From 673a54ef2e196c089dbf34b1e6c00020b9576994 Mon Sep 17 00:00:00 2001 From: r00t Date: Wed, 23 Sep 2015 15:27:49 -0400 Subject: [PATCH] hrmm.. gpg throwing errors and killing chroot --- docs/TODO | 9 ++-- extra/build.conf.sample | 29 +++++++++++++ lib/01-mk.chroot.func.sh | 1 + lib/09-stuffy.func.sh | 8 ++-- lib/10-yo_dj.func.sh | 76 ++++++++++++++++++++++++++++++++-- lib/prereqs/iso.pkgs.lst | 1 - src/ipxe | 2 +- src/ipxe_local/00-general.sed | 5 ++- src/ipxe_local/EMBED | 4 ++ src/ipxe_local/ssl/openssl.cnf | 33 +++++++++++++++ 10 files changed, 152 insertions(+), 16 deletions(-) create mode 100644 src/ipxe_local/ssl/openssl.cnf diff --git a/docs/TODO b/docs/TODO index 046b0a8..f8d509b 100644 --- a/docs/TODO +++ b/docs/TODO @@ -22,6 +22,7 @@ ## Building ## +-GUMMIBOOT IS GONE FROM THE REPOS. I could repackage it, but better to just see what the hell archiso's doing. -WISH: Better logging[0] -WISH: signing for secureboot releases (PreLoader and gummiboot handle this okay, but require manual intervention -use manual chrooting functions ONLY if distro not detected as arch. if /usr/bin/systemd-nspawn exists, use that instead 
@@ -33,14 +34,10 @@ --yes, see e.g. https://www.reddit.com/r/archlinux/comments/3bwgf0/where_put_the_splasharchbmp_to_splash_screen_boot/ -strip out/remove unnecessary and orphan packages (e.g. gcc, make, automake, etc.) -incorporate iPXE tweaks: ---http://ipxe.org/crypto +--http://ipxe.org/crypto --http://ipxe.org/cmd/imgtrust --http://ipxe.org/cmd/imgverify ---enable use of custom CA/self-signed certs for HTTPS etc. --X-platform ---what distros are supported? ---automatically install what we need for buildtime ----need to finish pkg lists and then test, but meta files should be done as well as lib script +--enable use of custom CA/self-signed certs for HTTPS etc. DONE, partially. need to incorporate codesign certs/keys. routines, conf variables -enable mirror= kernel commandline. --if mirror_(NAME) is present, use that as repo name. --if it starts with /, treat as mirrorlist (Include); otherwise use Server = diff --git a/extra/build.conf.sample b/extra/build.conf.sample index 2ac9f19..9af356f 100644 --- a/extra/build.conf.sample +++ b/extra/build.conf.sample 
@@ -71,6 +71,35 @@ BUILDMINI="no"
 # This currently does not work for HTTPS with self-signed certificates.
 IPXE_URI="https://bdisk.square-r00t.net"
+# Path to the (root) CA certificate file (in PEM/X509 format) iPXE should use.
+# If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Note that you can use your own CA to sign existing certs. See http://ipxe.org/crypto for
+# more info. This is handy if you run a third-party/"Trusted" root-CA-signed certificate
+# for the HTTPS target.
+# Requires IPXE_SSL_CAKEY if specified.
+IPXE_SSL_CA=""
+
+# Path to the (root) CA key file (in PEM/X509 format) iPXE should use.
+# If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_CA if specified.
+IPXE_SSL_CAKEY=""
+
+# Path to the CLIENT certificate (in PEM/X509). If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_KEY if specified.
+IPXE_SSL_CRT=""
+
+# Path to the CLIENT key (in PEM/X509). If one is not specified, one will be generated.
+# Only used if BUILDMINI is set to yes.
+# Please properly escape any spaces or other funky characters.
+# Requires IPXE_SSL_CRT if specified.
+IPXE_SSL_KEY=""
+
 # Set to "yes" to enable pushing new changes to a git repo/committing to a local repo
 GIT="no"
diff --git a/lib/01-mk.chroot.func.sh b/lib/01-mk.chroot.func.sh
index e2a55e7..ec01552 100755
--- a/lib/01-mk.chroot.func.sh
+++ b/lib/01-mk.chroot.func.sh
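Review bot: The four new comment blocks say the options are "Only used if BUILDMINI is set to yes", but the code that consumes them tests `if [[ "${BUILDMINI}" == "y" ]]` (lib/10-yo_dj.func.sh in this same patch), so a user following the sample would write `BUILDMINI="yes"` and silently get no iPXE build unless the value is normalised somewhere not visible here; either name the value the code checks or make the check accept both. The key-file comments describe a private key as "PEM/X509 format", which is not a thing — PEM-encoded private keys are PKCS#1/PKCS#8 — so `# Path to the (root) CA private key (PEM-encoded) used to sign the server and client certificates.` is more accurate. The IPXE_SSL_CRT/IPXE_SSL_KEY comments should also say that this pair is compiled into the resulting ipxe.usb/ipxe.eiso (CERT=/PRIVKEY= in the build), so anyone who obtains an image holds that credential, and that the generated files land under src/ipxe_local/ssl inside the working tree, which matters if the GIT option below is turned on: `# NOTE: this key is embedded in the built iPXE images; treat the images as secrets and keep ssl/keys out of git.`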
@@ -180,6 +180,7 @@ EOF
 echo "Done."
 echo -n "...Upgrading any outdated packages..."
 ${CHROOTCMD} ${i}/ pacman -Syyu --noconfirm >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ ${CHROOTCMD} ${i}/ pacman-key --refresh-keys >> "${LOGFILE}.${FUNCNAME}" 2>&1
 for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
 echo "Done. Finishing/cleaning up..."
 ${CHROOTCMD} ${i}/ pacman -S --noconfirm --needed base-devel >> "${LOGFILE}.${FUNCNAME}" 2>&1
diff --git a/lib/09-stuffy.func.sh b/lib/09-stuffy.func.sh
index 5a5c900..e0d3015 100644
--- a/lib/09-stuffy.func.sh
+++ b/lib/09-stuffy.func.sh
@@ -14,10 +14,10 @@ function stuffy {
 echo "Setting up EFI stuff..."
 mkdir -p ${TEMPDIR}/{EFI/{${DISTNAME},boot},loader/entries}
- # this stuff comes from the prebootloader pkg and gummiboot pkg. lets us boot on UEFI machines with secureboot still enabled.
+ # this stuff comes from the prebootloader pkg and systemd-boot. lets us boot on UEFI machines with secureboot still enabled.
 cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${TEMPDIR}/EFI/boot/bootx64.efi
 cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${TEMPDIR}/EFI/boot/.
- cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
+ cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
 echo "Checking/fetching UEFI shells..."
 if [ ! -f "${TEMPDIR}/EFI/shellx64_v2.efi" ];
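Review bot: The new `pacman-key --refresh-keys` runs after `pacman -Syyu` has already upgraded the chroot, so if the gpg errors in the commit message come from stale or unknown signing keys, the upgrade has already failed by the time the keyring is refreshed; moving the new line above the `pacman -Syyu` line matches the stated intent. Like the surrounding commands its exit status is dropped into the log, and a keyring refresh has to reach keyservers from inside the chroot, so a missing network or resolv.conf there fails quietly — appending `|| echo "WARNING: pacman-key --refresh-keys failed in ${i}; see ${LOGFILE}.${FUNCNAME}" >&2` would at least surface it. If the actual cause is an outdated keyring package, refreshing `archlinux-keyring` before the full upgrade is the usual remedy, but that cannot be verified from this hunk. The enclosing function starts and ends outside the hunk.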
@@ -71,7 +71,7 @@ EOF
 FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/boot/${UXNAME}.64.img))) # EFI/BDISK/bdisk.img
 FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi))) # EFI/boot/bootx64.efi
 FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi))) # EFI/boot/HashTool.efi
- FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi))) # EFI/boot/loader.efi
+ FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi))) # EFI/boot/loader.efi
 FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v1.efi)))
 FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v2.efi)))
 FATSIZE=$((${FATSIZE} + $(du -sb ${TEMPDIR}/loader | tail -n1 | awk '{print $1}'))) # loader/* (okay so i cheated a little here.)
@@ -112,7 +112,7 @@ EOF
 cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${SRCDIR}/efiboot/EFI/boot/bootx64.efi
 cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${SRCDIR}/efiboot/EFI/boot/.
- cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
+ cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
 cp ${TEMPDIR}/EFI/shellx64_v{1,2}.efi ${SRCDIR}/efiboot/EFI/.
 umount ${SRCDIR}/efiboot
 echo "EFI configuration complete..."
diff --git a/lib/10-yo_dj.func.sh b/lib/10-yo_dj.func.sh
index 170de6d..be1dfe1 100644
--- a/lib/10-yo_dj.func.sh
+++ b/lib/10-yo_dj.func.sh
@@ -284,6 +284,7 @@ EOF
 if [[ "${BUILDMINI}" == "y" ]];
 then
 echo "Now generating the iPXE images; please wait..."
+ ## Get the latest version of ipxe from git.
 git submodule init >> "${LOGFILE}.${FUNCNAME}" 2>&1
 git submodule update >> "${LOGFILE}.${FUNCNAME}" 2>&1
 cd ${BASEDIR}/src/ipxe/src
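Review bot: The new comment `## Get the latest version of ipxe from git.` documents behaviour that undercuts the submodule pin this same commit bumps (src/ipxe to 3f8da98): the lines that follow in the next hunk run `git checkout master` and `git pull` inside the submodule, so the boot image is built from whatever upstream master holds at build time rather than the reviewed commit. That makes builds non-reproducible and places upstream's branch tip in the supply chain of a binary that will carry an embedded trust root and client private key. Either drop the pull and build the pinned commit, or make the comment state the trade-off: `## NOTE: builds upstream master, not the pinned submodule commit; builds are not reproducible.` The enclosing if-block continues past this hunk.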
@@ -292,24 +293,93 @@ EOF
 git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
 git pull >> "${LOGFILE}.${FUNCNAME}" 2>&1
 git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ ## Apply our patches.
 for i in $(find ${BASEDIR}/src/ipxe_local/patches/ -type f -iname "*.patch" -printf '%P\n' | sort); do
 patch -Np2 < ${BASEDIR}/src/ipxe_local/patches/${i} >> "${LOGFILE}.${FUNCNAME}" 2>&1
 done
+ ## SSL
+ SSLDIR="${BASEDIR}/src/ipxe_local/ssl"
+ mkdir -p ${SSLDIR}/{keys,crts,txt}
+ chmod 000 ${SSLDIR}/keys
+ chown root:root ${SSLDIR}/keys
+ if [[ -z "${IPXE_SSL_CA}" && -z "${IPXE_SSL_KEY}" ]];
+ then
+ # Generate SSL CA
+ #rm -rf ${SSLDIR}/*
+ cd "${SSLDIR}"
+ IPXE_SSL_CA="${SSLDIR}/crts/ca.crt"
+ IPXE_SSL_CAKEY="${SSLDIR}/keys/ca.key"
+ IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
+ if [[ ! -f "${SSLDIR}/txt/ca.srl" ]];
+ then
+ echo 01 > ${SSLDIR}/txt/ca.srl
+ fi
+ touch ${SSLDIR}/txt/ca.idx
+ openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -x509 -newkey rsa:4096 -nodes -out ${IPXE_SSL_CA} -keyout ${IPXE_SSL_CAKEY} -sha512
+ openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${SSLDIR}/keys/server.key -nodes -out ${SSLDIR}/crts/server.csr -sha512
+ openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/server.csr -out ${SSLDIR}/crts/server.crt
+ #cat crts/server.crt crts/ca.crt > crts/server_chained.crt
+ elif [[ -z "${IPXE_SSL_CA}" && -e "${IPXE_SSL_CAKEY}" ]];
+ then
+ echo "ERROR: You specified IPXE_SSL_CAKEY but not IPXE_SSL_CA. If one is specified, the other must be also."
+ exit 1
+ elif [[ -z "${IPXE_SSL_CAKEY}" && -e "${IPXE_SSL_CA}" ]];
+ then
+ echo "ERROR: You specified IPXE_SSL_CA but not IPXE_SSL_CAKEY. If one is specified, the other must be also."
+ exit 1
+ elif [[ ! -e "${IPXE_SSL_CA}" || ! -e "${IPXE_SSL_CAKEY}" ]];
+ then
+ echo "ERROR: You have specified both IPXE_SSL_CA and IPXE_SSL_CAKEY but one (or both) are not valid paths/files."
+ exit 1
+ fi
+ if [[ -z "${IPXE_SSL_KEY}" && -z "${IPXE_SSL_CRT}" ]];
+ then
+ IPXE_SSL_KEY="${SSLDIR}/keys/client.key"
+ IPXE_SSL_CRT="${SSLDIR}/crts/client.crt"
+ IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
+ # Generate SSL client key.
+ openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${IPXE_SSL_KEY} -nodes -out ${SSLDIR}/crts/client.csr -sha512
+ # Sign the crt.
+ openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/client.csr -out ${IPXE_SSL_CRT}
+ elif [[ -z "${IPXE_SSL_CRT}" && -e "${IPXE_SSL_KEY}" ]];
+ then
+ echo "ERROR: You specified IPXE_SSL_KEY but not IPXE_SSL_CRT. If one is specified, the other must be also."
+ exit 1
+ elif [[ -z "${IPXE_SSL_KEY}" && -e "${IPXE_SSL_CRT}" ]];
+ then
+ echo "ERROR: You specified IPXE_SSL_CRT but not IPXE_SSL_KEY. If one is specified, the other must be also."
+ exit 1
+ elif [[ ! -e "${IPXE_SSL_CRT}" || ! -e "${IPXE_SSL_KEY}" ]];
+ then
+ echo "ERROR: You have specified both IPXE_SSL_CRT and IPXE_SSL_KEY but one (or both) are not valid paths/files."
+ exit 1
+ fi
 cd ${BASEDIR}/src/ipxe/src
 # Generate the iPXE EMBED script...
 sed -re "s,^(chain\ ).*$,\1${IPXE_URI},g" \
 -e 's/%%COMMA%%/,/g' ${BASEDIR}/src/ipxe_local/EMBED > ${SRCDIR}/EMBED
+ # And now we build!
 #make everything EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
- make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
- make bin/ipxe.eiso bin/ipxe.usb EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi \
+ EMBED="${SRCDIR}/EMBED" \
+ TRUST="${IPXE_SSL_CA}" \
+ CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
+ PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ make bin/ipxe.eiso bin/ipxe.usb \
+ EMBED="${SRCDIR}/EMBED" \
+ TRUST="${IPXE_SSL_CA}" \
+ CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
+ PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
 # Change this to USB-only...
 #make all EMBED="${BASEDIR}/src/ipxe_local/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
 mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.usb ${ISODIR}/${USBFILENAME}
 mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.eiso ${ISODIR}/${MINIFILENAME}
 make clean >> "${LOGFILE}.${FUNCNAME}" 2>&1
+ cd ${BASEDIR}/src/ipxe
 git reset --hard >> "${LOGFILE}.${FUNCNAME}" 2>&1
 git clean -xdf > /dev/null 2>&1
- git checkout master > /dev/null 2>&1
+ git checkout master . > /dev/null 2>&1
 #git reset --hard HEAD > /dev/null 2>&1
 echo
 fi
diff --git a/lib/prereqs/iso.pkgs.lst b/lib/prereqs/iso.pkgs.lst
index 455519b..b879181 100644
--- a/lib/prereqs/iso.pkgs.lst
+++ b/lib/prereqs/iso.pkgs.lst
@@ -12,7 +12,6 @@ efivar
 ethtool
 file
 findutils
-gummiboot
 iproute2
 iputils
 libisoburn
diff --git a/src/ipxe b/src/ipxe
index c522c11..3f8da98 160000
--- a/src/ipxe
+++ b/src/ipxe
@@ -1 +1 @@
-Subproject commit c522c11c7b7adedf0bf339b954e30951f02d568f
+Subproject commit 3f8da985aa81e31b6e9482970f6ec594aecca552
diff --git a/src/ipxe_local/00-general.sed b/src/ipxe_local/00-general.sed
index 60c671e..5414cce 100644
--- a/src/ipxe_local/00-general.sed
+++ b/src/ipxe_local/00-general.sed
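Review bot: The CA certificate is created with `openssl req -x509` and no `-days`, which defaults to 30 days; since that certificate becomes the only trust root compiled into the images (`TRUST="${IPXE_SSL_CA}"`) and signs leaves that openssl.cnf gives 90 days, every built ipxe.usb/ipxe.eiso stops validating the HTTPS target about a month after the build. The guard on the generate-CA branch tests `-z "${IPXE_SSL_KEY}"` where it evidently means `-z "${IPXE_SSL_CAKEY}"`: configuring only the client pair skips CA generation and then trips the "You have specified both IPXE_SSL_CA and IPXE_SSL_CAKEY" error. The client-signing `openssl ca` relies on openssl.cnf's relative `crts/ca.crt`, `txt/ca.idx` and `txt/ca.srl` and on the `cd "${SSLDIR}"` that only happens inside the generate branch, so with a user-supplied IPXE_SSL_CA it either cannot find its database or signs with a certificate that does not match `-keyfile`; pass `-cert`, run from SSLDIR, and create the index/serial unconditionally. Giving the CA the same CN as the server and client leaves subject equal to issuer on the leaves, which path builders can treat as self-issued, so a distinct CA name avoids the ambiguity. Less urgent: the unquoted `${IPXE_SSL_*}` expansions contradict the sample config's "escape spaces" advice, and embedding the client private key via `PRIVKEY=` makes the produced images credentials in their own right.
```shell
# … unchanged: mkdir/chmod/chown of ${SSLDIR} …
# openssl.cnf addresses txt/ca.idx and txt/ca.srl relative to ${SSLDIR};
# create them for the user-supplied-CA path too, not only when generating.
[[ -f "${SSLDIR}/txt/ca.srl" ]] || echo 01 > "${SSLDIR}/txt/ca.srl"
touch "${SSLDIR}/txt/ca.idx"
if [[ -z "${IPXE_SSL_CA}" && -z "${IPXE_SSL_CAKEY}" ]];
then
    # … unchanged: cd "${SSLDIR}", IPXE_SSL_CA / IPXE_SSL_CAKEY / IPXE_DOMAIN assignments …
    # -x509 defaults to 30 days; this cert is the embedded trust root, so give it
    # a deliberate lifetime and a name distinct from the leaves it signs.
    openssl req -subj "/CN=${IPXE_DOMAIN} CA/O=${PNAME}/C=NA" -x509 -days 3650 -newkey rsa:4096 -nodes \
        -out "${IPXE_SSL_CA}" -keyout "${IPXE_SSL_CAKEY}" -sha512
    # … unchanged: server CSR + signing …
fi
# … unchanged: IPXE_SSL_CA/IPXE_SSL_CAKEY consistency errors …
if [[ -z "${IPXE_SSL_KEY}" && -z "${IPXE_SSL_CRT}" ]];
then
    # … unchanged: IPXE_SSL_KEY / IPXE_SSL_CRT / IPXE_DOMAIN assignments, client CSR …
    # Name the CA cert explicitly: openssl.cnf only knows the generated crts/ca.crt.
    (cd "${SSLDIR}" && openssl ca -batch -config "${SSLDIR}/openssl.cnf" \
        -cert "${IPXE_SSL_CA}" -keyfile "${IPXE_SSL_CAKEY}" \
        -in "${SSLDIR}/crts/client.csr" -out "${IPXE_SSL_CRT}")
fi
```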
@@ -1,7 +1,10 @@
+## Enable IPv6 support
 s/^#undef([[:space:]]*NET_PROTO_IPV6)/#define\1/g
+## Enable HTTPS
 s/^#undef([[:space:]]*DOWNLOAD_PROTO_HTTPS)/#define\1/g
+s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
+## Enable FTP
 s/^#undef([[:space:]]*DOWNLOAD_PROTO_FTP)/#define\1/g
 ## Currently broken for EFI building
 #s@^//(#define[[:space:]]*CONSOLE_CMD)@\1@g
 #s@^//(#define[[:space:]]*IMAGE_PNG@\1@g
-s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
diff --git a/src/ipxe_local/EMBED b/src/ipxe_local/EMBED
index fda3392..ba0f33e 100644
--- a/src/ipxe_local/EMBED
+++ b/src/ipxe_local/EMBED
@@ -1,4 +1,8 @@
 #!ipxe
 dhcp
+## TODO: signed kernel and initrd
+#imgtrust --permanent
+#imgverify vmlinuz path/to/vmlinuz.sig
+#imgverify initrd path/to/initrd.sig
 chain https://bdisk.square-r00t.net
diff --git a/src/ipxe_local/ssl/openssl.cnf b/src/ipxe_local/ssl/openssl.cnf
new file mode 100644
index 0000000..cbaccf8
--- /dev/null
+++ b/src/ipxe_local/ssl/openssl.cnf
@@ -0,0 +1,33 @@
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+certificate = crts/ca.crt
+private_key = keys/ca.key
+serial = txt/ca.srl
+database = txt/ca.idx
+#new_certs_dir = signed
+new_certs_dir = crts
+#default_md = default
+default_md = sha512
+policy = policy_anything
+preserve = yes
+default_days = 90
+unique_subject = no
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ cross ]
+basicConstraints = critical,CA:true
+keyUsage = critical,cRLSign,keyCertSign
+
+[ codesigning ]
+keyUsage = digitalSignature
+extendedKeyUsage = codeSigning
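Review bot: The relocated rule `s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g` opens a group that is never closed, unlike the `CONSOLE_CMD` rule beside it, so sed rejects the script ("Unmatched ( or \(") and none of the enables in this file — including the HTTPS one this commit depends on — get applied; the commented-out `IMAGE_PNG` line carries the same fault. It should read `s@^//(#define[[:space:]]*IMAGE_TRUST_CMD)@\1@g`. How the script is fed to sed is not visible here, but every other rule relies on `-r`/`-E` grouping, and under plain BRE the bare `\1` would fail as an invalid back-reference instead, so the file is broken either way.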
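Review bot: `[ ca_default ]` sets no `x509_extensions`, and neither `openssl ca` call in lib/10-yo_dj.func.sh passes `-extensions`, so the server and client certificates this CA issues are V1 certificates with no basicConstraints, keyUsage or extendedKeyUsage at all — the `[ cross ]` and `[ codesigning ]` sections defined below are never referenced by anything in this patch. Issued certificates should be marked as leaves and scoped to TLS; the fence adds a default extension section. `default_days = 90` also governs the client certificate that is compiled into the iPXE images (CERT=/PRIVKEY= in the build), so every image stops authenticating after 90 days — comment that rebuild cadence here or raise the value deliberately, e.g. `# Leaf lifetime; the client cert is baked into the iPXE image, so images must be rebuilt within this window.` `policy_anything` combined with the build's `-batch` means whatever subject the CSR carries is signed unchecked, which is acceptable for a private build CA but deserves a one-line comment saying so.
```ini
[ ca_default ]
# … unchanged: certificate/private_key/serial/database/new_certs_dir …
default_md = sha512
# Applied to every certificate this CA issues (openssl ca is run without
# -extensions): issued certs are leaves, usable for TLS only.
x509_extensions = leaf_cert
# … unchanged: policy/preserve/default_days/unique_subject …

[ leaf_cert ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
```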