From 3cf2c621a953bdb23378418ea1b4b6bce74d8ba7 Mon Sep 17 00:00:00 2001 From: Roland Haeder Date: Sat, 4 Jul 2015 17:50:03 +0200 Subject: [PATCH 1/1] Initial import from 0.5a version. Signed-off-by: Roland Haeder --- DOCS/AUTHORS.txt | 12 ++ DOCS/LICENSE.txt | 340 ++++++++++++++++++++++++++++++ DOCS/NEWS.txt | 11 + DOCS/README.txt | 39 ++++ DOCS/TODO.txt | 11 + encrypt/.local.sh.foot | 7 + encrypt/.local.sh.head | 26 +++ encrypt/.settings.sh | 185 ++++++++++++++++ encrypt/asset.sh | 306 +++++++++++++++++++++++++++ encrypt/cpio.sh | 104 +++++++++ encrypt/finish.sh | 23 ++ encrypt/gen.sh | 99 +++++++++ encrypt/include/functions.sh | 200 ++++++++++++++++++ encrypt/initrd.sh | 198 +++++++++++++++++ encrypt/lilo.conf | 16 ++ encrypt/lilo.sample | 17 ++ encrypt/search_hdd.sh | 72 +++++++ encrypt/setup-raid.sh | 18 ++ encrypt/sizes.sh | 37 ++++ encrypt/source/.welcome.msg | 4 + encrypt/source/decrypt.sh | 247 ++++++++++++++++++++++ encrypt/source/etc/fstab | 9 + encrypt/source/etc/init.d/swap.sh | 95 +++++++++ encrypt/source/etc/ld.so.conf | 0 encrypt/source/linuxrc | 39 ++++ encrypt/source/raid.sh | 11 + encrypt/source/remove.sh | 19 ++ encrypt/source/swap.sh | 49 +++++ encrypt/stick.sh | 194 +++++++++++++++++ encrypt/swap.sh | 49 +++++ settings.sh | 177 ++++++++++++++++ 31 files changed, 2614 insertions(+) create mode 100644 DOCS/AUTHORS.txt create mode 100644 DOCS/LICENSE.txt create mode 100644 DOCS/NEWS.txt create mode 100644 DOCS/README.txt create mode 100644 DOCS/TODO.txt create mode 100644 encrypt/.local.sh.foot create mode 100644 encrypt/.local.sh.head create mode 100755 encrypt/.settings.sh create mode 100755 encrypt/asset.sh create mode 100755 encrypt/cpio.sh create mode 100755 encrypt/finish.sh create mode 100755 encrypt/gen.sh create mode 100755 encrypt/include/functions.sh create mode 100755 encrypt/initrd.sh create mode 100644 encrypt/lilo.conf create mode 100644 encrypt/lilo.sample create mode 100755 encrypt/search_hdd.sh create mode 100755 encrypt/setup-raid.sh create mode 100755 encrypt/sizes.sh create mode 100644 encrypt/source/.welcome.msg create mode 100755 encrypt/source/decrypt.sh create mode 100644 encrypt/source/etc/fstab create mode 100755 encrypt/source/etc/init.d/swap.sh create mode 100644 encrypt/source/etc/ld.so.conf create mode 100755 encrypt/source/linuxrc create mode 100755 encrypt/source/raid.sh create mode 100755 encrypt/source/remove.sh create mode 100755 encrypt/source/swap.sh create mode 100755 encrypt/stick.sh create mode 100755 encrypt/swap.sh create mode 100755 settings.sh diff --git a/DOCS/AUTHORS.txt b/DOCS/AUTHORS.txt new file mode 100644 index 0000000..6fb6823 --- /dev/null +++ b/DOCS/AUTHORS.txt @@ -0,0 +1,12 @@ +AUTHORS.txt +----------- + +This file's format goes like this way: + +- Author's real name aka. "nickname" + (function in project | is related to) + +So here we go with all authors who has contributed parts to this project: + +- Roland Häder aka. "Quix0r" + (Project starter and maintainer) diff --git a/DOCS/LICENSE.txt b/DOCS/LICENSE.txt new file mode 100644 index 0000000..83f614e --- /dev/null +++ b/DOCS/LICENSE.txt @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/DOCS/NEWS.txt b/DOCS/NEWS.txt new file mode 100644 index 0000000..cd9fa7a --- /dev/null +++ b/DOCS/NEWS.txt @@ -0,0 +1,11 @@ +NEWS.txt - File +--------------- + +In this file I will write some news related to this project. So please keep an +eye on this to stay up-to-date. + +2006/05/16 - 13:16pm +-------------------- + +- First news written and first package completed. +- Version v0.0.2 finished (0.0.2 was for testing only!) diff --git a/DOCS/README.txt b/DOCS/README.txt new file mode 100644 index 0000000..b386c63 --- /dev/null +++ b/DOCS/README.txt @@ -0,0 +1,39 @@ +/--------------------------------------------\ +| README file for Secure-Linux Project | +| Copyright (c) 2005, 2006 by Roland Häder | +|--------------------------------------------| +| This software is licensed under the GNU | +| General Public License Version 2 or either | +| and comes with ABSOLUTELY NO WARRANTY | +| neither implied nor explicit. | +\--------------------------------------------/ + +Some general things before starting: +------------------------------------ + +- Read this file carefully before running executing any script! + +- Read the LICENSE.txt file if you want to know more about the license covering + this software. :-) + +- See AUTHORS.txt for contact informations. + +- And don't forget to have a look in the TODO.txt file when you are interested + in helping us to make these scripts better. + +- Always make a backup of your data / docs / source code / whatever which is + important to you. We cannot restore your lost data! + +- Test the optional free ISO image (round-about 120 megs) together with qemu + and write me (webmaster [at] mxchange [dot] org) back your feedback. + +- Checkout .settings.sh twice before using it on real devices (MAKE BACKUP + FIRST!) + +- If you don't find a LICENSE.txt file within this package please contact the + Free Software Foundation at http://www.fsf.org or http://www.fsfeurope.org and + report them you have found this software! + +- License for additional files in DOCS: I'm not interested in these files so + they go with this package "as is". Use them (especially the README.txt) for + your needs as you like. diff --git a/DOCS/TODO.txt b/DOCS/TODO.txt new file mode 100644 index 0000000..92699cc --- /dev/null +++ b/DOCS/TODO.txt @@ -0,0 +1,11 @@ +TODO List +--------- + +Several things must be done in this project: + +- Improve setup procedure (will be re-imported from 0.0.1 soon!) +- Make some scripts a little more flexible +- Add nice dialogs for setting up .settings.sh and the whole procedure + (as like as debconf uses them) +- Improve documentation +- Stop using prohibitory software and join the Free Software Community! :-) diff --git a/encrypt/.local.sh.foot b/encrypt/.local.sh.foot new file mode 100644 index 0000000..146aa7f --- /dev/null +++ b/encrypt/.local.sh.foot @@ -0,0 +1,7 @@ +# This is the footer for .local.sh Add what you want here. :-) +# But please also never use exit here. +# +# Uncomment the following three lines for debugging the order of md5sums. +#for md5 in $MD5SUMS; do +# echo $md5 +#done diff --git a/encrypt/.local.sh.head b/encrypt/.local.sh.head new file mode 100644 index 0000000..79864ee --- /dev/null +++ b/encrypt/.local.sh.head @@ -0,0 +1,26 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Local configuration file # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +if test "$1" == ""; then + if test "$INSTALL" != "1"; then + echo "$0: Please provide a username as first argument!" + exit 255 + fi +fi + +# This script will hold the configuration data after setup. +# It will be generated automatically! DO NOT EDIT THIS FILE UNLESS YOU +# KNOW WHAT YOU ARE DOING! +# +# And never use exit here. This file will be source'd +export PATH="/usr/sbin:/usr/bin:/sbin:/bin" diff --git a/encrypt/.settings.sh b/encrypt/.settings.sh new file mode 100755 index 0000000..da306ce --- /dev/null +++ b/encrypt/.settings.sh @@ -0,0 +1,185 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Main configuration file # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +######## Begin general stuff ######## +# 1=Setup mode. If you turn this off, a username will be requested +INSTALL="1" +# Option for cp/mkdir/rm-commands for verbose output +VERBOSE="-v" +# Update switch for cp-command. You can remove this for always copy. +UPDATE="-u" +# Options for the dd-cmmand (CARE!) +CONVERT="" +# Use strict OpenPGP behavior for gpg commands +OPENPGP="--openpgp" +# Length of all seeds (15-25 shall be fine) +SEED_LEN="15" +# Length of the random password +PASS_LEN="40" +# 1=Forces cpio.sh to copy all given files/directories without checking sizes +FORCE_CPIO="1" +# Which program shall I take? awk or gawk (last prefered!) +AWK=`which gawk | tail -n 1` +# Does the test go right? +if test "$AWK" == ""; then + echo "$0: Failed! The program gawk was found! We need this program" + echo "$0: to calculate with decimal-dotted values in functions.sh!" + exit 255 +fi +######## End general stuff ######## + +########## Begin gen.sh ########## +BASEDIR="/encrypt" +# For now on this will be setup automatically +ASSET="" +# For testing purposes use an image like this +#ASSET_DEVICE="$BASEDIR/setup/images/asset.img" +# For productive purposes use a "real" device here +ASSET_DEVICE="/dev/hda" +# For productive purposes use a "real" partition here: +CIPHER="AES256" +KEYS="$BASEDIR/keys" +SECRETS="$BASEDIR/secrets" +STICK="$BASEDIR/stick" +LOOP_ASSET="/dev/loop1" +LOOP_TEST="/dev/loop2" +# *Exactly* the same name(s) as you entered while gpg --gen-key for comment +USERS="quix0r angei junior" +# The master-key for creating the encrypted filesystem +MASTER="$BASEDIR/setup/keys/masterkey-secret.gpg" +# Additional keys (e.g. for your laptop) The path "BASEDIR/setup/keys" will be added! +EXTRA_KEYS="laptop-secret.gpg videos-secret.gpg home-secret.gpg" +# * 1kByte! No value means scrambling is disabled. A zero (0) together with +# Real device (/dev/hda; /dev/drbd0; etc.) means use shred +#COUNT="$((200*1024))" +COUNT="0" +RAND="/dev/urandom" +# Use openssl or dd for scrambling disc/image? (dd=0, openssl=1) +OPENSSL="1" +# The multi-key for encrypting disc/image +MULTI_KEY="$BASEDIR/setup/keys/userkey-secret.gpg" +# The multi-key for encrypting disc/image +STICK_KEY="$BASEDIR/setup/keys/stick-secret.gpg" +MULTI_KEY_SUFFIX="secret.gpg" +# The first user is the "master" of this system +MASTER_USER=`echo $USERS | awk '{print $1}'` +# 1= Zero LOOP_ASSET after setting up. This will be done in gen.sh +ZERO_ASSET="1" + +########## End gen.sh ############ + +########## Begin initrd.sh ########## +BOOT_DEVICE="$ASSET_DEVICE"1 +BOOT_MOUNT="$BASEDIR/root/boot" +if test "$UMOUNT_INITRD" == ""; then + # Shall I umount the initrd after creation? + UMOUNT_INITRD="0" +fi +KERN_VER="2.6.8-2-386" +KERN_FOUND="0" # Never set it to 1 here! +INITRD_LOOP="/dev/loop5" +# Check filesystem? (will be overriden after initial creation) +CHK_LOOP="1" +# Relative directory for mouting stick et cetera (to /) +MNT="mnt" +# Relative directory for storing key file(s) and seed (to /MNT) +KEYS_DIR="keys" +########## End initrd.sh ########## + +########## Begin asses.sh ########### +ROOM_PART="12288" # "Zero'ed" room between partitions + +# Filesystems +FS_BOOT="ext2" +FS_ROOT="ext3" +FS_DATA="ext3" +FS_STICK="ext2" + +# Special mount points (e.g. for "data partition") +MP_DATA="$BASEDIR/root/home" + +# Sizes for misc things (I have used a 200 GB HDD) +SIZE_BLOCK="4096" # Size of a block in filesystem +# Size of encrypted swap partition +# GB MB KB +SIZE_SWAP="$(( 2*1024*1024))" # = 2 GB +#SIZE_SWAP="$(( 20*1024))" # = 20 MB +# Size of unencrypted boot partition (for kernel-image, Sytem.map and initrd) +SIZE_BOOT="$(( 8*1024))" # = 8 MB +# Size of encrypted root (/) partition +# GB MB KB +SIZE_ROOT="$((170*1024*1024))" # = 170 GB +#SIZE_ROOT="$(( 110*1024))" # = 100 MB +SIZE_MAX="0" # Will be calculated later! + +# Some extra space which would be left free after second partition +# You have to experiment with this value until it matches! +# You may find out if all disc space is consumed with "cfdisk ASSET_DEVICE" +SIZE_EXTRA="$((1024 * 9 + 231))" + +# Offsets for the losetup command +OFFSET_SWAP="$(($SIZE_BOOT*1024+$ROOM_PART))" +OFFSET_ROOT="$(($OFFSET_SWAP+$SIZE_SWAP*1024+$ROOM_PART))" +OFFSET_DATA="$(($OFFSET_ROOT+$SIZE_ROOT*1024+$ROOM_PART))" + +# This value will be overridden later +BLOCKS_ROOT="0" +# 1= umount asset, 0= keep asset mounted (needed to continue with cpio.sh +UMOUNT_ASSET="0" +# Count of iterations for losetup +ITER="200" + +# Modules needed for booting system +MODULES="loop" + +######## End assest.sh ############# + +# Files and directories which we can to copy with cpio (do not copy all here!) +CPIO_FILES="/home/ /root" + +# The target stick device (for testing place an 4MB image here) +#STICK_DEVICE="$BASEDIR/setup/images/stick.img" +# Change this to your USB stick device! +STICK_DEVICE="/dev/sda" # Please use the testing image above first! +# Size of the USB stick device in 1kBytes (will be overwritten later) +STICK_SIZE="$((256*1024))" +# This size will be used only for creating an image which has the same +# raw size as your USB stick has. So please check the total size of first. +# NOTE: If you want to change this to your real device (/dev/sda e.g.) and +# you already run asset.sh / stick.sh then please run asset.sh again! +# +# Otherwise your stick may take "logical" damage. + +# The FQFN of the usb-storage module, change it to your matching version +USB_STORAGE="/lib/modules/$KERN_VER/kernel/drivers/usb/storage/usb-storage.ko" + +# Shall I zero the sticks before creating partitions on it? (solves some problems with parted) +STICK_ZERO="1" # 0=Disabled + +# Is there an additional .local.sh script? (for testing) +LOCAL="0" +if test -e ./.local.sh; then + # Include local configuration file + echo "$0: Loading .local.sh." + . ./.local.sh + LOCAL="1" + elif test -e $BASEDIR; then + # Use existing directory + echo "$0: Using $BASEDIR." + else + # Create base directory (maybe first call?) + mkdir $VERBOSE $BASEDIR +fi + +# Load additional functions +. $BASEDIR/include/functions.sh diff --git a/encrypt/asset.sh b/encrypt/asset.sh new file mode 100755 index 0000000..5a394a8 --- /dev/null +++ b/encrypt/asset.sh @@ -0,0 +1,306 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Creates the encrypted asset # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +rm -fv ./.local.sh +. ./.settings.sh || exit 3 + +if test "$UMOUNT_ASSET" == "0"; then + umount /dev/loop3 > /dev/null 2>&1 + umount /dev/loop2 > /dev/null 2>&1 + losetup -d /dev/loop3 > /dev/null 2>&1 + losetup -d /dev/loop2 > /dev/null 2>&1 + losetup -d /dev/loop1 > /dev/null 2>&1 +fi + +if test -e $MULTI_KEY; then + echo "$0: Keyfile found." + else + echo "$0: Keyfile not found! Run gen.sh first." + exit 2 +fi + +mkdir $VERBOSE $KEYS $SECRETS $STICK + +if test -e $BASEDIR/.seed; then + echo "$0: Using saved seed... " + else + echo "$0: Please run gen.sh first to generate the seeds!" + exit 255 +fi + +if test -e $BASEDIR/.stick_seed; then + echo "$0: Using saved stick seed... " + else + echo "$0: Please run gen.sh first to generate the seeds!" + exit 255 +fi + +MKFS="0" # Make no filesystem is the default +if test -e $BASEDIR/.created; then + echo "$0: Using existing filesystem on $FS_ROOT." +else + echo "$0: Will create/overwrite filesystem on $FS_ROOT." + MKFS="1" +fi +for usr in $USERS; do + if test "$MKFS" == "1" && test ! -e "$BASEDIR/.stick_$usr"; then + # Remove invalid image if present (e.g. different seed) + rm $VERBOSE -f $BASEDIR/setup/images/key-$usr.img + fi + + if test -e $BASEDIR/setup/images/key-$usr.img; then + echo "$0: Key-image found for $usr." + else + echo -n "$0: Generating key-image for $usr ... " + head -c 256k $RAND > $BASEDIR/setup/images/key-$usr.img + echo "done" + losetup -e $CIPHER -K $STICK_KEY /dev/loop2 $BASEDIR/setup/images/key-$usr.img || exit 1 + mke2fs /dev/loop2 || exit 4 + mount /dev/loop2 $KEYS + cp $VERBOSE $BASEDIR/setup/keys/$usr-$MULTI_KEY_SUFFIX $KEYS/ + umount $KEYS + losetup -d /dev/loop2 + fi +done + +if test -b $ASSET_DEVICE; then + # Real device + echo "$0: Using real device." + DEVICE="$ASSET_DEVICE" + BOOT="$ASSET_DEVICE"1 + ASSET="$ASSET_DEVICE"2 + else + # Image for testing + echo "$0: Using loop-device on test image." + losetup -e NONE /dev/loop7 $ASSET_DEVICE || exit 1 + losetup -e NONE -o 64512 /dev/loop8 /dev/loop7 || exit 1 + losetup -e NONE -o $OFFSET_SWAP /dev/loop9 /dev/loop7 || exit 1 + DEVICE="/dev/loop7" + BOOT="/dev/loop8" + ASSET="/dev/loop9" +fi + + +echo -n "$0: Scrambling $DEVICE ... " +if test "$COUNT" == "0" && test -b $DEVICE; then + # Whole disc/partition + echo + # You can watch the process here... + shred -n 1 $VERBOSE $DEVICE || exit 1 + echo + elif test "$COUNT" != "0" && test -b $DEVICE; then + # Disabled! + echo "disabled" + elif test $COUNT -gt 0 && test -f $DEVICE; then + # Maybe file for testing? + if test "$OPENSSL" == "1"; then + openssl rand -out $DEVICE $(($COUNT*1024)) > /dev/null 2>&1 + else + dd if=$RAND of=$DEVICE bs=1k count=$COUNT > /dev/null 2>&1 + fi + echo "done" + else + # Invalid mode + echo "invalid!" + echo "$0: You entered an invalid value for ASSET and COUNT:" + echo + echo "ASSET=$ASSET" + echo "COUNT=$COUNT" + exit 6 +fi + +echo -n "$0: Setting up $LOOP_ASSET ... " +head -c $SEED_LEN $RAND | uuencode -m - | head -n 2 | tail -n 1 | losetup -p 0 -e $CIPHER -S `cat $BASEDIR/.seed` -C $ITER $LOOP_ASSET $DEVICE || exit1 + +if test "$ZERO_ASSET" == "1"; then + # This may take very long on large discs! + echo -n "Zero-ing... " + nice -n 19 dd if=/dev/zero of=$LOOP_ASSET bs=4k conv=notrunc 2>/dev/null +fi +losetup -d $LOOP_ASSET || exit 1 +echo "done" + +if test ! -e "$BASEDIR/.created"; then + MB="$(($SIZE_BOOT/1024))" + echo "$0: Zeroing $DEVICE ($MB MB only)..." + dd if=/dev/zero of=$DEVICE bs=1k count=$SIZE_BOOT > /dev/null 2>&1 + + parted -s $DEVICE mklabel msdos || exit 1 + + # Determine maximum sectos + SIZE_MAX=`cfdisk -P s $DEVICE | grep "Free Space" | cut -c26- | cut -f1 -d " "` + # One secor = 512 Byte so we can calculate the maximum MBytes + some extra + SIZE_MAX="$(($SIZE_MAX * 512 / 1024 / 1024 + $SIZE_EXTRA))" + echo "$0: Maximum size is $SIZE_MAX MByte" + + echo -n "$0: Creating partitions on $ASSET_DEVICE ... " + #parted -s $DEVICE mkpart extended 0 $SIZE_MAX || exit 1 + echo -n "." + parted -s $DEVICE mkpart primary 0 $MB || exit 1 + echo -n "." + parted -s $DEVICE mkpart primary $MB $SIZE_MAX || exit 1 + echo ". done" + + echo "$0: Creating $FS_BOOT on $BOOT..." + mkfs -t $FS_BOOT -b $SIZE_BLOCK $BOOT || exit 1 +fi +echo +echo "$0: Need a password for creating asset on $ASSET." +echo +losetup -e $CIPHER -C $ITER -S `cat $BASEDIR/.seed` -K $MULTI_KEY /dev/loop1 $ASSET || exit 1 + +echo "$0: Creating randomized swap partition..." +mkswap /dev/loop1 $SIZE_SWAP || exit 1 + +mkdir $VERBOSE $BASEDIR/root + +losetup -e NONE -o $OFFSET_ROOT /dev/loop2 /dev/loop1 || exit 1 + +if test "$MKFS" == "1"; then + # Run a "dry" test to gather maximum size of target /dev/loop2 + SIZE_MAX=`mke2fs -n -j -b $SIZE_BLOCK /dev/loop2 | grep "inodes," | cut -f 3 -d " "` + SIZE_MAX="$((SIZE_MAX * $SIZE_BLOCK - $OFFSET_DATA))" + BLOCKS_ROOT="$(($SIZE_ROOT * 1024 / $SIZE_BLOCK))" + FREE_SPACE="$(($OFFSET_DATA - ($OFFSET_ROOT + $BLOCKS_ROOT * $SIZE_BLOCK)))" + echo -n "$0: Size<->Offset-Data: $FREE_SPACE - " + # DEBUG: read dummy + if test "$FREE_SPACE" == "$ROOM_PART"; then + echo "okay" + else + echo "failed!" + echo "FREE_SPACE=$FREE_SPACE / ROOM_PART=$ROOM_PART" + exit 6 + fi + + mkfs -t $FS_ROOT -b $SIZE_BLOCK /dev/loop2 $BLOCKS_ROOT || exit 1 + else + fsck.$FS_ROOT -pv /dev/loop2 || exit 2 +fi +mount -t $FS_ROOT /dev/loop2 $BASEDIR/root + +mkdir $VERBOSE $BASEDIR/root/initrd $BOOT_MOUNT $MP_DATA + +losetup -o $OFFSET_DATA /dev/loop3 /dev/loop1 || exit 1 + +if test "$MKFS" == "1"; then + mkfs -t $FS_DATA -b $SIZE_BLOCK /dev/loop3 $BLOCKS_DATA || exit 1 + echo -n "" > $BASEDIR/.created + else + fsck.$FS_DATA -pv /dev/loop3 || exit 2 +fi + +mount /dev/loop3 $MP_DATA + +if test "$UMOUNT_ASSET" == "1"; then + umount /dev/loop3 + umount /dev/loop2 + losetup -d /dev/loop3 + losetup -d /dev/loop2 + losetup -d /dev/loop1 +fi + +# Is the .local.sh not beeing created or STICK_SIZE not yet set? +if ! test -e "$BASEDIR/.local.sh" || test "$STICK_SIZE" == "xxx"; then + # Now we can write the .local.sh script which keeps our configuration stuff + echo -n "$0: Writing .local.sh ... " + cp $BASEDIR/.local.sh.head $BASEDIR/.local.sh > /dev/null 2>&1 + if test -b "$STICK_DEVIE"; then + # On real stick device + echo "KEYS=/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh + echo "SEED_STICK=/.seed" >> $BASEDIR/.local.sh + else + # For testing purposes + echo "KEYS=$BASEDIR/initrd/$MNT/$KEYS_DIR" >> $BASEDIR/.local.sh + echo "SEED_STICK=$BASEDIR/initrd/.seed" >> $BASEDIR/.local.sh + fi + echo "SEED_LEN=$SEED_LEN" >> $BASEDIR/.local.sh + echo "PASS_LEN=$PASS_LEN" >> $BASEDIR/.local.sh + echo "RAND=$RAND" >> $BASEDIR/.local.sh + echo "SEED_USER=\$KEYS/.seed" >> $BASEDIR/.local.sh + echo "SEED_STICK_MD5=\"`md5sum -b $BASEDIR/.stick_seed | cut -c -32`\"" >> $BASEDIR/.local.sh + echo "ASSET=$ASSET" >> $BASEDIR/.local.sh + echo "ROOT_OFFSET=$OFFSET_ROOT" >> $BASEDIR/.local.sh + echo "DATA_OFFSET=$OFFSET_DATA" >> $BASEDIR/.local.sh + echo "SWAP_OFFSET=$OFFSET_SWAP" >> $BASEDIR/.local.sh + echo "SWAP_SIZE=$SIZE_SWAP" >> $BASEDIR/.local.sh + if test -b "$STICK_DEVIE"; then + # On real stick device + echo "MOUNT=/$MNT/new-root/" >> $BASEDIR/.local.sh + echo "STICK_KEY=\"\$KEYS/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh + else + # For testing purposes + echo "MOUNT=$BASEDIR/initrd/$MNT/new-root/" >> $BASEDIR/.local.sh + echo "STICK_KEY=\"$BASEDIR/initrd/`basename $STICK_KEY`\"" >> $BASEDIR/.local.sh + fi + echo "if test \"\$1\" != \"\"; then" >> $BASEDIR/.local.sh + echo " DISC_KEY=\"\$1.gpg\"" >> $BASEDIR/.local.sh + echo " else" >> $BASEDIR/.local.sh + echo " DISC_KEY=\"\"" >> $BASEDIR/.local.sh + echo "fi" >> $BASEDIR/.local.sh + echo "STICK_MD5=`md5sum -b $STICK_KEY | cut -c -32`" >> $BASEDIR/.local.sh + echo "STICK_LOOP=/dev/loop4" >> $BASEDIR/.local.sh + echo "CIPHER=$CIPHER" >> $BASEDIR/.local.sh + echo "ITER=$ITER" >> $BASEDIR/.local.sh + echo "BOOT_DEVICE=\""$ASSET_DEVICE"1\"" >> $BASEDIR/.local.sh + echo "ROOT_TYPE=$FS_ROOT" >> $BASEDIR/.local.sh + echo "DATA_TYPE=$FS_DATA" >> $BASEDIR/.local.sh + echo "STICK_TYPE=$FS_STICK" >> $BASEDIR/.local.sh + echo "STICK_DEVICE=$STICK_DEVICE" >> $BASEDIR/.local.sh + echo "STICK_START=xxx" >> $BASEDIR/.local.sh + if test -b "$STICK_DEVIE"; then + # On real stick device + echo "STICK_MOUNT=/$MNT/stick" >> $BASEDIR/.local.sh + else + # For testing purposes + echo "STICK_MOUNT=$BASEDIR/initrd/$MNT/stick" >> $BASEDIR/.local.sh + fi + + # Write more MD5 sums here + for user in $USERS; do + MD5=`md5sum -b $BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX | cut -c -32` + if test "$user" == "$MASTER_USER"; then + # First MD5 sum + echo "MD5SUMS=\"`echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh + else + # Next/last MD5 sum + echo "MD5SUMS=\"\$MD5SUMS `echo $MD5`\" # ($user)" >> $BASEDIR/.local.sh + fi + done + + # Append existing footer script to this script + if test -e "$BASEDIR/.local.sh.foot"; then + echo "" >> $BASEDIR/.local.sh + cat $BASEDIR/.local.sh.foot >> $BASEDIR/.local.sh + fi + + # Set rights/owner/group + echo " done" + chmod -c go-rwx,u+rwx $BASEDIR/.local.sh + chown -c root.root $BASEDIR/.local.sh + + # Extra syncing + sync + + echo + echo "$0: .local.sh is now created." +else + echo "$0: Creation of .local.sh skipped." +fi +echo +echo "You may want to execute initrd.sh to setup your initrd image." +if test -f "$ASSET"; then + echo -n "$0: Removing file $ASSET... " + rm -f $ASSET + touch $ASSET + echo "done" +fi diff --git a/encrypt/cpio.sh b/encrypt/cpio.sh new file mode 100755 index 0000000..1fcc9f3 --- /dev/null +++ b/encrypt/cpio.sh @@ -0,0 +1,104 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Copys choosen directories/files # +# to the asset # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +. ./.settings.sh || exit 3 + +cd / +#find bin dev etc home lib mnt opt root sbin sys tmp usr var -print0 | \ +if test "$FORCE_CPIO" != "1"; then + # Check size of given targets + ALL_TOTAL="0" + for target in $CPIO_FILES; do + TOTAL="0" + if test -d "$target"; then + # Directory + if test "$VERBOSE" == "-v"; then + echo "$0: $target is a directory." + fi + sh $BASEDIR/sizes.sh $target + elif test -f "$target"; then + # File + TOTAL=`stat --format="%s" $target` + if test "$VERBOSE" == "-v"; then + echo "$0: $target is $TOTAL Bytes large." + fi + else + # Something else is not counted + if test "$VERBOSE" == "-v"; then + echo "$0: $target is no file/directory -> 0 Bytes forced." + fi + fi + ALL_TOTAL="$(($ALL_TOTAL + $TOTAL))" + done + echo + # Size for below if command + CHECK="$((ALL_TOTAL/1024))" + + # Begin looking for right unit (GB/MB/kB/Bytes) + UNIT="GByte" + SIZE="$((ALL_TOTAL/1024/1024/1024))" + if test "$SIZE" == "0"; then + UNIT="MByte" + SIZE="$((ALL_TOTAL/1024/1024))" + if test "$SIZE" == "0"; then + UNIT="kByte" + SIZE="$((ALL_TOTAL/1024))" + if test "$SIZE" == "0"; then + UNIT="Bytes" + SIZE="$ALL_TOTAL" + fi + fi + fi + + echo -n "$0: Total size: $SIZE $UNIT -> " + if test $SIZE_ROOT -gt $CHECK; then + echo "okay" + else + echo "warning!" + fi + echo + echo "$0: Press RETURN if this is also okay for you." + read dummy +else + # Do not check sizes of targets in CPIO_FILES + echo "$0: Warning: Will copy targets in CPIO_FILES regardless if you have" + echo "$0: enough space on $BASEDIR/root/!" + echo + echo "Press RETURN to begin copy process or CTRL+C to abort..." + read dummy +fi + + +# Shall I copy files? +if test "$CPIO_FILES" != ""; then + TEST=`grep "$BASEDIR" $CPIO_FILES` + if test "$TEST" != ""; then + echo "$0: Found my own path $BASEDIR in CPIO_FILES! Aborting..." + exit 6 + fi + + find $CPIO_FILES -print0 | \ + cpio --pass-through --make-directories --null --reset-access-time \ + --make-directories --preserve-modification-time --verbose $BASEDIR/root/ + + # Do some extra sync + sync +fi + +# Create additional directories +mkdir $VERBOSE $BASEDIR/root/{boot,cdrom,floppy,proc} + +echo "$0: When no error ('no space left on device' may" +echo "$0: occur on testing images) then please continue" +echo "$0: with stick.sh to setup your USB stick(s)!" diff --git a/encrypt/finish.sh b/encrypt/finish.sh new file mode 100755 index 0000000..0c2b037 --- /dev/null +++ b/encrypt/finish.sh @@ -0,0 +1,23 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Finish installation # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +. ./.settings.sh || exit 3 + +# Need to do "cd $BASEDIR/source" and "cp --parents -a etc/init.d/swap.sh +# $BASEDIR/root" here. + +# We can also do distribution-dependent things here for installing it on +# $BASEDIR/root. E.g. for Debian: dpkg --get-selections > list.tmp and +# debootstrap $SUIT $BASEDIR/root + +echo "$0: Please customize .local.sh now and check-out ASSET." diff --git a/encrypt/gen.sh b/encrypt/gen.sh new file mode 100755 index 0000000..a60d5e9 --- /dev/null +++ b/encrypt/gen.sh @@ -0,0 +1,99 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Create keys and key-images # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +. ./.settings.sh || exit 3 +mkdir $VERBOSE -p $BASEDIR/setup/{images,keys} + +if test -e $BASEDIR/.seed; then + echo "$0: Using saved seed... " + losetup -d $LOOP_ASSET > /dev/null 2>&1 + else + echo -n "$0: Creating seed... " + head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1 > $BASEDIR/.seed + echo "done" +fi + +if test -e $BASEDIR/.stick_seed; then + echo "$0: Using saved stick seed... " + losetup -d $LOOP_ASSET > /dev/null 2>&1 + else + echo -n "$0: Creating seed... " + head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1 > $BASEDIR/.stick_seed + echo "done" +fi + +for user in $USERS; do + if ! test -e "$BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX"; then + echo "$0: Generate key for $user..." + gpg $OPENPGP --quiet --gen-key --cipher-algo $CIPHER + else + echo "$0: Key found for $user." + fi +done + +if ! test -e "$MASTER"; then + echo -n "$0: Generating master key... " + head -c 2925 $RAND | uuencode -m - | head -n 66 | tail -n 65 | gpg $OPENPGP --cipher-algo $CIPHER -e -a -r $MASTER_USER > $MASTER 2> /dev/null + echo "done" +else + echo "$0: Master key found." +fi + +mkdir $VERBOSE $KEYS > /dev/null 2>&1 +umask 077 + +# Generate options list +OPTIONS="" +for user in $USERS; do + OPTIONS="$OPTIONS -r $user" +done + +# Write multi-key for encrypting disc +if ! test -e "$MULTI_KEY"; then + gpg $OPENPGP --decrypt < "$MASTER" | gpg $OPENPGP -e -a --always-trust $OPTIONS > "$MULTI_KEY" || exit 1 +else + echo "$0: User-key found." +fi + +# Write another multi-key for accessing the stick +if ! test -e "$STICK_KEY"; then + gpg $OPENPGP --decrypt < "$MASTER" | gpg $OPENPGP -e -a --always-trust $OPTIONS > "$STICK_KEY" || exit 1 +else + echo "$0: Stick-key found." +fi + +# Write additional keys +for key in $EXTRA_KEYS; do + FILE="$BASEDIR/setup/keys/$key" + if ! test -e "$FILE"; then + echo "$0: Generating key $key..." + gpg $OPENPGP --decrypt < "$MULTI_KEY" | gpg $OPENPGP -e -a --always-trust $OPTIONS > "$FILE" || exit 1 + else + echo "$0: Key $key found." + fi +done + +# Write keys for the users +for user in $USERS; do + if ! test -e "$BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX"; then + echo "$0: Generating key-file for $user ..." + gpg $OPENPGP --decrypt < "$MULTI_KEY" | gpg $OPENPGP -e -a --always-trust -r "$user" > "$BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX" + else + echo "$0: Key found for $user." + fi +done + +echo "$0: done" +echo +echo "Now you may want to execute asset.sh to continue" +echo "You can also customize some things now." diff --git a/encrypt/include/functions.sh b/encrypt/include/functions.sh new file mode 100755 index 0000000..4b3fe72 --- /dev/null +++ b/encrypt/include/functions.sh @@ -0,0 +1,200 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Additional functions # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +make_part() +{ + # Creates partitions on DEVICE + echo "$0: Zeroing stick on $DEVICE... (this can take loooong . . . )" + dd if=/dev/zero of=$DEVICE bs=1k > /dev/null 2>&1 + echo "$0: Analysing stick size on $DEVICE..." + parted -s $DEVICE mklabel msdos > /dev/null 2>&1 + + SIZE="" + # Determine maximum sectos + for pos in `seq 26 30`; do + SIZE=`cfdisk -P s $DEVICE | grep "Free Space" | cut -c$pos- | cut -f1 -d " "` + if test "$SIZE" != ""; then + #echo "$0: DEBUG: $pos=$SIZE" + break + fi + done + + # One secor = 512 Byte so we can calculate the maximum MBytes + some extra + SIZE="$(($SIZE * 512 / 1024 / 1024))" + echo "$0: Maximum size is $SIZE MByte" + echo -n "$0: Creating partitions... " + # This holds the encrypted filesystem with the main key + parted -s $DEVICE mkpartfs primary ext2 0 1 > /dev/null 2>&1 + echo -n "." + # This holds an encrypted filesystem for the key to unlock part1 + parted -s $DEVICE mkpartfs primary ext2 2 3 > /dev/null 2>&1 + echo -n "." + # This is the last part for data you want to carry on the stick with you + parted -s $DEVICE mkpartfs primary fat32 4 $SIZE > /dev/null 2>&1 + echo ". done" + echo -n "$0: Analysing... " + cfdisk -P s $DEVICE > $BASEDIR/.parted + parted -s $DEVICE rm 1 > /dev/null 2>&1 + parted -s $DEVICE rm 2 > /dev/null 2>&1 + echo "done" + cat $BASEDIR/.parted + echo "$0: Press RETURN to continue or CTRL+C to abort..." + read dummy +} + +analyse_stick() +{ + # Now let's analyse the stick/image... + echo -n "$0: Analysing $DEVICE ... " + + START1=`cat $BASEDIR/.parted | grep "1 Primary" | awk '{print $3}' | cut -f 1 -d "*"` + START1=`$AWK --assign=start=$START1 'BEGIN {print start*512}'` + echo -n "." + + START2=`cat $BASEDIR/.parted | grep "2 Primary" | awk '{print $3}' | cut -f 1 -d "*"` + START2=`$AWK --assign=start=$START2 'BEGIN {print start*512}'` + echo -n "." + + START3=`cat $BASEDIR/.parted | grep "4 Primary" | awk '{print $3}' | cut -f 1 -d "*"` + START3=`$AWK --assign=start=$START3 'BEGIN {print start*512}'` + echo -n "." + + # Enough space for the image? (in Bytes) + SIZE_FREE=`cat $BASEDIR/.parted | grep "1 Primary" | awk '{print $6}' | cut -f 1 -d "*"` + SIZE_FREE=`$AWK --assign=start=$SIZE_FREE 'BEGIN {print start*512}'` + echo ". done" + + # Update STICK_START... + echo -n "$0: Updating .local.sh ... " + EVAL="sed 's/STICK_START=xxx/STICK_START=1024/g' $BASEDIR/.local.sh > $BASEDIR/tmp" + eval $EVAL > /dev/null 2>&1 + echo "done" + + if test -e $BASEDIR/tmp; then + if test "`cat $BASEDIR/tmp`" != "`cat $BASEDIR/.local.sh`"; then + # Move existing tmp file back to .local.sh + echo -n "$0: Updating .local.sh ... " + mv $BASEDIR/tmp $BASEDIR/.local.sh > /dev/null 2>&1 + chmod go-rwx,u+rwx $BASEDIR/.local.sh > /dev/null 2>&1 + chown root.root $BASEDIR/.local.sh > /dev/null 2>&1 + echo "done" + echo -n "$0: Re-reading .local.sh ... " + . ./.local.sh + echo "done" + else + # Remove tmp file + echo "$0: .local.sh is up-to-date." + rm $VERBOSE $BASEDIR/tmp + fi + fi +} + +write_image() +{ + # Is enough space there? + echo "$0: $SIZE_FREE - $SIZE_TARGET - $STICK_START ($FILE)" + if test $SIZE_FREE -gt $SIZE_TARGET; then + # Remove any existing loop-devices + losetup -d /dev/loop12 > /dev/null 2>&1 + losetup -d /dev/loop11 > /dev/null 2>&1 + # Enough space there, so let's copy FILE into STICK_DEVICE + echo "$0: Setting up loop-device... (Offset=$STICK_START,Dev=$DEVICE)" + losetup -o $STICK_START /dev/loop11 $DEVICE + echo "$0: Writing image ... ($SIZE_TARGET Bytes)" + dd if=$FILE of=/dev/loop11 bs=1 count=$SIZE_TARGET $CONVERT > /dev/null 2>&1 + echo "$0: Verifying ... " + dd if=/dev/loop11 of=$BASEDIR/verify.img bs=1 count=$SIZE_TARGET $CONVERT > /dev/null 2>&1 + M1=`md5sum -b $BASEDIR/verify.img | cut -c -32` + M2=`md5sum -b $FILE | cut -c -32` + if test "$M1" != "$M2"; then + echo "$0: Failed! Aborting here... ($M1/$M2)" + exit 6 + else + echo "$0: MD5 checksums matches." + fi + # Remove verify.img + rm $VERBOSE $BASEDIR/verify.img + # Testing it... + echo "$0: Will now test the written image." + echo -n "$0: Enter $user's " + losetup -e $CIPHER -K $BASEDIR/setup/keys/$user-$MULTI_KEY_SUFFIX /dev/loop12 /dev/loop11 || exit 1 + #losetup -a + mount -t $FS_STICK /dev/loop12 $BASEDIR/keys || exit 1 + # Copy the seed to the stick/image + cp $VERBOSE $BASEDIR/.seed $BASEDIR/keys + echo "$0: Free space: `df | grep /dev/loop12 | awk '{print $4}'` kByte" + mount | grep /dev/loop12 + umount /dev/loop12 + sync + SIZE_MD5="$(($SIZE_TARGET-1024))" + echo -n "$0: Generating new MD5... (first $SIZE_MD5 Bytes) " + dd if=/dev/loop12 bs=1 count=$SIZE_MD5 > $BASEDIR/md5.img 2>/dev/null + MD5=`md5sum -b $BASEDIR/md5.img` + echo -n `basename $FILE` >> $BASEDIR/initrd/.md5sums + echo -n " " >> $BASEDIR/initrd/.md5sums + echo $MD5 | cut -c -32 >> $BASEDIR/initrd/.md5sums + echo "done" + rm $VERBOSE $BASEDIR/md5.img + losetup -d /dev/loop12 + losetup -d /dev/loop11 + umount /dev/loop13 > /dev/null 2>&1 + losetup -d /dev/loop13 > /dev/null 2>&1 + echo "$0: Test is PASSED. (MD5=`echo $MD5 | cut -c -32`)" + # Prepare master image which holds the .seed and .pass files + echo "$0: Preparing master-image on $BOOT_MOUNT ($BOOT_DEVICE)... " + mkdir --parents $VERBOSE $BOOT_MOUNT + umount $BOOT_DEVICE + mount $BOOT_DEVICE $BOOT_MOUNT + if test "$user" == "$MASTER_USER"; then + # Create master image on first user + MASTER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1` + MASTER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1` + dd if=/dev/zero of=$BOOT_MOUNT/master.img bs=1k count=2048 > /dev/null 2>&1 + echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 $BOOT_MOUNT/master.img || exit 2 + mkfs -t $FS_STICK -b 1024 /dev/loop13 > /dev/null 2>&1 + echo $MASTER_SEED > $BASEDIR/.seed_master + echo $MASTER_PASS > $BASEDIR/.pass_master + cp $VERBOSE $BASEDIR/.????_master $BASEDIR/initrd/ + else + MASTER_SEED=`cat $BASEDIR/.seed_master` + MASTER_PASS=`cat $BASEDIR/.pass_master` + echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 $BOOT_MOUNT/master.img || exit 2 + fi + mount /dev/loop13 $BASEDIR/initrd/mnt/stick + echo "START2=$START2" > $BASEDIR/initrd/mnt/stick/.start2_$user.sh + chmod -c u+x,go-rwx $BASEDIR/initrd/mnt/stick/.start2_$user.sh + echo "$0: done" + # Prepare second partition which holds the secret key + echo "$0: Preparing 2nd part. on $DEVICE... " + USER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1` + USER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1` + losetup -o $START2 /dev/loop12 "$DEVICE" + echo $USER_PASS | losetup -p 0 -S $USER_SEED -C $ITER -e $CIPHER /dev/loop11 /dev/loop12 + dd if=/dev/zero of=/dev/loop11 bs=1k count=1024 > /dev/null 2>&1 + mkfs -t $FS_STICK -b 1024 /dev/loop11 || exit 1 + mount /dev/loop11 $BASEDIR/secrets || exit 1 + gpg --export-secret-keys -a "$user" > $BASEDIR/secrets/$user-secret.gpg + umount /dev/loop11 + losetup -d /dev/loop11 + losetup -d /dev/loop12 + echo $USER_SEED > $BASEDIR/initrd/mnt/stick/.seed_$user + echo $USER_PASS > $BASEDIR/initrd/mnt/stick/.pass_$user + umount /dev/loop13 + losetup -d /dev/loop13 + echo "$0: done" + else + # SIZE_TARGET is small than SIZE_FREE! + echo "$0: Image is bigger than allocated space!" + exit 4 + fi +} diff --git a/encrypt/initrd.sh b/encrypt/initrd.sh new file mode 100755 index 0000000..f846b8b --- /dev/null +++ b/encrypt/initrd.sh @@ -0,0 +1,198 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Create initrd-image # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +. ./.settings.sh || exit 3 + +if test -e $MULTI_KEY; then + echo "$0: Keyfile found." + else + echo "$0: Keyfile not found! Run gen.sh first." + exit 2 +fi + +if ! test -e $BOOT_MOUNT; then + echo "$0: Please run asset.sh first!" + exit 2 +fi + +echo "$0: Stage 1 - Unmounting old devices ..." +umount $INITRD_LOOP +losetup -d $INITRD_LOOP +umount $BOOT_DEVICE +mount $BOOT_DEVICE $BOOT_MOUNT +echo "$0: Stage 2 - done." + +if ! test -e $BOOT_MOUNT/initrd && ! test -e $BOOT_MOUNT/initrd.gz; then + echo "$0: Stage 2 - Setting up initrd with e2fs ..." + head -c 8m /dev/zero > $BOOT_MOUNT/initrd + mke2fs -F -m0 -b 1024 -L "SLP 0.4a" $VERBOSE $BOOT_MOUNT/initrd + mkdir $VERBOSE $BASEDIR/initrd + CHK_LOOP="0" + echo "$0: Stage 2 - done." +else + if test -e $BOOT_MOINT/initrd.gz; then + echo "$0: Stage 2 - Uncompressing initrd.gz ..." + gunzip $VERBOSE + echo "$0: Stage 2 - done." + else + echo "$0: Stage 2 - skipped (me2fs)." + fi +fi + +echo "$0: Stage 3 - Setting up loop-device ..." +losetup $INITRD_LOOP $BOOT_MOUNT/initrd +echo "$0: Stage 3 - done." + +if test "$CHK_LOOP" == "1"; then + echo "$0: Stage 4 - Checking fs on initrd ..." + e2fsck -pv $INITRD_LOOP + echo "$0: Stage 4 - done" +else + echo "$0: Stage 4 - skipped (e2fsck)." +fi + +echo "$0: Stage 5 - Initializing initrd & copy process ..." +mkdir $VERBOSE $BASEDIR/initrd +mount $INITRD_LOOP $BASEDIR/initrd +cp $VERBOSE $BASEDIR/.stick_seed $BASEDIR/initrd/.seed +cd $BASEDIR/initrd +echo "$0: Stage 5 - done." + +echo "$0: Stage 6 - Creating directories ..." +mkdir $VERBOSE -p {bin,dev,lib,$MNT/{$KEYS_DIR,new-root,boot,stick,stick2},usr/{bin,sbin,lib},proc,sbin} || exit 2 +echo "$0: Stage 6 - done." + +echo "$0: Stage 7 - Copying device files ..." +cp $VERBOSE $UPDATE -a /dev/{console,hd{a*,b*,c*,d*},tty,null,sda,urandom,md?} dev || exit 2 +echo "$0: Stage 7 - done." + +echo "$0: Stage 8 - Copying programs ..." +cp $VERBOSE $UPDATE `which mount sh umount cat sleep sync dd uname grep sed mknod ln ls` /sbin/{modprobe*,depmod*} bin || exit 2 +cp $VERBOSE $UPDATE `which losetup pivot_root insmod insmod.modutils mkswap swapon swapoff mdadm mdrun fsck fsck.ext2 fsck.ext2 mdrun mdadmin` sbin || exit 2 +cp $VERBOSE $UPDATE `which chroot` usr/sbin || exit 2 +cp $VERBOSE $UPDATE `which test md5sum cut gpg tail uuencode` usr/bin || exit 2 +echo "$0: Stage 8 - done." + +echo "$0: Stage 9 - Copying libraries ..." +cp $VERBOSE $UPDATE -a /lib/lib{usb-0.1.so.4*,readline.so.5*,bz2.so*,resolv*,uuid.so.1*,ncurses.so.2.5.4,ld-2.3.6.so,c-2.3.6.so,c.so.6,blkid.so.1*,selinux.so.1,sepol.so.1,m-2.3.2.so,m.so.6,rt*,ext2fs.so.2*,pthread*,acl.so.1*,attr.so.1*,se*} lib || exit 2 +cp $VERBOSE $UPDATE -a /usr/lib{libz.so*} usr/lib || exit 2 +cp $VERBOSE $UPDATE -a /lib/ lib/ || exit 2 +echo "$0: Stage 9 - done." + +# Copy our scripts +echo "$0: Stage 10 - Copying SLP scripts and stick-secret.gpg ..." +cp $VERBOSE $UPDATE $BASEDIR/setup/keys/stick-secret.gpg $BASEDIR/{source/{decrypt.sh,linuxrc,swap.sh},.local.sh} $BASEDIR/initrd || exit 2 +mkdir --parents --$VERBOSE $BASEDIR/initrd/lib/modules/$KERN_VER/ || exit 2 +cp $VERBOSE $UPDATE $BASEDIR/source/lib/modules/$KERN_VER/loop.* $BASEDIR/initrd/lib/modules/$KERN_VER/ || exit 2 +echo "$0: Stage 10 - done." + +# Prepare directories for gpg +echo "$0: Stage 11 - Preparing .gnupg ..." +mkdir --parents $VERBOSE $BASEDIR/initrd/root/.gnupg +echo "$0: Stage 11 - done." + +# Create lots of loop-back devices (we need loop-aes compiled with "max_loop = 8" here!) +echo "$0: Stage 12 - Creating loop-devices ..." +for idx in `seq 0 16`; do + if ! test -e "dev/loop$idx"; then + mknod --mode=660 "dev/loop$idx" b 7 $idx + fi +done +echo "$0: Stage 12 - done." + +echo "$0: Stage 13 - Setting symbolic links ..." +cd lib +ln $VERBOSE -sf ld-2.3.6.so ld-linux.so.2 || exit 2 +ln $VERBOSE -sf libdl-2.3.6 libdl.so.2 || exit 2 +ln $VERBOSE -sf libncurses.so.2.5.4 libncurses.so.5 || exit 2 +cd ../sbin +ln $VERBOSE -sf /linuxrc init +cd ../root +# To prevent filling up the initrd while development +ln $VERBOSE -sf /dev/null .bash_history || exit 2 +cd ../bin +ln $VERBOSE -sf sh bash || exit 2 +cd .. +echo "$0: Stage 13 - done." + +if test -e "/boot/vmlinuz-$KERN_VER"; then + if test -e "/boot/System.map-$KERN_VER"; then + echo "$0: Stage 14 - Copying kernel/System.map ..." + KERN_FOUND="1" + cp $VERBOSE $UPDATE "/boot/vmlinuz-$KERN_VER" "/boot/System.map-$KERN_VER" $BOOT_MOUNT/ || exit 2 + echo "$0: Stage 14 - done." + else + echo "$0: Stage 14 - No System.map found for version $KERN_VER." + fi +else + echo "$0: Stage 14 -No kernel found for version $KERN_VER." +fi + +if test "$KERN_FOUND" == "0"; then + if test -e "/usr/src/linux-$KERN_VER"; then + cd "/usr/src/linux-$KERN_VER" + make menuconfig + if test -e .config; then + # Build kernel and modules and install them + make dep bzImage modules modules_install || exit 1 + # Copy kernel/System.map to initrd + echo "$0: Stage 14 - Copying compiled kernel/System.amp ..." + cp $VERBOSE System.map $BOOT_MOUNT/System.map-$KERN_VER || exit 2 + cp $VERBOSE arch/i386/boot/bzImage $BOOT_MOUNT/vmlinuz-$KERN_VER || exit 2 + echo "$0: Stage 14 - done." + else + echo "FAILED: Compilation of kernel v$KERN_VER" + exit 2 + fi + else + echo "FAILED: Cannot find build-directory /usr/src/linux-$KERN_VER!" + exit 2 + fi +fi + +# Copy RAID modules to initrd +echo "$0: Stage 15 - Copying kernel modules ..." +cp $VERBOSE --parents /lib/modules/$KERN_VER/kernel/drivers/md/{raid5,xor,md}.* $BASEDIR/initrd/ || exit 2 +if test -e "/usr/src/modules/loop-aes/"; then + # Install loop-aes module + cd /usr/src/modules/loop-aes/ + # Build loop-aes and install it + make clean all install || exit 1 + # Generate path on initrd + mkdir $VERBOSE $BASEDIR/initrd/lib/modules/$KERN_BER/{kernel/block,block} || exit 2 + if test -e "loop.ko"; then + # Kernel version >= 2.6.* + cp loop.ko $BASEDIR/initrd/lib/modules/$KERN_BER/block/ || exit 2 + else + # Kernel version <= 2.4.* + cp loop.o $BASEDIR/initrd/lib/modules/$KERN_BER/block/ || exit 2 + fi +else + # Copy legacy loop.o + cp $VERBOSE --parents /lib/modules/$KERN_VER/kernel/driversblock/loop.o $BASEDIR/initrd || exit 2 +fi +cd $BASEDIR +echo "$0: Stage 15 - done." + +if test "$UMOUNT_INITRD" == "1"; then + echo "$0: Removing initrd and loop ..." + cd .. + umount $INITRD_LOOP + losetup -d $INITRD_LOOP +fi + +echo +echo "All done now." +echo +echo "You may want to execute cpio.sh to copy all your data to the encrypted" +echo "disk in $BASEDIR/root." diff --git a/encrypt/lilo.conf b/encrypt/lilo.conf new file mode 100644 index 0000000..929607d --- /dev/null +++ b/encrypt/lilo.conf @@ -0,0 +1,16 @@ +lba32 +boot=/dev/hda +root=/dev/ram0 +map=/boot/map +delay=200 +timeout=100 +prompt +vga=extended +menu-title=" Quix0r's Computer " + +default=Linux + +image=/boot/vmlinuz-2.4.32 + label=Linux + initrd=/boot/initrd.gz + append="root=/dev/ram0 init=/linuxrc rw ramdisk_size=5120" diff --git a/encrypt/lilo.sample b/encrypt/lilo.sample new file mode 100644 index 0000000..e5d1ce7 --- /dev/null +++ b/encrypt/lilo.sample @@ -0,0 +1,17 @@ +lba32 +# Change this matching to your $ASSET_DEVICE! +# And run lilo -v -C lilo.sample to setup your loader +boot=/dev/hda +root=/dev/ram0 +map=/boot/map +delay=200 +timeout=100 +prompt +vga=extended + +default=Linux + +image=/boot/vmlinuz-2.6.13.2 + label=Linux + initrd=/boot/initrd.gz + append="root=/dev/ram0 init=/linuxrc rw" diff --git a/encrypt/search_hdd.sh b/encrypt/search_hdd.sh new file mode 100755 index 0000000..862fe84 --- /dev/null +++ b/encrypt/search_hdd.sh @@ -0,0 +1,72 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: See below # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +# The purpose of this script is to search for lost/deleted scripts (plain text) +# or which you have maybe overwritten by "echo foo>bar" and bar was a very +# important 12600 Bytes long script for you. + +#### Configuration ###### + +# The MEDIUM holding the filesystem where you have deleted/overwritten the +# script. This can also be a partition! E.g. /dev/hda +MEDIUM="" + +# Search string you are looking for. This shall be a string within middle of +# The lost file. It shall be unique so you have beeter search results in first +# run. +SEARCH="" + +# Skipped bytes by dd command +# Enter the value which you get from grep command -2048 here and run this +# script again. +SKIP="" + +# Size in bytes; no exact value here. Give +4096 more for looking around target +# area) +SIZE="" + +# The target file we shall write the found data. This *shall better* be +# an other drive/partition than MEDIUM. Or else maybe some data could be +# overwritten by this command which you also want to restore! +TARGET="" +# Do *always* enter a filename here (like /var/test.sh; where /var/ is mounted +# on other partition as MEDIUM + +# Self-test, you need "grep" and "dd" for this script! +DD=`which dd` +GREP=`which grep` +if test "$DD" == "" || test "$GREP" == ""; then + echo "$0: Self-test failed! Cannot find dd or grep!" + echo + echo "DD = $DD" + echo "GREP = $GREP" +else + echo "$0: Self-test passed." +fi + +if test "$SKIP" != "" && test "$SIZE" != ""; then + # Output data to TARGET + echo -n "$0: Writing $SIZE Bytes to $TARGET... " + dd if=$MEDIUM skip=$SKIP bs=1 count=$SIZE > $TARGET + echo "done" + # Hint: You may have to experiment a little with SIZE and SKIP until + # you find your lost file. But -2048 for SKIP and +4096 for SIZE might + # be a good starting point. +elif test "$SEARCH" != "" && test "$MEDIUM" != ""; then + # Search on MEDIUM for SEARCH. This may take long! + echo "$0: Searching for $SEARCH ... This may take loooong . . ." + grep --text -b $SEARCH $MEDIUM +else + # Please setup me! + echo "$0: You have to setup this script ($0) first!" +fi diff --git a/encrypt/setup-raid.sh b/encrypt/setup-raid.sh new file mode 100755 index 0000000..cec7f0b --- /dev/null +++ b/encrypt/setup-raid.sh @@ -0,0 +1,18 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Setups software RAID. UNFINISHED! # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +. ./.settings.sh || exit 3 + +exit 255 + +mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/hd["bcd"]1 diff --git a/encrypt/sizes.sh b/encrypt/sizes.sh new file mode 100755 index 0000000..df37bd6 --- /dev/null +++ b/encrypt/sizes.sh @@ -0,0 +1,37 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Determines sizes of single files # +# or of a whole bunch of files in a # +# directory # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +if test "$1" == ""; then + echo "$0: No directory provided for scanning!" + exit 6 +fi + +cd / +DIR="$1" +# use only first entry +DIR=`echo $DIR | cut -f 1 -d " "` +echo -n "$0: Reading sizes in /$DIR ... " +SIZES=`find $DIR -exec stat --format="%s" {} \;` +echo "done" +TOTAL=0 + +echo -n "$0: Calculating... " +for si in $SIZES; do + TOTAL="$(($TOTAL + $si))" +done +export TOTAL +echo "done" +echo +echo "Total size: $(($TOTAL/1024/1024/1024)) GByte" diff --git a/encrypt/source/.welcome.msg b/encrypt/source/.welcome.msg new file mode 100644 index 0000000..bf5a32b --- /dev/null +++ b/encrypt/source/.welcome.msg @@ -0,0 +1,4 @@ +Welcome to the Secure Linux Project v0.3a! + +This is a Debian Linux 3.1 system. + diff --git a/encrypt/source/decrypt.sh b/encrypt/source/decrypt.sh new file mode 100755 index 0000000..8ce7143 --- /dev/null +++ b/encrypt/source/decrypt.sh @@ -0,0 +1,247 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Decryption of the root system # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +halt_script() +{ + umount $MOUNT/home + umount $MOUNT + umount $KEYS > /dev/null 2>&1 + losetup -d /dev/loop2 > /dev/null 2>&1 + losetup -d /dev/loop9 > /dev/null 2>&1 + losetup -d /dev/loop8 > /dev/null 2>&1 + losetup -d $STICK_LOOP > /dev/null 2>&1 + losetup -d /dev/loop7 > /dev/null 2>&1 + # Add more todo here! + exit 1 +} + +if ! test -e /proc/version; then + # Mount missing /proc + mount /proc +fi + +if test -e .local.sh; then + . ./.local.sh + if test "$STICK_START" == "xxx"; then + echo "$0: Cannot continue!" + echo "Please run stick.sh first to setup your USB sticks." + exit 3 + fi + else + echo "$0: Settings file .local.sh not found." + echo "Please start the setup process with gen.sh!" + exit 3 +fi + +# Check given gpgkey +if test -e "$STICK_KEY"; then + MD5=`md5sum -b $STICK_KEY | cut -c -32` + if test "$MD5" != "$STICK_MD5"; then + echo "$0: Cannot verify stick key $STICK_KEY!" + exit 4 + fi + else + echo "$0: Cannot find stick-key $STICK_KEY!" + exit 5 +fi + +# Ask for username and passphrase to search on the USB stick for the matching +# and unlock it with the passphrase. But we do this step-by-step. So first +# ask for username +losetup -o $STICK_START /dev/loop8 $STICK_DEVICE || halt_script + +# Remove debug file +rm -f /mounts.lst > /dev/null 2>&1 + +for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 3); TRY++)) do + echo -n "Enter password: " + read -s passw + if test "$passw" != ""; then + # Check partition + fsck -t $STICK_TYPE -p -v $BOOT_DEVICE + + # Mount the boot-partition temporary + mount -t $STICK_TYPE $BOOT_DEVICE /mnt/boot + + # Decrypt the master image which holds the secret keys + MASTER_SEED=`cat /.seed_master` + MASTER_PASS=`cat /.pass_master` + echo $MASTER_PASS | losetup -p 0 -S $MASTER_SEED -C $ITER -e $CIPHER /dev/loop13 /mnt/boot/master.img || halt_script + # "Source" the user's special script which holds the start position + source /mnt/boot/.start2_$1.sh + # Mount the master image read/write to update the seed + mount -t $STICK_TYPE -o ro /dev/loop13 /mnt/stick + # Decrypt the 2nd partition for importing temporarily the user's key + USER_SEED=`cat /mnt/stick/.seed_$1` + USER_PASS=`cat /mnt/stick/.pass_$1` + losetup -o $START2 /dev/loop12 "$STICK_DEVICE" + echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12 + mount -t $STICK_TYPE -o ro /dev/loop11 /mnt/stick2 || halt_script + # Import the secret key + gpg --import < /mnt/stick2/$1-secret.gpg > /dev/null 2>&1 + # Umount and rehash USER_SEED/USER_PASS + umount /mnt/stick2 > /dev/null 2>&1 + losetup -d /dev/loop11 > /dev/null 2>&1 + USER_SEED=`head -c $SEED_LEN $RAND | uuencode -m - | head -2 | tail -1` + USER_PASS=`head -c $PASS_LEN $RAND | uuencode -m - | head -2 | tail -1` + echo $USER_SEED > /mnt/stick/.seed_$1 + echo $USER_PASS > /mnt/stick/.pass_$1 + echo $USER_PASS | losetup -p 0 -S $USER_SEED -c $ITER -e $CIPHER /dev/loop11 /dev/loop12 + mkfs -t $STICK_TYPE -b 1024 /dev/loop11 + mount -t $STICK_TYPE /dev/loop11 /mnt/stick2 + gpg --export-secret-keys -a "$1" > /mnt/stick2/$1-secret.gpg + umount /mnt/stick2 + losetup -d /dev/loop11 + + # Remove last loop-devices + losetup -d /dev/loop12 > /dev/null 2>&1 + umount /mnt/stick > /dev/null 2>&1 + losetup -d /dev/loop13 > /dev/null 2>&1 + umount /mnt/boot > /dev/null 2>&1 + + # Decrypt the stick now to access the key for decrypting the asset + echo $passw | losetup -e $CIPHER -K $STICK_KEY -p 0 -G /root/.gnupg /dev/loop2 /dev/loop8 + STATUS="$?" + if test "$STATUS" == "0"; then + # mount >> /mounts.lst + STICK_WARNING=false + fsck -t $STICK_TYPE -p -v /dev/loop2 > /stick.msg 2>&1 + STATUS="$?" + if test "$STATUS" != "0"; then + # Hold a warning message + STICK_WARING=true + fi + mount -t $STICK_TYPE /dev/loop2 $KEYS > /dev/null 2>&1 + if test "$?" == "0"; then + # Check if key exists + FAILED="1" + if test -e "$KEYS/$1-secret.gpg"; then + MD5=`md5sum -b $KEYS/$1-secret.gpg | cut -c -32` + for m5 in $MD5SUMS; do + if test "$m5" == "$MD5"; then + # It does exist so stop searching for it + echo "Accepted." + FAILED="0" + break + fi + done + + if test "$FAILED" == "1"; then + # MD5 sums differ + echo "failed!" + echo + echo "$0: Sorry, cannot verify keyfile! Fatal error." + halt_script + fi + else + # Keyfile not found! :-( + echo "failed!" + echo + echo "$0: Sorry, invalid user $1!" + USER="" + fi + else + echo "failed!" + halt_script + fi + if ! test STICK_WARNING; then + echo "$0: WARNING: The stick-fs was bad or not unmounted before! ($STATUS)" + cat /stick.msg + echo "Press RETURN to continue or CTRL-C to enter rescue console..." + read -s dummy || halt_script + fi + rm -f /stick.msg > /dev/null 2>&1 + else + echo "Wrong password! (Attempts left: $((3 - $TRY)))" + fi + else + echo "No password given!" + TRY=$(($TRY-1)) + fi +done + +if [ $FAILED -ne 0 ]; then + echo "$0: Sorry, you get only three attempts to guess the password." + halt_script +fi + +if test "$FAILED" == "0"; then + # The key seems to be not changed so let's decrypt the asset + echo "$0: Stage 1 - Decrypting asset..." + echo $passw | losetup -e $CIPHER -p 0 -K "$KEYS/$1-secret.gpg" -G /root/.gnupg /dev/loop7 $ASSET || halt_script > /dev/null 2>&1 + echo "$0: Stage 1 - done." + + # Prepare all loop devices + umount $MOUNT + losetup -d /dev/loop10 > /dev/null 2>&1 + losetup -d /dev/loop3 > /dev/null 2>&1 + losetup -d /dev/loop4 > /dev/null 2>&1 + + # Setup the root and data "partition" + echo "$0: Stage 2 - Faking partitions (root=8,base-swap=3,base=7) ..." + losetup -o $ROOT_OFFSET /dev/loop10 /dev/loop7 || halt_script + losetup -o $SWAP_OFFSET /dev/loop3 /dev/loop7 || halt_script + echo "$0: Stage 2 - done." + + # Mount devices + # mount >> /mounts.lst + echo "$0: Stage 3 - Checking root-fs (this could take loooong)..." + fsck -t $ROOT_TYPE -p -v /dev/loop10 > /fsck.log 2>&1 + if test "$?" != "0"; then + cat /fsck.log + echo "Press RETURN to continue or CTRL+C to enter rescue console..." + read -s dummy || /bin/sh + fi + rm -f /fsck.log > /dev/null 2>&1 + echo "$0: Stage 3 - done." + + echo "$0: Stage 4 - Mounting root-fs ..." + mount /dev/loop10 $MOUNT > /dev/null 2>&1 + echo "$0: Stage 4 - done." + + echo "$0: Stage 5 - Preparing DATA filesystem ..." + if test -e "/.raid_cfg.sh"; then + # Run RAID setup script (no "exit" command there!) + source raid.sh $1 $passw + # Something which you can use but not /home! + losetup -o $DATA_OFFSET /dev/loop5 /dev/loop7 > /dev/null 2>&1 + else + # /home without RAID + losetup -o $DATA_OFFSET /dev/loop9 /dev/loop7 > /dev/null 2>&1 + fi + echo "$0: Stage 5 - done." + + # Remove the key with loop device + echo "$0: Stage 6 - Removing USB stick ..." + umount $KEYS + losetup -d /dev/loop2 + losetup -d /dev/loop8 + echo "$0: Stage 6 - done." + + # Mount DATA (mostly /home) + # mount >> /mounts.lst + echo "$0: Stage 7 - Checking filesystem on DATA ..." + fsck -t $DATA_TYPE -p -v /dev/loop9 > /dev/null 2>&1 + echo "$0: Stage 7 - done." + + echo "$0: Stage 8 - Mounting filesystem on DATA ..." + mount -t $DATA_TYPE /dev/loop9 $MOUNT/home/ > /dev/null 2>&1 + echo "$0: Stage 8 - done." + + # Run swap.sh (DO NOT USE exit THERE!) + echo "$0: Stage 9 - Activating swap space ..." + source swap.sh $1 + echo "$0: Stage 9 - done." +else + halt_script +fi diff --git a/encrypt/source/etc/fstab b/encrypt/source/etc/fstab new file mode 100644 index 0000000..aefd5c7 --- /dev/null +++ b/encrypt/source/etc/fstab @@ -0,0 +1,9 @@ +proc /proc proc defaults 0 0 +pts /dev/pts devpts mode=662 0 0 +usbdev /proc/bus/usb usbdevfs defaults 0 0 + +/dev/loop1 / ext3 defaults 0 0 +/dev/loop2 /home ext3 defaults 0 0 +/dev/hda1 /boot ext2 defaults 0 1 + +/dev/loop4 none swap sw 0 0 diff --git a/encrypt/source/etc/init.d/swap.sh b/encrypt/source/etc/init.d/swap.sh new file mode 100755 index 0000000..2ba517b --- /dev/null +++ b/encrypt/source/etc/init.d/swap.sh @@ -0,0 +1,95 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Activate randomizly created swap # +# device # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## +# +# NOTE: THE REAL AUTHOR OF THIS SCRIPT IS SOMEONE ELSE! +# +# If you are the one then please feel free to contact me and I will +# add your name+email in the copyright note above +# +# Run this script somewhere in your startup scripts _after_ random +# number generator has been initialized and /usr has been mounted. +# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/) +# +# Highly extended and prepared for SYSVINIT scripts by Roland Haeder +# + +function no_swap() +{ + echo "$0: No .local.sh detected. Please start setting up your encrypted" + echo "$0: system with gen.sh." +} + +[ -c /dev/urandom ] || exit 0 +. /lib/init/vars.sh +. /lib/lsb/init-functions +. /.local.sh || no_swap + +# encrypted swap partition +SWAPDEVICE="/dev/hdc2" + +# loop device name +LOOPDEV="/dev/loop8" + +# Blocksize for filling devices with zeros +ZERO_BSIZE="4k" + +# Number of above blocks for the zeros +ZERO_COUNT=3`echo $RANDOM | cut -c -2` + +# Special options of above stuff +ZERO_OPTS="conv=notrunc" + +# Length of the salt for password +SALT_LEN="18" + +case "$1" in + start) + [ "$VERBOSE" = no ] || log_action_begin_msg "Initializing encrypted swap partition $SWAPDEVICE ..." + MD=`dd if=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT 2>/dev/null | md5sum | cut -c-32` + for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do + dd if=/dev/zero of=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null + sync + done + UR=`dd if=/dev/urandom bs=$SALT_LEN count=1 2>/dev/null | uuencode -m - | head -n 2 | tail -n 1` + echo ${MD}${UR} | losetup -p 0 -C $ITER -e $CIPHER ${LOOPDEV} ${SWAPDEVICE} + MD= + UR= + dd if=/dev/zero of=${LOOPDEV} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null + [ "$VERBOSE" = no ] || log_action_end_msg 0 + sync + mkswap ${LOOPDEV} + sync + swapon ${LOOPDEV} + ;; + + stop) + # Remove all swap spaces and our loop device + [ "$VERBOSE" = no ] || log_action_begin_msg "Removing encrypted swapspace ..." + swapoff $LOOPDEV + losetup -d $LOOPDEV >/dev/null 2>&1 + [ "$VERBOSE" = no ] || log_action_end_msg 0 + ;; + + restart|reload|force-reload) + $0 stop + $0 start + ;; + + *) + echo "Usage: $0 {start|stop|reload|restart|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/encrypt/source/etc/ld.so.conf b/encrypt/source/etc/ld.so.conf new file mode 100644 index 0000000..e69de29 diff --git a/encrypt/source/linuxrc b/encrypt/source/linuxrc new file mode 100755 index 0000000..c951f55 --- /dev/null +++ b/encrypt/source/linuxrc @@ -0,0 +1,39 @@ +#!/bin/sh + +# /proc einbinden +mount /proc + +# insmod all modules +/sbin/modprobe -akv loop > /dev/null 2>&1 +/sbin/modprobe -akv md > /dev/null 2>&1 +/sbin/modprobe -akv xor > /dev/null 2>&1 +/sbin/modprobe -akv raid5 > /dev/null 2>&1 +/sbin/modprobe -akv unix > /dev/null 2>&1 + +# Sleep a little to wait for all output +/bin/sleep 3 + +# Output welcome message +cat /.welcome.msg + +# Ask for username +USER="" +while test "$USER" == ""; do + echo "Please supply a username to continue:" + read USER + if test "$USER" != ""; then + source decrypt.sh $USER + fi +done + +# Remove /proc +umount /proc + +# Pivot to the asset's root file system +echo "$0: Final stage - Booting original Linux system ..." +cd $MOUNT +/sbin/pivot_root . initrd + +# Pass control to init +shift 1 +exec chroot . /sbin/init $* dev/console 2>&1 diff --git a/encrypt/source/raid.sh b/encrypt/source/raid.sh new file mode 100755 index 0000000..4419190 --- /dev/null +++ b/encrypt/source/raid.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +source /.local.sh +source /.raid_cfg.sh + +/sbin/mdrun +if test "$?" == "0"; then + echo "$0: Decrypting RAID array..." + echo "$2" | losetup -e $CIPHER -p 0 -K "$KEYS/$1-secret.gpg" -G /root/.gnupg /dev/loop9 $RAID_DEV + echo "$0: done ($?)" +fi diff --git a/encrypt/source/remove.sh b/encrypt/source/remove.sh new file mode 100755 index 0000000..18c3e7d --- /dev/null +++ b/encrypt/source/remove.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +source /.local.sh +source /.raid_cfg.sh + +umount $MOUNT/home +mdadm --manage $RAID_DEV --stop +umount $MOUNT +umount $KEYS +losetup -d /dev/loop10 +losetup -d /dev/loop9 +losetup -d /dev/loop2 +losetup -d /dev/loop8 +losetup -d /dev/loop5 +swapoff -av +losetup -d /dev/loop4 +losetup -d /dev/loop3 +losetup -d /dev/loop7 +umount /proc diff --git a/encrypt/source/swap.sh b/encrypt/source/swap.sh new file mode 100755 index 0000000..2619f45 --- /dev/null +++ b/encrypt/source/swap.sh @@ -0,0 +1,49 @@ +#!/bin/sh + +source /.local.sh + +ZEROS="$SWAP_SIZE" +SWAP_SIZE="$(($SWAP_SIZE*1024))" +VERIFY="$(($SWAP_OFFSET+$SWAP_SIZE))" +VERIFY="$(($ROOT_OFFSET-$VERIFY))" + +if test "$VERIFY" != "12288"; then + echo "$0: Failed verification: $VERIFY!=12288. No swap space available!" +else + # encrypted swap partition + SWAPDEVICE="/dev/loop3" + + # loop device name + LOOPDEV="/dev/loop4" + + # Blocksize for filling devices with zeros + ZERO_BSIZE="4k" + + # Number of above blocks for the zeros + ZERO_COUNT=3`echo $RANDOM | cut -c -2` + + # Special options of above stuff + ZERO_OPTS="conv=notrunc" + + # Length of the salt for password + SALT_LEN="18" + + echo "$0: Initializing encrypted swap partition $SWAPDEVICE ..." + MD=`dd if=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT 2>/dev/null | md5sum | cut -c-32` + for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do + dd if=/dev/zero of=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null + sync + done + UR=`dd if=/dev/urandom bs=$SALT_LEN count=1 2>/dev/null | uuencode -m - | head -n 2 | tail -n 1` 2>/dev/null + echo "$0: Preparing ${LOOPDEV}..." + echo ${MD}${UR} | losetup -p 0 -C $ITER -e $CIPHER ${LOOPDEV} ${SWAPDEVICE} + MD= + UR= + dd if=/dev/zero of=${LOOPDEV} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null + sync + echo "$0: Creating swap space ..." + mkswap -fc ${LOOPDEV} $SWAP_SIZE || exit 1 + sync + echo "$0: Activating swap space ..." + swapon ${LOOPDEV} || exit 1 +fi diff --git a/encrypt/stick.sh b/encrypt/stick.sh new file mode 100755 index 0000000..a37cc7d --- /dev/null +++ b/encrypt/stick.sh @@ -0,0 +1,194 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Creates the USB sticks and makes # +# *binary* backups of your old once # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +. ./.settings.sh || exit 3 + +if test -b $STICK_DEVICE; then + # Stick is a real device + echo "WARNING! REAL DEVICE $STICK_DEVICE ENTERED! PLEASE MAKE BACKUP BEFORE CONTINUE!" + echo "Please insert first stick now ($MASTER_USER) before continue." + echo + echo "Press RETURN to continue or CTRL+C to abort here." + read dummy + DEVICE="$STICK_DEVICE" + echo -n "$0: Preparing backups... " + BACKUP="$BASEDIR/backups/" + mkdir $BACKUP > /dev/null 2>&1 + for user in $USERS; do + mkdir $BACKUP/$user > /dev/null 2>&1 + done + echo "done" + else + # Stick is an image + DEVICE=/dev/loop5 + losetup -d /dev/loop6 > /dev/null 2>&1 + losetup -d $DEVICE > /dev/null 2>&1 + if test -e $STICK_DEVICE; then + # Use existing image + echo "$0: Using image $STICK_DEVICE." + losetup $DEVICE $STICK_DEVICE + else + if test $STICK_SIZE -gt 0; then + # Create image + echo "$0: Creating testing image $STICK_DEVICE." + dd if=/dev/zero of=$STICK_DEVICE bs=1k count=$STICK_SIZE + losetup $DEVICE $STICK_DEVICE + else + # Invalid size / cannot detect! + echo "$0: Please provide a size for image $STICK_DEVICE!" + exit 3 + fi + fi +fi + +# Clean an existing .md5sums file +if test ! -e "$BASEDIR/initrd/.md5sums"; then + echo -n "" > $BASEDIR/initrd/.md5sums +else + mv $BASEDIR/initrd/.md5sums $BASEDIR/.md5sums +fi + +if test -b $STICK_DEVICE; then + if test ! -e "$BASEDIR/.backuped"; then + # Now let's setup all sticks + echo "$0: Will now do a binary backup of your sticks." + for user in $USERS; do + rmmod usb-storage > /dev/null 2>&1 + echo "Please insert USB stick for $user and press RETURN to continue." + read dummy + insmod -kv $USB_STORAGE delay_use=0 > /dev/null 2>&1 + sleep 1 + for ((FAILED=1, TRY=1; ($FAILED != 0) && (TRY <= 15); TRY++)) do + # Auto-detect size here + SSIZE=`fdisk -s $DEVICE` + # DEBUG: echo "Code=$? (Size=$(($SSIZE/1024)) MB)" + if test "$?" == "0"; then + FAILED=0 + fi + sleep 1 + done + if test "$FAILED" == "0"; then + echo -n "$0: Binary backup of $DEVICE for $user... " + dd if=$DEVICE of=$BACKUP/$user/stick.img bs=1k count=$SSIZE $CONVERT > /dev/null 2>&1 + CODE="$?" + if test "$CODE" == "0"; then + echo "done" + echo -n "$0: Compressing... " + bzip2 -9f $BACKUP/$user/stick.img >/dev/null 2>&1 + echo "done" + else + echo "failed. (Code=$CODE)" + exit 6 + fi + else + echo "$0: Too many attemnts to read from $DEVICE!" + exit 5 + fi + done + echo "$0: Binary backup complete." + echo -n "" > "$BASEDIR/.backuped" + fi + + echo "$0: Running make_part() on all sticks now." + for user in $USERS; do + if test ! -e "$BASEDIR/.stick_$user"; then + # Create filename for the image + FILE="$BASEDIR/setup/images/key-$user.img" + + rmmod usb-storage > /dev/null 2>&1 + echo "Please insert USB stick for $user and press RETURN to continue." + echo + echo "WARNING! You will loose data after this point!" + read dummy + insmod $USB_STORAGE delay_use=0 > /dev/null 2>&1 + for ((FAILED=1, TRY=1; ($FAILED != 0) && ($TRY <= 15); TRY++)) do + # Auto-detect size here + #echo "$0: Scanning..." + SSIZE=`fdisk -s $DEVICE` + CODE="$?" + #echo "$0: Code=$CODE" + if test "$CODE" == "0"; then + FAILED=0 + break + fi + #echo "$0: Sleeping..." + sleep 1 + done + + if test "$FAILED" == "0"; then + echo "$0: Slept $TRY seconds." + # Total size for the parted command (again) + SIZE="$(($SSIZE/1024))" + SIZE_TARGET=`stat --format="%s" $FILE` + + # Continue with creating new partitions... + echo "$0: Creating partition on $DEVICE..." + make_part + analyse_stick + + # Write image + write_image + else + echo "$0: Too many attemnts to read from $DEVICE!" + exit 5 + fi + echo -n "" > "$BASEDIR/.stick_$user" + else + echo "$0: Skipping stick for $user." + fi + done + + # Do we need to update STICK_START? + if test "$STICK_START" == "xxx"; then + echo "$0: Fatal error. Please remove one of the .stick_user files to setup STICK_START!" + exit 2 + fi + else + # Total size for the parted command + SIZE="$(($SSIZE/1024))" + + # For testing purposes only first user + echo "$0: Using $MASTER_USER for testing." + + # Create "partitions" on the image + make_part + + # Analyse the stick + analyse_stick + + # Set user for the first user + user="$MASTER_USER" + + # Create filename for the image + FILE="$BASEDIR/setup/images/key-$user.img" + + # Use MASTER_USER for testing purposes + echo "$0: Using image $FILE." + SIZE_TARGET=`stat --format="%s" $FILE` + + # Write image now + write_image +fi + +if test -e "$BASEDIR/.md5sums"; then + cat $BASEDIR/.md5sums $BASEDIR/initrd/.md5sums >> $BASEDIR/.dummy + rm $VERBOSE $BASEDIR/.md5sums + mv $VERBOSE $BASEDIR/.dummy $BASEDIR/initrd/.md5sums +fi + +# Creating image/stick now completed +echo +echo "$0: All done now." +echo +echo "Now it's time for executing finish.sh to finish setup." diff --git a/encrypt/swap.sh b/encrypt/swap.sh new file mode 100755 index 0000000..2619f45 --- /dev/null +++ b/encrypt/swap.sh @@ -0,0 +1,49 @@ +#!/bin/sh + +source /.local.sh + +ZEROS="$SWAP_SIZE" +SWAP_SIZE="$(($SWAP_SIZE*1024))" +VERIFY="$(($SWAP_OFFSET+$SWAP_SIZE))" +VERIFY="$(($ROOT_OFFSET-$VERIFY))" + +if test "$VERIFY" != "12288"; then + echo "$0: Failed verification: $VERIFY!=12288. No swap space available!" +else + # encrypted swap partition + SWAPDEVICE="/dev/loop3" + + # loop device name + LOOPDEV="/dev/loop4" + + # Blocksize for filling devices with zeros + ZERO_BSIZE="4k" + + # Number of above blocks for the zeros + ZERO_COUNT=3`echo $RANDOM | cut -c -2` + + # Special options of above stuff + ZERO_OPTS="conv=notrunc" + + # Length of the salt for password + SALT_LEN="18" + + echo "$0: Initializing encrypted swap partition $SWAPDEVICE ..." + MD=`dd if=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT 2>/dev/null | md5sum | cut -c-32` + for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do + dd if=/dev/zero of=${SWAPDEVICE} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null + sync + done + UR=`dd if=/dev/urandom bs=$SALT_LEN count=1 2>/dev/null | uuencode -m - | head -n 2 | tail -n 1` 2>/dev/null + echo "$0: Preparing ${LOOPDEV}..." + echo ${MD}${UR} | losetup -p 0 -C $ITER -e $CIPHER ${LOOPDEV} ${SWAPDEVICE} + MD= + UR= + dd if=/dev/zero of=${LOOPDEV} bs=$ZERO_BSIZE count=$ZERO_COUNT $ZERO_OPTS 2>/dev/null + sync + echo "$0: Creating swap space ..." + mkswap -fc ${LOOPDEV} $SWAP_SIZE || exit 1 + sync + echo "$0: Activating swap space ..." + swapon ${LOOPDEV} || exit 1 +fi diff --git a/settings.sh b/settings.sh new file mode 100755 index 0000000..126ddb0 --- /dev/null +++ b/settings.sh @@ -0,0 +1,177 @@ +#!/bin/sh +############################################## +# Script for Secure Linux Project # +# Copyright(c) 2005, 2006 by Roland Haeder # +############################################## +# Purpose: Main configuration file # +############################################## +# This software is licensed under the GNU # +# General Public License Version 2 or either # +# and comes with ABSOLUTELY NO WARRANTY # +# neither implied nor explicit. # +############################################## + +######## Begin general stuff ######## +# 1=Setup mode. If you turn this off, a username will be requested +INSTALL="1" +# Option for cp/mkdir/rm-commands for verbose output +VERBOSE="-v" +# Update switch for cp-command. You can remove this for always copy. +UPDATE="-u" +# Options for the dd-cmmand (CARE!) +CONVERT="" +# Use strict OpenPGP behavior for gpg commands +OPENPGP="--openpgp" +# Length of both seeds (15-25 shall be fine) +SEED_LEN="15" +# 1=Forces cpio.sh to copy all given files/directories without checking sizes +FORCE_CPIO="1" +# Which program shall I take? awk or gawk (last prefered!) +AWK=`which gawk | tail -n 1` +# Does the test go right? +if test "$AWK" == ""; then + echo "$0: Failed! The program gawk was found! We need this program" + echo "$0: to calculate with decimal-dotted values in functions.sh!" + exit 255 +fi +######## End general stuff ######## + +########## Begin gen.sh ########## +BASEDIR="/encrypt" +# For now on this will be setup automatically +ASSET="" +# For testing purposes use an image like this +#ASSET_DEVICE="$BASEDIR/setup/images/asset.img" +# For productive purposes use a "real" device here +ASSET_DEVICE="/dev/hdc" +# For productive purposes use a "real" partition here: +CIPHER="AES256" +KEYS="$BASEDIR/keys" +LOOP_ASSET="/dev/loop1" +LOOP_TEST="/dev/loop2" +# *Exactly* the same name(s) as you entered while gpg --gen-key for comment +USERS="quix0r angei junior" +# The master-key for creating the encrypted filesystem +MASTER="$BASEDIR/setup/keys/masterkey-secret.gpg" +# Additional keys (e.g. for your laptop) The path "BASEDIR/setup/keys" will be added! +EXTRA_KEYS="laptop-secret.gpg videos-secret.gpg home-secret.gpg" +# * 1kByte! No value means scrambling is disabled. A zero (0) together with +# Real device (/dev/hda; /dev/drbd0; etc.) means use shred +#COUNT="$((200*1024))" +COUNT="0" +RAND="/dev/urandom" +# Use openssl or dd for scrambling disc/image? (dd=0, openssl=1) +OPENSSL="1" +# The multi-key for encrypting disc/image +MULTI_KEY="$BASEDIR/setup/keys/userkey-secret.gpg" +# The multi-key for encrypting disc/image +STICK_KEY="$BASEDIR/setup/keys/stick-secret.gpg" +MULTI_KEY_SUFFIX="secret.gpg" +# The first user is the "master" of this system +MASTER_USER=`echo $USERS | awk '{print $1}'` +# 1= Zero LOOP_ASSET after setting up. This will be done in gen.sh +ZERO_ASSET="1" + +########## End gen.sh ############ + +########## Begin initrd.sh ########## +BOOT_MOUNT="$BASEDIR/root/boot" +if test "$UMOUNT_INITRD" == ""; then + # Shall I umount the initrd after creation? + UMOUNT_INITRD="0" +fi +KERN_VER="2.6.8-2-386" +KERN_FOUND="0" # Never set it to 1 here! +INITRD_LOOP="/dev/loop5" +# Check filesystem? (will be overriden after initial creation) +CHK_LOOP="1" +# Relative directory for mouting stick et cetera (to /) +MNT="mnt" +# Relative directory for storing key file(s) and seed (to /MNT) +KEYS_DIR="keys" +########## End initrd.sh ########## + +########## Begin asses.sh ########### +ROOM_PART="12288" # "Zero'ed" room between partitions + +# Filesystems +FS_BOOT="ext2" +FS_ROOT="ext3" +FS_DATA="ext3" +FS_STICK="ext2" + +# Special mount points (e.g. for "data partition") +MP_DATA="$BASEDIR/root/home" + +# Sizes for misc things (I have used a 200 GB HDD) +SIZE_BLOCK="4096" # Size of a block in filesystem +# Size of encrypted swap partition +# GB MB KB +SIZE_SWAP="$(( 2*1024*1024))" # = 2 GB +#SIZE_SWAP="$(( 20*1024))" # = 20 MB +# Size of unencrypted boot partition (for kernel-image, Sytem.map and initrd) +SIZE_BOOT="$(( 8*1024))" # = 8 MB +# Size of encrypted root (/) partition +# GB MB KB +SIZE_ROOT="$((170*1024*1024))" # = 170 GB +#SIZE_ROOT="$(( 110*1024))" # = 100 MB +SIZE_MAX="0" # Will be calculated later! + +# Some extra space which would be left free after second partition +# You have to experiment with this value until it matches! +# You may find out if all disc space is consumed with "cfdisk ASSET_DEVICE" +SIZE_EXTRA="$((1024 * 9 + 231))" + +# Offsets for the losetup command +OFFSET_SWAP="$(($SIZE_BOOT*1024+$ROOM_PART))" +OFFSET_ROOT="$(($OFFSET_SWAP+$SIZE_SWAP*1024+$ROOM_PART))" +OFFSET_DATA="$(($OFFSET_ROOT+$SIZE_ROOT*1024+$ROOM_PART))" + +# This value will be overridden later +BLOCKS_ROOT="0" +# 1= umount asset, 0= keep asset mounted (needed to continue with cpio.sh +UMOUNT_ASSET="0" +# Count of iterations for losetup +ITER="200" + +# Modules needed for booting system +MODULES="loop" + +######## End assest.sh ############# + +# Files and directories which we can to copy with cpio (do not copy all here!) +CPIO_FILES="/home/ /root" + +# The target stick device (for testing place an 4MB image here) +#STICK_DEVICE="$BASEDIR/setup/images/stick.img" +# Change this to your USB stick device! +STICK_DEVICE="/dev/sda" # Please use the testing image above first! +# Size of the USB stick device in 1kBytes (will be overwritten later) +STICK_SIZE="$((256*1024))" +# This size will be used only for creating an image which has the same +# raw size as your USB stick has. So please check the total size of first. +# NOTE: If you want to change this to your real device (/dev/sda e.g.) and +# you already run asset.sh / stick.sh then please run asset.sh again! +# +# Otherwise your stick may take "logical" damage. + +# The FQFN of the usb-storage module, change it to your matching version +USB_STORAGE="/lib/modules/$KERN_VER/kernel/drivers/usb/storage/usb-storage.ko" + +# Is there an additional .local.sh script? (for testing) +LOCAL="0" +if test -e ./.local.sh; then + # Include local configuration file + echo "$0: Loading .local.sh." + . ./.local.sh + LOCAL="1" + elif test -e $BASEDIR; then + # Use existing directory + echo "$0: Using $BASEDIR." + else + # Create base directory (maybe first call?) + mkdir $VERBOSE $BASEDIR +fi + +# Load additional functions +. $BASEDIR/include/functions.sh -- 2.30.2