diff options
Diffstat (limited to 'mkosi.images/system/mkosi.postinst.chroot')
-rwxr-xr-x | mkosi.images/system/mkosi.postinst.chroot | 211 |
1 files changed, 145 insertions, 66 deletions
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot index 0cb9b9c..4686802 100755 --- a/mkosi.images/system/mkosi.postinst.chroot +++ b/mkosi.images/system/mkosi.postinst.chroot @@ -1,68 +1,9 @@ -#!/bin/sh +#!/bin/bash # SPDX-License-Identifier: LGPL-2.1-or-later set -e +set -o nounset -if [ "$1" = "build" ]; then - exit 0 -fi - -if [ -n "$SANITIZERS" ]; then - LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}') - - mkdir -p /etc/systemd/system.conf.d - - cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF -[Manager] -ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ - UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ - LD_PRELOAD=$LD_PRELOAD -DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\ - UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\ - LD_PRELOAD=$LD_PRELOAD -EOF - - # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose - # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any - # sanitizer failures appear directly on the user's console. - mkdir -p /etc/systemd/system/systemd-journald.service.d - cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF -[Service] -StandardOutput=tty -EOF - - # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users. - # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As - # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login - # from calling vhangup() so that journald's ASAN logs correctly end up in the console. - - mkdir -p /etc/systemd/system/console-getty.service.d - cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF -[Service] -TTYVHangup=no -CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG -EOF - # ASAN and syscall filters aren't compatible with each other. - find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} + - - # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default. - systemctl mask systemd-hwdb-update.service -fi - -if [ -n "$IMAGE_ID" ] ; then - sed -n \ - -i \ - -e '/^IMAGE_ID=/!p' \ - -e "\$aIMAGE_ID=$IMAGE_ID" \ - /usr/lib/os-release -fi - -if [ -n "$IMAGE_VERSION" ] ; then - sed -n \ - -i \ - -e '/^IMAGE_VERSION=/!p' \ - -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \ - /usr/lib/os-release -fi +useradd --uid 4711 --create-home --user-group testuser if command -v authselect >/dev/null; then # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so @@ -85,9 +26,147 @@ fi mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf rm -f /etc/resolv.conf -. /usr/lib/os-release +for f in "$BUILDROOT"/usr/share/*.verity.sig; do + jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash" +done + +# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by +# systemd-journald. +rm -r "$BUILDROOT/var/log/journal" + +rm -f /etc/nsswitch.conf +cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf + +# Remove to make TEST-73-LOCALE pass on Ubuntu. +rm -f /etc/default/keyboard + +# This is executed inside the chroot so no need to disable any features as the default features will match +# the kernel's supported features. +SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \ + systemd-repart \ + --empty=create \ + --dry-run=no \ + --size=auto \ + --offline=true \ + --root test/TEST-24-CRYPTSETUP \ + --definitions test/TEST-24-CRYPTSETUP/keydev.repart \ + "$OUTPUTDIR/keydev.raw" + +can_test_pkcs11() { + if ! command -v "softhsm2-util" >/dev/null; then + echo "softhsm2-util not available, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! command -v "pkcs11-tool" >/dev/null; then + echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! command -v "certtool" >/dev/null; then + echo "certtool not available, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+P11KIT"; then + echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+OPENSSL"; then + echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then + echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then + echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2 + return 1 + fi + + return 0 +} + +setup_pkcs11_token() { + echo "Setup PKCS#11 token" >&2 + local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE + + export SOFTHSM2_CONF="/tmp/softhsm2.conf" + mkdir -p /usr/lib/softhsm/tokens/ + cat >$SOFTHSM2_CONF <<EOF +directories.tokendir = /usr/lib/softhsm/tokens/ +objectstore.backend = file +slots.removable = false +slots.mechanisms = ALL +EOF + export GNUTLS_PIN="1234" + export GNUTLS_SO_PIN="12345678" + softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN" + + if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then + echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2 + P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules" + fi + + if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then + echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2 + P11_MODULE_DIR="/usr/lib/pkcs11" + fi + + SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs) + if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then + SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE" + fi + + # RSA ##################################################### + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt + + certtool --generate-self-signed \ + --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \ + --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \ + --template "test/TEST-24-CRYPTSETUP/template.cfg" \ + --outder --outfile "/tmp/rsa_test.crt" + + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey" + rm "/tmp/rsa_test.crt" + + # prime256v1 ############################################## + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive + + certtool --generate-self-signed \ + --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \ + --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \ + --template "test/TEST-24-CRYPTSETUP/template.cfg" \ + --outder --outfile "/tmp/ec_test.crt" + + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey" + rm "/tmp/ec_test.crt" + + ########################################################### + rm "$SOFTHSM2_CONF" + unset SOFTHSM2_CONF + + cat >/etc/softhsm2.conf <<EOF +directories.tokendir = /usr/lib/softhsm/tokens/ +objectstore.backend = file +slots.removable = false +slots.mechanisms = ALL +log.level = INFO +EOF + + mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d + cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF +[Unit] +# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times +StartLimitBurst=10 + +[Service] +Environment="SOFTHSM2_CONF=/etc/softhsm2.conf" +Environment="PIN=$GNUTLS_PIN" +EOF + + unset GNUTLS_PIN + unset GNUTLS_SO_PIN +} -if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then - alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 - alternatives --set python3 /usr/bin/python3.9 +if can_test_pkcs11; then + setup_pkcs11_token fi |