Compare commits

..

No commits in common. "d737fce6ea7ad70db1200430ea79f7a9fc48cafa" and "fbdb919b7fcfc665d93e475e2e5bab718a7ed5c6" have entirely different histories.

15 changed files with 82 additions and 479 deletions

View File

@ -6,38 +6,16 @@ FROM stagex/cpio AS cpio
FROM stagex/linux-airgap AS linux FROM stagex/linux-airgap AS linux
FROM stagex/mtools AS mtools FROM stagex/mtools AS mtools
FROM stagex/xz AS xz FROM stagex/xz AS xz
FROM stagex/eudev AS eudev
FROM stagex/keyfork AS keyfork
FROM stagex/openpgp-card-tools AS openpgp-card-tools
FROM stagex/gpg AS gpg
FROM stagex/bash AS bash
FROM stagex/grub:local AS grub FROM stagex/grub:local AS grub
FROM stagex/npth AS npth
FROM stagex/libksba AS libksba
FROM stagex/libgpg-error AS libgpg-error
FROM stagex/libassuan AS libassuan
FROM stagex/libgcrypt AS libgcrypt
FROM stagex/jq AS jq
FROM stagex/bc AS bc
FROM stagex/git AS git
FROM stagex/zlib AS zlib
FROM stagex/tpm2-tools AS tpm2-tools
FROM stagex/tpm2-tss AS tpm2-tss
FROM stagex/openssl AS openssl
FROM stagex/pcsc-lite AS pcsc-lite
FROM stagex/flashtools AS flashtools
FROM scratch AS base FROM scratch AS base
ARG VERSION development
ARG GIT_TIMESTAMP null
ARG GIT_AUTHOR null
ARG GIT_REF null
ARG GIT_KEY null
COPY --from=busybox . / COPY --from=busybox . /
COPY --from=musl . / COPY --from=musl . /
COPY --from=xorriso . / COPY --from=xorriso . /
COPY --from=cpio . / COPY --from=cpio . /
COPY --from=mtools . / COPY --from=mtools . /
COPY --from=linux . /
COPY --from=syslinux . /
COPY --from=xz . / COPY --from=xz . /
COPY --from=grub . / COPY --from=grub . /
@ -47,55 +25,41 @@ FROM base AS build
COPY --from=linux /bzImage iso/boot/vmlinuz COPY --from=linux /bzImage iso/boot/vmlinuz
## Initramfs ## Initramfs
COPY --from=busybox . initramfs COPY --from=stagex/busybox . initramfs
COPY --from=eudev . initramfs COPY --chmod=0755 <<-EOF initramfs/init
COPY --from=musl . initramfs #!/bin/sh
COPY --from=zlib . initramfs /bin/sh
COPY --from=npth . initramfs
COPY --from=libksba . initramfs
COPY --from=libgpg-error . initramfs
COPY --from=libassuan . initramfs
COPY --from=libgcrypt . initramfs
COPY --from=keyfork . initramfs
COPY --from=bash . initramfs
COPY --from=gpg . initramfs
COPY --from=jq . initramfs
COPY --from=bc . initramfs
COPY --from=git . initramfs
COPY --from=flashtools . initramfs
COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs
COPY --from=pcsc-lite . initramfs
COPY --from=openpgp-card-tools . initramfs
COPY rootfs/ initramfs
COPY <<-EOF initramfs/etc/environment
export VERSION="$VERSION"
export GIT_TIMESTAMP="$GIT_TIMESTAMP"
export GIT_AUTHOR="$GIT_AUTHOR"
export GIT_REF="$GIT_REF"
export GIT_KEY="$GIT_KEY"
EOF EOF
RUN <<-EOF RUN <<-EOF
cd initramfs set -eux
find . -print0 \ cd initramfs
| cpio --null --create --verbose --format=newc \ find . \
| gzip --best > ../iso/boot/initramfs | cpio -o -H newc \
| gzip -9 \
> ../iso/boot/initramfs
EOF EOF
## Grub (EFI Boot) ## Grub (EFI Boot)
COPY config/grub.cfg iso/boot/grub/grub.cfg COPY <<-EOF iso/boot/grub/grub.cfg
COPY config/grub_early.cfg grub_early.cfg menuentry "Linux Airgap" {
linux /boot/vmlinuz
initrd /boot/initramfs
}
EOF
COPY <<-EOF grub_early.cfg
search --no-floppy --set=root --label "Airgap"
set prefix=(\$root)/boot/grub
EOF
RUN <<-EOF RUN <<-EOF
set -eux set -eux
mkdir -p efi/boot mkdir -p iso/efi/boot
grub-mkimage \ grub-mkimage \
--config="grub_early.cfg" \ --config="grub_early.cfg" \
--prefix="/boot/grub" \ --prefix="/boot/grub" \
--output="efi/boot/bootx64.efi" \ --output="iso/efi/boot/bootx64.efi" \
--format="x86_64-efi" \ --format="x86_64-efi" \
--compression="xz" \ --compression="xz" \
all_video \ all_video \
disk \ disk \
part_gpt \ part_gpt \
part_msdos \ part_msdos \
@ -107,24 +71,44 @@ RUN <<-EOF
efi_gop \ efi_gop \
fat \ fat \
iso9660 \ iso9660 \
gzio \ cat \
serial \ echo \
terminal ls \
test \
true \
help \
gzio
EOF
RUN <<-EOF
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 :: mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
mcopy -i iso/boot/grub/efi.img -s efi :: mcopy -i iso/boot/grub/efi.img iso/efi
touch -md "@0" iso/boot/grub/efi.img touch -md "@0" iso/boot/grub/efi.img
EOF EOF
## Syslinux (BIOS Boot) ## Syslinux (BIOS Boot)
COPY config/syslinux.cfg iso/boot/syslinux/ COPY <<-EOF iso/boot/syslinux/syslinux.cfg
COPY --from=syslinux \ TIMEOUT 2
/usr/share/syslinux/isohdpfx.bin \ PROMPT -1
/usr/share/syslinux/isolinux.bin \ DEFAULT Airgap
/usr/share/syslinux/ldlinux.c32 \ LABEL Airgap
/usr/share/syslinux/libutil.c32 \ MENU LABEL Linux Airgap
/usr/share/syslinux/libcom32.c32 \ KERNEL /boot/vmlinuz
/usr/share/syslinux/mboot.c32 \ INITRD /boot/initramfs
iso/boot/syslinux/ EOF
RUN <<-EOF
mkdir -p iso/boot/syslinux
for file in \
isohdpfx.bin \
isolinux.bin \
ldlinux.c32 \
libutil.c32 \
libcom32.c32 \
mboot.c32; \
do
mv /usr/share/syslinux/$file iso/boot/syslinux/$file || return 1
done
EOF
## Build Hybrid EFI/BIOS ISO ## Build Hybrid EFI/BIOS ISO
FROM build AS install FROM build AS install
@ -134,7 +118,6 @@ RUN xorrisofs \
-joliet \ -joliet \
-rational-rock \ -rational-rock \
-sysid LINUX \ -sysid LINUX \
-volid "airgap" \
-isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \ -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
-eltorito-boot boot/syslinux/isolinux.bin \ -eltorito-boot boot/syslinux/isolinux.bin \
-eltorito-catalog boot/syslinux/boot.cat \ -eltorito-catalog boot/syslinux/boot.cat \
@ -149,5 +132,5 @@ RUN xorrisofs \
iso/ iso/
FROM scratch AS package FROM scratch AS package
COPY --from=install /initramfs /initramfs COPY --from=install /iso /iso
COPY --from=install /airgap.iso / COPY --from=install /airgap.iso /

View File

@ -1,42 +1,27 @@
VERSION := $(shell git tag --points-at HEAD)
GIT_REF := $(shell git log -1 --format=%H)
GIT_AUTHOR := $(shell git log -1 --format=%an)
GIT_KEY := $(shell git log -1 --format=%GP)
GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
.DEFAULT_GOAL := .DEFAULT_GOAL :=
.PHONY: default .PHONY: default
default: \ default: \
out/airgap.iso out/airgap.iso
.PHONY: vm .PHONY: vm
vm: vm-bios vm: out/airgap.iso
.PHONY: vm-bios
vm-bios: out/airgap.iso
qemu-system-x86_64 \ qemu-system-x86_64 \
-m 4G \ -m 512M \
-machine pc \ -machine pc \
-serial stdio \ -nographic \
-cdrom "out/airgap.iso" -cdrom "out/airgap.iso"
.PHONY: vm-efi .PHONY: vm-uefi
vm-efi: out/airgap.iso vm-uefi:
qemu-system-x86_64 \ qemu-system-x86_64 \
-m 4G \ -m 4G \
-machine pc \ -machine type=q35 \
-serial stdio \
-bios /usr/share/ovmf/OVMF.fd \ -bios /usr/share/ovmf/OVMF.fd \
-cdrom "out/airgap.iso" -cdrom "out/airgap.iso"
out/airgap.iso: Containerfile $(shell git ls-files rootfs) out/airgap.iso: Containerfile
docker build \ docker build \
--progress=plain \ --progress=plain \
--output type=local,dest=out \ --output type=local,dest=out \
--build-arg VERSION="$(or $(VERSION),"development")" \
--build-arg GIT_REF="$(GIT_REF)" \
--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
--build-arg GIT_KEY="$(GIT_KEY)" \
--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
-f Containerfile \ -f Containerfile \
. .

View File

@ -1,5 +0,0 @@
set timeout=1
menuentry "Linux Airgap" {
linux /boot/vmlinuz init=/init console=ttyS0 console=tty0 ro
initrd /boot/initramfs
}

View File

@ -1,2 +0,0 @@
search --no-floppy --set=root --label "airgap"
set prefix=($root)/boot/grub

View File

@ -1,8 +0,0 @@
TIMEOUT 2
PROMPT -1
DEFAULT Airgap
LABEL Airgap
MENU LABEL Linux Airgap
KERNEL /boot/vmlinuz
INITRD /boot/initramfs
APPEND init=/init console=ttyS0 console=tty0 ro

View File

@ -1,55 +0,0 @@
#!/bin/sh
DAEMON="syslogd"
PIDFILE="/var/run/$DAEMON.pid"
SYSLOGD_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
# BusyBox' syslogd does not create a pidfile, so pass "-n" in the command line
# and use "-m" to instruct start-stop-daemon to create one.
start() {
printf 'Starting %s: ' "$DAEMON"
# shellcheck disable=SC2086 # we need the word splitting
start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
-- -n $SYSLOGD_ARGS
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
stop() {
printf 'Stopping %s: ' "$DAEMON"
start-stop-daemon -K -q -p "$PIDFILE"
status=$?
if [ "$status" -eq 0 ]; then
rm -f "$PIDFILE"
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
restart() {
stop
sleep 1
start
}
case "$1" in
start|stop|restart)
"$1";;
reload)
# Restart, since there is no true "reload" feature.
restart;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

View File

@ -1,55 +0,0 @@
#!/bin/sh
DAEMON="klogd"
PIDFILE="/var/run/$DAEMON.pid"
KLOGD_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
# BusyBox' klogd does not create a pidfile, so pass "-n" in the command line
# and use "-m" to instruct start-stop-daemon to create one.
start() {
printf 'Starting %s: ' "$DAEMON"
# shellcheck disable=SC2086 # we need the word splitting
start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
-- -n $KLOGD_ARGS
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
stop() {
printf 'Stopping %s: ' "$DAEMON"
start-stop-daemon -K -q -p "$PIDFILE"
status=$?
if [ "$status" -eq 0 ]; then
rm -f "$PIDFILE"
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
restart() {
stop
sleep 1
start
}
case "$1" in
start|stop|restart)
"$1";;
reload)
# Restart, since there is no true "reload" feature.
restart;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

View File

@ -1,94 +0,0 @@
#!/bin/sh
#
# This script is used by busybox and procps-ng.
#
# With procps-ng, the "--system" option of sysctl also enables "--ignore", so
# errors are not reported via syslog. Use the run_logger function to mimic the
# --system behavior, still reporting errors via syslog. Users not interested
# on error reports can add "-e" to SYSCTL_ARGS.
#
# busybox does not have a "--system" option neither reports errors via syslog,
# so the scripting provides a consistent behavior between the implementations.
# Testing the busybox sysctl exit code is fruitless, as at the moment, since
# its exit status is zero even if errors happen. Hopefully this will be fixed
# in a future busybox version.
PROGRAM="sysctl"
SYSCTL_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$PROGRAM" ] && . "/etc/default/$PROGRAM"
# Files are read from directories in the SYSCTL_SOURCES list, in the given
# order. A file may be used more than once, since there can be multiple
# symlinks to it. No attempt is made to prevent this.
SYSCTL_SOURCES="/etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf"
# If the logger utility is available all messages are sent to syslog, except
# for the final status. The file redirections do the following:
#
# - stdout is redirected to syslog with facility.level "kern.info"
# - stderr is redirected to syslog with facility.level "kern.err"
# - file dscriptor 4 is used to pass the result to the "start" function.
#
run_logger() {
# shellcheck disable=SC2086 # we need the word splitting
find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
xargs -0 -r -n 1 readlink -f | {
prog_status="OK"
while :; do
read -r file || {
echo "$prog_status" >&4
break
}
echo "* Applying $file ..."
/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
done 2>&1 >&3 | /usr/bin/logger -t sysctl -p kern.err
} 3>&1 | /usr/bin/logger -t sysctl -p kern.info
}
# If logger is not available all messages are sent to stdout/stderr.
run_std() {
# shellcheck disable=SC2086 # we need the word splitting
find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
xargs -0 -r -n 1 readlink -f | {
prog_status="OK"
while :; do
read -r file || {
echo "$prog_status" >&4
break
}
echo "* Applying $file ..."
/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
done
}
}
if [ -x /usr/bin/logger ]; then
run_program="run_logger"
else
run_program="run_std"
fi
start() {
printf '%s %s: ' "$1" "$PROGRAM"
status=$("$run_program" 4>&1)
echo "$status"
if [ "$status" = "OK" ]; then
return 0
fi
return 1
}
case "$1" in
start)
start "Running";;
restart|reload)
start "Rerunning";;
stop)
:;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

View File

@ -1,29 +0,0 @@
#!/bin/sh
# Check for config file and read it
UDEV_CONFIG=/etc/udev/udev.conf
test -r $UDEV_CONFIG || exit 6
. $UDEV_CONFIG
case "$1" in
start)
printf "Populating %s using udev: " "${udev_root:-/dev}"
[ -e /proc/sys/kernel/hotplug ] && printf '\000\000\000\000' > /proc/sys/kernel/hotplug
/sbin/udevd -d || { echo "FAIL"; exit 1; }
udevadm trigger --type=subsystems --action=add
udevadm trigger --type=devices --action=add
udevadm settle --timeout=30 || echo "udevadm settle failed"
echo "done"
;;
stop)
# Stop execution of events
udevadm control --stop-exec-queue
killall udevd
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0

View File

@ -1,70 +0,0 @@
#! /bin/sh
#
# Preserve the random seed between reboots. See urandom(4).
#
# Quietly do nothing if /dev/urandom does not exist
[ -c /dev/urandom ] || exit 0
URANDOM_SEED="/var/lib/random-seed"
# shellcheck source=/dev/null
[ -r "/etc/default/urandom" ] && . "/etc/default/urandom"
if pool_bits=$(cat /proc/sys/kernel/random/poolsize 2> /dev/null); then
pool_size=$((pool_bits/8))
else
pool_size=512
fi
init_rng() {
[ -f "$URANDOM_SEED" ] || return 0
printf 'Initializing random number generator: '
dd if="$URANDOM_SEED" bs="$pool_size" of=/dev/urandom count=1 2> /dev/null
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
save_random_seed() {
printf 'Saving random seed: '
status=1
if touch "$URANDOM_SEED.new" 2> /dev/null; then
old_umask=$(umask)
umask 077
dd if=/dev/urandom of="$URANDOM_SEED.tmp" bs="$pool_size" count=1 2> /dev/null
cat "$URANDOM_SEED" "$URANDOM_SEED.tmp" 2>/dev/null \
| sha256sum \
| cut -d ' ' -f 1 > "$URANDOM_SEED.new" && \
mv "$URANDOM_SEED.new" "$URANDOM_SEED" && status=0
rm -f "$URANDOM_SEED.tmp"
umask "$old_umask"
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
else
echo "SKIP (read-only file system detected)"
fi
return "$status"
}
case "$1" in
start|restart|reload)
# Carry a random seed from start-up to start-up
# Load and then save the whole entropy pool
init_rng && save_random_seed;;
stop)
# Carry a random seed from shut-down to start-up
# Save the whole entropy pool
save_random_seed;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

View File

@ -1,27 +0,0 @@
#!/bin/sh
# Stop all init scripts in /etc/init.d
# executing them in reversed numerical order.
#
for i in $(ls -r /etc/init.d/S??*) ;do
# Ignore dangling symlinks (if any).
[ ! -f "$i" ] && continue
case "$i" in
*.sh)
# Source shell script for speed.
(
trap - INT QUIT TSTP
set stop
. $i
)
;;
*)
# No sh extension, so fork subprocess.
$i stop
;;
esac
done

View File

@ -1,27 +0,0 @@
#!/bin/sh
# Start all init scripts in /etc/init.d
# executing them in numerical order.
#
for i in /etc/init.d/S??* ;do
# Ignore dangling symlinks (if any).
[ ! -f "$i" ] && continue
case "$i" in
*.sh)
# Source shell script for speed.
(
trap - INT QUIT TSTP
set start
. $i
)
;;
*)
# No sh extension, so fork subprocess.
$i start
;;
esac
done

View File

@ -1,5 +1,11 @@
# /etc/inittab # /etc/inittab
#
# Copyright (C) 2001 Erik Andersen <andersen@codepoet.org>
#
# Note: BusyBox init doesn't support runlevels. The runlevels field is
# completely ignored by BusyBox init. If you want runlevels, use
# sysvinit.
#
# Format for each entry: <id>:<runlevels>:<action>:<process> # Format for each entry: <id>:<runlevels>:<action>:<process>
# #
# id == tty to run on, or empty for /dev/console # id == tty to run on, or empty for /dev/console
@ -8,15 +14,16 @@
# process == program to run # process == program to run
# Startup the system # Startup the system
::sysinit:/bin/mount -t devtmpfs devtmpfs /dev
::sysinit:/bin/mkdir -p /proc /run /dev/pts /dev/shm
::sysinit:/bin/mount -t proc proc /proc ::sysinit:/bin/mount -t proc proc /proc
::sysinit:/bin/mount -o remount,rw / ::sysinit:/bin/mount -o remount,rw /
::sysinit:/bin/mkdir -p /dev/pts /dev/shm
::sysinit:/bin/mount -a ::sysinit:/bin/mount -a
::sysinit:/sbin/swapon -a
null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
::sysinit:/bin/hostname -F /etc/hostname
# now run any rc scripts # now run any rc scripts
::sysinit:/etc/init.d/rcS ::sysinit:/etc/init.d/rcS
@ -29,4 +36,5 @@ null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
# Stuff to do before rebooting # Stuff to do before rebooting
::shutdown:/etc/init.d/rcK ::shutdown:/etc/init.d/rcK
::shutdown:/sbin/swapoff -a
::shutdown:/bin/umount -a -r ::shutdown:/bin/umount -a -r

View File

@ -3,7 +3,8 @@ export PATH="/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
export PS1="[\h \t] \\$ " export PS1="[\h \t] \\$ "
export GNUPGHOME=/.gnupg export GNUPGHOME=/.gnupg
source /etc/environment source /etc/environment
cd /root
dmesg -n1
clear clear
cat << "EOF" cat << "EOF"
_ _ ___ ____ _ _ ___ ____

View File

@ -1,2 +0,0 @@
#!/bin/sh
exec /bin/init