Add i-t impl
This commit is contained in:
parent
415c83ab0e
commit
da2d469cd2
@ -7,6 +7,7 @@ packages:
|
||||
- libtss2-dev
|
||||
- libtspi-dev
|
||||
- ronn
|
||||
- shellcheck
|
||||
tasks:
|
||||
- get-zfs: |
|
||||
sudo sed -i 's/main/main contrib non-free/' /etc/apt/sources.list
|
||||
|
6
.gitignore
vendored
6
.gitignore
vendored
@ -15,7 +15,5 @@
|
||||
!man/**
|
||||
!ext
|
||||
!ext/**
|
||||
!test
|
||||
!test/**
|
||||
!test-data
|
||||
!test-data/**
|
||||
!initrd
|
||||
!initrd/**
|
||||
|
25
Makefile
25
Makefile
@ -30,36 +30,41 @@ INCAR := $(foreach l,$(foreach l,,$(l)/include),-isystemext/$(l)) $(foreach l,,-
|
||||
VERAR := $(foreach l,TZPFMS,-D$(l)_VERSION='$($(l)_VERSION)')
|
||||
BINARY_SOURCES := $(sort $(wildcard $(SRCDIR)bin/*.cpp $(SRCDIR)bin/**/*.cpp))
|
||||
COMMON_SOURCES := $(filter-out $(BINARY_SOURCES),$(sort $(wildcard $(SRCDIR)*.cpp $(SRCDIR)**/*.cpp $(SRCDIR)**/**/*.cpp $(SRCDIR)**/**/**/*.cpp)))
|
||||
# TEST_SOURCES := $(sort $(wildcard $(TSTDIR)*.cpp $(TSTDIR)**/*.cpp $(TSTDIR)**/**/*.cpp $(TSTDIR)**/**/**/*.cpp))
|
||||
SHELLCHECK_SOURCES := $(sort $(shell grep -lR '#!/bin/.*sh' $(INITRDDIR)))
|
||||
MANPAGE_SOURCES := $(sort $(wildcard $(MANDIR)*.md.pp))
|
||||
|
||||
|
||||
.PHONY : all clean build build-test man
|
||||
.PHONY : all clean build shellcheck i-t man
|
||||
.SECONDARY:
|
||||
|
||||
|
||||
all : build man # build-test test
|
||||
|
||||
#test: build-test
|
||||
# $(OUTDIR)tzpfms-test$(EXE)
|
||||
all : build man shellcheck i-t
|
||||
|
||||
clean :
|
||||
rm -rf $(OUTDIR)
|
||||
|
||||
build : $(subst $(SRCDIR)bin/,$(OUTDIR),$(subst .cpp,$(EXE),$(BINARY_SOURCES)))
|
||||
#build-test : $(OUTDIR)tzpfms-test$(EXE)
|
||||
man : $(OUTDIR)man/index.txt
|
||||
shellcheck : $(BLDDIR)shellcheck-stamp
|
||||
i-t : $(OUTDIR)initramfs-tools
|
||||
|
||||
|
||||
#$(OUTDIR)tzpfms-test$(EXE) : $(subst $(TSTDIR),$(BLDDIR)test/,$(subst .cpp,$(OBJ),$(TEST_SOURCES))) $(subst $(SRCDIR),$(OBJDIR),$(subst .cpp,$(OBJ),$(filter-out $(SRCDIR)main.cpp,$(SOURCES)))) $(patsubst ext/fmt/src/%.cc,$(BLDDIR)fmt/obj/%$(OBJ),$(wildcard ext/fmt/src/*.cc))
|
||||
# $(CXX) $(CXXAR) -o$@ $^ $(PIC) $(LDAR)
|
||||
|
||||
$(OUTDIR)man/index.txt : $(MANDIR)index.txt $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%,$(MANPAGE_SOURCES))
|
||||
@mkdir -p $(dir $@)
|
||||
cp $< $(dir $@)
|
||||
$(RONN) --organization="tzpfms developers" $(filter-out $<,$^)
|
||||
$(RONN) --organization="tzpfms developers" -f $(filter-out $<,$^)
|
||||
|
||||
$(BLDDIR)shellcheck-stamp : $(SHELLCHECK_SOURCES)
|
||||
@mkdir -p $(dir $@)
|
||||
$(SHELLCHECK) --exclude SC1091 $^
|
||||
@date > $@
|
||||
|
||||
$(OUTDIR)initramfs-tools : $(sort $(wildcard $(INITRDDIR)initramfs-tools))
|
||||
@mkdir -p $@/usr/share/initramfs-tools/hooks $@/usr/share/tzpfms
|
||||
ln $(INITRDDIR)initramfs-tools/hook $@/usr/share/initramfs-tools/hooks/tzpfms
|
||||
ln $(INITRDDIR)initramfs-tools/zfs-patch.sh $@/usr/share/tzpfms/initramfs-tools-zfs-patch.sh
|
||||
|
||||
|
||||
$(OUTDIR)%$(EXE) : $(subst $(SRCDIR),$(OBJDIR),$(subst .cpp,$(OBJ),$(SRCDIR)bin/%.cpp $(COMMON_SOURCES)))
|
||||
@mkdir -p $(dir $@)
|
||||
|
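Review bot: The `$(OUTDIR)initramfs-tools` rule takes the source directory `$(sort $(wildcard $(INITRDDIR)initramfs-tools))` as its only prerequisite, so editing `hook` or `zfs-patch.sh` does not touch the directory's mtime and `make i-t` never re-runs; and when the rule does re-run, the bare `ln` calls fail because the link names already exist. I would name the two files as prerequisites — `$(OUTDIR)initramfs-tools : $(INITRDDIR)initramfs-tools/hook $(INITRDDIR)initramfs-tools/zfs-patch.sh` — and use `ln -f` (or `cp`) on the two recipe lines. A hard link also makes the staged tree under `$(OUTDIR)` share inodes with the checkout, so anything that later edits the staged copy in place (strip, sed, chmod) silently modifies the source files; a copy avoids that. The `$(OUTDIR)%$(EXE)` rule at the end of the hunk continues past it.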
@ -14,7 +14,7 @@ Plus it's a pretty good annoyed sigh onomatopoeia.
|
||||
|
||||
### Building
|
||||
|
||||
You'll need `pkg-config`, `ronn`, `libzfslinux-dev`, `libtss2-dev`, `libtspi-dev`, and `make` should hopefully Just Work™ if you have a C++17-capable compiler.
|
||||
You'll need `pkg-config`, `ronn`, `shellcheck`, `libzfslinux-dev`, `libtss2-dev`, `libtspi-dev`, and `make` should hopefully Just Work™ if you have a C++17-capable compiler.
|
||||
The output binaries are trimmed of extraneous dependencies, so they're all just libc + libzfs and friends + the chosen TPM back-end, if any.
|
||||
|
||||
### Installation
|
||||
|
@ -54,6 +54,7 @@ LNCMAKEAR := LDFLAGS="$(LNCXXAR)"
|
||||
|
||||
AWK ?= awk
|
||||
RONN ?= ronn
|
||||
SHELLCHECK ?= shellcheck
|
||||
OBJ := .o
|
||||
CXXAR := -O3 -std=c++17 -fno-exceptions -Wall -Wextra $(CXXSPECIFIC) -pipe $(INCCXXAR) $(PIC)
|
||||
STRIP ?= strip
|
||||
@ -65,3 +66,4 @@ OBJDIR := $(BLDDIR)obj/
|
||||
SRCDIR := src/
|
||||
TSTDIR := test/
|
||||
MANDIR := man/
|
||||
INITRDDIR := initrd/
|
||||
|
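--- /dev/null
+++ b/initrd/initramfs-tools/hook
@@ -0,0 +1,20 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+
+PREREQ="zfs"
+[ "$1" = "prereqs" ] && exec echo "$PREREQ"
+. /usr/share/initramfs-tools/hook-functions
+
+
+# Bit of a hack: replace zfs-intramfs' decrypt_fs() in /scripts/zfs with our version that understands tzpfms datasets
+sed -Ei 's/decrypt_fs\(\)/__tzpfms__&/' "$DESTDIR/scripts/zfs"
+cat /usr/share/tzpfms/initramfs-tools-zfs-patch.sh >> "$DESTDIR/scripts/zfs"
+
+
+for x in zfs-tpm-list zfs-tpm2-load-key zfs-tpm1x-load-key; do
+xloc="$(command -v "$x")"
+[ "$xloc" = "" ] || copy_exec "$xloc"
+done
+
+
+add_loaded_modules '*tpm*' # TODO: is this the best way of going about this?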
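Review bot: The `sed -Ei 's/decrypt_fs\(\)/__tzpfms__&/'` rewrite is never verified, so if the zfs-initramfs script stops defining `decrypt_fs()` under that exact spelling, or `$DESTDIR/scripts/zfs` is absent, the following `cat` still appends a `decrypt_fs()` whose fallback calls an undefined `__tzpfms__decrypt_fs`, and the breakage only surfaces at boot on the encrypted root instead of when the image is built. The hook has no `set -e`, so sed's exit status is also lost and only the final `add_loaded_modules` decides the hook's result. I would confirm the rewrite took effect before appending: `grep -q '__tzpfms__decrypt_fs()' "$DESTDIR/scripts/zfs" || { echo "tzpfms: could not patch decrypt_fs() in $DESTDIR/scripts/zfs" >&2; exit 1; }`. Silently skipping `copy_exec` for a missing `zfs-tpm*` binary is reasonable given the runtime fallback, but a one-line comment saying that is intentional would help the next reader.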
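--- /dev/null
+++ b/initrd/initramfs-tools/zfs-patch.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+
+# Included into /scripts/zfs in the initrd, replacing the original decrypt_fs(), now available as __tzpfms__decrypt_fs()
+decrypt_fs() {
+fs="$1"
+
+# Bail early if we don't have even the common binaries
+if ! command -v zfs-tpm-list > /dev/null; then
+__tzpfms__decrypt_fs "${fs}"
+return
+fi
+
+# First three lines borrowed from /scripts/zfs#decrypt_fs()
+# If pool encryption is active and the zfs command understands '-o encryption'
+if [ "$(zpool list -H -o feature@encryption "$(echo "${fs}" | awk -F/ '{print $1}')")" = 'active' ]; then
+ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
+
+if ! [ "$ENCRYPTIONROOT" = "-" ]; then
+if command -v zfs-tpm2-load-key > /dev/null && ! [ "$(zfs-tpm-list -Hub TPM2 "$ENCRYPTIONROOT")" = "" ]; then
+with_promptable_tty zfs-tpm2-load-key "$ENCRYPTIONROOT"
+return
+fi
+
+if command -v zfs-tpm1x-load-key > /dev/null && ! [ "$(zfs-tpm-list -Hub TPM1.X "$ENCRYPTIONROOT")" = "" ]; then
+with_promptable_tty zfs-tpm1x-load-key "$ENCRYPTIONROOT"
+return
+fi
+
+__tzpfms__decrypt_fs "${fs}"
+return
+fi
+fi
+
+return 0
+}
+
+# Mimic /scripts/zfs#decrypt_fs(): setting "printk" temporarily to "7" will allow prompt even if kernel option "quiet"
+# TODO?: /scripts/zfs#decrypt_fs() checks for plymouth and systemd,
+# but we don't know how many passphrases we're gonna read (anywhere between 0 and 2 best-base or 0 and 6 worst-case);
+# can we "disable" plymouth somehow?
+with_promptable_tty() {
+printk="$(awk '{print $1}' /proc/sys/kernel/printk)"
+echo 7 > /proc/sys/kernel/printk
+
+"$@"
+ret="$?"
+
+echo "$printk" > /proc/sys/kernel/printk
+
+return "$ret"
+}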
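Review bot: In `decrypt_fs`, when `zfs-tpm2-load-key` or `zfs-tpm1x-load-key` exits non-zero the bare `return` hands that status straight back, so a dataset whose TPM unseal fails at boot (changed PCR state, cleared TPM, TPM device not present) never reaches the stock passphrase prompt in `__tzpfms__decrypt_fs`; I can't tell from here whether the load-key tools offer their own fallback, but if they don't, the availability path is worse than unpatched zfs-initramfs. Dropping the separate `return` and writing `with_promptable_tty zfs-tpm2-load-key "$ENCRYPTIONROOT" && return` (and the same for the TPM1.X branch) lets a failed unseal fall through to the passphrase path. In `with_promptable_tty`, a signal delivered while `"$@"` runs skips the restore and leaves printk at 7; a `trap` that writes `$printk` back, cleared once the restore has run, would cover that. Both functions are complete within the hunk.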
@ -27,18 +27,8 @@
|
||||
},
|
||||
{
|
||||
"follow_symlinks": true,
|
||||
"name": "Test",
|
||||
"path": "test"
|
||||
},
|
||||
{
|
||||
"follow_symlinks": true,
|
||||
"name": "Test data",
|
||||
"path": "test-data"
|
||||
},
|
||||
{
|
||||
"follow_symlinks": true,
|
||||
"name": "External code",
|
||||
"path": "ext"
|
||||
"name": "Initrd plug-ins",
|
||||
"path": "initrd"
|
||||
},
|
||||
{
|
||||
"follow_symlinks": true,
|
||||
|