From 6c32f2e0548a7992653ebb0917b7cc3dc9f3012f Mon Sep 17 00:00:00 2001
From: The MMGen Project
Date: Sat, 27 Feb 2021 18:52:53 +0000
Subject: [PATCH] Add automatic disk unlock prompt; minor help/info improvements
---
 scripts/armbian_rootenc_setup.sh | 44 +++++++++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 7 deletions(-)
diff --git a/scripts/armbian_rootenc_setup.sh b/scripts/armbian_rootenc_setup.sh
index c381618..cbacfb0 100755
--- a/scripts/armbian_rootenc_setup.sh
+++ b/scripts/armbian_rootenc_setup.sh
@@ -47,9 +47,11 @@ print_help() {
 fix blank screen on bootup issues) '-p' Partition and create filesystems only. Do not copy data '-s' Use 'authorized_keys' file from working directory, if available + (see below) '-v' Be more verbose '-u' Perform an 'apt upgrade' after each 'apt update' '-z' Erase boot sector and first partition of SD card before partitioning + (an extra paranoia step, but it can’t hurt) For non-interactive operation, set the following variables in your environment or on the command line:
@@ -69,8 +71,9 @@ print_help() {
 connected and its clock correctly set. If remote unlocking via SSH is desired, the unlocking host must be reachable. - Alternatively, SSH public keys for the unlocking host or hosts may be placed - in the file 'authorized_keys' in the current directory. + Alternatively, SSH public keys for the unlocking host or hosts may be listed + in the file 'authorized_keys' in the current directory. This file has the + same format as a standard SSH 'authorized_keys' file. Architecture of host and target (e.g. 64-bit or 32-bit ARM) must be the same.
@@ -953,20 +956,40 @@ tmpfs /tmp tmpfs defaults,nosuid 0 0"
 }
 edit_dropbear_cfg() {
-	local file text
-	file="$TARGET_ROOT/etc/dropbear-initramfs/config"
+	local dest file text
+	dest="$TARGET_ROOT/etc/dropbear-initramfs"
+	file="$dest/config"
+	text='DROPBEAR_OPTIONS="-p 2222"
+DROPBEAR=y'
 	if [ "$IP_ADDRESS" == 'none' ]; then
 		[ -e $file ] && rm -v $file
 		true
 	else
-		mkdir -p '/etc/dropbear-initramfs'
-		text='DROPBEAR_OPTIONS="-p 2222"
-DROPBEAR=y'
+		mkdir -p $dest
 		[ -e $file ] && grep -q '^DROPBEAR_OPTIONS="-p 2222"' $file || echo "$text" >> $file
 		_display_file $file
 	fi
 }
+create_cryptroot_unlock_sh() {
+	local dest file text
+	dest="$TARGET_ROOT/etc/initramfs-tools/hooks"
+	file="$dest/cryptroot-unlock.sh"
+	text='#!/bin/sh
+if [ "$1" = "prereqs" ]; then echo "dropbear-initramfs"; exit 0; fi
+. /usr/share/initramfs-tools/hook-functions
+source="/tmp/cryptroot-unlock-profile"
+root_home=$(echo $DESTDIR/root-*)
+root_home=${root_home#$DESTDIR}
+echo "if [ \"\$SSH_CLIENT\" ]; then /usr/bin/cryptroot-unlock; fi" > $source
+copy_file ssh_login_profile $source $root_home/.profile
+exit 0'
+	mkdir -p $dest
+	echo "$text" > $file
+	chmod 755 $file
+	_display_file $file
+}
+
 # begin chroot functions:
 make_image() {
@@ -1049,6 +1072,7 @@ configure_target() {
 	create_etc_crypttab
 	create_fstab
 	edit_dropbear_cfg
+	[ "$IP_ADDRESS" == 'none' ] || create_cryptroot_unlock_sh
 	edit_armbianEnv
 	_debug_pause
@@ -1161,5 +1185,11 @@ else
 	[ "$rootpart_copied" == 'n' ] && copy_system_root
 	[ "$target_configured" == 'n' ] && configure_target
+	sync
 	gmsg 'All done!'
+
+	if [ "$IP_ADDRESS" != 'none' ]; then
+		imsg "To unlock the target disk, execute the following from the unlocking host:"
+		imsg " ssh -p 2222 root@${IP_ADDRESS/dhcp/TARGET_IP}"
+	fi
 fi
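Review bot: The hook body emitted by create_cryptroot_unlock_sh never checks that `root_home=$(echo $DESTDIR/root-*)` actually matched a directory; if dropbear's own hook has not created a root-XXXX home under $DESTDIR, the variable holds the literal glob pattern, copy_file installs the .profile under a bogus path, and the automatic unlock prompt silently never appears at boot. Insert a guard between the two root_home lines, `[ -d "$root_home" ] || { echo "cryptroot-unlock hook: no dropbear root home under $DESTDIR" >&2; exit 1; }`, so that update-initramfs fails loudly instead (mkinitramfs treats a non-zero hook exit as fatal, as far as I recall). Separately, `source="/tmp/cryptroot-unlock-profile"` is a fixed, predictable path that a root-run hook overwrites with `>` on every initramfs rebuild; `source=$(mktemp)` plus an `rm -f "$source"` after copy_file avoids a symlink race should unprivileged users exist on the target. Note that make_image starts on the hunk's last line and its body lies outside the hunk.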