(reset history)

Albert S. 2017-01-08 10:06:30 +01:00
commit 6ab22efc9d
4 changed files with 716 additions and 0 deletions

README Normal file

@ -0,0 +1,111 @@
The scripts to encrypt /home/ and swap with /dev/urandom as the keyfile.
Update:
=======
The method as described below is not be the best for the most paranoid
users. The N900 may not have enough entropy when generating the keys.
The result: low-quality keys.
Please refer to the cryptsetup manual for more details, especially
the section. "NOTES ON RANDOM NUMBER GENERATORS".
Thanks to "robotanarchy" for pointing this out.
In practise, if you are not protecting yourself against
certain 3 letter organizations you should be ok anyway...
The method as described below was pretty much the only possible way back
then when this document was written.
These days, a much simpler approach would be to use rescueOS
to mount the home partition, copy all the data to your HDD on your PC,
overwriting the partition with /dev/urandom data
and then to use cryptsetup, e. g. with --use-random to luksFormat
the home partition. Then you simply copy all the data back.
However, you still need to modify bootscripts, therefore
you can still refer to the instructions below.
Of course, you can also use rescueOS to modify the bootscripts.
This should make things easier.
Partially outdated:
Required for installation:
==========================
-busybox's loadkmap and watchdog. You can get these packages by installing "busybox-power".
-dmcrypt, cryptsetup etc. Verify these things work before putting them in init scripts.
-Console skills.
Reflashing COMBINED with an encrypted home partition is funny. Hope that
you never have to.
Read the warning in rcS.
Getting started
========================
WARNING: It's easy to mess it up (in the first try).
You are doing everything at own risk. Don't expect support if something
goes wrong.
As long as we are in hildon, the partition is in use, which means we can
not just unmount and encrypt it. In R&D mode(with disabled watchdogs)
through ssh, after killing hildon and other stuff, it might be possible, but it is
too messy.
First, we need the fbcon kernel module. power kernel >=v47 ships it,
but you can also compile it into the kernel in case you use a different kernel.
If you have the module:
++++++++++++++++++++++++
Open /sbin/preinit
Go to the init_system() function.
above of the "}" insert: modprobe fbcon.
+++++++++++++++++++++++++
This seems to be a good place for it. /sbin/preinit is under
some nokia licence which prohibits sharing that file.
1. Backup /home/ without /home/user/MyDocs using cp -a to preserve permissions.
2. Now we just need a shell. /etc/init.d/rcS asks for it. After
"/sbin/hwclock -s || true" we can add it this code:
watchdog -t 10 /dev/twl4030_wdt #To feed watchdogs
watchdog -t 10 /dev/watchdog
loadkmap < /nokia-n900.kmap #To get special characters working
echo "Press any key to enable shell"
read -n 1 -t 2 shellmode
if [ -n "$shellmode" ] ; then
sh
fi
killall watchdog #so that later dsme can continue doing this job.
You need something like the busybox-power package(stock version doesn't
have loadkmap and watchdog included).
They keymap can be found in meego-ce or here:
http://bazaar.launchpad.net/~pali/+junk/maemo_recovery-boot/view/head:/nokia-n900.map
However, you have to convert it (not on the N900) by using "loadkeys -b nokia-n900.map > nokia-n900.kmap"
3. Reboot.
4. An example setup:
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup luksOpen /dev/mmcblk0p2 home_luks
mkfs.ext3 /dev/mapper/home_luks
mount -t ext3 /dev/mapper/home_luks /mnt/
#and now copy back with permissions and unmount /mnt/
NOTE: This does not perform a secure delete. Keep this in mind!
5. If you type exit now, your device won't boot because you still have the old bootscripts.
Study the scripts in the directory you got this README from.
Start with rcS-late (it mounts the home partition).
Then modify rcS (after your first successful bootup with an encrypted home partition).
It'll ask you on every boot for the LUKS password.
If everything looks fine for you, replace the scripts.
osso-mmc-mount.sh is also useful.
Happy hacking!
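Review bot: the opening line says /home and swap are both encrypted "with /dev/urandom as the keyfile", but the scripts do that only for swap (rcS-late runs `/sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3`), while /home is a LUKS volume opened with a passphrase in rcS; reword the first line so the two schemes are not conflated. The step 4 example `cryptsetup luksFormat /dev/mmcblk0p2` also omits the `--use-random` option that the Update section above recommends, so the worked example contradicts the advice; add the flag there or state that it is deliberately left out. Finally, "Read the warning in rcS" points at a warning that is only about charging, while the security-relevant behaviour in rcS (an interactive root `sh` offered at every boot) is not called out here; tell readers to remove that prompt once the setup is finished.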

osso-mmc-mount.sh Normal file

@ -0,0 +1,126 @@
#!/bin/sh
# This file is part of ke-recv
#
# Copyright (C) 2005-2009 Nokia Corporation. All rights reserved.
#
# Author: Kimmo Hämäläin <kimmo.hamalainen@nokia.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
# 02110-1301 USA
# Return codes:
# 0 - mounted read-write
# 1 - could not mount
# 2 - mounted read-only
#Modified by NIN101 to stop mounting attempts on encrypted
#partitions
PDEV=$1 ;# preferred device (partition)
MP=$2 ;# mount point
#Remove if your MyDocs partition is NOT encrypted.
if [ "$PDEV" = "/dev/mmcblk0p1" ] ; then
exit
fi
#unnecessary actually
if [ "$PDEV" = "/dev/mmcblk0p2" ] ; then
exit
fi
if [ "$PDEV" = "/dev/dm-0" ] ; then
exit
fi
grep "$PDEV " /proc/mounts > /dev/null
if [ $? = 0 ]; then
logger "$0: $PDEV is already mounted"
exit 0
fi
if [ ! -d $MP ]; then
mkdir -p $MP
fi
if ! [ $PDEV = /dev/mmcblk0 -o $PDEV = /dev/mmcblk1 ]; then
# check the FAT magic number
PNUM=$(echo $PDEV | sed "s#/dev/mmcblk[01]p##")
DEV=$(echo $PDEV | sed "s#p[1234]##")
PID=$(sfdisk -c $DEV $PNUM)
case "$PID" in
b | c | e | 4 | 6 | 14 | 16 | 1b | 1c | 1e)
logger "$0: $PDEV partition type is '$PID'"
;;
*)
logger "$0: $PDEV type '$PID' is not FAT32 or FAT16"
exit 1
;;
esac
fi
# time limited check
#/sbin/dosfsck -I -n -T 10 $PDEV
#if [ $? != 0 ]; then
# logger "$0: $PDEV is corrupt, trying to mount it read-only"
# mmc-mount $PDEV $MP ro
# if [ $? = 0 ]; then
# logger "$0: $PDEV mounted read-only"
# exit 2
# else
# logger "$0: Couldn't mount $PDEV read-only"
# exit 1
# fi
#fi
mmc-mount $PDEV $MP rw
RC=$?
logger "$0: mounting $PDEV read-write to $MP, rc: $RC"
if [ $RC = 0 ]; then
# create some special directories for user's partition
if [ "x$MP" = "x/home/user/MyDocs" -a -w $MP ]; then
# use global folder names
USERDIRS="/home/user/.config/user-dirs.dirs"
if [ -f "$USERDIRS" ]; then
HOME='/home/user'
source "$USERDIRS"
mkdir -p "$XDG_DOCUMENTS_DIR"
mkdir -p "$XDG_PICTURES_DIR"
mkdir -p "$XDG_MUSIC_DIR"
mkdir -p "$XDG_VIDEOS_DIR"
mkdir -p "$NOKIA_CAMERA_DIR"
else
# fallback
for d in .sounds .videos .documents .images .camera; do
mkdir -p $MP/$d
done
fi
touch $MP
elif [ "x$MP" = "x/home/user/MyDocs" ]; then
logger "$0: '$MP' is not writable"
elif [ "x$MP" = "x/media/mmc1" -a -w $MP ]; then
# use global folder names
USERDIRS="/home/user/.config/user-dirs.dirs"
if [ -f "$USERDIRS" ]; then
HOME='/home/user'
source "$USERDIRS"
mkdir -p "$NOKIA_MMC_CAMERA_DIR"
fi
elif [ "x$MP" = "x/media/mmc1" ]; then
logger "$0: '$MP' is not writable"
fi
fi
exit $(($RC != 0))
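Review bot: the three guards added at the top (`if [ "$PDEV" = "/dev/mmcblk0p1" ] ; then exit`, and the same for `mmcblk0p2` and `dm-0`) use a bare `exit`, which returns the status of the preceding `[` test, i.e. 0, and the header defines 0 as "mounted read-write" even though nothing was mounted; return an explicit code (`exit 1`, or a newly documented value) and add a `logger` line like the other branches so the skipped mount is visible in the log. Separately, the script runs as root and does `source "$USERDIRS"` on `/home/user/.config/user-dirs.dirs`, a file the unprivileged user can write, so any shell command placed in that file runs as root at mount time; reading only the `XDG_*` and `NOKIA_*` assignments (for example with `grep`/`sed`) instead of sourcing the file would close that path. `source` is also a bashism; under `#!/bin/sh` the portable form is `.`.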

rcS Normal file

@ -0,0 +1,319 @@
#/bin/sh
# Copyright(C) 2006 Nokia Corporation.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
# USA
#Modified by NIN101(http://nin101.uni.cx).
#Provides: Shell if demanded by user; maps an LUKS encrypted partition
#Requires busybox-power or at least the applets "loadkmap" & "watchdog"
#WARNING: Charging WON'T work when device is turned off before the
#user pluggs in the charger. Or: It will, but you have to enter
#your LUKS password at a state where the screen is very very dark :-).
#This is because home gets mounted before BME starts.
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MODULES="twl4030-vibra
dspbridge
iommu2
omap3-iommu
omap34xxcam-mod
omap_previewer_hack
board-rx51-camera
et8ek8
ad5820
adp1653
vs6555
uinput"
if [ -L /var/run ]
then
rm -f /var/run
mkdir /var/run
fi
mount -n -t proc proc /proc
mount -n -t sysfs sysfs /sys
mount -n -t tmpfs -o size=1M,noatime tmpfs /tmp
mount -n -t tmpfs -o size=256k,mode=0755,nosuid,noatime tmpfs /var/run
#MODE=`getbootstate`
# This doesn't really belong here, but we have start this so early
start_bootchart(){
if [ -e /bootchart -a -e /etc/init.d/bootchart ]
then
/etc/init.d/bootchart start
fi
}
start_softupd()
{
echo "Starting software updater"
/etc/init.d/softupd.rcS
}
in_flash_mode()
{
grep update /proc/component_version 1>/dev/null 2>/dev/null
}
mount_devpts() {
TTYGRP=5
TTYMODE=620
if [ ! -d /dev/pts ]
then
mkdir /dev/pts
fi
if [ ! -c /dev/ptmx ]
then
mknod /dev/ptmx c 5 2
chmod 666 /dev/ptmx
fi
mount -n -t devpts -ogid=$TTYGRP,mode=$TTYMODE devpts /dev/pts
rm -rf /var/tmp/*
}
# I hate this hack. -- Md
make_extra_nodes () {
if [ "$(echo /lib/udev/devices/*)" != "/lib/udev/devices/*" ]; then
cp -a /lib/udev/devices/* /dev/
fi
grep '^[^#]' /etc/udev/links.conf | \
while read type name arg1; do
[ "$type" -a "$name" -a ! -e "/dev/$name" -a ! -L "/dev/$name" ] ||continue
case "$type" in
L)
ln -s $arg1 /dev/$name
;;
D)
mkdir -p /dev/$name
;;
M)
mknod /dev/$name $arg1 && chmod 600 /dev/$name
;;
*)
echo "unparseable line ($type $name $arg1)"
;;
esac
done
}
load_extra_modules () {
echo -n "Loading extra modules..."
for i in $MODULES; do
echo "Loading $i"
modprobe -q $i ||:
done
echo "done."
}
# Mount home and paging partitions if they are available
mount_mmc(){
device=$1
swap=$device"p1"
home=$device"p2"
test=$device"p3"
if [ -e $test ]
then
echo "Mounting partition $swap for paging"
# swap disabled as a workaround for Xorg bug, per NB#111807.
swapon $swap
modprobe ext3
echo "Mounting partition $home as home directory"
mount -t ext3 -o noatime,commit=1,data=writeback $home /home
else
echo "No paging partition available as $swap"
echo "No home partition available as $home"
fi
}
prepare_start_udev()
{
. /etc/udev/udev.conf
if [ -z "$tmpfs_size" ]; then
tmpfs_size="1M"
fi
ACTION=add
echo -n "Mounting a tmpfs over /dev..."
mount -n -o size=$tmpfs_size,mode=0755,noatime -t tmpfs none /dev
echo "done."
mkdir -p /dev/.udev/db /dev/.udev/queue
echo "" > /sys/kernel/uevent_helper
echo -n "Creating extra device nodes... "
make_extra_nodes
echo "done."
}
start_udev()
{
prepare_start_udev
/sbin/udevd --daemon
}
make_nodes()
{
echo -n "Creating device nodes... "
if [ -x /sbin/udevtrigger ]; then
/sbin/udevtrigger
else
/sbin/udevadm trigger
#wait for all events
/sbin/udevadm settle
fi
echo "done."
}
# When modifying this script, do not forget that between the time that
# the new /dev has been mounted and udevtrigger has been run there will be
# no /dev/null. This also means that you cannot use the "&" shell command.
start_bootchart
if in_flash_mode; then
start_softupd
reboot
fi
# here only in non-flash mode
# No need to start udev before softupd anymore
start_udev
make_nodes
load_extra_modules
mount_devpts
mount -n -o size=64M,nosuid,nodev,noatime -t tmpfs tmpfs /dev/shm
# mount_mmc "/dev/mmcblk0"
/sbin/hwclock -s || true
watchdog -t 10 /dev/twl4030_wdt
watchdog -t 10 /dev/watchdog
modprobe dm_mod
modprobe dm_loop
#LED part taken from a post on talk.maemo.org by Mentalist Traceur. Thx
modprobe leds-lp5523
for i in 1 2 3 4 5 6; do
echo 25 > /sys/class/leds/lp5523\:kb$i/brightness
done
loadkmap < /nokia-n900.kmap
CONT=0
while [ "$CONT" -ne 1 ] ; do
cryptsetup luksOpen /dev/mmcblk0p2 home_luks
if [ "$?" -eq 0 ] || [ -b /dev/mapper/home_luks ] ; then
CONT=1
fi
done
echo "Press any key to enable shell"
read -n 1 -t 2 shellmode
if [ -n "$shellmode" ] ; then
sh
fi
killall watchdog
# cannot collect product data if we are under SDK
# it should not be run there, but explicit check is better
OPI=`which osso-product-info`
if [ x$OPI != x ]; then
# Make sure /etc/hostname and /etc/hosts exist and are not empty. They do not
# exist if this is the very first boot, and they may be empty if power cut
# happended before the contents has reached the media.
if [ ! -f /etc/hostname -o ! -s /etc/hostname -o ! -f /etc/hosts -o ! -s /etc/hosts ]; then
hostname="`$OPI -qOSSO_PRODUCT_SHORT_NAME | sed 's/ /-/g'`"
echo $hostname > /etc/hostname
echo "127.0.0.1 $hostname localhost" > /etc/hosts
chmod 644 /etc/hosts
fi
# Similarly, make sure /etc/issue and /etc/issue.net are fine
if [ ! -f /etc/issue -o ! -s /etc/issue -o ! -f /etc/issue.net -o ! -s /etc/issue.net -o -f /home/user/first-boot-flag ]; then
full_name=`$OPI -qOSSO_PRODUCT_RELEASE_FULL_NAME`
echo "$full_name \n \l" > /etc/issue
echo "" >> /etc/issue
echo "$full_name %h" > /etc/issue.net
fi
fi
# Note, normally we would have to sync the FS to make sure the files have
# reached the media. But because the files are small, they would be either
# empty or non-existing in case of an unclean reboot, and we handle both
# cases.
hostname -F /etc/hostname
ifup lo &
#echo /sbin/udevsend > /proc/sys/kernel/hotplug
#: > /var/run/utmp
#chmod 664 /var/run/utmp
#chgrp utmp /var/run/utmp
rm -f /etc/mtab
cat /proc/mounts > /etc/mtab
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
echo 6000 > /sys/class/bluetooth/hci0/idle_timeout
# adjust other kernel parameters to minimize memory consumption
# and optimize IO pressure
echo 16 > /proc/sys/kernel/pty/max
echo 1024 > /proc/sys/kernel/threads-max
echo 8192 > /proc/sys/fs/file-max
echo 100 > /proc/sys/vm/swappiness
echo 5 > /proc/sys/vm/page-cluster
echo 500 > /proc/sys/vm/dirty_expire_centisecs
echo 65536 > /proc/sys/net/core/rmem_default
echo 16384 > /proc/sys/net/core/wmem_default
echo 20 > /proc/sys/net/unix/max_dgram_qlen
# Finalize SSU in case it has been interrupted by power failure
if test -x /usr/libexec/ham-rescue.sh; then
/usr/libexec/ham-rescue.sh
fi
# Disable sysrq to avoid accidental console-carbage resets.
echo 0 > /proc/sys/kernel/sysrq
echo "/what/me/worry" > /proc/sys/kernel/core_pattern
echo 1 > /proc/sys/kernel/panic
echo 1 > /proc/sys/kernel/panic_on_oops
exit 0
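Review bot: the first line is `#/bin/sh`, missing the `!`, so the file has no valid shebang and only runs correctly when invoked as `sh /etc/init.d/rcS`; fix to `#!/bin/sh`. The "Press any key to enable shell" prompt drops into an interactive root `sh` with no further authentication on every boot; it sits after the `luksOpen` loop, so the LUKS passphrase still gates it, but it is debugging convenience left in a production boot path and should be removed or made opt-in once the encrypted /home works. Two smaller points: the hard-coded `/dev/mmcblk0p2` duplicates the `home=$device"p2"` logic of the now-commented `mount_mmc` function, which can be deleted, and `read -n 1 -t 2` is a busybox/bash extension rather than POSIX `sh`, which is fine on this device but worth a comment since the README already requires busybox-power.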

rcS-late Normal file

@ -0,0 +1,160 @@
description "late rcS actions"
start on started hal
stop on stopping hal
console none
script
#Mounts an encrypted home by bypassing /etc/fstab.
#Encrypted swap.
#mount /home; fix ext3 and retry mounting if 1st attempt fails
mount_home ()
{
/bin/mount /dev/mapper/home_luks /home -t ext3 -o rw,noatime,errors=continue,commit=1,data=writeback && grep -q "/home ext3 rw" /proc/mounts
if [ $? -eq 0 ]
then
return 0
else
grep -q "/home ext3 ro" /proc/mounts
if [ $? -eq 0 ]
then
umount /home
fi
HOME_DEV=`grep "/home ext3" /etc/fstab | cut -d' ' -f1`
#fsck.ext3 -y $HOME_DEV >> /var/lib/fsck_ext3_home.log 2>&1
sync
/bin/mount /dev/mapper/home_luks /home -t ext3 -o rw,noatime,errors=continue,commit=1,data=writeback && grep -q "/home ext3 rw" /proc/mounts
return $?
fi
}
ACT_DEAD=0
HOME_MOUNTED=0
#check act_dead
if [ -e /tmp/ACT_DEAD ]; then
ACT_DEAD=1
fi
# Generate fstab and mount /home
. /etc/default/mount-opts
fstab=/etc/fstab
tmp_fstab=/tmp/fstab
sfdisk -l /dev/mmcblk0 | /bin/busybox awk \
-v home_opts="$home_opts" -v fat_opts="$fat_opts" \
-f /usr/lib/genfstab.awk > $tmp_fstab
cmp -s $tmp_fstab $fstab || cp $tmp_fstab $fstab
rm -f $tmp_fstab
if [ $ACT_DEAD -eq 0 ]; then
modprobe dm_crypt
modprobe dm_mod
/sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3
/sbin/mkswap /dev/mapper/swapenc
/sbin/swapon /dev/mapper/swapenc
# Setup lowmem module
echo 32768 > /proc/sys/vm/lowmem_deny_watermark_pages
echo 98304 > /proc/sys/vm/lowmem_notify_high_pages
echo 131072 > /proc/sys/vm/lowmem_notify_low_pages
echo 1024 > /proc/sys/vm/lowmem_nr_decay_pages
# Exclude some UIDs from memory allocation denial.
# 30000 is messagebus, 30001 could be used by Matchbox
echo "30000 30001 30002 30003" > /proc/sys/vm/lowmem_allowed_uids
fi
mount_home && HOME_MOUNTED=1
# If failed to mount /home and system has been already optified - reboot
if [ $HOME_MOUNTED -eq 0 ]
then
if [ -e /var/lib/maemo-optify-firstboot-do-not-clean-home-opt ]; then
telinit 6
fi
else
[ ! -d /home/opt ] && mkdir /home/opt
[ ! -d /opt ] && mkdir /opt
fi
if [ $ACT_DEAD -eq 0 ]
then
if [ $HOME_MOUNTED -eq 1 ]
then
if [ -x /usr/sbin/maemo-optify-firstboot.sh ]; then
. /usr/sbin/maemo-optify-firstboot.sh
fi
fi
fi
/bin/mount /opt || echo "Failed to mount(bind) /opt."
if [ $ACT_DEAD -eq 0 ]
then
if [ $HOME_MOUNTED -eq 1 ]
then
if [ -x /usr/sbin/maemo-optify-auto-opt.sh ]; then
. /usr/sbin/maemo-optify-auto-opt.sh
fi
fi
if [ -d /home/preinstalled -a -d /home/user ]
then
rm -rf /home/user
fi
if [ ! -d /home/user ]
then
if [ -d /home/preinstalled ]
then
mv /home/preinstalled /home/user
else
mkdir /home/user
fi
cd /etc/skel
cp -a . /home/user
chown -R user:users /home/user
sync
fi
fi
if [ ! -d /home/user ]
then
mkdir /home/user
chown user:users /home/user
sync
fi
# We can safely continue booting now.
initctl emit MOUNTS_OK
# Adjust flushing of memory card buffers
echo 40 > /proc/sys/vm/dirty_ratio
echo 10 > /proc/sys/vm/dirty_background_ratio
# Initialize PRNG pool with the HW RNG. Slow, but that's ok.
URANDOM_POOLSZ=512
if [ -e /dev/hwrng ]; then
echo "Seeding entropy pool"
dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1
fi
# Data for the panic info driver
mount -t debugfs nodev /sys/kernel/debug
modprobe panic_info_buff
sleep 1
osso-product-info > /sys/kernel/debug/panic_info_buff
end script
normal exit 0
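Review bot: the swap key is drawn from /dev/urandom (`/sbin/cryptsetup -d /dev/urandom create swapenc /dev/mmcblk0p3`) before the pool is seeded from the hardware RNG (`dd if=/dev/hwrng of=/dev/urandom bs=$URANDOM_POOLSZ count=1` near the end of the script), so the key is generated at exactly the point where the README's Update section says the N900 is short of entropy; move the "Seeding entropy pool" block above the `cryptsetup create` call. Note also that writing to /dev/urandom mixes the bytes into the pool but does not credit entropy to the kernel's estimate, so the ordering is the only thing that makes the seeding help here. The `create` line specifies neither cipher nor key size, so whatever defaults the installed cryptsetup ships with are used silently; pass `-c` and `-s` explicitly so the swap encryption parameters are documented and do not change across upgrades. Minor: `HOME_DEV` is computed from /etc/fstab but only referenced by the commented-out `fsck.ext3` line, so it can go or the fsck can be restored.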