(reset history)
Dieser Commit ist enthalten in:
Commit
6ab22efc9d
111
README
Normale Datei
111
README
Normale Datei
@ -0,0 +1,111 @@
|
||||
The scripts to encrypt /home/ and swap with /dev/urandom as the keyfile.
|
||||
|
||||
|
||||
Update:
|
||||
=======
|
||||
The method as described below is not be the best for the most paranoid
|
||||
users. The N900 may not have enough entropy when generating the keys.
|
||||
The result: low-quality keys.
|
||||
Please refer to the cryptsetup manual for more details, especially
|
||||
the section. "NOTES ON RANDOM NUMBER GENERATORS".
|
||||
Thanks to "robotanarchy" for pointing this out.
|
||||
In practise, if you are not protecting yourself against
|
||||
certain 3 letter organizations you should be ok anyway...
|
||||
|
||||
The method as described below was pretty much the only possible way back
|
||||
then when this document was written.
|
||||
These days, a much simpler approach would be to use rescueOS
|
||||
to mount the home partition, copy all the data to your HDD on your PC,
|
||||
overwriting the partition with /dev/urandom data
|
||||
and then to use cryptsetup, e. g. with --use-random to luksFormat
|
||||
the home partition. Then you simply copy all the data back.
|
||||
However, you still need to modify bootscripts, therefore
|
||||
you can still refer to the instructions below.
|
||||
Of course, you can also use rescueOS to modify the bootscripts.
|
||||
This should make things easier.
|
||||
|
||||
|
||||
Partially outdated:
|
||||
|
||||
Required for installation:
|
||||
==========================
|
||||
-busybox's loadkmap and watchdog. You can get these packages by installing "busybox-power".
|
||||
-dmcrypt, cryptsetup etc. Verify these things work before putting them in init scripts.
|
||||
-Console skills.
|
||||
|
||||
Reflashing COMBINED with an encrypted home partition is funny. Hope that
|
||||
you never have to.
|
||||
|
||||
Read the warning in rcS.
|
||||
|
||||
|
||||
Getting started
|
||||
========================
|
||||
WARNING: It's easy to mess it up (in the first try).
|
||||
You are doing everything at own risk. Don't expect support if something
|
||||
goes wrong.
|
||||
|
||||
|
||||
As long as we are in hildon, the partition is in use, which means we can
|
||||
not just unmount and encrypt it. In R&D mode(with disabled watchdogs)
|
||||
through ssh, after killing hildon and other stuff, it might be possible, but it is
|
||||
too messy.
|
||||
|
||||
First, we need the fbcon kernel module. power kernel >=v47 ships it,
|
||||
but you can also compile it into the kernel in case you use a different kernel.
|
||||
|
||||
If you have the module:
|
||||
++++++++++++++++++++++++
|
||||
Open /sbin/preinit
|
||||
Go to the init_system() function.
|
||||
above of the "}" insert: modprobe fbcon.
|
||||
+++++++++++++++++++++++++
|
||||
This seems to be a good place for it. /sbin/preinit is under
|
||||
some nokia licence which prohibits sharing that file.
|
||||
|
||||
1. Backup /home/ without /home/user/MyDocs using cp -a to preserve permissions.
|
||||
|
||||
2. Now we just need a shell. /etc/init.d/rcS asks for it. After
|
||||
"/sbin/hwclock -s || true" we can add it this code:
|
||||
|
||||
watchdog -t 10 /dev/twl4030_wdt #To feed watchdogs
|
||||
watchdog -t 10 /dev/watchdog
|
||||
loadkmap < /nokia-n900.kmap #To get special characters working
|
||||
echo "Press any key to enable shell"
|
||||
read -n 1 -t 2 shellmode
|
||||
if [ -n "$shellmode" ] ; then
|
||||
sh
|
||||
fi
|
||||
killall watchdog #so that later dsme can continue doing this job.
|
||||
|
||||
You need something like the busybox-power package(stock version doesn't
|
||||
have loadkmap and watchdog included).
|
||||
|
||||
They keymap can be found in meego-ce or here:
|
||||
http://bazaar.launchpad.net/~pali/+junk/maemo_recovery-boot/view/head:/nokia-n900.map
|
||||
However, you have to convert it (not on the N900) by using "loadkeys -b nokia-n900.map > nokia-n900.kmap"
|
||||
|
||||
|
||||
3. Reboot.
|
||||
4. An example setup:
|
||||
cryptsetup luksFormat /dev/mmcblk0p2
|
||||
cryptsetup luksOpen /dev/mmcblk0p2 home_luks
|
||||
mkfs.ext3 /dev/mapper/home_luks
|
||||
mount -t ext3 /dev/mapper/home_luks /mnt/
|
||||
#and now copy back with permissions and unmount /mnt/
|
||||
|
||||
NOTE: This does not perform a secure delete. Keep this in mind!
|
||||
|
||||
5. If you type exit now, your device won't boot because you still have the old bootscripts.
|
||||
Study the scripts in the directory you got this README from.
|
||||
|
||||
Start with rcS-late (it mounts the home partition).
|
||||
|
||||
Then modify rcS (after your first successful bootup with an encrypted home partition).
|
||||
It'll ask you on every boot for the LUKS password.
|
||||
|
||||
If everything looks fine for you, replace the scripts.
|
||||
|
||||
osso-mmc-mount.sh is also useful.
|
||||
|
||||
Happy hacking!
|
126
osso-mmc-mount.sh
Normale Datei
126
osso-mmc-mount.sh
Normale Datei
@ -0,0 +1,126 @@
|
||||
#!/bin/sh
|
||||
# This file is part of ke-recv
|
||||
#
|
||||
# Copyright (C) 2005-2009 Nokia Corporation. All rights reserved.
|
||||
#
|
||||
# Author: Kimmo Hämäläin <kimmo.hamalainen@nokia.com>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# version 2 as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
||||
# 02110-1301 USA
|
||||
|
||||
# Return codes:
|
||||
# 0 - mounted read-write
|
||||
# 1 - could not mount
|
||||
# 2 - mounted read-only
|
||||
|
||||
#Modified by NIN101 to stop mounting attempts on encrypted
|
||||
#partitions
|
||||
|
||||
PDEV=$1 ;# preferred device (partition)
|
||||
MP=$2 ;# mount point
|
||||
|
||||
#Remove if your MyDocs partition is NOT encrypted.
|
||||
if [ "$PDEV" = "/dev/mmcblk0p1" ] ; then
|
||||
exit
|
||||
fi
|
||||
|
||||
#unnecessary actually
|
||||
if [ "$PDEV" = "/dev/mmcblk0p2" ] ; then
|
||||
exit
|
||||
fi
|
||||
|
||||
if [ "$PDEV" = "/dev/dm-0" ] ; then
|
||||
exit
|
||||
fi
|
||||
|
||||
grep "$PDEV " /proc/mounts > /dev/null
|
||||
if [ $? = 0 ]; then
|
||||
logger "$0: $PDEV is already mounted"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -d $MP ]; then
|
||||
mkdir -p $MP
|
||||
fi
|
||||
|
||||
if ! [ $PDEV = /dev/mmcblk0 -o $PDEV = /dev/mmcblk1 ]; then
|
||||
# check the FAT magic number
|
||||
PNUM=$(echo $PDEV | sed "s#/dev/mmcblk[01]p##")
|
||||
DEV=$(echo $PDEV | sed "s#p[1234]##")
|
||||
PID=$(sfdisk -c $DEV $PNUM)
|
||||
case "$PID" in
|
||||
b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e)
|
||||
logger "$0: $PDEV partition type is '$PID'"
|
||||
;;
|
||||
*)
|
||||
logger "$0: $PDEV type '$PID' is not FAT32 or FAT16"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# time limited check
|
||||
#/sbin/dosfsck -I -n -T 10 $PDEV
|
||||
#if [ $? != 0 ]; then
|
||||
# logger "$0: $PDEV is corrupt, trying to mount it read-only"
|
||||
# mmc-mount $PDEV $MP ro
|
||||
# if [ $? = 0 ]; then
|
||||
# logger "$0: $PDEV mounted read-only"
|
||||
# exit 2
|
||||
# else
|
||||
# logger "$0: Couldn't mount $PDEV read-only"
|
||||
# exit 1
|
||||
# fi
|
||||
#fi
|
||||
|
||||
mmc-mount $PDEV $MP rw
|
||||
RC=$?
|
||||
logger "$0: mounting $PDEV read-write to $MP, rc: $RC"
|
||||
|
||||
if [ $RC = 0 ]; then
|
||||
# create some special directories for user's partition
|
||||
if [ "x$MP" = "x/home/user/MyDocs" -a -w $MP ]; then
|
||||
# use global folder names
|
||||
USERDIRS="/home/user/.config/user-dirs.dirs"
|
||||
if [ -f "$USERDIRS" ]; then
|
||||
HOME='/home/user'
|
||||
source "$USERDIRS"
|
||||
mkdir -p "$XDG_DOCUMENTS_DIR"
|
||||
mkdir -p "$XDG_PICTURES_DIR"
|
||||
mkdir -p "$XDG_MUSIC_DIR"
|
||||
mkdir -p "$XDG_VIDEOS_DIR"
|
||||
mkdir -p "$NOKIA_CAMERA_DIR"
|
||||
else
|
||||
# fallback
|
||||
for d in .sounds .videos .documents .images .camera; do
|
||||
mkdir -p $MP/$d
|
||||
done
|
||||
fi
|
||||
touch $MP
|
||||
elif [ "x$MP" = "x/home/user/MyDocs" ]; then
|
||||
logger "$0: '$MP' is not writable"
|
||||
elif [ "x$MP" = "x/media/mmc1" -a -w $MP ]; then
|
||||
# use global folder names
|
||||
USERDIRS="/home/user/.config/user-dirs.dirs"
|
||||
if [ -f "$USERDIRS" ]; then
|
||||
HOME='/home/user'
|
||||
source "$USERDIRS"
|
||||
mkdir -p "$NOKIA_MMC_CAMERA_DIR"
|
||||
fi
|
||||
elif [ "x$MP" = "x/media/mmc1" ]; then
|
||||
logger "$0: '$MP' is not writable"
|
||||
fi
|
||||
fi
|
||||
|
||||
exit $(($RC != 0))
|
319
rcS
Normale Datei
319
rcS
Normale Datei
@ -0,0 +1,319 @@
|
||||
#/bin/sh
|
||||
# Copyright(C) 2006 Nokia Corporation.
|
||||
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License version 2 as
|
||||
# published by the Free Software Foundation.
|
||||
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
|
||||
# USA
|
||||
|
||||
#Modified by NIN101(http://nin101.uni.cx).
|
||||
#Provides: Shell if demanded by user; maps an LUKS encrypted partition
|
||||
#Requires busybox-power or at least the applets "loadkmap" & "watchdog"
|
||||
|
||||
#WARNING: Charging WON'T work when device is turned off before the
|
||||
#user pluggs in the charger. Or: It will, but you have to enter
|
||||
#your LUKS password at a state where the screen is very very dark :-).
|
||||
#This is because home gets mounted before BME starts.
|
||||
|
||||
|
||||
umask 022
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
MODULES="twl4030-vibra
|
||||
dspbridge
|
||||
iommu2
|
||||
omap3-iommu
|
||||
omap34xxcam-mod
|
||||
omap_previewer_hack
|
||||
board-rx51-camera
|
||||
et8ek8
|
||||
ad5820
|
||||
adp1653
|
||||
vs6555
|
||||
uinput"
|
||||
|
||||
if [ -L /var/run ]
|
||||
then
|
||||
rm -f /var/run
|
||||
mkdir /var/run
|
||||
fi
|
||||
|
||||
mount -n -t proc proc /proc
|
||||
mount -n -t sysfs sysfs /sys
|
||||
mount -n -t tmpfs -o size=1M,noatime tmpfs /tmp
|
||||
mount -n -t tmpfs -o size=256k,mode=0755,nosuid,noatime tmpfs /var/run
|
||||
|
||||
#MODE=`getbootstate`
|
||||
|
||||
# This doesn't really belong here, but we have start this so early
|
||||
start_bootchart(){
|
||||
if [ -e /bootchart -a -e /etc/init.d/bootchart ]
|
||||
then
|
||||
/etc/init.d/bootchart start
|
||||
fi
|
||||
}
|
||||
|
||||
start_softupd()
|
||||
{
|
||||
echo "Starting software updater"
|
||||
/etc/init.d/softupd.rcS
|
||||
}
|
||||
|
||||
in_flash_mode()
|
||||
{
|
||||
grep update /proc/component_version 1>/dev/null 2>/dev/null
|
||||
}
|
||||
|
||||
mount_devpts() {
|
||||
TTYGRP=5
|
||||
TTYMODE=620
|
||||
|
||||
if [ ! -d /dev/pts ]
|
||||
then
|
||||
mkdir /dev/pts
|
||||
fi
|
||||
|
||||
if [ ! -c /dev/ptmx ]
|
||||
then
|
||||
mknod /dev/ptmx c 5 2
|
||||
chmod 666 /dev/ptmx
|
||||
fi
|
||||
|
||||
mount -n -t devpts -ogid=$TTYGRP,mode=$TTYMODE devpts /dev/pts
|
||||
rm -rf /var/tmp/*
|
||||
}
|
||||
|
||||
# I hate this hack. -- Md
|
||||
make_extra_nodes () {
|
||||
if [ "$(echo /lib/udev/devices/*)" != "/lib/udev/devices/*" ]; then
|
||||
cp -a /lib/udev/devices/* /dev/
|
||||
fi
|
||||
grep '^[^#]' /etc/udev/links.conf | \
|
||||
while read type name arg1; do
|
||||
[ "$type" -a "$name" -a ! -e "/dev/$name" -a ! -L "/dev/$name" ] ||continue
|
||||
case "$type" in
|
||||
L)
|
||||
ln -s $arg1 /dev/$name
|
||||
;;
|
||||
D)
|
||||
mkdir -p /dev/$name
|
||||
;;
|
||||
M)
|
||||
mknod /dev/$name $arg1 && chmod 600 /dev/$name
|
||||
;;
|
||||
*)
|
||||
echo "unparseable line ($type $name $arg1)"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
load_extra_modules () {
|
||||
echo -n "Loading extra modules..."
|
||||
for i in $MODULES; do
|
||||
echo "Loading $i"
|
||||
modprobe -q $i ||:
|
||||
done
|
||||
echo "done."
|
||||
}
|
||||
|
||||
# Mount home and paging partitions if they are available
|
||||
mount_mmc(){
|
||||
device=$1
|
||||
swap=$device"p1"
|
||||
home=$device"p2"
|
||||
test=$device"p3"
|
||||
|
||||
if [ -e $test ]
|
||||
then
|
||||
echo "Mounting partition $swap for paging"
|
||||
# swap disabled as a workaround for Xorg bug, per NB#111807.
|
||||
swapon $swap
|
||||
modprobe ext3
|
||||
echo "Mounting partition $home as home directory"
|
||||
mount -t ext3 -o noatime,commit=1,data=writeback $home /home
|
||||
else
|
||||
echo "No paging partition available as $swap"
|
||||
echo "No home partition available as $home"
|
||||
fi
|
||||
}
|
||||
|
||||
prepare_start_udev()
|
||||
{
|
||||
. /etc/udev/udev.conf
|
||||
|
||||
if [ -z "$tmpfs_size" ]; then
|
||||
tmpfs_size="1M"
|
||||
fi
|
||||
|
||||
ACTION=add
|
||||
echo -n "Mounting a tmpfs over /dev..."
|
||||
mount -n -o size=$tmpfs_size,mode=0755,noatime -t tmpfs none /dev
|
||||
echo "done."
|
||||
mkdir -p /dev/.udev/db /dev/.udev/queue
|
||||
echo "" > /sys/kernel/uevent_helper
|
||||
echo -n "Creating extra device nodes... "
|
||||
make_extra_nodes
|
||||
echo "done."
|
||||
}
|
||||
|
||||
start_udev()
|
||||
{
|
||||
prepare_start_udev
|
||||
/sbin/udevd --daemon
|
||||
}
|
||||
|
||||
make_nodes()
|
||||
{
|
||||
echo -n "Creating device nodes... "
|
||||
|
||||
if [ -x /sbin/udevtrigger ]; then
|
||||
/sbin/udevtrigger
|
||||
else
|
||||
/sbin/udevadm trigger
|
||||
#wait for all events
|
||||
/sbin/udevadm settle
|
||||
fi
|
||||
echo "done."
|
||||
}
|
||||
|
||||
# When modifying this script, do not forget that between the time that
|
||||
# the new /dev has been mounted and udevtrigger has been run there will be
|
||||
# no /dev/null. This also means that you cannot use the "&" shell command.
|
||||
|
||||
start_bootchart
|
||||
|
||||
if in_flash_mode; then
|
||||
start_softupd
|
||||
reboot
|
||||
fi
|
||||
|
||||
# here only in non-flash mode
|
||||
|
||||
# No need to start udev before softupd anymore
|
||||
|
||||
start_udev
|
||||
make_nodes
|
||||
load_extra_modules
|
||||
|
||||
mount_devpts
|
||||
mount -n -o size=64M,nosuid,nodev,noatime -t tmpfs tmpfs /dev/shm
|
||||
|
||||
# mount_mmc "/dev/mmcblk0"
|
||||
|
||||
/sbin/hwclock -s || true
|
||||
|
||||
watchdog -t 10 /dev/twl4030_wdt
|
||||
watchdog -t 10 /dev/watchdog
|
||||
modprobe dm_mod
|
||||
modprobe dm_loop
|
||||
|
||||
#LED part taken from a post on talk.maemo.org by Mentalist Traceur. Thx
|
||||
modprobe leds-lp5523
|
||||
for i in 1 2 3 4 5 6; do
|
||||
echo 25 > /sys/class/leds/lp5523\:kb$i/brightness
|
||||
done
|
||||
|
||||
loadkmap < /nokia-n900.kmap
|
||||
|
||||
CONT=0
|
||||
while [ "$CONT" -ne 1 ] ; do
|
||||
cryptsetup luksOpen /dev/mmcblk0p2 home_luks
|
||||
if [ "$?" -eq 0 ] || [ -b /dev/mapper/home_luks ] ; then
|
||||
CONT=1
|
||||
fi
|
||||
done
|
||||
|
||||
echo "Press any key to enable shell"
|
||||
read -n 1 -t 2 shellmode
|
||||
if [ -n "$shellmode" ] ; then
|
||||
sh
|
||||
fi
|
||||
|
||||
killall watchdog
|
||||
|
||||
|
||||
# cannot collect product data if we are under SDK
|
||||
# it should not be run there, but explicit check is better
|
||||
OPI=`which osso-product-info`
|
||||
|
||||
if [ x$OPI != x ]; then
|
||||
|
||||
# Make sure /etc/hostname and /etc/hosts exist and are not empty. They do not
|
||||
# exist if this is the very first boot, and they may be empty if power cut
|
||||
# happended before the contents has reached the media.
|
||||
if [ ! -f /etc/hostname -o ! -s /etc/hostname -o ! -f /etc/hosts -o ! -s /etc/hosts ]; then
|
||||
hostname="`$OPI -qOSSO_PRODUCT_SHORT_NAME | sed 's/ /-/g'`"
|
||||
echo $hostname > /etc/hostname
|
||||
echo "127.0.0.1 $hostname localhost" > /etc/hosts
|
||||
chmod 644 /etc/hosts
|
||||
fi
|
||||
|
||||
# Similarly, make sure /etc/issue and /etc/issue.net are fine
|
||||
if [ ! -f /etc/issue -o ! -s /etc/issue -o ! -f /etc/issue.net -o ! -s /etc/issue.net -o -f /home/user/first-boot-flag ]; then
|
||||
full_name=`$OPI -qOSSO_PRODUCT_RELEASE_FULL_NAME`
|
||||
echo "$full_name \n \l" > /etc/issue
|
||||
echo "" >> /etc/issue
|
||||
echo "$full_name %h" > /etc/issue.net
|
||||
fi
|
||||
fi
|
||||
|
||||
# Note, normally we would have to sync the FS to make sure the files have
|
||||
# reached the media. But because the files are small, they would be either
|
||||
# empty or non-existing in case of an unclean reboot, and we handle both
|
||||
# cases.
|
||||
|
||||
hostname -F /etc/hostname
|
||||
ifup lo &
|
||||
|
||||
#echo /sbin/udevsend > /proc/sys/kernel/hotplug
|
||||
|
||||
#: > /var/run/utmp
|
||||
#chmod 664 /var/run/utmp
|
||||
#chgrp utmp /var/run/utmp
|
||||
|
||||
rm -f /etc/mtab
|
||||
cat /proc/mounts > /etc/mtab
|
||||
|
||||
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
|
||||
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
|
||||
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
||||
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
||||
echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
|
||||
echo 6000 > /sys/class/bluetooth/hci0/idle_timeout
|
||||
|
||||
# adjust other kernel parameters to minimize memory consumption
|
||||
# and optimize IO pressure
|
||||
echo 16 > /proc/sys/kernel/pty/max
|
||||
echo 1024 > /proc/sys/kernel/threads-max
|
||||
echo 8192 > /proc/sys/fs/file-max
|
||||
echo 100 > /proc/sys/vm/swappiness
|
||||
echo 5 > /proc/sys/vm/page-cluster
|
||||
echo 500 > /proc/sys/vm/dirty_expire_centisecs
|
||||
echo 65536 > /proc/sys/net/core/rmem_default
|
||||
echo 16384 > /proc/sys/net/core/wmem_default
|
||||
echo 20 > /proc/sys/net/unix/max_dgram_qlen
|
||||
|
||||
# Finalize SSU in case it has been interrupted by power failure
|
||||
if test -x /usr/libexec/ham-rescue.sh; then
|
||||
/usr/libexec/ham-rescue.sh
|
||||
fi
|
||||
|
||||
# Disable sysrq to avoid accidental console-carbage resets.
|
||||
echo 0 > /proc/sys/kernel/sysrq
|
||||
|
||||
echo "/what/me/worry" > /proc/sys/kernel/core_pattern
|
||||
echo 1 > /proc/sys/kernel/panic
|
||||
echo 1 > /proc/sys/kernel/panic_on_oops
|
||||
|
||||
exit 0
|
160
rcS-late
Normale Datei
160
rcS-late
Normale Datei
@ -0,0 +1,160 @@
|
||||
description "late rcS actions"
|
||||
|
||||
start on started hal
|
||||
stop on stopping hal
|
||||
|
||||
console none
|
||||
|
||||
script
|
||||
#Mounts an encrypted home by bypassing /etc/fstab.
|
||||
#Encrypted swap.
|
||||
|
||||
|
||||
|
||||
#mount /home; fix ext3 and retry mounting if 1st attempt fails
|
||||
mount_home ()
|
||||
{
|
||||
|
||||
/bin/mount /dev/mapper/home_luks /home -t ext3 -o rw,noatime,errors=continue,commit=1,data=writeback && grep -q "/home ext3 rw" /proc/mounts
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
return 0
|
||||
else
|
||||
grep -q "/home ext3 ro" /proc/mounts
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
umount /home
|
||||
fi
|
||||
HOME_DEV=`grep "/home ext3" /etc/fstab | cut -d' ' -f1`
|
||||
#fsck.ext3 -y $HOME_DEV >> /var/lib/fsck_ext3_home.log 2>&1
|
||||
sync
|
||||
/bin/mount /dev/mapper/home_luks /home -t ext3 -o rw,noatime,errors=continue,commit=1,data=writeback && grep -q "/home ext3 rw" /proc/mounts
|
||||
return $?
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
ACT_DEAD=0
|
||||
HOME_MOUNTED=0
|
||||
|
||||
#check act_dead
|
||||
if [ -e /tmp/ACT_DEAD ]; then
|
||||
ACT_DEAD=1
|
||||
fi
|
||||
|
||||
# Generate fstab and mount /home
|
||||
. /etc/default/mount-opts
|
||||
|
||||
|
||||
fstab=/etc/fstab
|
||||
tmp_fstab=/tmp/fstab
|
||||
|
||||
sfdisk -l /dev/mmcblk0 | /bin/busybox awk \
|
||||
-v home_opts="$home_opts" -v fat_opts="$fat_opts" \
|
||||
-f /usr/lib/genfstab.awk > $tmp_fstab
|
||||
|
||||
cmp -s $tmp_fstab $fstab || cp $tmp_fstab $fstab
|
||||
rm -f $tmp_fstab
|
||||
|
||||
|
||||
if [ $ACT_DEAD -eq 0 ]; then
|
||||
modprobe dm_crypt
|
||||
modprobe dm_mod
|
||||
/sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3
|
||||
/sbin/mkswap /dev/mapper/swapenc
|
||||
/sbin/swapon /dev/mapper/swapenc
|
||||
# Setup lowmem module
|
||||
echo 32768 > /proc/sys/vm/lowmem_deny_watermark_pages
|
||||
echo 98304 > /proc/sys/vm/lowmem_notify_high_pages
|
||||
echo 131072 > /proc/sys/vm/lowmem_notify_low_pages
|
||||
echo 1024 > /proc/sys/vm/lowmem_nr_decay_pages
|
||||
# Exclude some UIDs from memory allocation denial.
|
||||
# 30000 is messagebus, 30001 could be used by Matchbox
|
||||
echo "30000 30001 30002 30003" > /proc/sys/vm/lowmem_allowed_uids
|
||||
fi
|
||||
|
||||
mount_home && HOME_MOUNTED=1
|
||||
|
||||
# If failed to mount /home and system has been already optified - reboot
|
||||
if [ $HOME_MOUNTED -eq 0 ]
|
||||
then
|
||||
if [ -e /var/lib/maemo-optify-firstboot-do-not-clean-home-opt ]; then
|
||||
telinit 6
|
||||
fi
|
||||
else
|
||||
[ ! -d /home/opt ] && mkdir /home/opt
|
||||
[ ! -d /opt ] && mkdir /opt
|
||||
fi
|
||||
|
||||
if [ $ACT_DEAD -eq 0 ]
|
||||
then
|
||||
if [ $HOME_MOUNTED -eq 1 ]
|
||||
then
|
||||
if [ -x /usr/sbin/maemo-optify-firstboot.sh ]; then
|
||||
. /usr/sbin/maemo-optify-firstboot.sh
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
/bin/mount /opt || echo "Failed to mount(bind) /opt."
|
||||
|
||||
if [ $ACT_DEAD -eq 0 ]
|
||||
then
|
||||
if [ $HOME_MOUNTED -eq 1 ]
|
||||
then
|
||||
if [ -x /usr/sbin/maemo-optify-auto-opt.sh ]; then
|
||||
. /usr/sbin/maemo-optify-auto-opt.sh
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -d /home/preinstalled -a -d /home/user ]
|
||||
then
|
||||
rm -rf /home/user
|
||||
fi
|
||||
|
||||
if [ ! -d /home/user ]
|
||||
then
|
||||
if [ -d /home/preinstalled ]
|
||||
then
|
||||
mv /home/preinstalled /home/user
|
||||
else
|
||||
mkdir /home/user
|
||||
fi
|
||||
cd /etc/skel
|
||||
cp -a . /home/user
|
||||
chown -R user:users /home/user
|
||||
sync
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -d /home/user ]
|
||||
then
|
||||
mkdir /home/user
|
||||
chown user:users /home/user
|
||||
sync
|
||||
fi
|
||||
|
||||
# We can safely continue booting now.
|
||||
initctl emit MOUNTS_OK
|
||||
|
||||
# Adjust flushing of memory card buffers
|
||||
echo 40 > /proc/sys/vm/dirty_ratio
|
||||
echo 10 > /proc/sys/vm/dirty_background_ratio
|
||||
|
||||
# Initialize PRNG pool with the HW RNG. Slow, but that's ok.
|
||||
URANDOM_POOLSZ=512
|
||||
if [ -e /dev/hwrng ]; then
|
||||
echo "Seeding entropy pool"
|
||||
dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1
|
||||
fi
|
||||
|
||||
# Data for the panic info driver
|
||||
mount -t debugfs nodev /sys/kernel/debug
|
||||
modprobe panic_info_buff
|
||||
sleep 1
|
||||
osso-product-info > /sys/kernel/debug/panic_info_buff
|
||||
end script
|
||||
|
||||
normal exit 0
|
Laden…
In neuem Issue referenzieren
Einen Benutzer sperren