Initial import from 0.5a version.

[secure-linux-project.git] / encrypt / asset.sh

#!/bin/sh
##############################################
# Script for Secure Linux Project            #
# Copyright(c) 2005, 2006 by Roland Haeder   #
##############################################
# Purpose: Creates the encrypted asset       #
##############################################
# This software is licensed under the GNU    #
# General Public License Version 2 or either #
# and comes with ABSOLUTELY NO WARRANTY      #
# neither implied nor explicit.              #
##############################################

rm -fv ./.local.sh
. ./.settings.sh || exit 3

if test "$UMOUNT_ASSET" == "0"; then
        umount /dev/loop3 > /dev/null 2>&1
        umount /dev/loop2 > /dev/null 2>&1
        losetup -d /dev/loop3 > /dev/null 2>&1
        losetup -d /dev/loop2 > /dev/null 2>&1
        losetup -d /dev/loop1 > /dev/null 2>&1
fi

if test -e $MULTI_KEY; then
        echo "$0: Keyfile found."
 else
        echo "$0: Keyfile not found! Run gen.sh first."
        exit 2
fi

mkdir $VERBOSE $KEYS $SECRETS $STICK

if test -e $BASEDIR/.seed; then
        echo "$0: Using saved seed... "
 else
        echo "$0: Please run gen.sh first to generate the seeds!"
        exit 255
fi

if test -e $BASEDIR/.stick_seed; then
        echo "$0: Using saved stick seed... "
 else
        echo "$0: Please run gen.sh first to generate the seeds!"
        exit 255
fi

MKFS="0" # Make no filesystem is the default
if test -e $BASEDIR/.created; then
        echo "$0: Using existing filesystem on $FS_ROOT."
else
        echo "$0: Will create/overwrite filesystem on $FS_ROOT."
        MKFS="1"
fi
for usr in $USERS; do
        if test "$MKFS" == "1" && test ! -e "$BASEDIR/.stick_$usr"; then
                # Remove invalid image if present (e.g. different seed)
                rm $VERBOSE -f $BASEDIR/setup/images/key-$usr.img
        fi

        if test -e $BASEDIR/setup/images/key-$usr.img; then
                echo "$0: Key-image found for $usr."
         else
                echo -n "$0: Generating key-image for $usr ... "
                head -c 256k $RAND > $BASEDIR/setup/images/key-$usr.img
                echo "done"
                losetup -e $CIPHER -K $STICK_KEY /dev/loop2 $BASEDIR/setup/images/key-$usr.img || exit 1
                mke2fs /dev/loop2 || exit 4
                mount /dev/loop2 $KEYS
                cp $VERBOSE $BASEDIR/setup/keys/$usr-$MULTI_KEY_SUFFIX $KEYS/
                umount $KEYS
                losetup -d /dev/loop2
        fi
done

if test -b $ASSET_DEVICE; then
        # Real device
        echo "$0: Using real device."
        DEVICE="$ASSET_DEVICE"
        BOOT="$ASSET_DEVICE"1
        ASSET="$ASSET_DEVICE"2
 else
        # Image for testing
        echo "$0: Using loop-device on test image."
        losetup -e NONE /dev/loop7 $ASSET_DEVICE || exit 1
        losetup -e NONE -o 64512 /dev/loop8 /dev/loop7 || exit 1
        losetup -e NONE -o $OFFSET_SWAP /dev/loop9 /dev/loop7 || exit 1
        DEVICE="/dev/loop7"
        BOOT="/dev/loop8"
        ASSET="/dev/loop9"
fi


echo -n "$0: Scrambling $DEVICE ... "
if test "$COUNT" == "0" && test -b $DEVICE; then
        # Whole disc/partition
        echo
        # You can watch the process here...
        shred -n 1 $VERBOSE $DEVICE || exit 1
        echo
 elif test "$COUNT" != "0" && test -b $DEVICE; then
        # Disabled!
        echo "disabled"
 elif test $COUNT -gt 0 && test -f $DEVICE; then
        # Maybe file for testing?
        if test "$OPENSSL" == "1"; then
                openssl rand -out $DEVICE $(($COUNT*1024)) > /dev/null 2>&1
         else
                dd if=$RAND of=$DEVICE bs=1k count=$COUNT > /dev/null 2>&1
        fi
        echo "done"
 else
        # Invalid mode
        echo "invalid!"
        echo "$0: You entered an invalid value for ASSET and COUNT:"
        echo
        echo "ASSET=$ASSET"
        echo "COUNT=$COUNT"
        exit 6
fi

echo -n "$0: Setting up $LOOP_ASSET ... "
head -c $SEED_LEN $RAND | uuencode -m - | head -n 2 | tail -n 1 | losetup -p 0 -e $CIPHER -S `cat $BASEDIR/.seed` -C $ITER $LOOP_ASSET $DEVICE || exit1

if test "$ZERO_ASSET" == "1"; then
        # This may take very long on large discs!
        echo -n "Zero-ing... "
        nice -n 19 dd if=/dev/zero of=$LOOP_ASSET bs=4k conv=notrunc 2>/dev/null
fi
losetup -d $LOOP_ASSET || exit 1
echo "done"

if test ! -e "$BASEDIR/.created"; then
        MB="$(($SIZE_BOOT/1024))"
        echo "$0: Zeroing $DEVICE ($MB MB only)..."
        dd if=/dev/zero of=$DEVICE bs=1k count=$SIZE_BOOT > /dev/null 2>&1

        parted -s $DEVICE mklabel msdos || exit 1

        # Determine maximum sectos
        SIZE_MAX=`cfdisk -P s $DEVICE | grep "Free Space" | cut -c26- | cut -f1 -d " "`
        # One secor = 512 Byte so we can calculate the maximum MBytes + some extra
        SIZE_MAX="$(($SIZE_MAX * 512 / 1024 / 1024 + $SIZE_EXTRA))"
        echo "$0: Maximum size is $SIZE_MAX MByte"

        echo -n "$0: Creating partitions on $ASSET_DEVICE ... "
        #parted -s $DEVICE mkpart extended 0 $SIZE_MAX || exit 1
        echo -n "."
        parted -s $DEVICE mkpart primary 0 $MB || exit 1
        echo -n "."
        parted -s $DEVICE mkpart primary $MB $SIZE_MAX || exit 1
        echo ". done"

        echo "$0: Creating $FS_BOOT on $BOOT..."
        mkfs -t $FS_BOOT -b $SIZE_BLOCK $BOOT || exit 1
fi
echo
echo "$0: Need a password for creating asset on $ASSET."
echo
losetup -e $CIPHER -C $ITER -S `cat $BASEDIR/.seed` -K $MULTI_KEY /dev/loop1 $ASSET || exit 1

echo "$0: Creating randomized swap partition..."
mkswap /dev/loop1 $SIZE_SWAP || exit 1

mkdir $VERBOSE $BASEDIR/root

losetup -e NONE -o $OFFSET_ROOT /dev/loop2 /dev/loop1 || exit 1

if test "$MKFS" == "1"; then
        # Run a "dry" test to gather maximum size of target /dev/loop2
        SIZE_MAX=`mke2fs -n -j -b $SIZE_BLOCK /dev/loop2 | grep "inodes," | cut -f 3 -d " "`
        SIZE_MAX="$((SIZE_MAX * $SIZE_BLOCK  - $OFFSET_DATA))"
        BLOCKS_ROOT="$(($SIZE_ROOT * 1024 / $SIZE_BLOCK))"
        FREE_SPACE="$(($OFFSET_DATA - ($OFFSET_ROOT + $BLOCKS_ROOT * $SIZE_BLOCK)))"
        echo -n "$0: Size<->Offset-Data: $FREE_SPACE - "
        # DEBUG: read dummy
        if test "$FREE_SPACE" == "$ROOM_PART"; then
                echo "okay"
         else
                echo "failed!"
                echo "FREE_SPACE=$FREE_SPACE / ROOM_PART=$ROOM_PART"
                exit 6
        fi

        mkfs -t $FS_ROOT -b $SIZE_BLOCK /dev/loop2 $BLOCKS_ROOT || exit 1
 else
        fsck.$FS_ROOT -pv /dev/loop2 || exit 2
fi
mount -t $FS_ROOT /dev/loop2 $BASEDIR/root

mkdir $VERBOSE $BASEDIR/root/initrd $BOOT_MOUNT $MP_DATA

losetup -o $OFFSET_DATA /dev/loop3 /dev/loop1 || exit 1

if test "$MKFS" == "1"; then
        mkfs -t $FS_DATA -b $SIZE_BLOCK /dev/loop3 $BLOCKS_DATA || exit 1
        echo -n "" > $BASEDIR/.created
 else
        fsck.$FS_DATA -pv /dev/loop3 || exit 2
fi

mount /dev/loop3 $MP_DATA

if test "$UMOUNT_ASSET" == "1"; then
        umount /dev/loop3
        umount /dev/loop2
        losetup -d /dev/loop3
        losetup -d /dev/loop2
        losetup -d /dev/loop1
fi

# Is the .local.sh not beeing created or STICK_SIZE not yet set?
if ! test -e "$BASEDIR/.local.sh" || test "$STICK_SIZE" == "xxx"; then
        # Now we can write the .local.sh script which keeps our configuration stuff
        echo -n "$0: Writing .local.sh ... "
        cp $BASEDIR/.local.sh.head $BASEDIR/.local.sh > /dev/null 2>&1
        if test -b "$STICK_DEVIE"; then
                # On real stick device
                echo "KEYS=/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh
                echo "SEED_STICK=/.seed" >> $BASEDIR/.local.sh
         else
                # For testing purposes
                echo "KEYS=$BASEDIR/initrd/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh
                echo "SEED_STICK=$BASEDIR/initrd/.seed" >> $BASEDIR/.local.sh
        fi
        echo "SEED_LEN=$SEED_LEN" >> $BASEDIR/.local.sh
        echo "PASS_LEN=$PASS_LEN" >> $BASEDIR/.local.sh
        echo "RAND=$RAND" >> $BASEDIR/.local.sh
        echo "SEED_USER=\$KEYS/.seed" >> $BASEDIR/.local.sh
        echo "SEED_STICK_MD5=\"`md5sum -b $BASEDIR/.stick_seed | cut -c -32`\"" >> $BASEDIR/.local.sh
        echo "ASSET=$ASSET" >> $BASEDIR/.local.sh
        echo "ROOT_OFFSET=$OFFSET_ROOT" >> $BASEDIR/.local.sh
        echo "DATA_OFFSET=$OFFSET_DATA" >> $BASEDIR/.local.sh
        echo "SWAP_OFFSET=$OFFSET_SWAP" >> $BASEDIR/.local.sh
        echo "SWAP_SIZE=$SIZE_SWAP" >> $BASEDIR/.local.sh
        if test -b "$STICK_DEVIE"; then
                # On real stick device
                echo "MOUNT=/$MNT/new-root/" >> $BASEDIR/.local.sh
                echo "STICK_KEY=\"\$KEYS/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh
         else
                # For testing purposes
                echo "MOUNT=$BASEDIR/initrd/$MNT/new-root/" >> $BASEDIR/.local.sh
                echo "STICK_KEY=\"$BASEDIR/initrd/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh
        fi
        echo "if test \"\$1\" != \"\"; then" >> $BASEDIR/.local.sh
        echo "  DISC_KEY=\"\$1.gpg\"" >> $BASEDIR/.local.sh
        echo " else" >> $BASEDIR/.local.sh
        echo "  DISC_KEY=\"\"" >> $BASEDIR/.local.sh
        echo "fi" >> $BASEDIR/.local.sh
        echo "STICK_MD5=`md5sum -b $STICK_KEY | cut -c -32`" >> $BASEDIR/.local.sh
        echo "STICK_LOOP=/dev/loop4" >> $BASEDIR/.local.sh
        echo "CIPHER=$CIPHER" >> $BASEDIR/.local.sh
        echo "ITER=$ITER" >> $BASEDIR/.local.sh
        echo "BOOT_DEVICE=\""$ASSET_DEVICE"1\"" >> $BASEDIR/.local.sh
        echo "ROOT_TYPE=$FS_ROOT" >> $BASEDIR/.local.sh
        echo "DATA_TYPE=$FS_DATA" >> $BASEDIR/.local.sh
        echo "STICK_TYPE=$FS_STICK" >> $BASEDIR/.local.sh
        echo "STICK_DEVICE=$STICK_DEVICE" >> $BASEDIR/.local.sh
        echo "STICK_START=xxx" >> $BASEDIR/.local.sh
        if test -b "$STICK_DEVIE"; then
                # On real stick device
                echo "STICK_MOUNT=/$MNT/stick" >> $BASEDIR/.local.sh
         else
                # For testing purposes
                echo "STICK_MOUNT=$BASEDIR/initrd/$MNT/stick" >> $BASEDIR/.local.sh
        fi

        # Write more MD5 sums here
        for user in $USERS; do
                MD5=`md5sum -b $BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX | cut -c -32`
                if test "$user" == "$MASTER_USER"; then
                        # First MD5 sum
                        echo "MD5SUMS=\"`echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh
                 else
                        # Next/last MD5 sum
                        echo "MD5SUMS=\"\$MD5SUMS `echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh
                fi
        done

        # Append existing footer script to this script
        if test -e "$BASEDIR/.local.sh.foot"; then
                echo "" >> $BASEDIR/.local.sh
                cat $BASEDIR/.local.sh.foot >> $BASEDIR/.local.sh
        fi

        # Set rights/owner/group
        echo " done"
        chmod -c go-rwx,u+rwx $BASEDIR/.local.sh
        chown -c root.root $BASEDIR/.local.sh

        # Extra syncing
        sync

        echo
        echo "$0: .local.sh is now created."
else
        echo "$0: Creation of .local.sh skipped."
fi
echo
echo "You may want to execute initrd.sh to setup your initrd image."
if test -f "$ASSET"; then
        echo -n "$0: Removing file $ASSET... "
        rm -f $ASSET
        touch $ASSET
        echo "done"
fi