armbian_rootenc_setup.sh 34 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198
  1. #!/bin/bash
  2. PATH="$PATH:/usr/sbin:/sbin"
  3. RED="\e[31;1m" GREEN="\e[32;1m" YELLOW="\e[33;1m" BLUE="\e[34;1m" PURPLE="\e[35;1m" RESET="\e[0m"
  4. PROGNAME=$(basename $0)
  5. TITLE='Armbian Encrypted Root Filesystem Setup'
  6. CONFIG_VARS='
  7. ARMBIAN_IMAGE
  8. BOOTPART_LABEL
  9. ROOTFS_NAME
  10. DISK_PASSWD
  11. UNLOCKING_USERHOST
  12. IP_ADDRESS
  13. ADD_ALL_MODS
  14. USE_LOCAL_AUTHORIZED_KEYS
  15. '
  16. STATES='
  17. card_partitioned
  18. bootpart_copied
  19. bootpart_label_created
  20. rootpart_copied
  21. target_configured
  22. '
  23. USER_OPTS_INFO="
  24. NO_CLEANUP no cleanup of mounts after program run
  25. FORCE_REBUILD force full rebuild
  26. FORCE_RECONFIGURE force reconfiguration
  27. FORCE_REFORMAT_ROOT force reformat of encrypted root partition
  28. ADD_ALL_MODS add all currently loaded modules to initramfs
  29. USE_LOCAL_AUTHORIZED_KEYS use local 'authorized_keys' file
  30. PARTITION_ONLY partition and create filesystems only
  31. ERASE zero boot sector, boot partition and beginning of root partition
  32. ROOTENC_REUSE_FS reuse existing filesystems (for development only)
  33. ROOTENC_TESTING developer tweaks
  34. ROOTENC_PAUSE pause along the way
  35. ROOTENC_IGNORE_APT_ERRORS continue even if apt update fails
  36. "
  37. RSYNC_VERBOSITY='--info=progress2'
  38. print_help() {
  39. echo " ${PROGNAME^^}: Create an Armbian image with encrypted root filesystem
  40. USAGE: $PROGNAME [options] <SD card device name>
  41. OPTIONS: '-h' Print this help message
  42. '-C' Don't perform unmounts or clean up build directory at exit
  43. '-d' Produce tons of debugging output
  44. '-f' Force reconfiguration of target system
  45. '-F' Force a complete rebuild of target system
  46. '-m' Add all currently loaded modules to the initramfs (may help
  47. fix blank screen on bootup issues)
  48. '-p' Partition and create filesystems only. Do not copy data
  49. '-R' Force reformat of encrypted root partition
  50. '-s' Use 'authorized_keys' file from working directory, if available
  51. (see below)
  52. '-v' Be more verbose
  53. '-u' Perform an 'apt upgrade' after each 'apt update'
  54. '-z' Erase boot sector and first partition of SD card before partitioning
  55. (an extra paranoia step, but it can’t hurt)
  56. For non-interactive operation, set the following variables in your environment
  57. or on the command line:
  58. ROOTFS_NAME - device mapper name of target root filesystem
  59. IP_ADDRESS - IP address of target (set to 'dhcp' for dynamic IP
  60. or 'none' to disable remote SSH unlocking support)
  61. BOOTPART_LABEL - Boot partition label of target
  62. DISK_PASSWD - Disk password of target root filesystem
  63. UNLOCKING_USERHOST - USER@HOST of remote unlocking host
  64. SERIAL_CONSOLE - Set this to 'y' to enable disk unlocking from the
  65. serial console
  66. INSTRUCTIONS FOR USE
  67. This script must be invoked as superuser on a running Armbian system.
  68. Packages will be installed using APT, so the system must be Internet-
  69. connected and its clock correctly set.
  70. If remote unlocking via SSH is desired, the unlocking host must be reachable.
  71. Alternatively, SSH public keys for the unlocking host or hosts may be listed
  72. in the file 'authorized_keys' in the current directory. This file has the
  73. same format as a standard SSH 'authorized_keys' file.
  74. Architecture of host and target (e.g. 64-bit or 32-bit ARM) must be the same.
  75. For best results, the host and target hardware should also be identical or
  76. similar. Building on a host with more memory than the target, for example,
  77. may lead to disk unlocking failure on the target. For most users, who’ll be
  78. building for the currently-running board, this point is a non-issue.
  79. 1. Place an Armbian boot image file for the target system in the current
  80. directory. For best results, the image file should match the Debian
  81. or Ubuntu release of the host system.
  82. 2. Insert a USB card reader with a blank micro-SD card for the target
  83. system into the host’s USB port.
  84. 3. Determine the SD card’s device name using 'dmesg' or 'lsblk'.
  85. 4. Invoke the script with the device name as argument. If any options
  86. are desired, they must precede the device name.
  87. If the board has an eMMC, it may be used as the target device instead of
  88. an SD card." | less
  89. }
  90. pause() {
  91. echo -ne $GREEN'(Press any key to continue)'$RESET >&$stderr_dup
  92. read
  93. no_fmsg=1
  94. }
  95. _debug_pause() { [ "$ROOTENC_PAUSE" ] && pause; true; }
  96. imsg() { echo -e "$1" >&$stdout_dup; no_fmsg=1; }
  97. imsg_nonl() { echo -ne "$1" >&$stdout_dup; no_fmsg=1; }
  98. tmsg() {
  99. no_fmsg=1
  100. [ "$ROOTENC_TESTING" ] || return 0
  101. echo -e "$1" >&$stdout_dup
  102. }
  103. warn() { echo -e "$YELLOW$1$RESET" >&$stdout_dup; no_fmsg=1; }
  104. warn_nonl() { echo -ne "$YELLOW$1$RESET" >&$stdout_dup; no_fmsg=1; }
  105. rmsg() { echo -e "$RED$1$RESET" >&$stdout_dup; no_fmsg=1; }
  106. gmsg() { echo -e "$GREEN$1$RESET" >&$stdout_dup; no_fmsg=1; }
  107. pu_msg() { echo -e "$PURPLE$1$RESET" >&$stdout_dup; no_fmsg=1; }
  108. do_partprobe() {
  109. if [ "$VERBOSE" ]; then partprobe; else partprobe 2>/dev/null; fi
  110. no_fmsg=1
  111. }
  112. _show_output() { [ "$VERBOSE" ] || exec 1>&$stdout_dup 2>&$stderr_dup; }
  113. _hide_output() { [ "$VERBOSE" ] || exec &>'/dev/null'; }
  114. bail() { exit; }
  115. die() {
  116. echo -e "$RED$1$RESET" >&$stdout_dup
  117. no_fmsg=1
  118. exit 1
  119. }
  120. _fmsg() {
  121. local funcname=$1 errval=$2 res
  122. if [ "${funcname:0:1}" == '_' -o "$no_fmsg" ]; then
  123. no_fmsg=
  124. return 0
  125. fi
  126. if [ "$errval" -eq 0 ]; then res='OK'; else res="False ($errval)"; fi
  127. printf "$BLUE%-32s $res$RESET\n" "$funcname" >&$stdout_dup
  128. }
  129. _sigint_handler() {
  130. warn "\nExiting at user request"
  131. usr_exit=1
  132. exit 1
  133. }
  134. _exit_handler() {
  135. local err=$?
  136. _show_output
  137. [ $err -ne 0 -a -z "$usr_exit" ] && {
  138. rmsg "$SCRIPT_DESC exiting with error (exit code $err)"
  139. }
  140. return $err
  141. }
  142. _do_header() {
  143. echo
  144. local reply
  145. if banner=$(toilet --filter border --filter gay --width 51 -s -f smbraille "$TITLE" 2>/dev/null); then
  146. while read reply; do
  147. echo -e " $reply"
  148. done <<-EOF
  149. $banner
  150. EOF
  151. else
  152. echo -n ' '
  153. echo $TITLE
  154. echo
  155. fi
  156. echo " For detailed usage information,"
  157. echo " invoke with the '-h' switch"
  158. echo
  159. }
  160. _warn_user_opts() {
  161. local out
  162. while read opt text; do
  163. [ "$opt" ] || continue
  164. [ $(eval echo -n \$$opt) ] && out+=" + $text\n"
  165. done <<-EOF
  166. $USER_OPTS_INFO
  167. EOF
  168. [ "$out" ] && {
  169. warn " The following user options are in effect:"
  170. warn_nonl "${out}"
  171. }
  172. }
  173. _set_host_vars() {
  174. BUILD_DIR='armbian_rootenc_build'
  175. SRC_ROOT="$BUILD_DIR/src"
  176. BOOT_ROOT="$BUILD_DIR/boot"
  177. TARGET_ROOT="$BUILD_DIR/target"
  178. CONFIG_VARS_FILE="$BOOT_ROOT/.rootenc_config_vars"
  179. host_distro=$(lsb_release --short --codename)
  180. host_kernel=$(ls '/boot' | egrep '^vmlinu[xz]') # allow 'vmlinux' or 'vmlinuz'
  181. }
  182. check_sdcard_name_and_params() {
  183. local dev chk
  184. dev=$1
  185. [ "$dev" ] || die "You must supply a device name"
  186. [ "${dev:0:5}" == '/dev/' ] || dev="/dev/$dev"
  187. [ -e "$dev" ] || die "$dev does not exist"
  188. chk="$(lsblk --noheadings --nodeps --list --output=TYPE $dev 2>/dev/null)"
  189. [ "$chk" != 'disk' ] && {
  190. [ "$chk" == 'part' ] && die "$dev is a partition, not a block device!"
  191. die "$dev is not a block device!"
  192. }
  193. local pttype size nodos oversize removable non_removable part_sep
  194. pttype=$(blkid --output=udev $dev | grep TYPE | cut -d '=' -f2)
  195. size="$(lsblk --noheadings --nodeps --list --output=SIZE --bytes $dev 2>/dev/null)"
  196. removable="$(lsblk --noheadings --nodeps --list --output=RM $dev 2>/dev/null)"
  197. nodos=$([ "$pttype" -a "$pttype" != 'dos' ] && echo "Partition type is ${pttype^^}")
  198. oversize=$([ $size -gt 137438953472 ] && echo 'Size is > 128GiB')
  199. non_removable=$([ $removable -ne 0 ] || echo 'Device is non-removable')
  200. SD_INFO="$(lsblk --noheadings --nodeps --list --output=VENDOR,MODEL,SIZE $dev 2>/dev/null)"
  201. SD_INFO=${SD_INFO// / }
  202. [ "$nodos" -o "$oversize" -o "$non_removable" ] && {
  203. warn " $dev ($SD_INFO) doesn’t appear to be an SD card"
  204. warn " for the following reasons:"
  205. [ "$non_removable" ] && warn " $non_removable"
  206. [ "$nodos" ] && warn " $nodos"
  207. [ "$oversize" ] && warn " $oversize"
  208. _user_confirm ' Are you sure this is the correct device of your blank SD card?' 'no'
  209. }
  210. SDCARD_DEVNAME=${dev:5}
  211. [ "${SDCARD_DEVNAME%[0-9]}" == $SDCARD_DEVNAME ] || part_sep='p'
  212. BOOT_DEVNAME=$SDCARD_DEVNAME${part_sep}1
  213. ROOT_DEVNAME=$SDCARD_DEVNAME${part_sep}2
  214. [ "$SDCARD_DEVNAME" ] || die 'You must supply a device name for the SD card!'
  215. pu_msg "Will write to target $dev ($SD_INFO)"
  216. }
  217. _get_user_var() {
  218. local var desc dfl prompt pat pat_errmsg vtest cprompt seen_prompt reply redo
  219. var=$1 desc=$2 dfl=$3 prompt=$4 pat=$5 pat_errmsg=$6 vtest=$7
  220. while true; do
  221. [ -z "${!var}" -o "$seen_prompt" -o "$redo" ] && {
  222. if [ "$seen_prompt" ]; then
  223. echo -n " Enter $desc: "
  224. else
  225. cprompt=
  226. while read reply; do
  227. cprompt+=" ${reply## }\n"
  228. done <<-EOF
  229. $prompt
  230. EOF
  231. echo
  232. if [ "$dfl" ]; then
  233. printf "${cprompt:0:-2} " "$dfl"
  234. else
  235. echo -ne "${cprompt:0:-2} "
  236. fi
  237. seen_prompt=1
  238. fi
  239. eval "read $var"
  240. }
  241. redo=1
  242. [ -z "${!var}" -a "$dfl" ] && eval "$var=$dfl"
  243. [ "${!var}" ] || {
  244. rmsg " $desc must not be empty"
  245. continue
  246. }
  247. [ "$pat" ] && {
  248. echo "${!var}" | egrep -qi "$pat" || {
  249. rmsg " ${!var}: $pat_errmsg"
  250. continue
  251. }
  252. }
  253. [ "$vtest" ] && {
  254. $vtest || continue
  255. }
  256. break
  257. done
  258. }
  259. _get_user_vars() {
  260. _get_user_var 'IP_ADDRESS' 'IP address' '' \
  261. "Enter the IP address of the target machine.
  262. Enter 'dhcp' for a dynamic IP or 'none' for no remote SSH unlocking support
  263. IP address:" \
  264. '^(dhcp|none|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]+\.[0-9]{1,3})$' \
  265. 'malformed IP address'
  266. IP_ADDRESS=${IP_ADDRESS,,}
  267. _get_user_var 'BOOTPART_LABEL' 'boot partition label' 'ARMBIAN_BOOT' \
  268. "Enter a boot partition label for the target machine,
  269. or hit ENTER for the default (%s): " \
  270. '^[A-Za-z0-9_]{1,16}$' \
  271. "Label must contain no more than 16 characters in the set 'A-Za-z0-9_'"
  272. _get_user_var 'ROOTFS_NAME' 'root filesystem device name' 'rootfs' \
  273. "Enter a device name for the encrypted root filesystem,
  274. or hit ENTER for the default (%s):" \
  275. '^[a-z0-9_]{1,48}$' \
  276. "Name must contain no more than 48 characters in the set 'a-z0-9_'" \
  277. '_test_rootfs_mounted'
  278. _get_user_var 'DISK_PASSWD' 'disk password' '' \
  279. "Choose a simple disk password for the installation process.
  280. Once your encrypted system is up and running, you can change
  281. the password using the 'cryptsetup' command.
  282. Enter password:" \
  283. '^[A-Za-z0-9_ ]{1,10}$' \
  284. "Temporary disk password must contain no more than 10 characters in the set 'A-Za-z0-9_ '"
  285. if [ "$IP_ADDRESS" == 'none' ]; then
  286. UNLOCKING_USERHOST=
  287. elif [ -e 'authorized_keys' -a "$USE_LOCAL_AUTHORIZED_KEYS" ]; then
  288. UNLOCKING_USERHOST=
  289. else
  290. _get_user_var 'UNLOCKING_USERHOST' 'USER@HOST' '' \
  291. "Enter the user@host of the machine you'll be unlocking from:" \
  292. '\S+@\S+' \
  293. 'malformed USER@HOST' \
  294. '_test_unlocking_host_available'
  295. fi
  296. _get_user_var 'SERIAL_CONSOLE' 'serial console unlocking' '' \
  297. "Unlock the disk from the serial console. WARNING: enabling this will
  298. make it impossible to unlock the disk using the keyboard and monitor,
  299. though unlocking via SSH will still work.
  300. Enable serial console unlocking? (y/n):" \
  301. '^[ynYN]*$' \
  302. "You must type 'y' or 'n'"
  303. if [[ $SERIAL_CONSOLE =~ ^[Yy]$ ]]; then SERIAL_CONSOLE='yes'; else SERIAL_CONSOLE='no'; fi
  304. true
  305. }
  306. _test_rootfs_mounted() {
  307. [ -e "/dev/mapper/$ROOTFS_NAME" ] && {
  308. local mnt=$(lsblk --list --noheadings --output=MOUNTPOINT /dev/mapper/$ROOTFS_NAME)
  309. [ "$mnt" ] && {
  310. rmsg " Device '$ROOTFS_NAME' is in use and mounted on $mnt"
  311. return 1
  312. }
  313. }
  314. return 0
  315. }
  316. _test_unlocking_host_available() {
  317. local ul_host=${UNLOCKING_USERHOST#*@}
  318. ping -c1 $ul_host &>/dev/null || {
  319. rmsg " Unable to ping host '$ul_host'"
  320. return 1
  321. }
  322. }
  323. _test_sdcard_mounted() {
  324. local chk="$(lsblk --noheadings --list --output=MOUNTPOINT /dev/$SDCARD_DEVNAME)"
  325. [ -z "$chk" ] || {
  326. lsblk --output=NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT /dev/$SDCARD_DEVNAME
  327. die "Device /dev/$SDCARD_DEVNAME has mounted partitions!"
  328. }
  329. }
  330. get_authorized_keys() {
  331. [ -e 'authorized_keys' -a "$USE_LOCAL_AUTHORIZED_KEYS" ] || {
  332. rsync "$UNLOCKING_USERHOST:.ssh/id_*.pub" 'authorized_keys'
  333. }
  334. }
  335. _apt_update() {
  336. [ "$ROOTENC_IGNORE_APT_ERRORS" ] && set +e
  337. apt --yes update
  338. [ "$APT_UPGRADE" ] && apt --yes upgrade
  339. [ "$ROOTENC_IGNORE_APT_ERRORS" ] && set -e
  340. true
  341. }
  342. _print_pkgs_to_install() {
  343. local pkgs pkgs_ssh
  344. case $1 in
  345. 'host')
  346. case "$host_distro" in
  347. focal|bionic|buster) pkgs='cryptsetup-bin ed' ;;
  348. *) pkgs='cryptsetup ed'
  349. warn "Warning: unrecognized host distribution '$host_distro'" ;;
  350. esac ;;
  351. 'target')
  352. case "$target_distro" in
  353. focal|buster) pkgs='cryptsetup-initramfs' pkgs_ssh='dropbear-initramfs' ;;
  354. bionic) pkgs='cryptsetup' pkgs_ssh='dropbear-initramfs' ;;
  355. *) pkgs='cryptsetup' pkgs_ssh='dropbear'
  356. warn "Warning: unrecognized target distribution '$target_distro'" ;;
  357. esac
  358. [ "$IP_ADDRESS" != 'none' ] && pkgs+=" $pkgs_ssh" ;;
  359. esac
  360. for i in $pkgs; do
  361. dpkg -l $i 2>/dev/null | grep -q ^ii || echo $i
  362. done
  363. }
  364. apt_install_host() {
  365. local pkgs=$(_print_pkgs_to_install 'host')
  366. [ "$pkgs" ] && {
  367. _apt_update
  368. apt --yes install $pkgs
  369. }
  370. true
  371. }
  372. create_build_dir() {
  373. mkdir -p $BUILD_DIR
  374. mkdir -p $SRC_ROOT
  375. mkdir -p $BOOT_ROOT
  376. mkdir -p $TARGET_ROOT
  377. }
  378. umount_target() {
  379. for i in $BOOT_ROOT $TARGET_ROOT; do
  380. while mountpoint -q $i; do
  381. umount -Rl $i
  382. done
  383. done
  384. }
  385. remove_build_dir() {
  386. [ -d $TARGET_ROOT ] && rmdir $TARGET_ROOT
  387. [ -d $BOOT_ROOT ] && rmdir $BOOT_ROOT
  388. [ -d $SRC_ROOT ] && rmdir $SRC_ROOT
  389. [ -d $BUILD_DIR ] && rmdir $BUILD_DIR
  390. true
  391. }
  392. _get_device_maps() {
  393. local dm_type=$1
  394. local varname="device_maps_${dm_type}"
  395. eval "$varname="
  396. local data=$(lsblk --list --noheadings --output=KNAME,MOUNTPOINT | egrep '^dm-[0-9]')
  397. while read kname mountpoint; do
  398. [ "$dm_type" == 'unmounted' -a "$mountpoint" ] && continue
  399. [ "$dm_type" == 'mounted_on_target' -a \
  400. "${mountpoint: -${#TARGET_ROOT}}" != "$TARGET_ROOT" ] && continue
  401. eval "$varname+=/dev/$kname "
  402. done <<-EOF
  403. $data
  404. EOF
  405. tmsg "$varname=[${!varname}]"
  406. }
  407. _close_device_maps() {
  408. local dm_type=$1
  409. local varname="device_maps_${dm_type}"
  410. for i in ${!varname}; do
  411. tmsg "closing $i"
  412. cryptsetup status $i > '/dev/null' && cryptsetup luksClose $i
  413. done
  414. }
  415. _preclean() {
  416. close_loopmount
  417. _get_device_maps 'unmounted'
  418. _close_device_maps 'unmounted'
  419. _get_device_maps 'mounted_on_target'
  420. umount_target
  421. _close_device_maps 'mounted_on_target'
  422. remove_build_dir
  423. }
  424. _clean() {
  425. local err=$?
  426. [ $err -ne 0 -a -z "$usr_exit" ] && rmsg "$SCRIPT_DESC exiting with error (exit code $err)"
  427. pu_msg "Cleaning up, please wait..."
  428. _show_output
  429. close_loopmount
  430. _get_device_maps 'mounted_on_target'
  431. umount_target
  432. update_config_vars_file
  433. _close_device_maps 'mounted_on_target'
  434. [ -e 'authorized_keys' -a -z "$USE_LOCAL_AUTHORIZED_KEYS" ] && shred -u 'authorized_keys'
  435. remove_build_dir
  436. }
  437. get_armbian_image() {
  438. ARMBIAN_IMAGE="$(ls *.img)"
  439. [ "$ARMBIAN_IMAGE" ] || die 'You must place an Armbian image in the current directory!'
  440. local count=$(echo "$ARMBIAN_IMAGE" | wc -l)
  441. [ "$count" == 1 ] || die "More than one image file present!:\n$ARMBIAN_IMAGE"
  442. }
  443. _confirm_user_vars() {
  444. echo
  445. echo " Armbian image: $ARMBIAN_IMAGE"
  446. echo " Target device: /dev/$SDCARD_DEVNAME ($SD_INFO)"
  447. echo " Root filesystem device name: /dev/mapper/$ROOTFS_NAME"
  448. echo " Target IP address: $IP_ADDRESS"
  449. echo " Boot partition label: $BOOTPART_LABEL"
  450. echo " Disk password: $DISK_PASSWD"
  451. echo " Serial console unlocking: $SERIAL_CONSOLE"
  452. [ "$UNLOCKING_USERHOST" ] && echo " user@host of unlocking machine: $UNLOCKING_USERHOST"
  453. echo
  454. _user_confirm ' Are these settings correct?' 'yes'
  455. }
  456. setup_loopmount() {
  457. LOOP_DEV=$(losetup -f)
  458. losetup -P $LOOP_DEV $ARMBIAN_IMAGE
  459. mount ${LOOP_DEV}p1 $SRC_ROOT
  460. START_SECTOR=$(fdisk -l $LOOP_DEV -o Start | tail -n1 | tr -d ' ') # usually 32768
  461. BOOT_SECTORS=409600 # 200MB
  462. }
  463. _umount_with_check() {
  464. mountpoint -q $1 && umount $1
  465. }
  466. update_config_vars_file() {
  467. mount "/dev/$BOOT_DEVNAME" $BOOT_ROOT
  468. _print_config_vars $CONFIG_VARS_FILE
  469. umount $BOOT_ROOT
  470. }
  471. _print_states() {
  472. for i in $STATES; do
  473. echo $i: ${!i}
  474. done
  475. }
  476. _update_state_from_config_vars() {
  477. [ -e $CONFIG_VARS_FILE ] || return 0
  478. local reply
  479. while read reply; do eval "c$reply"; done <<-EOF
  480. $(cat $CONFIG_VARS_FILE)
  481. EOF
  482. local saved_states cfgvar_changed
  483. saved_states="$(_print_states)"
  484. cfgvar_changed=
  485. [ $cARMBIAN_IMAGE != $ARMBIAN_IMAGE ] && cfgvar_changed+=' ARMBIAN_IMAGE' card_partitioned='n'
  486. [ $cBOOTPART_LABEL != $BOOTPART_LABEL ] && cfgvar_changed+=' BOOTPART_LABEL' bootpart_label_created='n'
  487. [ $cROOTFS_NAME != $ROOTFS_NAME ] && cfgvar_changed+=' ROOTFS_NAME' target_configured='n'
  488. [ $cDISK_PASSWD != $DISK_PASSWD ] && cfgvar_changed+=' DISK_PASSWD' rootpart_copied='n'
  489. [ "$UNLOCKING_USERHOST" -a "$cUNLOCKING_USERHOST" != "$UNLOCKING_USERHOST" ] && {
  490. cfgvar_changed+=' UNLOCKING_USERHOST' target_configured='n'
  491. }
  492. [ $cIP_ADDRESS != $IP_ADDRESS ] && cfgvar_changed+=' IP_ADDRESS' target_configured='n'
  493. [ "$cADD_ALL_MODS" != "$ADD_ALL_MODS" ] && cfgvar_changed+=' ADD_ALL_MODS' target_configured='n'
  494. [ "$IP_ADDRESS" -a "$cUSE_LOCAL_AUTHORIZED_KEYS" != "$USE_LOCAL_AUTHORIZED_KEYS" ] && {
  495. cfgvar_changed+=' USE_LOCAL_AUTHORIZED_KEYS' target_configured='n'
  496. }
  497. [ $card_partitioned == 'n' ] && {
  498. bootpart_copied='n'
  499. bootpart_label_created='n'
  500. rootpart_copied='n'
  501. target_configured='n'
  502. }
  503. [ $bootpart_copied == 'n' ] && bootpart_label_created='n'
  504. [ $rootpart_copied == 'n' ] && target_configured='n'
  505. [ "$saved_states" != "$(_print_states)" ] && {
  506. warn "Install state altered due to changed config vars:$cfgvar_changed"
  507. for i in $STATES; do
  508. if [ "${!i}" == 'n' ]; then
  509. imsg " $i: ${RED}no$RESET"
  510. else
  511. imsg " $i: ${GREEN}yes$RESET"
  512. fi
  513. done
  514. _delete_state_files
  515. }
  516. true
  517. }
  518. _add_state_file() {
  519. local state=$1 cmd=$2
  520. if [ "$cmd" == 'target' ]; then
  521. touch "$TARGET_ROOT/boot/.rootenc_install_state/$state"
  522. else
  523. [ "$cmd" == 'mount' ] && mount "/dev/$BOOT_DEVNAME" $BOOT_ROOT
  524. mkdir -p "$BOOT_ROOT/.rootenc_install_state"
  525. touch "$BOOT_ROOT/.rootenc_install_state/$state"
  526. [ "$cmd" == 'mount' ] && umount $BOOT_ROOT
  527. fi
  528. eval "$state='y'"
  529. tmsg "added state file '$state'"
  530. }
  531. _delete_state_files() {
  532. for i in $STATES; do
  533. local fn="$BOOT_ROOT/.rootenc_install_state/$i"
  534. [ ${!i} == 'n' -a -e $fn ] && /bin/rm $fn
  535. done
  536. true
  537. }
  538. _get_state_from_state_files() {
  539. for i in $STATES; do
  540. if [ -e "$BOOT_ROOT/.rootenc_install_state/$i" ]; then
  541. eval "$i=y"
  542. else
  543. eval "$i=n"
  544. fi
  545. done
  546. }
  547. _print_state_from_state_files() {
  548. imsg 'Install state:'
  549. for i in $STATES; do
  550. if [ -e "$BOOT_ROOT/.rootenc_install_state/$i" ]; then
  551. imsg " $i: ${GREEN}yes$RESET"
  552. else
  553. imsg " $i: ${RED}no$RESET"
  554. fi
  555. done
  556. }
  557. check_install_state() {
  558. for i in $STATES; do eval "$i=n"; done
  559. if [ "$FORCE_REBUILD" ]; then
  560. return
  561. else
  562. do_partprobe
  563. lsblk --noheadings --list /dev/$SDCARD_DEVNAME -o 'NAME' | grep -q $BOOT_DEVNAME || return 0
  564. lsblk --noheadings --list /dev/$BOOT_DEVNAME -o 'FSTYPE' | grep -q 'ext4' || return 0
  565. mount "/dev/$BOOT_DEVNAME" $BOOT_ROOT
  566. _get_state_from_state_files
  567. if [ "$target_configured" == 'y' -a "$FORCE_RECONFIGURE" ]; then
  568. target_configured='n'
  569. _delete_state_files
  570. fi
  571. _print_state_from_state_files
  572. _update_state_from_config_vars
  573. _umount_with_check $BOOT_ROOT
  574. fi
  575. }
  576. close_loopmount() {
  577. while mountpoint -q $SRC_ROOT; do
  578. umount $SRC_ROOT
  579. done
  580. for i in $(losetup --noheadings --raw --list -j $ARMBIAN_IMAGE | awk '{print $1}'); do
  581. losetup -d $i
  582. done
  583. }
  584. _user_confirm() {
  585. local prompt1 prompt2 dfl_action reply
  586. prompt1=$1 dfl_action=$2
  587. if [ "$dfl_action" == 'yes' ]; then
  588. prompt2='(Y/n)'
  589. else
  590. prompt2='(y/N)'
  591. fi
  592. imsg_nonl "$prompt1 $prompt2 "
  593. read -n1 reply
  594. [ "$reply" ] && imsg ''
  595. [ "$dfl_action" == 'yes' -a -z "$reply" ] && return
  596. [ "$reply" == 'y' -o "$reply" == 'Y' ] && return
  597. warn "Exiting at user request"
  598. usr_exit=1
  599. exit 1
  600. }
  601. erase_boot_sector_and_first_partition() {
  602. local sectors count
  603. sectors=$((START_SECTOR+BOOT_SECTORS+100))
  604. count=$(((sectors/8192)+1))
  605. pu_msg "Erasing up to beginning of second partition ($sectors sectors, ${count}M):"
  606. _show_output
  607. dd if=/dev/zero \
  608. of=/dev/$SDCARD_DEVNAME \
  609. status=progress \
  610. bs=$((512*8192)) \
  611. count=$count
  612. _hide_output
  613. }
  614. create_partition_label() {
  615. pu_msg "Creating new partition label on /dev/$SDCARD_DEVNAME"
  616. local fdisk_cmds="o\nw\n"
  617. set +e
  618. echo -e "$fdisk_cmds" | fdisk "/dev/$SDCARD_DEVNAME"
  619. set -e
  620. do_partprobe
  621. }
  622. copy_boot_loader() {
  623. local count
  624. count=$((START_SECTOR/2048))
  625. pu_msg "Copying boot loader ($START_SECTOR sectors, ${count}M):"
  626. _show_output
  627. dd if=$ARMBIAN_IMAGE \
  628. of=/dev/$SDCARD_DEVNAME \
  629. status=progress \
  630. bs=$((512*2048)) \
  631. count=$count
  632. _hide_output
  633. do_partprobe
  634. }
  635. _print_config_vars() {
  636. local outfile=$1
  637. local data="$(for i in $CONFIG_VARS; do echo "$i=${!i}"; done)"
  638. if [ "$outfile" ]; then echo "$data" > $outfile; else echo "$data"; fi
  639. }
  640. partition_sd_card() {
  641. local p1_end p2_start fdisk_cmds bname rname fstype
  642. p1_end=$((START_SECTOR+BOOT_SECTORS-1))
  643. p2_start=$((p1_end+1))
  644. fdisk_cmds="o\nn\np\n1\n$START_SECTOR\n$p1_end\nn\np\n2\n$p2_start\n\nw\n"
  645. set +e
  646. echo -e "$fdisk_cmds" | fdisk "/dev/$SDCARD_DEVNAME"
  647. set -e
  648. do_partprobe
  649. bname="$(lsblk --noheadings --list --output=NAME /dev/$BOOT_DEVNAME)"
  650. [ "$bname" == $BOOT_DEVNAME ] || die 'Partitioning failed!'
  651. rname="$(lsblk --noheadings --list --output=NAME /dev/$ROOT_DEVNAME)"
  652. [ "$rname" == $ROOT_DEVNAME ] || die 'Partitioning failed!'
  653. # filesystem is required by call to _add_state_file(), so we must create it here
  654. fstype=$(lsblk --noheadings --list --output=FSTYPE "/dev/$BOOT_DEVNAME")
  655. [ "$fstype" == 'ext4' -a "$ROOTENC_REUSE_FS" ] || mkfs.ext4 -F "/dev/$BOOT_DEVNAME"
  656. do_partprobe
  657. _add_state_file 'card_partitioned' 'mount'
  658. }
  659. _do_partition() {
  660. imsg "All data on /dev/$SDCARD_DEVNAME ($SD_INFO) will be destroyed!!!"
  661. _user_confirm 'Are you sure you want to continue?' 'no'
  662. if [ "$ERASE" ]; then
  663. erase_boot_sector_and_first_partition
  664. else
  665. create_partition_label
  666. fi
  667. copy_boot_loader
  668. partition_sd_card
  669. }
  670. copy_system_boot() {
  671. [ "$PARTITION_ONLY" ] && {
  672. _add_state_file 'bootpart_copied' 'mount'
  673. return
  674. }
  675. mount "/dev/$BOOT_DEVNAME" $BOOT_ROOT
  676. pu_msg "Copying files to boot partition:"
  677. _show_output
  678. rsync $RSYNC_VERBOSITY --archive $SRC_ROOT/boot/* $BOOT_ROOT
  679. _hide_output
  680. [ -e "$BOOT_ROOT/boot" ] || (cd $BOOT_ROOT && ln -s . 'boot')
  681. _add_state_file 'bootpart_copied'
  682. umount $BOOT_ROOT
  683. }
  684. create_bootpart_label() {
  685. e2label "/dev/$BOOT_DEVNAME" "$BOOTPART_LABEL"
  686. do_partprobe
  687. _add_state_file 'bootpart_label_created' 'mount'
  688. }
  689. copy_system_root() {
  690. if [ "$FORCE_REFORMAT_ROOT" ] || ! cryptsetup isLuks "/dev/$ROOT_DEVNAME"; then
  691. pu_msg "Formatting encrypted root partition:"
  692. echo -n $DISK_PASSWD | cryptsetup luksFormat "/dev/$ROOT_DEVNAME" '-'
  693. fi
  694. echo $DISK_PASSWD | cryptsetup luksOpen "/dev/$ROOT_DEVNAME" $ROOTFS_NAME
  695. local fstype=$(lsblk --noheadings --list --output=FSTYPE "/dev/mapper/$ROOTFS_NAME")
  696. [ "$fstype" == 'ext4' -a "$ROOTENC_REUSE_FS" ] || mkfs.ext4 -F "/dev/mapper/$ROOTFS_NAME"
  697. [ "$PARTITION_ONLY" ] || {
  698. mount "/dev/mapper/$ROOTFS_NAME" $TARGET_ROOT
  699. pu_msg "Copying system to encrypted root partition:"
  700. _show_output
  701. rsync $RSYNC_VERBOSITY --archive --exclude=boot $SRC_ROOT/* $TARGET_ROOT
  702. _hide_output
  703. sync
  704. mkdir -p "$TARGET_ROOT/boot"
  705. touch "$TARGET_ROOT/root/.no_rootfs_resize"
  706. umount $TARGET_ROOT
  707. }
  708. cryptsetup luksClose $ROOTFS_NAME
  709. do_partprobe
  710. _add_state_file 'rootpart_copied' 'mount'
  711. }
  712. mount_target() {
  713. echo $DISK_PASSWD | cryptsetup luksOpen "/dev/$ROOT_DEVNAME" $ROOTFS_NAME
  714. mount "/dev/mapper/$ROOTFS_NAME" $TARGET_ROOT
  715. mount "/dev/$BOOT_DEVNAME" "$TARGET_ROOT/boot"
  716. local src dest args
  717. while read src dest args; do
  718. mount $args $src $TARGET_ROOT/$dest
  719. done <<-EOF
  720. udev dev -t devtmpfs -o rw,relatime,nosuid,mode=0755
  721. devpts dev/pts -t devpts
  722. tmpfs dev/shm -t tmpfs -o rw,nosuid,nodev,relatime
  723. proc proc -t proc
  724. sys sys -t sysfs
  725. EOF
  726. }
  727. _copy_to_target() {
  728. local fn=$1
  729. if [ -e $fn ]; then
  730. echo "Copying '$fn'"
  731. cat $fn > $TARGET_ROOT/$fn
  732. else
  733. imsg "Unable to copy '$fn' to target (file does not exist)"
  734. false
  735. fi
  736. }
  737. create_etc_crypttab() {
  738. local root_uuid="$(lsblk --noheadings --list --nodeps --output=UUID /dev/$ROOT_DEVNAME)"
  739. echo "$ROOTFS_NAME UUID=$root_uuid none initramfs,luks" > "$TARGET_ROOT/etc/crypttab"
  740. _display_file "$TARGET_ROOT/etc/crypttab"
  741. }
  742. copy_etc_files() {
  743. _copy_to_target '/etc/resolv.conf'
  744. _copy_to_target '/etc/hosts'
  745. set +e
  746. _copy_to_target /etc/apt/apt.conf.d/*proxy
  747. set -e
  748. }
  749. _set_target_vars() {
  750. target_distro=$(chroot $TARGET_ROOT 'lsb_release' '--short' '--codename')
  751. target_kernel=$(chroot $TARGET_ROOT 'ls' '/boot' | egrep '^vmlinu[xz]')
  752. imsg "$(printf '%-8s %-28s %s' '' 'Host' 'Target')"
  753. imsg "$(printf '%-8s %-28s %s' '' '----' '------')"
  754. imsg "$(printf '%-8s %-28s %s' 'distro:' $host_distro $target_distro)"
  755. imsg "$(printf '%-8s %-28s %s' 'kernel:' $host_kernel $target_kernel)"
  756. }
  757. _distros_match() {
  758. [ $host_distro == $target_distro ]
  759. }
  760. _kernels_match() {
  761. [ ${host_kernel%.*} == ${target_kernel%.*} ] || return 1
  762. [ ${host_kernel##*-} == ${target_kernel##*-} ]
  763. }
  764. copy_etc_files_distro_specific() {
  765. local files='/etc/apt/sources.list /etc/apt/sources.list.d/armbian.list'
  766. if _distros_match; then
  767. for i in $files; do _copy_to_target $i; done
  768. else
  769. warn 'Warning: host and target distros do not match:'
  770. for i in $files; do imsg " not copying $i"; done
  771. fi
  772. }
  773. _display_file() {
  774. local name text reply
  775. if [ "$2" ]; then
  776. name="$1"
  777. text="$2"
  778. else
  779. name=${1#$TARGET_ROOT}
  780. text="$(cat $1)"
  781. fi
  782. hl='────────────────────────────────────────'
  783. hl="$hl$hl$hl"
  784. hls=${hl:0:${#name}+1}
  785. echo "┌─$hls─┐"
  786. echo "│ $name: │"
  787. echo "├─$hls─┘"
  788. echo "$text" | sed 's/^/│ /'
  789. }
  790. edit_armbianEnv() {
  791. local file text console_arg
  792. file="$TARGET_ROOT/boot/armbianEnv.txt"
  793. ed $file <<-'EOF'
  794. g/^\s*rootdev=/d
  795. g/^\s*console=/d
  796. g/^\s*bootlogo=/d
  797. wq
  798. EOF
  799. case $SERIAL_CONSOLE in
  800. 'yes') console_arg='serial' ;;
  801. *) console_arg='display' ;;
  802. esac
  803. text="rootdev=/dev/mapper/$ROOTFS_NAME
  804. console=$console_arg
  805. bootlogo=false"
  806. echo "$text" >> $file
  807. _display_file $file
  808. }
  809. # Add the following lines to '/etc/initramfs-tools/initramfs.conf'. If
  810. # your board’s IP address will be statically configured, substitute the
  811. # correct static IP address after 'IP='. If it will be configured via
  812. # DHCP, omit the IP line entirely:
  813. edit_initramfs_conf() {
  814. local file="$TARGET_ROOT/etc/initramfs-tools/initramfs.conf"
  815. ed $file <<-'EOF'
  816. g/^\s*IP=/s/^/# /
  817. g/^\s*DEVICE=/d
  818. wq
  819. EOF
  820. [ "$IP_ADDRESS" == 'dhcp' -o "$IP_ADDRESS" == 'none' ] || {
  821. echo "IP=$IP_ADDRESS:::255.255.255.0::eth0:off" >> $file
  822. }
  823. [ "$IP_ADDRESS" == 'none' ] || echo "DEVICE=eth0" >> $file
  824. _display_file $file
  825. }
  826. edit_initramfs_modules() {
  827. local modlist file hdr
  828. [ "$ADD_ALL_MODS" ] && {
  829. if ! _kernels_match; then
  830. warn 'Host and target kernels do not match. Not adding modules to initramfs'
  831. elif ! _distros_match; then
  832. warn 'Host and target distros do not match. Not adding modules to initramfs'
  833. else
  834. modlist=$(lsmod | cut -d ' ' -f1 | tail -n+2)
  835. fi
  836. }
  837. file="$TARGET_ROOT/etc/initramfs-tools/modules"
  838. hdr="# List of modules that you want to include in your initramfs.
  839. # They will be loaded at boot time in the order below.
  840. #
  841. # Syntax: module_name [args ...]
  842. #
  843. # You must run update-initramfs(8) to effect this change.
  844. #
  845. "
  846. echo "$hdr$modlist" > $file
  847. _display_file $file
  848. }
  849. copy_authorized_keys() {
  850. local dest="$TARGET_ROOT/etc/dropbear-initramfs"
  851. mkdir -p $dest
  852. /bin/cp 'authorized_keys' $dest
  853. _display_file "$dest/authorized_keys"
  854. }
  855. create_fstab() {
  856. local boot_uuid file text
  857. boot_uuid="$(lsblk --noheadings --list --output=UUID /dev/$BOOT_DEVNAME)"
  858. file="$TARGET_ROOT/etc/fstab"
  859. text="/dev/mapper/$ROOTFS_NAME / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
  860. UUID=$boot_uuid /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
  861. tmpfs /tmp tmpfs defaults,nosuid 0 0"
  862. echo "$text" > $file
  863. _display_file $file
  864. }
  865. edit_dropbear_cfg() {
  866. local dest file text
  867. dest="$TARGET_ROOT/etc/dropbear-initramfs"
  868. file="$dest/config"
  869. text='DROPBEAR_OPTIONS="-p 2222"
  870. DROPBEAR=y'
  871. if [ "$IP_ADDRESS" == 'none' ]; then
  872. [ -e $file ] && rm -v $file
  873. true
  874. else
  875. mkdir -p $dest
  876. [ -e $file ] && grep -q '^DROPBEAR_OPTIONS="-p 2222"' $file || echo "$text" >> $file
  877. _display_file $file
  878. fi
  879. }
  880. create_cryptroot_unlock_sh() {
  881. local dest file text
  882. dest="$TARGET_ROOT/etc/initramfs-tools/hooks"
  883. file="$dest/cryptroot-unlock.sh"
  884. text='#!/bin/sh
  885. if [ "$1" = "prereqs" ]; then echo "dropbear-initramfs"; exit 0; fi
  886. . /usr/share/initramfs-tools/hook-functions
  887. source="/tmp/cryptroot-unlock-profile"
  888. root_home=$(echo $DESTDIR/root-*)
  889. root_home=${root_home#$DESTDIR}
  890. echo "if [ \"\$SSH_CLIENT\" ]; then /usr/bin/cryptroot-unlock; fi" > $source
  891. copy_file ssh_login_profile $source $root_home/.profile
  892. exit 0'
  893. mkdir -p $dest
  894. echo "$text" > $file
  895. chmod 755 $file
  896. _display_file $file
  897. }
  898. # begin chroot functions:
  899. apt_install_target() {
  900. local pkgs=$(_print_pkgs_to_install 'target')
  901. [ "$pkgs" ] && {
  902. echo "target packages to install: $pkgs"
  903. local ls1 ls2
  904. _show_output
  905. ls1=$(ls -l /boot/initrd.img-*)
  906. # DEBUG:
  907. # dpkg-reconfigure $pkgs # doesn't work in chroot
  908. # apt --yes purge $pkgs
  909. # apt-get --yes --purge autoremove
  910. dpkg --configure --pending --force-confdef
  911. set +e
  912. apt --yes purge 'bash-completion'
  913. apt --yes purge 'command-not-found'
  914. set -e
  915. _apt_update
  916. echo 'force-confdef' > /root/.dpkg.cfg
  917. apt --yes install $pkgs
  918. rm /root/.dpkg.cfg
  919. apt --yes autoremove
  920. ls2=$(ls -l /boot/initrd.img-*)
  921. [ "$ls1" != "$ls2" ] && initramfs_updated='y'
  922. _hide_output
  923. }
  924. true
  925. }
  926. update_initramfs() {
  927. [ "$ROOTENC_TESTING" ] && return 0
  928. _show_output
  929. local ver=$(echo /boot/vmlinu?-* | sed 's/.boot.vmlinu.-//')
  930. update-initramfs -k $ver -u
  931. _hide_output
  932. }
  933. check_initramfs() {
  934. local text chk count
  935. text="$(lsinitramfs /boot/initrd.img*)"
  936. set +e
  937. chk=$(echo "$text" | grep 'cryptsetup')
  938. count=$(echo "$chk" | wc -l)
  939. [ "$count" -gt 5 ] || { echo "$text"; die 'Cryptsetup scripts missing in initramfs image'; }
  940. _display_file "lsinitramfs /boot/initrd.img* | grep 'cryptsetup'" "$chk"
  941. [ "$IP_ADDRESS" == 'none' ] || {
  942. chk=$(echo "$text" | grep 'dropbear')
  943. count=$(echo "$chk" | wc -l)
  944. [ "$count" -gt 5 ] || { echo "$text"; die 'Dropbear scripts missing in initramfs image'; }
  945. _display_file "lsinitramfs /boot/initrd.img* | grep 'dropbear'" "$chk"
  946. chk=$(echo "$text" | grep 'authorized_keys')
  947. count=$(echo "$chk" | wc -l)
  948. [ "$count" -eq 1 ] || { echo "$text"; die 'authorized_keys missing in initramfs image'; }
  949. _display_file "lsinitramfs /boot/initrd.img* | grep 'authorized_keys'" "$chk"
  950. }
  951. set -e
  952. }
  953. configure_target() {
  954. [ "$PARTITION_ONLY" ] && return
  955. mount_target
  956. _set_target_vars
  957. copy_etc_files
  958. copy_etc_files_distro_specific
  959. edit_initramfs_conf
  960. edit_initramfs_modules
  961. [ "$IP_ADDRESS" == 'none' ] || copy_authorized_keys
  962. create_etc_crypttab
  963. create_fstab
  964. edit_dropbear_cfg
  965. [ "$IP_ADDRESS" == 'none' ] || create_cryptroot_unlock_sh
  966. edit_armbianEnv
  967. _debug_pause
  968. _show_output # this must be done before entering chroot
  969. /bin/cp $0 $TARGET_ROOT
  970. export 'ROOTFS_NAME' 'IP_ADDRESS' 'target_distro' 'ROOTENC_TESTING' 'ROOTENC_PAUSE' 'ROOTENC_IGNORE_APT_ERRORS' 'APT_UPGRADE'
  971. chroot $TARGET_ROOT "./$PROGNAME" $ORIG_OPTS 'in_target'
  972. /bin/cp -a '/etc/resolv.conf' "$TARGET_ROOT/etc" # this could be a symlink
  973. /bin/rm "$TARGET_ROOT/$PROGNAME"
  974. _add_state_file 'target_configured' 'target'
  975. }
  976. _set_env_vars() {
  977. shopt -s extglob
  978. local name val
  979. while [ $# -gt 0 ]; do
  980. name=${1%=?*} val=${1#+([A-Z_])=}
  981. [ "$name" == "$1" -o "$val" == "$1" ] && die "$1: illegal argument (must be in format 'NAME=value')"
  982. eval "$name=$val"
  983. shift
  984. done
  985. shopt -u extglob
  986. }
  987. # begin execution
  988. while getopts hCdmfFpRsuvz OPT
  989. do
  990. case "$OPT" in
  991. h) print_help; exit ;;
  992. C) NO_CLEANUP='y' ;;
  993. F) FORCE_REBUILD='y' ;;
  994. f) FORCE_RECONFIGURE='y' ;;
  995. m) ADD_ALL_MODS='y' ;;
  996. p) PARTITION_ONLY='y' ;;
  997. R) FORCE_REFORMAT_ROOT='y' ;;
  998. s) USE_LOCAL_AUTHORIZED_KEYS='y' ;;
  999. u) APT_UPGRADE='y' ;;
  1000. d) DEBUG='y' ;&
  1001. v) VERBOSE='y' RSYNC_VERBOSITY='--verbose' ;;
  1002. z) ERASE='y' ;;
  1003. *) exit ;;
  1004. esac
  1005. ORIG_OPTS+="-$OPT "
  1006. done
  1007. shift $((OPTIND-1))
  1008. trap '_fmsg "$FUNCNAME" $?' RETURN
  1009. trap '_sigint_handler' INT
  1010. trap '_exit_handler' EXIT
  1011. set -o functrace
  1012. exec {stdout_dup}>&1
  1013. exec {stderr_dup}>&2
  1014. [ $UID == 0 -o $EUID == 0 ] || die 'This program must be run as root!'
  1015. export HOME='/root'
  1016. [ "$DEBUG" ] && set -x
  1017. ARG1=$1; shift
  1018. _set_env_vars $@
  1019. if [ "$ARG1" == 'in_target' ]; then
  1020. SCRIPT_DESC='Target script'
  1021. set -e
  1022. _hide_output
  1023. [ "$target_distro" == 'bionic' ] && {
  1024. echo 'export CRYPTSETUP=y' > '/etc/initramfs-tools/conf.d/cryptsetup'
  1025. }
  1026. apt_install_target
  1027. [ "$initramfs_updated" ] || update_initramfs
  1028. check_initramfs
  1029. else
  1030. SCRIPT_DESC='Host script'
  1031. _do_header
  1032. _set_host_vars
  1033. get_armbian_image
  1034. apt_install_host # we need cryptsetup in next cmd
  1035. _preclean
  1036. check_sdcard_name_and_params $ARG1
  1037. _get_user_vars
  1038. _test_sdcard_mounted
  1039. _warn_user_opts
  1040. _confirm_user_vars
  1041. set -e
  1042. [ "$IP_ADDRESS" == 'none' ] || get_authorized_keys
  1043. create_build_dir
  1044. [ "$NO_CLEANUP" ] || trap '_clean' EXIT
  1045. setup_loopmount
  1046. _debug_pause
  1047. check_install_state
  1048. _hide_output
  1049. [ "$card_partitioned" == 'n' ] && _do_partition
  1050. _debug_pause
  1051. [ "$bootpart_copied" == 'n' ] && copy_system_boot
  1052. [ "$bootpart_label_created" == 'n' ] && create_bootpart_label
  1053. [ "$rootpart_copied" == 'n' ] && copy_system_root
  1054. [ "$target_configured" == 'n' ] && configure_target
  1055. sync
  1056. gmsg 'All done!'
  1057. if [ "$IP_ADDRESS" != 'none' ]; then
  1058. imsg "To unlock the target disk, execute the following from the unlocking host:"
  1059. imsg " ssh -p 2222 root@${IP_ADDRESS/dhcp/TARGET_IP}"
  1060. fi
  1061. fi