 -d "*"`
+ SIZE_FREE=`$AWK --assign=start=$SIZE_FREE 'BEGIN {print start*512}'`
+ echo ". done"
+
+ # Update STICK_START...
+ echo -n "$0: Updating .local.sh ... "
+ EVAL="sed 's/STICK_START=xxx/STICK_START=1024/g' $BASEDIR/.local.sh > $BASEDIR/tmp"
+ eval $EVAL > /dev/null 2>&1
+ echo "done"
+
+ if test -e $BASEDIR/tmp; then
+ if test "`cat $BASEDIR/tmp`" != "`cat $BASEDIR/.local.sh`"; then
+ # Move existing tmp file back to .local.sh
+ echo -n "$0: Updating .local.sh ... "
+ mv $BASEDIR/tmp $BASEDIR/.local.sh > /dev/null 2>&1
+ chmod go-rwx,u+rwx $BASEDIR/.local.sh > /dev/null 2>&1
+ chown root.root $BASEDIR/.local.sh > /dev/null 2>&1
+ echo "done"
+ echo -n "$0: Re-reading .local.sh ... "
+ . ./.local.sh
+ echo "done"
+ else
+ # Remove tmp file
+ echo "$0: .local.sh is up-to-date."
+ rm $VERBOSE $BASEDIR/tmp
+ fi
+ fi
+}
+
+write_image()
+{
+ # Is enough space there?
+ echo "$0: $SIZE_FREE - $SIZE_TARGET - $STICK_START ($FILE)"
+ if test $SIZE_FREE -gt $SIZE_TARGET; then
+ # Remove any existing loop-devices
+ losetup -d /dev/loop12 > /dev/null 2>&1
+ losetup -d /dev/loop11 > /dev/null 2>&1
+ # Enough space there, so let's copy FILE into STICK_DEVICE
+ echo "$0: Setting up loop-device... (Offset=$STICK_START,Dev=$DEVICE)"
+ losetup -o $STICK_START /dev/loop11 $DEVICE
+ echo "$0: Writing image ... ($SIZE_TARGET Bytes)"
+ dd if=$FILE of=/dev/loop11 bs=1 count=$SIZE_TARGET $CONVERT > /dev/null 2>&1
+ echo "$0: Verifying ... "
+ dd if=/dev/loop11 of=$BASEDIR/verify.img bs=1 count=$SIZE_TARGET $CONVERT > /dev/null 2>&1
+ M1=`md5sum -b $BASEDIR/verify.img | cut -c -32`
+ M2=`md5sum -b $FILE | cut -c -32`
+ if test "$M1" != "$M2"; then
+ echo "$0: Failed! Aborting here... ($M1/$M2)"
+ exit 6
+ else
+ echo "$0: MD5 checksums matches."
+ fi
+ # Remove verify.img
+ rm $VERBOSE $BASEDIR/verify.img
+ # Testing it...
+ echo "$0: Will now test the written image."
+ echo -n "$0: Enter $user's "
+ losetup -e $CIPHER -K $BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX /dev/loop12 /dev/loop11 || exit 1
+ #losetup -a
+ mount -t $FS_STICK /dev/loop12 $BASEDIR/keys || exit 1
+ # Copy the seed to the stick/image
+ cp $VERBOSE $BASEDIR/.seed $BASEDIR/keys
+ echo "$0: Free space: `df | grep /dev/loop12 | awk '{print $4}'` kByte"
+ mount | grep /dev/loop12
+ umount /dev/loop12
+ sync
+ SIZE_MD5="$(($SIZE_TARGET-1024))"
+ echo -n "$0: Generating new MD5... (first $SIZE_MD5 Bytes) "
+ dd if=/dev/loop12 bs=1 count=$SIZE_MD5 > $BASEDIR/md5.img 2>/dev/null
+ MD5=`md5sum -b $BASEDIR/md5.img`
+ echo -n `basename $FILE` >> $BASEDIR/initrd/.md5sums
+ echo -n " " >> $BASEDIR/initrd/.md5sums
+ echo $MD5 | cut -c -32 >> $BASEDIR/initrd/.md5sums
+ echo "done"
+ rm $VERBOSE $BASEDIR/md5.img
+ losetup -d /dev/loop12
+ losetup -d /dev/loop11
+ umount /dev/loop13 > /dev/null 2>&1
+ losetup -d /dev/loop13 > /dev/null 2>&1
+ echo "$0: Test is PASSED. (MD5=`echo $MD5 | cut -c -32`)"
+ # Prepare master image which holds the .seed and .pass files
+ echo "$0: Preparing master-image on $BOOT_MOUNT ($BOOT_DEVICE)... "
+ mkdir --parents $VERBOSE $BOOT_MOUNT
+ umount $BOOT_DEVICE
+ mount $BOOT_DEVICE $BOOT_MOUNT
+ if test "$user" == "$MASTER_USER"; then
+ # Create master image on first user
+ MASTER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1`
+ MASTER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1`
+ dd if=/dev/zero of=$BOOT_MOUNT/master.img bs=1k count=2048 > /dev/null 2>&1
+ echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 $BOOT_MOUNT/master.img || exit 2
+ mkfs -t $FS_STICK -b 1024 /dev/loop13 > /dev/null 2>&1
+ echo $MASTER_SEED > $BASEDIR/.seed_master
+ echo $MASTER_PASS > $BASEDIR/.pass_master
+ cp $VERBOSE $BASEDIR/.????_master $BASEDIR/initrd/
+ else
+ MASTER_SEED=`cat $BASEDIR/.seed_master`
+ MASTER_PASS=`cat $BASEDIR/.pass_master`
+ echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 $BOOT_MOUNT/master.img || exit 2
+ fi
+ mount /dev/loop13 $BASEDIR/initrd/mnt/stick
+ echo "START2=$START2" > $BASEDIR/initrd/mnt/stick/.start2_$user.sh
+ chmod -c u+x,go-rwx $BASEDIR/initrd/mnt/stick/.start2_$user.sh
+ echo "$0: done"
+ # Prepare second partition which holds the secret key
+ echo "$0: Preparing 2nd part. on $DEVICE... "
+ USER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1`
+ USER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1`
+ losetup -o $START2 /dev/loop12 "$DEVICE"
+ echo $USER_PASS | losetup -p 0 -S $USER_SEED -C $ITER -e $CIPHER /dev/loop11 /dev/loop12
+ dd if=/dev/zero of=/dev/loop11 bs=1k count=1024 > /dev/null 2>&1
+ mkfs -t $FS_STICK -b 1024 /dev/loop11 || exit 1
+ mount /dev/loop11 $BASEDIR/secrets || exit 1
+ gpg --export-secret-keys -a "$user" > $BASEDIR/secrets/$user-secret.gpg
+ umount /dev/loop11
+ losetup -d /dev/loop11
+ losetup -d /dev/loop12
+ echo $USER_SEED > $BASEDIR/initrd/mnt/stick/.seed_$user
+ echo $USER_PASS > $BASEDIR/initrd/mnt/stick/.pass_$user
+ umount /dev/loop13
+ losetup -d /dev/loop13
+ echo "$0: done"
+ else
+ # SIZE_TARGET is small than SIZE_FREE!
+ echo "$0: Image is bigger than allocated space!"
+ exit 4
+ fi
+}
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Create initrd-image #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+. ./.settings.sh || exit 3
+
+if test -e $MULTI_KEY; then
+ echo "$0: Keyfile found."
+ else
+ echo "$0: Keyfile not found! Run gen.sh first."
+ exit 2
+fi
+
+if ! test -e $BOOT_MOUNT; then
+ echo "$0: Please run asset.sh first!"
+ exit 2
+fi
+
+echo "$0: Stage 1 - Unmounting old devices ..."
+umount $INITRD_LOOP
+losetup -d $INITRD_LOOP
+umount $BOOT_DEVICE
+mount $BOOT_DEVICE $BOOT_MOUNT
+echo "$0: Stage 2 - done."
+
+if ! test -e $BOOT_MOUNT/initrd && ! test -e $BOOT_MOUNT/initrd.gz; then
+ echo "$0: Stage 2 - Setting up initrd with e2fs ..."
+ head -c 8m /dev/zero > $BOOT_MOUNT/initrd
+ mke2fs -F -m0 -b 1024 -L "SLP 0.4a" $VERBOSE $BOOT_MOUNT/initrd
+ mkdir $VERBOSE $BASEDIR/initrd
+ CHK_LOOP="0"
+ echo "$0: Stage 2 - done."
+else
+ if test -e $BOOT_MOINT/initrd.gz; then
+ echo "$0: Stage 2 - Uncompressing initrd.gz ..."
+ gunzip $VERBOSE
+ echo "$0: Stage 2 - done."
+ else
+ echo "$0: Stage 2 - skipped (me2fs)."
+ fi
+fi
+
+echo "$0: Stage 3 - Setting up loop-device ..."
+losetup $INITRD_LOOP $BOOT_MOUNT/initrd
+echo "$0: Stage 3 - done."
+
+if test "$CHK_LOOP" == "1"; then
+ echo "$0: Stage 4 - Checking fs on initrd ..."
+ e2fsck -pv $INITRD_LOOP
+ echo "$0: Stage 4 - done"
+else
+ echo "$0: Stage 4 - skipped (e2fsck)."
+fi
+
+echo "$0: Stage 5 - Initializing initrd & copy process ..."
+mkdir $VERBOSE $BASEDIR/initrd
+mount $INITRD_LOOP $BASEDIR/initrd
+cp $VERBOSE $BASEDIR/.stick_seed $BASEDIR/initrd/.seed
+cd $BASEDIR/initrd
+echo "$0: Stage 5 - done."
+
+echo "$0: Stage 6 - Creating directories ..."
+mkdir $VERBOSE -p {bin,dev,lib,$MNT/{$KEYS_DIR,new-root,boot,stick,stick2},usr/{bin,sbin,lib},proc,sbin} || exit 2
+echo "$0: Stage 6 - done."
+
+echo "$0: Stage 7 - Copying device files ..."
+cp $VERBOSE $UPDATE -a /dev/{console,hd{a*,b*,c*,d*},tty,null,sda,urandom,md?} dev || exit 2
+echo "$0: Stage 7 - done."
+
+echo "$0: Stage 8 - Copying programs ..."
+cp $VERBOSE $UPDATE `which mount sh umount cat sleep sync dd uname grep sed mknod ln ls` /sbin/{modprobe*,depmod*} bin || exit 2
+cp $VERBOSE $UPDATE `which losetup pivot_root insmod insmod.modutils mkswap swapon swapoff mdadm mdrun fsck fsck.ext2 fsck.ext2 mdrun mdadmin` sbin || exit 2
+cp $VERBOSE $UPDATE `which chroot` usr/sbin || exit 2
+cp $VERBOSE $UPDATE `which test md5sum cut gpg tail uuencode` usr/bin || exit 2
+echo "$0: Stage 8 - done."
+
+echo "$0: Stage 9 - Copying libraries ..."
+cp $VERBOSE $UPDATE -a /lib/lib{usb-0.1.so.4*,readline.so.5*,bz2.so*,resolv*,uuid.so.1*,ncurses.so.2.5.4,ld-2.3.6.so,c-2.3.6.so,c.so.6,blkid.so.1*,selinux.so.1,sepol.so.1,m-2.3.2.so,m.so.6,rt*,ext2fs.so.2*,pthread*,acl.so.1*,attr.so.1*,se*} lib || exit 2
+cp $VERBOSE $UPDATE -a /usr/lib{libz.so*} usr/lib || exit 2
+cp $VERBOSE $UPDATE -a /lib/ lib/ || exit 2
+echo "$0: Stage 9 - done."
+
+# Copy our scripts
+echo "$0: Stage 10 - Copying SLP scripts and stick-secret.gpg ..."
+cp $VERBOSE $UPDATE $BASEDIR/setup/keys/stick-secret.gpg $BASEDIR/{source/{decrypt.sh,linuxrc,swap.sh},.local.sh} $BASEDIR/initrd || exit 2
+mkdir --parents --$VERBOSE $BASEDIR/initrd/lib/modules/$KERN_VER/ || exit 2
+cp $VERBOSE $UPDATE $BASEDIR/source/lib/modules/$KERN_VER/loop.* $BASEDIR/initrd/lib/modules/$KERN_VER/ || exit 2
+echo "$0: Stage 10 - done."
+
+# Prepare directories for gpg
+echo "$0: Stage 11 - Preparing .gnupg ..."
+mkdir --parents $VERBOSE $BASEDIR/initrd/root/.gnupg
+echo "$0: Stage 11 - done."
+
+# Create lots of loop-back devices (we need loop-aes compiled with "max_loop = 8" here!)
+echo "$0: Stage 12 - Creating loop-devices ..."
+for idx in `seq 0 16`; do
+ if ! test -e "dev/loop$idx"; then
+ mknod --mode=660 "dev/loop$idx" b 7 $idx
+ fi
+done
+echo "$0: Stage 12 - done."
+
+echo "$0: Stage 13 - Setting symbolic links ..."
+cd lib
+ln $VERBOSE -sf ld-2.3.6.so ld-linux.so.2 || exit 2
+ln $VERBOSE -sf libdl-2.3.6 libdl.so.2 || exit 2
+ln $VERBOSE -sf libncurses.so.2.5.4 libncurses.so.5 || exit 2
+cd ../sbin
+ln $VERBOSE -sf /linuxrc init
+cd ../root
+# To prevent filling up the initrd while development
+ln $VERBOSE -sf /dev/null .bash_history || exit 2
+cd ../bin
+ln $VERBOSE -sf sh bash || exit 2
+cd ..
+echo "$0: Stage 13 - done."
+
+if test -e "/boot/vmlinuz-$KERN_VER"; then
+ if test -e "/boot/System.map-$KERN_VER"; then
+ echo "$0: Stage 14 - Copying kernel/System.map ..."
+ KERN_FOUND="1"
+ cp $VERBOSE $UPDATE "/boot/vmlinuz-$KERN_VER" "/boot/System.map-$KERN_VER" $BOOT_MOUNT/ || exit 2
+ echo "$0: Stage 14 - done."
+ else
+ echo "$0: Stage 14 - No System.map found for version $KERN_VER."
+ fi
+else
+ echo "$0: Stage 14 -No kernel found for version $KERN_VER."
+fi
+
+if test "$KERN_FOUND" == "0"; then
+ if test -e "/usr/src/linux-$KERN_VER"; then
+ cd "/usr/src/linux-$KERN_VER"
+ make menuconfig
+ if test -e .config; then
+ # Build kernel and modules and install them
+ make dep bzImage modules modules_install || exit 1
+ # Copy kernel/System.map to initrd
+ echo "$0: Stage 14 - Copying compiled kernel/System.amp ..."
+ cp $VERBOSE System.map $BOOT_MOUNT/System.map-$KERN_VER || exit 2
+ cp $VERBOSE arch/i386/boot/bzImage $BOOT_MOUNT/vmlinuz-$KERN_VER || exit 2
+ echo "$0: Stage 14 - done."
+ else
+ echo "FAILED: Compilation of kernel v$KERN_VER"
+ exit 2
+ fi
+ else
+ echo "FAILED: Cannot find build-directory /usr/src/linux-$KERN_VER!"
+ exit 2
+ fi
+fi
+
+# Copy RAID modules to initrd
+echo "$0: Stage 15 - Copying kernel modules ..."
+cp $VERBOSE --parents /lib/modules/$KERN_VER/kernel/drivers/md/{raid5,xor,md}.* $BASEDIR/initrd/ || exit 2
+if test -e "/usr/src/modules/loop-aes/"; then
+ # Install loop-aes module
+ cd /usr/src/modules/loop-aes/
+ # Build loop-aes and install it
+ make clean all install || exit 1
+ # Generate path on initrd
+ mkdir $VERBOSE $BASEDIR/initrd/lib/modules/$KERN_BER/{kernel/block,block} || exit 2
+ if test -e "loop.ko"; then
+ # Kernel version >= 2.6.*
+ cp loop.ko $BASEDIR/initrd/lib/modules/$KERN_BER/block/ || exit 2
+ else
+ # Kernel version <= 2.4.*
+ cp loop.o $BASEDIR/initrd/lib/modules/$KERN_BER/block/ || exit 2
+ fi
+else
+ # Copy legacy loop.o
+ cp $VERBOSE --parents /lib/modules/$KERN_VER/kernel/driversblock/loop.o $BASEDIR/initrd || exit 2
+fi
+cd $BASEDIR
+echo "$0: Stage 15 - done."
+
+if test "$UMOUNT_INITRD" == "1"; then
+ echo "$0: Removing initrd and loop ..."
+ cd ..
+ umount $INITRD_LOOP
+ losetup -d $INITRD_LOOP
+fi
+
+echo
+echo "All done now."
+echo
+echo "You may want to execute cpio.sh to copy all your data to the encrypted"
+echo "disk in $BASEDIR/root."
--- /dev/null
+lba32
+boot=/dev/hda
+root=/dev/ram0
+map=/boot/map
+delay=200
+timeout=100
+prompt
+vga=extended
+menu-title=" Quix0r's Computer "
+
+default=Linux
+
+image=/boot/vmlinuz-2.4.32
+ label=Linux
+ initrd=/boot/initrd.gz
+ append="root=/dev/ram0 init=/linuxrc rw ramdisk_size=5120"
--- /dev/null
+lba32
+# Change this matching to your $ASSET_DEVICE!
+# And run lilo -v -C lilo.sample to setup your loader
+boot=/dev/hda
+root=/dev/ram0
+map=/boot/map
+delay=200
+timeout=100
+prompt
+vga=extended
+
+default=Linux
+
+image=/boot/vmlinuz-2.6.13.2
+ label=Linux
+ initrd=/boot/initrd.gz
+ append="root=/dev/ram0 init=/linuxrc rw"
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: See below #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+# The purpose of this script is to search for lost/deleted scripts (plain text)
+# or which you have maybe overwritten by "echo foo>bar" and bar was a very
+# important 12600 Bytes long script for you.
+
+#### Configuration ######
+
+# The MEDIUM holding the filesystem where you have deleted/overwritten the
+# script. This can also be a partition! E.g. /dev/hda
+MEDIUM=""
+
+# Search string you are looking for. This shall be a string within middle of
+# The lost file. It shall be unique so you have beeter search results in first
+# run.
+SEARCH=""
+
+# Skipped bytes by dd command
+# Enter the value which you get from grep command -2048 here and run this
+# script again.
+SKIP=""
+
+# Size in bytes; no exact value here. Give +4096 more for looking around target
+# area)
+SIZE=""
+
+# The target file we shall write the found data. This *shall better* be
+# an other drive/partition than MEDIUM. Or else maybe some data could be
+# overwritten by this command which you also want to restore!
+TARGET=""
+# Do *always* enter a filename here (like /var/test.sh; where /var/ is mounted
+# on other partition as MEDIUM
+
+# Self-test, you need "grep" and "dd" for this script!
+DD=`which dd`
+GREP=`which grep`
+if test "$DD" == "" || test "$GREP" == ""; then
+ echo "$0: Self-test failed! Cannot find dd or grep!"
+ echo
+ echo "DD = $DD"
+ echo "GREP = $GREP"
+else
+ echo "$0: Self-test passed."
+fi
+
+if test "$SKIP" != "" && test "$SIZE" != ""; then
+ # Output data to TARGET
+ echo -n "$0: Writing $SIZE Bytes to $TARGET... "
+ dd if=$MEDIUM skip=$SKIP bs=1 count=$SIZE > $TARGET
+ echo "done"
+ # Hint: You may have to experiment a little with SIZE and SKIP until
+ # you find your lost file. But -2048 for SKIP and +4096 for SIZE might
+ # be a good starting point.
+elif test "$SEARCH" != "" && test "$MEDIUM" != ""; then
+ # Search on MEDIUM for SEARCH. This may take long!
+ echo "$0: Searching for $SEARCH ... This may take loooong . . ."
+ grep --text -b $SEARCH $MEDIUM
+else
+ # Please setup me!
+ echo "$0: You have to setup this script ($0) first!"
+fi
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Setups software RAID. UNFINISHED! #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+. ./.settings.sh || exit 3
+
+exit 255
+
+mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/hd["bcd"]1
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Determines sizes of single files #
+# or of a whole bunch of files in a #
+# directory #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+if test "$1" == ""; then
+ echo "$0: No directory provided for scanning!"
+ exit 6
+fi
+
+cd /
+DIR="$1"
+# use only first entry
+DIR=`echo $DIR | cut -f 1 -d " "`
+echo -n "$0: Reading sizes in /$DIR ... "
+SIZES=`find $DIR -exec stat --format="%s" {} \;`
+echo "done"
+TOTAL=0
+
+echo -n "$0: Calculating... "
+for si in $SIZES; do
+ TOTAL="$(($TOTAL + $si))"
+done
+export TOTAL
+echo "done"
+echo
+echo "Total size: $(($TOTAL/1024/1024/1024)) GByte"
--- /dev/null
+Welcome to the Secure Linux Project v0.3a!
+
+This is a Debian Linux 3.1 system.
+
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Decryption of the root system #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+halt_script()
+{
+ umount $MOUNT/home
+ umount $MOUNT
+ umount $KEYS > /dev/null 2>&1
+ losetup -d /dev/loop2 > /dev/null 2>&1
+ losetup -d /dev/loop9 > /dev/null 2>&1
+ losetup -d /dev/loop8 > /dev/null 2>&1
+ losetup -d $STICK_LOOP > /dev/null 2>&1
+ losetup -d /dev/loop7 > /dev/null 2>&1
+ # Add more todo here!
+ exit 1
+}
+
+if ! test -e /proc/version; then
+ # Mount missing /proc
+ mount /proc
+fi
+
+if test -e .local.sh; then
+ . ./.local.sh
+ if test "$STICK_START" == "xxx"; then
+ echo "$0: Cannot continue!"
+ echo "Please run stick.sh first to setup your USB sticks."
+ exit 3
+ fi
+ else
+ echo "$0: Settings file .local.sh not found."
+ echo "Please start the setup process with gen.sh!"
+ exit 3
+fi
+
+# Check given gpgkey
+if test -e "$STICK_KEY"; then
+ MD5=`md5sum -b $STICK_KEY | cut -c -32`
+ if test "$MD5" != "$STICK_MD5"; then
+ echo "$0: Cannot verify stick key $STICK_KEY!"
+ exit 4
+ fi
+ else
+ echo "$0: Cannot find stick-key $STICK_KEY!"
+ exit 5
+fi
+
+# Ask for username and passphrase to search on the USB stick for the matching
+# and unlock it with the passphrase. But we do this step-by-step. So first
+# ask for username
+losetup -o $STICK_START /dev/loop8 $STICK_DEVICE || halt_script
+
+# Remove debug file
+rm -f /mounts.lst > /dev/null 2>&1
+
+for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++)) do
+ echo -n "Enter password: "
+ read -s passw
+ if test "$passw" != ""; then
+ # Check partition
+ fsck -t $STICK_TYPE -p -v $BOOT_DEVICE
+
+ # Mount the boot-partition temporary
+ mount -t $STICK_TYPE $BOOT_DEVICE /mnt/boot
+
+ # Decrypt the master image which holds the secret keys
+ MASTER_SEED=`cat /.seed_master`
+ MASTER_PASS=`cat /.pass_master`
+ echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 /mnt/boot/master.img || halt_script
+ # "Source" the user's special script which holds the start position
+ source /mnt/boot/.start2_$1.sh
+ # Mount the master image read/write to update the seed
+ mount -t $STICK_TYPE -o ro /dev/loop13 /mnt/stick
+ # Decrypt the 2nd partition for importing temporarily the user's key
+ USER_SEED=`cat /mnt/stick/.seed_$1`
+ USER_PASS=`cat /mnt/stick/.pass_$1`
+ losetup -o $START2 /dev/loop12 "$STICK_DEVICE"
+ echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12
+ mount -t $STICK_TYPE -o ro /dev/loop11 /mnt/stick2 || halt_script
+ # Import the secret key
+ gpg --import < /mnt/stick2/$1-secret.gpg > /dev/null 2>&1
+ # Umount and rehash USER_SEED/USER_PASS
+ umount /mnt/stick2 > /dev/null 2>&1
+ losetup -d /dev/loop11 > /dev/null 2>&1
+ USER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1`
+ USER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1`
+ echo $USER_SEED > /mnt/stick/.seed_$1
+ echo $USER_PASS > /mnt/stick/.pass_$1
+ echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12
+ mkfs -t $STICK_TYPE -b 1024 /dev/loop11
+ mount -t $STICK_TYPE /dev/loop11 /mnt/stick2
+ gpg --export-secret-keys -a "$1" > /mnt/stick2/$1-secret.gpg
+ umount /mnt/stick2
+ losetup -d /dev/loop11
+
+ # Remove last loop-devices
+ losetup -d /dev/loop12 > /dev/null 2>&1
+ umount /mnt/stick > /dev/null 2>&1
+ losetup -d /dev/loop13 > /dev/null 2>&1
+ umount /mnt/boot > /dev/null 2>&1
+
+ # Decrypt the stick now to access the key for decrypting the asset
+ echo $passw | losetup -e $CIPHER -K $STICK_KEY -p 0 -G /root/.gnupg /dev/loop2 /dev/loop8
+ STATUS="$?"
+ if test "$STATUS" == "0"; then
+ # mount >> /mounts.lst
+ STICK_WARNING=false
+ fsck -t $STICK_TYPE -p -v /dev/loop2 > /stick.msg 2>&1
+ STATUS="$?"
+ if test "$STATUS" != "0"; then
+ # Hold a warning message
+ STICK_WARING=true
+ fi
+ mount -t $STICK_TYPE /dev/loop2 $KEYS > /dev/null 2>&1
+ if test "$?" == "0"; then
+ # Check if key exists
+ FAILED="1"
+ if test -e "$KEYS/$1-secret.gpg"; then
+ MD5=`md5sum -b $KEYS/$1-secret.gpg | cut -c -32`
+ for m5 in $MD5SUMS; do
+ if test "$m5" == "$MD5"; then
+ # It does exist so stop searching for it
+ echo "Accepted."
+ FAILED="0"
+ break
+ fi
+ done
+
+ if test "$FAILED" == "1"; then
+ # MD5 sums differ
+ echo "failed!"
+ echo
+ echo "$0: Sorry, cannot verify keyfile! Fatal error."
+ halt_script
+ fi
+ else
+ # Keyfile not found! :-(
+ echo "failed!"
+ echo
+ echo "$0: Sorry, invalid user $1!"
+ USER=""
+ fi
+ else
+ echo "failed!"
+ halt_script
+ fi
+ if ! test STICK_WARNING; then
+ echo "$0: WARNING: The stick-fs was bad or not unmounted before! ($STATUS)"
+ cat /stick.msg
+ echo "Press RETURN to continue or CTRL-C to enter rescue console..."
+ read -s dummy || halt_script
+ fi
+ rm -f /stick.msg > /dev/null 2>&1
+ else
+ echo "Wrong password! (Attempts left: $((3 - $TRY)))"
+ fi
+ else
+ echo "No password given!"
+ TRY=$(($TRY-1))
+ fi
+done
+
+if [ $FAILED -ne 0 ]; then
+ echo "$0: Sorry, you get only three attempts to guess the password."
+ halt_script
+fi
+
+if test "$FAILED" == "0"; then
+ # The key seems to be not changed so let's decrypt the asset
+ echo "$0: Stage 1 - Decrypting asset..."
+ echo $passw | losetup -e $CIPHER -p 0 -K "$KEYS/$1-secret.gpg" -G /root/.gnupg /dev/loop7 $ASSET || halt_script > /dev/null 2>&1
+ echo "$0: Stage 1 - done."
+
+ # Prepare all loop devices
+ umount $MOUNT
+ losetup -d /dev/loop10 > /dev/null 2>&1
+ losetup -d /dev/loop3 > /dev/null 2>&1
+ losetup -d /dev/loop4 > /dev/null 2>&1
+
+ # Setup the root and data "partition"
+ echo "$0: Stage 2 - Faking partitions (root=8,base-swap=3,base=7) ..."
+ losetup -o $ROOT_OFFSET /dev/loop10 /dev/loop7 || halt_script
+ losetup -o $SWAP_OFFSET /dev/loop3 /dev/loop7 || halt_script
+ echo "$0: Stage 2 - done."
+
+ # Mount devices
+ # mount >> /mounts.lst
+ echo "$0: Stage 3 - Checking root-fs (this could take loooong)..."
+ fsck -t $ROOT_TYPE -p -v /dev/loop10 > /fsck.log 2>&1
+ if test "$?" != "0"; then
+ cat /fsck.log
+ echo "Press RETURN to continue or CTRL+C to enter rescue console..."
+ read -s dummy || /bin/sh
+ fi
+ rm -f /fsck.log > /dev/null 2>&1
+ echo "$0: Stage 3 - done."
+
+ echo "$0: Stage 4 - Mounting root-fs ..."
+ mount /dev/loop10 $MOUNT > /dev/null 2>&1
+ echo "$0: Stage 4 - done."
+
+ echo "$0: Stage 5 - Preparing DATA filesystem ..."
+ if test -e "/.raid_cfg.sh"; then
+ # Run RAID setup script (no "exit" command there!)
+ source raid.sh $1 $passw
+ # Something which you can use but not /home!
+ losetup -o $DATA_OFFSET /dev/loop5 /dev/loop7 > /dev/null 2>&1
+ else
+ # /home without RAID
+ losetup -o $DATA_OFFSET /dev/loop9 /dev/loop7 > /dev/null 2>&1
+ fi
+ echo "$0: Stage 5 - done."
+
+ # Remove the key with loop device
+ echo "$0: Stage 6 - Removing USB stick ..."
+ umount $KEYS
+ losetup -d /dev/loop2
+ losetup -d /dev/loop8
+ echo "$0: Stage 6 - done."
+
+ # Mount DATA (mostly /home)
+ # mount >> /mounts.lst
+ echo "$0: Stage 7 - Checking filesystem on DATA ..."
+ fsck -t $DATA_TYPE -p -v /dev/loop9 > /dev/null 2>&1
+ echo "$0: Stage 7 - done."
+
+ echo "$0: Stage 8 - Mounting filesystem on DATA ..."
+ mount -t $DATA_TYPE /dev/loop9 $MOUNT/home/ > /dev/null 2>&1
+ echo "$0: Stage 8 - done."
+
+ # Run swap.sh (DO NOT USE exit THERE!)
+ echo "$0: Stage 9 - Activating swap space ..."
+ source swap.sh $1
+ echo "$0: Stage 9 - done."
+else
+ halt_script
+fi
--- /dev/null
+proc /proc proc defaults 0 0
+pts /dev/pts devpts mode=662 0 0
+usbdev /proc/bus/usb usbdevfs defaults 0 0
+
+/dev/loop1 / ext3 defaults 0 0
+/dev/loop2 /home ext3 defaults 0 0
+/dev/hda1 /boot ext2 defaults 0 1
+
+/dev/loop4 none swap sw 0 0
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Activate randomizly created swap #
+# device #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+#
+# NOTE: THE REAL AUTHOR OF THIS SCRIPT IS SOMEONE ELSE!
+#
+# If you are the one then please feel free to contact me and I will
+# add your name+email in the copyright note above
+#
+# Run this script somewhere in your startup scripts _after_ random
+# number generator has been initialized and /usr has been mounted.
+# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)
+#
+# Highly extended and prepared for SYSVINIT scripts by Roland Haeder
+# <webmaster@mxchange.org>
+
+function no_swap()
+{
+ echo "$0: No .local.sh detected. Please start setting up your encrypted"
+ echo "$0: system with gen.sh."
+}
+
+[ -c /dev/urandom ] || exit 0
+. /lib/init/vars.sh
+. /lib/lsb/init-functions
+. /.local.sh || no_swap
+
+# encrypted swap partition
+SWAPDEVICE="/dev/hdc2"
+
+# loop device name
+LOOPDEV="/dev/loop8"
+
+# Blocksize for filling devices with zeros
+ZERO_BSIZE="4k"
+
+# Number of above blocks for the zeros
+ZERO_COUNT=3`echo $RANDOM | cut -c -2`
+
+# Special options of above stuff
+ZERO_OPTS="conv=notrunc"
+
+# Length of the salt for password
+SALT_LEN="18"
+
+case "$1" in
+ start)
+ [ "$VERBOSE" = no ] || log_action_begin_msg "Initializing encrypted swap partition $SWAPDEVICE ..."
+ MD=`dd if=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT 2>/dev/null | md5sum | cut -c-32`
+ for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
+ dd if=/dev/zero of=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null
+ sync
+ done
+ UR=`dd if=/dev/urandom bs=$SALT_LEN count=1 2>/dev/null | uuencode -m - | head -n 2 | tail -n 1`
+ echo ${MD}${UR} | losetup -p 0 -C $ITER -e $CIPHER ${LOOPDEV} ${SWAPDEVICE}
+ MD=
+ UR=
+ dd if=/dev/zero of=${LOOPDEV} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null
+ [ "$VERBOSE" = no ] || log_action_end_msg 0
+ sync
+ mkswap ${LOOPDEV}
+ sync
+ swapon ${LOOPDEV}
+ ;;
+
+ stop)
+ # Remove all swap spaces and our loop device
+ [ "$VERBOSE" = no ] || log_action_begin_msg "Removing encrypted swapspace ..."
+ swapoff $LOOPDEV
+ losetup -d $LOOPDEV >/dev/null 2>&1
+ [ "$VERBOSE" = no ] || log_action_end_msg 0
+ ;;
+
+ restart|reload|force-reload)
+ $0 stop
+ $0 start
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|reload|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+# /proc einbinden
+mount /proc
+
+# insmod all modules
+/sbin/modprobe -akv loop > /dev/null 2>&1
+/sbin/modprobe -akv md > /dev/null 2>&1
+/sbin/modprobe -akv xor > /dev/null 2>&1
+/sbin/modprobe -akv raid5 > /dev/null 2>&1
+/sbin/modprobe -akv unix > /dev/null 2>&1
+
+# Sleep a little to wait for all output
+/bin/sleep 3
+
+# Output welcome message
+cat /.welcome.msg
+
+# Ask for username
+USER=""
+while test "$USER" == ""; do
+ echo "Please supply a username to continue:"
+ read USER
+ if test "$USER" != ""; then
+ source decrypt.sh $USER
+ fi
+done
+
+# Remove /proc
+umount /proc
+
+# Pivot to the asset's root file system
+echo "$0: Final stage - Booting original Linux system ..."
+cd $MOUNT
+/sbin/pivot_root . initrd
+
+# Pass control to init
+shift 1
+exec chroot . /sbin/init $* <dev/console >dev/console 2>&1
--- /dev/null
+#!/bin/sh
+
+source /.local.sh
+source /.raid_cfg.sh
+
+/sbin/mdrun
+if test "$?" == "0"; then
+ echo "$0: Decrypting RAID array..."
+ echo "$2" | losetup -e $CIPHER -p 0 -K "$KEYS/$1-secret.gpg" -G /root/.gnupg /dev/loop9 $RAID_DEV
+ echo "$0: done ($?)"
+fi
--- /dev/null
+#!/bin/sh
+
+source /.local.sh
+source /.raid_cfg.sh
+
+umount $MOUNT/home
+mdadm --manage $RAID_DEV --stop
+umount $MOUNT
+umount $KEYS
+losetup -d /dev/loop10
+losetup -d /dev/loop9
+losetup -d /dev/loop2
+losetup -d /dev/loop8
+losetup -d /dev/loop5
+swapoff -av
+losetup -d /dev/loop4
+losetup -d /dev/loop3
+losetup -d /dev/loop7
+umount /proc
--- /dev/null
+#!/bin/sh
+
+source /.local.sh
+
+ZEROS="$SWAP_SIZE"
+SWAP_SIZE="$(($SWAP_SIZE*1024))"
+VERIFY="$(($SWAP_OFFSET+$SWAP_SIZE))"
+VERIFY="$(($ROOT_OFFSET-$VERIFY))"
+
+if test "$VERIFY" != "12288"; then
+ echo "$0: Failed verification: $VERIFY!=12288. No swap space available!"
+else
+ # encrypted swap partition
+ SWAPDEVICE="/dev/loop3"
+
+ # loop device name
+ LOOPDEV="/dev/loop4"
+
+ # Blocksize for filling devices with zeros
+ ZERO_BSIZE="4k"
+
+ # Number of above blocks for the zeros
+ ZERO_COUNT=3`echo $RANDOM | cut -c -2`
+
+ # Special options of above stuff
+ ZERO_OPTS="conv=notrunc"
+
+ # Length of the salt for password
+ SALT_LEN="18"
+
+ echo "$0: Initializing encrypted swap partition $SWAPDEVICE ..."
+ MD=`dd if=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT 2>/dev/null | md5sum | cut -c-32`
+ for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
+ dd if=/dev/zero of=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null
+ sync
+ done
+ UR=`dd if=/dev/urandom bs=$SALT_LEN count=1 2>/dev/null | uuencode -m - | head -n 2 | tail -n 1` 2>/dev/null
+ echo "$0: Preparing ${LOOPDEV}..."
+ echo ${MD}${UR} | losetup -p 0 -C $ITER -e $CIPHER ${LOOPDEV} ${SWAPDEVICE}
+ MD=
+ UR=
+ dd if=/dev/zero of=${LOOPDEV} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null
+ sync
+ echo "$0: Creating swap space ..."
+ mkswap -fc ${LOOPDEV} $SWAP_SIZE || exit 1
+ sync
+ echo "$0: Activating swap space ..."
+ swapon ${LOOPDEV} || exit 1
+fi
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Creates the USB sticks and makes #
+# *binary* backups of your old once #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+. ./.settings.sh || exit 3
+
+if test -b $STICK_DEVICE; then
+ # Stick is a real device
+ echo "WARNING! REAL DEVICE $STICK_DEVICE ENTERED! PLEASE MAKE BACKUP BEFORE CONTINUE!"
+ echo "Please insert first stick now ($MASTER_USER) before continue."
+ echo
+ echo "Press RETURN to continue or CTRL+C to abort here."
+ read dummy
+ DEVICE="$STICK_DEVICE"
+ echo -n "$0: Preparing backups... "
+ BACKUP="$BASEDIR/backups/"
+ mkdir $BACKUP > /dev/null 2>&1
+ for user in $USERS; do
+ mkdir $BACKUP/$user > /dev/null 2>&1
+ done
+ echo "done"
+ else
+ # Stick is an image
+ DEVICE=/dev/loop5
+ losetup -d /dev/loop6 > /dev/null 2>&1
+ losetup -d $DEVICE > /dev/null 2>&1
+ if test -e $STICK_DEVICE; then
+ # Use existing image
+ echo "$0: Using image $STICK_DEVICE."
+ losetup $DEVICE $STICK_DEVICE
+ else
+ if test $STICK_SIZE -gt 0; then
+ # Create image
+ echo "$0: Creating testing image $STICK_DEVICE."
+ dd if=/dev/zero of=$STICK_DEVICE bs=1k count=$STICK_SIZE
+ losetup $DEVICE $STICK_DEVICE
+ else
+ # Invalid size / cannot detect!
+ echo "$0: Please provide a size for image $STICK_DEVICE!"
+ exit 3
+ fi
+ fi
+fi
+
+# Clean an existing .md5sums file
+if test ! -e "$BASEDIR/initrd/.md5sums"; then
+ echo -n "" > $BASEDIR/initrd/.md5sums
+else
+ mv $BASEDIR/initrd/.md5sums $BASEDIR/.md5sums
+fi
+
+if test -b $STICK_DEVICE; then
+ if test ! -e "$BASEDIR/.backuped"; then
+ # Now let's setup all sticks
+ echo "$0: Will now do a binary backup of your sticks."
+ for user in $USERS; do
+ rmmod usb-storage > /dev/null 2>&1
+ echo "Please insert USB stick for $user and press RETURN to continue."
+ read dummy
+ insmod -kv $USB_STORAGE delay_use=0 > /dev/null 2>&1
+ sleep 1
+ for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 15); TRY++)) do
+ # Auto-detect size here
+ SSIZE=`fdisk -s $DEVICE`
+ # DEBUG: echo "Code=$? (Size=$(($SSIZE/1024)) MB)"
+ if test "$?" == "0"; then
+ FAILED=0
+ fi
+ sleep 1
+ done
+ if test "$FAILED" == "0"; then
+ echo -n "$0: Binary backup of $DEVICE for $user... "
+ dd if=$DEVICE of=$BACKUP/$user/stick.img bs=1k count=$SSIZE $CONVERT > /dev/null 2>&1
+ CODE="$?"
+ if test "$CODE" == "0"; then
+ echo "done"
+ echo -n "$0: Compressing... "
+ bzip2 -9f $BACKUP/$user/stick.img >/dev/null 2>&1
+ echo "done"
+ else
+ echo "failed. (Code=$CODE)"
+ exit 6
+ fi
+ else
+ echo "$0: Too many attemnts to read from $DEVICE!"
+ exit 5
+ fi
+ done
+ echo "$0: Binary backup complete."
+ echo -n "" > "$BASEDIR/.backuped"
+ fi
+
+ echo "$0: Running make_part() on all sticks now."
+ for user in $USERS; do
+ if test ! -e "$BASEDIR/.stick_$user"; then
+ # Create filename for the image
+ FILE="$BASEDIR/setup/images/key-$user.img"
+
+ rmmod usb-storage > /dev/null 2>&1
+ echo "Please insert USB stick for $user and press RETURN to continue."
+ echo
+ echo "WARNING! You will loose data after this point!"
+ read dummy
+ insmod $USB_STORAGE delay_use=0 > /dev/null 2>&1
+ for ((FAILED=1, TRY=1; ($FAILED != 0) && ($TRY <= 15); TRY++)) do
+ # Auto-detect size here
+ #echo "$0: Scanning..."
+ SSIZE=`fdisk -s $DEVICE`
+ CODE="$?"
+ #echo "$0: Code=$CODE"
+ if test "$CODE" == "0"; then
+ FAILED=0
+ break
+ fi
+ #echo "$0: Sleeping..."
+ sleep 1
+ done
+
+ if test "$FAILED" == "0"; then
+ echo "$0: Slept $TRY seconds."
+ # Total size for the parted command (again)
+ SIZE="$(($SSIZE/1024))"
+ SIZE_TARGET=`stat --format="%s" $FILE`
+
+ # Continue with creating new partitions...
+ echo "$0: Creating partition on $DEVICE..."
+ make_part
+ analyse_stick
+
+ # Write image
+ write_image
+ else
+ echo "$0: Too many attemnts to read from $DEVICE!"
+ exit 5
+ fi
+ echo -n "" > "$BASEDIR/.stick_$user"
+ else
+ echo "$0: Skipping stick for $user."
+ fi
+ done
+
+ # Do we need to update STICK_START?
+ if test "$STICK_START" == "xxx"; then
+ echo "$0: Fatal error. Please remove one of the .stick_user files to setup STICK_START!"
+ exit 2
+ fi
+ else
+ # Total size for the parted command
+ SIZE="$(($SSIZE/1024))"
+
+ # For testing purposes only first user
+ echo "$0: Using $MASTER_USER for testing."
+
+ # Create "partitions" on the image
+ make_part
+
+ # Analyse the stick
+ analyse_stick
+
+ # Set user for the first user
+ user="$MASTER_USER"
+
+ # Create filename for the image
+ FILE="$BASEDIR/setup/images/key-$user.img"
+
+ # Use MASTER_USER for testing purposes
+ echo "$0: Using image $FILE."
+ SIZE_TARGET=`stat --format="%s" $FILE`
+
+ # Write image now
+ write_image
+fi
+
+if test -e "$BASEDIR/.md5sums"; then
+ cat $BASEDIR/.md5sums $BASEDIR/initrd/.md5sums >> $BASEDIR/.dummy
+ rm $VERBOSE $BASEDIR/.md5sums
+ mv $VERBOSE $BASEDIR/.dummy $BASEDIR/initrd/.md5sums
+fi
+
+# Creating image/stick now completed
+echo
+echo "$0: All done now."
+echo
+echo "Now it's time for executing finish.sh to finish setup."
--- /dev/null
+#!/bin/sh
+
+source /.local.sh
+
+ZEROS="$SWAP_SIZE"
+SWAP_SIZE="$(($SWAP_SIZE*1024))"
+VERIFY="$(($SWAP_OFFSET+$SWAP_SIZE))"
+VERIFY="$(($ROOT_OFFSET-$VERIFY))"
+
+if test "$VERIFY" != "12288"; then
+ echo "$0: Failed verification: $VERIFY!=12288. No swap space available!"
+else
+ # encrypted swap partition
+ SWAPDEVICE="/dev/loop3"
+
+ # loop device name
+ LOOPDEV="/dev/loop4"
+
+ # Blocksize for filling devices with zeros
+ ZERO_BSIZE="4k"
+
+ # Number of above blocks for the zeros
+ ZERO_COUNT=3`echo $RANDOM | cut -c -2`
+
+ # Special options of above stuff
+ ZERO_OPTS="conv=notrunc"
+
+ # Length of the salt for password
+ SALT_LEN="18"
+
+ echo "$0: Initializing encrypted swap partition $SWAPDEVICE ..."
+ MD=`dd if=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT 2>/dev/null | md5sum | cut -c-32`
+ for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
+ dd if=/dev/zero of=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null
+ sync
+ done
+ UR=`dd if=/dev/urandom bs=$SALT_LEN count=1 2>/dev/null | uuencode -m - | head -n 2 | tail -n 1` 2>/dev/null
+ echo "$0: Preparing ${LOOPDEV}..."
+ echo ${MD}${UR} | losetup -p 0 -C $ITER -e $CIPHER ${LOOPDEV} ${SWAPDEVICE}
+ MD=
+ UR=
+ dd if=/dev/zero of=${LOOPDEV} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null
+ sync
+ echo "$0: Creating swap space ..."
+ mkswap -fc ${LOOPDEV} $SWAP_SIZE || exit 1
+ sync
+ echo "$0: Activating swap space ..."
+ swapon ${LOOPDEV} || exit 1
+fi
--- /dev/null
+#!/bin/sh
+##############################################
+# Script for Secure Linux Project #
+# Copyright(c) 2005, 2006 by Roland Haeder #
+##############################################
+# Purpose: Main configuration file #
+##############################################
+# This software is licensed under the GNU #
+# General Public License Version 2 or either #
+# and comes with ABSOLUTELY NO WARRANTY #
+# neither implied nor explicit. #
+##############################################
+
+######## Begin general stuff ########
+# 1=Setup mode. If you turn this off, a username will be requested
+INSTALL="1"
+# Option for cp/mkdir/rm-commands for verbose output
+VERBOSE="-v"
+# Update switch for cp-command. You can remove this for always copy.
+UPDATE="-u"
+# Options for the dd-cmmand (CARE!)
+CONVERT=""
+# Use strict OpenPGP behavior for gpg commands
+OPENPGP="--openpgp"
+# Length of both seeds (15-25 shall be fine)
+SEED_LEN="15"
+# 1=Forces cpio.sh to copy all given files/directories without checking sizes
+FORCE_CPIO="1"
+# Which program shall I take? awk or gawk (last prefered!)
+AWK=`which gawk | tail -n 1`
+# Does the test go right?
+if test "$AWK" == ""; then
+ echo "$0: Failed! The program gawk was found! We need this program"
+ echo "$0: to calculate with decimal-dotted values in functions.sh!"
+ exit 255
+fi
+######## End general stuff ########
+
+########## Begin gen.sh ##########
+BASEDIR="/encrypt"
+# For now on this will be setup automatically
+ASSET=""
+# For testing purposes use an image like this
+#ASSET_DEVICE="$BASEDIR/setup/images/asset.img"
+# For productive purposes use a "real" device here
+ASSET_DEVICE="/dev/hdc"
+# For productive purposes use a "real" partition here:
+CIPHER="AES256"
+KEYS="$BASEDIR/keys"
+LOOP_ASSET="/dev/loop1"
+LOOP_TEST="/dev/loop2"
+# *Exactly* the same name(s) as you entered while gpg --gen-key for comment
+USERS="quix0r angei junior"
+# The master-key for creating the encrypted filesystem
+MASTER="$BASEDIR/setup/keys/masterkey-secret.gpg"
+# Additional keys (e.g. for your laptop) The path "BASEDIR/setup/keys" will be added!
+EXTRA_KEYS="laptop-secret.gpg videos-secret.gpg home-secret.gpg"
+# * 1kByte! No value means scrambling is disabled. A zero (0) together with
+# Real device (/dev/hda; /dev/drbd0; etc.) means use shred
+#COUNT="$((200*1024))"
+COUNT="0"
+RAND="/dev/urandom"
+# Use openssl or dd for scrambling disc/image? (dd=0, openssl=1)
+OPENSSL="1"
+# The multi-key for encrypting disc/image
+MULTI_KEY="$BASEDIR/setup/keys/userkey-secret.gpg"
+# The multi-key for encrypting disc/image
+STICK_KEY="$BASEDIR/setup/keys/stick-secret.gpg"
+MULTI_KEY_SUFFIX="secret.gpg"
+# The first user is the "master" of this system
+MASTER_USER=`echo $USERS | awk '{print $1}'`
+# 1= Zero LOOP_ASSET after setting up. This will be done in gen.sh
+ZERO_ASSET="1"
+
+########## End gen.sh ############
+
+########## Begin initrd.sh ##########
+BOOT_MOUNT="$BASEDIR/root/boot"
+if test "$UMOUNT_INITRD" == ""; then
+ # Shall I umount the initrd after creation?
+ UMOUNT_INITRD="0"
+fi
+KERN_VER="2.6.8-2-386"
+KERN_FOUND="0" # Never set it to 1 here!
+INITRD_LOOP="/dev/loop5"
+# Check filesystem? (will be overriden after initial creation)
+CHK_LOOP="1"
+# Relative directory for mouting stick et cetera (to /)
+MNT="mnt"
+# Relative directory for storing key file(s) and seed (to /MNT)
+KEYS_DIR="keys"
+########## End initrd.sh ##########
+
+########## Begin asses.sh ###########
+ROOM_PART="12288" # "Zero'ed" room between partitions
+
+# Filesystems
+FS_BOOT="ext2"
+FS_ROOT="ext3"
+FS_DATA="ext3"
+FS_STICK="ext2"
+
+# Special mount points (e.g. for "data partition")
+MP_DATA="$BASEDIR/root/home"
+
+# Sizes for misc things (I have used a 200 GB HDD)
+SIZE_BLOCK="4096" # Size of a block in filesystem
+# Size of encrypted swap partition
+# GB MB KB
+SIZE_SWAP="$(( 2*1024*1024))" # = 2 GB
+#SIZE_SWAP="$(( 20*1024))" # = 20 MB
+# Size of unencrypted boot partition (for kernel-image, Sytem.map and initrd)
+SIZE_BOOT="$(( 8*1024))" # = 8 MB
+# Size of encrypted root (/) partition
+# GB MB KB
+SIZE_ROOT="$((170*1024*1024))" # = 170 GB
+#SIZE_ROOT="$(( 110*1024))" # = 100 MB
+SIZE_MAX="0" # Will be calculated later!
+
+# Some extra space which would be left free after second partition
+# You have to experiment with this value until it matches!
+# You may find out if all disc space is consumed with "cfdisk ASSET_DEVICE"
+SIZE_EXTRA="$((1024 * 9 + 231))"
+
+# Offsets for the losetup command
+OFFSET_SWAP="$(($SIZE_BOOT*1024+$ROOM_PART))"
+OFFSET_ROOT="$(($OFFSET_SWAP+$SIZE_SWAP*1024+$ROOM_PART))"
+OFFSET_DATA="$(($OFFSET_ROOT+$SIZE_ROOT*1024+$ROOM_PART))"
+
+# This value will be overridden later
+BLOCKS_ROOT="0"
+# 1= umount asset, 0= keep asset mounted (needed to continue with cpio.sh
+UMOUNT_ASSET="0"
+# Count of iterations for losetup
+ITER="200"
+
+# Modules needed for booting system
+MODULES="loop"
+
+######## End assest.sh #############
+
+# Files and directories which we can to copy with cpio (do not copy all here!)
+CPIO_FILES="/home/ /root"
+
+# The target stick device (for testing place an 4MB image here)
+#STICK_DEVICE="$BASEDIR/setup/images/stick.img"
+# Change this to your USB stick device!
+STICK_DEVICE="/dev/sda" # Please use the testing image above first!
+# Size of the USB stick device in 1kBytes (will be overwritten later)
+STICK_SIZE="$((256*1024))"
+# This size will be used only for creating an image which has the same
+# raw size as your USB stick has. So please check the total size of first.
+# NOTE: If you want to change this to your real device (/dev/sda e.g.) and
+# you already run asset.sh / stick.sh then please run asset.sh again!
+#
+# Otherwise your stick may take "logical" damage.
+
+# The FQFN of the usb-storage module, change it to your matching version
+USB_STORAGE="/lib/modules/$KERN_VER/kernel/drivers/usb/storage/usb-storage.ko"
+
+# Is there an additional .local.sh script? (for testing)
+LOCAL="0"
+if test -e ./.local.sh; then
+ # Include local configuration file
+ echo "$0: Loading .local.sh."
+ . ./.local.sh
+ LOCAL="1"
+ elif test -e $BASEDIR; then
+ # Use existing directory
+ echo "$0: Using $BASEDIR."
+ else
+ # Create base directory (maybe first call?)
+ mkdir $VERBOSE $BASEDIR
+fi
+
+# Load additional functions
+. $BASEDIR/include/functions.sh
projects / secure-linux-project.git / commitdiff