commit 6ab22efc9d7819465c799c14447043a23de0a66c Author: Albert S Date: Sun Jan 8 10:06:30 2017 +0100 (reset history)
diff --git a/README b/README
new file mode 100644
index 0000000..c5e69ff
--- /dev/null
+++ b/README
@@ -0,0 +1,111 @@
+The scripts to encrypt /home/ and swap with /dev/urandom as the keyfile.
+
+
+Update:
+=======
+The method as described below is not be the best for the most paranoid
+users. The N900 may not have enough entropy when generating the keys.
+The result: low-quality keys.
+Please refer to the cryptsetup manual for more details, especially
+the section. "NOTES ON RANDOM NUMBER GENERATORS".
+Thanks to "robotanarchy" for pointing this out.
+In practise, if you are not protecting yourself against
+certain 3 letter organizations you should be ok anyway...
+
+The method as described below was pretty much the only possible way back
+then when this document was written.
+These days, a much simpler approach would be to use rescueOS
+to mount the home partition, copy all the data to your HDD on your PC,
+overwriting the partition with /dev/urandom data
+and then to use cryptsetup, e. g. with --use-random to luksFormat
+the home partition. Then you simply copy all the data back.
+However, you still need to modify bootscripts, therefore
+you can still refer to the instructions below.
+Of course, you can also use rescueOS to modify the bootscripts.
+This should make things easier.
+
+
+Partially outdated:
+
+Required for installation:
+==========================
+-busybox's loadkmap and watchdog. You can get these packages by installing "busybox-power".
+-dmcrypt, cryptsetup etc. Verify these things work before putting them in init scripts.
+-Console skills.
+
+Reflashing COMBINED with an encrypted home partition is funny. Hope that
+you never have to.
+
+Read the warning in rcS.
+
+
+Getting started
+========================
+WARNING: It's easy to mess it up (in the first try).
+You are doing everything at own risk. Don't expect support if something
+goes wrong.
+
+
+As long as we are in hildon, the partition is in use, which means we can
+not just unmount and encrypt it. In R&D mode(with disabled watchdogs)
+through ssh, after killing hildon and other stuff, it might be possible, but it is
+too messy.
+
+First, we need the fbcon kernel module. power kernel >=v47 ships it,
+but you can also compile it into the kernel in case you use a different kernel.
+
+If you have the module:
+++++++++++++++++++++++++
+Open /sbin/preinit
+Go to the init_system() function.
+above of the "}" insert: modprobe fbcon.
+++++++++++++++++++++++++
+This seems to be a good place for it. /sbin/preinit is under
+some nokia licence which prohibits sharing that file.
+
+1. Backup /home/ without /home/user/MyDocs using cp -a to preserve permissions.
+
+2. Now we just need a shell. /etc/init.d/rcS asks for it. After
+"/sbin/hwclock -s || true" we can add it this code:
+
+watchdog -t 10 /dev/twl4030_wdt #To feed watchdogs
+watchdog -t 10 /dev/watchdog
+loadkmap < /nokia-n900.kmap #To get special characters working
+echo "Press any key to enable shell"
+read -n 1 -t 2 shellmode
+if [ -n "$shellmode" ] ; then
+sh
+fi
+killall watchdog #so that later dsme can continue doing this job.
+
+You need something like the busybox-power package(stock version doesn't
+have loadkmap and watchdog included).
+
+They keymap can be found in meego-ce or here:
+http://bazaar.launchpad.net/~pali/+junk/maemo_recovery-boot/view/head:/nokia-n900.map
+However, you have to convert it (not on the N900) by using "loadkeys -b nokia-n900.map > nokia-n900.kmap"
+
+
+3. Reboot.
+4. An example setup:
+ cryptsetup luksFormat /dev/mmcblk0p2
+ cryptsetup luksOpen /dev/mmcblk0p2 home_luks
+ mkfs.ext3 /dev/mapper/home_luks
+ mount -t ext3 /dev/mapper/home_luks /mnt/
+ #and now copy back with permissions and unmount /mnt/
+
+ NOTE: This does not perform a secure delete. Keep this in mind!
+
+5. If you type exit now, your device won't boot because you still have the old bootscripts.
+Study the scripts in the directory you got this README from.
+
+Start with rcS-late (it mounts the home partition).
+
+Then modify rcS (after your first successful bootup with an encrypted home partition).
+It'll ask you on every boot for the LUKS password.
+
+If everything looks fine for you, replace the scripts.
+
+osso-mmc-mount.sh is also useful.
+
+Happy hacking!
diff --git a/osso-mmc-mount.sh b/osso-mmc-mount.sh
new file mode 100644
index 0000000..a76f0b5
--- /dev/null
+++ b/osso-mmc-mount.sh
@@ -0,0 +1,126 @@
+#!/bin/sh
+# This file is part of ke-recv
+#
+# Copyright (C) 2005-2009 Nokia Corporation. All rights reserved.
+#
+# Author: Kimmo Hämäläin
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# Return codes:
+# 0 - mounted read-write
+# 1 - could not mount
+# 2 - mounted read-only
+
+#Modified by NIN101 to stop mounting attempts on encrypted
+#partitions
+
+PDEV=$1 ;# preferred device (partition)
+MP=$2 ;# mount point
+
+#Remove if your MyDocs partition is NOT encrypted.
+if [ "$PDEV" = "/dev/mmcblk0p1" ] ; then
+exit
+fi
+
+#unnecessary actually
+if [ "$PDEV" = "/dev/mmcblk0p2" ] ; then
+exit
+fi
+
+if [ "$PDEV" = "/dev/dm-0" ] ; then
+exit
+fi
+
+grep "$PDEV " /proc/mounts > /dev/null
+if [ $? = 0 ]; then
+ logger "$0: $PDEV is already mounted"
+ exit 0
+fi
+
+if [ ! -d $MP ]; then
+ mkdir -p $MP
+fi
+
+if ! [ $PDEV = /dev/mmcblk0 -o $PDEV = /dev/mmcblk1 ]; then
+ # check the FAT magic number
+ PNUM=$(echo $PDEV | sed "s#/dev/mmcblk[01]p##")
+ DEV=$(echo $PDEV | sed "s#p[1234]##")
+ PID=$(sfdisk -c $DEV $PNUM)
+ case "$PID" in
+ b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e)
+ logger "$0: $PDEV partition type is '$PID'"
+ ;;
+ *)
+ logger "$0: $PDEV type '$PID' is not FAT32 or FAT16"
+ exit 1
+ ;;
+ esac
+fi
+
+# time limited check
+#/sbin/dosfsck -I -n -T 10 $PDEV
+#if [ $? != 0 ]; then
+# logger "$0: $PDEV is corrupt, trying to mount it read-only"
+# mmc-mount $PDEV $MP ro
+# if [ $? = 0 ]; then
+# logger "$0: $PDEV mounted read-only"
+# exit 2
+# else
+# logger "$0: Couldn't mount $PDEV read-only"
+# exit 1
+# fi
+#fi
+
+mmc-mount $PDEV $MP rw
+RC=$?
+logger "$0: mounting $PDEV read-write to $MP, rc: $RC"
+
+if [ $RC = 0 ]; then
+ # create some special directories for user's partition
+ if [ "x$MP" = "x/home/user/MyDocs" -a -w $MP ]; then
+ # use global folder names
+ USERDIRS="/home/user/.config/user-dirs.dirs"
+ if [ -f "$USERDIRS" ]; then
+ HOME='/home/user'
+ source "$USERDIRS"
+ mkdir -p "$XDG_DOCUMENTS_DIR"
+ mkdir -p "$XDG_PICTURES_DIR"
+ mkdir -p "$XDG_MUSIC_DIR"
+ mkdir -p "$XDG_VIDEOS_DIR"
+ mkdir -p "$NOKIA_CAMERA_DIR"
+ else
+ # fallback
+ for d in .sounds .videos .documents .images .camera; do
+ mkdir -p $MP/$d
+ done
+ fi
+ touch $MP
+ elif [ "x$MP" = "x/home/user/MyDocs" ]; then
+ logger "$0: '$MP' is not writable"
+ elif [ "x$MP" = "x/media/mmc1" -a -w $MP ]; then
+ # use global folder names
+ USERDIRS="/home/user/.config/user-dirs.dirs"
+ if [ -f "$USERDIRS" ]; then
+ HOME='/home/user'
+ source "$USERDIRS"
+ mkdir -p "$NOKIA_MMC_CAMERA_DIR"
+ fi
+ elif [ "x$MP" = "x/media/mmc1" ]; then
+ logger "$0: '$MP' is not writable"
+ fi
+fi
+
+exit $(($RC != 0))
diff --git a/rcS b/rcS
new file mode 100644
index 0000000..5cbc24c
--- /dev/null
+++ b/rcS
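Review bot: The three skip branches added near the top (`if [ "$PDEV" = "/dev/mmcblk0p1" ] ; then exit fi` and the `/dev/mmcblk0p2` and `/dev/dm-0` ones that follow) leave with a bare `exit`, i.e. status 0, which the header comment a few lines above documents as "mounted read-write", so the caller (ke-recv, per the header) is told the partition is mounted when the script has done nothing. If the skip is meant to read as a failed mount, use `exit 1`; in either case log the decision so it is visible at boot, e.g. `logger "$0: $PDEV is dm-crypt backed, skipping"` before the exit. Separately, `$PDEV` and `$MP` are unquoted in `[ ! -d $MP ]`, `mkdir -p $MP` and `mmc-mount $PDEV $MP rw`, while the new branches do quote `"$PDEV"`; quoting the rest costs nothing and makes the file consistent. Note also that `source "$USERDIRS"` is a bash spelling under a `#!/bin/sh` shebang; `. "$USERDIRS"` is the portable form and behaves the same here.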
@@ -0,0 +1,319 @@
+#/bin/sh
+# Copyright(C) 2006 Nokia Corporation.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
+# USA
+
+#Modified by NIN101(http://nin101.uni.cx).
+#Provides: Shell if demanded by user; maps an LUKS encrypted partition
+#Requires busybox-power or at least the applets "loadkmap" & "watchdog"
+
+#WARNING: Charging WON'T work when device is turned off before the
+#user pluggs in the charger. Or: It will, but you have to enter
+#your LUKS password at a state where the screen is very very dark :-).
+#This is because home gets mounted before BME starts.
+
+
+umask 022
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+MODULES="twl4030-vibra
+dspbridge
+iommu2
+omap3-iommu
+omap34xxcam-mod
+omap_previewer_hack
+board-rx51-camera
+et8ek8
+ad5820
+adp1653
+vs6555
+uinput"
+
+if [ -L /var/run ]
+then
+ rm -f /var/run
+ mkdir /var/run
+fi
+
+mount -n -t proc proc /proc
+mount -n -t sysfs sysfs /sys
+mount -n -t tmpfs -o size=1M,noatime tmpfs /tmp
+mount -n -t tmpfs -o size=256k,mode=0755,nosuid,noatime tmpfs /var/run
+
+#MODE=`getbootstate`
+
+# This doesn't really belong here, but we have start this so early
+start_bootchart(){
+ if [ -e /bootchart -a -e /etc/init.d/bootchart ]
+ then
+ /etc/init.d/bootchart start
+ fi
+}
+
+start_softupd()
+{
+ echo "Starting software updater"
+ /etc/init.d/softupd.rcS
+}
+
+in_flash_mode()
+{
+ grep update /proc/component_version 1>/dev/null 2>/dev/null
+}
+
+mount_devpts() {
+ TTYGRP=5
+ TTYMODE=620
+
+ if [ ! -d /dev/pts ]
+ then
+ mkdir /dev/pts
+ fi
+
+ if [ ! -c /dev/ptmx ]
+ then
+ mknod /dev/ptmx c 5 2
+ chmod 666 /dev/ptmx
+ fi
+
+ mount -n -t devpts -ogid=$TTYGRP,mode=$TTYMODE devpts /dev/pts
+ rm -rf /var/tmp/*
+}
+
+# I hate this hack. -- Md
+make_extra_nodes () {
+ if [ "$(echo /lib/udev/devices/*)" != "/lib/udev/devices/*" ]; then
+ cp -a /lib/udev/devices/* /dev/
+ fi
+ grep '^[^#]' /etc/udev/links.conf | \
+ while read type name arg1; do
+ [ "$type" -a "$name" -a ! -e "/dev/$name" -a ! -L "/dev/$name" ] ||continue
+ case "$type" in
+ L)
+ ln -s $arg1 /dev/$name
+ ;;
+ D)
+ mkdir -p /dev/$name
+ ;;
+ M)
+ mknod /dev/$name $arg1 && chmod 600 /dev/$name
+ ;;
+ *)
+ echo "unparseable line ($type $name $arg1)"
+ ;;
+ esac
+ done
+}
+
+load_extra_modules () {
+ echo -n "Loading extra modules..."
+ for i in $MODULES; do
+ echo "Loading $i"
+ modprobe -q $i ||:
+ done
+ echo "done."
+}
+
+# Mount home and paging partitions if they are available
+mount_mmc(){
+ device=$1
+ swap=$device"p1"
+ home=$device"p2"
+ test=$device"p3"
+
+ if [ -e $test ]
+ then
+ echo "Mounting partition $swap for paging"
+ # swap disabled as a workaround for Xorg bug, per NB#111807.
+ swapon $swap
+ modprobe ext3
+ echo "Mounting partition $home as home directory"
+ mount -t ext3 -o noatime,commit=1,data=writeback $home /home
+ else
+ echo "No paging partition available as $swap"
+ echo "No home partition available as $home"
+ fi
+}
+
+prepare_start_udev()
+{
+ . /etc/udev/udev.conf
+
+ if [ -z "$tmpfs_size" ]; then
+ tmpfs_size="1M"
+ fi
+
+ ACTION=add
+ echo -n "Mounting a tmpfs over /dev..."
+ mount -n -o size=$tmpfs_size,mode=0755,noatime -t tmpfs none /dev
+ echo "done."
+ mkdir -p /dev/.udev/db /dev/.udev/queue
+ echo "" > /sys/kernel/uevent_helper
+ echo -n "Creating extra device nodes... "
+ make_extra_nodes
+ echo "done."
+}
+
+start_udev()
+{
+ prepare_start_udev
+ /sbin/udevd --daemon
+}
+
+make_nodes()
+{
+ echo -n "Creating device nodes... "
+
+ if [ -x /sbin/udevtrigger ]; then
+ /sbin/udevtrigger
+ else
+ /sbin/udevadm trigger
+ #wait for all events
+ /sbin/udevadm settle
+ fi
+ echo "done."
+}
+
+# When modifying this script, do not forget that between the time that
+# the new /dev has been mounted and udevtrigger has been run there will be
+# no /dev/null. This also means that you cannot use the "&" shell command.
+
+ start_bootchart
+
+if in_flash_mode; then
+ start_softupd
+ reboot
+fi
+
+# here only in non-flash mode
+
+# No need to start udev before softupd anymore
+
+ start_udev
+ make_nodes
+ load_extra_modules
+
+mount_devpts
+mount -n -o size=64M,nosuid,nodev,noatime -t tmpfs tmpfs /dev/shm
+
+# mount_mmc "/dev/mmcblk0"
+
+/sbin/hwclock -s || true
+
+watchdog -t 10 /dev/twl4030_wdt
+watchdog -t 10 /dev/watchdog
+modprobe dm_mod
+modprobe dm_loop
+
+#LED part taken from a post on talk.maemo.org by Mentalist Traceur. Thx
+modprobe leds-lp5523
+for i in 1 2 3 4 5 6; do
+ echo 25 > /sys/class/leds/lp5523\:kb$i/brightness
+done
+
+loadkmap < /nokia-n900.kmap
+
+CONT=0
+while [ "$CONT" -ne 1 ] ; do
+cryptsetup luksOpen /dev/mmcblk0p2 home_luks
+if [ "$?" -eq 0 ] || [ -b /dev/mapper/home_luks ] ; then
+CONT=1
+fi
+done
+
+echo "Press any key to enable shell"
+read -n 1 -t 2 shellmode
+if [ -n "$shellmode" ] ; then
+sh
+fi
+
+killall watchdog
+
+
+# cannot collect product data if we are under SDK
+# it should not be run there, but explicit check is better
+OPI=`which osso-product-info`
+
+if [ x$OPI != x ]; then
+
+ # Make sure /etc/hostname and /etc/hosts exist and are not empty. They do not
+ # exist if this is the very first boot, and they may be empty if power cut
+ # happended before the contents has reached the media.
+ if [ ! -f /etc/hostname -o ! -s /etc/hostname -o ! -f /etc/hosts -o ! -s /etc/hosts ]; then
+ hostname="`$OPI -qOSSO_PRODUCT_SHORT_NAME | sed 's/ /-/g'`"
+ echo $hostname > /etc/hostname
+ echo "127.0.0.1 $hostname localhost" > /etc/hosts
+ chmod 644 /etc/hosts
+ fi
+
+ # Similarly, make sure /etc/issue and /etc/issue.net are fine
+ if [ ! -f /etc/issue -o ! -s /etc/issue -o ! -f /etc/issue.net -o ! -s /etc/issue.net -o -f /home/user/first-boot-flag ]; then
+ full_name=`$OPI -qOSSO_PRODUCT_RELEASE_FULL_NAME`
+ echo "$full_name \n \l" > /etc/issue
+ echo "" >> /etc/issue
+ echo "$full_name %h" > /etc/issue.net
+ fi
+fi
+
+# Note, normally we would have to sync the FS to make sure the files have
+# reached the media. But because the files are small, they would be either
+# empty or non-existing in case of an unclean reboot, and we handle both
+# cases.
+
+hostname -F /etc/hostname
+ifup lo &
+
+#echo /sbin/udevsend > /proc/sys/kernel/hotplug
+
+#: > /var/run/utmp
+#chmod 664 /var/run/utmp
+#chgrp utmp /var/run/utmp
+
+rm -f /etc/mtab
+cat /proc/mounts > /etc/mtab
+
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
+echo 6000 > /sys/class/bluetooth/hci0/idle_timeout
+
+# adjust other kernel parameters to minimize memory consumption
+# and optimize IO pressure
+echo 16 > /proc/sys/kernel/pty/max
+echo 1024 > /proc/sys/kernel/threads-max
+echo 8192 > /proc/sys/fs/file-max
+echo 100 > /proc/sys/vm/swappiness
+echo 5 > /proc/sys/vm/page-cluster
+echo 500 > /proc/sys/vm/dirty_expire_centisecs
+echo 65536 > /proc/sys/net/core/rmem_default
+echo 16384 > /proc/sys/net/core/wmem_default
+echo 20 > /proc/sys/net/unix/max_dgram_qlen
+
+# Finalize SSU in case it has been interrupted by power failure
+if test -x /usr/libexec/ham-rescue.sh; then
+ /usr/libexec/ham-rescue.sh
+fi
+
+# Disable sysrq to avoid accidental console-carbage resets.
+echo 0 > /proc/sys/kernel/sysrq
+
+echo "/what/me/worry" > /proc/sys/kernel/core_pattern
+echo 1 > /proc/sys/kernel/panic
+echo 1 > /proc/sys/kernel/panic_on_oops
+
+exit 0
diff --git a/rcS-late b/rcS-late
new file mode 100644
index 0000000..e05b3fd
--- /dev/null
+++ b/rcS-late
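Review bot: The `while [ "$CONT" -ne 1 ]` loop around `cryptsetup luksOpen /dev/mmcblk0p2 home_luks` only ends once the mapping exists, so any failure other than a mistyped passphrase (partition node or cryptsetup binary missing, damaged LUKS header) spins forever while the two watchdogs keep being fed, and the "Press any key to enable shell" prompt directly below it, the only recovery path this script offers, is never reached. Bounding the attempts and then falling through to the shell prompt keeps the retry-on-typo behaviour while leaving a way out; rcS-late already copes with a missing /home (it reboots via `telinit 6` when the optify marker exists). Two smaller points in the same hunk: the first line reads `#/bin/sh` without the `!`, so the file only runs when invoked through `sh` explicitly, and the backtick `which osso-product-info` substitution would be `OPI=$(command -v osso-product-info)` in portable sh.
```shell
CONT=0
TRIES=0
# Retry on a mistyped passphrase, but give up after a few attempts so the
# rescue shell prompt below stays reachable when the device or cryptsetup
# itself is missing (5 is a constructed example limit).
while [ "$CONT" -ne 1 ] && [ "$TRIES" -lt 5 ] ; do
  TRIES=$((TRIES + 1))
  cryptsetup luksOpen /dev/mmcblk0p2 home_luks
  if [ "$?" -eq 0 ] || [ -b /dev/mapper/home_luks ] ; then
    CONT=1
  fi
done
# … unchanged: shell prompt, killall watchdog …
```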
@@ -0,0 +1,160 @@
+description "late rcS actions"
+
+start on started hal
+stop on stopping hal
+
+console none
+
+script
+ #Mounts an encrypted home by bypassing /etc/fstab.
+ #Encrypted swap.
+
+
+
+ #mount /home; fix ext3 and retry mounting if 1st attempt fails
+ mount_home ()
+ {
+
+ /bin/mount /dev/mapper/home_luks /home -t ext3 -o rw,noatime,errors=continue,commit=1,data=writeback && grep -q "/home ext3 rw" /proc/mounts
+ if [ $? -eq 0 ]
+ then
+ return 0
+ else
+ grep -q "/home ext3 ro" /proc/mounts
+ if [ $? -eq 0 ]
+ then
+ umount /home
+ fi
+ HOME_DEV=`grep "/home ext3" /etc/fstab | cut -d' ' -f1`
+ #fsck.ext3 -y $HOME_DEV >> /var/lib/fsck_ext3_home.log 2>&1
+ sync
+ /bin/mount /dev/mapper/home_luks /home -t ext3 -o rw,noatime,errors=continue,commit=1,data=writeback && grep -q "/home ext3 rw" /proc/mounts
+ return $?
+ fi
+ }
+
+
+
+
+ ACT_DEAD=0
+ HOME_MOUNTED=0
+
+ #check act_dead
+ if [ -e /tmp/ACT_DEAD ]; then
+ ACT_DEAD=1
+ fi
+
+ # Generate fstab and mount /home
+ . /etc/default/mount-opts
+
+
+ fstab=/etc/fstab
+ tmp_fstab=/tmp/fstab
+
+ sfdisk -l /dev/mmcblk0 | /bin/busybox awk \
+ -v home_opts="$home_opts" -v fat_opts="$fat_opts" \
+ -f /usr/lib/genfstab.awk > $tmp_fstab
+
+ cmp -s $tmp_fstab $fstab || cp $tmp_fstab $fstab
+ rm -f $tmp_fstab
+
+
+ if [ $ACT_DEAD -eq 0 ]; then
+ modprobe dm_crypt
+ modprobe dm_mod
+ /sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3
+ /sbin/mkswap /dev/mapper/swapenc
+ /sbin/swapon /dev/mapper/swapenc
+ # Setup lowmem module
+ echo 32768 > /proc/sys/vm/lowmem_deny_watermark_pages
+ echo 98304 > /proc/sys/vm/lowmem_notify_high_pages
+ echo 131072 > /proc/sys/vm/lowmem_notify_low_pages
+ echo 1024 > /proc/sys/vm/lowmem_nr_decay_pages
+ # Exclude some UIDs from memory allocation denial.
+ # 30000 is messagebus, 30001 could be used by Matchbox
+ echo "30000 30001 30002 30003" > /proc/sys/vm/lowmem_allowed_uids
+ fi
+
+ mount_home && HOME_MOUNTED=1
+
+ # If failed to mount /home and system has been already optified - reboot
+ if [ $HOME_MOUNTED -eq 0 ]
+ then
+ if [ -e /var/lib/maemo-optify-firstboot-do-not-clean-home-opt ]; then
+ telinit 6
+ fi
+ else
+ [ ! -d /home/opt ] && mkdir /home/opt
+ [ ! -d /opt ] && mkdir /opt
+ fi
+
+ if [ $ACT_DEAD -eq 0 ]
+ then
+ if [ $HOME_MOUNTED -eq 1 ]
+ then
+ if [ -x /usr/sbin/maemo-optify-firstboot.sh ]; then
+ . /usr/sbin/maemo-optify-firstboot.sh
+ fi
+ fi
+ fi
+
+ /bin/mount /opt || echo "Failed to mount(bind) /opt."
+
+ if [ $ACT_DEAD -eq 0 ]
+ then
+ if [ $HOME_MOUNTED -eq 1 ]
+ then
+ if [ -x /usr/sbin/maemo-optify-auto-opt.sh ]; then
+ . /usr/sbin/maemo-optify-auto-opt.sh
+ fi
+ fi
+
+ if [ -d /home/preinstalled -a -d /home/user ]
+ then
+ rm -rf /home/user
+ fi
+
+ if [ ! -d /home/user ]
+ then
+ if [ -d /home/preinstalled ]
+ then
+ mv /home/preinstalled /home/user
+ else
+ mkdir /home/user
+ fi
+ cd /etc/skel
+ cp -a . /home/user
+ chown -R user:users /home/user
+ sync
+ fi
+ fi
+
+ if [ ! -d /home/user ]
+ then
+ mkdir /home/user
+ chown user:users /home/user
+ sync
+ fi
+
+ # We can safely continue booting now.
+ initctl emit MOUNTS_OK
+
+ # Adjust flushing of memory card buffers
+ echo 40 > /proc/sys/vm/dirty_ratio
+ echo 10 > /proc/sys/vm/dirty_background_ratio
+
+ # Initialize PRNG pool with the HW RNG. Slow, but that's ok.
+ URANDOM_POOLSZ=512
+ if [ -e /dev/hwrng ]; then
+ echo "Seeding entropy pool"
+ dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1
+ fi
+
+ # Data for the panic info driver
+ mount -t debugfs nodev /sys/kernel/debug
+ modprobe panic_info_buff
+ sleep 1
+ osso-product-info > /sys/kernel/debug/panic_info_buff
+end script
+
+normal exit 0
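Review bot: The encrypted swap is keyed from /dev/urandom early in the `script` block (`/sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3`), but the pool is only mixed with hardware randomness at the very end (`dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1`), so this early in boot the swap key is likely drawn from a pool that has seen little input, which is the same concern the README's "Update" section raises for the LUKS keys. Moving the `if [ -e /dev/hwrng ]` seeding block above `modprobe dm_crypt` (nothing in it depends on /home) costs nothing and gives the key generation the HW RNG input first; the comment on that block could then say `# Seed the pool before the swap key is drawn from /dev/urandom below`. Also in mount_home, `HOME_DEV` is assigned from /etc/fstab but its only consumer, the `fsck.ext3` line, is commented out, so the assignment is dead and the second mount attempt is now identical to the first; either drop both or state in the `#mount /home; fix ext3 ...` comment why the retry is still wanted without the fsck.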