hrmm.. gpg throwing errors and killing chroot

2015-09-23 15:27:49 -04:00 · 2015-09-23 15:27:49 -04:00 · 673a54ef2e
parent f4397354a9
commit 673a54ef2e
10 changed files with 152 additions and 16 deletions
--- a/docs/TODO
+++ b/docs/TODO
@ -22,6 +22,7 @@

 ## Building ##

+-GUMMIBOOT IS GONE FROM THE REPOS. I could repackage it, but better to just see what the hell archiso's doing.
 -WISH: Better logging[0]
 -WISH: signing for secureboot releases (PreLoader and gummiboot handle this okay, but require manual intervention
 -use manual chrooting functions ONLY if distro not detected as arch. if /usr/bin/systemd-nspawn exists, use that instead
@ -33,14 +34,10 @@
 --yes, see e.g. https://www.reddit.com/r/archlinux/comments/3bwgf0/where_put_the_splasharchbmp_to_splash_screen_boot/
 -strip out/remove unnecessary and orphan packages (e.g. gcc, make, automake, etc.)
 -incorporate iPXE tweaks:
--http://ipxe.org/crypto
+--http://ipxe.org/crypto 
 --http://ipxe.org/cmd/imgtrust
 --http://ipxe.org/cmd/imgverify
--enable use of custom CA/self-signed certs for HTTPS etc.
-X-platform
--what distros are supported?
--automatically install what we need for buildtime
---need to finish pkg lists and then test, but meta files should be done as well as lib script
+--enable use of custom CA/self-signed certs for HTTPS etc. DONE, partially. need to incorporate codesign certs/keys. routines, conf variables
 -enable mirror= kernel commandline.
 --if mirror_(NAME) is present, use that as repo name.
 --if it starts with /, treat as mirrorlist (Include); otherwise use Server = 
--- a/extra/build.conf.sample
+++ b/extra/build.conf.sample
@ -71,6 +71,35 @@ BUILDMINI="no"
 # This currently does not work for HTTPS with self-signed certificates.
 IPXE_URI="https://bdisk.square-r00t.net"

+# Path to the (root) CA certificate file (in PEM/X509 format) iPXE should use.
+# If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Note that you can use your own CA to sign existing certs. See http://ipxe.org/crypto for
+# more info. This is handy if you run a third-party/"Trusted" root-CA-signed certificate
+# for the HTTPS target.
+# Requires IPXE_SSL_CAKEY if specified.
+IPXE_SSL_CA=""
+
+# Path to the (root) CA key file (in PEM/X509 format) iPXE should use.
+# If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_CA if specified.
+IPXE_SSL_CAKEY=""
+
+# Path to the CLIENT certificate (in PEM/X509). If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_KEY if specified.
+IPXE_SSL_CRT=""
+
+# Path to the CLIENT key (in PEM/X509). If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_CRT if specified.
+IPXE_SSL_KEY=""
+
 # Set to "yes" to enable pushing new changes to a git repo/committing to a local repo
 GIT="no"

--- a/lib/01-mk.chroot.func.sh
+++ b/lib/01-mk.chroot.func.sh
@ -180,6 +180,7 @@ EOF
    echo "Done."
    echo -n "...Upgrading any outdated packages..."
    ${CHROOTCMD} ${i}/ pacman -Syyu --noconfirm >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    ${CHROOTCMD} ${i}/ pacman-key --refresh-keys >> "${LOGFILE}.${FUNCNAME}" 2>&1
    for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
    echo "Done. Finishing/cleaning up..."
    ${CHROOTCMD} ${i}/ pacman -S --noconfirm --needed base-devel >> "${LOGFILE}.${FUNCNAME}" 2>&1
--- a/lib/09-stuffy.func.sh
+++ b/lib/09-stuffy.func.sh
@ -14,10 +14,10 @@ function stuffy {
  echo "Setting up EFI stuff..."

  mkdir -p ${TEMPDIR}/{EFI/{${DISTNAME},boot},loader/entries}
-  # this stuff comes from the prebootloader pkg and gummiboot pkg. lets us boot on UEFI machines with secureboot still enabled.
+  # this stuff comes from the prebootloader pkg and systemd-boot. lets us boot on UEFI machines with secureboot still enabled.
  cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${TEMPDIR}/EFI/boot/bootx64.efi
  cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${TEMPDIR}/EFI/boot/.
-  cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
+  cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?

  echo "Checking/fetching UEFI shells..."
  if [ ! -f "${TEMPDIR}/EFI/shellx64_v2.efi" ];
@ -71,7 +71,7 @@ EOF
  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/boot/${UXNAME}.64.img))) # EFI/BDISK/bdisk.img
  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi))) # EFI/boot/bootx64.efi
  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi))) # EFI/boot/HashTool.efi
-  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi))) # EFI/boot/loader.efi
+  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi))) # EFI/boot/loader.efi
  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v1.efi)))
  FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v2.efi)))
  FATSIZE=$((${FATSIZE} + $(du -sb ${TEMPDIR}/loader | tail -n1 | awk '{print $1}'))) # loader/* (okay so i cheated a little here.)
@ -112,7 +112,7 @@ EOF

  cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${SRCDIR}/efiboot/EFI/boot/bootx64.efi
  cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${SRCDIR}/efiboot/EFI/boot/.
-  cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
+  cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
  cp ${TEMPDIR}/EFI/shellx64_v{1,2}.efi ${SRCDIR}/efiboot/EFI/.
  umount ${SRCDIR}/efiboot
  echo "EFI configuration complete..."
--- a/lib/10-yo_dj.func.sh
+++ b/lib/10-yo_dj.func.sh
@ -284,6 +284,7 @@ EOF
  if [[ "${BUILDMINI}" == "y" ]];
  then
    echo "Now generating the iPXE images; please wait..."
+    ## Get the latest version of ipxe from git.
    git submodule init >> "${LOGFILE}.${FUNCNAME}" 2>&1
    git submodule update >> "${LOGFILE}.${FUNCNAME}" 2>&1
    cd ${BASEDIR}/src/ipxe/src
@ -292,24 +293,93 @@ EOF
    git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
    git pull >> "${LOGFILE}.${FUNCNAME}" 2>&1
    git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    ## Apply our patches.
    for i in $(find ${BASEDIR}/src/ipxe_local/patches/ -type f -iname "*.patch" -printf '%P\n' | sort);
    do
      patch -Np2 < ${BASEDIR}/src/ipxe_local/patches/${i} >> "${LOGFILE}.${FUNCNAME}" 2>&1
    done
+    ## SSL
+    SSLDIR="${BASEDIR}/src/ipxe_local/ssl"
+    mkdir -p ${SSLDIR}/{keys,crts,txt}
+    chmod 000 ${SSLDIR}/keys
+    chown root:root ${SSLDIR}/keys
+    if [[ -z "${IPXE_SSL_CA}" && -z "${IPXE_SSL_KEY}" ]];
+    then
+      # Generate SSL CA
+      #rm -rf ${SSLDIR}/*
+      cd "${SSLDIR}"
+      IPXE_SSL_CA="${SSLDIR}/crts/ca.crt"
+      IPXE_SSL_CAKEY="${SSLDIR}/keys/ca.key"
+      IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
+      if [[ ! -f "${SSLDIR}/txt/ca.srl" ]];
+      then
+        echo 01 > ${SSLDIR}/txt/ca.srl
+      fi
+      touch ${SSLDIR}/txt/ca.idx
+      openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -x509 -newkey rsa:4096 -nodes -out ${IPXE_SSL_CA} -keyout ${IPXE_SSL_CAKEY} -sha512
+      openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${SSLDIR}/keys/server.key -nodes -out ${SSLDIR}/crts/server.csr -sha512
+      openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/server.csr -out ${SSLDIR}/crts/server.crt
+      #cat crts/server.crt crts/ca.crt > crts/server_chained.crt
+    elif [[ -z "${IPXE_SSL_CA}" && -e "${IPXE_SSL_CAKEY}" ]];
+    then
+      echo "ERROR: You specified IPXE_SSL_CAKEY but not IPXE_SSL_CA. If one is specified, the other must be also."
+      exit 1
+    elif [[ -z "${IPXE_SSL_CAKEY}" && -e "${IPXE_SSL_CA}" ]];
+    then
+      echo "ERROR: You specified IPXE_SSL_CA but not IPXE_SSL_CAKEY. If one is specified, the other must be also."
+      exit 1
+    elif [[ ! -e "${IPXE_SSL_CA}" || ! -e "${IPXE_SSL_CAKEY}" ]];
+    then
+      echo "ERROR: You have specified both IPXE_SSL_CA and IPXE_SSL_CAKEY but one (or both) are not valid paths/files."
+      exit 1
+    fi
+    if [[ -z "${IPXE_SSL_KEY}" && -z "${IPXE_SSL_CRT}" ]];
+    then
+      IPXE_SSL_KEY="${SSLDIR}/keys/client.key"
+      IPXE_SSL_CRT="${SSLDIR}/crts/client.crt"
+      IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
+      # Generate SSL client key.
+      openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${IPXE_SSL_KEY} -nodes -out ${SSLDIR}/crts/client.csr -sha512
+      # Sign the crt.
+      openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/client.csr -out ${IPXE_SSL_CRT}
+    elif [[ -z "${IPXE_SSL_CRT}" && -e "${IPXE_SSL_KEY}" ]]; 
+    then
+      echo "ERROR: You specified IPXE_SSL_KEY but not IPXE_SSL_CRT. If one is specified, the other must be also."
+      exit 1
+    elif [[ -z "${IPXE_SSL_KEY}" && -e "${IPXE_SSL_CRT}" ]]; 
+    then
+      echo "ERROR: You specified IPXE_SSL_CRT but not IPXE_SSL_KEY. If one is specified, the other must be also."
+      exit 1
+    elif [[ ! -e "${IPXE_SSL_CRT}" || ! -e "${IPXE_SSL_KEY}" ]]; 
+    then
+      echo "ERROR: You have specified both IPXE_SSL_CRT and IPXE_SSL_KEY but one (or both) are not valid paths/files."
+      exit 1
+    fi
+    cd ${BASEDIR}/src/ipxe/src
    # Generate the iPXE EMBED script...
    sed -re "s,^(chain\ ).*$,\1${IPXE_URI},g" \
 	-e 's/%%COMMA%%/,/g' ${BASEDIR}/src/ipxe_local/EMBED > ${SRCDIR}/EMBED
+    # And now we build!
    #make everything EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
-    make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
-    make bin/ipxe.eiso bin/ipxe.usb EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi \
+         EMBED="${SRCDIR}/EMBED" \
+         TRUST="${IPXE_SSL_CA}" \
+         CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
+         PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    make bin/ipxe.eiso bin/ipxe.usb \
+         EMBED="${SRCDIR}/EMBED" \
+         TRUST="${IPXE_SSL_CA}" \
+         CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
+         PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
    # Change this to USB-only...
    #make all EMBED="${BASEDIR}/src/ipxe_local/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
    mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.usb  ${ISODIR}/${USBFILENAME}
    mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.eiso  ${ISODIR}/${MINIFILENAME}
    make clean >> "${LOGFILE}.${FUNCNAME}" 2>&1
+    cd ${BASEDIR}/src/ipxe
    git reset --hard >> "${LOGFILE}.${FUNCNAME}" 2>&1
    git clean -xdf > /dev/null 2>&1
-    git checkout master > /dev/null 2>&1
+    git checkout master . > /dev/null 2>&1
    #git reset --hard HEAD > /dev/null 2>&1
    echo
  fi
--- a/lib/prereqs/iso.pkgs.lst
+++ b/lib/prereqs/iso.pkgs.lst
@ -12,7 +12,6 @@ efivar
 ethtool
 file
 findutils
-gummiboot
 iproute2
 iputils
 libisoburn
--- a/src/ipxe
+++ b/src/ipxe
@ -1 +1 @@
-Subproject commit c522c11c7b7adedf0bf339b954e30951f02d568f
+Subproject commit 3f8da985aa81e31b6e9482970f6ec594aecca552
--- a/src/ipxe_local/00-general.sed
+++ b/src/ipxe_local/00-general.sed
@ -1,7 +1,10 @@
+## Enable IPv6 support
 s/^#undef([[:space:]]*NET_PROTO_IPV6)/#define\1/g
+## Enable HTTPS
 s/^#undef([[:space:]]*DOWNLOAD_PROTO_HTTPS)/#define\1/g
+s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
+## Enable FTP
 s/^#undef([[:space:]]*DOWNLOAD_PROTO_FTP)/#define\1/g
 ## Currently broken for EFI building
 #s@^//(#define[[:space:]]*CONSOLE_CMD)@\1@g
 #s@^//(#define[[:space:]]*IMAGE_PNG@\1@g
-s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
--- a/src/ipxe_local/EMBED
+++ b/src/ipxe_local/EMBED
@ -1,4 +1,8 @@
 #!ipxe

 dhcp
+## TODO: signed kernel and initrd
+#imgtrust --permanent
+#imgverify vmlinuz path/to/vmlinuz.sig
+#imgverify initrd path/to/initrd.sig
 chain https://bdisk.square-r00t.net
--- a/src/ipxe_local/ssl/openssl.cnf
+++ b/src/ipxe_local/ssl/openssl.cnf
@ -0,0 +1,33 @@
+[ ca ]
+default_ca             = ca_default
+
+[ ca_default ]
+certificate            = crts/ca.crt
+private_key            = keys/ca.key
+serial                 = txt/ca.srl
+database               = txt/ca.idx
+#new_certs_dir          = signed
+new_certs_dir          = crts
+#default_md             = default
+default_md             = sha512
+policy                 = policy_anything
+preserve               = yes
+default_days           = 90
+unique_subject         = no
+
+[ policy_anything ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = optional
+emailAddress           = optional
+
+[ cross ]
+basicConstraints       = critical,CA:true
+keyUsage               = critical,cRLSign,keyCertSign
+
+[ codesigning ]
+keyUsage                = digitalSignature
+extendedKeyUsage        = codeSigning