Compare commits
47 Commits
stagex-rew
...
main
Author | SHA1 | Date |
---|---|---|
Sam Ebstein | bb76f61615 | |
Lance Vick | 934fb903dd | |
Sam Ebstein | 575967e5b4 | |
Lance Vick | 8db8dfc2a1 | |
Lance Vick | e75ac046e0 | |
Lance Vick | d480d0a809 | |
Lance Vick | 23cf93a8c2 | |
Lance Vick | 1f2abbaee9 | |
Lance Vick | 6fa36e4e74 | |
Lance Vick | cac8bc947d | |
Sam Ebstein | d8dd960dd5 | |
Sam Ebstein | 8308101a35 | |
Ryan Heywood | 1f26de8fc1 | |
Ryan Heywood | 4ad5be07db | |
Lance Vick | 657a3ff611 | |
Lance Vick | ea623cc147 | |
Ryan Heywood | 95ccf80fe8 | |
Ryan Heywood | 5904a22c80 | |
Anton Livaja | 485fc58bfb | |
Lance Vick | e1c677bc06 | |
Lance Vick | dc8515ea02 | |
Lance Vick | 3cb460b72e | |
Lance Vick | f1c0f2f8b5 | |
Lance Vick | 1f2ce99275 | |
Lance Vick | 721ffad1f0 | |
Lance Vick | 74bf27bc66 | |
Lance Vick | 44e18ea21b | |
Lance Vick | a2a3cce64c | |
Lance Vick | f0270a2862 | |
Lance Vick | 24725ea630 | |
Lance Vick | 96ea9054f9 | |
Lance Vick | 4676d9f889 | |
Lance Vick | d1707c48f1 | |
Lance Vick | 51ec4ca719 | |
Lance Vick | f735b7e3af | |
Lance Vick | c20dedcc35 | |
Lance Vick | d737fce6ea | |
Lance Vick | e886bc51fa | |
Lance Vick | fbdb919b7f | |
Anton Livaja | df223e6deb | |
Anton Livaja | 1578b3c76d | |
Anton Livaja | 0af9d294a7 | |
Anton Livaja | dc60d53fca | |
Ryan Heywood | 16479807f1 | |
Spencer Judd | 38689b24b2 | |
Lance Vick | de0a962876 | |
Spencer Judd | 7d9f87c976 |
|
@ -1 +1,2 @@
|
|||
dist/*.iso filter=lfs diff=lfs merge=lfs -text
|
||||
dist/airgap.iso filter=lfs diff=lfs merge=lfs -text
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
cache/
|
||||
out/
|
||||
out*/
|
||||
.*
|
||||
|
|
271
Containerfile
271
Containerfile
|
@ -1,69 +1,236 @@
|
|||
FROM stagex/busybox AS busybox
|
||||
FROM stagex/musl AS musl
|
||||
FROM stagex/xorriso AS xorriso
|
||||
FROM stagex/syslinux AS syslinux
|
||||
FROM stagex/cpio AS cpio
|
||||
FROM stagex/linux-airgap AS linux
|
||||
FROM stagex/mtools AS mtools
|
||||
FROM stagex/dosfstools AS dosfstools
|
||||
FROM stagex/alsa-lib:sx2024.09.0@sha256:a41b481187f76c1e9ed4e237977f4892c1507a3b8f8f6736ff3fdd5144bd2afb AS alsa-lib
|
||||
FROM stagex/bash:sx2024.09.0@sha256:cb58f55d268fbe7ef629cda86e3a8af893066e4af7f26ef54748b6ad47bdaa66 AS bash
|
||||
FROM stagex/bc:sx2024.09.0@sha256:039cc5ac357a17d6374445fe4eed1dac15cc72f615bd9657c17e2c3904d42b62 AS bc
|
||||
FROM stagex/busybox:sx2024.09.0@sha256:d34bfa56566aa72d605d6cbdc154de8330cf426cfea1bc4ba8013abcac594395 AS busybox
|
||||
FROM stagex/ccid:sx2024.09.0@sha256:3225dc4a6a1af5f828854157a6b16eb09a0b0f7ebe9d9ee34030afe3966afad1 AS ccid
|
||||
FROM stagex/cpio:sx2024.09.0@sha256:abccb58edb5f1f31b3b9c8b61cffa10cd56de3307e337335927b8df4d9112d24 AS cpio
|
||||
FROM stagex/curl:sx2024.09.0@sha256:8e5705a77a76c92d058e016184dabd0c4fa2f6117021cc5ff55df35f654cb158 AS curl
|
||||
FROM stagex/dtc:sx2024.09.0@sha256:57f8aaa94059c43081b32fccb473ebd2c0cf16878dcf0e24e0e56c910467e93a AS dtc
|
||||
FROM stagex/eudev:sx2024.09.0@sha256:7da7aed7ea7eb73bda86e206e765bdc8e6367c2c2ae535ccd68c7c1b0a936611 AS eudev
|
||||
FROM stagex/flashtools:sx2024.09.0@sha256:4e61cc6f0af9aa6116bb93f048c20d00026d75c27dc52b7e8604f0e340c55b80 AS flashtools
|
||||
FROM stagex/gcc:sx2024.09.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc
|
||||
FROM stagex/glib:sx2024.09.0@sha256:d280c18f8b52ce21a26924b0cb1bfb69ea6508b57db73efe22401572e71dbe84 AS glib
|
||||
FROM stagex/gpg:sx2024.09.0@sha256:f63555b39740db63b34c06894a4a9d5e125d04f5d51e799909d06c490e8ecd42 AS gpg
|
||||
FROM stagex/grub:sx2024.09.0@sha256:a14c60f152c759185e5702e910053cb5c0d9eee11f43d8d5d40a84123aece9fd AS grub
|
||||
FROM stagex/ipxe:sx2024.09.0@sha256:5791d9b42c7e9099a0180c4fe6cc4b8e9afc9e6b9ec392099c65c53b71db7908 AS ipxe
|
||||
FROM stagex/jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
|
||||
FROM stagex/jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
|
||||
FROM stagex/keyfork:sx2024.09.0@sha256:2288c1d769a0c3c535835019ad4919cc45b094492b5aa959a0eaf1e883a96214 AS keyfork
|
||||
FROM stagex/libaio:sx2024.09.0@sha256:c8d6dd6f3e6fbda73ac0620b2bc4b4cfe6fa504bf7a17eee3bb56e286c394b8b AS libaio
|
||||
FROM stagex/libassuan:sx2024.09.0@sha256:1f31e888ab3f02634009d1a38acca9f25deb827432eb91392e21fd75128a44aa AS libassuan
|
||||
FROM stagex/libffi:sx2024.09.0@sha256:ab647ebf8464e00cde623f86f716e7f50ce82c30eafde813b7977d917ff7143a AS libffi
|
||||
FROM stagex/libgcrypt:sx2024.09.0@sha256:49c84a586969ff625b3304dcf8905a98db0da36fb8704e3d7a0771d271509b68 AS libgcrypt
|
||||
FROM stagex/libgpg-error:sx2024.09.0@sha256:11c17c1ac41f36c85e538bd34a0095a9f17e116f61c38d560350c02a6929e55a AS libgpg-error
|
||||
FROM stagex/libksba:sx2024.09.0@sha256:2913b382fdb76f02f9d78ee162066e04953ba782b8f722145111617a842f40a3 AS libksba
|
||||
FROM stagex/libqrencode:sx2024.09.0@sha256:8c0f523bdf8d315e7b67cadd584e23d22a316dd1973232d49603e127717e4d1a AS libqrencode
|
||||
FROM stagex/libseccomp:sx2024.09.0@sha256:f48d783989da9d509cc6b4c12ec34e14074ffc1ab7a4f2d1e322c417d967e12f AS libseccomp
|
||||
FROM stagex/libslirp:sx2024.09.0@sha256:9dfb87e4a0adba80b862ce6b96112d96f509ffbca25bb71c60ba5bb5693b481d AS libslirp
|
||||
FROM stagex/libtpms:sx2024.09.0@sha256:d909a55137d0bf4a76331c2bf0358ee192d6c93ad77a5099af09ce1bcca2a6cd AS libtpms
|
||||
FROM stagex/libusb:sx2024.09.0@sha256:6c0dcf2b9519b1a41066ad71d3b597e9dae84fb73e5d031a3bdd2eb40f78ef94 AS libusb
|
||||
FROM stagex/libzstd:sx2024.09.0@sha256:a055f8cd6e11b0b8836b2e5e1d755f672edbd344a4f4b5aba94919a6511be4c3 AS libzstd
|
||||
FROM stagex/linux-airgap:sx2024.09.0@sha256:efb98b59ab37a7e33db423eda7a49bb7273b087838fda8098ce6736a0860fc73 AS linux-airgap
|
||||
FROM stagex/lzo:sx2024.09.0@sha256:09c60840e3e3e5835ec027c21283febc9f8cf53ab887576fbe9c38dbdbdfd571 AS lzo
|
||||
FROM stagex/mtools:sx2024.09.0@sha256:c83f7aebce9076903dbf1082aac981d3c0950d9e8952a900e5e072e2a811cda7 AS mtools
|
||||
FROM stagex/musl:sx2024.09.0@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl
|
||||
FROM stagex/npth:sx2024.09.0@sha256:21d50ec1421fe75af4bea240d76022ddb8c114fd2805bfeb06fb938e5a58fc0d AS npth
|
||||
FROM stagex/numactl:sx2024.09.0@sha256:39e667b966a443f42e1c7a8c944203945bd1808ce759df1706bb3b93b0b674c2 AS numactl
|
||||
FROM stagex/openpgp-card-tools:sx2024.09.0@sha256:56d4696d111b309e536f1b70980db7098cd7823005432e4130432cb2f625cf9f AS openpgp-card-tools
|
||||
FROM stagex/opensc:sx2024.09.0@sha256:5117a9d39d3b77655b29bf661d9e04eea2001a5b033b2fd6b4297048330ff6e7 AS opensc
|
||||
FROM stagex/openssl:sx2024.09.0@sha256:2c1a9d8fcc6f52cb11a206f380b17d74c1079f04cbb08071a4176648b4df52c1 AS openssl
|
||||
FROM stagex/pcsc-lite:sx2024.09.0@sha256:4fe37671197ac768637e95f7395ae1a18412b3f42359d0c0aa9f4e7f684aef4e AS pcsc-lite
|
||||
FROM stagex/pcsc-tools:sx2024.09.0@sha256:05046ca5d41a09163eda26785563fd98f0cb1179030c3f4ee3243997a907bb96 AS pcsc-tools
|
||||
FROM stagex/qemu:sx2024.09.0@sha256:c9b099bc7d810a581e0e0f68061dd525d7efdb5334d119b4253249a459bd907e AS qemu
|
||||
FROM stagex/seabios:sx2024.09.0@sha256:f4e535fb1bfc2c7ae1756cdaa2404b1572f6ad195ceabba90d87ed0599fd97d7 AS seabios
|
||||
FROM stagex/sops:sx2024.09.0@sha256:c742fb1f0c5a4f9d9bc9afc37ba686b247d2b17d55d179409d33736b43c9aaa5 AS sops
|
||||
FROM stagex/swtpm:sx2024.09.0@sha256:c47fb2c4d8690936b4adef832a3f354231bb5a04206bf2fb565218034ce27792 AS swtpm
|
||||
FROM stagex/syslinux:sx2024.09.0@sha256:a41388558d7f6d9a29847ee2ff5507ab3100bfe9032ef3b99a3d783ad60ed390 AS syslinux
|
||||
FROM stagex/tpm2-tools:sx2024.09.0@sha256:c2fc693ec68a9d097151e5b3dd5b923f0dcc35fd4e0624b91ade3bf21367162c AS tpm2-tools
|
||||
FROM stagex/tpm2-tss:sx2024.09.0@sha256:a8bf8c0973e1b5ba62ce5034a6230684ebe5a142da275d09e81fa2f2f9c87411 AS tpm2-tss
|
||||
FROM stagex/util-linux:sx2024.09.0@sha256:7e3f3c1e748f5c216503e69b9f8f2e9f8084ec675fb29b23f3a6f0ed3b20c54a AS util-linux
|
||||
FROM stagex/xorriso:sx2024.09.0@sha256:2205a8f53d4fc569880c311061daa085f40c62b2fd94d556e72bd31b4df9e63a AS xorriso
|
||||
FROM stagex/xz:sx2024.09.0@sha256:b57c5e6144117bc0124855e9538e60c302cc7bf53fafb53e2eef3434015366f1 AS xz
|
||||
FROM stagex/yq:sx2024.09.0@sha256:bd6882f0f3ea664e9de6cf732cef2fa2781fc2852f5e6502a6aea1e63eb9708b AS yq
|
||||
FROM stagex/zlib:sx2024.09.0@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib
|
||||
|
||||
FROM scratch AS base
|
||||
ARG VERSION development
|
||||
ARG GIT_TIMESTAMP null
|
||||
ARG GIT_AUTHOR null
|
||||
ARG GIT_REF null
|
||||
ARG GIT_PUBKEY null
|
||||
COPY --from=busybox . /
|
||||
COPY --from=musl . /
|
||||
COPY --from=xorriso . /
|
||||
COPY --from=cpio . /
|
||||
COPY --from=mtools . /
|
||||
COPY --from=linux . /
|
||||
COPY --from=dosfstools . /
|
||||
COPY --from=syslinux . /
|
||||
COPY --from=xz . /
|
||||
COPY --from=grub . /
|
||||
|
||||
FROM base as dev
|
||||
COPY --from=gcc . /
|
||||
COPY --from=glib . /
|
||||
COPY --from=alsa-lib . /
|
||||
COPY --from=lzo . /
|
||||
COPY --from=dtc . /
|
||||
COPY --from=zlib . /
|
||||
COPY --from=numactl . /
|
||||
COPY --from=libaio . /
|
||||
COPY --from=libseccomp . /
|
||||
COPY --from=libffi . /
|
||||
COPY --from=libzstd . /
|
||||
COPY --from=libslirp . /
|
||||
COPY --from=seabios . /
|
||||
COPY --from=ipxe . /
|
||||
COPY --from=qemu . /
|
||||
COPY --from=swtpm . /
|
||||
COPY --from=openssl . /
|
||||
COPY --from=curl . /
|
||||
COPY --from=libtpms . /
|
||||
COPY --from=tpm2-tss . /
|
||||
COPY --from=tpm2-tools . /
|
||||
|
||||
FROM base AS build
|
||||
COPY --from=linux /bzImage /iso/boot/bzImage
|
||||
COPY --from=stagex/busybox . initramfs
|
||||
COPY --chmod=0755 <<-EOF initramfs/init
|
||||
#!/bin/sh
|
||||
/bin/sh
|
||||
|
||||
## Kernel
|
||||
COPY --from=linux-airgap /bzImage iso/boot/vmlinuz
|
||||
|
||||
## Initramfs
|
||||
COPY --from=busybox . initramfs
|
||||
COPY --from=eudev . initramfs
|
||||
COPY --from=musl . initramfs
|
||||
COPY --from=zlib . initramfs
|
||||
COPY --from=npth . initramfs
|
||||
COPY --from=libksba . initramfs
|
||||
COPY --from=libgpg-error . initramfs
|
||||
COPY --from=libassuan . initramfs
|
||||
COPY --from=libgcrypt . initramfs
|
||||
COPY --from=keyfork . initramfs
|
||||
COPY --from=bash . initramfs
|
||||
COPY --from=gpg . initramfs
|
||||
COPY --from=jq . initramfs
|
||||
COPY --from=yq . initramfs
|
||||
COPY --from=bc . initramfs
|
||||
COPY --from=flashtools . initramfs
|
||||
COPY --from=curl . initramfs
|
||||
COPY --from=tpm2-tools . initramfs
|
||||
COPY --from=tpm2-tss . initramfs
|
||||
COPY --from=openssl . initramfs
|
||||
COPY --from=libusb . initramfs
|
||||
COPY --from=ccid . initramfs
|
||||
COPY --from=pcsc-lite . initramfs
|
||||
COPY --from=pcsc-tools . initramfs
|
||||
COPY --from=openpgp-card-tools . initramfs
|
||||
COPY --from=libqrencode . initramfs
|
||||
COPY --from=opensc . initramfs
|
||||
COPY --from=util-linux . initramfs
|
||||
COPY --from=sops . initramfs
|
||||
COPY rootfs/ initramfs
|
||||
COPY <<-EOF initramfs/etc/environment
|
||||
export VERSION="$VERSION"
|
||||
export GIT_TIMESTAMP="$GIT_TIMESTAMP"
|
||||
export GIT_AUTHOR="$GIT_AUTHOR"
|
||||
export GIT_REF="$GIT_REF"
|
||||
export GIT_PUBKEY="$GIT_PUBKEY"
|
||||
EOF
|
||||
RUN cd initramfs && find . | cpio -o -H newc | gzip -9 > /iso/boot/init.gz
|
||||
COPY <<-EOF iso/isolinux/isolinux.cfg
|
||||
DEFAULT linux
|
||||
LABEL linux
|
||||
KERNEL boot/bzImage
|
||||
APPEND initrd=boot/init.gz
|
||||
EOF
|
||||
COPY --from=syslinux /usr/share/syslinux/isolinux.bin iso/isolinux/
|
||||
COPY --from=syslinux /usr/share/syslinux/ldlinux.c32 iso/isolinux/
|
||||
RUN <<-EOF
|
||||
set -eux
|
||||
mkdir -p iso/efi
|
||||
truncate -s $((10796+128+128))k iso/efi/esp.img
|
||||
mkfs.fat -F 16 -f 1 -M 0xF0 -r 112 -R 1 iso/efi/esp.img
|
||||
mmd -i iso/efi/esp.img ::boot
|
||||
mcopy -i iso/efi/esp.img iso/boot/bzImage ::boot/bzImage
|
||||
mcopy -i iso/efi/esp.img iso/boot/init.gz ::boot/init.gz
|
||||
mmd -i iso/efi/esp.img ::syslinux
|
||||
mcopy -i iso/efi/esp.img iso/isolinux/isolinux.cfg ::syslinux/syslinux.cfg
|
||||
mcopy -i iso/efi/esp.img /usr/share/syslinux/efi64/ldlinux.e64 ::syslinux/ldlinux.e64
|
||||
mmd -i iso/efi/esp.img ::efi
|
||||
mmd -i iso/efi/esp.img ::efi/boot
|
||||
mcopy -i iso/efi/esp.img /usr/share/syslinux/efi64/syslinux.efi ::efi/boot/boot64.efi
|
||||
ls -Rlah iso
|
||||
cd initramfs
|
||||
find . -exec touch -hcd "@0" "{}" +
|
||||
find . -print0 \
|
||||
| sort -z \
|
||||
| cpio \
|
||||
--null \
|
||||
--create \
|
||||
--verbose \
|
||||
--reproducible \
|
||||
--format=newc \
|
||||
| gzip --best \
|
||||
> ../iso/boot/initramfs
|
||||
EOF
|
||||
|
||||
## Grub (EFI Boot)
|
||||
COPY config/grub.cfg iso/boot/grub/grub.cfg
|
||||
COPY config/grub_early.cfg grub_early.cfg
|
||||
RUN <<-EOF
|
||||
set -eux
|
||||
mkdir -p efi/boot
|
||||
grub-mkimage \
|
||||
--config="grub_early.cfg" \
|
||||
--prefix="/boot/grub" \
|
||||
--output="efi/boot/bootx64.efi" \
|
||||
--format="x86_64-efi" \
|
||||
--compression="xz" \
|
||||
all_video \
|
||||
disk \
|
||||
part_gpt \
|
||||
part_msdos \
|
||||
linux \
|
||||
normal \
|
||||
configfile \
|
||||
search \
|
||||
search_label \
|
||||
efi_gop \
|
||||
fat \
|
||||
iso9660 \
|
||||
gzio \
|
||||
serial \
|
||||
terminal
|
||||
find efi -exec touch -hcd "@0" "{}" +
|
||||
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
|
||||
mcopy -i iso/boot/grub/efi.img -ms efi ::
|
||||
touch -md "@0" iso/boot/grub/efi.img
|
||||
EOF
|
||||
|
||||
## Syslinux (BIOS Boot)
|
||||
COPY config/syslinux.cfg iso/boot/syslinux/
|
||||
COPY --from=syslinux \
|
||||
/usr/share/syslinux/isohdpfx.bin \
|
||||
/usr/share/syslinux/isolinux.bin \
|
||||
/usr/share/syslinux/ldlinux.c32 \
|
||||
/usr/share/syslinux/libutil.c32 \
|
||||
/usr/share/syslinux/libcom32.c32 \
|
||||
/usr/share/syslinux/mboot.c32 \
|
||||
iso/boot/syslinux/
|
||||
|
||||
## Build Hybrid EFI/BIOS ISO
|
||||
FROM build AS install
|
||||
RUN xorriso \
|
||||
-as mkisofs \
|
||||
-output airgap.iso \
|
||||
-eltorito-boot isolinux/isolinux.bin \
|
||||
-no-emul-boot \
|
||||
-boot-load-size 4 \
|
||||
-boot-info-table \
|
||||
-eltorito-alt-boot \
|
||||
-eltorito-platform efi \
|
||||
-eltorito-boot efi/esp.img \
|
||||
-no-emul-boot \
|
||||
-eltorito-catalog isolinux/boot.cat \
|
||||
iso
|
||||
#RUN isohybrid airgap.iso
|
||||
ENV SOURCE_DATE_EPOCH=1
|
||||
RUN <<-EOF
|
||||
set -eux
|
||||
dd if=/dev/zero bs=1M count=10 >> user.img
|
||||
mformat -v user -i user.img -N 0 ::
|
||||
find iso -exec touch -hcd "@0" "{}" +
|
||||
xorrisofs \
|
||||
-output airgap.iso \
|
||||
-full-iso9660-filenames \
|
||||
-joliet \
|
||||
-rational-rock \
|
||||
-sysid LINUX \
|
||||
-volid "airgap" \
|
||||
-isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
|
||||
-eltorito-boot boot/syslinux/isolinux.bin \
|
||||
-eltorito-catalog boot/syslinux/boot.cat \
|
||||
-no-emul-boot \
|
||||
-boot-load-size 4 \
|
||||
-boot-info-table \
|
||||
-eltorito-alt-boot \
|
||||
-e boot/grub/efi.img \
|
||||
-no-emul-boot \
|
||||
-isohybrid-gpt-basdat \
|
||||
-follow-links \
|
||||
-append_partition 3 0xb user.img \
|
||||
iso/
|
||||
EOF
|
||||
|
||||
## Minimal Autorun SD card image
|
||||
COPY sdcard sdcard
|
||||
RUN <<-EOF
|
||||
set -eux
|
||||
dd if=/dev/zero of=sdcard.img bs=1M count=32
|
||||
mformat -v external -i sdcard.img ::
|
||||
mcopy -i sdcard.img -s sdcard/* ::
|
||||
EOF
|
||||
|
||||
FROM scratch AS package
|
||||
COPY --from=install /sdcard.img /
|
||||
COPY --from=install /airgap.iso /
|
||||
|
|
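Review bot: The provenance values baked into the initramfs via the `COPY <<-EOF initramfs/etc/environment` heredoc (`export VERSION="$VERSION"` … `export GIT_PUBKEY="$GIT_PUBKEY"`) look like they will expand to empty strings: the ARGs are declared in the `base` stage, and as far as I know BuildKit scopes an ARG to the stage that declares it, so the `build` stage (`FROM base AS build`) needs its own `ARG VERSION GIT_TIMESTAMP GIT_AUTHOR GIT_REF GIT_PUBKEY` line ahead of the heredoc. As rendered here the declarations also do not set the defaults they intend — `ARG VERSION development` declares two build args, `VERSION` and `development`, neither with a value, rather than `ARG VERSION=development` (likewise `ARG GIT_TIMESTAMP=null` and the others). Separately, `sdcard.img` is the one artifact built non-reproducibly: `mformat -v external -i sdcard.img ::` lacks the `-N 0` volume-serial pin that `mformat -v user -i user.img -N 0 ::` uses, and `sdcard/` gets no `find … -exec touch -hcd "@0" "{}" +` pass before `mcopy`, yet the `package` stage ships it alongside `airgap.iso`. Minor: `FROM stagex/jq:…` is listed twice in the stage list.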
136
Makefile
136
Makefile
|
@ -1,21 +1,129 @@
|
|||
VERSION := development
|
||||
GIT_REF := $(shell git log -1 --format=%H)
|
||||
GIT_AUTHOR := $(shell git log -1 --format=%an)
|
||||
GIT_PUBKEY := $(shell git log -1 --format=%GP)
|
||||
GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
|
||||
export
|
||||
|
||||
## Use env vars from latest release when reproducing
|
||||
ifdef REPRODUCE
|
||||
include dist/release.env
|
||||
export
|
||||
endif
|
||||
ifdef NOCACHE
|
||||
NO_CACHE := --no-cache
|
||||
endif
|
||||
|
||||
.DEFAULT_GOAL :=
|
||||
.PHONY: default
|
||||
default: \
|
||||
$(OUT_DIR)/airgap.iso
|
||||
out/release.env \
|
||||
out/manifest.txt \
|
||||
out/airgap.iso
|
||||
|
||||
.PHONY: vm
|
||||
vm:
|
||||
$(call toolchain,$(USER)," \
|
||||
qemu-system-i386 \
|
||||
-M pc \
|
||||
-nographic \
|
||||
-cdrom "$(OUT_DIR)/airgap.iso"; \
|
||||
")
|
||||
## Primary targets
|
||||
|
||||
$(OUT_DIR)/airgap.iso: \
|
||||
$(FETCH_DIR)/buildroot
|
||||
out/airgap.iso: Containerfile $(shell git ls-files rootfs)
|
||||
SOURCE_DATE_EPOCH=1 \
|
||||
docker build \
|
||||
--progress=plain \
|
||||
--output type=oci,tar=false,force-compression=true,name=airgap,dest=airgap \
|
||||
. \
|
||||
-f Containerfile
|
||||
--output type=local,rewrite-timestamp=true,dest=out \
|
||||
--build-arg SOURCE_DATE_EPOCH=1 \
|
||||
--build-arg VERSION="$(VERSION)" \
|
||||
--build-arg GIT_REF="$(GIT_REF)" \
|
||||
--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
|
||||
--build-arg GIT_PUBKEY="$(GIT_PUBKEY)" \
|
||||
--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
|
||||
$(NO_CACHE) \
|
||||
-f Containerfile \
|
||||
.
|
||||
|
||||
## Development Targets
|
||||
|
||||
out/dev-shell.digest: Containerfile | out
|
||||
docker build --target dev -f Containerfile -q . > $@
|
||||
|
||||
.PHONY: shell
|
||||
shell: out/dev-shell.digest
|
||||
docker run -it $(shell cat $<) /bin/sh
|
||||
|
||||
.PHONY: vm
|
||||
vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
|
||||
docker run -it -v ./out:/out $(shell cat $<) sh -c "\
|
||||
swtpm socket \
|
||||
--tpmstate dir=. \
|
||||
--ctrl type=unixio,path=vtpm-sock \
|
||||
--tpm2 & \
|
||||
qemu-system-x86_64 \
|
||||
-m 4G \
|
||||
-machine pc \
|
||||
-chardev socket,id=chrtpm,path=vtpm-sock \
|
||||
-tpmdev emulator,id=tpm0,chardev=chrtpm \
|
||||
-device tpm-tis,tpmdev=tpm0 \
|
||||
-usb \
|
||||
-device sdhci-pci \
|
||||
-device sd-card,drive=external \
|
||||
-drive id=external,if=none,format=raw,file=out/sdcard.img \
|
||||
-device usb-storage,drive=usbdrive \
|
||||
-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
|
||||
-boot order=c \
|
||||
-nographic; \
|
||||
"
|
||||
|
||||
## Signing, Verification, and Release Targets
|
||||
|
||||
.PHONY: clean
|
||||
clean:
|
||||
rm -rf out
|
||||
|
||||
.PHONY: release
|
||||
release: clean
|
||||
$(MAKE) NOCACHE=1 VERSION=$(VERSION)
|
||||
rm -rf dist/*
|
||||
cp -R out/release.env out/airgap.iso out/manifest.txt dist/
|
||||
|
||||
.PHONY: sign
|
||||
sign:
|
||||
set -e; \
|
||||
git config --get user.signingkey 2>&1 >/dev/null || { \
|
||||
echo "Error: git user.signingkey is not defined"; \
|
||||
exit 1; \
|
||||
}; \
|
||||
fingerprint=$$(\
|
||||
git config --get user.signingkey \
|
||||
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
|
||||
); \
|
||||
gpg --armor \
|
||||
--detach-sig \
|
||||
--output dist/manifest.$${fingerprint}.asc \
|
||||
dist/manifest.txt
|
||||
|
||||
.PHONY: verify
|
||||
verify: | dist/manifest.txt
|
||||
set -e; \
|
||||
for file in dist/manifest.*.asc; do \
|
||||
echo "\nVerifying: $${file}\n"; \
|
||||
gpg --verify $${file} dist/manifest.txt; \
|
||||
done;
|
||||
|
||||
.PHONY: reproduce
|
||||
reproduce: clean | out
|
||||
$(MAKE) REPRODUCE=true NOCACHE=1
|
||||
diff -q out/manifest.txt dist/manifest.txt;
|
||||
|
||||
out:
|
||||
mkdir -p $@
|
||||
|
||||
out/release.env: $(shell git ls-files) | out
|
||||
echo 'VERSION=$(VERSION)' > out/release.env
|
||||
echo 'GIT_REF=$(GIT_REF)' >> out/release.env
|
||||
echo 'GIT_AUTHOR=$(GIT_AUTHOR)' >> out/release.env
|
||||
echo 'GIT_PUBKEY=$(GIT_PUBKEY)' >> out/release.env
|
||||
echo 'GIT_TIMESTAMP=$(GIT_TIMESTAMP)' >> out/release.env
|
||||
|
||||
out/manifest.txt: out/airgap.iso out/release.env | out
|
||||
openssl sha256 -r \
|
||||
out/airgap.iso \
|
||||
out/release.env \
|
||||
| sed -e 's/ \*out\// /g' -e 's/ \.\// /g' \
|
||||
> $@
|
||||
|
|
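Review bot: `verify` checks that each signature is valid but not who made it: `gpg --verify $${file} dist/manifest.txt` exits 0 for any key present in the verifier's keyring, so a `dist/manifest.<keyid>.asc` produced by some unrelated imported key passes exactly like a maintainer signature, and nothing requires more than one distinct signer if a threshold is the goal. Pin the signer set — e.g. `gpg --no-default-keyring --keyring <maintainer keyring committed to the repo> --verify …`, or parse `--status-fd 1` `VALIDSIG` lines and compare each fingerprint to an allowlist, counting distinct matches and failing below the required number. In `sign`, the output file is named after `user.signingkey` but `gpg --armor --detach-sig …` signs with gpg's default key, so add `--local-user "$$(git config --get user.signingkey)"` to guarantee `manifest.$${fingerprint}.asc` was made by the key it is named for. Also note the README in this compare documents `make attest` for reproducing a release, while the target defined here is `reproduce`.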
57
README.md
57
README.md
|
@ -1,24 +1,26 @@
|
|||
# AirgapOS #
|
||||
|
||||
<https://github.com/distrust-foundation/airgap>
|
||||
<https://git.distrust.co/public/airgap>
|
||||
|
||||
## About ##
|
||||
|
||||
A live buildroot based Liux distribution designed for managing secrets offline.
|
||||
A full-source-bootstrapped, deterministic, minimal, immutable, and offline,
|
||||
workstation linux distribution designed for creating and managing secrets
|
||||
offline.
|
||||
|
||||
Built for those of us that want to be -really- sure our most important secrets
|
||||
are managed in a clean environment with an "air gap" between us and the
|
||||
internet with high integrity on the supply chain of the firmware and OS used.
|
||||
|
||||
## Uses ##
|
||||
* Generate GPG keychain
|
||||
* Generate PGP keychain
|
||||
* Store/Restore gpg keychain to security token such as a Yubikey or Nitrokey
|
||||
* Signing cryptocurrency transactions
|
||||
* Generate/backup BIP39 universal cryptocurrency wallet seed
|
||||
* Store/Restore BIP39 seed to a hardware wallet such as a Trezor or Ledger
|
||||
|
||||
## Features ##
|
||||
* Determinsitic iso generation for multi-party code->binary verification
|
||||
* Deterministic iso generation for multi-party code->binary verification
|
||||
* Small footprint (< 100MB)
|
||||
* Immutable and Diskless: runs from initramfs
|
||||
* Network support and most drivers removed to minimize exfiltration vectors
|
||||
|
@ -27,37 +29,54 @@ internet with high integrity on the supply chain of the firmware and OS used.
|
|||
|
||||
### Software ###
|
||||
|
||||
* docker 18+
|
||||
* docker 26+
|
||||
|
||||
### Hardware ###
|
||||
|
||||
* Recommended: PC running coreboot-heads
|
||||
* Allows for signed builds, and verification of signed sd card payloads
|
||||
* Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
|
||||
* Supported remote attestation key (Librem Key, Nitrokey, etc)
|
||||
* Supported GPG smartcard device (Yubikey, Ledger, Trezor, Librem Key, etc)
|
||||
* x86_64 PC or laptop
|
||||
* linuxboot/heads firmware supported and recommended for multi-use machine
|
||||
* Allows for signed builds, and verification of signed sd card payloads
|
||||
* Ensure any Wifi/Disk/Bluetooth/Audio devices are disabled/removed
|
||||
* Blank flash drive
|
||||
* Blank SD card
|
||||
|
||||
## Build ##
|
||||
|
||||
### Update git submodules
|
||||
|
||||
```
|
||||
git submodule update --init --recursive
|
||||
```
|
||||
|
||||
### Build a new release
|
||||
|
||||
```
|
||||
make release
|
||||
```
|
||||
```
|
||||
make release
|
||||
```
|
||||
|
||||
### Reproduce an existing release
|
||||
|
||||
```
|
||||
make attest
|
||||
```
|
||||
```
|
||||
make attest
|
||||
```
|
||||
|
||||
### Sign an existing release
|
||||
|
||||
```
|
||||
make sign
|
||||
```
|
||||
```
|
||||
make sign
|
||||
```
|
||||
|
||||
## Provisioning ##
|
||||
|
||||
1. Write airgap.iso to CD-ROM or SD Card
|
||||
a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
|
||||
b. `cdrecord out/airgap.iso`
|
||||
|
||||
2. Verify media still produces expected hash
|
||||
```
|
||||
sha256sum out/airgap.iso
|
||||
head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
|
||||
```
|
||||
|
||||
## Setup ##
|
||||
|
||||
|
|
|
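--- /dev/null
+++ b/config/grub.cfg
@@ -0,0 +1,5 @@
+set timeout=1
+menuentry "Linux Airgap" {
+linux /boot/vmlinuz init=/init console=ttyS0 console=tty0 ro
+initrd /boot/initramfs
+}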
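--- /dev/null
+++ b/config/grub_early.cfg
@@ -0,0 +1,2 @@
+search --no-floppy --set=root --label "airgap"
+set prefix=($root)/boot/grub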
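Review bot: `search --no-floppy --set=root --label "airgap"` resolves `$root` to the first filesystem on any attached device labelled `airgap`, so the `grub.cfg`, kernel and initramfs that `set prefix=($root)/boot/grub` then hands off to can come from a second medium carrying that label rather than from the ISO whose hash the README has the operator verify. If the threat model accepts that (single trusted medium under physical control), say so in a comment here, e.g. `# assumes the verified ISO is the only attached volume labelled "airgap"`. Otherwise derive the ISO device from where GRUB itself was loaded (`$cmdpath`/`$cmddevice`, whose exact semantics for this hybrid ISO layout I have not verified) and only fall back to the label search when that fails.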
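--- /dev/null
+++ b/config/syslinux.cfg
@@ -0,0 +1,8 @@
+TIMEOUT 2
+PROMPT -1
+DEFAULT Airgap
+LABEL Airgap
+MENU LABEL Linux Airgap
+KERNEL /boot/vmlinuz
+INITRD /boot/initramfs
+APPEND init=/init console=ttyS0 console=tty0 ro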
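Review bot: `PROMPT -1` is not one of the documented values (`0` = show the `boot:` prompt only when Shift/Alt is held, `1` = always show it); as I read syslinux, any nonzero value forces the prompt, so the effect is `PROMPT 1` with a 0.2 s `TIMEOUT 2` auto-continue. If the intent is a silent autoboot of `Airgap`, use `PROMPT 0`; if the intent is to leave a hand-editable prompt open, say so in a comment, since this BIOS path should agree with the GRUB menu on the EFI path. `MENU LABEL Linux Airgap` is also inert without `menu.c32`/`vesamenu.c32` loaded via `UI`, and neither module is among those the Containerfile copies into `iso/boot/syslinux/`.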
Binary file not shown.
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAma0fbsACgkQjkeh7DWh
|
||||
VR0lYBAAsjKcqgoSM73lck4gSga3CWtTfZ/k7azr98HnUw5InTyTwvna2sRGL3jb
|
||||
Q0pUhrPVQVmjXSyxD/hR/uLuiAfUn2Gyhp1MZS3C7jmFcRsxCJzNbByv/2bUS2+U
|
||||
5TaCoxmM8SdxTqcBIyYylKzZ4ub0t3bCWUt2uPqdSqslgEReeqbzzE3jpmiUfmHE
|
||||
daaZhZa3iPEr7vqq00jUGFuSEdxQCQkty0nZHzfGhHwbliiUGyH6/bb+u4v5eGYH
|
||||
VEyRq0CWFgw5sywpSf3UZjR0fkd0do9z6Li1ggN2GV63I4oT3L1LltcMXtgfMp+B
|
||||
SA3gz7/mJsMqM6H2ZWqUgJAZw/mZCGStftSnOTKdyEtpzagNNeePa5f4kM1ZuHF6
|
||||
ehSl1nbnCeCPfedS8+oUm3v8qWiFLXz4tmYvBnfDWaUXIYpNOrvJPtatdinTNRfl
|
||||
nglyEt6Olc+3vEqkrEl7JFu13Gl92mbuhhelKjM/VDheHBUZ6yrso1aLbyruO+wm
|
||||
RxL3pQSCNfAnIQpSdkXga5gVvbZDDISBast3qHFuZaZFbo2p24hw0HnLAfyCrxgF
|
||||
JnN3x2qqRlTzQSrVr4EEXUwUqpt5LlnQ3kDLNVYhXuqTdmyETj1YGnAXkqV/D+Z7
|
||||
B7hlDdddXI5d0yDoYPAmF9N7XJCasdfutnO/8IfZ/eE989jYybE=
|
||||
=eruT
|
||||
-----END PGP SIGNATURE-----
|
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEiII6deyqeGsP84sUjkAUeKP773IFAma0f0IACgkQjkAUeKP7
|
||||
73I33w//SaGbbM9z8SYsWhii1SBnfs6NVQSwdBoO20C4gFdmZkPVDak3QoCAioaC
|
||||
GjlEOEDb7SXfWi3n2z72P97dswN6dG1IxQKR1N913IWzUUEXGR0phaC+o0P1/f74
|
||||
MXrcUDLwwJwZsA/0zMV6gHvONEqwgmfEO4WrEB/Ty7ueoJjsmQ2oauWytlh8CVDR
|
||||
3HFwiVoAjRC2d0vKj0eL2n9pNQNEYKb+oJ/gq3sk2L8qPs1vThQguHADvqmi6V3w
|
||||
+4tZqviksPXb+sve3VTsKFDbd5AXvcRY4TbPawQ5W7Aa6iK9W/yA10+zXvcHoGrA
|
||||
6iMR94yI9eprBkqoeoxr2MHPk+8d9xXB16hY/h+OCPibkFFfPST9GDFcp0nk1JFH
|
||||
b0bbpanBsxwN3IxTAL0a7iD2nxftZHjgiZib1lhdhLg35o9iou1V0fRPwdjepS3o
|
||||
2TBvKhtNncUW/87ZhxhdkTI/iUvS0iem3KHUQXkM+ziOC5zGf+PYvMCuy2P0oSei
|
||||
731aVOgxKbpEZHY0pTkuqG7U4+RWZ+KJEnxETcZWoCeY9DW/u2Dx5hukeZJbvmUo
|
||||
111vBoziyocgKvKi5S3ctZaAwm2wNsE0TU/o5u9+Q5ST1wgsKJF+F0laCUQcDPwM
|
||||
UyM5VznH31pChrlzRiUcsm0lMvDkx+JfTSBPOgzABMAcQ3YuTSk=
|
||||
=e+q6
|
||||
-----END PGP SIGNATURE-----
|
|
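--- /dev/null
+++ b/dist/manifest.txt
@@ -0,0 +1,2 @@
+fe92783ef775ccc5e32baefb26f951b7f37ed26ecbb4601a068e20b31bebadbb airgap.iso
+b714c963bd8b1f3a38295821f0a3521bc64f97c1023c49d22a2e7433385b1a09 release.env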
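--- /dev/null
+++ b/dist/release.env
@@ -0,0 +1,5 @@
+VERSION=2024.8.1
+GIT_REF=ea623cc147741b0a753ce4ea7aabe512df9a2ef9
+GIT_AUTHOR=Lance R. Vick
+GIT_PUBKEY=6B61ECD76088748C70590D55E90A401336C8AAA9
+GIT_TIMESTAMP=2024-08-08 00:34:41 -0700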
@ -0,0 +1,55 @@
|
|||
#!/bin/sh
|
||||
|
||||
DAEMON="syslogd"
|
||||
PIDFILE="/var/run/$DAEMON.pid"
|
||||
|
||||
SYSLOGD_ARGS=""
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
|
||||
|
||||
# BusyBox' syslogd does not create a pidfile, so pass "-n" in the command line
|
||||
# and use "-m" to instruct start-stop-daemon to create one.
|
||||
start() {
|
||||
printf 'Starting %s: ' "$DAEMON"
|
||||
# shellcheck disable=SC2086 # we need the word splitting
|
||||
start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
|
||||
-- -n $SYSLOGD_ARGS
|
||||
status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "FAIL"
|
||||
fi
|
||||
return "$status"
|
||||
}
|
||||
|
||||
stop() {
|
||||
printf 'Stopping %s: ' "$DAEMON"
|
||||
start-stop-daemon -K -q -p "$PIDFILE"
|
||||
status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
rm -f "$PIDFILE"
|
||||
echo "OK"
|
||||
else
|
||||
echo "FAIL"
|
||||
fi
|
||||
return "$status"
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
sleep 1
|
||||
start
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart)
|
||||
"$1";;
|
||||
reload)
|
||||
# Restart, since there is no true "reload" feature.
|
||||
restart;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|reload}"
|
||||
exit 1
|
||||
esac
|
|
@ -0,0 +1,55 @@
|
|||
#!/bin/sh
|
||||
|
||||
DAEMON="klogd"
|
||||
PIDFILE="/var/run/$DAEMON.pid"
|
||||
|
||||
KLOGD_ARGS=""
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
|
||||
|
||||
# BusyBox' klogd does not create a pidfile, so pass "-n" in the command line
|
||||
# and use "-m" to instruct start-stop-daemon to create one.
|
||||
start() {
|
||||
printf 'Starting %s: ' "$DAEMON"
|
||||
# shellcheck disable=SC2086 # we need the word splitting
|
||||
start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
|
||||
-- -n $KLOGD_ARGS
|
||||
status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "FAIL"
|
||||
fi
|
||||
return "$status"
|
||||
}
|
||||
|
||||
stop() {
|
||||
printf 'Stopping %s: ' "$DAEMON"
|
||||
start-stop-daemon -K -q -p "$PIDFILE"
|
||||
status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
rm -f "$PIDFILE"
|
||||
echo "OK"
|
||||
else
|
||||
echo "FAIL"
|
||||
fi
|
||||
return "$status"
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
sleep 1
|
||||
start
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start|stop|restart)
|
||||
"$1";;
|
||||
reload)
|
||||
# Restart, since there is no true "reload" feature.
|
||||
restart;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|reload}"
|
||||
exit 1
|
||||
esac
|
|
@ -0,0 +1,94 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# This script is used by busybox and procps-ng.
|
||||
#
|
||||
# With procps-ng, the "--system" option of sysctl also enables "--ignore", so
|
||||
# errors are not reported via syslog. Use the run_logger function to mimic the
|
||||
# --system behavior, still reporting errors via syslog. Users not interested
|
||||
# on error reports can add "-e" to SYSCTL_ARGS.
|
||||
#
|
||||
# busybox does not have a "--system" option neither reports errors via syslog,
|
||||
# so the scripting provides a consistent behavior between the implementations.
|
||||
# Testing the busybox sysctl exit code is fruitless, as at the moment, since
|
||||
# its exit status is zero even if errors happen. Hopefully this will be fixed
|
||||
# in a future busybox version.
|
||||
|
||||
PROGRAM="sysctl"
|
||||
|
||||
SYSCTL_ARGS=""
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
[ -r "/etc/default/$PROGRAM" ] && . "/etc/default/$PROGRAM"
|
||||
|
||||
# Files are read from directories in the SYSCTL_SOURCES list, in the given
|
||||
# order. A file may be used more than once, since there can be multiple
|
||||
# symlinks to it. No attempt is made to prevent this.
|
||||
SYSCTL_SOURCES="/etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf"
|
||||
|
||||
# If the logger utility is available all messages are sent to syslog, except
|
||||
# for the final status. The file redirections do the following:
|
||||
#
|
||||
# - stdout is redirected to syslog with facility.level "kern.info"
|
||||
# - stderr is redirected to syslog with facility.level "kern.err"
|
||||
# - file dscriptor 4 is used to pass the result to the "start" function.
|
||||
#
|
||||
run_logger() {
|
||||
# shellcheck disable=SC2086 # we need the word splitting
|
||||
find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
|
||||
xargs -0 -r -n 1 readlink -f | {
|
||||
prog_status="OK"
|
||||
while :; do
|
||||
read -r file || {
|
||||
echo "$prog_status" >&4
|
||||
break
|
||||
}
|
||||
echo "* Applying $file ..."
|
||||
/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
|
||||
done 2>&1 >&3 | /usr/bin/logger -t sysctl -p kern.err
|
||||
} 3>&1 | /usr/bin/logger -t sysctl -p kern.info
|
||||
}
|
||||
|
||||
# If logger is not available all messages are sent to stdout/stderr.
|
||||
run_std() {
|
||||
# shellcheck disable=SC2086 # we need the word splitting
|
||||
find $SYSCTL_SOURCES -maxdepth 1 -name '*.conf' -print0 2> /dev/null | \
|
||||
xargs -0 -r -n 1 readlink -f | {
|
||||
prog_status="OK"
|
||||
while :; do
|
||||
read -r file || {
|
||||
echo "$prog_status" >&4
|
||||
break
|
||||
}
|
||||
echo "* Applying $file ..."
|
||||
/sbin/sysctl -p "$file" $SYSCTL_ARGS || prog_status="FAIL"
|
||||
done
|
||||
}
|
||||
}
|
||||
|
||||
if [ -x /usr/bin/logger ]; then
|
||||
run_program="run_logger"
|
||||
else
|
||||
run_program="run_std"
|
||||
fi
|
||||
|
||||
start() {
|
||||
printf '%s %s: ' "$1" "$PROGRAM"
|
||||
status=$("$run_program" 4>&1)
|
||||
echo "$status"
|
||||
if [ "$status" = "OK" ]; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
start "Running";;
|
||||
restart|reload)
|
||||
start "Rerunning";;
|
||||
stop)
|
||||
:;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|reload}"
|
||||
exit 1
|
||||
esac
|
|
@ -0,0 +1,24 @@
|
|||
#!/bin/sh
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
printf "Populating %s using udev: " "${udev_root:-/dev}"
|
||||
[ -e /proc/sys/kernel/hotplug ] && printf '\000\000\000\000' > /proc/sys/kernel/hotplug
|
||||
/sbin/udevd -d || { echo "FAIL"; exit 1; }
|
||||
udevadm trigger --type=subsystems --action=add
|
||||
udevadm trigger --type=devices --action=add
|
||||
udevadm settle --timeout=30 || echo "udevadm settle failed"
|
||||
echo "done"
|
||||
;;
|
||||
stop)
|
||||
# Stop execution of events
|
||||
udevadm control --stop-exec-queue
|
||||
killall udevd
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
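Review bot: The write of four NUL bytes to `/proc/sys/kernel/hotplug` in the `start` branch has no comment explaining it; it appears to clear the legacy kernel uevent-helper path so that udevd is the only consumer of events, and that intent should be stated, e.g. `# Clear the legacy kernel hotplug helper so udevd is the only uevent consumer`. The two `udevadm trigger` calls are unchecked, so a failure there still prints `done` and the script exits 0 while only `udevd -d` itself is fatal. If that is acceptable for this image a short comment saying so would help; otherwise `udevadm trigger --type=devices --action=add || echo "udevadm trigger failed"` mirrors the existing settle line.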
|
|
@ -0,0 +1,20 @@
|
|||
#!/bin/sh
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
/usr/sbin/pcscd -d || { echo "FAIL"; exit 1; }
|
||||
killall pcscd
|
||||
/usr/sbin/pcscd -d || { echo "FAIL"; exit 1; }
|
||||
echo "done"
|
||||
;;
|
||||
stop)
|
||||
# Stop execution of events
|
||||
killall pcscd
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
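Review bot: The `start` branch launches pcscd, immediately `killall`s it and launches it again with no comment on why; a reader cannot tell whether this is a deliberate workaround (a forced reader re-enumeration, say) or leftover debugging, and because `killall` runs right after the first launch it races with pcscd's own startup. Please add a why-comment above the first `/usr/sbin/pcscd -d` or drop the kill/restart pair. Note also that in pcsc-lite `-d` is `--debug` rather than a daemonize flag (pcscd backgrounds itself by default), so confirm that verbose logging is intended on this image. The comment `# Stop execution of events` under `stop)` is copied from the udev script and does not describe killing pcscd; `# Stop the PC/SC daemon` is accurate.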
|
|
@ -0,0 +1,70 @@
|
|||
#! /bin/sh
|
||||
#
|
||||
# Preserve the random seed between reboots. See urandom(4).
|
||||
#
|
||||
|
||||
# Quietly do nothing if /dev/urandom does not exist
|
||||
[ -c /dev/urandom ] || exit 0
|
||||
|
||||
URANDOM_SEED="/var/lib/random-seed"
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
[ -r "/etc/default/urandom" ] && . "/etc/default/urandom"
|
||||
|
||||
if pool_bits=$(cat /proc/sys/kernel/random/poolsize 2> /dev/null); then
|
||||
pool_size=$((pool_bits/8))
|
||||
else
|
||||
pool_size=512
|
||||
fi
|
||||
|
||||
init_rng() {
|
||||
[ -f "$URANDOM_SEED" ] || return 0
|
||||
printf 'Initializing random number generator: '
|
||||
dd if="$URANDOM_SEED" bs="$pool_size" of=/dev/urandom count=1 2> /dev/null
|
||||
status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "FAIL"
|
||||
fi
|
||||
return "$status"
|
||||
}
|
||||
|
||||
save_random_seed() {
|
||||
printf 'Saving random seed: '
|
||||
status=1
|
||||
if touch "$URANDOM_SEED.new" 2> /dev/null; then
|
||||
old_umask=$(umask)
|
||||
umask 077
|
||||
dd if=/dev/urandom of="$URANDOM_SEED.tmp" bs="$pool_size" count=1 2> /dev/null
|
||||
cat "$URANDOM_SEED" "$URANDOM_SEED.tmp" 2>/dev/null \
|
||||
| sha256sum \
|
||||
| cut -d ' ' -f 1 > "$URANDOM_SEED.new" && \
|
||||
mv "$URANDOM_SEED.new" "$URANDOM_SEED" && status=0
|
||||
rm -f "$URANDOM_SEED.tmp"
|
||||
umask "$old_umask"
|
||||
if [ "$status" -eq 0 ]; then
|
||||
echo "OK"
|
||||
else
|
||||
echo "FAIL"
|
||||
fi
|
||||
|
||||
else
|
||||
echo "SKIP (read-only file system detected)"
|
||||
fi
|
||||
return "$status"
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start|restart|reload)
|
||||
# Carry a random seed from start-up to start-up
|
||||
# Load and then save the whole entropy pool
|
||||
init_rng && save_random_seed;;
|
||||
stop)
|
||||
# Carry a random seed from shut-down to start-up
|
||||
# Save the whole entropy pool
|
||||
save_random_seed;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|reload}"
|
||||
exit 1
|
||||
esac
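Review bot: In `save_random_seed` the `touch "$URANDOM_SEED.new"` runs before `umask 077`, so when the file does not already exist it is created under the inherited umask (typically world-readable), and the later `> "$URANDOM_SEED.new"` redirect and `mv` keep that mode — the saved seed can end up readable by any local user. Move `old_umask=$(umask)` and `umask 077` above the `if touch …` line and restore `umask "$old_umask"` after the if/else so the SKIP path restores it too, or `chmod 600 "$URANDOM_SEED.new"` right after the touch. Separately, `dd … of=/dev/urandom` mixes the seed in but does not credit entropy, which is fine per urandom(4) but worth a one-line comment so nobody mistakes this for raising the entropy count. If `/var/lib` on this live image is not persistent across boots the carry-over is a no-op; confirm and document either way.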
|
|
@ -0,0 +1,27 @@
|
|||
#!/bin/sh
|
||||
|
||||
|
||||
# Stop all init scripts in /etc/init.d
|
||||
# executing them in reversed numerical order.
|
||||
#
|
||||
for i in $(ls -r /etc/init.d/S??*) ;do
|
||||
|
||||
# Ignore dangling symlinks (if any).
|
||||
[ ! -f "$i" ] && continue
|
||||
|
||||
case "$i" in
|
||||
*.sh)
|
||||
# Source shell script for speed.
|
||||
(
|
||||
trap - INT QUIT TSTP
|
||||
set stop
|
||||
. $i
|
||||
)
|
||||
;;
|
||||
*)
|
||||
# No sh extension, so fork subprocess.
|
||||
$i stop
|
||||
;;
|
||||
esac
|
||||
done
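Review bot: The loop parses `ls -r` output and then uses `$i` unquoted in `. $i` and `$i stop`, so a script path containing whitespace would be split into separate words; the `S??*` names are controlled by the image build, so this is a style point rather than an exploitable one, but `. "$i"` and `"$i" stop` cost nothing. The `[ ! -f "$i" ]` guard also skips any non-regular file such as a directory, not only a dangling symlink as the comment says; `# Skip anything that is not a regular file (e.g. dangling symlinks).` matches the check.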
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
#!/bin/sh
|
||||
|
||||
|
||||
# Start all init scripts in /etc/init.d
|
||||
# executing them in numerical order.
|
||||
#
|
||||
for i in /etc/init.d/S??* ;do
|
||||
|
||||
# Ignore dangling symlinks (if any).
|
||||
[ ! -f "$i" ] && continue
|
||||
|
||||
case "$i" in
|
||||
*.sh)
|
||||
# Source shell script for speed.
|
||||
(
|
||||
trap - INT QUIT TSTP
|
||||
set start
|
||||
. $i
|
||||
)
|
||||
;;
|
||||
*)
|
||||
# No sh extension, so fork subprocess.
|
||||
$i start
|
||||
;;
|
||||
esac
|
||||
done
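Review bot: `. $i` and `$i start` use `$i` unquoted while the `-f` test quotes it; for consistency and to keep the loop safe if a script name ever contains whitespace, write `. "$i"` and `"$i" start`. The exit status of each start script is also discarded, so a failing S-script is indistinguishable from a successful one at boot; if that is deliberate for this single-user image, a comment such as `# Failures are reported by the scripts themselves; boot continues regardless.` would make it explicit.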
|
||||
|
|
@ -1,11 +1,5 @@
|
|||
# /etc/inittab
|
||||
#
|
||||
# Copyright (C) 2001 Erik Andersen <andersen@codepoet.org>
|
||||
#
|
||||
# Note: BusyBox init doesn't support runlevels. The runlevels field is
|
||||
# completely ignored by BusyBox init. If you want runlevels, use
|
||||
# sysvinit.
|
||||
#
|
||||
|
||||
# Format for each entry: <id>:<runlevels>:<action>:<process>
|
||||
#
|
||||
# id == tty to run on, or empty for /dev/console
|
||||
|
@ -14,27 +8,26 @@
|
|||
# process == program to run
|
||||
|
||||
# Startup the system
|
||||
::sysinit:/bin/mount -t devtmpfs devtmpfs /dev
|
||||
::sysinit:/bin/mkdir -p /proc /run /dev/pts /dev/shm /sys
|
||||
::sysinit:/bin/mount -t sysfs sysfs /sys
|
||||
::sysinit:/bin/mount -t proc proc /proc
|
||||
::sysinit:/bin/mount -o remount,rw /
|
||||
::sysinit:/bin/mkdir -p /dev/pts /dev/shm
|
||||
::sysinit:/bin/mount -a
|
||||
::sysinit:/sbin/swapon -a
|
||||
null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
|
||||
null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
|
||||
null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
|
||||
null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
|
||||
::sysinit:/bin/hostname -F /etc/hostname
|
||||
# now run any rc scripts
|
||||
::sysinit:/etc/init.d/rcS
|
||||
|
||||
# Put a getty on the serial port
|
||||
#console::respawn:/sbin/getty -L console 0 vt100 # GENERIC_SERIAL
|
||||
# Put shells on the serial terminal and console
|
||||
console::respawn:-/bin/bash
|
||||
ttyS0::respawn:-/bin/bash
|
||||
::respawn:-/bin/bash
|
||||
|
||||
# Stuff to do for the 3-finger salute
|
||||
#::ctrlaltdel:/sbin/reboot
|
||||
::ctrlaltdel:/sbin/reboot
|
||||
|
||||
# Stuff to do before rebooting
|
||||
::shutdown:/etc/init.d/rcK
|
||||
::shutdown:/sbin/swapoff -a
|
||||
::shutdown:/bin/umount -a -r
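Review bot: The respawn entries put an unauthenticated root `bash` on `console`, on `ttyS0` and on the default console with no comment on the trust assumption; for an air-gapped signing image that may be deliberate, but the serial line in particular is reachable by anyone who can plug into the port, so the decision should be stated in the file, e.g. `# Root shells with no login: this image assumes exclusive physical control of the machine and its serial port.` above `console::respawn:-/bin/bash`. If the `ttyS0` entry is only needed for debugging under an emulator, consider gating it the way the commented-out getty line is. The devtmpfs, sysfs and proc mounts carry no `nosuid,nodev,noexec` options; whether that matters depends on what else runs here, so confirm rather than change blindly. Which of these lines are additions versus context is not fully recoverable from this rendering.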
|
||||
|
|
|
@ -3,8 +3,7 @@ export PATH="/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
|
|||
export PS1="[\h \t] \\$ "
|
||||
export GNUPGHOME=/.gnupg
|
||||
source /etc/environment
|
||||
|
||||
dmesg -n1
|
||||
cd /root
|
||||
clear
|
||||
cat << "EOF"
|
||||
_ _ ___ ____
|
||||
|
@ -19,5 +18,5 @@ echo " - Version: $VERSION"
|
|||
echo " - Date: $GIT_TIMESTAMP"
|
||||
echo " - Committer: $GIT_AUTHOR"
|
||||
echo " - Commit: $GIT_REF"
|
||||
echo " - Key: $GIT_KEY"
|
||||
echo " - Key: $GIT_PUBKEY"
|
||||
echo ""
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
KERNEL!="sd[a-z][0-9]", GOTO="sd_cards_auto_mount_end"
|
||||
|
||||
# Global mount options
|
||||
ACTION=="add", ENV{mount_options}="relatime"
|
||||
|
||||
# Filesystem specific options
|
||||
ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
|
||||
ACTION=="add", ENV{ID_FS_TYPE}=="vfat|ntfs", ENV{mount_options}="$env{mount_options},utf8,flush,user,umask=0000"
|
||||
ACTION=="add", RUN+="/bin/mkdir -p /media/sd-%k", RUN+="/bin/mount -o $env{mount_options} /dev/%k /media/sd-%k"
|
||||
ACTION=="add", RUN+="/usr/local/bin/autorun /media/sd-%k"
|
||||
ACTION=="remove", RUN+="/bin/umount -l /media/sd-%k", RUN+="/bin/rmdir /media/sd-%k"
|
||||
LABEL="sd_cards_auto_mount_end"
|
|
@ -0,0 +1,2 @@
|
|||
#!/bin/sh
|
||||
exec /bin/init
|
|
@ -0,0 +1,15 @@
|
|||
KERNEL!="mmcblk[0-9]p[0-9]|sd[a-z][0-9]", GOTO="automount_end"
|
||||
ACTION=="add", PROGRAM!="/sbin/blkid %N", GOTO="automount_end"
|
||||
IMPORT{program}="/sbin/blkid -o udev -p %N"
|
||||
|
||||
ENV{ID_FS_LABEL}!="", ENV{dir_name}="%E{ID_FS_LABEL}"
|
||||
ENV{ID_FS_LABEL}=="", ENV{dir_name}="%k"
|
||||
|
||||
ACTION=="add", IMPORT{program}="/sbin/blkid -o udev -p %N"
|
||||
ACTION=="add", ENV{ID_FS_TYPE}=="vfat", ENV{mount_options}="relatime,utf8,flush,user,umask=0000"
|
||||
ACTION=="add", RUN+="/bin/mkdir -p /media/%E{dir_name}", RUN+="/bin/mount -o $env{mount_options} /dev/%k /media/%E{dir_name}"
|
||||
ACTION=="add", RUN+="/usr/local/bin/autorun /media/%E{dir_name}"
|
||||
|
||||
ACTION=="remove", ENV{dir_name}!="", RUN+="/bin/umount -l /media/%E{dir_name}", RUN+="/bin/rmdir /media/%E{dir_name}"
|
||||
|
||||
LABEL="automount_end"
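Review bot: `ENV{dir_name}="%E{ID_FS_LABEL}"` takes the volume label straight from the inserted medium and substitutes it into `/media/%E{dir_name}` for `mkdir`, `mount`, `umount` and the `autorun` call; the label is attacker-controlled and blkid exports `ID_FS_LABEL` unescaped (the escaped form is `ID_FS_LABEL_ENC`), so a label containing `/` or `..` would be spliced into those paths as-is — use `%E{ID_FS_LABEL_ENC}` or match the label against a safe character set before building the path. `mount_options` is only set for `ID_FS_TYPE=="vfat"`, so for any other filesystem type the RUN line appears to become `mount -o /dev/%k /media/…` with the device consumed as the option string; either restrict the rule with `ENV{ID_FS_TYPE}!="vfat", GOTO="automount_end"` or give every type `nodev,nosuid,noexec` defaults, which the vfat mount should carry too since it is mounted root-owned with `umask=0000`. The second `IMPORT{program}="/sbin/blkid -o udev -p %N"` duplicates the first and can be dropped.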
|
|
@ -4,7 +4,17 @@ source /etc/profile
|
|||
|
||||
folder=${1?}
|
||||
|
||||
if [ -f "${folder}/autorun.sh.asc" ]; then
|
||||
if [ "$folder" == "/media/USER" ] && [ -f "${folder}/autorun.sh" ]; then
|
||||
if touch "${folder}/.write_test" 2>/dev/null; then
|
||||
echo "!! Autorun: Read-only verification failed for /media/USER" >/dev/console
|
||||
exit 1;
|
||||
else
|
||||
echo "" >/dev/console
|
||||
echo "++ Autorun: Found /media/USER/autorun.sh" >/dev/console;
|
||||
echo "** Autorun: Executing /media/USER/autorun.sh" >/dev/console
|
||||
/bin/bash "/media/USER/autorun.sh" >/dev/console
|
||||
fi
|
||||
elif [ -f "${folder}/autorun.sh.asc" ]; then
|
||||
echo "" >/dev/console
|
||||
echo "++ Autorun: Found ${folder}/autorun.sh" >/dev/console;
|
||||
gpg --verify "${folder}/autorun.sh.asc" >/dev/null 2>&1 || {
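Review bot: The new `/media/USER` branch executes `autorun.sh` as root with no signature check, gated only on `touch` failing inside the mount; an unwritable mount is not evidence of a hardware write-protected card — a read-only mount, a full filesystem or a permission error all look the same — and the `USER` name comes from the medium's own volume label via the udev rule, so anyone who can insert a write-locked card labelled `USER` gets unsigned root execution. If that is the intended trust model for this image, say so above the branch, e.g. `# Scripts on a physically write-protected medium labelled USER are trusted without a signature.`; otherwise fall through to the `.asc` verification for this path too. When the write test succeeds the `.write_test` file is left behind on the user's medium and the script exits 1 without saying the card must be write-locked; `rm -f "${folder}/.write_test"` before the message avoids the artifact. The `==` inside `[ ]` is a bashism, consistent with the `/bin/bash` invocation below but worth keeping in mind if this script is ever run under `/bin/sh`. The rest of the `elif` branch continues outside the hunk.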
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "Autorun.sh executed"
|