systemd/mkosi.images/system/mkosi.postinst.chroot

176 lines
6.2 KiB
Plaintext
Raw Normal View History

#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
set -o nounset
if command -v authselect >/dev/null; then
# authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
# let's use the new name if it exists.
if [ -d /usr/share/authselect/default/local ]; then
PROFILE=local
else
PROFILE=minimal
fi
authselect select "$PROFILE"
if authselect list-features "$PROFILE" | grep -q "with-homed"; then
authselect enable-feature with-homed
fi
fi
# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
# if that's the case.
mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
rm -f /etc/resolv.conf
mkosi: Switch to use mkosi presets with prebuilt initrds Instead of building the initrds for the mkosi images with dracut, let's switch to using mkosi presets to build the initrd with mkosi as well. This commit splits up our single image build into three separate mkosi presets: 1. The "base" preset. This image contains systemd and all its runtime dependencies. The sole purpose of this image is to serve as a base image for the initrd and the final image. It's also responsible for building systemd from source with the build script. The results are installed into the base image. Note that we install the systemd and udev packages into this image as well to prevent package managers from overriding the systemd we built from source with the distro packaged systemd if it's pulled in as a dependency by another package from the initrd or final profiles. 2. The "initrd" preset. This image provides the initrd. It's trivial and does nothing more than packaging the base image up as a zstd compressed initramfs and adds /init and /etc/initrd-release symlinks to the image. 3. The "final" preset. This image builds on top of the base image and adds a kernel and extra packages that are useful for testing and debugging. We also split out the optional kernel build into a separate set of config files that are only included if a kernel to build is actually provided. Note that this commit doesn't really change anything about how mkosi is used. The commands remain the same, except that mkosi will now build all the presets in order. "mkosi summary" will show the summary of all the presets. "mkosi qemu, boot, shell" will always boot the final preset. With "-f", all presets will be built and the final one is booted. "-i" makes a cache of each preset. The only thing to keep in mind is that specifying config via the mkosi CLI will apply to each of the presets. e.g. any extra packages added with "-p" will be installed in both the initrd and the final image. To apply local configuration to a single preset, create a file 00-local.conf in mkosi.presets/<profile>/mkosi.conf.d and put all the preset specific configuration in there.
2023-04-25 22:04:49 +08:00
for f in "$BUILDROOT"/usr/share/*.verity.sig; do
jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
done
# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
# systemd-journald.
rm -r "$BUILDROOT/var/log/journal"
rm -f /etc/nsswitch.conf
cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
# Remove to make TEST-73-LOCALE pass on Ubuntu.
rm -f /etc/default/keyboard
# mkfs.ext4 on CentOS doesn't know the orphan_file feature so clear the mkfs options when we're building for
# CentOS.
if [[ "$DISTRIBUTION" == "centos" ]]; then
SYSTEMD_REPART_MKFS_OPTIONS_EXT4=""
fi
export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
systemd-repart \
--empty=create \
--dry-run=no \
--size=auto \
--offline=true \
--root test/TEST-24-CRYPTSETUP \
--definitions test/TEST-24-CRYPTSETUP/keydev.repart \
"$OUTPUTDIR/keydev.raw"
can_test_pkcs11() {
if ! command -v "softhsm2-util" >/dev/null; then
echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
return 1
fi
if ! command -v "pkcs11-tool" >/dev/null; then
echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
return 1
fi
if ! command -v "certtool" >/dev/null; then
echo "certtool not available, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+P11KIT"; then
echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+OPENSSL"; then
echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
return 1
fi
return 0
}
setup_pkcs11_token() {
echo "Setup PKCS#11 token" >&2
local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
export SOFTHSM2_CONF="/tmp/softhsm2.conf"
mkdir -p /usr/lib/softhsm/tokens/
cat >$SOFTHSM2_CONF <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF
export GNUTLS_PIN="1234"
export GNUTLS_SO_PIN="12345678"
softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
fi
if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
P11_MODULE_DIR="/usr/lib/pkcs11"
fi
SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
fi
# RSA #####################################################
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
certtool --generate-self-signed \
--load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
--load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
--outder --outfile "/tmp/rsa_test.crt"
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
rm "/tmp/rsa_test.crt"
# prime256v1 ##############################################
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
certtool --generate-self-signed \
--load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
--load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
--outder --outfile "/tmp/ec_test.crt"
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
rm "/tmp/ec_test.crt"
###########################################################
rm "$SOFTHSM2_CONF"
unset SOFTHSM2_CONF
cat >/etc/softhsm2.conf <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
log.level = INFO
EOF
mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
[Unit]
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
StartLimitBurst=10
[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF
unset GNUTLS_PIN
unset GNUTLS_SO_PIN
}
if can_test_pkcs11; then
setup_pkcs11_token
fi