#!/bin/sh ############# # init # ############# # Created for the http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS # guide. -- by Reikinio(Federico Zagarzazu) ############################### # Last modification: 27d/05m/06y ############ # ToDO # * managing hotplug events(see busybox mdev config help) # -- useful for ultra paranoid users who boot from an usb stick, but # have the keys stored on a removable media, ie: media full of mp3s # key is hidden in one of them. # * steganography support # # * use functions to avoid repetitive code ? # (this is a minimal shell, not bash) # It would be nice to convert every if test into a generic function # # # * etc.. # # Notes # * To workaround the gpg /dev/tty error, its passphrase # is stored on a variable. # If you come up with a better way, let me know. # # * The root partition key is stored on a variable. # If you come up with a better way, let me know. # # * piping gpg passphrase to gpg and then piping the output to crypsetup luksOpen # doesnt work here, why ? export PATH=/sbin:/bin dmesg -n 1 init=/sbin/init # functions drop_shell() { echo echo "Dropping you into a minimal shell," echo "reboot with ctrl-alt-supr." exec /bin/sh } /bin/mount -t proc proc /proc /bin/mount -t sysfs sysfs /sys CMDLINE=`cat /proc/cmdline` # Populate /dev from /sys /bin/mount -t tmpfs tmpfs /dev /sbin/mdev -s for param in $CMDLINE; do case "$param" in loadkmap=*) loadkeymap="`echo $param | cut -d= -f2`";; loadfont=*) font="`echo $param | cut -d= -f2`";; rescue) echo "Rescue Mode"; drop_shell;; gpg=*) # the user has the keys on a gpg encrypted file use_gpg="`echo $param | cut -d= -f2`";; root=*) # get root and fs type root_dev="`echo $param | cut -d= -f2 | cut -d: -f1`"; fs_type="`echo $param | cut -d: -f2`";; esac done # check for root and fs_type if [ -z "$root_dev" ] then echo "Error: root argument missing." drop_shell elif [ -z "$fs_type" -eq 0 ] # fixme then echo "Error: root filesystem type missing." drop_shell fi # loadkmap ? if [ -n "$loadkeymap" ] then if [ ! -e "/etc/${loadkeymap}" ] then echo "Error: loadkmap argument passed, but ${loadkeymap} does not exist." drop_shell fi loadkmap < "/etc/${loadkeymap}" if [ -n "$font" ] then if [ ! -e "/etc/${font}" ] then echo "Error: loadfont argument passed, but ${font} does not exist." drop_shell fi loadfont < "/etc/${font}" fi fi # print ascii art clear echo cat /etc/ascii 2>/dev/null echo if [ -n "$use_gpg" ] then if [ ! -e "/etc/${use_gpg}" ] then echo "Error: gpg argument passed, but ${use_gpg} does not exist." drop_shell fi echo -n "Enter passphrase: " read -s pass echo key=`echo "$pass" | gpg --no-tty --passphrase-fd 0 --decrypt /etc/$use_gpg 2>/dev/null` echo $key | cryptsetup luksOpen "$root_dev" root if [ "$?" -eq 0 ] then mount -t "$fs_type" /dev/mapper/root /new-root if [ "$?" -ne 0 ] then echo "Error: mount root failed." drop_shell fi echo "Root decrypted!" else echo "Error: root decryption failed." drop_shell fi else cryptsetup luksOpen "$root_dev" root if [ "$?" -eq 0 ] then mount -t "$fs_type" /dev/mapper/root /new-root if [ "$?" -ne 0 ] then echo "Error: mount root failed." drop_shell fi echo "Root decrypted!" else echo "Error: root decryption failed." drop_shell fi fi # Unmount everything and switch root filesystems for good: # exec the real init and begin the real boot process. /bin/umount -l /proc /bin/umount -l /sys /bin/umount -l /dev echo "Switching.." exec switch_root /new-root "$init"