From 7395bc29e6d762619fb5a45f76c7cdf8d92d4689 Mon Sep 17 00:00:00 2001
From: "Alex Xu (Hello71)"
Date: Sun, 16 Feb 2020 22:21:11 -0500
Subject: update
---
Makefile | 25 ++++++++-------
cpio_list.txt | 44 +++++++++++++++++++++++++++
init | 57 ++++++++++++++--------------------
make | 98 ++++++++++++++++++++++++++---------------------------------
passwd | 2 +-
unlock | 4 ++-
6 files changed, 127 insertions(+), 103 deletions(-)
create mode 100644 cpio_list.txt
diff --git a/Makefile b/Makefile
index 22883a1..6832bbd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,21 +1,24 @@
+CC = gcc
+CFLAGS ?= -O2 -pipe
+MAKEFLAGS += -L -R -r
+
all: initramfs.img
-initramfs.img:
+initramfs.img: gen_init_cpio
./make
-include initramfs.d
-install: install-initramfs.img
+gen_init_cpio: gen_init_cpio.c
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $^ $(LDLIBS) -o $@
-install-initramfs.img: initramfs.img
- rm -f $@.old $@.new
- cp $< $@.new
- if [ -e $@ ]; then mv $@ $@.old; fi
- mv $@.new $@
+install: initramfs.img
+ rm -f /boot/$<.old /boot/$<.new
+ cp $< /boot/$<.new || rm -f /boot/$<.new
+ if [ -e /boot/$< ]; then mv /boot/$< /boot/$<.old; fi
+ mv /boot/$<.new /boot/$<
clean:
- $(RM) -r initramfs.img initramfs.d kernel
-
-.PHONY: all install install-initramfs.img clean
+ rm -f -r initramfs.img initramfs.d gen_init_cpio
-MAKEFLAGS = -L -R -r
+.PHONY: all install clean
diff --git a/cpio_list.txt b/cpio_list.txt
new file mode 100644
index 0000000..79b38f0
--- /dev/null
+++ b/cpio_list.txt
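Review bot: On the new `cp $< /boot/$<.new || rm -f /boot/$<.new` line, the `||` turns a failed copy (disk full, missing /boot) into a successful recipe line, so the recipe continues, renames the existing `/boot/initramfs.img` to `.old`, and only then fails on the last `mv` — leaving /boot without a current image. Plain `cp $< /boot/$<.new` is enough, since a failing recipe line already stops make, and `install -m 0600 $< /boot/$<.new` would in addition keep the image from inheriting whatever mode `./make`'s shell redirection gave it (typically world-readable); that matters because `cpio_list.txt` packs the dropbear private host keys into the archive, and their `0600` inside the cpio applies only after extraction, not to the image file anyone who can read /boot can copy. A `.DELETE_ON_ERROR:` line would also have make discard a partial `initramfs.img` when `./make` fails instead of treating it as up to date on the next run.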
@@ -0,0 +1,44 @@
+# basic directories. note that parent directories for files will be
+# auto-generated by make script, and everything will be sorted afterwards
+dir /dev 0755 0 0
+dir /mnt 0755 0 0
+dir /proc 0755 0 0
+dir /run 0755 0 0
+dir /run/cryptsetup 0755 0 0
+dir /sys 0755 0 0
+
+# kernel needs this to be available before /init
+nod /dev/console 0600 0 0 c 5 1
+
+# symlinks
+slink /bin/sh busybox 0755 0 0
+slink /etc/mtab /proc/self/mounts 0755 0 0
+
+# executables
+file /bin/busybox /bin/busybox 0755 0 0
+file /init ./init 0755 0 0
+
+# firmware
+file /lib/firmware/amdgpu/polaris10_ce_2.bin /lib/firmware/amdgpu/polaris10_ce_2.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_k_smc.bin /lib/firmware/amdgpu/polaris10_k_smc.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_mc.bin /lib/firmware/amdgpu/polaris10_mc.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_me_2.bin /lib/firmware/amdgpu/polaris10_me_2.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_mec2_2.bin /lib/firmware/amdgpu/polaris10_mec2_2.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_mec_2.bin /lib/firmware/amdgpu/polaris10_mec_2.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_pfp_2.bin /lib/firmware/amdgpu/polaris10_pfp_2.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_rlc.bin /lib/firmware/amdgpu/polaris10_rlc.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_sdma.bin /lib/firmware/amdgpu/polaris10_sdma.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_sdma1.bin /lib/firmware/amdgpu/polaris10_sdma1.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_smc_sk.bin /lib/firmware/amdgpu/polaris10_smc_sk.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_uvd.bin /lib/firmware/amdgpu/polaris10_uvd.bin 0644 0 0
+file /lib/firmware/amdgpu/polaris10_vce.bin /lib/firmware/amdgpu/polaris10_vce.bin 0644 0 0
+file /lib/firmware/rtl_nic/rtl8168h-2.fw /lib/firmware/rtl_nic/rtl8168h-2.fw 0644 0 0
+
+# dropbear support
+file /etc/dropbear/dropbear_ecdsa_host_key ./dropbear_ecdsa_host_key 0600 0 0
+file /etc/dropbear/dropbear_rsa_host_key ./dropbear_rsa_host_key 0600 0 0
+file /etc/passwd ./passwd 0644 0 0
+file /lib64/libnss_files.so.2 /lib64/libnss_files.so.2 0755 0 0
+file /root/.ssh/authorized_keys ./authorized_keys 0600 0 0
+file /sbin/unlock ./unlock 0755 0 0
+file /usr/share/udhcpc/default.script /usr/share/udhcpc/default.script 0755 0 0
diff --git a/init b/init
index e8041ef..8df2dda 100644
--- a/init
+++ b/init
@@ -1,46 +1,33 @@
#!/bin/sh
-trap 'kill $dropbear_pid; exec sh' EXIT
+trap 'exec sh' EXIT
-case "$PATH" in
- */*) ;;
- *) export PATH="/usr/sbin:/usr/bin:/sbin:/bin" ;;
-esac
+export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
mount -t proc proc /proc
mount -t devtmpfs devtmpfs /dev
+# use -p to avoid "directory exists" error
mkdir -p /dev/pts
+# /dev/pts for dropbear
mount -t devpts devpts /dev/pts
-mount -t sysfs sysfs /sys
(
ip link set eth0 up
-ip addr add 192.168.0.7/24 dev eth0
-exec dropbear -F -s -p 2222 -K 30
-) &
-dropbear_pid=$!
-
-enc_root=$(findfs UUID=26748575-d7a7-418b-8f68-21be7c937500) || exit
-cryptsetup open --tries 65535 --allow-discards "$enc_root" root || [ -e /dev/mapper/root ] || exit
-
-kill $dropbear_pid
-dropbear_pid=
-
-e2fsck -C 0 -E inode_count_fullmap -p /dev/mapper/root
-e2fsck_r=$?
-if [ $(( e2fsck_r & 2 )) = 2 ]; then
- reboot -f
-fi
-case "$e2fsck_r" in
- 0|1) ;;
- *) exit
-esac
-
-mount -o nodev,commit=30 /dev/mapper/root /mnt || exit
-cd /mnt
-umount /dev/pts
-mount --move /dev dev
-mount --move /proc proc
-mount --move /sys sys
-
-exec switch_root /mnt /usr/lib/systemd/systemd
+udhcpc -i eth0
+# -p 2222 to avoid host key clash
+dropbear -p 2222
+) >/dev/null 2>&1 &
+
+root=$(findfs UUID=26748575-d7a7-418b-8f68-21be7c937500) || exit
+cryptsetup open --tries 65535 --allow-discards "$root" root
+# in case of /sbin/unlock
+[ -e /dev/mapper/root ] || exit
+e2fsck -C 0 -E inode_count_fullmap -p /dev/mapper/root || exit
+mount -o nodev /dev/mapper/root /mnt || exit
+
+kill -9 -1
+ip link set eth0 down
+
+cd /mnt || exit
+umount -n /dev/pts /dev /proc
+exec switch_root . /usr/lib/systemd/systemd
diff --git a/make b/make
index 70c19f4..9f35483 100755
--- a/make
+++ b/make
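Review bot: The new `e2fsck ... || exit` treats any non-zero status as failure, but with `-p` e2fsck returns 1 when it corrected errors (a normal outcome) and sets bit 2 when a reboot is required; the removed code accepted 0 and 1 and rebooted on bit 2, so after this change a routine repair drops into the `trap 'exec sh' EXIT` shell instead of continuing to `mount`. The status handling below restores that distinction without the old `case`. Separately, `cryptsetup open` now deliberately ignores its own status and relies on the `[ -e /dev/mapper/root ] || exit` that follows; the `# in case of /sbin/unlock` comment would carry more if written as `# status ignored: /sbin/unlock may have opened the device instead; the -e test below is the real gate`.
```sh
e2fsck -C 0 -E inode_count_fullmap -p /dev/mapper/root
fsck_r=$?
# e2fsck -p: 0 = clean, 1 = errors corrected, bit 2 = reboot required
[ $(( fsck_r & 2 )) = 0 ] || reboot -f
[ "$fsck_r" -le 1 ] || exit
mount -o nodev /dev/mapper/root /mnt || exit
```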
@@ -2,65 +2,41 @@
set -e
-scriptloc=${BASH_SOURCE:-$0}
-scriptdir=${scriptloc%/*}
+compressor="lz4 --best --favor-decSpeed -l"
-gen_cpio_list() {
- cat << EOF
-dir /dev 0755 0 0
-dir /mnt 0755 0 0
-dir /proc 0755 0 0
-dir /run 0755 0 0
-dir /run/cryptsetup 0755 0 0
-dir /sys 0755 0 0
-
-nod /dev/console 0600 0 0 c 5 1
-
-slink /bin/sh busybox 0755 0 0
-slink /etc/mtab /proc/self/mounts 0755 0 0
-
-slink /usr/lib64/libgcc_s.so libgcc_s.so.1 0755 0 0
-file /usr/lib64/libgcc_s.so.1 /usr/lib/gcc/x86_64-pc-linux-gnu/9.1.0/libgcc_s.so.1 0755 0 0
-
-file /bin/busybox /bin/busybox 0755 0 0
-file /etc/passwd $scriptdir/passwd 0644 0 0
-file /etc/dropbear/dropbear_rsa_host_key $scriptdir/dropbear_rsa_host_key 0600 0 0
-file /etc/dropbear/dropbear_ecdsa_host_key $scriptdir/dropbear_ecdsa_host_key 0600 0 0
-file /init $scriptdir/init 0755 0 0
-file /lib/firmware/radeon/CAYMAN_mc.bin /lib/firmware/radeon/CAYMAN_mc.bin 0644 0 0
-file /lib/firmware/radeon/CAYMAN_me.bin /lib/firmware/radeon/CAYMAN_me.bin 0644 0 0
-file /lib/firmware/radeon/CAYMAN_pfp.bin /lib/firmware/radeon/CAYMAN_pfp.bin 0644 0 0
-file /lib/firmware/radeon/CAYMAN_rlc.bin /lib/firmware/radeon/CAYMAN_rlc.bin 0644 0 0
-file /lib/firmware/radeon/CAYMAN_smc.bin /lib/firmware/radeon/CAYMAN_smc.bin 0644 0 0
-file /lib/firmware/radeon/SUMO_uvd.bin /lib/firmware/radeon/SUMO_uvd.bin 0644 0 0
-file /lib/firmware/rtl_nic/rtl8168h-2.fw /lib/firmware/rtl_nic/rtl8168h-2.fw 0644 0 0
-file /lib64/libnss_files.so.2 /lib64/libnss_files.so.2 0755 0 0
-file /root/.ssh/authorized_keys $scriptdir/authorized_keys 0600 0 0
-file /unlock $scriptdir/unlock 0755 0 0
-EOF
- for cmd in cryptsetup e2fsck dropbear; do
- cmdp="$(command -v "$cmd")"
- # builtin
- if [ "$cmd" = "$cmdp" ]; then
- continue
- fi
- ldd "$cmdp" | while read a b c d; do
- if [ "$b" = '=>' ]; then
- printf 'file /lib64/%s %s 0755 0 0\n' "${c##*/}" "$c"
- else
- # interpreter
- case "$a" in
- /*) printf 'file %s %s 0755 0 0\n' "$a" "$a" ;;
- esac
- fi
- done
- printf 'file %s %s 0755 0 0\n' "$cmdp" "$cmdp"
+# generate a cpio entry for a command
+gen_cmd() {
+ cmd=$1
+ cmdp="$(command -v "$cmd")"
+ # builtin
+ if [ "$cmd" = "$cmdp" ]; then
+ return
+ fi
+ printf 'file %s %s 0755 0 0\n' "$cmdp" "$cmdp"
+ ldd "$cmdp" | grep / | while read line; do
+ tmp=${line% *}
+ lib=/${tmp#*/}
+ # don't bother with ld.so.conf
+ printf 'file /lib64/%s %s 0755 0 0\n' "${lib##*/}" "$lib"
done
}
+# generate the main file list
+gen_cpio_list() {
+ sed -e '/^#/d' cpio_list.txt
+ gen_cmd e2fsck
+ gen_cmd dropbear
+ export LD_PRELOAD=libgcc_s.so.1
+ gen_cmd cryptsetup
+}
+
+# filter the list and insert parent directory entries
gen_dir_ents() {
while read type target args; do
+ # re-print the original entry
printf '%s %s %s\n' "$type" "$target" "$args"
+ # print the necessary directory entries. duplicates will be
+ # filtered by sort -u later
while [ "${target%/*}" != '' ]; do
target=${target%/*}
printf 'dir %s 0755 0 0\n' "$target"
@@ -68,18 +44,30 @@ gen_dir_ents() {
done
}
+# filter the list and generate the make dependency file
gen_depfile() {
- deps='make'
+ deps='cpio_list.txt make'
while read type target source args; do
+ # re-print the original entry
printf '%s %s %s %s\n' "$type" "$target" "$source" "$args"
+ # accumulate the dependencies in a list to avoid make bugs.
+ # there will be no duplicates since the list was previously sorted
if [ "$type" = file ]; then
deps="$deps $source"
+ # avoid "No rule to make target" when deps disappear
echo "$source:" >&3
fi
done
echo "initramfs.img: $deps" >&3
}
-gen_cpio_list | gen_dir_ents | sort -u | gen_depfile 3>initramfs.d | "${scriptdir}"/gen_init_cpio -t 0 - | xz --x86 --lzma2=preset=9e --check=crc32 -c > initramfs.img
+if ! [ -e cpio_list.txt ] || ! [ -e gen_init_cpio ]; then
+ cd "${0%/*}"
+fi
-# vim:ft=sh:
+gen_cpio_list | \
+gen_dir_ents | \
+sort -u | \
+gen_depfile 3>initramfs.d | \
+./gen_init_cpio -t 0 - | \
+$compressor > initramfs.img
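Review bot: In the new `gen_cmd`, `ldd "$cmdp" | grep /` discards every `=> not found` line, so a library the host cannot resolve is silently left out of the list and the problem only surfaces as a failed boot; the `while` loop should recognise that line and report it, as sketched below (its exit status is still swallowed because the outer pipeline's status is `$compressor`'s alone, so the stderr message is the part that will actually be seen). `export LD_PRELOAD=libgcc_s.so.1` in `gen_cpio_list` also stays in effect for everything that runs after it — `sort`, `gen_init_cpio`, the compressor — not only the `ldd` of cryptsetup; `( export LD_PRELOAD=libgcc_s.so.1; gen_cmd cryptsetup )` confines it, and the reason cryptsetup alone needs it deserves a comment such as `# presumably so ldd lists libgcc_s.so.1, which cryptsetup loads only at run time — confirm`.
```sh
	ldd "$cmdp" | while read line; do
		case "$line" in
		*'not found'*)
			# a dependency unresolved on the host would otherwise be
			# silently dropped from the image; report it instead
			echo "gen_cmd: $cmd: $line" >&2
			exit 1 ;;
		*/*) ;;
		*) continue ;;
		esac
		tmp=${line% *}
		lib=/${tmp#*/}
		# … unchanged: ld.so.conf comment and printf of the /lib64 entry …
	done
```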
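Review bot: The final pipeline's status is that of `$compressor` alone (POSIX sh has no `pipefail`), so when `./gen_init_cpio` fails on a missing source file `set -e` does not fire, lz4 still writes a truncated `initramfs.img` with status 0, and the Makefile then considers the target built. Staging the uncompressed archive in a file makes `gen_init_cpio` the last command of its pipeline so `set -e` catches it, and writing the image through a `.tmp` plus `mv -f` means an interrupted run never leaves a newer-but-broken `initramfs.img` behind. The `cd "${0%/*}"` fallback also fails when the script is invoked by bare name, since `${0%/*}` then leaves `$0` unchanged and the `cd` aborts the script under `set -e`; `cd "$(dirname "$0")"` handles both forms. The hunk opens with the closing `done`/`}` of `gen_dir_ents`, whose body is above it.
```sh
gen_cpio_list | \
gen_dir_ents | \
sort -u | \
gen_depfile 3>initramfs.d | \
./gen_init_cpio -t 0 - > initramfs.cpio.tmp
# compress in a second step: gen_init_cpio is now the last command of its
# pipeline, so a failure there stops the script instead of being masked
$compressor < initramfs.cpio.tmp > initramfs.img.tmp
rm -f initramfs.cpio.tmp
mv -f initramfs.img.tmp initramfs.img
```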
diff --git a/passwd b/passwd
index eb85a55..fd6236d 100644
--- a/passwd
+++ b/passwd
@@ -1 +1 @@
-root:x:0:0:root:/root:/bin/sh
+root:x:0:0::/root:/bin/sh
diff --git a/unlock b/unlock
index d034674..50d282b 100644
--- a/unlock
+++ b/unlock
@@ -1,3 +1,5 @@
#!/bin/sh
-cryptsetup open /dev/nvme0n1p2 root && pkill cryptsetup
+root=$(findfs UUID=26748575-d7a7-418b-8f68-21be7c937500) || exit
+cryptsetup open --allow-discards "$root" root || exit
+pkill cryptsetup
--
cgit v1.2.3-54-g00ecf
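Review bot: The `pkill cryptsetup` on the last line of `unlock` is the hand-off to the `cryptsetup open --tries 65535` that `init` is blocked in, which then finds `/dev/mapper/root` already present via its `[ -e /dev/mapper/root ] || exit` test; none of that is visible from this file, so a comment such as `# stop init's console prompt; it then sees /dev/mapper/root already open and continues` would spare the next reader a trip to `init`. The filesystem UUID literal is now repeated in `init` and `unlock`, so a disk change needs both edited; a one-line comment in each pointing at the other would at least make that dependency explicit.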