forked from BodgeMaster/void-usb
install stage 1, opt/grub-config.sh: initial implementation of encryption support
I'll be very surprised if this contains no bugs.
parent
5fb752518e
commit
e89138b2b7
@ -131,6 +131,99 @@ if grep "$TARGET_DISK" /proc/mounts >> $LOGFILE 2>&1; then
|
|||
fi
|
||||
fi
|
||||
|
||||
echo "
|
||||
Do you want to encrypt your files?
|
||||
|
||||
With the exception of the files essential for booting, the system will be encrypted.
|
||||
This will use an additional 1Gib of storage space.
|
||||
|
||||
If you enable encryption, you will be prompted for a passphrase. This passphrase will be
|
||||
asked separately during bootup and may be different from the user login.
|
||||
"
|
||||
|
||||
if yesno; then
|
||||
ADD_CRYPTSETUP="cryptsetup"
|
||||
echo -n "Wiping and partitioning storage... "
|
||||
# new GPT
|
||||
# 2M BIOS GRUB
|
||||
# 66592 sectors ESP (first sector + 66591 sectors, the minimum to format FAT32 with default settings)
|
||||
# everything else one big partition
|
||||
echo "g
|
||||
n
|
||||
|
||||
|
||||
+2M
|
||||
n
|
||||
|
||||
|
||||
+66591
|
||||
n
|
||||
|
||||
|
||||
+1G
|
||||
n
|
||||
|
||||
|
||||
|
||||
t
|
||||
1
|
||||
4
|
||||
t
|
||||
2
|
||||
1
|
||||
t
|
||||
3
|
||||
142
|
||||
t
|
||||
4
|
||||
20
|
||||
w" | fdisk --wipe always --wipe-partitions always "/dev/$TARGET_DISK" >> $LOGFILE 2>&1
|
||||
TARGET_PART_BIOS="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '2p')"
|
||||
TARGET_PART_EFI="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '3p')"
|
||||
TARGET_PART_BOOT="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '4p')"
|
||||
TARGET_PART_BIG="$(lsblk --raw --noheadings --output PATH "/dev/$TARGET_DISK" | sed -n '5p')"
|
||||
echo "done"
|
||||
|
||||
echo -n "Formatting partitions... "
|
||||
mkfs.vfat -F32 -n "EFIBOOT" "$TARGET_PART_EFI" >> $LOGFILE 2>&1
|
||||
mkfs.f2fs -f -l "container" "$TARGET_PART_BOOT" >> $LOGFILE 2>&1
|
||||
echo "Setting up encryption. You will be asked for the same password twice."
|
||||
cryptsetup luksFormat --batch-mode --type luks2 --force-password "$TARGET_PART_BIG"
|
||||
cryptsetup luksOpen --batch-mode --type luks2 "$TARGET_PART_BIG" voidusb-container
|
||||
if [ "$?" -gt 0 ]; then
|
||||
echo "Failed to open encrypted container. The entered passwords probably didn't match."
|
||||
exit 1
|
||||
fi
|
||||
echo "done"
|
||||
|
||||
echo -n "Mounting partitions and virtual file systems... "
|
||||
mkdir -p /mnt/target >> $LOGFILE 2>&1
|
||||
mount -t tmpfs -o size=3g,mode=755 tmpfs /mnt/target >> $LOGFILE 2>&1
|
||||
|
||||
# used for chroot later
|
||||
mkdir /mnt/target/run >> $LOGFILE 2>&1
|
||||
mount -t tmpfs none /mnt/target/run >> $LOGFILE 2>&1
|
||||
mkdir /mnt/target/proc >> $LOGFILE 2>&1
|
||||
mount -t proc proc /mnt/target/proc >> $LOGFILE 2>&1
|
||||
mkdir /mnt/target/sys >> $LOGFILE 2>&1
|
||||
mount --rbind /sys /mnt/target/sys >> $LOGFILE 2>&1
|
||||
mount --make-rslave /mnt/target/sys >> $LOGFILE 2>&1
|
||||
mkdir /mnt/target/dev >> $LOGFILE 2>&1
|
||||
mount --rbind /dev /mnt/target/dev >> $LOGFILE 2>&1
|
||||
mount --make-rslave /mnt/target/dev >> $LOGFILE 2>&1
|
||||
|
||||
# actual storage
|
||||
mkdir -p /mnt/target/run/void-usb/container >> $LOGFILE 2>&1
|
||||
mount /dev/mapper/voidusb-container /mnt/target/run/void-usb/container >> $LOGFILE 2>&1
|
||||
mkdir /mnt/target/boot >> $LOGFILE 2>&1
|
||||
mount "$TARGET_PART_BOOT" /mnt/target/boot
|
||||
mkdir /mnt/target/boot/efi >> $LOGFILE 2>&1
|
||||
mount "$TARGET_PART_EFI" /mnt/target/boot/efi >> $LOGFILE 2>&1
|
||||
mkdir /mnt/target/home >> $LOGFILE 2>&1
|
||||
mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1
|
||||
mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1
|
||||
echo "done"
|
||||
else
|
||||
echo -n "Wiping and partitioning storage... "
|
||||
# new GPT
|
||||
# 2M BIOS GRUB
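Review bot: The line `cryptsetup luksFormat --batch-mode --type luks2 --force-password "$TARGET_PART_BIG"` has no status check and, with `--batch-mode`, prompts for the passphrase only once (the script's own "asked for the same password twice" message relies on the following luksOpen to catch a typo), so a mistyped passphrase is discovered only after the partition has already been formatted with it. Adding `--verify-passphrase` and failing on error keeps the header consistent with what the user confirmed: `cryptsetup luksFormat --batch-mode --verify-passphrase --type luks2 "$TARGET_PART_BIG" || { echo "Failed to set up encryption."; exit 1; }`. `--force-password` also disables cryptsetup's passphrase-quality check, so weak passphrases are accepted silently; if that is intentional it deserves a comment such as `# --force-password: skip pwquality checks so short passphrases are not rejected`. `mount "$TARGET_PART_BOOT" /mnt/target/boot` is the only mount in this branch whose output is not redirected to $LOGFILE. The `if yesno` block's else branch continues past the hunk.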
|
||||
|
|
@ -197,6 +290,7 @@ mkdir /mnt/target/home >> $LOGFILE 2>&1
|
|||
mkdir /mnt/target/run/void-usb/container/home >> $LOGFILE 2>&1
|
||||
mount --bind /mnt/target/run/void-usb/container/home /mnt/target/home >> $LOGFILE 2>&1
|
||||
echo "done"
|
||||
fi
|
||||
|
||||
clear
|
||||
echo "Storage is now prepared and ready for installation.
|
||||
|
|
@ -252,7 +346,7 @@ XBPS_ARCH="$TARGET_TYPE" xbps-install --yes --sync --rootdir /mnt/target --repos
|
|||
wifi-firmware traceroute grep gzip file sed gawk less coreutils findutils \
|
||||
diffutils pciutils usbutils tzdata base-files ncurses mdocml procps-ng \
|
||||
kbd xbps sudo ethtool kmod eudev runit-void removed-packages nano acpid \
|
||||
squashfs-tools grub grub-i386-efi grub-x86_64-efi dracut xz 2>&1 | tee --append $LOGFILE
|
||||
squashfs-tools grub grub-i386-efi grub-x86_64-efi dracut xz $ADD_CRYPTSETUP 2>&1 | tee --append $LOGFILE
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo ""
|
||||
echo "An error occurred while trying to install the base system."
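Review bot: The status tested by `if [ "$?" -ne 0 ]` directly after the xbps-install line is tee's, not xbps-install's, so a failed installation of the newly added `$ADD_CRYPTSETUP` package goes unnoticed, and the encrypted layout would presumably be left without the tool the initramfs needs to open the container. If the script runs under bash, `if [ "${PIPESTATUS[0]}" -ne 0 ]; then` captures the install status; otherwise `set -o pipefail` before the pipeline does. `ADD_CRYPTSETUP` is only assigned in the encryption branch, so initialising it with `ADD_CRYPTSETUP=""` in the else branch makes the intent explicit and keeps the script working under `set -u`.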
|
||||
|
|
@ -300,6 +394,17 @@ echo "
|
|||
echo "done"
|
||||
|
||||
echo "Adding fstab."
|
||||
if [ -n "$TARGET_PART_BOOT" ]; then
|
||||
echo "# See fstab(5).
|
||||
# <device> <mount point> <fstype> <options> <dump> <pass>
|
||||
|
||||
# /run/void-usb/container, /run/void-usb/overlay, and / are mounted by scripts in initramfs
|
||||
|
||||
UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot f2fs nodev,nosuid,noexec 0 2
|
||||
/run/void-usb/container/home /home none bind 0 0
|
||||
UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat nodev,nosuid,noexec,umask=133,dmask=022 0 2
|
||||
" > /mnt/target/etc/fstab
|
||||
else
|
||||
echo "# See fstab(5).
|
||||
# <device> <mount point> <fstype> <options> <dump> <pass>
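Review bot: The f2fs entry for /boot in the encrypted-layout fstab, `UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot f2fs nodev,nosuid,noexec 0 2`, takes the UUID from the EFI partition, so /boot and /boot/efi resolve to the same vfat device and mounting /boot as f2fs will fail at boot. It should read `UUID=$(blkid --output value --match-tag UUID "$TARGET_PART_BOOT") /boot f2fs nodev,nosuid,noexec 0 2`. The if/else opened here is closed outside the hunk.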
|
||||
|
||||
|
|
@ -307,8 +412,9 @@ echo "# See fstab(5).
|
|||
|
||||
/run/void-usb/container/boot /boot none bind 0 0
|
||||
/run/void-usb/container/home /home none bind 0 0
|
||||
UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat defaults,fmask=0077,dmask=0077 0 2
|
||||
UUID=$(blkid --output value --match-tag UUID $TARGET_PART_EFI) /boot/efi vfat nodev,nosuid,noexec,umask=133,dmask=022 0 2
|
||||
" > /mnt/target/etc/fstab
|
||||
fi
|
||||
|
||||
echo "Configuring keyboard layout."
|
||||
if grep "#KEYMAP=" /mnt/target/etc/rc.conf; then
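Review bot: Replacing `fmask=0077,dmask=0077` with `umask=133,dmask=022` on the /boot/efi line makes every file on the ESP world-readable (0644 files, 0755 directories) where it was previously root-only; `nodev,nosuid,noexec` are a good addition, but the loosened read permissions expose grub.cfg and anything placed in custom_before.cfg or custom_after.cfg to unprivileged users. Unless something needs non-root read access to /boot/efi, `nodev,nosuid,noexec,fmask=0077,dmask=0077` keeps both properties. The encrypted layout's /boot/efi entry in the preceding hunk uses the same options and would need the same change.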
|
||||
|
@ -4,22 +4,27 @@ OS_NAME="Void Linux USB"
|
|||
GRUB_PREFIX="/boot/efi/LOADER/grub"
|
||||
CFG_CUSTOM_BEFORE="custom_before.cfg"
|
||||
CFG_CUSTOM_AFTER="custom_after.cfg"
|
||||
CONTAINER_UUID="$(blkid --output value --match-tag UUID "$(grep " /run/void-usb/container " /proc/mounts | sed -e 's/ .*//')")"
|
||||
# TODO: rd.vconsole.keymap
|
||||
LINUX_CMDLINE="quiet root=/dev/loop0 ro void-usb-container=UUID=$CONTAINER_UUID rd.vconsole.keymap=de-latin1"
|
||||
|
||||
DEFAULT_LINUX=/boot/vmlinu?
|
||||
if [ ! -f "$DEFAULT_LINUX" ]; then
|
||||
# in cases where it’s a .gz or .xz or whatever
|
||||
DEFAULT_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1)
|
||||
if [ "$(findmnt --noheadings --nofsroot --output SOURCE /boot)" = "$(findmnt --noheadings --nofsroot --output SOURCE /run/void-usb/container)" ]; then
|
||||
GRUB_BOOT_PATH="/boot"
|
||||
else
|
||||
# assuming separate /boot partition
|
||||
GRUB_BOOT_PATH=""
|
||||
fi
|
||||
VOIDUSB_CONTAINER="$(findmnt --noheadings --output SOURCE /run/void-usb/container)"
|
||||
if grep "/dev/mapper" <<< "$VOIDUSB_CONTAINER" > /dev/null; then
|
||||
LUKS_SETTINGS="rd.luks.uuid=$(blkid --output value --match-tag UUID "$(ls /sys/block/"$(basename "$(realpath "$VOIDUSB_CONTAINER")")"/slaves | head -n1)")"
|
||||
else
|
||||
VOIDUSB_CONTAINER="UUID=$(blkid --output value --match-tag UUID "$VOIDUSB_CONTAINER")"
|
||||
fi
|
||||
# TODO: rd.vconsole.keymap
|
||||
LINUX_CMDLINE="quiet root=/dev/loop0 ro $LUKS_SETTINGS void-usb-container=$VOIDUSB_CONTAINER rd.vconsole.keymap=de-latin1"
|
||||
|
||||
DEFAULT_LINUX=$(find /boot -type l -name "vmlinu*" 2>/dev/null | sort | head -n1)
|
||||
DEFAULT_LINUX="$(sed 's|^/boot/||' <<< "$DEFAULT_LINUX")"
|
||||
|
||||
DEFAULT_INITRAMFS=/boot/initramfs.img
|
||||
if [ ! -f "$DEFAULT_INITRAMFS" ]; then
|
||||
# hope to find anything named initramfs or initrd
|
||||
DEFAULT_INITRAMFS=$(find /boot -type l -name "init*" 2>/dev/null | sort | head -n1)
|
||||
fi
|
||||
DEFAULT_INITRAMFS="$(sed 's|^/boot/||' <<< "$DEFAULT_INITRAMFS")"
|
||||
|
||||
function make_menuentry {
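Review bot: `ls /sys/block/.../slaves | head -n1` on the LUKS_SETTINGS line yields a bare kernel device name (e.g. `sda4`), not a path, so blkid is handed a name it cannot open and rd.luks.uuid ends up empty, leaving the initramfs unable to open the container. Prefixing the device directory fixes it: `LUKS_SETTINGS="rd.luks.uuid=$(blkid --output value --match-tag UUID "/dev/$(ls /sys/block/"$(basename "$(realpath "$VOIDUSB_CONTAINER")")"/slaves | head -n1)")"`. LUKS_SETTINGS is never assigned in the else branch, so `LUKS_SETTINGS=""` before the if avoids an unset variable reaching LINUX_CMDLINE. In the mapper branch VOIDUSB_CONTAINER stays `/dev/mapper/voidusb-container`, which only works if the initramfs opens the device under that name; as far as I recall plain rd.luks.uuid makes dracut name it luks-<uuid>, so rd.luks.name may be needed — worth confirming against the initramfs scripts. `function make_menuentry {` on the last hunk line continues outside the hunk.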
|
||||
|
|
@ -50,9 +55,9 @@ function make_menuentry {
|
|||
echo "
|
||||
menuentry 'Linux $LINUX_VERSION' {
|
||||
echo 'Loading $LINUX...'
|
||||
linux /boot/$LINUX $LINUX_CMDLINE
|
||||
linux $GRUB_BOOT_PATH/$LINUX $LINUX_CMDLINE
|
||||
echo 'Loading initial ramdisk...'
|
||||
initrd /boot/$INITRAMFS
|
||||
initrd $GRUB_BOOT_PATH/$INITRAMFS
|
||||
}" >> "$GRUB_PREFIX/grub.cfg"
|
||||
}
|
||||
|
||||
|
|
@ -66,7 +71,7 @@ echo "# This file is auto-generated by $0.
|
|||
# $GRUB_PREFIX/$CFG_CUSTOM_BEFORE or
|
||||
# $GRUB_PREFIX/$CFG_CUSTOM_AFTER
|
||||
|
||||
search --fs-uuid --set=root $CONTAINER_UUID
|
||||
search --fs-uuid --set=root $(blkid --output value --match-tag UUID "$(findmnt --noheadings --nofsroot --output SOURCE /boot)")
|
||||
|
||||
set menu_color_normal=white/black
|
||||
set menu_color_highlight=black/light-gray
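Review bot: The UUID on the new `search --fs-uuid --set=root $(blkid ...)` line is computed inline while grub.cfg is being written, so if findmnt or blkid print nothing the generated file contains a bare `search --fs-uuid --set=root` and none of the menu entries can find the kernel. Hoisting it into a checked variable makes the failure visible at generation time: `BOOT_UUID="$(blkid --output value --match-tag UUID "$(findmnt --noheadings --nofsroot --output SOURCE /boot)")"`, then `[ -n "$BOOT_UUID" ] || { echo "cannot determine UUID of /boot" >&2; exit 1; }`, and `search --fs-uuid --set=root $BOOT_UUID` inside the echo. The echo that writes this block starts outside the hunk.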
|
||||
|
|
@ -81,9 +86,9 @@ fi
|
|||
|
||||
menuentry '$OS_NAME' {
|
||||
echo 'Loading Linux...'
|
||||
linux /boot/$DEFAULT_LINUX $LINUX_CMDLINE
|
||||
linux $GRUB_BOOT_PATH/$DEFAULT_LINUX $LINUX_CMDLINE
|
||||
echo 'Loading initial ramdisk...'
|
||||
initrd /boot/$DEFAULT_INITRAMFS
|
||||
initrd $GRUB_BOOT_PATH/$DEFAULT_INITRAMFS
|
||||
}
|
||||
|
||||
submenu 'Choose kernel version...' {" > "$GRUB_PREFIX/grub.cfg"
|
||||