2 ##############################################
3 # Script for Secure Linux Project #
4 # Copyright(c) 2005, 2006 by Roland Haeder #
5 ##############################################
6 # Purpose: Creates the encrypted asset #
7 ##############################################
8 # This software is licensed under the GNU #
9 # General Public License Version 2 or either #
10 # and comes with ABSOLUTELY NO WARRANTY #
11 # neither implied nor explicit. #
12 ##############################################
# Pull in the shared configuration (paths, device names, cipher settings).
# Everything below depends on it, so a missing or failing settings file
# is fatal with status 3.
if ! source ./.settings.sh; then
  exit 3
fi
# Tear-down of a previous run: when UMOUNT_ASSET is "0", unmount the key
# image and detach loop1..loop3 before everything is set up again.
17 if test "$UMOUNT_ASSET" == "0"; then
# Errors are deliberately silenced: on a first run presumably nothing is
# mounted or attached yet, so these commands would only report "not found".
18 umount /dev/loop3 > /dev/null 2>&1
19 umount /dev/loop2 > /dev/null 2>&1
20 losetup -d /dev/loop3 > /dev/null 2>&1
21 losetup -d /dev/loop2 > /dev/null 2>&1
22 losetup -d /dev/loop1 > /dev/null 2>&1
# Prerequisites: the multi-user key file and both seeds must already have
# been produced by gen.sh; otherwise the user is told to run it first.
# NOTE(review): $MULTI_KEY is unquoted, so a path containing whitespace
# breaks the test.
25 if test -e $MULTI_KEY; then
26 echo "$0: Keyfile found."
28 echo "$0: Keyfile not found! Run gen.sh first."
# Working directories for the key image, secrets and the stick. $VERBOSE
# is passed unquoted here and to rm/cp below, so it is apparently either
# empty or a verbosity flag — confirm in .settings.sh. mkdir is unchecked;
# a failure only surfaces later when something is copied into $KEYS.
32 mkdir $VERBOSE $KEYS $SECRETS $STICK
# Both seeds are consumed later: .seed is handed to losetup (-S) and
# .stick_seed is fingerprinted into .local.sh.
34 if test -e $BASEDIR/.seed; then
35 echo "$0: Using saved seed... "
37 echo "$0: Please run gen.sh first to generate the seeds!"
41 if test -e $BASEDIR/.stick_seed; then
42 echo "$0: Using saved stick seed... "
44 echo "$0: Please run gen.sh first to generate the seeds!"
# MKFS decides whether the root/data filesystems are (re)created. The
# marker file .created is written once mkfs of the data area has run
# (further below), so an existing marker means "keep the filesystem".
48 MKFS="0" # Make no filesystem is the default
49 if test -e $BASEDIR/.created; then
50 echo "$0: Using existing filesystem on $FS_ROOT."
52 echo "$0: Will create/overwrite filesystem on $FS_ROOT."
# Per-user key images. $usr is not assigned in this part of the script;
# presumably it is the loop variable of an enclosing 'for usr in $USERS'
# loop (the same list is walked again further down) — confirm before
# relying on it.
56 if test "$MKFS" == "1" && test ! -e "$BASEDIR/.stick_$usr"; then
57 # Remove invalid image if present (e.g. different seed)
58 rm $VERBOSE -f $BASEDIR/setup/images/key-$usr.img
61 if test -e $BASEDIR/setup/images/key-$usr.img; then
62 echo "$0: Key-image found for $usr."
64 echo -n "$0: Generating key-image for $usr ... "
# 256 KiB of raw bytes from $RAND become the container for the key image.
65 head -c 256k $RAND > $BASEDIR/setup/images/key-$usr.img
# Attach the image as an encrypted loop ($CIPHER, keyed from $STICK_KEY),
# create an ext2 filesystem on it and put the user's key file inside.
67 losetup -e $CIPHER -K $STICK_KEY /dev/loop2 $BASEDIR/setup/images/key-$usr.img || exit 1
68 mke2fs /dev/loop2 || exit 4
# NOTE(review): the mount is not checked. If it fails, the cp below drops
# the key file onto the plain $KEYS directory of the host instead of into
# the encrypted image.
69 mount /dev/loop2 $KEYS
70 cp $VERBOSE $BASEDIR/setup/keys/$usr-$MULTI_KEY_SUFFIX $KEYS/
# Target selection. A real block device is used directly and ASSET is its
# name with "2" appended (the second partition). Otherwise the test image
# is exposed through plain loops: loop7 = whole image, loop8 = image at
# byte offset 64512 (126 sectors of 512 bytes), loop9 = image at the swap
# offset. DEVICE/ASSET for the image case are expected to be assigned
# after these losetup calls — verify.
76 if test -b $ASSET_DEVICE; then
78 echo "$0: Using real device."
79 DEVICE="$ASSET_DEVICE"
81 ASSET="$ASSET_DEVICE"2
84 echo "$0: Using loop-device on test image."
85 losetup -e NONE /dev/loop7 $ASSET_DEVICE || exit 1
86 losetup -e NONE -o 64512 /dev/loop8 /dev/loop7 || exit 1
87 losetup -e NONE -o $OFFSET_SWAP /dev/loop9 /dev/loop7 || exit 1
# Fill the target with random data before the encrypted layout goes on it
# (presumably so unused space cannot be told apart from ciphertext).
# COUNT selects the amount: "0" means the whole device, otherwise COUNT KiB.
94 echo -n "$0: Scrambling $DEVICE ... "
95 if test "$COUNT" == "0" && test -b $DEVICE; then
96 # Whole disc/partition
98 # You can watch the process here...
# One pass of random data over the whole device; $VERBOSE is handed to
# shred, and a failure here is fatal.
99 shred -n 1 $VERBOSE $DEVICE || exit 1
101 elif test "$COUNT" != "0" && test -b $DEVICE; then
104 elif test $COUNT -gt 0 && test -f $DEVICE; then
105 # Maybe file for testing?
# NOTE(review): both fill commands silence stdout/stderr and neither is
# checked, unlike the shred branch above. A short or failed write leaves
# the test file only partly scrambled with no indication.
106 if test "$OPENSSL" == "1"; then
107 openssl rand -out $DEVICE $(($COUNT*1024)) > /dev/null 2>&1
109 dd if=$RAND of=$DEVICE bs=1k count=$COUNT > /dev/null 2>&1
115 echo "$0: You entered an invalid value for ASSET and COUNT:"
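echo -n "$0: Setting up $LOOP_ASSET ... "
# Attach $DEVICE as an encrypted loop for the scrambling/zeroing pass.
# The throwaway passphrase is $SEED_LEN random bytes, base64-encoded by
# uuencode -m (its second output line is the data line), and is fed
# through stdin (-p 0) so it never appears on a command line. The seed
# (-S) is still passed as an argument and is therefore visible in the
# process list while losetup runs.
# A failed losetup must be fatal: the original "|| exit1" was a typo (no
# such command), so the failure was ignored and the zeroing/detach below
# ran against a loop device that had never been set up.
head -c "$SEED_LEN" "$RAND" | uuencode -m - | head -n 2 | tail -n 1 \
  | losetup -p 0 -e "$CIPHER" -S "$(cat "$BASEDIR/.seed")" -C "$ITER" "$LOOP_ASSET" "$DEVICE" || exit 1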
# Optional zeroing through the encrypted loop: zeros written to
# $LOOP_ASSET land as ciphertext on $DEVICE. Enabled by ZERO_ASSET="1".
125 if test "$ZERO_ASSET" == "1"; then
126 # This may take very long on large discs!
127 echo -n "Zero-ing... "
# dd runs until the loop device is full, so its final "no space left"
# error is presumably expected and that is why stderr is silenced; the
# price is that any other write error is hidden too and the status is
# not checked.
128 nice -n 19 dd if=/dev/zero of=$LOOP_ASSET bs=4k conv=notrunc 2>/dev/null
# Detach the scrambling loop; the real asset loop is set up further down.
130 losetup -d $LOOP_ASSET || exit 1
# First-time partitioning, skipped when .created exists: wipe the first
# SIZE_BOOT KiB, write an msdos label and create two primary partitions —
# boot (0..MB MB) and the asset (MB..SIZE_MAX MB).
133 if test ! -e "$BASEDIR/.created"; then
134 MB="$(($SIZE_BOOT/1024))"
135 echo "$0: Zeroing $DEVICE ($MB MB only)..."
# NOTE(review): unlike the parted calls, this dd is silenced and
# unchecked, so a failed wipe is invisible.
136 dd if=/dev/zero of=$DEVICE bs=1k count=$SIZE_BOOT > /dev/null 2>&1
138 parted -s $DEVICE mklabel msdos || exit 1
140 # Determine maximum sectors
# Parsed from cfdisk's sector-unit table (-P s): the "Free Space" row,
# column 26 onwards, first space-separated field. This is fragile — it
# depends on cfdisk's exact output layout.
141 SIZE_MAX=`cfdisk -P s $DEVICE | grep "Free Space" | cut -c26- | cut -f1 -d " "`
142 # One sector = 512 Byte so we can calculate the maximum MBytes + some extra
143 SIZE_MAX="$(($SIZE_MAX * 512 / 1024 / 1024 + $SIZE_EXTRA))"
144 echo "$0: Maximum size is $SIZE_MAX MByte"
146 echo -n "$0: Creating partitions on $ASSET_DEVICE ... "
147 #parted -s $DEVICE mkpart extended 0 $SIZE_MAX || exit 1
149 parted -s $DEVICE mkpart primary 0 $MB || exit 1
151 parted -s $DEVICE mkpart primary $MB $SIZE_MAX || exit 1
# The boot partition is formatted directly (no encrypted loop in between).
154 echo "$0: Creating $FS_BOOT on $BOOT..."
155 mkfs -t $FS_BOOT -b $SIZE_BLOCK $BOOT || exit 1
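# The asset itself: attach $ASSET as an encrypted loop on /dev/loop1
# (cipher, iteration count and seed from the settings, key material from
# the key file $MULTI_KEY via -K). The notice is printed because losetup
# is expected to prompt for the key's passphrase here. The seed is passed
# on the command line and is visible in the process list while losetup
# runs. Path and value expansions are quoted so whitespace in a setting
# cannot split them into extra arguments.
echo "$0: Need a password for creating asset on $ASSET."
losetup -e "$CIPHER" -C "$ITER" -S "$(cat "$BASEDIR/.seed")" -K "$MULTI_KEY" /dev/loop1 "$ASSET" || exit 1
# Swap starts at the beginning of the encrypted loop and is SIZE_SWAP
# long; root and data follow at OFFSET_ROOT / OFFSET_DATA inside loop1.
echo "$0: Creating randomized swap partition..."
mkswap /dev/loop1 "$SIZE_SWAP" || exit 1
# Mount point for the root filesystem. $VERBOSE stays unquoted on purpose
# (it is empty or a flag); mkdir is unchecked so a re-run with an
# existing directory keeps going.
mkdir $VERBOSE "$BASEDIR/root"
# Plain loop (no second cipher layer) onto the root area of loop1.
losetup -e NONE -o "$OFFSET_ROOT" /dev/loop2 /dev/loop1 || exit 1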
# Root filesystem on loop2. With MKFS "1" the block count BLOCKS_ROOT is
# derived from SIZE_ROOT, a dry run of mke2fs reports what the loop could
# hold, and the gap between root and data is checked against ROOM_PART.
169 if test "$MKFS" == "1"; then
170 # Run a "dry" test to gather maximum size of target /dev/loop2
# mke2fs -n only simulates; the block count is the third space-separated
# field of its "... inodes, N blocks" line.
171 SIZE_MAX=`mke2fs -n -j -b $SIZE_BLOCK /dev/loop2 | grep "inodes," | cut -f 3 -d " "`
172 SIZE_MAX="$((SIZE_MAX * $SIZE_BLOCK - $OFFSET_DATA))"
173 BLOCKS_ROOT="$(($SIZE_ROOT * 1024 / $SIZE_BLOCK))"
# Bytes between the end of root (offset + size) and the start of data;
# it has to equal the configured ROOM_PART or the layout is off.
174 FREE_SPACE="$(($OFFSET_DATA - ($OFFSET_ROOT + $BLOCKS_ROOT * $SIZE_BLOCK)))"
175 echo -n "$0: Size<->Offset-Data: $FREE_SPACE - "
177 if test "$FREE_SPACE" == "$ROOM_PART"; then
181 echo "FREE_SPACE=$FREE_SPACE / ROOM_PART=$ROOM_PART"
# mkfs is capped at BLOCKS_ROOT so root cannot grow into the data area.
185 mkfs -t $FS_ROOT -b $SIZE_BLOCK /dev/loop2 $BLOCKS_ROOT || exit 1
# A failing filesystem check is fatal with status 2.
187 fsck.$FS_ROOT -pv /dev/loop2 || exit 2
# NOTE(review): mount is unchecked; if it fails, the mkdir that follows
# writes into the host's $BASEDIR/root instead of the asset.
189 mount -t $FS_ROOT /dev/loop2 $BASEDIR/root
# Directories inside the freshly mounted root plus the boot and data
# mount points, then the data area of loop1 exposed on loop3.
191 mkdir $VERBOSE $BASEDIR/root/initrd $BOOT_MOUNT $MP_DATA
193 losetup -o $OFFSET_DATA /dev/loop3 /dev/loop1 || exit 1
195 if test "$MKFS" == "1"; then
196 mkfs -t $FS_DATA -b $SIZE_BLOCK /dev/loop3 $BLOCKS_DATA || exit 1
# NOTE(review): the .created marker is written right after mkfs, before
# the fsck below. If fsck then fails (exit 2) the marker already exists,
# so the next run treats the asset as valid and skips partitioning/mkfs.
197 echo -n "" > $BASEDIR/.created
199 fsck.$FS_DATA -pv /dev/loop3 || exit 2
# Unchecked mount, as for root above.
202 mount /dev/loop3 $MP_DATA
# Optional detach at the end (UMOUNT_ASSET "1"); the matching umounts of
# the data and root mounts presumably precede these calls.
204 if test "$UMOUNT_ASSET" == "1"; then
# Detached in reverse order of setup. Unlike the cleanup at the top these
# are not silenced, but they are not checked either.
207 losetup -d /dev/loop3
208 losetup -d /dev/loop2
209 losetup -d /dev/loop1
212 # Is the .local.sh not being created or STICK_SIZE not yet set?
# .local.sh is the generated configuration consumed later (e.g. by the
# initrd script). It holds paths, offsets and MD5 fingerprints — no key
# material — which is why it is locked down to root at the end.
# NOTE(review): this condition tests STICK_SIZE, but the placeholder
# written below is STICK_START=xxx — verify which name the consumer of
# .local.sh is supposed to fill in.
213 if ! test -e "$BASEDIR/.local.sh" || test "$STICK_SIZE" == "xxx"; then
214 # Now we can write the .local.sh script which keeps our configuration stuff
215 echo -n "$0: Writing .local.sh ... "
# The header template is copied silently and unchecked; if it is missing,
# the appends below still produce a .local.sh without its header.
216 cp $BASEDIR/.local.sh.head $BASEDIR/.local.sh > /dev/null 2>&1
# NOTE(review): $STICK_DEVIE (here and at the two later tests) is not
# assigned anywhere in this script section; STICK_DEVICE is the name
# written out below. With the variable unset, test -b "" is false, so the
# "testing purposes" values are always written — most likely a typo for
# $STICK_DEVICE.
217 if test -b "$STICK_DEVIE"; then
218 # On real stick device
219 echo "KEYS=/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh
220 echo "SEED_STICK=/.seed" >> $BASEDIR/.local.sh
222 # For testing purposes
223 echo "KEYS=$BASEDIR/initrd/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh
224 echo "SEED_STICK=$BASEDIR/initrd/.seed" >> $BASEDIR/.local.sh
226 echo "SEED_LEN=$SEED_LEN" >> $BASEDIR/.local.sh
227 echo "PASS_LEN=$PASS_LEN" >> $BASEDIR/.local.sh
228 echo "RAND=$RAND" >> $BASEDIR/.local.sh
# Escaped \$KEYS: expanded when .local.sh is sourced, not here.
229 echo "SEED_USER=\$KEYS/.seed" >> $BASEDIR/.local.sh
# First 32 characters of md5sum's output = the digest. It identifies the
# stick seed file; MD5 here is a recognition/corruption check, not tamper
# evidence — whoever can replace the file can recompute the sum.
230 echo "SEED_STICK_MD5=\"`md5sum -b $BASEDIR/.stick_seed | cut -c -32`\"" >> $BASEDIR/.local.sh
231 echo "ASSET=$ASSET" >> $BASEDIR/.local.sh
232 echo "ROOT_OFFSET=$OFFSET_ROOT" >> $BASEDIR/.local.sh
233 echo "DATA_OFFSET=$OFFSET_DATA" >> $BASEDIR/.local.sh
234 echo "SWAP_OFFSET=$OFFSET_SWAP" >> $BASEDIR/.local.sh
235 echo "SWAP_SIZE=$SIZE_SWAP" >> $BASEDIR/.local.sh
# Same $STICK_DEVIE spelling as above.
236 if test -b "$STICK_DEVIE"; then
237 # On real stick device
238 echo "MOUNT=/$MNT/new-root/" >> $BASEDIR/.local.sh
239 echo "STICK_KEY=\"\$KEYS/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh
241 # For testing purposes
242 echo "MOUNT=$BASEDIR/initrd/$MNT/new-root/" >> $BASEDIR/.local.sh
243 echo "STICK_KEY=\"$BASEDIR/initrd/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh
# Literal shell code is emitted into .local.sh: the escaped \$1 is
# evaluated when .local.sh runs, picking the per-user .gpg key by name.
245 echo "if test \"\$1\" != \"\"; then" >> $BASEDIR/.local.sh
246 echo " DISC_KEY=\"\$1.gpg\"" >> $BASEDIR/.local.sh
247 echo " else" >> $BASEDIR/.local.sh
248 echo " DISC_KEY=\"\"" >> $BASEDIR/.local.sh
249 echo "fi" >> $BASEDIR/.local.sh
# Fingerprint of the stick key file, same caveat as SEED_STICK_MD5.
250 echo "STICK_MD5=`md5sum -b $STICK_KEY | cut -c -32`" >> $BASEDIR/.local.sh
251 echo "STICK_LOOP=/dev/loop4" >> $BASEDIR/.local.sh
252 echo "CIPHER=$CIPHER" >> $BASEDIR/.local.sh
253 echo "ITER=$ITER" >> $BASEDIR/.local.sh
# Three adjacent quoted strings; the result is BOOT_DEVICE="<device>1".
254 echo "BOOT_DEVICE=\""$ASSET_DEVICE"1\"" >> $BASEDIR/.local.sh
255 echo "ROOT_TYPE=$FS_ROOT" >> $BASEDIR/.local.sh
256 echo "DATA_TYPE=$FS_DATA" >> $BASEDIR/.local.sh
257 echo "STICK_TYPE=$FS_STICK" >> $BASEDIR/.local.sh
258 echo "STICK_DEVICE=$STICK_DEVICE" >> $BASEDIR/.local.sh
# Placeholder meant to be filled in by a later step.
259 echo "STICK_START=xxx" >> $BASEDIR/.local.sh
# Same $STICK_DEVIE spelling as above.
260 if test -b "$STICK_DEVIE"; then
261 # On real stick device
262 echo "STICK_MOUNT=/$MNT/stick" >> $BASEDIR/.local.sh
264 # For testing purposes
265 echo "STICK_MOUNT=$BASEDIR/initrd/$MNT/stick" >> $BASEDIR/.local.sh
268 # Write more MD5 sums here
# One fingerprint per user key file, collected into MD5SUMS.
269 for user in $USERS; do
270 MD5=`md5sum -b $BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX | cut -c -32`
271 if test "$user" == "$MASTER_USER"; then
# The master user's entry assigns MD5SUMS afresh (no \$MDSUMS prefix), so
# any sums written for users listed before MASTER_USER in $USERS are
# discarded when .local.sh is sourced; all other users append.
273 echo "MD5SUMS=\"`echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh
276 echo "MD5SUMS=\"\$MD5SUMS `echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh
280 # Append existing footer script to this script
281 if test -e "$BASEDIR/.local.sh.foot"; then
282 echo "" >> $BASEDIR/.local.sh
283 cat $BASEDIR/.local.sh.foot >> $BASEDIR/.local.sh
286 # Set rights/owner/group
# Readable and writable by root only: the file reveals the on-disk
# layout and key fingerprints. The "root.root" dot separator is accepted
# by GNU chown for compatibility; "root:root" is the documented form.
288 chmod -c go-rwx,u+rwx $BASEDIR/.local.sh
289 chown -c root.root $BASEDIR/.local.sh
295 echo "$0: .local.sh is now created."
297 echo "$0: Creation of .local.sh skipped."
# Closing hint: the initrd image is built by a separate script.
printf '%s\n' "You may want to execute initrd.sh to setup your initrd image."
301 if test -f "$ASSET"; then
302 echo -n "$0: Removing file $ASSET... "