install stage 1, opt/grub-config.sh: initial implementation of encryption support

I'll be very surprised if this contains no bugs.

custom-scripts/icewm_bodgemaster_env.sh

@@ -162,6 +162,8 @@ shopt -s checkwinsize
 shopt -s globstar
 EOF
 
+cp /etc/skel/.bashrc /root/.bashrc
+
 cat > /etc/skel/.bashrc_aliases << EOF
 alias ls="ls --color=auto"
 alias la="ls -aF"
@@ -170,6 +172,12 @@ alias x11vnc="x11vnc -repeat -nomodtweak"
 alias blank="sleep 1 && xset dpms force off"
 EOF
 
+cat > /root/.bashrc_aliases << EOF
+alias ls="ls --color=auto"
+alias la="ls -aF"
+alias grep="grep --color=auto"
+EOF
+
 cat > /usr/local/bin/conky_generate_config.sh << BIG_EOF
 #!/usr/bin/env bash
 PART_UUID="\$(blkid --match-tag PARTUUID --output value \$(blkid --output value --match-tag PARTUUID "$(grep "/run/void-usb/container" /proc/mounts | sed 's| /run/void-usb/.*||')"))"

install-stage1.sh

@@ -131,6 +131,99 @@ if grep "$TARGET_DISK" /proc/mounts >> $LOGFILE 2>&1; then
   fi
 fi
 
+echo "
+Do you want to encrypt your files?
+
+With the exception of the files essential for booting, the system will be encrypted.
+This will use an additional 1Gib of storage space.
+
+If you enable encryption, you will be prompted for a passphrase. This passphrase will be
+asked separately during bootup and may be different from the user login.
+"
+
+if yesno; then
+    ADD_CRYPTSETUP="cryptsetup"
+    echo -n "Wiping and partitioning storage... "
+    # new GPT
+    # 2M BIOS GRUB
+    # 66592 sectors ESP (first sector + 66591 sectors, the minimum to format FAT32 with default settings)
+    # everything else one big partition
+    echo "g
+    n
+
+
+    +2M
+    n
+
+
+    +66591
+    n
+
+
+    +1G
+    n
+
+
+
+    t
+    1
+    4
+    t
+    2
+    1
+    t
+    3
+    142
+    t
+    4
+    20
+    w" | fdisk --wipe always --wipe-partitions always "/dev/$TARGET_DISK" >> $LOGFILE 2>&1
+    TARGET_PART_BIOS="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '2p')"
+    TARGET_PART_EFI="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '3p')"
+    TARGET_PART_BOOT="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '4p')"
+    TARGET_PART_BIG="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '5p')"
+    echo "done"
+
+    echo -n "Formatting partitions... "
+    mkfs.vfat -F32 -n "EFIBOOT" "$TARGET_PART_EFI" >> $LOGFILE 2>&1
+    mkfs.f2fs -f -l "container" "$TARGET_PART_BOOT" >> $LOGFILE 2>&1
+    echo "Setting up encryption. You will be asked for the same password twice."
+    cryptsetup luksFormat --batch-mode --type luks2 --force-password "$TARGET_PART_BIG"
+    cryptsetup luksOpen --batch-mode --type luks2 "$TARGET_PART_BIG" voidusb-container
+    if [ "$?" -gt 0 ]; then
+        echo "Failed to open encrypted container. The entered passwords probably didn't match."
+        exit 1
+    fi
+    echo "done"
+
+    echo -n "Mounting partitions and virtual file systems... "
+    mkdir -p /mnt/target >> $LOGFILE 2>&1
+    mount -t tmpfs -o size=3g,mode=755 tmpfs /mnt/target >> $LOGFILE 2>&1
+
+    # used for chroot later
+    mkdir /mnt/target/run >> $LOGFILE 2>&1
+    mount -t tmpfs none /mnt/target/run >> $LOGFILE 2>&1
+    mkdir /mnt/target/proc >> $LOGFILE 2>&1
+    mount -t proc proc /mnt/target/proc >> $LOGFILE 2>&1
+    mkdir /mnt/target/sys >> $LOGFILE 2>&1
+    mount --rbind /sys /mnt/target/sys >> $LOGFILE 2>&1
+    mount --make-rslave /mnt/target/sys >> $LOGFILE 2>&1
+    mkdir /mnt/target/dev >> $LOGFILE 2>&1
+    mount --rbind /dev /mnt/target/dev >> $LOGFILE 2>&1
+    mount --make-rslave /mnt/target/dev >> $LOGFILE 2>&1
+
+    # actual storage
+    mkdir -p /mnt/target/run/void-usb/container >> $LOGFILE 2>&1
+    mount /dev/mapper/voidusb-container /mnt/target/run/void-usb/container >> $LOGFILE 2>&1
+    mkdir /mnt/target/boot >> $LOGFILE 2>&1
+    mount "$TARGET_PART_BOOT" /mnt/target/boot
+    mkdir /mnt/target/boot/efi >> $LOGFILE 2>&1
+    mount "$TARGET_PART_EFI" /mnt/target/boot/efi >> $LOGFILE 2>&1
+    mkdir /mnt/target/home >> $LOGFILE 2>&1
+    mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1
+    mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1
+    echo "done"
+else
     echo -n "Wiping and partitioning storage... "
     # new GPT
     # 2M BIOS GRUB
@@ -197,6 +290,7 @@ mkdir /mnt/target/home >> $LOGFILE 2>&1
     mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1
     mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1
     echo "done"
+fi
 
 clear
 echo "Storage is now prepared and ready for installation.
@@ -252,7 +346,7 @@ XBPS_ARCH="$TARGET_TYPE" xbps-install --yes --sync --rootdir /mnt/target --repos
   wifi-firmware traceroute grep gzip file sed gawk less coreutils findutils \
   diffutils pciutils usbutils tzdata base-files ncurses mdocml procps-ng \
   kbd xbps sudo ethtool kmod eudev runit-void removed-packages nano acpid \
-  squashfs-tools grub grub-i386-efi grub-x86_64-efi dracut xz 2>&1 | tee --append $LOGFILE
+  squashfs-tools grub grub-i386-efi grub-x86_64-efi dracut xz $ADD_CRYPTSETUP 2>&1 | tee --append $LOGFILE
 if [ "$?" -ne 0 ]; then
   echo ""
   echo "An error occurred while trying to install the base system."
@@ -300,6 +394,17 @@ echo "
 echo "done"
 
 echo "Adding fstab."
+if [ -n "$TARGET_PART_BOOT" ]; then
+    echo "# See fstab(5).
+    # <device> <mount point> <fstype> <options> <dump> <pass>
+
+    # /run/void-usb/container, /run/void-usb/overlay, and / are mounted by scripts in initramfs
+
+    UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot f2fs nodev,nosuid,noexec 0 2
+    /run/void-usb/container/home /home none bind 0 0
+    UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat nodev,nosuid,noexec,umask=133,dmask=022 0 2
+    " > /mnt/target/etc/fstab
+else
     echo "# See fstab(5).
     # <device> <mount point> <fstype> <options> <dump> <pass>
 
@@ -307,8 +412,9 @@ echo "# See fstab(5).
 
     /run/void-usb/container/boot /boot none bind 0 0
     /run/void-usb/container/home /home none bind 0 0
-UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat defaults,fmask=0077,dmask=0077 0 2
+    UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat nodev,nosuid,noexec,umask=133,dmask=022 0 2
     " > /mnt/target/etc/fstab
+fi
 
 echo "Configuring keyboard layout."
 if grep "#KEYMAP=" /mnt/target/etc/rc.conf; then

kernel.d/post-install/99-void-usb

@@ -11,23 +11,6 @@ VERSION="$2"
 
 echo "Updating default kernel and initramfs symlinks..."
 
-#####################
-# Delete old symlinks
-#####################
-OLD_LINUX=/boot/vmlinu?
-if [ ! -f "$OLD_LINUX" ]; then
-  # in cases where it’s a .gz or .xz or whatever
-  OLD_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1)
-fi
-[ -f "$OLD_LINUX" ] && rm "$OLD_LINUX"
-
-OLD_INITRAMFS=/boot/initramfs.img
-if [ ! -f "$OLD_INITRAMFS" ]; then
-  # hope to find anything named initramfs or initrd
-  OLD_INITRAMFS=$(find /boot -type l -name "init*" 2>/dev/null | sort | head -n1)
-fi
-[ -f "$OLD_INITRAMFS" ] && rm "$OLD_INITRAMFS"
-
 #####################
 # Create new symlinks
 #####################
@@ -39,7 +22,7 @@ fi
 if grep -e ".gz$" -e ".xz$" -e ".bz$" -e ".bz2$" -e ".lzma$" -e ".lz$" -e ".img$" >/dev/null 2>&1 <<< "$NEW_LINUX_FILE"; then
   NEW_LINUX_SYMLINK="$NEW_LINUX_SYMLINK$(grep -o -e ".gz$" -e ".xz$" -e ".bz$" -e ".bz2$" -e ".lzma$" -e ".lz$" -e ".img$" 2>/dev/null <<< "$NEW_LINUX_FILE")"
 fi
-ln -s "$NEW_LINUX_FILE" "/boot/$NEW_LINUX_SYMLINK"
+ln -s -f "$NEW_LINUX_FILE" "/boot/$NEW_LINUX_SYMLINK"
 
 NEW_INITRAMFS_FILE="$(find /boot -name "init*$VERSION*" 2>/dev/null | sed 's|^/boot/||')"
 NEW_INITRAMFS_SYMLINK="initramfs"
@@ -49,7 +32,7 @@ fi
 if grep -e ".gz$" -e ".xz$" -e ".bz$" -e ".bz2$" -e ".lzma$" -e ".lz$" -e ".img$" >/dev/null 2>&1 <<< "$NEW_INITRAMFS_FILE"; then
   NEW_INITRAMFS_SYMLINK="$NEW_INITRAMFS_SYMLINK$(grep -o -e ".gz$" -e ".xz$" -e ".bz$" -e ".bz2$" -e ".lzma$" -e ".lz$" -e ".img$" 2>/dev/null <<< "$NEW_INITRAMFS_FILE")"
 fi
-ln -s "$NEW_INITRAMFS_FILE" "/boot/$NEW_INITRAMFS_SYMLINK"
+ln -s -f "$NEW_INITRAMFS_FILE" "/boot/$NEW_INITRAMFS_SYMLINK"
 
 echo "Default kernel and initramfs are now: $NEW_LINUX_FILE, $NEW_INITRAMFS_FILE"
 

kernel.d/pre-install/99-void-usb

@@ -13,5 +13,4 @@ while [ "$(vkpurge list | wc -l)" -gt "$KEEP_OLD_KERNELS" ]; do
   OLDEST_KERNEL="$(vkpurge list | sort | head -n1)"
   echo "Removing old kernel $OLDEST_KERNEL using vkpurge..."
   vkpurge rm "$OLDEST_KERNEL"
-  fi
 done

opt/grub-config

@@ -4,22 +4,27 @@ OS_NAME="Void Linux USB"
 GRUB_PREFIX="/boot/efi/LOADER/grub"
 CFG_CUSTOM_BEFORE="custom_before.cfg"
 CFG_CUSTOM_AFTER="custom_after.cfg"
-CONTAINER_UUID="$(blkid --output value --match-tag UUID "$(grep " /run/void-usb/container " /proc/mounts | sed -e 's/ .*//')")"
-# TODO: rd.vconsole.keymap
-LINUX_CMDLINE="quiet root=/dev/loop0 ro void-usb-container=UUID=$CONTAINER_UUID rd.vconsole.keymap=de-latin1"
 
-DEFAULT_LINUX=/boot/vmlinu?
+if [ "$(findmnt --noheadings --nofsroot --output SOURCE /boot)" = "$(findmnt --noheadings --nofsroot --output SOURCE /run/void-usb/container)" ]; then
-if [ ! -f "$DEFAULT_LINUX" ]; then
+    GRUB_BOOT_PATH="/boot"
-  # in cases where it’s a .gz or .xz or whatever
+else
-  DEFAULT_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1)
+    # assuming separate /boot partition
+    GRUB_BOOT_PATH=""
 fi
+VOIDUSB_CONTAINER="$(findmnt --noheadings --output SOURCE /run/void-usb/container)"
+if grep "/dev/mapper" <<< "$VOIDUSB_CONTAINER" > /dev/null; then
+    LUKS_SETTINGS="rd.luks.uuid=$(blkid --output value --match-tag UUID "$(ls /sys/block/"$(basename "$(realpath "$VOIDUSB_CONTAINER")")"/slaves | head -n1)")"
+else
+    VOIDUSB_CONTAINER="UUID=$(blkid --output value --match-tag UUID "$VOIDUSB_CONTAINER")"
+fi
+# TODO: rd.vconsole.keymap
+LINUX_CMDLINE="quiet root=/dev/loop0 ro $LUKS_SETTINGS void-usb-container=$VOIDUSB_CONTAINER rd.vconsole.keymap=de-latin1"
+
+DEFAULT_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1)
 DEFAULT_LINUX="$(sed 's|^/boot/||' <<< "$DEFAULT_LINUX")"
 
-DEFAULT_INITRAMFS=/boot/initramfs.img
-if [ ! -f "$DEFAULT_INITRAMFS" ]; then
 # hope to find anything named initramfs or initrd
 DEFAULT_INITRAMFS=$(find /boot -type l -name "init*" 2>/dev/null | sort | head -n1)
-fi
 DEFAULT_INITRAMFS="$(sed 's|^/boot/||' <<< "$DEFAULT_INITRAMFS")"
 
 function make_menuentry {
@@ -50,9 +55,9 @@ function make_menuentry {
   echo "
   menuentry 'Linux $LINUX_VERSION' {
     echo    'Loading $LINUX...'
-    linux   /boot/$LINUX $LINUX_CMDLINE
+    linux   $GRUB_BOOT_PATH/$LINUX $LINUX_CMDLINE
     echo    'Loading initial ramdisk...'
-    initrd  /boot/$INITRAMFS
+    initrd  $GRUB_BOOT_PATH/$INITRAMFS
   }" >> "$GRUB_PREFIX/grub.cfg"
 }
 
@@ -66,7 +71,7 @@ echo "# This file is auto-generated by $0.
 # $GRUB_PREFIX/$CFG_CUSTOM_BEFORE or
 # $GRUB_PREFIX/$CFG_CUSTOM_AFTER
 
-search --fs-uuid --set=root $CONTAINER_UUID
+search --fs-uuid --set=root $(blkid --output value --match-tag UUID "$(findmnt --noheadings --nofsroot --output SOURCE /boot)")
 
 set menu_color_normal=white/black
 set menu_color_highlight=black/light-gray
@@ -81,9 +86,9 @@ fi
 
 menuentry '$OS_NAME' {
   echo 'Loading Linux...'
-  linux /boot/$DEFAULT_LINUX $LINUX_CMDLINE
+  linux $GRUB_BOOT_PATH/$DEFAULT_LINUX $LINUX_CMDLINE
   echo 'Loading initial ramdisk...'
-  initrd /boot/$DEFAULT_INITRAMFS
+  initrd $GRUB_BOOT_PATH/$DEFAULT_INITRAMFS
 }
 
 submenu 'Choose kernel version...' {" > "$GRUB_PREFIX/grub.cfg"