From e89138b2b71c2984e0e3c7ef9bcf41b1578affd8 Mon Sep 17 00:00:00 2001
From: BodgeMaster <>
Date: Sun, 5 Apr 2026 21:27:59 +0200
Subject: [PATCH] install stage 1, opt/grub-config.sh: initial implementation of encryption support

I'll be very surprised if this contains no bugs.
---
 install-stage1.sh | 232 +++++++++++++++++++++++++++++++++-------------
 opt/grub-config | 39 ++++----
 2 files changed, 191 insertions(+), 80 deletions(-)

diff --git a/install-stage1.sh b/install-stage1.sh
index 63f46be..53afad4 100644
--- a/install-stage1.sh
+++ b/install-stage1.sh
@@ -131,72 +131,166 @@ if grep "$TARGET_DISK" /proc/mounts >> $LOGFILE 2>&1; then fi fi -echo -n "Wiping and partitioning storage... " -# new GPT -# 2M BIOS GRUB -# 66592 sectors ESP (first sector + 66591 sectors, the minimum to format FAT32 with default settings) -# everything else one big partition -echo "g -n +echo " +Do you want to encrypt your files? + +With the exception of the files essential for booting, the system will be encrypted. +This will use an additional 1Gib of storage space. + +If you enable encryption, you will be prompted for a passphrase. This passphrase will be +asked separately during bootup and may be different from the user login. +" + +if yesno; then + ADD_CRYPTSETUP="cryptsetup" + echo -n "Wiping and partitioning storage... " + # new GPT + # 2M BIOS GRUB + # 66592 sectors ESP (first sector + 66591 sectors, the minimum to format FAT32 with default settings) + # everything else one big partition + echo "g + n -+2M -n + +2M + n -+66591 -n + +66591 + n + + + +1G + n -t -1 -4 -t -2 -1 -t -3 -20 -w" | fdisk --wipe always --wipe-partitions always "/dev/$TARGET_DISK" >> $LOGFILE 2>&1 -TARGET_PART_BIOS="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '2p')" -TARGET_PART_EFI="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '3p')" -TARGET_PART_BIG="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '4p')" -echo "done" + t + 1 + 4 + t + 2 + 1 + t + 3 + 142 + t + 4 + 20 + w" | fdisk --wipe always --wipe-partitions always "/dev/$TARGET_DISK" >> $LOGFILE 2>&1 + TARGET_PART_BIOS="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '2p')" + TARGET_PART_EFI="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '3p')" + TARGET_PART_BOOT="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '4p')" + TARGET_PART_BIG="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '5p')" + echo "done" -echo -n "Formatting partitions... 
" -mkfs.vfat -F32 -n "EFIBOOT" "$TARGET_PART_EFI" >> $LOGFILE 2>&1 -mkfs.f2fs -f -l "container" "$TARGET_PART_BIG" >> $LOGFILE 2>&1 -echo "done" + echo -n "Formatting partitions... " + mkfs.vfat -F32 -n "EFIBOOT" "$TARGET_PART_EFI" >> $LOGFILE 2>&1 + mkfs.f2fs -f -l "container" "$TARGET_PART_BOOT" >> $LOGFILE 2>&1 + echo "Setting up encryption. You will be asked for the same password twice." + cryptsetup luksFormat --batch-mode --type luks2 --force-password "$TARGET_PART_BIG" + cryptsetup luksOpen --batch-mode --type luks2 "$TARGET_PART_BIG" voidusb-container + if [ "$?" -gt 0 ]; then + echo "Failed to open encrypted container. The entered passwords probably didn't match." + exit 1 + fi + echo "done" -echo -n "Mounting partitions and virtual file systems... " -mkdir -p /mnt/target >> $LOGFILE 2>&1 -mount -t tmpfs -o size=3g,mode=755 tmpfs /mnt/target >> $LOGFILE 2>&1 + echo -n "Mounting partitions and virtual file systems... " + mkdir -p /mnt/target >> $LOGFILE 2>&1 + mount -t tmpfs -o size=3g,mode=755 tmpfs /mnt/target >> $LOGFILE 2>&1 -# used for chroot later -mkdir /mnt/target/run >> $LOGFILE 2>&1 -mount -t tmpfs none /mnt/target/run >> $LOGFILE 2>&1 -mkdir /mnt/target/proc >> $LOGFILE 2>&1 -mount -t proc proc /mnt/target/proc >> $LOGFILE 2>&1 -mkdir /mnt/target/sys >> $LOGFILE 2>&1 -mount --rbind /sys /mnt/target/sys >> $LOGFILE 2>&1 -mount --make-rslave /mnt/target/sys >> $LOGFILE 2>&1 -mkdir /mnt/target/dev >> $LOGFILE 2>&1 -mount --rbind /dev /mnt/target/dev >> $LOGFILE 2>&1 -mount --make-rslave /mnt/target/dev >> $LOGFILE 2>&1 + # used for chroot later + mkdir /mnt/target/run >> $LOGFILE 2>&1 + mount -t tmpfs none /mnt/target/run >> $LOGFILE 2>&1 + mkdir /mnt/target/proc >> $LOGFILE 2>&1 + mount -t proc proc /mnt/target/proc >> $LOGFILE 2>&1 + mkdir /mnt/target/sys >> $LOGFILE 2>&1 + mount --rbind /sys /mnt/target/sys >> $LOGFILE 2>&1 + mount --make-rslave /mnt/target/sys >> $LOGFILE 2>&1 + mkdir /mnt/target/dev >> $LOGFILE 2>&1 + mount --rbind /dev 
/mnt/target/dev >> $LOGFILE 2>&1 + mount --make-rslave /mnt/target/dev >> $LOGFILE 2>&1 -# actual storage -mkdir -p /mnt/target/run/void-usb/container >> $LOGFILE 2>&1 -mount "$TARGET_PART_BIG" /mnt/target/run/void-usb/container >> $LOGFILE 2>&1 -mkdir /mnt/target/boot >> $LOGFILE 2>&1 -mkdir /mnt/target/run/void-usb/container/boot >> $LOGFILE 2>&1 -mount --bind /mnt/target/run/void-usb/container/boot /mnt/target/boot >> $LOGFILE 2>&1 -mkdir /mnt/target/boot/efi >> $LOGFILE 2>&1 -mount "$TARGET_PART_EFI" /mnt/target/boot/efi >> $LOGFILE 2>&1 -mkdir /mnt/target/home >> $LOGFILE 2>&1 -mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1 -mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1 -echo "done" + # actual storage + mkdir -p /mnt/target/run/void-usb/container >> $LOGFILE 2>&1 + mount /dev/mapper/voidusb-container /mnt/target/run/void-usb/container >> $LOGFILE 2>&1 + mkdir /mnt/target/boot >> $LOGFILE 2>&1 + mount "$TARGET_PART_BOOT" /mnt/target/boot + mkdir /mnt/target/boot/efi >> $LOGFILE 2>&1 + mount "$TARGET_PART_EFI" /mnt/target/boot/efi >> $LOGFILE 2>&1 + mkdir /mnt/target/home >> $LOGFILE 2>&1 + mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1 + mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1 + echo "done" +else + echo -n "Wiping and partitioning storage... 
" + # new GPT + # 2M BIOS GRUB + # 66592 sectors ESP (first sector + 66591 sectors, the minimum to format FAT32 with default settings) + # everything else one big partition + echo "g + n + + + +2M + n + + + +66591 + n + + + + t + 1 + 4 + t + 2 + 1 + t + 3 + 20 + w" | fdisk --wipe always --wipe-partitions always "/dev/$TARGET_DISK" >> $LOGFILE 2>&1 + TARGET_PART_BIOS="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '2p')" + TARGET_PART_EFI="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '3p')" + TARGET_PART_BIG="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '4p')" + echo "done" + + echo -n "Formatting partitions... " + mkfs.vfat -F32 -n "EFIBOOT" "$TARGET_PART_EFI" >> $LOGFILE 2>&1 + mkfs.f2fs -f -l "container" "$TARGET_PART_BIG" >> $LOGFILE 2>&1 + echo "done" + + echo -n "Mounting partitions and virtual file systems... " + mkdir -p /mnt/target >> $LOGFILE 2>&1 + mount -t tmpfs -o size=3g,mode=755 tmpfs /mnt/target >> $LOGFILE 2>&1 + + # used for chroot later + mkdir /mnt/target/run >> $LOGFILE 2>&1 + mount -t tmpfs none /mnt/target/run >> $LOGFILE 2>&1 + mkdir /mnt/target/proc >> $LOGFILE 2>&1 + mount -t proc proc /mnt/target/proc >> $LOGFILE 2>&1 + mkdir /mnt/target/sys >> $LOGFILE 2>&1 + mount --rbind /sys /mnt/target/sys >> $LOGFILE 2>&1 + mount --make-rslave /mnt/target/sys >> $LOGFILE 2>&1 + mkdir /mnt/target/dev >> $LOGFILE 2>&1 + mount --rbind /dev /mnt/target/dev >> $LOGFILE 2>&1 + mount --make-rslave /mnt/target/dev >> $LOGFILE 2>&1 + + # actual storage + mkdir -p /mnt/target/run/void-usb/container >> $LOGFILE 2>&1 + mount "$TARGET_PART_BIG" /mnt/target/run/void-usb/container >> $LOGFILE 2>&1 + mkdir /mnt/target/boot >> $LOGFILE 2>&1 + mkdir /mnt/target/run/void-usb/container/boot >> $LOGFILE 2>&1 + mount --bind /mnt/target/run/void-usb/container/boot /mnt/target/boot >> $LOGFILE 2>&1 + mkdir /mnt/target/boot/efi >> $LOGFILE 2>&1 + mount "$TARGET_PART_EFI" /mnt/target/boot/efi >> $LOGFILE 
2>&1 + mkdir /mnt/target/home >> $LOGFILE 2>&1 + mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1 + mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1 + echo "done" +fi clear echo "Storage is now prepared and ready for installation. @@ -252,7 +346,7 @@ XBPS_ARCH="$TARGET_TYPE" xbps-install --yes --sync --rootdir /mnt/target --repos wifi-firmware traceroute grep gzip file sed gawk less coreutils findutils \ diffutils pciutils usbutils tzdata base-files ncurses mdocml procps-ng \ kbd xbps sudo ethtool kmod eudev runit-void removed-packages nano acpid \ - squashfs-tools grub grub-i386-efi grub-x86_64-efi dracut xz 2>&1 | tee --append $LOGFILE + squashfs-tools grub grub-i386-efi grub-x86_64-efi dracut xz $ADD_CRYPTSETUP 2>&1 | tee --append $LOGFILE if [ "$?" -ne 0 ]; then echo "" echo "An error occurred while trying to install the base system." 
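Review bot: The exit status of `cryptsetup luksFormat` in the encrypted branch is never checked, so a failed or aborted format falls straight through to `luksOpen`, whose failure is then reported to the user as a passphrase mismatch. With `--batch-mode` and no `-y`, cryptsetup skips its own passphrase verification for luksFormat, and `--force-password` skips quality checking, so the `luksOpen` prompt is the only confirmation the user gets — that is workable, but the format step should fail fast: `cryptsetup luksFormat --batch-mode --type luks2 --force-password "$TARGET_PART_BIG" || { echo "Failed to set up the encrypted container."; exit 1; }`. The `mount "$TARGET_PART_BOOT" /mnt/target/boot` line is the only mount in this branch not redirected to `$LOGFILE`, which looks like an oversight. The two branches also repeat roughly seventy identical lines of tmpfs/proc/sys/dev setup; only the fdisk script, the formatting step and the device mounted on `/run/void-usb/container` differ, so the shared part could be hoisted out of the `if` and the branch reduced to choosing the layout and the container source.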
@@ -300,15 +394,27 @@ echo " echo "done" echo "Adding fstab." -echo "# See fstab(5). -# +if [ -n "$TARGET_PART_BOOT" ]; then + echo "# See fstab(5). + # -# /run/void-usb/container, /run/void-usb/overlay, and / are mounted by scripts in initramfs + # /run/void-usb/container, /run/void-usb/overlay, and / are mounted by scripts in initramfs -/run/void-usb/container/boot /boot none bind 0 0 -/run/void-usb/container/home /home none bind 0 0 -UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat defaults,fmask=0077,dmask=0077 0 2 -" > /mnt/target/etc/fstab + UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot f2fs nodev,nosuid,noexec 0 2 + /run/void-usb/container/home /home none bind 0 0 + UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat nodev,nosuid,noexec,umask=133,dmask=022 0 2 + " > /mnt/target/etc/fstab +else + echo "# See fstab(5). + # + + # /run/void-usb/container, /run/void-usb/overlay, and / are mounted by scripts in initramfs + + /run/void-usb/container/boot /boot none bind 0 0 + /run/void-usb/container/home /home none bind 0 0 + UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat nodev,nosuid,noexec,umask=133,dmask=022 0 2 + " > /mnt/target/etc/fstab +fi echo "Configuring keyboard layout." if grep "#KEYMAP=" /mnt/target/etc/rc.conf; then diff --git a/opt/grub-config b/opt/grub-config index 3b4de7e..e7adf70 100644 --- a/opt/grub-config +++ b/opt/grub-config 
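Review bot: In the encrypted branch of the fstab block the `/boot` line takes its UUID from `$TARGET_PART_EFI`, so the same filesystem UUID is written for both `/boot` (f2fs) and `/boot/efi` (vfat) and the f2fs boot partition is never mounted; it should read `UUID=$(blkid --output value --match-tag UUID $TARGET_PART_BOOT) /boot f2fs nodev,nosuid,noexec 0 2`. Both new `echo` bodies are indented inside the double-quoted string, so every generated fstab line, including the `#` comment lines, now starts with two spaces where the old hunk wrote them at column 0; libmount appears to skip leading blanks, but confirm the generated file parses, or dedent the string. The ESP masks change from `fmask=0077,dmask=0077` (root-only) to `umask=133,dmask=022` (world-readable); nothing in the diff needs the looser read permissions, so if that is unintended keep the 0077 masks alongside the new `nodev,nosuid,noexec`.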
@@ -4,22 +4,27 @@ OS_NAME="Void Linux USB" GRUB_PREFIX="/boot/efi/LOADER/grub" CFG_CUSTOM_BEFORE="custom_before.cfg" CFG_CUSTOM_AFTER="custom_after.cfg" -CONTAINER_UUID="$(blkid --output value --match-tag UUID "$(grep " /run/void-usb/container " /proc/mounts | sed -e 's/ .*//')")" -# TODO: rd.vconsole.keymap -LINUX_CMDLINE="quiet root=/dev/loop0 ro void-usb-container=UUID=$CONTAINER_UUID rd.vconsole.keymap=de-latin1" -DEFAULT_LINUX=/boot/vmlinu? -if [ ! -f "$DEFAULT_LINUX" ]; then - # in cases where it’s a .gz or .xz or whatever - DEFAULT_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1) +if [ "$(findmnt --noheadings --nofsroot --output SOURCE /boot)" = "$(findmnt --noheadings --nofsroot --output SOURCE /run/void-usb/container)" ]; then + GRUB_BOOT_PATH="/boot" +else + # assuming separate /boot partition + GRUB_BOOT_PATH="" fi +VOIDUSB_CONTAINER="$(findmnt --noheadings --output SOURCE /run/void-usb/container)" +if grep "/dev/mapper" <<< "$VOIDUSB_CONTAINER" > /dev/null; then + LUKS_SETTINGS="rd.luks.uuid=$(blkid --output value --match-tag UUID "$(ls /sys/block/"$(basename "$(realpath "$VOIDUSB_CONTAINER")")"/slaves | head -n1)")" +else + VOIDUSB_CONTAINER="UUID=$(blkid --output value --match-tag UUID "$VOIDUSB_CONTAINER")" +fi +# TODO: rd.vconsole.keymap +LINUX_CMDLINE="quiet root=/dev/loop0 ro $LUKS_SETTINGS void-usb-container=$VOIDUSB_CONTAINER rd.vconsole.keymap=de-latin1" + +DEFAULT_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1) DEFAULT_LINUX="$(sed 's|^/boot/||' <<< "$DEFAULT_LINUX")" -DEFAULT_INITRAMFS=/boot/initramfs.img -if [ ! 
-f "$DEFAULT_INITRAMFS" ]; then - # hope to find anything named initramfs or initrd - DEFAULT_INITRAMFS=$(find /boot -type l -name "init*" 2>/dev/null | sort | head -n1) -fi +# hope to find anything named initramfs or initrd +DEFAULT_INITRAMFS=$(find /boot -type l -name "init*" 2>/dev/null | sort | head -n1) DEFAULT_INITRAMFS="$(sed 's|^/boot/||' <<< "$DEFAULT_INITRAMFS")" function make_menuentry { @@ -50,9 +55,9 @@ function make_menuentry { echo " menuentry 'Linux $LINUX_VERSION' { echo 'Loading $LINUX...' - linux /boot/$LINUX $LINUX_CMDLINE + linux $GRUB_BOOT_PATH/$LINUX $LINUX_CMDLINE echo 'Loading initial ramdisk...' - initrd /boot/$INITRAMFS + initrd $GRUB_BOOT_PATH/$INITRAMFS }" >> "$GRUB_PREFIX/grub.cfg" } @@ -66,7 +71,7 @@ echo "# This file is auto-generated by $0. # $GRUB_PREFIX/$CFG_CUSTOM_BEFORE or # $GRUB_PREFIX/$CFG_CUSTOM_AFTER -search --fs-uuid --set=root $CONTAINER_UUID +search --fs-uuid --set=root $(blkid --output value --match-tag UUID "$(findmnt --noheadings --nofsroot --output SOURCE /boot)") set menu_color_normal=white/black set menu_color_highlight=black/light-gray @@ -81,9 +86,9 @@ fi menuentry '$OS_NAME' { echo 'Loading Linux...' - linux /boot/$DEFAULT_LINUX $LINUX_CMDLINE + linux $GRUB_BOOT_PATH/$DEFAULT_LINUX $LINUX_CMDLINE echo 'Loading initial ramdisk...' - initrd /boot/$DEFAULT_INITRAMFS + initrd $GRUB_BOOT_PATH/$DEFAULT_INITRAMFS } submenu 'Choose kernel version...' {" > "$GRUB_PREFIX/grub.cfg"