First commit

johnshearing · Aug 6, 2018 · 1b1fa86 · 1b1fa86
1 parent d941b0b
commit 1b1fa86
Show file tree

Hide file tree

Showing 7 changed files with 183 additions and 0 deletions.
diff --git a/1.update.sh b/1.update.sh
@@ -0,0 +1,17 @@
+#https://github.com/johnshearing/MyEtherWalletOffline/blob/master/Air-Gap_Setup.md#setup-luks-full-disk-encryption
+#https://robpol86.com/raspberry_pi_luks.html
+#https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
+
+#sudo cp -R ~/install/ /boot/
+
+# Make sure only root can run our script
+if [ "$(id -u)" != "0" ]; then
+   echo "This script must be run as root" 1>&2
+   exit 1
+fi
+
+apt-get update
+apt-get upgrade -y
+#sudo rpi-update
+echo "Done. Reboot with: sudo reboot"
+#reboot #needed to load new kernel
diff --git a/2.disk_encrypt.sh b/2.disk_encrypt.sh
@@ -0,0 +1,42 @@
+#https://github.com/johnshearing/MyEtherWalletOffline/blob/master/Air-Gap_Setup.md#setup-luks-full-disk-encryption
+#https://robpol86.com/raspberry_pi_luks.html
+#https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
+
+# Make sure only root can run our script
+if [ "$(id -u)" != "0" ]; then
+   echo "This script must be run as root" 1>&2
+   exit 1
+fi
+
+apt-get install busybox cryptsetup initramfs-tools -y
+apt-get install expect --no-install-recommends -y
+cp /boot/install/initramfs-rebuild /etc/kernel/postinst.d/initramfs-rebuild
+cp /boot/install/resize2fs /etc/initramfs-tools/hooks/resize2fs
+chmod +x /etc/kernel/postinst.d/initramfs-rebuild
+chmod +x /etc/initramfs-tools/hooks/resize2fs
+
+#Get UUID of /dev/mmcblk0p2
+#blkid | sed -n '/dev\/mmcblk0p2/s/.*\ UUID=\"\([^\"]*\)\".*/\1/p'
+#change fstab from PARTUUID=XXXXXXXX-XX to the result of the command
+
+#sudo -E CRYPTSETUP=y mkinitramfs -o /boot/initramfs.gz
+echo 'CRYPTSETUP=y' | tee --append /etc/cryptsetup-initramfs/conf-hook > /dev/null
+mkinitramfs -o /boot/initramfs.gz
+
+lsinitramfs /boot/initramfs.gz | grep -P "sbin/(cryptsetup|resize2fs|fdisk|dumpe2fs|expect)"
+#Make sure you see sbin/resize2fs, sbin/cryptsetup, and sbin/fdisk in the output.
+
+echo 'initramfs initramfs.gz followkernel' | tee --append /boot/config.txt > /dev/null
+
+sed -i '$s/$/ cryptdevice=\/dev\/mmcblk0p2:sdcard/' /boot/cmdline.txt
+
+ROOT_CMD="$(sed -n 's|^.*root=\(\S\+\)\s.*|\1|p' /boot/cmdline.txt)"
+sed -i -e "s|$ROOT_CMD|/dev/mapper/sdcard|g" /boot/cmdline.txt
+
+FSTAB_CMD="$(blkid | sed -n '/dev\/mmcblk0p2/s/.*\ PARTUUID=\"\([^\"]*\)\".*/\1/p')"
+sed -i -e "s|PARTUUID=$FSTAB_CMD|/dev/mapper/sdcard|g" /etc/fstab
+
+echo 'sdcard /dev/mmcblk0p2 none luks' | tee --append /etc/crypttab > /dev/null
+
+echo "Done. Reboot with: sudo reboot"
+#reboot
diff --git a/3.disk_encrypt_initramfs.sh b/3.disk_encrypt_initramfs.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+#mkdir /tmp/boot
+#mount /dev/mmcblk0p1 /tmp/boot/
+#/tmp/boot/install/3.disk_encrypt_initramfs.sh
+
+e2fsck -f /dev/mmcblk0p2
+resize2fs -fM /dev/mmcblk0p2
+
+#mkdir /tmp/sdcard
+#mount -o ro /dev/mmcblk0p2 /tmp/sdcard
+#BLOCK_COUNT="$(/tmp/sdcard/sbin/dumpe2fs /dev/mmcblk0p2 | sed "s/ //g" | sed -n "/Blockcount:/p" | cut -d ":" -f 2)"
+#umount /tmp/sdcard
+BLOCK_COUNT="$(dumpe2fs /dev/mmcblk0p2 | sed "s/ //g" | sed -n "/Blockcount:/p" | cut -d ":" -f 2)"
+echo "Block count: $BLOCK_COUNT"
+SHA1SUM_ROOT="$(dd bs=4k count=$BLOCK_COUNT if=/dev/mmcblk0p2 | sha1sum)"
+dd bs=4k count=$BLOCK_COUNT if=/dev/mmcblk0p2 of=/dev/sda
+SHA1SUM_EXT="$(dd bs=4k count=$BLOCK_COUNT if=/dev/sda | sha1sum)"
+
+if [ "$SHA1SUM_ROOT" == "$SHA1SUM_EXT" ]; then
+	echo "1.Sha1sums match."
+	cryptsetup --cipher aes-cbc-essiv:sha256 luksFormat /dev/mmcblk0p2
+	cryptsetup luksOpen /dev/mmcblk0p2 sdcard
+	dd bs=4k count=$BLOCK_COUNT if=/dev/sda of=/dev/mapper/sdcard
+	SHA1SUM_NEWROOT="$(dd bs=4k count=1516179 if=/dev/mapper/sdcard | sha1sum)"
+	if [ "$SHA1SUM_ROOT" == "$SHA1SUM_EXT" ]; then
+		echo "2.Sha1sums match."
+		e2fsck -f /dev/mapper/sdcard
+		resize2fs -f /dev/mapper/sdcard
+		echo "Done. Reboot and rebuild initramfs."
+		#poweroff -f
+		#reboot -f
+	else
+		echo "2.Sha1sums error."
+	fi
+else
+	echo "1.Sha1sums error."
+fi
diff --git a/4.luks_open.sh b/4.luks_open.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+#mkdir /tmp/boot
+#mount /dev/mmcblk0p1 /tmp/boot/
+#/tmp/boot/install/4.rebuild_initram.sh
+
+cryptsetup luksOpen /dev/mmcblk0p2 sdcard
+exit
diff --git a/5.rebuild_initram.sh b/5.rebuild_initram.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+sudo mkinitramfs -o /boot/initramfs.gz
+lsinitramfs /boot/initramfs.gz |grep -P "sbin/(cryptsetup|resize2fs|fdisk|dumpe2fs|expect)"
+#sudo reboot
diff --git a/initramfs-rebuild b/initramfs-rebuild
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Rebuild initramfs.gz after kernel upgrade to include new kernel's modules.
+# https://github.com/Robpol86/robpol86.com/blob/master/docs/_static/initramfs-rebuild.sh
+# Save as (chmod +x): /etc/kernel/postinst.d/initramfs-rebuild
+
+# Remove splash from cmdline.
+if grep -q '\bsplash\b' /boot/cmdline.txt; then
+  sed -i 's/ \?splash \?/ /' /boot/cmdline.txt
+fi
+
+# Exit if not building kernel for this Raspberry Pi's hardware version.
+version="$1"
+current_version="$(uname -r)"
+case "${current_version}" in
+  *-v7+)
+    case "${version}" in
+      *-v7+) ;;
+      *) exit 0
+    esac
+  ;;
+  *+)
+    case "${version}" in
+      *-v7+) exit 0 ;;
+    esac
+  ;;
+esac
+
+# Exit if rebuild cannot be performed or not needed.
+[ -x /usr/sbin/mkinitramfs ] || exit 0
+[ -f /boot/initramfs.gz ] || exit 0
+lsinitramfs /boot/initramfs.gz |grep -q "/$version$" && exit 0  # Already in initramfs.
+
+# Rebuild.
+mkinitramfs -o /boot/initramfs.gz "$version"
diff --git a/resize2fs b/resize2fs
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+# Copy resize2fs, fdisk, and other kernel modules into initramfs image.
+# https://github.com/Robpol86/robpol86.com/blob/master/docs/_static/resize2fs.sh
+# Save as (chmod +x): /etc/initramfs-tools/hooks/resize2fs
+
+COMPATIBILITY=false  # Set to false to skip copying other kernel's modules.
+
+PREREQ=""
+prereqs () {
+  echo "${PREREQ}"
+}
+case "${1}" in
+  prereqs)
+    prereqs
+    exit 0
+  ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+copy_exec /sbin/resize2fs /sbin
+copy_exec /sbin/fdisk /sbin
+copy_exec /sbin/dumpe2fs /sbin
+copy_exec /usr/bin/expect /sbin
+cp -R /usr/share/tcltk/* ${DESTDIR}/lib/
+
+# Raspberry Pi 1 and 2+3 use different kernels. Include the other.
+if ${COMPATIBILITY}; then
+  case "${version}" in
+    *-v7+) other_version="$(echo ${version} |sed 's/-v7+$/+/')" ;;
+    *+) other_version="$(echo ${version} |sed 's/+$/-v7+/')" ;;
+    *)
+      echo "Warning: kernel version doesn't end with +, ignoring."
+      exit 0
+  esac
+  cp -r /lib/modules/${other_version} ${DESTDIR}/lib/modules/
+fi