From 47b40316c032234025344cbfd1593e4d21e5167d Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Mon, 12 Jul 2021 17:55:02 +0900 Subject: [PATCH 01/18] btrfs support Fail to install the ubuntu when the / volume is btrfs #24 --- script/lib/common.sh | 3 ++- script/ubuntu-kaiten-yaki.sh | 9 +++++++++ script/void-kaiten-yaki.sh | 3 +++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/script/lib/common.sh b/script/lib/common.sh index 8fcb0ea..3f9285f 100644 --- a/script/lib/common.sh +++ b/script/lib/common.sh @@ -291,8 +291,9 @@ function para_install_msg() { function post_install() { ## Mount the target file system # ${TARGETMOUNTPOINT} is created by the GUI/TUI installer + # ${BTRFSOPTION} is defined by the caller of this function for BTRFS formated volume. echo "...Mounting /dev/mapper/${VGNAME}-${LVROOTNAME} on ${TARGETMOUNTPOINT}." - mount /dev/mapper/"${VGNAME}"-"${LVROOTNAME}" "${TARGETMOUNTPOINT}" + mount "${BTRFSOPTION}" /dev/mapper/"${VGNAME}"-"${LVROOTNAME}" "${TARGETMOUNTPOINT}" # And mount other directories echo "...Mounting all other dirs." diff --git a/script/ubuntu-kaiten-yaki.sh b/script/ubuntu-kaiten-yaki.sh index 96ace9b..adfbbdd 100644 --- a/script/ubuntu-kaiten-yaki.sh +++ b/script/ubuntu-kaiten-yaki.sh @@ -53,6 +53,15 @@ function main() { # Post-install stage # ******************************************************************************* + # If the target volume is formated by btrfs, Ubiquity install the root into the + # @ sub-volume. Thus, mount command inside post_install have to use special option + # to specify @ as mount target. + if lsblk -o NAME,FSTYPE | grep -i "${VGNAME}-${LVROOTNAME}" | grep -i "btrfs" > /dev/null ; then + export BTRFSOPTION="-o subvol=@" + else + export BTRFSOPTION="" + fi + # Distribution dependent finalizing. Embedd encryption key into the ramfs image. # The script is parameterized by env-variable to fit to the distribution post_install 
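Review bot: The btrfs detection in the new `if` of ubuntu-kaiten-yaki.sh greps the whole `lsblk -o NAME,FSTYPE` table for a substring, so any device whose name merely contains `${VGNAME}-${LVROOTNAME}` decides the mount option, and a volume group name containing regex metacharacters could match unintended lines; the file system type of the root volume itself is never queried. Asking the device directly is stricter and cheaper: `if [ "$(lsblk -no FSTYPE /dev/mapper/"${VGNAME}-${LVROOTNAME}")" = "btrfs" ] ; then`. A wrong answer here only surfaces later as a failed `mount` in post_install or a mount of the wrong subvolume, so the comment above the test should also state that the `@` subvolume is the Ubiquity layout and that other btrfs layouts are not handled. main() continues outside the hunk.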
diff --git a/script/void-kaiten-yaki.sh b/script/void-kaiten-yaki.sh index 5838747..c63f906 100644 --- a/script/void-kaiten-yaki.sh +++ b/script/void-kaiten-yaki.sh @@ -74,6 +74,9 @@ function main() { # Post-install stage # ******************************************************************************* + # We don't need special option for BTRFSOPTION. + export BTRFSOPTION="" + # Distribution dependent finalizing. Embedd encryption key into the ramfs image. # The script is parameterized by env-variable to fit to the distribution post_install From 3c7691db07f623319a47c71ee7e7e4ecf873911a Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Mon, 12 Jul 2021 22:03:36 +0900 Subject: [PATCH 02/18] Fix the blank option problem. --- script/lib/common.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/script/lib/common.sh b/script/lib/common.sh index 3f9285f..ed5be7d 100644 --- a/script/lib/common.sh +++ b/script/lib/common.sh @@ -291,9 +291,11 @@ function para_install_msg() { function post_install() { ## Mount the target file system # ${TARGETMOUNTPOINT} is created by the GUI/TUI installer - # ${BTRFSOPTION} is defined by the caller of this function for BTRFS formated volume. + # ${BTRFSOPTION} is defined by the caller of this function for BTRFS formated volume. + # ${BTRFSOPTION} have to be NOT quoted. Otherwise, mount will receive an empty + # string as first option, when the veraible is empty. echo "...Mounting /dev/mapper/${VGNAME}-${LVROOTNAME} on ${TARGETMOUNTPOINT}." - mount "${BTRFSOPTION}" /dev/mapper/"${VGNAME}"-"${LVROOTNAME}" "${TARGETMOUNTPOINT}" + mount ${BTRFSOPTION} /dev/mapper/"${VGNAME}"-"${LVROOTNAME}" "${TARGETMOUNTPOINT}" # And mount other directories echo "...Mounting all other dirs." From ea1a1ae7fd8f58cae297f94cd18ef84ebfb8ae2b Mon Sep 17 00:00:00 2001 
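Review bot: The unquoted `${BTRFSOPTION}` in the new `mount` line of common.sh is a deliberate word-split, as the added comment explains, but it still relies on the value never containing glob characters or stray whitespace, and ShellCheck flags it as SC2086 on every run. The same effect without an unquoted expansion is to have the callers export only the option value (`subvol=@`, or empty) and let post_install add the flag conditionally: `mount ${BTRFSOPTION:+-o "${BTRFSOPTION}"} /dev/mapper/"${VGNAME}"-"${LVROOTNAME}" "${TARGETMOUNTPOINT}"`, which expands to nothing when the variable is empty or unset. If the callers keep passing `-o subvol=@` as one string, at least write `${BTRFSOPTION:-}` so the line survives a future `set -u`, and extend the comment to say the value must be a whitespace-separated option list without glob characters. post_install continues outside the hunk.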
From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Mon, 12 Jul 2021 23:12:17 +0900 Subject: [PATCH 03/18] Test OK Fail to install the ubuntu when the / volume is btrfs #24 Tested on Ubuntu and Void Linux. Btrfs and ext4. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e4e18d..e0a9874 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ Record of the modification in project development. ### Deprecated ### Removed ### Fixed +- [Issue 24 : Fail to install the ubuntu when the / volume is btrfs](https://github.com/suikan4github/kaiten-yaki/issues/24) + ### Known Issue ## [1.1.0] - 2021-07-11 From 3bb2a5622cfd8505dd915b0dced97e3bdee06fba Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sat, 17 Jul 2021 14:38:01 +0900 Subject: [PATCH 04/18] Update AN01 for btrfs Issue #26 --- CHANGELOG.md | 2 ++ appnote/an01_howtorecover.md | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e0a9874..9282be0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ Record of the modification in project development. ## [Unreleased] - yyyy-mm-dd ### Added ### Changed +- [Issue 26 : Update AN01 for btrfs](https://github.com/suikan4github/kaiten-yaki/issues/26) + ### Deprecated ### Removed ### Fixed diff --git a/appnote/an01_howtorecover.md b/appnote/an01_howtorecover.md index 6cc3b9a..563fbc0 100644 --- a/appnote/an01_howtorecover.md +++ b/appnote/an01_howtorecover.md @@ -45,6 +45,11 @@ Following is the example. The (lvm/vg1-mate) is dependent on the system. It has ls set prefix=(lvm/vg1-mate)/boot/grub ``` +Note that above example assume the root volume format is usual one ( ex: ext4, jfs, xfs ). If the root volume is formatted by btrfs, above prefix doesn't work, it should contain the sub-volume name in the path : +``` +ls +set prefix=(lvm/vg1-mate)/@/boot/grub +``` Then, the third step is the same with the BIOS systems. 
From e1e67af67c92ed2eca4cc304dbe45971b1715b1e Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sat, 17 Jul 2021 14:40:35 +0900 Subject: [PATCH 05/18] Correct spell. --- appnote/an01_howtorecover.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appnote/an01_howtorecover.md b/appnote/an01_howtorecover.md index 563fbc0..4e17132 100644 --- a/appnote/an01_howtorecover.md +++ b/appnote/an01_howtorecover.md @@ -45,7 +45,7 @@ Following is the example. The (lvm/vg1-mate) is dependent on the system. It has ls set prefix=(lvm/vg1-mate)/boot/grub ``` -Note that above example assume the root volume format is usual one ( ex: ext4, jfs, xfs ). If the root volume is formatted by btrfs, above prefix doesn't work, it should contain the sub-volume name in the path : +Note that above example assumes the root volume format is usual one ( ex: ext4, jfs, xfs ). If the root volume is formatted by btrfs, above prefix doesn't work. The path name should contain the sub-volume name : ``` ls set prefix=(lvm/vg1-mate)/@/boot/grub From d5e113259fcd9e3732f8d6359e7571db661954d1 Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sat, 17 Jul 2021 15:05:43 +0900 Subject: [PATCH 06/18] Refactoring: Sourcing config.sys is not needed in the chrooted_job #25 --- CHANGELOG.md | 1 + script/lib/chrooted_job_ubuntu.sh | 4 ---- script/lib/chrooted_job_void.sh | 4 ---- 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9282be0..fe0908a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ Record of the modification in project development. ## [Unreleased] - yyyy-mm-dd ### Added ### Changed +- [Issue 25 : Refactoring: Sourcing config.sys is not needed in the chrooted_job](https://github.com/suikan4github/kaiten-yaki/issues/25) - [Issue 26 : Update AN01 for btrfs](https://github.com/suikan4github/kaiten-yaki/issues/26) ### Deprecated 
diff --git a/script/lib/chrooted_job_ubuntu.sh b/script/lib/chrooted_job_ubuntu.sh index 2d953ca..6d8cd57 100644 --- a/script/lib/chrooted_job_ubuntu.sh +++ b/script/lib/chrooted_job_ubuntu.sh @@ -1,9 +1,5 @@ #!/bin/bash -# Include configuration. This sript file have to be executed at Kaiten-yaki/script dir -# shellcheck disable=SC1091 -source config.sh - # Create a key file for LUKS and register it as contents of the initramfs image function chrooted_job() { # Mount the rest of partitions by target /etc/fstab diff --git a/script/lib/chrooted_job_void.sh b/script/lib/chrooted_job_void.sh index 2d50a73..9ce0c82 100644 --- a/script/lib/chrooted_job_void.sh +++ b/script/lib/chrooted_job_void.sh @@ -1,9 +1,5 @@ #!/bin/bash -# Include configuration. This sript file have to be executed at Kaiten-yaki/script dir -# shellcheck disable=SC1091 -source config.sh - # Create a key file for LUKS and register it as contents of the initramfs image function chrooted_job() { # Mount the rest of partitions by target /etc/fstab From fd6663d2f300115efe4b0e09bcda6532e535482b Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sat, 17 Jul 2021 16:00:03 +0900 Subject: [PATCH 07/18] Add btrfs support in the README. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b22dc3a..68a318c 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ The followings are the list of functionalities: - Automatic detection of BIOS/EFI firmware and create MBR/GPT, respectively. - Create an EFI partition, if needed. - Support multiple boot in a LUKS partition. +- Support btrfs in addition to the major file systems. - The "/boot" is located in the same logical volume as the "/". - The swap logical volume is located inside the encrypted volume. - You need to type a passphrase only once in the boot sequence. From 36acfe505bedb684e921bd5245cde63f74dea2f9 Mon Sep 17 00:00:00 2001 
From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sun, 18 Jul 2021 21:11:26 +0900 Subject: [PATCH 08/18] Removed Y/N confirmation Eliminates the confirmation dialog Issue #27 --- script/lib/common.sh | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/script/lib/common.sh b/script/lib/common.sh index ed5be7d..7b022e0 100644 --- a/script/lib/common.sh +++ b/script/lib/common.sh @@ -61,42 +61,8 @@ function confirmation(){ "${LVROOTNAME}" uses ${LVROOTSIZE} of the LVM volume group. Are you sure to install? [Y/N] HEREDOC - read -r YESNO - if [ "${YESNO}" != "Y" ] && [ "${YESNO}" != "y" ] ; then - cat <<- HEREDOC - ...Installation process terminated.. - HEREDOC - return 1 # with error status - fi # if YES - # For sure ask to erase. - if [ "${ERASEALL}" -ne 0 ] ; then - echo "Are you sure you want to erase entire \"${DEV}\"? [Y/N]" - read -r YESNO - if [ "${YESNO}" != "Y" ] && [ "${YESNO}" != "y" ] ; then - cat <<-HEREDOC - ...Check your config.sh. The variable ERASEALL is ${ERASEALL}. - - ...Installation process terminated.. - HEREDOC - return 1 # with error status - fi # if YES - fi # if erase all - - # For sure ask to overwrite. - if [ "${OVERWRITEINSTALL}" -ne 0 ] ; then - echo "Are you sure you want to overwrite \"${LVROOTNAME}\" in \"${VGNAME}\"? [Y/N]" - read -r YESNO - if [ "${YESNO}" != "Y" ] && [ "${YESNO}" != "y" ] ; then - cat <<-HEREDOC - ...Check your config.sh. The variable OVERWRITEINSTALL is ${OVERWRITEINSTALL}. - - ...Installation process terminated.. - HEREDOC - return 1 # with error status - fi # if YES - fi # if overwrite # ----- Set Passphrase ----- # Input passphrase From 8bf48b9b0c2c03efc2f558259369e24c906a50b4 Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sun, 18 Jul 2021 21:53:48 +0900 Subject: [PATCH 09/18] Refine the parameter printing. --- script/lib/common.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) 
diff --git a/script/lib/common.sh b/script/lib/common.sh index 7b022e0..6e4c6ea 100644 --- a/script/lib/common.sh +++ b/script/lib/common.sh @@ -57,11 +57,21 @@ function confirmation(){ # For surre ask the your config.sh is edited cat <<- HEREDOC - The destination logical volume label is "${LVROOTNAME}" - "${LVROOTNAME}" uses ${LVROOTSIZE} of the LVM volume group. - Are you sure to install? [Y/N] + LUKS volume partition : ${DEV}${CRYPTPARTITION} + LUKS volume name : "${CRYPTPARTNAME}" + Volume group name : "${VGNAME}" + Root volume name : "${VGNAME}-${LVROOTNAME}" + Swap volume name : "${VGNAME}-${LVSWAPNAME}" + Size of "${VGNAME}-${LVROOTNAME}" : ${LVROOTSIZE} HEREDOC + if [ "${ERASEALL}" -ne 0 ] ; then + echo "Going to erase entire disk ${DEV}." + elif [ "${OVERWRITEINSTALL}" -ne 0 ] ; then + echo "Going to overwrite the logical volume \"${VGNAME}-${LVROOTNAME}\"." + else + echo "Going to create a new logical volume \"${VGNAME}-${LVROOTNAME}\"." + fi # ----- Set Passphrase ----- From 73c2e1e2e222ad918d4a2a673b6e2b515008583b Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sun, 18 Jul 2021 21:59:43 +0900 Subject: [PATCH 10/18] Update the INSTALL.md and CHANGELOG.md Eliminates the confirmation dialog #27 --- CHANGELOG.md | 1 + INSTALL.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe0908a..bdf0fc5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Record of the modification in project development. ### Changed - [Issue 25 : Refactoring: Sourcing config.sys is not needed in the chrooted_job](https://github.com/suikan4github/kaiten-yaki/issues/25) - [Issue 26 : Update AN01 for btrfs](https://github.com/suikan4github/kaiten-yaki/issues/26) +- [Issue 27 : Eliminates the confirmation dialog](https://github.com/suikan4github/kaiten-yaki/issues/27) ### Deprecated ### Removed diff --git a/INSTALL.md b/INSTALL.md index b0b01bd..991dc4c 100644 --- a/INSTALL.md 
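Review bot: With the Y/N prompts removed in the previous commit, the `ERASEALL` branch added here only prints `Going to erase entire disk ${DEV}.` and falls through, so a stale `ERASEALL=1` left in config.sh now wipes the whole device with no chance to stop; the function is still named confirmation() but no longer confirms anything. A minimal guard that keeps the non-interactive flow for the normal case is one prompt on the destructive path only: `read -r -p "Type the device name (${DEV}) to confirm erasing it: " reply` followed by `[ "${reply}" = "${DEV}" ] || return 1`, and the same consideration applies, less severely, to the `OVERWRITEINSTALL` branch. If running without any prompt is intentional, the header comment (`# For surre ask the your config.sh is edited`) should say so and have its typo fixed. confirmation() continues outside the hunk.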
+++ b/INSTALL.md @@ -142,7 +142,7 @@ In the case of Void Linux ```bash source void-kaiten-yaki.sh ``` -After several interactive confirmations, Kaiten-yaki will ask you to input a passphrase. This passphrase will be applied to the encryption of the LUKS volume. Make sure you use identical passphrases between all installations of the distributions in a computer. Otherwise, the install process terminates with an error, except the first distribution installation. +After printing the configuration parameters, Kaiten-yaki will ask you to input a passphrase. This passphrase will be applied to the encryption of the LUKS volume. Make sure you use identical passphrases between all installations of the distributions in a computer. Otherwise, the install process terminates with an error, except the first distribution installation. ## Second stage : GUI/TUI installer After the first script finishes, the GUI/TUI installer starts automatically. Configure it as usual and run it. Ensure you map the following correctly. From e0ff77c549e3e2b0bb80ccfb63d034aa8d7680a6 Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Wed, 21 Jul 2021 05:44:21 +0900 Subject: [PATCH 11/18] Explain the target is AMD64 explicitly. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 68a318c..f8b43aa 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Kaiten-yaki: Full disk encryption install script for Linux -Kaiten-yaki is a script set to install Linux to your desktop system. With these scripts, you can install Ubuntu/Void Linux to an encrypted partition easily. +Kaiten-yaki is a script set to install Linux to your AMD64 desktop system. With these scripts, you can install Ubuntu/Void Linux to an encrypted partition easily. The followings are the list of functionalities: - Ubuntu and Void Linux. From 00d506a017f68709f1cfac36094d83bca80024c7 Mon Sep 17 00:00:00 2001 
From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Wed, 21 Jul 2021 09:27:45 +0900 Subject: [PATCH 12/18] Removed applicaiton notes. Move application notes to Wiki Issue #28 --- CHANGELOG.md | 2 + README.md | 7 +-- appnote/an01_howtorecover.md | 67 ------------------------- appnote/an02_keyslot.md | 83 ------------------------------- appnote/an03_itertime.md | 48 ------------------ appnote/an04_favoritepartition.md | 44 ---------------- 6 files changed, 4 insertions(+), 247 deletions(-) delete mode 100644 appnote/an01_howtorecover.md delete mode 100644 appnote/an02_keyslot.md delete mode 100644 appnote/an03_itertime.md delete mode 100644 appnote/an04_favoritepartition.md diff --git a/CHANGELOG.md b/CHANGELOG.md index bdf0fc5..02d25ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ Record of the modification in project development. ### Deprecated ### Removed +- [Issue 28 : Move application notes to Wiki](https://github.com/suikan4github/kaiten-yaki/issues/28) + ### Fixed - [Issue 24 : Fail to install the ubuntu when the / volume is btrfs](https://github.com/suikan4github/kaiten-yaki/issues/24) diff --git a/README.md b/README.md index f8b43aa..52ccfa9 100644 --- a/README.md +++ b/README.md 
@@ -48,11 +48,8 @@ If you install two or more Void Linux into the EFI system, only the last one can # Variants considerations Ubuntu has several variants ( flavors ). While while only the MATE flavor is tested, other flavors may work correctly as far as it uses Ubiquity installer. -# Application notes -- [AN01 : How to recover from the mistyping of the passphrase](appnote/an01_howtorecover.md) -- [AN02 : Managing LUKS key slots](appnote/an02_keyslot.md) -- [AN03 : The ITERTIME parameter and vulnerability](appnote/an03_itertime.md) -- [AN04 : How to make LUKS volume to the favorite partition](appnote/an04_favoritepartition.md) +# Other resources +See [Wiki](wiki/) for the application notes and the useful links. # Acknowledgments These scripts are based on the script by [myn's diary](https://myn.hatenablog.jp/entry/install-ubuntu-focal-with-lvm-on-luks). That page contains rich information, hint, and techniques around the encrypted volume and Ubiquity installer. diff --git a/appnote/an01_howtorecover.md b/appnote/an01_howtorecover.md deleted file mode 100644 index 4e17132..0000000 --- a/appnote/an01_howtorecover.md +++ /dev/null 
@@ -1,67 +0,0 @@ -# AN01 : How to recover from the mistyping of the passphrase -The mistyping of the passphrase is painful, in the full disk encrypted Linux. - -In the usual encrypted Ubuntu install by Ubiquity, mistyping disk passphrase is warned by the kernel, and prompted to re-type. But in the full encrypted system, the user sees a boring message and command prompt. Usually, the user just gives up and reboot. It adds tens of second to reboot, and discourage the user to use a long passphrase. - -![bios](../image/an01_bios.png) - -This application note explains how to recover from this condition, quickly. - -# BIOS system -In the BIOS system, the recovery is pretty easy. - -In the case of the mistyping passphrase, GRUB goes into rescue mode. The user can recover by 3 commands from this mode. - -``` -cryptomount -a -insmod normal -normal -``` - -The **cryptomount** command tries to mount the encrypted partition specified by parameter. To mount it, GRUB prompts the user to type the passphrase. The "-a" option means all encrypted partitions. If the system is encrypted by Kaiten-yaki, it has only one encrypted LUKS partition. So, this is the easiest way. - -The **insmod** command loads a GRUB command module from the mounted storage and inserts it into the command list. The second line loads the "normal" command which displays the normal menu to the user. - -Finally, **normal** command shows the normal boot menu to the user. - -Now, the user can select the system to boot as usual. - -# EFI system -In the EFI system, recovery needs extra steps compared to the BIOS system. - -Unlike the BIOS system, GURB is not in the rescue mode but the normal mode, when the passphrase is mistyped. So, the user can use command completion. This is better than the BIOS system. - -The first step of the recovery is the same with the BIOS system. -``` -cryptomount -a -``` -Again, in the EFI system, the user can use the command completion by pressing the [TAB] key. 
- -The second step is unique in the EFI system. The user can check the list of volumes existing in the system by **ls** command. The ls command allows the user can identify which volume contains the grub menu. And then, the user picks the right volume and assign it to the **prefix** variable, with the grub path. - -Following is the example. The (lvm/vg1-mate) is dependent on the system. It has to be substituted by the appropriate volume name for each system. - -``` -ls -set prefix=(lvm/vg1-mate)/boot/grub -``` -Note that above example assumes the root volume format is usual one ( ex: ext4, jfs, xfs ). If the root volume is formatted by btrfs, above prefix doesn't work. The path name should contain the sub-volume name : -``` -ls -set prefix=(lvm/vg1-mate)/@/boot/grub -``` - -Then, the third step is the same with the BIOS systems. - -``` -insmod normal -normal -``` -Following is the screenshot of the command sequence to recover the mistyping of the passphrase. - -![bios](../image/an01_efi.png) - -## Conclusion -In the full disk encrypted system, mistyping of the passphrase is more painful than the partially encrypted system. The user can overcome this situation with several steps of commands and can show the normal boot menu. - -![bios](../image/an01_normal.png) diff --git a/appnote/an02_keyslot.md b/appnote/an02_keyslot.md deleted file mode 100644 index 525554f..0000000 --- a/appnote/an02_keyslot.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# AN02 Managing LUKS key slots -If somebody wants to install two or three distributions into a system, Kaiten-yaki works perfectly. There is no problem at all. - -On the other hand, some extreme cases like installing distributions as many as possible, or repeating the overwrite installation unveils the limitation of the number of the LUKS key slots. The user must understand and must manage the LUKS key slots well, to handle these cases. - -This application note explains the limitations and difficulties that come from the number of LUKS key slots, and how to overcome that limitation( if possible ). - -# The LUKS key slots -The LUKS volume has 8 key slots which can stores one key hash value. In other words, the user can use 8 different keys to open a LUKS volume. - -In this context, the "user" is not limited to a human being. Any software can use a passphrase to open a LUKS volume. Thus, even only one person uses a computer, multiple key slots may be used. - -If an user ( or software ) feeds a passphrase to open a LUKS volume, the management software ( dm-crypt library ) scans key slots and check whether there is a matching slot or not. If there is a slot in which the stored hash value matches with the hash value of the given passphrase, that passphrase is the right one. - -# How Kaiten-yaki uses the LUKS key slots -Kaiten-yaki uses N+1 LUKS key slots to install the N distributions in a system ( where N is an integer ). - -Whenever Kaiten-yaki creates a LUKS volume, it registers a passphrase typed by the user. This passphrase is stored in the key slot 0. So, when the user types his passphrase correctly at boot time, its hash will be matched with the hash value in slot 0, by default. - -In addition to the user passphrase, Kaiten-yaki uses one key slot to register the passphrase to let the Linux kernel open the LUKS volume. This passphrase is different from the user passphrase. Actually, this passphrase is random binary brock generated by /dev/random. 
This key is stored in the file under /etc/luks. Even somebody watches its value over the shoulder of a user, the risk is small because it is difficult to read for a human being. - -Anyway, this usage defines the maximum number of Linux installed in a system. That is 7 if all are installed by Kaiten-yaki. If a user try to install the 8th distribution in a LUKS volume with Kaiten-yaki, it will fail because there is no vacant LUKS key slot. -# Overwrite installation -The overwrite installation is another case that consumes a LUKS key slot. - -if the variable OVERWITEINSTALL in config.sh is set to 1, Kaiten-yaki just overwrites an existing logical volume in the LUKS volume. Also, in this case, Kaiten-yaki registers a new key file for the new installation. Thus, while the number of the installed Linux is the same, the number of the used LUKS key slot is increased. - -Eventually, the user fails to install even the installed Linux is small like 2 or 3, if there is not vacant LUKS key slot. -# Managing key slots -Some users may want to delete a key slot to install another distribution. In this case, they must know which LUKS key slots are used or not. - -This section explains how to investigate the used slots. - -First of all, user can list the status of the all LUKS key slots. The example of this command is shown below. Slot 0, 1, and 2 are occupied : -``` -takemasa@mate-vm:~$ sudo cryptsetup luksDump /dev/sda2 | grep -i bled -Key Slot 0: ENABLED -Key Slot 1: ENABLED -Key Slot 2: ENABLED -Key Slot 3: DISABLED -Key Slot 4: DISABLED -Key Slot 5: DISABLED -Key Slot 6: DISABLED -Key Slot 7: DISABLED -``` -If there is still a vacant LUKS key slot, the user can install another distribution without deleting the existing slot. But if there is not vacant LUKS key slot at all, the user must delete an occupied but unused slot. To know such a slot, the user must mark all the occupied and used slots. - -First of all, check the LUKS key slot for the user passphrase. 
Run the followings command. -```sh -cryptsetup -v --test-passphrase luksOpen /dev/sdXN -``` -Where X is a, b, c..., N is 1, 2, 3... - -The command will prompt to type the passphrase to decrypt. If the user types the correct passphrase, the command shows the key slot number of that passphrase. The followings are the example : -``` -takemasa@mate-vm:~$ sudo cryptsetup -v --test-passphrase luksOpen /dev/sda2 -Enter passphrase for /dev/sda2: -Key slot 0 unlocked. -Command successful. -``` -We can see the slot 0 is used. - -Next, run the following command **for each** installation of distribution. This command shows the slot number which stores the key of the passphrase file passing to the kernel. /etc/luks/boot_os.keyfile is created by Kaiten-yaki, during the installation - -```sh -sudo cryptsetup -v --test-passphrase luksOpen /dev/sdXN --key-file /etc/luks/boot_os.keyfile -``` -Followings are the sample execution : -``` -takemasa@mate-vm:~$ sudo cryptsetup -v --test-passphrase luksOpen /dev/sda2 --key-file /etc/luks/boot_os.keyfile -Key slot 2 unlocked. -Command successful. -``` -By repeating this command inside all installations, the user can list up the occupied and used slots. The other slots are occupied but not used. - -Finally, the user can delete the appropriate occupied but not used LUKS key slot by the following command. -```sh -sudo cryptsetup luksKillSlot /dev/sdXN key_slot_number_to_delete -``` -# Conclusion -For the typical case like installing 2 or 3 distributions in a system, there is no problem to use Kaiten-yaki, at all. - -But if users want to install as many as possible, or repeat the overwrite install, they must understand the number of the LUKS key slots. \ No newline at end of file diff --git a/appnote/an03_itertime.md b/appnote/an03_itertime.md deleted file mode 100644 index 2d440a8..0000000 --- a/appnote/an03_itertime.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# AN03 The ITERTIME parameter and vulnerability -The ITERTIME configuration parameter in the config.sh can provide a better user experience during the passphrase input. It can reduce the pain of the longer passphrase and encourage users to use longer passphrases. - -On the other hand, it may pull a vulnerability. - -The followings are the consideration around the ITERTIME parameter. - -## The passphrase experience -Let's assume there is a Ubuntu desktop system in which the disk was encrypted by Ubiquity installer without Kaiten-yaki. In this system, the /boot partition is installed as a separate and un-encrypted state. So, the Linux kernel file is not protected. - -If the user mistyped the passphrase at boot, Ubuntu prompts to type a passphrase again. There is no pain. It just asks. - -Now, let's see what's happen if a user mistyped the passphrase on the system which was installed by Kaiten-yaki. It takes a very wrong time to see the error message. And the system doesn't prompt to type again ( The prompt issue is discussed in the [AN01](an01_howtorecover.md) ). Especially, the more number of the installations in a system makes the longer duration till the error message. Sometimes this is unbearable pain to the user. - -This kind of pain de-motivates users to use a long passphrase, because the longer passphrase causes more mistypes. As a result, some users may use the shorter passphrase. The bad user experience of passphrase input may help the malicious attackers. - -## Why the full disk encryption is so slow at passphrase input -GRUB is the root cause of this slow user passphrase matching. - -The passphrase is hashed and stored to LUKS key slot when a LUKS volume is created ( or, a new passphrase is added ). The stored hash value is not simple. The cryptsetup command makes hash value from the user passphrase. And then, create the next hash from this hash. And then, create a third hash from the 2nd hash, so on. 
This repeating is named [key stretching](https://en.wikipedia.org/wiki/Key_stretching). - -The key stretching technique enforces malicious attackers to use more computation resources on the brute force attacking. The more stretching iteration times require the more resources to attack. - -Of course, there is a balance and security strength. By default, the cryptsetup command takes the iteration needing 1 sect to calculate the passphrase hash, for the LUKS1 format. This sounds like a good balance. The cryptsetup runs on Linux when it calculates the appropriate iteration of key stretching. So, there is no problem if Linux challenges user passwords. It will take about 1 sec, by default on the Linux system. 1 second is acceptable for almost users. - -But there is a pitfall. On the full disk encryption system by Kaiten-yaki, the /boot is encrypted. So, to load the Linux kernel, GRUB has to decrypt the LUKS volume. That means GRUB has to calculate the passphrase hash. Unfortunately, this calculation is slower than Linux's one. Thus the user has to wait longer than 1 second. - -The duration by GRUB to calculate the passphrase hash value is up to the system. It depends on the CPU. Also, In addition to this slow hashing, GRUB has to scan all used key slots when the user mistyped. For example, if 3 distributions are installed in a LUKS volume by Kaiten-yaki, 4 key slots are used. Thus, if it takes 10 seconds to challenged one hash by GRUB, this system takes 40seconds to show "The wrong password". - -This is the mechanism of the slow response at the passphrase input. -## The key stretching, the --iter-time parameter, and the vulnerability -Kaiten-yaki can relax this pain by ITERTIME configuration parameter in config.sh. This parameter is passed to the cryptsetup command as --iter-time parameter. - -By setting 1000 to the ITERTIME, cryptsetup takes the key stretching iteration cycle to take 1000 milliseconds. By setting 100, it will be 100 milliseconds. 
It is believed the default value of --iter-time is 1000 ( Its compile default ). Thus, choosing 100 as ITERTIME shorten the duration to the "Wrong password" from 40 seconds to 4 seconds, in the above example. This sounds acceptable. - -On the other hand, the smaller ITERTIME is the weaker to the bute force attack. It is assumed the strength of the passphrase hash is linear to the ITERTIME parameter ( --iter-time parameter of cryptsetup ). - -## The longer passphrase vs. longer key stretching -While the passphrase hash strength is considered linear to the key stretching iteration, the passphrase strength is exponential to its length. - -There many discussions on the strength of the passphrase. Simply speaking, Adding one alphabet ( a-z ) may expand its strength 26 times. That is why the long passphrase is very important. - -The 1/10 strength of the key stretching can be covered by adding 1 character to the passphrase. - -## Conclusion -The full disk encryption will give big pain to the user at the passphrase input phase. It seems to be reasonable to use the smaller ITERTIME ( --iter-time ) parameter to encourage the user to use the longer passphrase like 20 letters, from the viewpoint of security. - -The security policy is up to the people, community, and mission. The consideration here assumed the desktop PC as a hobby. For mission-critical usage, the user should consult security experts. \ No newline at end of file diff --git a/appnote/an04_favoritepartition.md b/appnote/an04_favoritepartition.md deleted file mode 100644 index 8ef4b61..0000000 --- a/appnote/an04_favoritepartition.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# AN04 How to make LUKS volume to the favorite partition -Kaiten-yaki creates the LUKS volume on the 1st partition for the BIOS system ( 2nd partition for the EFI system ) by default. Also, Kaiten-yaki assigns all space for the LUKS volume, except the space for the EFI partition. - -This application note explains how to use the favorite partition with favorite size for LUKS volume. - -## Step 1: Making partitions -To use custom partitioning, the user must create all partitions by themselves. The user can do it with the popular partitioning tool like gparted. It is recommended to set the partition table as MBR and GPT for BIOS and EFI systems, respectively. - -In this documentation, we assume the user wants to use /dev/sda5 as LUKS partition to install Ubuntu, as example. -## Step 2: Configuration -Next user must configure the config.sh. - -The first parameter to edit is **DEV** parameter which represents the target device. In this example, it must be set as /dev/sda. -```sh -export DEV="/dev/sda" -``` -The second parameter to edit is **CRYPTPARTITION**. By default, this parameter is set automatically according to the firmware type. The EFIPARTITION parameter can be left untouched. This parameter is not used. -```sh -if [ ${ISEFI} -ne 0 ] ; then -# EFI firmware -export EFIPARTITION=1 -export CRYPTPARTITION=5 -else -# BIOS firmware -export CRYPTPARTITION=5 -fi # EFI firmware -``` -Makes sure the **ERASEALL** and **OVERWRITEINSTALL** are 0. -## Step 3: Make LUKS partition -After saving the customer config.sh, run the following command to set the environment variable. -```sh -source config.sh -``` -Then, run the following command to create a LUKS volume. -```sh -cryptsetup luksFormat --iter-time "${ITERTIME}" --type=luks1 "${DEV}${CRYPTPARTITION}" -``` -This command sets up the LUKS volume on the specified partition. This command also asks for the passphrase of this LUKS volume. 
-## Step 4: Run Kaiten-yaki -Now, it's a time to run Kaiten-yaki -```sh -source kaiten-yaki-ubuntu -``` -All other operations are same with usual install. \ No newline at end of file From f92e09229583c3f27ce813d1742015e266c756f4 Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Wed, 21 Jul 2021 09:31:55 +0900 Subject: [PATCH 13/18] Fixed link to wiki. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 52ccfa9..3626ff6 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ If you install two or more Void Linux into the EFI system, only the last one can Ubuntu has several variants ( flavors ). While while only the MATE flavor is tested, other flavors may work correctly as far as it uses Ubiquity installer. # Other resources -See [Wiki](wiki/) for the application notes and the useful links. +See [Wiki](https://github.com/suikan4github/kaiten-yaki/wiki) for the application notes and the useful links. # Acknowledgments These scripts are based on the script by [myn's diary](https://myn.hatenablog.jp/entry/install-ubuntu-focal-with-lvm-on-luks). That page contains rich information, hint, and techniques around the encrypted volume and Ubiquity installer. From 47bfcac6ccb76100de2db30099e52c8e7b671f37 Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Wed, 21 Jul 2021 21:14:59 +0900 Subject: [PATCH 14/18] Refinet the configuration parameter display --- script/lib/common.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/script/lib/common.sh b/script/lib/common.sh index 6e4c6ea..cd0365c 100644 --- a/script/lib/common.sh +++ b/script/lib/common.sh 
@@ -61,8 +61,10 @@ function confirmation(){
 LUKS volume name : "${CRYPTPARTNAME}"
 Volume group name : "${VGNAME}"
 Root volume name : "${VGNAME}-${LVROOTNAME}"
+ Root volume size : "${LVROOTSIZE}"
 Swap volume name : "${VGNAME}-${LVSWAPNAME}"
- Size of "${VGNAME}-${LVROOTNAME}" : ${LVROOTSIZE}
+ Swap volume size : "${LVSWAPSIZE}"
+ --iter-time parameter : ${ITERTIME}
 HEREDOC
 
 if [ "${ERASEALL}" -ne 0 ] ; then
From 44bb28e50a54d2d1bcd3d2ee6c573418c68f11b7 Mon Sep 17 00:00:00 2001
From: Suikan <26223147+suikan4github@users.noreply.github.com>
Date: Fri, 23 Jul 2021 08:17:47 +0900
Subject: [PATCH 15/18] Refine the INSTALL.md
---
 INSTALL.md | 35 ++++++++++++++++++-----------------
 image/an01_bios.png | Bin 5718 -> 0 bytes
 image/an01_efi.png | Bin 10519 -> 0 bytes
 image/an01_normal.png | Bin 7280 -> 0 bytes
 4 files changed, 18 insertions(+), 17 deletions(-)
 delete mode 100755 image/an01_bios.png
 delete mode 100755 image/an01_efi.png
 delete mode 100755 image/an01_normal.png
diff --git a/INSTALL.md b/INSTALL.md
index 991dc4c..a4ef2d6 100644
--- a/INSTALL.md
+++ b/INSTALL.md
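Review bot: The added `--iter-time parameter : ${ITERTIME}` line is the only entry in this heredoc that prints its value without the surrounding double quotes every other line uses, including the new `Root volume size : "${LVROOTSIZE}"` and `Swap volume size : "${LVSWAPSIZE}"`, so the confirmation output will look inconsistent. Writing it as `--iter-time parameter : "${ITERTIME}"` keeps the display uniform with the rest of the block. confirmation's body continues outside the hunk.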
@@ -9,31 +9,32 @@ You can execute the install script without the command line parameter. For examp ```sh source ubuntu-kaiten-yaki.sh ``` -The first stage of the script is preparation like: erasing a disk, format partition, and encryption. This is the most critical stage of the entire installation process. This part is controlled by the configuration parameter. Thus, you have to edit the config.txt carefully. +The first stage of the script is preparation like: erasing a disk, format partition, and encryption. This is the most critical stage of the entire installation process. This part is controlled by the configuration parameter. Thus, you have to edit the config.sh carefully. In the second stage, the distribution-dependent GUI/TUI installer is invoked from the running script. That is the Ubiquity/void-installer of Ubuntu/Void Linux, respectively. -The third configure the target Linux system to decrypt the encrypted volume automatically, without prompting user to type passphrase. In this stage, Everything is automatic. +The third stage configures the target Linux system to decrypt the encrypted volume automatically, without prompting user to type passphrase. In this stage, Everything is automatic. # Installation Follow the steps below. ## Shell preparation -First of all, promote the shell to root. Almost of the procedure in the installation requires root privilege. Note that the scripts require Bash. +First of all, promote the shell to root. Kaiten-yaki script requires root permission to edit the storage device. Note that the scripts require Bash as shell. In the case of Ubuntu installation: -```bash +```sh # Promote to the root user sudo -i /bin/bash ``` In the case of Void Linux installation: -```bash +```sh +# Promote to the root user sudo -i /bin/bash xbps-install -Su xbps nano ``` -The nano is an editor package to configure the config.txt. The choice of editor is up to you. Kaiten-yaki script doesn't have a dependency on nano editor. 
+The nano is an editor package to configure the config.sh. The choice of editor is up to you. Kaiten-yaki script doesn't have a dependency on nano editor. And then, go to the kaiten-yaki/script directory. -```bash +```sh cd /the/downloaded/directory/kaiten-yaki/script ``` Now, ready to configure. @@ -43,13 +44,13 @@ This is a very critical part of the installation. The configuration parameters a Followings are the set of the default settings of the parameters : - Install to **/dev/sda** (DEV). - Do not erase the entire disk (ERASEALL). -- Overwrite install is disabled. +- Do not overwrite the existing logical volume (OVERWRITEINSTALL). - In the case of EFI firmware, 200MB is allocated to the EFI partition (EFISIZE). - Create a logical volume group named "vg1" in the encrypted volume (VGNAME) - Create a swap logical volume named "swap" in the "vg1". The size is 8GB (LVSWAPNAME,LVSWAPSIZE) - Create a logical volume named **"anko"** as root volume, in the "vg1". The size of the new volume is the **50%** of the free space (LVROOTNAME, LVROOTSIZE). -```bash +```sh # Configuration parameters for Kaiten-Yaki # Storage device to install the linux. 
@@ -120,11 +121,11 @@ And set the following parameters as same as the previous installation. - VGNAME - CRYPTPARTNAME -Kaiten-yaki will leave the "bad" logical volume and allow you to overwrite it by GUI/TUI installer. +Kaiten-yaki will leave the LUKS encrypted partition and allow you to overwrite the "bad" logical volume by GUI/TUI installer. ### About ITERTIME parameter This parameter is recommended to left as default value (=0), unless you understand what it mean well. -The ITERTIME parameter is passed as --iter-time parameter to the [cryptosetup command](https://man7.org/linux/man-pages/man8/cryptsetup.8.html), when script setup the LUKS crypto volume. +The ITERTIME parameter is passed as --iter-time parameter to the [cryptosetup command](https://man7.org/linux/man-pages/man8/cryptsetup.8.html), when script setup the LUKS crypto volume. See [AN03](https://github.com/suikan4github/kaiten-yaki/wiki/AN03:-The-ITERTIME-parameter-and-vulnerability) The unit of value is milliseconds. The target linux kernel may take this duration, to calculate a hash value from the given passphrase. You can change this duration through this parameter. 
@@ -134,15 +135,15 @@ The smaller value gives the weaker security. After you set the configuration parameters correctly, execute the following command from the shell. Again, you have to be promoted as the root user, and you have to use Bash. In the case of Ubuntu : -```bash +```sh source ubuntu-kaiten-yaki.sh ``` In the case of Void Linux -```bash +```sh source void-kaiten-yaki.sh ``` -After printing the configuration parameters, Kaiten-yaki will ask you to input a passphrase. This passphrase will be applied to the encryption of the LUKS volume. Make sure you use identical passphrases between all installations of the distributions in a computer. Otherwise, the install process terminates with an error, except the first distribution installation. +After printing the configuration parameters, Kaiten-yaki will prompt you to input a passphrase. This passphrase will be applied to the encryption of the LUKS volume. Make sure you use identical passphrases between all installations of the distributions in a computer. Otherwise, the install process terminates with an error, except the case of the ERASEALL configuration parameter is 1. ## Second stage : GUI/TUI installer After the first script finishes, the GUI/TUI installer starts automatically. Configure it as usual and run it. Ensure you map the following correctly. 
@@ -152,12 +153,12 @@ Target Directory | Host Volume | Comment / | /dev/mapper/vg1-ubuntu | Host volume name is up to your configuration parameter. swap | /dev/mapper/swap | Only the first distribution installation requires this mapping. -During the GUI/TUI installer copying files, Kaiten-yaki modifies the /etc/default/grub of the target system. This is the pretty dirty way. But if we don't modify this file, GUI/TUI installer fails at last. +During the GUI/TUI installer copying files, Kaiten-yaki modifies the /etc/default/grub of the target system. This is a pretty dirty way. But if we don't modify this file, GUI/TUI installer fails at last. ![Ubuntu Partitioning](image/ubuntu_partitioning.png) ![Void Partitioning](image/void_partitioning.png) -## Do not reboot +### Do not reboot At the end of the GUI/TUI installing, do not reboot the system. Click "Continue" and just exit the GUI/TUI installer without rebooting. Otherwise, we cannot finalize the entire installation process. ![Ubuntu done](image/ubuntu_done.png) @@ -166,7 +167,7 @@ At the end of the GUI/TUI installing, do not reboot the system. Click "Continue" ## Third stage: Finalizing After GUI/TUI installer quits without rebooting, the final part of the install process automatically starts. -In this section, Kaiten-yaki put the encryption key of the LUKS volume into the ramfs initial stage to allow the Linux kernel to decrypt the LUKS partition which contains root logical volume. Thus, the system will ask you passphrase only once when GRUB starts. +In this section, Kaiten-yaki put the encryption key of the LUKS volume into the initramfs image to allow the Linux kernel decrypting the LUKS partition which contains root logical volume. Thus, the system will ask you the passphrase only once when GRUB starts. You can reboot the system if you see the "Ready to reboot" message on the console. 
diff --git a/image/an01_bios.png b/image/an01_bios.png deleted file mode 100755 index 034f2e73da997a3690aa576240190a9a07c65bfd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5718 zcmb_gc{E%5zTa(6j#F;yRE1ND9%Ip(hZ@RNQz=R$X3-+%P%}04=uxHU5maNIOG4Bb z#8C4!Mr#%k5>w4F&t7`&yX(ER-oNj=)^A>W|MvcVKi@IN*hu#pGZ!-e0N3;$Ye4|u zay?_7{>x=X|Gk_2fH7S1h3Gy4aD%tMGZsHNYZz((K*f8O)8`<@`s$0vmc9URz5PeK z)a_O5$k_bdPus#z(+Ba~&(+KG4%8Ki0A!?Oq?M%6!dcxovX6xPU>^ zOBdnEbg%q6J;BS0#rNsnn0`feRk`%j!S*zSpi^h&nwhS%6mdh4mz9{ zgvC{osno=ke|9SuW6&0@)lUo{LmfFpsAETJou|fRnQ#v#Dw(PfcQbi!gyTfs!yGou z|5OOmWI)J-j$+n@N&hmRl$xyQ<2375^IM0Le+L=~YnB=)#b!@2(PCQY1n(2>n1)G{ z*01z9a{ScX<8L}L8EDsgK7O#kB3A*W0mX_OR$G_?Uz&owQ|xc={89st`q5ObMcGTU zWOB1z>jWX)<f6-OhD*dZ5Y^g+$Fgxwmhx2eC z{CT#Hf))_coK}cYC)52peV(7_rs@GCuFe57TD5Q>X=`L-fxNgeULq(8)O|ZYP)PGM zMjc6r@(Sd`aD>ztmK|yqnJoSl=}?waUU{^`lK_#PLEiEFbVYBU&2V|lqbA8gaNl@f zH@TWrlQQ4}i^CV{grp@Gm@x>jRk)UE;+0_jvbTsRqdaMHJNm_~OQ9Iu zu$DIQlfeVOOquKgwO>*>zc8KPPcN!E(+@yib(~%Yem$9MB#BOet(?CR_wPmYrmLx8m~ez0=-MX2rkF1Er<%Chjed8L@1QfIyj zO9DS)fF5~&z#zzy!D}@|L?hbOVZ=f)i`@W1K%wDd@12X8KFu0L=il#5%Z4OI?le6w zI7jzvEOe<%os;H9Rfo4#5?WZ@4)0{|#_}nrZmjwgx7B0HQc1ssHI{|l#??sIj|X(U zZ<@+C3OE@3bHj%vp*L^4W&47g;6@UMOEgL3T|09#6Q#RyrG1pw)40hQP=nP8ffd^K z#+luEx)7q2ZFbFJQcN6H^HD}Ry@0K`_qy-_WcrPF+k5~OEGIV#x0UsEgxV!y1|7L~ zu=W@N?RAH(J*)6{sYLea1^4$79+}~L&>=2s>@*I;zb<<6=f~|Fo{qz9uxaZ?aETN5 zdyL17PKM2Z!9HUjibX}bLx=QXnHiAVvYst=zX#i%fiVe%@gKz|c({HjR3|zgMviZ2 zS8?Wg*Z;{TP%rQ!vEN^02_!Gafu^`uyZPOYZXOE?=n&~n<4RZ&={}Om79~IPtk&`# zFGJ%;%o60CnbYbzsztSRy7O~ajrvkQHU?Q2qzPAeSmzFyX``N}$RG=3tf<0@C=>a2 z9hI^yB=NfrW7itKbTyzALrhP0G<{!58nG`F?_QsY54e-sOVw0_f5a zv(3$nGD5n{d9D&~xtZ-#0w0n#a=pMDYmhzI>>z}GVpH3SaELrq#QOc6t znLS00Q?)}AuIp19v42#ZhM5iZ`FnxoG$LGS_9Q1S)#OuX=rwv95=`#R@2(aWaD2Yqxkxl&1A(~dJq4B zQJAU_-=AfYMeS6oV@sKIu?fmeITn_%v5M;%{7V~em&YmM%a8Dq?UC!W`Es_VjLn%W zD5?SS?F|H{MWJlh$KhUg6JLrxl?+n$U)J9}N#3CZX)!TCZr#+PzxxP5i`Vu0>@H`@ 
z*T3Tr?_L)>-Fka{!*P5balsuSzc+qoOv0wpE#!XImVHOq-X9C?g8qd^3e#q%eG8uI0Qr|7~#7KGwWG zq%$c8i_xnQR1|YjMYLkjXqZe=EccNV?~{8%-p_3i)JHeRg-f))^%Os=6r96WYqi%F zY3qoV1e6Lt;f_lz$oX{70*tm4((CP5!(o_Yt5QMOC|T@$TBMI0LW3tHpe(23Y9L3W zI+&KXc6Vd@YF3#U+C!0D!IJLFuz>^07#rg+pMN=PB^2YUDz=hE9t6+YuT|9DoM`)Cz zMPb1;BeP|*D?n&{Nx8=I;`4~wz(m0m3+qt?UQv|xhhw=Q*fqh6-CRf%0A_51%_cT# z6}g&O8$HMay15{20yT@Qho=R>AK3ak*+Hj`;TQ;yr3cG(?9ZHB!*R}PekUu z?oR+^aUl!5)^r|;53%{OQNl?vE2rE5np@8|k=4&Lay(EnETBx{SE+H1I2M}3qOsu; z*4}|`focl%A&5zfS-@^0u*cpLI82dtmJBRF1~C=yh|l4tKj36B+DP%3*RK7&4yWjNvOCX@o(duv3Z2_}U-PLqeY1;hIoYG`8| zlB#c*#zGtD1<&S(<@%4R-OlIX;Ot3UEC_t*m8A5Z{4Y&P0TiJms6BENH1eLpJEpvb zvnr;cBFQ6t5bV*yo^|CL;MFH_BJ=*w_qoDl$%S=XtZfURS9sGbuxB;}#H`jSKCOMq z|3W?F&(m$6g-f%eBX+Or$i*#(Nad{aZ9{PmrB27ziO=WI`M=QdAIL_uPv=VyB|Jn9 zoE~2J5_gvU`mYsSQbGTtRs^QRjXn|W>C^3)^6B1#dUG3UyM-@<8Q;fB0{rqLaU|5Bmf(MI5Tt_NVmGE4G*ckC>yGLjT*?;itdQEPRw-dLLn;+aMIc+Vt z8IO5pGr@t5c?=6kCBDbhAP3wIHiirXWZ1AZ@im>;9Lbid_*>*A`wJ%-A!MstOk5?h zHD3or>dISC5biTW#=T*gV&>I@aP>x?-tKtFDc#Uwgm1H4H%yx};=6|9YBne7MEGMp2VeN!Jd#|4gI zGJ!Rcv4jAjw(E<*IIuTUZ5{*_b<&oMhgbz#pUYoDA<%m}MDEH7(zw%u%Z-yUi*4V}!oC7NJ5&JDGuiJ@s-rQYRdxb@-j9*yRn0HoH^Y&%8Nv)zntK z%bRSP*6&aHOVFPmTy7L9sdSlR9kn=jk^%X-{CDwoUGPBU|jn$Y(T-?MfMGanmwOX!t>{YZJ?7%;<@ ze2W+1(FxAx+`>)mH`sRWKnncndOYO8MFQItty5B^Qv&m1qeguIdWTvWG>d*HEr z2!E&>@+bzQ5c}-jzg9iyRosiu`lci9+J0W`5!m(}r69)Iq_u;* zO$7@}I(^fDtr&YLOqv@8RAN_pd64C4UYfEkr++z07K-&bOVe&3GZwNGJkmY{E?Hwj zTOxU4-tZCaX3f0`C;${fkziw7_EY z`u2#vCo#skEKFP|Ft?J9r`13V~l!B zQWt;t5b8D(O2{NOT8utVEkvzl3QI!e4cP;Qj?G4Dv(4p8aa|!5i)UIsJD-#+w`_LS z%j#{5oHNWfzB-?!okl%4j-80YL|mutW144HU*duijxD}t`Jj~FdF9&j9{&;Yl5VoY zrGqS}NeTW}VQp6txJUX zn4>E>W)htY@}G9X#v4GSq^)3`h-4(mHwpQ%?z8n!q;j}1H_SW9!yM$ia^(=dZ#1`g zhyGiTWa#e9re?U80K)+P#d>sb2T*-<>Jirx+o3{r`0d}u*5Y$m)pbhQ6(FcC!oMZP zt}`Za#dCgmiU3V-m=)Iy-tj5UF31@#nI{kgQ{JYVxsNmBDw;SHwihK`wtJg^S(2kV z(_Ekc{cU8plz!7?b&z`Va6p6hRYQxJsX$k}%E*_8V`=JVy-N}VE?_IF(is$TarO~E zYdVO)KMG7`B8!%-d8(J^gct&V*Zk%ta)kS(Dh^uWn8KRm1|BG#@5DN|RZt7y7e`g~P&Ik(sZ>AU5$9R&f;wKW({XkBOsKV# 
zE%Z9Z!uSU8<$Le=ozt?~Fd}&-+H0*Y%o+c-#ZH_$^;XzCdAldJ+Wlz(Lk|=+lAf+@ zxm*DNo9{Cedg$^8*CcBpywaJ%bRpyTz`^fAtw~c7?4A(71kAoXP!rE^nNuk33AeT_ z9)f}WkY{dfT;f3yL;z5IykGiEu?-!PyWtx+BVVIBBh&P(lw!2wk=_tJTB2VPKBA*W zQpws}Z>RRbg@Ff**lz1!_^=C;zOe5ULc0O-AJT^qYQtjLrh-JmZwD9X2Pa~ta3&h{ z@_11iA8!eSG~FVqZscN@J&mN@^OmIDSh~4LGR_RT(*u`Y=(ZNFs$~YY(0=N78UOR@ zEfb@JCDrlzN3rWa#J5PS6*W$IE zK0Nuy;O)(Cjt)CX{7XeB*Yy`#!v>`#&mk}T8dZJ*W|b}m3p};=mwY$%qNj##llA3q zm+3=9DvcU%0RZpPW>s4~UXk2maH}Qd+solb2@}P?17jkcbG6jGOs=(^3CN+ZZh}wY z#d8l!q0l_9Jh`)cEk$0X)mls>PD|u=X11xkc^&{%+r73RfP}I4YRq=P9gDPzjUu(u z4)o5LStbsdA759)4$L;Kok|EJXk``01+rHgFlo>yj&i?mK-M2ji6`O{*&Ahlq%aDW z@(`GmG>UyU8HDBU5i>PRU=(Qp)o5~tUj#!GA}eB@1KBYtU}FZy&C^l zeiFp86wwkHape-_Apm?~dT_CHNA2*&^OF*m@U_dpmhH@mv#?}Q_Z?nN0I*vaZ_z^@ zJmTq2&todohjp_prGMno+n3R6jY{5x@jQVTPYD4)=x6otCD~D1W2QcQmvyJ{@0`vn z6P?%Nbx(5yi%etCu>1!Az~{Q+{%eDZXCRT(s>w6;#P_r|vs53#0*&nk0bdk@(l^aN zb5}9)j}|1p1c7ntt;=Nu?|cBzSc(ret2?Xtr*R(ld%?g1P3Ta{GAl3pkIy>`XPEt? zbE2$<>ev7&I^}^coS?7yd(XjHZa%_@@~r%Wm%c1B4F)* z0$y#}AGEC)T?K&V=@z>0LQtHkAQ5ik41BRJZuz@%KzWu_kyRNkZfE{(;9{BqEoOtEfnk$Ny z;vGkpJ9jphzG%~W-K&u8`QYOT+Q$CNN3I1vPH*W z0Ki|rfxQpx+G70)&~b8OJ^)+|2dsdw}7HXE~w@^S(f)M z@w19`+EIjdhB2fJ)#!McvFIXJJ%-Y-C+qIIN4@^}9i%Sn2uZY}46pctRKhf9iimF9 z&k=mmx4!qB_FZzo^jJ?f~I2~d{J5hm7!&3buw2q zLUR-sW_uz`U#<;tBzTTS>bk}BCGShQ z8(BXTT75LUGmR6rX;rJwNW=&B4qQZ~hhuOBVkC{J<6Rs^DT)M8XZlfvop8tLZjOXZYUI66roBg(dRh+Tjm$0(AC3l<#8<|J>Jx5dPs43SWyu9)j2iCCx0o7dkRVK1h;A{2}z3BPVEkIodz3zFiGGCJ)jmP7SE zw%S`4BSE3@+!l*9e0gm`d2RKE$ZO5arOGOq=r#M7g_ebYW<@{};S8xTZY$~gr*RQ8 zb#jL-**~)l>~B?@g$qu;^)*z>E5rEfLTu|K!HvIDz_^k0bkHcd9@a|}{nCH`94*}u zSzkc7S5sfKO;{6OQ~rFkb$PWDENq9nkb!FN&;{bENaWbR{y=ZE=5 zCv(S=>FiQu12%WWdpBY}O3-lHC97EcyL9+do~X4xRqj)z43;`I^B6_Eby(VC)1}-G zf=3+tJg9x95DmK1Jw)z-S2{1GH|=ylI*Jrmg9#7m(a)+%V8;A{W<^xY+gzr&Dx?@!~T{Utn)ZkhA^(btXFTGkUnIlhc)$(_{urrP4% zqX?^Hu^M1|#Gy<4bBp&#&A(%C!E zmRUUAXeKw3AdNpu%?oCakx?%)h!63%Z0Ejgtbv3AG&xX!FfZKV&Hh`S>ux!GXl|(zI!ezOE`SD!lFNhZz!o3Rh%qDj!G2b0;fp3{6c7 
z=B?b78O1HTVr&<>IyQmZ;n^tG|cY8EogpRbq#nelrj#>Cv3WV)q9-HO3EqLNU> z{N_=zq^2tsJ(qsFvTbkF*mm)5;(*JJ!)2(3Yl7njEsr%yW(Ls> znY71wsku#^oN8s=UdydwL!+CTAj>3-IEe?6d-S_T<5|<`Oo?t53=WK1ME2a?cf}Gz zgb+O)P1kEV)%FE$xI+6UM`?jc^e% zu#%IcBJ0bvlvlRYE%P(Wvpx{hv0OYx)xUrE=;EZxUJ6^8cFZ=PtDi^JQkA7t2mPjZ zK{$8i2Y-skh7lU97k(~pXkARH@9E`F=LfLtBolYO2Yo(do@+K~o~ljHbYl_xVtHST zZ&SajM2(*JF-MxYY3Jiq(H3w0NH%~t9OK(nN9}t znK%+^J#M_h!pI$Gn|w<8G5u`;R3%;XTbH`@27$p~%Q$zLK~U@v zIce1+^Xa|??{i~P<7rAz==iKJZ&Y7dt~p9!>k(pdbt}189lR*^Cw_|oV+d)k%X9Vw zWv~NxsD!_%HLPJ%RgELEZaV4!p(5g(NZCs7QtuDkH=y7LUsz&Wn`sask-$`4{*{C%i!RVk~X1ef{=nPv+~C0Uwn)8|Hsdc0)>Av994tGR>c?;W+N{obcAS5{(^&rMG8h6asp6Gl zqRVLSK>8kIuF)*-wodrm{Vw<+XSz%`tFOXq;1#HxjQMTCPdP&2D6QZ00b2&2qoX(S z%QS7<_`Aab>N7r5Rq@R)^aC1}FzaXkewAaDqH*efx!B7EuzMC<;?!BPA@4jG&NdK~ z*|nLM0;KN3SE0V}PiZ0+{g^AGjbW)7LVu*#HP@}Cr)v!lmk)5aG*JjW+CN>zfmG-l z&-5p4%e+K}^9j|F2g z(ISt*L?B1p1v0d>lqOm(7T+s#ibY zxLnfQh&SJH^uDwA^d1_%O*qHhmlXz7Yyy@uQ+!ZNs}s4JG?M zuOta?!F6J1Ke{>(5U8)9jBdhm#JchKU@+il_Bv}EI~CjUBiR#mhrVJ$og5PJXa-Q_*H{agiH zm$zFLj--0*z?*-~HUawjGo<$(NkEzUry4nF^f}+jT5#-w;5nc58O2+!Yqp2ANSmw^ z+7-o4*?7FU#$;4;4f+_Iixq5Ul9dkwzNiAg8qhPEh`1|dMNx(Z(H1O%YEddgJ*s|? 
z)r(Dz2PBH^mJfOd522N^`o~@5pwLc~gR@T2>2#CSH>zj0hZH@X)gDKqdPoP}vRc!1 zUkEI$QzO zDT=D2fZqBaE!n`k!L59E5=hv+`YRy6d&mFyMop&m1dU`ikfmd6bsYy zok*bKxR|l=VgVdTV7v;lqF9B)tbpFL&uFmkS6TsH%gb;li(c_6FXQF0f`;LEeEf@G z@nBXl|ANFZCJ9m3De!zN)l!OH6)~8Tr|4>J?unCNR~99LCAwq!Kx?1OdoLgL!?J&V z>sMXD-$?Gt&?8QHiG+tzePBZ-hpxx94N0Hd(R4Q2tTB&Kyaur>ReuWc^IJ?Vf3V(b zk}|UvXw*MNbVP0Z%ge%Tw@b&b8=TZbzt>KU;Q=7&9=N4r=jw~zn^K|*WTwe<#Mg1~ zzuox=5FUyH`eQ)TuepaSqJWgLX5f1e1~lIK6$oh4yQ;U%Y^bcX)H3Aj0F*{g`|&T~ zg+r5)T%2Dyq3hqu;t*z*GmPq3pO#4s$-q zuclW4jfA^EucVy6<_jR-OJZLCgG<_-j;|Y50TPvs6HM?u*i9}bq$QTtr;J&~xePgqOcn4g|WF6$FxcmTkiTC#fNZYH+Azmq@X zV8f};#TXG=J20(F=uDAu`+rQk0ly2cB)(&P`tnaF{yv|wl<-SBEMp5*xaD*tq- z`pLo9b(DtB&F}V?gfRrIIbMeLmEQ6@UFq>6^F;&F_gpum>PPxbbN0ff#Md|BO-ryh zbt0Sm+u6^f&#F2Lgoft4^SLQXyY;ey z-ObW^WnVRuvH6u)Jb&4IBDH>-O2J(5W-ZnH@xg$~g((RN+u7ItG=?lflb#(H35NLD zpPB7M4*4=iS3q{}{LqJA6!cV=o$pn=mt7<^lEy~0jajb;;JPzfh41bxaPiIZE|v~+$leMVQoUSJEyWGo&D)W)>#`qF0XE^5iehrpMB)5A;m*<{K=cT z$v3Y}=n*H8vy$(|}C9z1Xb`^)0eTHJmT3GPw1@&$OiuoGo^h%@7(aD%Rc#4AAGkih87PVQIVCq2EBD7=+Bla4Z_L! 
z%Y3hR_4-F^E>va|<-YX0j{+yruSug~kvfG4Wk3;f#jN^bH7JOtIin*4aIy~rQhCQT z@Vwa9np-s3d36V?7w<)@C<{bSj`}RDvz}MOEk@&wjN&QVtGN-~wtox;UthlXI4qos zDj4_L&8g&4;#jt589BuX+76=#p4=4d(3a*QX)du0J_GhePt4 z&gWv|TP<;O_A!~Fyynf9x%c*FQ;J3B!YbMNDF0iQ=X2!>W*a(B6OdiWeYD5YrDhom z9~1Iu(Ma>ctN{4An(V#Aa=%thPQI%;2<}DlsEd8ecxC5o) zPM{0Vxy943KN*w^Gz)7sDQ`R43VBrC+R)Z%b7a9Bc-?gAvJLK>6oq_tDixeH)*mOs6Cvk=C^Yo(#|vmW)+hmD ztl=ogSsc~VW6~1|eI=aZ^IYt?NS@;sK|0m)!Nf7!uUcDV=`3ceEGLsDVTgzqnK*<7 zi7x9bLrEsvV~b@&a^fCyaneJXZU$dg436XTLgwk^PYybjbUt>ATOrI|3tztYOV5Qk z`263w4J9+ZzQHuGNQmYRZZX(mX|sIIf^U$xOPl$0NbQ{FU@2&=f1?Ev0!)*9RZS=tC2z7 z>Zo2)NH0?zH5D6cQ<}~I854H|gIQe-8Avq6FS0g?5)BzDxXz`cYdZ(uCg_5=DTAWH zH?1~lN*(M_)s>D{2D0r%lRDnglp5Px?fXsTLz|jN{)cpZXv2OqC2}nU2p2)6(Ps`P z8f|1Ql_TG2cf5N4n1^wZhe^fs#U0>2&Qs_gU3((bV+ogt1Ri60lQ>jOu2#S7UXnxx z6r;k8JDE1?lh9x!Qp!3RimF$4(S9^MuJMQ+_u-zH3TQU^SO9x%BX^}0ruqA)*G&WO z0a5C;6Cv6@!+iFM%1WAoUXdhs%J+H~MP<$jf0Amw&XBQYbmI##`+sJ`XX6v?x7ZQ2 ztCYz;A;1K83}U*C4%HKv5XI!;$&{~;^2OWa(e{_MrxBvffc^_7Sk&C4N<{t&NC zhz0@bgSV3L z_dZ$z3^=`aS^#`$1r7O7sYy%9ad~=zapZO`a*?)DDt7a82{8ozgF8F69cUhkz z0ziA`3+suIPSmAra58)c^f=ayW}y9neg%-z=CY>4mCXHE+?EG)lm(iT6Mi2=RR3Aj zv7&o2Q;9%+&D%lJj{O}5?3!7k=7;_!!e9IV$S1Ti&?L##R47qt5iOG5-wGt` z`*$LsDS(zsLHnBvPTA*Txf4oB?`+_lG0ppNs7)#zD9;2sP8*|j zT7^s@*VTcf-z=a)@v!OeU-Jf^WzCDuuA_Uhp{hfCiI}zrpBt(SR_XD|uxI?JovF5` zP-B(MQHX%uGSBV(*k9)&91Y>wCQlK6_8YHO-g%97K&3FXleWm2VMw+fk%uqxzoZQ@_s)$F7eQ{_KbpB&qo49kX65JLO?+~cL!9&sg&y5 z8MQ10aX@&Bw5P^vIyc6kg{;^=OG=L?XSNPhXuHMP z;!I+OMfmP=($K6?`$BPpB{;&TwjdW!c4ay@ZEFPDoa2}pTKUWn8l?8hH+*yM6|-@E z)|iJiiQ+#AL7l8WGLsf~mYxTSM~w%>WdaXT3{sP_{JT~?BpR<2dUpDOlj@+~JbsMr z3O2^4r%7`t-yNnSHi@<7#Ho7&nIVPS>2$$!sBM+*vX&@&EJtsH-=TMn(?Z9q(90s8 zsUX_5#09whu}2{)7uMbC)D7p!`3(JnVH%I&1}*4LPWi<2R%neKn4Bg+f>)ah8sihB zkBMAjZeu3#xXhRnUpHcd)@d~a$f}&!paM!ZWa)yhq~7FmYGn!!)H$S3eimoa)#YJ& z2lSY0)aq&xal2ec#JNf5MGR^HMo@uc2M56oibAyK%kc*^THb4fj1=@s@3iGtYLq%tbd6f?+w# z>NT@b9#*ynf{!h?&v2^Gma$H>7(g_aeihp*xgU#3?^6@XQNorW{S_Kv)gx_RDVh7& 
zBwGCh1?PDDu$EY+>AB^Ba;jIh{#6Z8C19CR{ck1RcpYTCth>EL1fUIF;uGcK+ceYP zdSTW!HF>5yDeZVElY^X$t)6SB49oj1 z+O$IfDt05YW>;53PgSL>d_!JhTi08kG?LFn_S)e#R{2hQR?T4_$e$Sw(1zU?ICrG) z0mk?^pgHX|_O~~u!kl^-3=iOsrA+S1E9}-wh6~?>7QYXSFFv=PK;lY21abzUIc4JJyUJ-2@i1uC{%tEB^*)4FumA`zbSOb9Kx6w=zzjN$$ z=K8^ch=-8f3|0@{-ivUB;>Z!>>_9D6J(C9{lnM*TZy*U5vUk@uJW^)VGOeTP-+x z7}#|+YGZ!b7MJ&8@;0tds`CKapEq$={`&pNYo-AnQD_TD(R0~A=?m-c6l3=%;vOiW zE&-wM96!>kkN#x*Xfoj|ZjdfdD7jx9$;iv3U|FE9wj*mcN|*76~)o6Z z)4=v-)?Cr}27kG@U>yC(mYBklRfL3_d$ZF)G^EtZN9VtUB+Tu z(@zstg3ct3j_wn!km zY95OAG7jN5i#g=3>E6Aqq5Y!MB)n#Ymzxx7){_EMr7F}*2pia0>r!+o53Qi|_q>Va$=XtAnC*}rN$J^nH_uS~NFd?1Ef zxqH;A@2uwXw5HU4r(NWz+?B6UB3a$ovM*wM284O#fRF|U=J%SM{sy_LMUZ>)PXiT{ z2!I)X4jo6|;P{Zk=u5SPeR3h&0vyZ8x&*tKUDTPSWF_59GfCbHqE>c8kmZ_<8{J7S#V^6^{S!{?V7DWwB+|*~H{GUkq=( R06?E_gAX65|0dyY{|&1t5widQ 
diff --git a/image/an01_normal.png b/image/an01_normal.png deleted file mode 100755 index a90c26f994168e5ec5efb5d569155467c99f2955..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7280 zcmeHsX;_kL+wOx_HfZ){ljg8mrM1-5a@LGiYJ+o{BMy}n4v9m~C|Is6t)!MYlmbmk zX=;UnBe-fACMqSODI(^CfH2dhqp;_m=TJE`MnJqpi&GSFh5UVhy2dc1xlp0R6;21*l7(Uy?*G zo;qm^Qr+*O7uOPs)w$Iow}8(jNVr(Pu&!G6-!pfhNefrZcJI%!E$5D;HIiWv{ol! z>e!~xe$NcE#>&soHoATgrf`b*edpDENBo+^V?~g)kL==ge^Tk2i+|Sa5xKX*HSw|( zQa+a$qWXUG(@mf*=Z3QftCx-;aCw^59>^L<=d(MeW1|`ADgr-Qwz=H4Ig!^ALn~3y zr%gT~ja?6eb!eJ#%-|cYTKaFNPaJEJ66F0$sP^0-d4{VXu!eHV9_Np96ICyr3 z!ia0ZA{2t+X)B;j(6CPJzu+;muqh-3g{`oNQ~~bI(e=m#!%5XWfYOYEG9oI~2>_I% z5bXn+|0j?=?G8U<8b(4yL$(1*nHdVa&lTvuz?dZlgGYV~6JFjX`~BVI}eW?w9XpFvT^7dbSf zOz1Bu{2Maj(PAkxwq)=6%`*BMa|PzE4xn^Fs{>)k!VOW8N2@&)c^_rAqToNc;O+OX z*@Uh6$OOO!jY;nU3|s%4=`;r*P3z{(Q*a7)xJk%iW=qS<;B)H$%nS~#RiH0o_cF#*>BO7fH9>J(6)**D5@C7;MDU3aAkpqiIyBlnXw zX#ud4fM{%Kch5{LQ?LD!yBQme_Ki};XK*lS_Hvg4i!lf!d9#5;1*L`?@UY?*|L~KG{6$}T}I4LI7 z<%wixfpytB`rq52ZB zaj7w(CUipNIkjCsuP%t|D6oF|VeNW(HiBQq6|(NT6Q1ks4RZ|9+RK1X*kR?;^+VO0 zF?D*|pU^}d>(6#Y^F7@OwV?Zr?5vD6Sg1!B=_Xh79I3dyY|laP5D^hHUpkKaIa(Nb zrKW8m+L*Xj|)55eA&mL^39*t-xKEr-pN^e<>>{Yp(yLY|T$ioMXEh`#*-Jv-XG{o*?&3%w|*S$W_DhKZ4DYsy2_AA7p-nV)q{hs&UeVl4u^^pii1a9mr z4zkno)SkeRHra+pKj3Yvv|lJfM)#hVvVB3B7uc^I{DUn0gLdUv(Co3GMR4|vUuEf$ zGt#sr@W-u*2lv@T~7jsdde2s94YQ>J}Nn2d*dI z?!H_1d%ts%xe^n6W`IR$w_BYCj;ES}-+Z5e0YQK%UikI3uU1$I6W=ABPr(un2ljP|Pm#8$4ywF39(Z_>1Q6K3b`3=g{B z(QDT#U5qs9aPN%;`kZ%j* zM=}D6pGLk~sUM7XO+5e6H8hsdkDYFk zFe~!s105xcR6T@>gj{REz1^$J7yWi^isfL73}T@KElv;V_sTGz2RCS_T!u(Fdc|U$ zY30AMAeu?w#PA=!4zlosh@wRaMnd(jnhR=uVKZ1rqObVrRTJHYxP zsLlOniTx#umPkwAC{zC8*o8XcrnugS^dytkXuSWn6B=LDFnF;JZUBNs-zk0TGPgff zKT*DThk?}TzetqAkFI-qd!Lfc7asBAo8!~18J%#x%?05EA_&U=YehHg<(G-(UlJso zg*g*mpKcbl0S?q6pq(>JNJSXohd6~~(DOT;y%E1E>M=({=5w|EDikes;#3Dnaa=F zPg&|q_C(iwAjj;y;O4k)UjMLZD=E`8#Obi-MaSnbe)f0D@(ranblO(&n;g6D%#|fd 
zZ7yGPh3u^qm!>4%xbrpL@YU9>EqZs^puz^AD!+LhT3mSVxoLlDOLM$+Sb-g#W`j#| zL1N!8`8yFRJO>6PPRT;ybNOHsbFlUW@MbO7)qRiOKRUFkYnGi*vBk>?px^tlzJp_6 z{4>~~U$TG=S%A{N8l3+&{C7P5Ux7m#&AoC}EX5im0iys z&X&rCuu~eIY|4e77=L|fcu!v7dqgl&x0N4kupwXVv~c4 zb_!W=d(wgqK8&l4K6MW5H~x~JS}J6Qzu*_queFwx9LJ-}$K$FxcuTqQKL}@6sHHV{ zUqdq8#k#dd$j+xV>r|;t+ksl@LB+6dwO<>Dt**k`nk41DpduLU$nM_ja{Q8@ited6 z*E$Zf@yO#H_~bjpJb(%D3Phapu|OOxeQ3TltoGPZ!V5cRYIAuL*j)OuNoFf_CEoqG ztUl4;0npCJGOC)tqAf*dx|U+#lFU!Tt2XRqGql{4@|{KkattoKZj36byE7E+Xgm`b{!V<72mZF z*`F!EIqi`L82x@sYla`fMFg~lvM#qi>VLiGV3qZg z{`i+s7 z`zyvN_cfIye1R7S*QR#`Z^^KT4w7{!=$-=y4A?;eXup55hXL2j#OEop)-G zb!Pli%-BzagR2Yoe)pqXnJo>;RN|CqhV;7c!Z$9ipXYCCoX;H7#UZpCPvQ=isMC3& zB_pWZTG;LwV(|!D+FzS`3y*?qNa<{T%BoN|hoEXx-{=>>zNg|;M}5PNBJ@%?{M~UTz6ZGv1JnKs&)*_#ERQj668TGg9ixEWmr6?*A>s z6o1RT?&X<9ol8~bGk)WQ8gMZ-ChWp+k3p&|Tqw+weTzaijd@QzTC4Ye)I;54TZw7i zjP8n>nB3gbdr||4Mmd3XxT2a z6~Ee&(h2kgzJ?S>RA{`JEip_EsP^zm;O+V1>MX+skjwcC9YPXiX-5l1%w@^FU(`dX z5rS*I7`*np+SnsduwiC$v$jdO{Tn~W?g!OAL$O@pNGz$9KhafA`E4pPlghr|Zp!d|uIYjG7G}PjMuMaSTSBHtVGadFMj8@Z-{p`;W7w_@F+Do_ih*_92Q@X4EX#pGMtdw|Awr)*+^v zD>?8JGE_Z9ohPYYDtNZag;du%p&5IFAwowFbXRH4avg3cVw~_CtYK}2O&{JhXg;!i zE@_ipckRBvs?)sIJs+OkZZZFB=Dr7O!qUc3)soraV$j1~tRw<1sU`0Z}qTDCFo)Yfq``I z^6~1=Z&3byazELF<8K4{O?7BHleUi^{yK9d+=XA3xjJEU1)%wPOFB~c(Xd{l<7C9g zTG3(Gw7dwx*E>i*cOWWTb<-TwhShw)^E?_|>gVU;#T$m85w;Sx_8nY>L2jc8RQQks<2_u%oP|-y5v?C`7g7{8gq!-TVeIXx2XMXHBwrKNI ze*qCTt6LYpPG>Wl17&eW zULTi(!{OXwP_-)at=l<)-U?7vxagqLrK`tQwD7#9{EniIeNZp?#vSh^8)f`tgJ!G$ zw~aBc=GT;IQ%A(b_AK|H%81JYlZJ?BL#P~q?xx;=Mq zwtpDXo=wz%5}-kqFHCf{lS2 zJ-gdb?E|&sUz3fzT#=?4Kzeh#enjq;wg`{34K0%fY_?k4`e4H>G*>BZ7xAZh{G#z1 zFt^I;X39f<11JqW`qK{NIVLy78g$`qnB&@JqPTVK)P9Zsyge9GZeR!~vHZ(Dha3XO z7G4?%t3u{XW*PcJJjE*IQ_a9R=Nh8ey(mJ_(D~T8z%KZ6JZM$B6R*&*68WVg2m2#3 zj|RaB5(O;mrqx>6WMM{xw4*gW&78}OcpB)oLib#Hg%rYQmb0c!63VWW&BWp|JB0Us zIBQec{LEG9TkGo+)%|I$B*|FR!r$2Ki-PmWDm|W-Eu7jvr++ZdVkL8OaveVGepjSh zy}=qeu=L1YvVX`q+$#rE#rS0;+yzOqhwg$fS>Yo2<)r+b;P*!sBAxz-yXR7~b 
zt0E6Th=0WjOpDk_g(VGRqHNIsvNf~OKPYpqACu|Iozsu4KiC?v)6XbT277NXUd>qA znN*>$Nhq_3q(wgo+@c`}t5z5mew!`2{yD6M;77S$AUKrV_$~4d0JFSws>F}F86XNeRRFTe)Q6xW==pXH)U(0 zNwwtJX=G?*wy6MH%`M*T&*v3urIp#M{b-5A4SR8BiGW^QMQ`jHORt z>e({V`2q>m^@%h(-;Dig(ynbOs5NFacnqtYFIDzhnzIFD7I@l@~iaIWi z%~r12(h<*7pM_DW4w{^qcs78TVD*C&WM7A4(i#trm-)eT*1$Vy@pIHK{Et!p|I_Jn bRmC=BcfY|(Y2n%?5jgAY;Z$?-!p;8y(+Fdk From 2a7d5ff125bf9996e00b58035b24d465c7a47908 Mon Sep 17 00:00:00 2001 From: Suikan <26223147+suikan4github@users.noreply.github.com> Date: Sat, 24 Jul 2021 15:22:25 +0900 Subject: [PATCH 16/18] Update comment For keyfile registration to initfsram --- script/lib/chrooted_job_ubuntu.sh | 3 ++- script/lib/chrooted_job_void.sh | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/script/lib/chrooted_job_ubuntu.sh b/script/lib/chrooted_job_ubuntu.sh index 6d8cd57..5cdd73b 100644 --- a/script/lib/chrooted_job_ubuntu.sh +++ b/script/lib/chrooted_job_ubuntu.sh @@ -29,7 +29,8 @@ function chrooted_job() { echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab # Add key file to the list of the intems in initfsram. - echo "...Registering key file to the ramfs" + # See https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html for detail + echo "...Directing to include keyfile into the initfsram" echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf diff --git a/script/lib/chrooted_job_void.sh b/script/lib/chrooted_job_void.sh index 9ce0c82..2bed1d5 100644 --- a/script/lib/chrooted_job_void.sh +++ b/script/lib/chrooted_job_void.sh 
@@ -29,7 +29,8 @@ function chrooted_job() {
 echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
 
 # Add key file to the list of the intems in initfsram.
- echo "...Registering key file to the ramfs"
+ # See https://man7.org/linux/man-pages/man5/dracut.conf.5.html for details.
+ echo "...Directing to include keyfile into the initfsram"
 echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' > /etc/dracut.conf.d/10-crypt.conf
 
 # Finally, update the ramfs initial image with the key file.
From 95820a63d70bc263cc14d8ec09d4e9ab96ab061f Mon Sep 17 00:00:00 2001
From: Suikan <26223147+suikan4github@users.noreply.github.com>
Date: Wed, 28 Jul 2021 08:22:45 +0900
Subject: [PATCH 17/18] Change > to >>
Item should be added to /etc/dracut.conf.d/10-crypt.conf , rather than be overwritten Issue #29
---
 CHANGELOG.md | 1 +
 script/lib/chrooted_job_ubuntu.sh | 4 ++--
 script/lib/chrooted_job_void.sh | 6 +++---
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 02d25ab..80f3645 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ Record of the modification in project development.
 
 ### Fixed
 - [Issue 24 : Fail to install the ubuntu when the / volume is btrfs](https://github.com/suikan4github/kaiten-yaki/issues/24)
+- [Issue 29 : Item should be added to /etc/dracut.conf.d/10-crypt.conf , rather than be overwritten](https://github.com/suikan4github/kaiten-yaki/issues/29)
 
 ### Known Issue
 
diff --git a/script/lib/chrooted_job_ubuntu.sh b/script/lib/chrooted_job_ubuntu.sh
index 5cdd73b..9fdc473 100644
--- a/script/lib/chrooted_job_ubuntu.sh
+++ b/script/lib/chrooted_job_ubuntu.sh
@@ -28,9 +28,9 @@ function chrooted_job() {
 echo "...Adding LUKS volume info to /etc/crypttab."
 echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
- # Add key file to the list of the intems in initfsram.
+ # Add key file to the list of the intems in initramfs.
 # See https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html for detail
- echo "...Directing to include keyfile into the initfsram"
+ echo "...Directing to include keyfile into the initramfs"
 echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
 echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
diff --git a/script/lib/chrooted_job_void.sh b/script/lib/chrooted_job_void.sh
index 2bed1d5..2bb8430 100644
--- a/script/lib/chrooted_job_void.sh
+++ b/script/lib/chrooted_job_void.sh
@@ -28,10 +28,10 @@ function chrooted_job() {
 echo "...Adding LUKS volume info to /etc/crypttab."
 echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
- # Add key file to the list of the intems in initfsram.
+ # Add key file to the list of the intems in initramfs.
 # See https://man7.org/linux/man-pages/man5/dracut.conf.5.html for details.
- echo "...Directing to include keyfile into the initfsram"
- echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' > /etc/dracut.conf.d/10-crypt.conf
+ echo "...Directing to include keyfile into the initramfs"
+ echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' >> /etc/dracut.conf.d/10-crypt.conf
 # Finally, update the ramfs initial image with the key file.
 echo "...Upadting initramfs."
From fdfd8953d514ffa8df2bebf911f322acca677274 Mon Sep 17 00:00:00 2001
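Review bot: Switching the dracut drop-in to `>>` stops clobbering 10-crypt.conf, but it makes chrooted_job non-idempotent: every run appends another `install_items+=` line, and the same holds for the `>> /etc/crypttab` line above, where a second `${CRYPTPARTNAME}` entry is likely to confuse the crypt setup at boot rather than just add noise. A guard such as `grep -qsF 'boot_os.keyfile' /etc/dracut.conf.d/10-crypt.conf || echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' >> /etc/dracut.conf.d/10-crypt.conf` keeps the additive behaviour while making reruns safe, and an equivalent `grep -q "^${CRYPTPARTNAME} "` check would protect crypttab. chrooted_job starts before this hunk and continues after it.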
From: Suikan <26223147+suikan4github@users.noreply.github.com>
Date: Sat, 16 Oct 2021 07:51:31 +0900
Subject: [PATCH 18/18] Update README and CHANGELOG prepare to release v1.2.0
---
 CHANGELOG.md | 11 ++++++++++-
 README.md | 5 +++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80f3645..7c6a855 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,14 @@ Record of the modification in project development.
 ## [Unreleased] - yyyy-mm-dd
 ### Added
 ### Changed
+### Deprecated
+### Removed
+### Fixed
+### Known Issue
+
+## [1.2.0] - 2021-10-16
+### Added
+### Changed
 - [Issue 25 : Refactoring: Sourcing config.sys is not needed in the chrooted_job](https://github.com/suikan4github/kaiten-yaki/issues/25)
 - [Issue 26 : Update AN01 for btrfs](https://github.com/suikan4github/kaiten-yaki/issues/26)
 - [Issue 27 : Eliminates the confirmation dialog](https://github.com/suikan4github/kaiten-yaki/issues/27)
@@ -66,6 +74,7 @@ See [Testing before release v1.1.0](https://github.com/suikan4github/kaiten-yaki
 ### Known Issue
-[Unreleased]: https://github.com/suikan4github/kaiten-yaki/compare/v1.1.0...develop
+[Unreleased]: https://github.com/suikan4github/kaiten-yaki/compare/v1.2.0...develop
+[1.2.0]: https://github.com/suikan4github/kaiten-yaki/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/suikan4github/kaiten-yaki/compare/v1.0.0...v1.1.0
 [1.0.0]: https://github.com/suikan4github/kaiten-yaki/compare/v0.0.0...v1.0.0
diff --git a/README.md b/README.md
index 3626ff6..aff6af9 100644
--- a/README.md
+++ b/README.md
@@ -27,9 +27,10 @@ As depicted above, the LVM volume group has only one physical volume.
 These scripts are tested with the following environment.
 - VMWare Workstation 15.5.7 ( EFI/BIOS )
 - ThinkPad X220 (BIOS)
-- Ubuntu 20.04.2 amd64 desktop
+- Ubuntu 20.04.3 amd64 desktop
 - Ubuntu 21.04 amd64 desktop
-- Ubuntu Mate 20.04.2 amd64 desktop
+- Ubuntu 21.10 amd64 desktop
+- Ubuntu Mate 20.04.3 amd64 desktop
 - void-live-x86_64-20210218-mate.iso
 - void-live-x86_64-musl-20210218-mate.iso
 - void-live-x86_64-20210218.iso