diff --git a/script/lib/chrooted_job_ubuntu.sh b/script/lib/chrooted_job_ubuntu.sh
index ce85d61..2d953ca 100644
--- a/script/lib/chrooted_job_ubuntu.sh
+++ b/script/lib/chrooted_job_ubuntu.sh
@@ -9,26 +9,30 @@ function chrooted_job() {
 # Mount the rest of partitions by target /etc/fstab
 mount -a
- # Set up the kernel hook of encryption
+ # Prepare the crypto tool in the install target
 echo "...Installing cryptsetup-initramfs package."
 apt -qq install -y cryptsetup-initramfs
- # Prepare a key file to embed in to the ramfs.
+ # Prepare a new key file to embed in to the ramfs.
+ # This new file contains a new key to open the LUKS volume.
+ # The new key is 4096byte length binary value.
+ # Because this key is sotred as "cleartext", in the target file sysmte,
+ # only root is allowed to access this key file.
 echo "...Prepairing key file."
 mkdir /etc/luks
 dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
 chmod u=rx,go-rwx /etc/luks
 chmod u=r,go-rwx /etc/luks/boot_os.keyfile
- # Add a key to the key file. Use the passphrase in the environment variable.
+ # Add the new key to the LUKS 2nd key slot. The passphrase is required to modify the LUKS keyslot.
 echo "...Adding a key to the key file."
 printf %s "${PASSPHRASE}" | cryptsetup luksAddKey --iter-time "${ITERTIME}" -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
- # Add the LUKS volume information to /etc/crypttab to decrypt by kernel.
+ # Register the LUKS voluem to /etc/crypttab to tell "This volume is encrypted"
 echo "...Adding LUKS volume info to /etc/crypttab."
 echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
- # Putting key file into the ramfs initial image
+ # Add key file to the list of the intems in initfsram.
 echo "...Registering key file to the ramfs"
 echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
 echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
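Review bot: The added comment above the luksAddKey line says the key goes into "the LUKS 2nd key slot", but `cryptsetup luksAddKey` without `--key-slot` takes the first free slot, so that is only true while the passphrase alone occupies slot 0, which this hunk cannot guarantee; reword to `# Add the new key to the next free LUKS keyslot. The existing passphrase is required to modify keyslots.` or pin the slot explicitly with `--key-slot`. The same five-line key-file comment and the luksAddKey comment are added again in the chrooted_job_void.sh hunk below, with the same typos (sotred, sysmte, voluem, intems, initfsram). The new comment also states that only root may access the key file, but `dd` creates it under the default umask and the restriction only takes effect at the later chmod; wrapping the creation as `(umask 077; dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none)` makes the comment true from the first byte written.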
diff --git a/script/lib/chrooted_job_void.sh b/script/lib/chrooted_job_void.sh
index 8482b01..2d50a73 100644
--- a/script/lib/chrooted_job_void.sh
+++ b/script/lib/chrooted_job_void.sh
@@ -6,39 +6,43 @@ source config.sh
 # Create a key file for LUKS and register it as contents of the initramfs image
 function chrooted_job() {
- # Mount the rest of partitions by target /etc/fstab
- mount -a
+ # Mount the rest of partitions by target /etc/fstab
+ mount -a
- # Set up the kernel hook of encryption
- echo "...Installing cryptsetup-initramfs package."
- xbps-install -y lvm2 cryptsetup
+ # Prepare the crypto tool in the install target
+ echo "...Installing cryptsetup-initramfs package."
+ xbps-install -y lvm2 cryptsetup
- # Prepare a key file to embed in to the ramfs.
- echo "...Prepairing key file."
- mkdir /etc/luks
- dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
- chmod u=rx,go-rwx /etc/luks
- chmod u=r,go-rwx /etc/luks/boot_os.keyfile
+ # Prepare a new key file to embed in to the ramfs.
+ # This new file contains a new key to open the LUKS volume.
+ # The new key is 4096byte length binary value.
+ # Because this key is sotred as "cleartext", in the target file sysmte,
+ # only root is allowed to access this key file.
+ echo "...Prepairing key file."
+ mkdir /etc/luks
+ dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
+ chmod u=rx,go-rwx /etc/luks
+ chmod u=r,go-rwx /etc/luks/boot_os.keyfile
- # Add a key to the key file. Use the passphrase in the environment variable.
- echo "...Adding a key to the key file."
- printf %s "${PASSPHRASE}" | cryptsetup luksAddKey --iter-time "${ITERTIME}" -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
+ # Add the new key to the LUKS 2nd key slot. The passphrase is required to modify the LUKS keyslot.
+ echo "...Adding a key to the key file."
+ printf %s "${PASSPHRASE}" | cryptsetup luksAddKey --iter-time "${ITERTIME}" -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
- # Add the LUKS volume information to /etc/crypttab to decrypt by kernel.
- echo "...Adding LUKS volume info to /etc/crypttab."
- echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
+ # Register the LUKS voluem to /etc/crypttab to tell "This volume is encrypted"
+ echo "...Adding LUKS volume info to /etc/crypttab."
+ echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
- # Putting key file into the ramfs initial image
- echo "...Registering key file to the ramfs"
- echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' > /etc/dracut.conf.d/10-crypt.conf
+ # Add key file to the list of the intems in initfsram.
+ echo "...Registering key file to the ramfs"
+ echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' > /etc/dracut.conf.d/10-crypt.conf
- # Finally, update the ramfs initial image with the key file.
- echo "...Upadting initramfs."
- xbps-reconfigure -fa
- echo "...grub-mkconfig."
- grub-mkconfig -o /boot/grub/grub.cfg
+ # Finally, update the ramfs initial image with the key file.
+ echo "...Upadting initramfs."
+ xbps-reconfigure -fa
+ echo "...grub-mkconfig."
+ grub-mkconfig -o /boot/grub/grub.cfg
- # Leave chroot
+ # Leave chroot
 }
 # Execute job
diff --git a/script/lib/common.sh b/script/lib/common.sh
index 4f732b8..ec076b5 100644
--- a/script/lib/common.sh
+++ b/script/lib/common.sh
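Review bot: Under the new `# Prepare the crypto tool in the install target` comment the progress message still reads `"...Installing cryptsetup-initramfs package."` while the command right below installs `lvm2 cryptsetup` with xbps-install, so the log misreports what happens on Void; suggest `echo "...Installing lvm2 and cryptsetup packages."`. Apart from the comment rewrites this hunk appears to be a reindentation of the whole chrooted_job body, so the remaining lines are unchanged in substance. The key-slot wording and the umask-before-dd point raised on the chrooted_job_ubuntu.sh hunk apply to the identical lines here as well.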
@@ -298,14 +298,15 @@ function post_install() {
 echo "...Mounting all other dirs."
 for n in proc sys dev tmp etc/resolv.conf; do mount --rbind "/$n" "${TARGETMOUNTPOINT}/$n"; done
- # Copy all scripts to the target /tmp to in chroot session.
+ # Copy all scripts to the target /tmp for using in chroot session.
 echo "...Copy files in current dir to ${TARGETMOUNTPOINT}/tmp."
 mkdir "${TARGETMOUNTPOINT}/tmp/kaiten-yaki"
 cp -r ./* -t "${TARGETMOUNTPOINT}/tmp/kaiten-yaki"
 # Change root and create the keyfile and ramfs image for Linux kernel.
- # The here document is script executed under chroot. And here we call
- # the distribution dependent script "lib/chrooted_job_${DISTRIBUTIONSIGNATURE}.sh".
+ # The here-document is script executed under chroot. At here we call
+ # the distribution dependent script "lib/chrooted_job_${DISTRIBUTIONSIGNATURE}.sh",
+ # which was copied to /temp at previous code.
 echo "...Chroot to ${TARGETMOUNTPOINT}. and execute chrooted_job_${DISTRIBUTIONSIGNATURE}.sh"
 # shellcheck disable=SC2086
 cat <<- HEREDOC | chroot "${TARGETMOUNTPOINT}" /bin/bash
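Review bot: The new third comment line says the chrooted_job script "was copied to /temp at previous code", but the cp a few lines up places it in `${TARGETMOUNTPOINT}/tmp/kaiten-yaki`, so the path in the comment is wrong; suggest `# which the cp above placed in ${TARGETMOUNTPOINT}/tmp/kaiten-yaki.` together with `# The here-document is the script executed under chroot. Here we call` for the line before it. The unquoted `${DISTRIBUTIONSIGNATURE}` in the echo is covered by the existing shellcheck disable and is not changed by this commit. post_install and the here-document body continue past the end of the hunk.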