From 7e7403a7ed36b200d306800cbcedf2c2044588c3 Mon Sep 17 00:00:00 2001
From: khorben
Date: Mon, 15 Jul 2013 00:25:38 +0000
Subject: [PATCH] Common definitions for full-disk encryption support, including the rc script responsible for asking the passphrase and chrooting. wsconsctl is also built and used in case a splash screen is enabled.
---
 distrib/common/cgdroot.rc | 60 ++++++++++++++++++++++++++++++++++++
 distrib/common/list.cgdroot | 10 ++++++
 distrib/common/mtree.cgdroot | 8 +++++
 3 files changed, 78 insertions(+)
 create mode 100644 distrib/common/cgdroot.rc
 create mode 100644 distrib/common/list.cgdroot
 create mode 100644 distrib/common/mtree.cgdroot
diff --git a/distrib/common/cgdroot.rc b/distrib/common/cgdroot.rc
new file mode 100644
index 000000000000..b0cad616d83f
--- /dev/null
+++ b/distrib/common/cgdroot.rc
@@ -0,0 +1,60 @@
+# $NetBSD: cgdroot.rc,v 1.1 2013/07/15 00:25:38 khorben Exp $
+#
+# Copyright (c) 2013 Pierre Pronchery
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+TERM=wsvt25
+export TERM
+HOME=/
+export HOME
+BLOCKSIZE=1k
+export BLOCKSIZE
+EDITOR=ed
+export EDITOR
+
+umask 022
+
+mount -o ro /dev/wd0a /etc/cgd
+if [ $? -ne 0 ]; then
+ echo "Could not mount the boot partition" 1>&2
+ exit 2
+fi
+/sbin/wsconsctl -d -w splash.enable=0 > /dev/null 2>&1
+cgdconfig -C
+if [ $? -ne 0 ]; then
+ echo "Could not decrypt the encrypted volume" 1>&2
+ umount /etc/cgd
+ exit 2
+fi
+mount -o ro /dev/cgd0a /altroot
+if [ $? -ne 0 ]; then
+ echo "Could not mount the root partition" 1>&2
+ cgdconfig -U
+ umount /etc/cgd
+ exit 2
+fi
+umount /etc/cgd
+/sbin/wsconsctl -d -w splash.enable=1 > /dev/null 2>&1
+sysctl -w init.root=/altroot
diff --git a/distrib/common/list.cgdroot b/distrib/common/list.cgdroot
new file mode 100644
index 000000000000..b7eb941689e3
--- /dev/null
+++ b/distrib/common/list.cgdroot
@@ -0,0 +1,10 @@
+# $NetBSD: list.cgdroot,v 1.1 2013/07/15 00:25:38 khorben Exp $
+#
+# list file (c.f. parselist.awk) for cgd full-disk encryption.
+#
+
+PROG sbin/cgdconfig
+PROG sbin/wsconsctl
+LIBS -lcrypto
+
+COPY ${NETBSDSRCDIR}/distrib/common/cgdroot.rc etc/rc
diff --git a/distrib/common/mtree.cgdroot b/distrib/common/mtree.cgdroot
new file mode 100644
index 000000000000..efe03ba8eb0a
--- /dev/null
+++ b/distrib/common/mtree.cgdroot
@@ -0,0 +1,8 @@
+# $NetBSD: mtree.cgdroot,v 1.1 2013/07/15 00:25:38 khorben Exp $
+
+/set type=dir uname=root gname=wheel mode=0755
+
+.
+./altroot
+./etc
+./etc/cgd mode=0700
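Review bot: The final `sysctl -w init.root=/altroot` is the only step in cgdroot.rc whose result is not checked, so if it fails the script still exits 0 with cgd0 configured and /altroot mounted, and init presumably carries on with the ramdisk as the root filesystem rather than taking the `exit 2` path every earlier failure takes. It should unwind like the preceding steps; note that `cgdconfig -U` cannot be reused there because /etc/cgd was unmounted two lines earlier, so the device has to be released by name (`cgdconfig -u cgd0`, matching the /dev/cgd0a mounted above), and running the sysctl before re-enabling the splash screen keeps the error visible on the console. Separately, the hard-coded /dev/wd0a and /dev/cgd0a and the fact that cgd.conf and the params file are read from the unencrypted boot partition (mounted read-only on /etc/cgd only for that purpose, and therefore not protected by the encryption) are documented nowhere; a short header comment stating this, and that the script is installed as the ramdisk's /etc/rc, would help whoever adapts it to another disk layout.
```shell
# … unchanged: environment setup, boot-partition mount, cgdconfig -C, /altroot mount …
umount /etc/cgd
sysctl -w init.root=/altroot
if [ $? -ne 0 ]; then
	echo "Could not switch the root directory to /altroot" 1>&2
	umount /altroot
	cgdconfig -u cgd0
	exit 2
fi
/sbin/wsconsctl -d -w splash.enable=1 > /dev/null 2>&1
```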
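Review bot: The rc script that the last `COPY` line installs as etc/rc also runs `mount`, `umount` and `sysctl` and needs `/bin/sh`, none of which this list declares; presumably the image list that includes list.cgdroot already provides them from a base list, but that dependency is invisible from this file. A comment above the PROG lines such as `# cgdroot.rc additionally relies on sh, mount, umount and sysctl from the base list` would make the assumption explicit for anyone building a cgdroot image from a smaller list.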