#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# Fail fast: abort on the first command that fails and on any reference to an unset
# variable, so a broken build environment cannot silently produce a half-configured image.
set -e
set -u
# Select an authselect profile when the tool is present and turn on its systemd-homed
# integration if the profile offers it.
if command -v authselect >/dev/null; then
    # authselect 1.5.0 renamed the minimal profile to the local profile without keeping
    # backwards compat, so prefer the new name whenever it exists on this system.
    PROFILE=minimal
    if [[ -d /usr/share/authselect/default/local ]]; then
        PROFILE=local
    fi

    authselect select "$PROFILE"

    # Only enable the feature when the selected profile actually lists it.
    if authselect list-features "$PROFILE" | grep -q -F -- "with-homed"; then
        authselect enable-feature with-homed
    fi
fi
# The /etc/resolv.conf symlink is left to tmpfiles.d/systemd-resolve.conf. Something may
# have been mounted over the path, so unmount it first and then drop whatever is there.
if mountpoint -q /etc/resolv.conf; then
    umount /etc/resolv.conf
fi
rm -f -- /etc/resolv.conf
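# Extract the root hash from every verity signature file into a plain-text .roothash file
# next to it. The .verity.sig files are JSON; the hash lives in their "rootHash" member.
# ${BUILDROOT:?} refuses an empty value so the loop can never touch the host's /usr/share.
for f in "${BUILDROOT:?}"/usr/share/*.verity.sig; do
    # bash leaves an unmatched glob as the literal pattern; skip it rather than pass it to jq.
    [[ -e "$f" ]] || continue
    jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
done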
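# We want /var/log/journal to be created on first boot so it can be created with the right
# chattr settings by systemd-journald.
# ${BUILDROOT:?} aborts on an empty value: a blank build root would otherwise turn this into
# "rm -r /var/log/journal" on the host (set -u only catches the unset case).
rm -r -- "${BUILDROOT:?}/var/log/journal"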
# Replace whatever nsswitch.conf the distribution installed with the one from
# $SRCDIR/factory. Remove first so a symlink or read-only file cannot get in the way.
rm -f -- /etc/nsswitch.conf
cp -- "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
# Remove to make TEST-73-LOCALE pass on Ubuntu.
rm -f -- /etc/default/keyboard
# mkfs.ext4 on CentOS doesn't know the orphan_file feature, so clear the mkfs options when
# we're building for CentOS. Everywhere else the value inherited from the caller is kept.
case "$DISTRIBUTION" in
    centos)
        SYSTEMD_REPART_MKFS_OPTIONS_EXT4=""
        ;;
esac

# Exported either way so systemd-repart below sees the (possibly cleared) value.
export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
# Build the key device image for TEST-24-CRYPTSETUP from its repart definitions. The
# options are collected in an array so each one is a separate, unambiguous argument.
repart_args=(
    --empty=create
    --dry-run=no
    --size=auto
    --offline=true
    --root test/TEST-24-CRYPTSETUP
    --definitions test/TEST-24-CRYPTSETUP/keydev.repart
)
systemd-repart "${repart_args[@]}" "$OUTPUTDIR/keydev.raw"
unset repart_args
#######################################
# Decide whether the PKCS#11 test can be set up on this system: the required
# tools must be installed and systemd must have been built with the needed
# feature flags. Checks run in a fixed order and stop at the first missing one.
# Outputs:   the reason for skipping on stderr
# Returns:   0 if everything is available, 1 otherwise
#######################################
can_test_pkcs11() {
    local tool i
    local -a required_tools=(softhsm2-util pkcs11-tool certtool)
    # Feature flags as printed by "systemctl --version", paired index-by-index with
    # the human readable name used in the skip message. Parallel arrays keep the
    # original check order (associative arrays would not).
    local -a feature_flags=("+P11KIT" "+OPENSSL" "+LIBCRYPTSETUP\b" "+LIBCRYPTSETUP_PLUGINS")
    local -a feature_names=("p11-kit" "openssl" "libcryptsetup" "libcryptsetup plugins")

    for tool in "${required_tools[@]}"; do
        if ! command -v "$tool" >/dev/null; then
            echo "$tool not available, skipping the PKCS#11 test" >&2
            return 1
        fi
    done

    for i in "${!feature_flags[@]}"; do
        if ! systemctl --version | grep -q "${feature_flags[i]}"; then
            echo "Support for ${feature_names[i]} is disabled, skipping the PKCS#11 test" >&2
            return 1
        fi
    done

    return 0
}
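#######################################
# Generate a key pair on the SoftHSM "TestToken" and store a self-signed
# certificate for it under the same label, so both can be addressed with
# pkcs11:token=TestToken;object=<label> URIs.
# Globals:   GNUTLS_PIN, GNUTLS_SO_PIN (read). pkcs11-tool takes them via
#            "env:NAME" so the PINs stay out of argv; certtool presumably picks
#            them up from the environment as well, which is why they are exported.
# Arguments: $1 - path of the PKCS#11 module
#            $2 - pkcs11-tool key type (RSA:2048, EC:prime256v1)
#            $3 - object label
#            $4 - pkcs11-tool usage flag (--usage-decrypt, --usage-derive)
# Returns:   1 if the certificate scratch file cannot be created; any other tool
#            failure aborts the script under set -e.
#######################################
_pkcs11_keypair_with_cert() {
    local module=$1 key_type=$2 label=$3 usage=$4
    local cert

    # Unpredictable scratch file instead of a fixed, guessable name in /tmp.
    cert=$(mktemp) || return 1

    pkcs11-tool --module "$module" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" \
        --keypairgen --key-type "$key_type" --label "$label" "$usage"

    certtool --generate-self-signed \
        --load-privkey="pkcs11:token=TestToken;object=$label;type=private" \
        --load-pubkey="pkcs11:token=TestToken;object=$label;type=public" \
        --template "test/TEST-24-CRYPTSETUP/template.cfg" \
        --outder --outfile "$cert"

    pkcs11-tool --module "$module" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" \
        --write-object "$cert" --type cert --label "$label"

    rm -f -- "$cert"
}

#######################################
# Create a SoftHSM-backed PKCS#11 token holding an RSA and an EC key pair (each
# with a self-signed certificate) for TEST-24-CRYPTSETUP, persist the SoftHSM
# configuration in /etc/softhsm2.conf and point systemd-cryptsetup@.service at
# it through a drop-in.
# Globals:   SOFTHSM2_CONF, GNUTLS_PIN, GNUTLS_SO_PIN are exported for the
#            duration of the setup and unset again at the end.
# Outputs:   progress and warnings on stderr
# Returns:   1 if the SoftHSM p11-kit module cannot be located; other tool
#            failures abort the script under set -e.
#######################################
setup_pkcs11_token() {
    echo "Setup PKCS#11 token" >&2

    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE module_config

    # Temporary SoftHSM config used only while the token is provisioned; the
    # persistent /etc/softhsm2.conf is written at the end. mktemp avoids a
    # fixed, predictable name in /tmp.
    SOFTHSM2_CONF=$(mktemp) || return 1
    export SOFTHSM2_CONF
    mkdir -p /usr/lib/softhsm/tokens/
    cat >"$SOFTHSM2_CONF" <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF

    # Fixed test-only PINs for the throwaway token; they are exported so the
    # tools below can read them from the environment.
    export GNUTLS_PIN="1234"
    export GNUTLS_SO_PIN="12345678"
    softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"

    # Locate p11-kit's module config directory and module directory, falling
    # back to the conventional paths when pkg-config cannot tell us.
    if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
        echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
        P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
    fi

    if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
        echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
        P11_MODULE_DIR="/usr/lib/pkcs11"
    fi

    # Resolve the SoftHSM module path from its p11-kit config. Without these
    # checks a missing config or "module:" line yields an empty path and a
    # confusing failure from pkcs11-tool much later.
    module_config="$P11_MODULE_CONFIGS_DIR/softhsm2.module"
    if [[ ! -r "$module_config" ]]; then
        echo "Cannot read $module_config, unable to locate the SoftHSM PKCS#11 module" >&2
        rm -f -- "$SOFTHSM2_CONF"
        return 1
    fi
    SOFTHSM_MODULE=$(grep -F 'module:' "$module_config"| cut -d ':' -f 2| xargs)
    if [[ -z "$SOFTHSM_MODULE" ]]; then
        echo "No module: entry in $module_config, unable to locate the SoftHSM PKCS#11 module" >&2
        rm -f -- "$SOFTHSM2_CONF"
        return 1
    fi
    # A relative module path is resolved against p11-kit's module directory.
    if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
        SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
    fi

    # RSA #####################################################
    _pkcs11_keypair_with_cert "$SOFTHSM_MODULE" "RSA:2048" "RSATestKey" --usage-decrypt

    # prime256v1 ##############################################
    _pkcs11_keypair_with_cert "$SOFTHSM_MODULE" "EC:prime256v1" "ECTestKey" --usage-derive

    ###########################################################
    rm -f -- "$SOFTHSM2_CONF"
    unset SOFTHSM2_CONF

    # Persistent config for the token created above, used at test time.
    cat >/etc/softhsm2.conf <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
log.level = INFO
EOF

    # Drop-in so systemd-cryptsetup@ finds the SoftHSM config and the test PIN.
    # The PIN is a fixed test value for this throwaway image, hence it is fine
    # for it to live in a unit drop-in. Unquoted EOF on purpose: $GNUTLS_PIN
    # must expand here.
    mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
    cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
[Unit]
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
StartLimitBurst=10

[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF

    unset GNUTLS_PIN
    unset GNUTLS_SO_PIN
}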
# Provision the PKCS#11 token only when every prerequisite checked by can_test_pkcs11 is
# present; otherwise the test is skipped and the build carries on.
if can_test_pkcs11; then setup_pkcs11_token; fi