mirror of
https://github.com/suikan4github/kaiten-yaki.git
synced 2025-12-20 02:21:17 -03:00
Refine the comment.
This commit is contained in:
Suikan
parent
be32e5e387
commit
40264ce02f
3 changed files with 43 additions and 34 deletions
|
|
@ -9,26 +9,30 @@ function chrooted_job() {
|
|||
# Mount the rest of partitions by target /etc/fstab
|
||||
mount -a
|
||||
|
||||
# Set up the kernel hook of encryption
|
||||
# Prepare the crypto tool in the install target
|
||||
echo "...Installing cryptsetup-initramfs package."
|
||||
apt -qq install -y cryptsetup-initramfs
|
||||
|
||||
# Prepare a key file to embed in to the ramfs.
|
||||
# Prepare a new key file to embed in to the ramfs.
|
||||
# This new file contains a new key to open the LUKS volume.
|
||||
# The new key is 4096byte length binary value.
|
||||
# Because this key is sotred as "cleartext", in the target file sysmte,
|
||||
# only root is allowed to access this key file.
|
||||
echo "...Prepairing key file."
|
||||
mkdir /etc/luks
|
||||
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
|
||||
chmod u=rx,go-rwx /etc/luks
|
||||
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
|
||||
|
||||
# Add a key to the key file. Use the passphrase in the environment variable.
|
||||
# Add the new key to the LUKS 2nd key slot. The passphrase is required to modify the LUKS keyslot.
|
||||
echo "...Adding a key to the key file."
|
||||
printf %s "${PASSPHRASE}" | cryptsetup luksAddKey --iter-time "${ITERTIME}" -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
|
||||
|
||||
# Add the LUKS volume information to /etc/crypttab to decrypt by kernel.
|
||||
# Register the LUKS voluem to /etc/crypttab to tell "This volume is encrypted"
|
||||
echo "...Adding LUKS volume info to /etc/crypttab."
|
||||
echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
|
||||
|
||||
# Putting key file into the ramfs initial image
|
||||
# Add key file to the list of the intems in initfsram.
|
||||
echo "...Registering key file to the ramfs"
|
||||
echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
|
||||
echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
|
||||
|
|
|
|||
|
|
@ -6,39 +6,43 @@ source config.sh
|
|||
|
||||
# Create a key file for LUKS and register it as contents of the initramfs image
|
||||
function chrooted_job() {
|
||||
# Mount the rest of partitions by target /etc/fstab
|
||||
mount -a
|
||||
# Mount the rest of partitions by target /etc/fstab
|
||||
mount -a
|
||||
|
||||
# Set up the kernel hook of encryption
|
||||
echo "...Installing cryptsetup-initramfs package."
|
||||
xbps-install -y lvm2 cryptsetup
|
||||
# Prepare the crypto tool in the install target
|
||||
echo "...Installing cryptsetup-initramfs package."
|
||||
xbps-install -y lvm2 cryptsetup
|
||||
|
||||
# Prepare a key file to embed in to the ramfs.
|
||||
echo "...Prepairing key file."
|
||||
mkdir /etc/luks
|
||||
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
|
||||
chmod u=rx,go-rwx /etc/luks
|
||||
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
|
||||
# Prepare a new key file to embed in to the ramfs.
|
||||
# This new file contains a new key to open the LUKS volume.
|
||||
# The new key is 4096byte length binary value.
|
||||
# Because this key is sotred as "cleartext", in the target file sysmte,
|
||||
# only root is allowed to access this key file.
|
||||
echo "...Prepairing key file."
|
||||
mkdir /etc/luks
|
||||
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 status=none
|
||||
chmod u=rx,go-rwx /etc/luks
|
||||
chmod u=r,go-rwx /etc/luks/boot_os.keyfile
|
||||
|
||||
# Add a key to the key file. Use the passphrase in the environment variable.
|
||||
echo "...Adding a key to the key file."
|
||||
printf %s "${PASSPHRASE}" | cryptsetup luksAddKey --iter-time "${ITERTIME}" -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
|
||||
# Add the new key to the LUKS 2nd key slot. The passphrase is required to modify the LUKS keyslot.
|
||||
echo "...Adding a key to the key file."
|
||||
printf %s "${PASSPHRASE}" | cryptsetup luksAddKey --iter-time "${ITERTIME}" -d - "${DEV}${CRYPTPARTITION}" /etc/luks/boot_os.keyfile
|
||||
|
||||
# Add the LUKS volume information to /etc/crypttab to decrypt by kernel.
|
||||
echo "...Adding LUKS volume info to /etc/crypttab."
|
||||
echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
|
||||
# Register the LUKS voluem to /etc/crypttab to tell "This volume is encrypted"
|
||||
echo "...Adding LUKS volume info to /etc/crypttab."
|
||||
echo "${CRYPTPARTNAME} UUID=$(blkid -s UUID -o value ${DEV}${CRYPTPARTITION}) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
|
||||
|
||||
# Putting key file into the ramfs initial image
|
||||
echo "...Registering key file to the ramfs"
|
||||
echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' > /etc/dracut.conf.d/10-crypt.conf
|
||||
# Add key file to the list of the intems in initfsram.
|
||||
echo "...Registering key file to the ramfs"
|
||||
echo 'install_items+=" /etc/luks/boot_os.keyfile /etc/crypttab " ' > /etc/dracut.conf.d/10-crypt.conf
|
||||
|
||||
# Finally, update the ramfs initial image with the key file.
|
||||
echo "...Upadting initramfs."
|
||||
xbps-reconfigure -fa
|
||||
echo "...grub-mkconfig."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg
|
||||
# Finally, update the ramfs initial image with the key file.
|
||||
echo "...Upadting initramfs."
|
||||
xbps-reconfigure -fa
|
||||
echo "...grub-mkconfig."
|
||||
grub-mkconfig -o /boot/grub/grub.cfg
|
||||
|
||||
# Leave chroot
|
||||
# Leave chroot
|
||||
}
|
||||
|
||||
# Execute job
|
||||
|
|
|
|||
|
|
@ -298,14 +298,15 @@ function post_install() {
|
|||
echo "...Mounting all other dirs."
|
||||
for n in proc sys dev tmp etc/resolv.conf; do mount --rbind "/$n" "${TARGETMOUNTPOINT}/$n"; done
|
||||
|
||||
# Copy all scripts to the target /tmp to in chroot session.
|
||||
# Copy all scripts to the target /tmp for using in chroot session.
|
||||
echo "...Copy files in current dir to ${TARGETMOUNTPOINT}/tmp."
|
||||
mkdir "${TARGETMOUNTPOINT}/tmp/kaiten-yaki"
|
||||
cp -r ./* -t "${TARGETMOUNTPOINT}/tmp/kaiten-yaki"
|
||||
|
||||
# Change root and create the keyfile and ramfs image for Linux kernel.
|
||||
# The here document is script executed under chroot. And here we call
|
||||
# the distribution dependent script "lib/chrooted_job_${DISTRIBUTIONSIGNATURE}.sh".
|
||||
# The here-document is script executed under chroot. At here we call
|
||||
# the distribution dependent script "lib/chrooted_job_${DISTRIBUTIONSIGNATURE}.sh",
|
||||
# which was copied to /temp at previous code.
|
||||
echo "...Chroot to ${TARGETMOUNTPOINT}. and execute chrooted_job_${DISTRIBUTIONSIGNATURE}.sh"
|
||||
# shellcheck disable=SC2086
|
||||
cat <<- HEREDOC | chroot "${TARGETMOUNTPOINT}" /bin/bash
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue