hrmm.. gpg throwing errors and killing chroot

This commit is contained in:
brent s. 2015-09-23 15:27:49 -04:00
parent f4397354a9
commit 673a54ef2e
10 changed files with 152 additions and 16 deletions

View File

@ -22,6 +22,7 @@

## Building ##

-GUMMIBOOT IS GONE FROM THE REPOS. I could repackage it, but better to just see what the hell archiso's doing.
-WISH: Better logging[0]
-WISH: signing for secureboot releases (PreLoader and gummiboot handle this okay, but require manual intervention
-use manual chrooting functions ONLY if distro not detected as arch. if /usr/bin/systemd-nspawn exists, use that instead
@ -36,11 +37,7 @@
--http://ipxe.org/crypto
--http://ipxe.org/cmd/imgtrust
--http://ipxe.org/cmd/imgverify
--enable use of custom CA/self-signed certs for HTTPS etc.
-X-platform
--what distros are supported?
--automatically install what we need for buildtime
---need to finish pkg lists and then test, but meta files should be done as well as lib script
--enable use of custom CA/self-signed certs for HTTPS etc. DONE, partially. need to incorporate codesign certs/keys. routines, conf variables
-enable mirror= kernel commandline.
--if mirror_(NAME) is present, use that as repo name.
--if it starts with /, treat as mirrorlist (Include); otherwise use Server =

View File

@ -71,6 +71,35 @@ BUILDMINI="no"
# This currently does not work for HTTPS with self-signed certificates.
IPXE_URI="https://bdisk.square-r00t.net"

# Path to the (root) CA certificate file (in PEM/X509 format) iPXE should use.
# If one is not specified, one will be generated.
# Only used if BUILDMINI is set to yes.
# Please properly escape any spaces or other funky characters.
# Note that you can use your own CA to sign existing certs. See http://ipxe.org/crypto for
# more info. This is handy if you run a third-party/"Trusted" root-CA-signed certificate
# for the HTTPS target.
# Requires IPXE_SSL_CAKEY if specified.
IPXE_SSL_CA=""

# Path to the (root) CA key file (in PEM/X509 format) iPXE should use.
# If one is not specified, one will be generated.
# Only used if BUILDMINI is set to yes.
# Please properly escape any spaces or other funky characters.
# Requires IPXE_SSL_CA if specified.
IPXE_SSL_CAKEY=""

# Path to the CLIENT certificate (in PEM/X509). If one is not specified, one will be generated.
# Only used if BUILDMINI is set to yes.
# Please properly escape any spaces or other funky characters.
# Requires IPXE_SSL_KEY if specified.
IPXE_SSL_CRT=""

# Path to the CLIENT key (in PEM/X509). If one is not specified, one will be generated.
# Only used if BUILDMINI is set to yes.
# Please properly escape any spaces or other funky characters.
# Requires IPXE_SSL_CRT if specified.
IPXE_SSL_KEY=""

# Set to "yes" to enable pushing new changes to a git repo/committing to a local repo
GIT="no"


View File

@ -180,6 +180,7 @@ EOF
echo "Done."
echo -n "...Upgrading any outdated packages..."
${CHROOTCMD} ${i}/ pacman -Syyu --noconfirm >> "${LOGFILE}.${FUNCNAME}" 2>&1
${CHROOTCMD} ${i}/ pacman-key --refresh-keys >> "${LOGFILE}.${FUNCNAME}" 2>&1
for x in $(find ${i}/etc/ -type f -iname "*.pacorig");do mv -f ${x} ${x%%.pacorig} ; done
echo "Done. Finishing/cleaning up..."
${CHROOTCMD} ${i}/ pacman -S --noconfirm --needed base-devel >> "${LOGFILE}.${FUNCNAME}" 2>&1

View File

@ -14,10 +14,10 @@ function stuffy {
echo "Setting up EFI stuff..."

mkdir -p ${TEMPDIR}/{EFI/{${DISTNAME},boot},loader/entries}
# this stuff comes from the prebootloader pkg and gummiboot pkg. lets us boot on UEFI machines with secureboot still enabled.
# this stuff comes from the prebootloader pkg and systemd-boot. lets us boot on UEFI machines with secureboot still enabled.
cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${TEMPDIR}/EFI/boot/bootx64.efi
cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${TEMPDIR}/EFI/boot/.
cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${TEMPDIR}/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?

echo "Checking/fetching UEFI shells..."
if [ ! -f "${TEMPDIR}/EFI/shellx64_v2.efi" ];
@ -71,7 +71,7 @@ EOF
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/boot/${UXNAME}.64.img))) # EFI/BDISK/bdisk.img
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi))) # EFI/boot/bootx64.efi
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi))) # EFI/boot/HashTool.efi
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi))) # EFI/boot/loader.efi
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi))) # EFI/boot/loader.efi
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v1.efi)))
FATSIZE=$((${FATSIZE} + $(stat --format="%s" ${TEMPDIR}/EFI/shellx64_v2.efi)))
FATSIZE=$((${FATSIZE} + $(du -sb ${TEMPDIR}/loader | tail -n1 | awk '{print $1}'))) # loader/* (okay so i cheated a little here.)
@ -112,7 +112,7 @@ EOF

cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/PreLoader.efi ${SRCDIR}/efiboot/EFI/boot/bootx64.efi
cp ${BASEDIR}/root.x86_64/usr/lib/prebootloader/HashTool.efi ${SRCDIR}/efiboot/EFI/boot/.
cp ${BASEDIR}/root.x86_64/usr/lib/gummiboot/gummibootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
cp ${BASEDIR}/root.x86_64/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${SRCDIR}/efiboot/EFI/boot/loader.efi # TODO: can i use syslinux.efi instead?
cp ${TEMPDIR}/EFI/shellx64_v{1,2}.efi ${SRCDIR}/efiboot/EFI/.
umount ${SRCDIR}/efiboot
echo "EFI configuration complete..."

View File

@ -284,6 +284,7 @@ EOF
if [[ "${BUILDMINI}" == "y" ]];
then
echo "Now generating the iPXE images; please wait..."
## Get the latest version of ipxe from git.
git submodule init >> "${LOGFILE}.${FUNCNAME}" 2>&1
git submodule update >> "${LOGFILE}.${FUNCNAME}" 2>&1
cd ${BASEDIR}/src/ipxe/src
@ -292,24 +293,93 @@ EOF
git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
git pull >> "${LOGFILE}.${FUNCNAME}" 2>&1
git checkout master >> "${LOGFILE}.${FUNCNAME}" 2>&1
## Apply our patches.
for i in $(find ${BASEDIR}/src/ipxe_local/patches/ -type f -iname "*.patch" -printf '%P\n' | sort);
do
patch -Np2 < ${BASEDIR}/src/ipxe_local/patches/${i} >> "${LOGFILE}.${FUNCNAME}" 2>&1
done
## SSL
SSLDIR="${BASEDIR}/src/ipxe_local/ssl"
mkdir -p ${SSLDIR}/{keys,crts,txt}
chmod 000 ${SSLDIR}/keys
chown root:root ${SSLDIR}/keys
if [[ -z "${IPXE_SSL_CA}" && -z "${IPXE_SSL_KEY}" ]];
then
# Generate SSL CA
#rm -rf ${SSLDIR}/*
cd "${SSLDIR}"
IPXE_SSL_CA="${SSLDIR}/crts/ca.crt"
IPXE_SSL_CAKEY="${SSLDIR}/keys/ca.key"
IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
if [[ ! -f "${SSLDIR}/txt/ca.srl" ]];
then
echo 01 > ${SSLDIR}/txt/ca.srl
fi
touch ${SSLDIR}/txt/ca.idx
openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -x509 -newkey rsa:4096 -nodes -out ${IPXE_SSL_CA} -keyout ${IPXE_SSL_CAKEY} -sha512
openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${SSLDIR}/keys/server.key -nodes -out ${SSLDIR}/crts/server.csr -sha512
openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/server.csr -out ${SSLDIR}/crts/server.crt
#cat crts/server.crt crts/ca.crt > crts/server_chained.crt
elif [[ -z "${IPXE_SSL_CA}" && -e "${IPXE_SSL_CAKEY}" ]];
then
echo "ERROR: You specified IPXE_SSL_CAKEY but not IPXE_SSL_CA. If one is specified, the other must be also."
exit 1
elif [[ -z "${IPXE_SSL_CAKEY}" && -e "${IPXE_SSL_CA}" ]];
then
echo "ERROR: You specified IPXE_SSL_CA but not IPXE_SSL_CAKEY. If one is specified, the other must be also."
exit 1
elif [[ ! -e "${IPXE_SSL_CA}" || ! -e "${IPXE_SSL_CAKEY}" ]];
then
echo "ERROR: You have specified both IPXE_SSL_CA and IPXE_SSL_CAKEY but one (or both) are not valid paths/files."
exit 1
fi
if [[ -z "${IPXE_SSL_KEY}" && -z "${IPXE_SSL_CRT}" ]];
then
IPXE_SSL_KEY="${SSLDIR}/keys/client.key"
IPXE_SSL_CRT="${SSLDIR}/crts/client.crt"
IPXE_DOMAIN=$(echo ${IPXE_URI} | sed -re 's/^(f|ht)tps?:\/\/// ; s/\/.*//')
# Generate SSL client key.
openssl req -subj "/CN=${IPXE_DOMAIN}/O=${PNAME}/C=NA" -newkey rsa:4096 -keyout ${IPXE_SSL_KEY} -nodes -out ${SSLDIR}/crts/client.csr -sha512
# Sign the crt.
openssl ca -batch -config ${SSLDIR}/openssl.cnf -keyfile ${IPXE_SSL_CAKEY} -in ${SSLDIR}/crts/client.csr -out ${IPXE_SSL_CRT}
elif [[ -z "${IPXE_SSL_CRT}" && -e "${IPXE_SSL_KEY}" ]];
then
echo "ERROR: You specified IPXE_SSL_KEY but not IPXE_SSL_CRT. If one is specified, the other must be also."
exit 1
elif [[ -z "${IPXE_SSL_KEY}" && -e "${IPXE_SSL_CRT}" ]];
then
echo "ERROR: You specified IPXE_SSL_CRT but not IPXE_SSL_KEY. If one is specified, the other must be also."
exit 1
elif [[ ! -e "${IPXE_SSL_CRT}" || ! -e "${IPXE_SSL_KEY}" ]];
then
echo "ERROR: You have specified both IPXE_SSL_CRT and IPXE_SSL_KEY but one (or both) are not valid paths/files."
exit 1
fi
cd ${BASEDIR}/src/ipxe/src
# Generate the iPXE EMBED script...
sed -re "s,^(chain\ ).*$,\1${IPXE_URI},g" \
-e 's/%%COMMA%%/,/g' ${BASEDIR}/src/ipxe_local/EMBED > ${SRCDIR}/EMBED
# And now we build!
#make everything EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
make bin/ipxe.eiso bin/ipxe.usb EMBED="${SRCDIR}/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
make bin-i386-efi/ipxe.efi bin-x86_64-efi/ipxe.efi \
EMBED="${SRCDIR}/EMBED" \
TRUST="${IPXE_SSL_CA}" \
CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
make bin/ipxe.eiso bin/ipxe.usb \
EMBED="${SRCDIR}/EMBED" \
TRUST="${IPXE_SSL_CA}" \
CERT="${IPXE_SSL_CA},${IPXE_SSL_CRT}" \
PRIVKEY="${IPXE_SSL_KEY}" >> "${LOGFILE}.${FUNCNAME}" 2>&1
# Change this to USB-only...
#make all EMBED="${BASEDIR}/src/ipxe_local/EMBED" >> "${LOGFILE}.${FUNCNAME}" 2>&1
mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.usb ${ISODIR}/${USBFILENAME}
mv -f ${BASEDIR}/src/ipxe/src/bin/ipxe.eiso ${ISODIR}/${MINIFILENAME}
make clean >> "${LOGFILE}.${FUNCNAME}" 2>&1
cd ${BASEDIR}/src/ipxe
git reset --hard >> "${LOGFILE}.${FUNCNAME}" 2>&1
git clean -xdf > /dev/null 2>&1
git checkout master > /dev/null 2>&1
git checkout master . > /dev/null 2>&1
#git reset --hard HEAD > /dev/null 2>&1
echo
fi

View File

@ -12,7 +12,6 @@ efivar
ethtool
file
findutils
gummiboot
iproute2
iputils
libisoburn

@ -1 +1 @@
Subproject commit c522c11c7b7adedf0bf339b954e30951f02d568f
Subproject commit 3f8da985aa81e31b6e9482970f6ec594aecca552

View File

@ -1,7 +1,10 @@
## Enable IPv6 support
s/^#undef([[:space:]]*NET_PROTO_IPV6)/#define\1/g
## Enable HTTPS
s/^#undef([[:space:]]*DOWNLOAD_PROTO_HTTPS)/#define\1/g
s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
## Enable FTP
s/^#undef([[:space:]]*DOWNLOAD_PROTO_FTP)/#define\1/g
## Currently broken for EFI building
#s@^//(#define[[:space:]]*CONSOLE_CMD)@\1@g
#s@^//(#define[[:space:]]*IMAGE_PNG@\1@g
s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g

View File

@ -1,4 +1,8 @@
#!ipxe

dhcp
## TODO: signed kernel and initrd
#imgtrust --permanent
#imgverify vmlinuz path/to/vmlinuz.sig
#imgverify initrd path/to/initrd.sig
chain https://bdisk.square-r00t.net

View File

@ -0,0 +1,33 @@
[ ca ]
default_ca = ca_default

[ ca_default ]
certificate = crts/ca.crt
private_key = keys/ca.key
serial = txt/ca.srl
database = txt/ca.idx
#new_certs_dir = signed
new_certs_dir = crts
#default_md = default
default_md = sha512
policy = policy_anything
preserve = yes
default_days = 90
unique_subject = no

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ cross ]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign

[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning