From fc53809803cd2bc2434e312b19a18fa36776da12 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 12 Jun 2024 05:50:40 +0200
Subject: Adding upstream version 256.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 mkosi.images/system/mkosi.postinst.chroot | 211 ++++++++++++++++++++----------
 1 file changed, 145 insertions(+), 66 deletions(-)

(limited to 'mkosi.images/system/mkosi.postinst.chroot')

diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 0cb9b9c..4686802 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -1,68 +1,9 @@
-#!/bin/sh
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
+set -o nounset
 
-if [ "$1" = "build" ]; then
-    exit 0
-fi
-
-if [ -n "$SANITIZERS" ]; then
-    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | grep libasan.so | awk '{print $3}')
-
-    mkdir -p /etc/systemd/system.conf.d
-
-    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
-[Manager]
-ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
-                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
-                   LD_PRELOAD=$LD_PRELOAD
-DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
-                   UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
-                   LD_PRELOAD=$LD_PRELOAD
-EOF
-
-    # ASAN logs to stderr by default. However, journald's stderr is connected to /dev/null, so we lose
-    # all the ASAN logs. To rectify that, let's connect journald's stdout to the console so that any
-    # sanitizer failures appear directly on the user's console.
-    mkdir -p /etc/systemd/system/systemd-journald.service.d
-    cat >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf <<EOF
-[Service]
-StandardOutput=tty
-EOF
-
-    # Both systemd and util-linux's login call vhangup() on /dev/console which disconnects all users.
-    # This means systemd-journald can't log to /dev/console even if we configure `StandardOutput=tty`. As
-    # a workaround, we modify console-getty.service to disable systemd's vhangup() and disallow login
-    # from calling vhangup() so that journald's ASAN logs correctly end up in the console.
-
-    mkdir -p /etc/systemd/system/console-getty.service.d
-    cat >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf <<EOF
-[Service]
-TTYVHangup=no
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-EOF
-    # ASAN and syscall filters aren't compatible with each other.
-    find / -name '*.service' -type f -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +
-
-    # `systemd-hwdb update` takes > 50s when built with sanitizers so let's not run it by default.
-    systemctl mask systemd-hwdb-update.service
-fi
-
-if [ -n "$IMAGE_ID" ] ; then
-    sed -n \
-        -i \
-        -e '/^IMAGE_ID=/!p' \
-        -e "\$aIMAGE_ID=$IMAGE_ID" \
-        /usr/lib/os-release
-fi
-
-if [ -n "$IMAGE_VERSION" ] ; then
-    sed -n \
-        -i \
-        -e '/^IMAGE_VERSION=/!p' \
-        -e "\$aIMAGE_VERSION=$IMAGE_VERSION" \
-        /usr/lib/os-release
-fi
+useradd --uid 4711 --create-home --user-group testuser
 
 if command -v authselect >/dev/null; then
     # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
@@ -85,9 +26,147 @@ fi
 mountpoint -q /etc/resolv.conf && umount /etc/resolv.conf
 rm -f /etc/resolv.conf
 
-. /usr/lib/os-release
+for f in "$BUILDROOT"/usr/share/*.verity.sig; do
+    jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+done
+
+# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
+# systemd-journald.
+rm -r "$BUILDROOT/var/log/journal"
+
+rm -f /etc/nsswitch.conf
+cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
+
+# Remove to make TEST-73-LOCALE pass on Ubuntu.
+rm -f /etc/default/keyboard
+
+# This is executed inside the chroot so no need to disable any features as the default features will match
+# the kernel's supported features.
+SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
+    systemd-repart \
+    --empty=create \
+    --dry-run=no \
+    --size=auto \
+    --offline=true \
+    --root test/TEST-24-CRYPTSETUP \
+    --definitions test/TEST-24-CRYPTSETUP/keydev.repart \
+    "$OUTPUTDIR/keydev.raw"
+
+can_test_pkcs11() {
+    if ! command -v "softhsm2-util" >/dev/null; then
+        echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+    if ! command -v "pkcs11-tool" >/dev/null; then
+        echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+    if ! command -v "certtool" >/dev/null; then
+        echo "certtool not available, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+    if ! systemctl --version | grep -q "+P11KIT"; then
+        echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+    if ! systemctl --version | grep -q "+OPENSSL"; then
+        echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+    if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
+        echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+    if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
+        echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
+        return 1
+    fi
+
+    return 0
+}
+
+setup_pkcs11_token() {
+    echo "Setup PKCS#11 token" >&2
+    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
+
+    export SOFTHSM2_CONF="/tmp/softhsm2.conf"
+    mkdir -p /usr/lib/softhsm/tokens/
+    cat >$SOFTHSM2_CONF <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+EOF
+    export GNUTLS_PIN="1234"
+    export GNUTLS_SO_PIN="12345678"
+    softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
+
+    if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
+        echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
+        P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
+    fi
+
+    if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
+        echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
+        P11_MODULE_DIR="/usr/lib/pkcs11"
+    fi
+
+    SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
+    if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
+        SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
+    fi
+
+    # RSA #####################################################
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
+
+    certtool --generate-self-signed \
+      --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
+      --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
+      --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+      --outder --outfile "/tmp/rsa_test.crt"
+
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
+    rm "/tmp/rsa_test.crt"
+
+    # prime256v1 ##############################################
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
+
+    certtool --generate-self-signed \
+      --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
+      --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
+      --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+      --outder --outfile "/tmp/ec_test.crt"
+
+    pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
+    rm "/tmp/ec_test.crt"
+
+    ###########################################################
+    rm "$SOFTHSM2_CONF"
+    unset SOFTHSM2_CONF
+
+    cat >/etc/softhsm2.conf <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+log.level = INFO
+EOF
+
+    mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
+    cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
+[Unit]
+# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
+StartLimitBurst=10
+
+[Service]
+Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
+Environment="PIN=$GNUTLS_PIN"
+EOF
+
+    unset GNUTLS_PIN
+    unset GNUTLS_SO_PIN
+}
 
-if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then
-    alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
-    alternatives --set python3 /usr/bin/python3.9
+if can_test_pkcs11; then
+    setup_pkcs11_token
 fi
-- 
cgit v1.2.3