From cf93a04501926c3afca1f1d4f51ab11fee59afca Mon Sep 17 00:00:00 2001 From: The MMGen Project Date: Sun, 11 Apr 2021 20:06:26 +0000 Subject: [PATCH] Support disk unlocking via SSH over USB (USB gadget, g_ether) - both static and dynamic (DHCP) IP are supported - interface is configured both in initrd and booted system --- scripts/armbian_rootenc_setup.sh | 74 ++++++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 3 deletions(-) diff --git a/scripts/armbian_rootenc_setup.sh b/scripts/armbian_rootenc_setup.sh index 8b95734..6289f94 100755 --- a/scripts/armbian_rootenc_setup.sh +++ b/scripts/armbian_rootenc_setup.sh @@ -16,6 +16,7 @@ CONFIG_VARS=' ADD_ALL_MODS ADD_MODS USE_LOCAL_AUTHORIZED_KEYS + USB_GADGET ' STATES=' card_partitioned @@ -39,6 +40,7 @@ USER_OPTS_INFO=" ROOTENC_PAUSE - pause along the way ROOTENC_IGNORE_APT_ERRORS - continue even if apt update fails SERIAL_CONSOLE - enable disk unlocking via serial console + USB_GADGET - enable disk unlocking via SSH over USB (g_ether) VERBOSE - produce verbose output " RSYNC_VERBOSITY='--info=progress2' @@ -376,6 +378,13 @@ _get_user_vars() { Enable unlocking via serial console? (y/n):" \ 'bool' + _get_user_var 'USB_GADGET' 'disk unlocking via SSH over USB (g_ether)' '' \ + "Unlock the disk via SSH over USB (g_ether). Enable this only if your board + supports USB gadget mode, i.e. if it has a USB OTG port. WARNING: enabling this + will make it impossible to unlock the disk over the Ethernet interface (eth0). + Enable unlocking via SSH over USB? (y/n):" \ + 'bool' + true } @@ -544,6 +553,7 @@ _confirm_user_vars() { echo " Disk password: $DISK_PASSWD" [ "$UNLOCKING_USERHOST" ] && echo " user@host of unlocking host: $UNLOCKING_USERHOST" echo " Serial console unlocking: ${SERIAL_CONSOLE:-no}" + echo " SSH over USB unlocking: ${USB_GADGET:-no}" echo _user_confirm ' Are these settings correct?' 'yes' } @@ -595,6 +605,7 @@ _update_state_from_config_vars() { [ "$cNETMASK" != "$NETMASK" ] && cfgvar_changed+=' NETMASK' target_configured='n' [ "$cADD_ALL_MODS" != "$ADD_ALL_MODS" ] && cfgvar_changed+=' ADD_ALL_MODS' target_configured='n' [ "$cADD_MODS" != "$ADD_MODS" ] && cfgvar_changed+=' ADD_MODS' target_configured='n' + [ "$cUSB_GADGET" != "$USB_GADGET" ] && cfgvar_changed+=' USB_GADGET' target_configured='n' [ "$IP_ADDRESS" -a "$cUSE_LOCAL_AUTHORIZED_KEYS" != "$USE_LOCAL_AUTHORIZED_KEYS" ] && { cfgvar_changed+=' USE_LOCAL_AUTHORIZED_KEYS' target_configured='n' } @@ -959,7 +970,8 @@ bootlogo=false" # correct static IP address after 'IP='. If it will be configured via # DHCP, omit the IP line entirely: edit_initramfs_conf() { - local file="$TARGET_ROOT/etc/initramfs-tools/initramfs.conf" + local file="$TARGET_ROOT/etc/initramfs-tools/initramfs.conf" dev='eth0' + [ "$USB_GADGET" ] && dev='usb0' ed $file <<-'EOF' g/^\s*IP=/s/^/# / g/^\s*DEVICE=/d @@ -968,13 +980,13 @@ edit_initramfs_conf() { [ "$IP_ADDRESS" == 'dhcp' -o "$IP_ADDRESS" == 'none' ] || { echo "IP=$IP_ADDRESS:::$NETMASK::$dev:off" >> $file } - [ "$IP_ADDRESS" == 'none' ] || echo "DEVICE=eth0" >> $file + [ "$IP_ADDRESS" == 'none' ] || echo "DEVICE=$dev" >> $file _display_file $file } edit_initramfs_modules() { local modlist file hdr - [ "$ADD_ALL_MODS" -o "$ADD_MODS" ] && { + [ "$ADD_ALL_MODS" -o "$ADD_MODS" -o "$USB_GADGET" ] && { if ! _kernels_match; then warn 'Host and target kernels do not match. Not adding modules to initramfs' elif ! _distros_match; then @@ -983,6 +995,7 @@ edit_initramfs_modules() { local g_mods='libcomposite u_ether usb_f_rndis g_ether usb_f_eem' [ "$ADD_ALL_MODS" ] && modlist=$(lsmod | cut -d ' ' -f1 | tail -n+2) [ "$ADD_MODS" ] && modlist+=$(echo; for m in ${ADD_MODS//,/ }; do echo $m; done) + [ "$USB_GADGET" ] && modlist+=$(echo; for m in $g_mods; do echo $m; done) fi } file="$TARGET_ROOT/etc/initramfs-tools/modules" @@ -1032,6 +1045,59 @@ DROPBEAR=y' fi } +netman_manage_usb0() { + local file bu_file text + file="$TARGET_ROOT/etc/NetworkManager/NetworkManager.conf" + bu_file="$file.rootenc.orig" + text=' +[device] +match-device=interface-name:eth0 +managed=0 +match-device=interface-name:usb0 +managed=1' + if [ -e $file ]; then + if [ "$USB_GADGET" ]; then + grep -q '^match-device=interface-name:usb0' $file || { + /bin/cp $file $bu_file + echo "$text" >> $file + } + else + [ -e $bu_file ] && /bin/mv $bu_file $file + fi + _display_file $file + else + warn "$file does not exist, not enabling managed usb0" + fi +} + +ifupdown_config_usb0() { + local file bu_file text + file="$TARGET_ROOT/etc/network/interfaces" + bu_file="$file.rootenc.orig" + text=" + +auto usb0 +iface usb0 inet static + address $IP_ADDRESS + netmask $NETMASK +" + if [ -e $file ]; then + if [ "$USB_GADGET" -a "$IP_ADDRESS" != 'dhcp' ]; then + grep -q '^auto usb0' $file || { + /bin/cp $file $bu_file + echo "$text" >> $file + } + systemctl mask network-manager + else + [ -e $bu_file ] && /bin/mv $bu_file $file + systemctl unmask network-manager + fi + _display_file $file + else + warn "$file does not exist, not configuring static usb0" + fi +} + create_cryptroot_unlock_sh() { local dest file text dest="$TARGET_ROOT/etc/initramfs-tools/hooks" @@ -1125,6 +1191,8 @@ configure_target() { create_etc_crypttab create_fstab edit_dropbear_cfg + netman_manage_usb0 + ifupdown_config_usb0 [ "$IP_ADDRESS" == 'none' ] || create_cryptroot_unlock_sh edit_armbianEnv _debug_pause