From 8308101a3586a363b01ac736dfed8caea40f237b Mon Sep 17 00:00:00 2001
From: Sam Ebstein
Date: Thu, 19 Sep 2024 09:41:42 -0700
Subject: [PATCH 1/2] Containerfile: creating a fat32 formatted third partition on airgap.iso to allow for arbitrary user data.
---
 Containerfile | 22 ++++++++++++++++++++++
 Makefile | 8 ++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/Containerfile b/Containerfile
index 155c807..1b02cdc 100644
--- a/Containerfile
+++ b/Containerfile
@@ -179,6 +179,28 @@ RUN <<-EOF
 iso/
 EOF
+# Need sfdisk from util-linux
+COPY --from=util-linux . .
+RUN <<-EOF
+ set -eux
+ # Increase the size of the ISO by 512 MB to create space for the third partition
+ dd if=/dev/zero bs=1M count=512 >> airgap.iso
+ # Append a new partition that uses the additional space
+ echo ", +" | sfdisk --append airgap.iso
+ # Set the newly added third partition to FAT32
+ sfdisk --part-type airgap.iso 3 b
+ # Calculate the byte offset of the third partition
+ # This is done by finding the end of the first partition using fdisk, adding 1 sector,
+ # and multiplying by 512 (since each sector is 512 bytes).
+ OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}')
+ # Format the third partition as FAT32 and label it 'USER'
+ mformat -v USER -i airgap.iso@@$OFFSET ::
+EOF
+
 ## Minimal Autorun SD card image
 COPY sdcard sdcard
 RUN <<-EOF
diff --git a/Makefile b/Makefile
index 4c573cd..87223db 100644
--- a/Makefile
+++ b/Makefile
@@ -55,7 +55,9 @@ vm-bios: out/airgap.iso
 -usbdevice tablet \
 -drive id=external,if=none,format=raw,file=out/sdcard.img \
 -display gtk,show-menubar=off,zoom-to-fit=on \
- -cdrom "out/airgap.iso"
+ -device usb-storage,drive=usbdrive \
+ -drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
+ -boot order=c
 .PHONY: vm-efi
 vm-efi: out/airgap.iso
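Review bot: `OFFSET` on the `fdisk -l | awk` line is derived from the end of partition 1 plus one sector rather than from the start of the partition that was just created, and an empty result (no `airgap.iso1` match, or a `*` boot-flag column shifting what `$4` refers to) is not caught by `set -u`, so `mformat -i airgap.iso@@$OFFSET` would run against an unintended offset in the image. Read partition 3 directly and fail closed when it cannot be found: `OFFSET=$(fdisk -l airgap.iso | awk '$1 == "airgap.iso3" {print $2 * 512}')` followed by `: "${OFFSET:?could not determine start of partition 3}"`. The fixed 512-byte sector size also deserves a comment, since `fdisk -l` prints the sector size it is using and the arithmetic silently depends on it matching.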
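Review bot: The `-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso` line attaches the build output as a writable USB disk, whereas the removed `-cdrom` line exposed it read-only; any guest write, for example to the new FAT32 partition, now lands in `out/airgap.iso` in place, so a VM session can presumably alter the same artifact the signing targets further down the Makefile consume. Add `readonly=on` to that `-drive` line, or `snapshot=on` if scratch writes are wanted while testing; the `vm-efi` hunk in this patch has the same issue.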
@@ -70,7 +72,9 @@ vm-efi: out/airgap.iso
 -usbdevice tablet \
 -drive id=external,if=none,format=raw,file=out/sdcard.img \
 -display gtk,show-menubar=off,zoom-to-fit=on \
- -cdrom "out/airgap.iso"
+ -device usb-storage,drive=usbdrive \
+ -drive id=usbdrive,if=none,format=raw,file=airgap.iso \
+ -boot order=c
 ## Signing, Verification, and Release Targets
From d8dd960dd57df4e28e40b570830e6eb34ff28aeb Mon Sep 17 00:00:00 2001
From: Sam Ebstein
Date: Thu, 19 Sep 2024 12:52:39 -0700
Subject: [PATCH 2/2] rootfs/usr/local/bin/autorun: adding autorun checks on new fat32 formatted USER partition
---
 Makefile | 2 +-
 rootfs/usr/local/bin/autorun | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 87223db..bf3948e 100644
--- a/Makefile
+++ b/Makefile
@@ -73,7 +73,7 @@ vm-efi: out/airgap.iso
 -drive id=external,if=none,format=raw,file=out/sdcard.img \
 -display gtk,show-menubar=off,zoom-to-fit=on \
 -device usb-storage,drive=usbdrive \
- -drive id=usbdrive,if=none,format=raw,file=airgap.iso \
+ -drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
 -boot order=c
 ## Signing, Verification, and Release Targets
diff --git a/rootfs/usr/local/bin/autorun b/rootfs/usr/local/bin/autorun
index 89a8db2..c811d6a 100755
--- a/rootfs/usr/local/bin/autorun
+++ b/rootfs/usr/local/bin/autorun
@@ -4,7 +4,17 @@ source /etc/profile
 folder=${1?}
-if [ -f "${folder}/autorun.sh.asc" ]; then
+if [ "$folder" == "/media/USER" ] && [ -f "${folder}/autorun.sh" ]; then
+ if touch "${folder}/.write_test" 2>/dev/null; then
+ echo "!! Autorun: Read-only verification failed for /media/USER" >/dev/console
+ exit 1;
+ else
+ echo "" >/dev/console
+ echo "++ Autorun: Found /media/USER/autorun.sh" >/dev/console;
+ echo "** Autorun: Executing /media/USER/autorun.sh" >/dev/console
+ /bin/bash "/media/USER/autorun.sh" >/dev/console
+ fi
+elif [ -f "${folder}/autorun.sh.asc" ]; then
 echo "" >/dev/console
 echo "++ Autorun: Found ${folder}/autorun.sh" >/dev/console;
 gpg --verify "${folder}/autorun.sh.asc" >/dev/null 2>&1 || {
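Review bot: The new `/media/USER` branch executes `/media/USER/autorun.sh` with no signature check, while the `elif` branch below still requires `autorun.sh.asc` and `gpg --verify`; the `touch` write-test only establishes that the mount is read-only, which says nothing about who authored the partition contents, and patch 1 introduces this partition explicitly for arbitrary user data. Unless unsigned execution from USER is intended and documented in the script header, gate the branch on the same artefacts as the existing path, e.g. `if [ "$folder" == "/media/USER" ] && [ -f "${folder}/autorun.sh.asc" ]; then` followed by the same `gpg --verify` block. Minor: when `touch` succeeds the `.write_test` file is left behind before `exit 1`, so add `rm -f "${folder}/.write_test"` there, and the stray `;` after `exit 1` and after the `Found` echo are unnecessary. The `if`/`elif` chain and the gpg failure block continue past the end of the hunk.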