Merge pull request #102 from herpiko/secure14

Separate installation process for secure installation

scripts/Makefile.am

@@ -1,4 +1,4 @@
 sbindir = /sbin
-sbin_SCRIPTS = b-i-cleanup  b-i-copy-fs  b-i-install-grub b-i-setup-fs b-i-encrypt-fs b-i-is-efi b-i-wipe-disk b-i-pre b-i-post
+sbin_SCRIPTS = b-i-cleanup  b-i-copy-fs  b-i-install-grub b-i-setup-fs b-i-encrypt-fs b-i-is-efi b-i-wipe-disk b-i-pre b-i-post b-i-secure-post-install
 bin_SCRIPTS = blankon-session-try-installer 
 

scripts/b-i-install-grub

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# Any code blocks under [ -f /tmp/pass ] are written for secure installation purpose
+
 set -e
 
 # If this is an EFI system, this script will be called with two parameters,
@@ -28,7 +30,7 @@ then
     cat << @@EOF >> /target/etc/default/grub
 GRUB_CMDLINE_LINUX_DEFAULT="rw quiet splash cryptopts=target=root,source=/dev/lvm/root,lvm=root CRYPTSETUP=y"
 GRUB_GFXPAYLOAD_LINUX=1024x768
-GRUB_TIMEOUT=0
+GRUB_TIMEOUT=5
 @@EOF
 
 #GRUB_ENABLE_CRYPTODISK=y

scripts/b-i-secure-post-install

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# This secure-post-install script only run on secure installation and will reconfigure the system with real values from post installation step.
+
+# Needed by apt-get
+export PATH=$PATH:/usr/sbin:/usr/bin:/bin:/sbin
+
+# The /postinstall/config was generated by secure's b-i-ui
+read PASSPHRASE ROOTPASSWORD HOSTNAME FULLNAME USERNAME PASSWORD < /postinstall/config
+echo -n $PASSPHRASE > /postinstall/config-passphrase
+RANDOMPASS=`cat /postinstall/pass`
+RANDOMUSERNAME=`cat /postinstall/user-pass | cut -d':' -f1`
+
+set -e
+
+###### REMOVE PACKAGES
+echo "Remove packages"
+/usr/bin/apt-get --yes purge blankon-installer blankon-repository-setup
+echo "Removing unused dependencies"
+/usr/bin/apt-get --yes autoremove
+rm -f /etc/xdg/autostart/blankon-installer.desktop
+
+###### ENCRYPTION SPECIFIC SETTING UP
+echo "Encryption specific setting up"
+
+# Add new luks key
+echo -n $RANDOMPASS | cryptsetup luksAddKey /dev/lvm/root /postinstall/config-passphrase
+echo -n $RANDOMPASS | cryptsetup luksRemoveKey /dev/lvm/root
+# To bypass encryption on first reboot, the original askpass script has been manipulated. Put it back.
+sed -i 's/cp -a \/tmp\/askpass \$DESTDIR\/lib\/cryptsetup\/askpass//' /etc/initramfs-tools/hooks/cryptroot
+
+###### HOSTNAME
+echo "Setting up hostname $HOSTNAME"
+echo $HOSTNAME >  /etc/hostname
+    cat << @@EOF > /etc/hosts 
+127.0.0.1   localhost $HOSTNAME
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+@@EOF
+
+###### USER
+echo "Configuring user $USERNAME"
+
+USER_GROUPS=`groups $RANDOMUSERNAME | cut -d':' -f2 | sed -r "s/$RANDOMUSERNAME//g" | sed -r "s/ /,/g" | sed -r "s/,,//g"`
+echo $USER_GROUPS
+/usr/sbin/useradd -G $USER_GROUPS -m -s /bin/bash $USERNAME
+echo "$USERNAME:$PASSWORD" | /usr/sbin/chpasswd $USERNAME
+#/usr/bin/chfn < $ROOTFS/tmp/user-info
+echo "root:$ROOTPASSWORD" | /usr/sbin/chpasswd root
+
+# Disable nopasswd
+sed -i -r -e "/%sudo/c\%sudo ALL=(ALL:ALL) ALL" /etc/sudoers
+# Delete the random user
+/usr/sbin/userdel -rf $RANDOMUSERNAME
+
+###### CUSTOM GROUP
+if [ -n "$BI_CUSTOM_GROUPS" ];then
+  for i in $BI_CUSTOM_GROUPS;do
+    do_chroot /usr/sbin/groupadd -r $i
+    do_chroot /usr/sbin/adduser $USERNAME $i
+  done
+fi
+
+###### DISABLE AUTOLOGIN
+echo "Disable autologin"
+sed -i -r -e "s/autologin-/#autologin-/g" /usr/share/lightdm/lightdm.conf.d/40-lightdm-webkit-greeter.conf
+
+###### Accounts service
+echo "Account service"
+if [ -f /run/accounts-service ];then
+  cp /run/accounts-service /var/lib/AccountsService/users/$USERNAME
+fi
+
+##### UPDATE INITRAMFS
+echo "Update initramfs"
+CRYPTSETUP=y /usr/sbin/update-initramfs -u -k all
+
+##### REMOVE POST INSTALLATION FILE
+echo "Remove post install files"
+rm -rf /postinstall

scripts/b-i-setup-fs

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# Any code blocks under [ -f /tmp/pass ] are written for secure installation purpose
+
 /bin/mkdir -p $ROOTFS/target/dev
 /bin/mkdir -p $ROOTFS/target/proc
 /bin/mkdir -p $ROOTFS/target/sys
@@ -35,6 +37,12 @@ if [ -f $ROOTFS/lib/live/mount/medium/live/packages-to-remove ];then
     done
     echo "Removing packages: $P"
 fi
+if [ -f /tmp/pass ];then
+    # Do not remove blankon-installer. 
+    # It still needed for post installation step after first reboot.
+    P=`echo $P | sed 's/blankon-installer//' | sed 's/blankon-repository-setup//'`
+    do_chroot /usr/bin/apt-get --yes purge libparted-fs-resize0 live-boot-doc live-boot-initramfs-tools live-config-doc live-config-systemd live-tools rsync user-setup
+fi
 
 if [ "x$P" != "x" ];then
     do_chroot /usr/bin/apt-get --yes purge $P
@@ -45,16 +53,24 @@ if [ -f /tmp/pass ];
 then
   echo "Encryption specific setting up"
 	# Add the hook file
-  cp $ROOTFS/usr/share/initramfs-tools/hooks/cryptroot $ROOTFS/target/etc/initramfs-tools/hooks/cryptroot
-
+  cp $ROOTFS/usr/share/initramfs-tools/hooks/cryptroot  $ROOTFS/target/etc/initramfs-tools/hooks/cryptroot
+
+  # Bypass askpas. Inject the passphrase directly to askpass script.
+  # The original askpass will put back by b-i-secure-post-install script
+  PASS=`cat /tmp/pass`
+  echo "#!/bin/sh" > $ROOTFS/target/tmp/askpass
+  echo "echo -n $PASS" >> $ROOTFS/target/tmp/askpass
+  chmod a+x $ROOTFS/target/tmp/askpass
+  sed -i '/askpass/a cp -a \/tmp\/askpass \$DESTDIR\/lib\/cryptsetup\/askpass' $ROOTFS/target/etc/initramfs-tools/hooks/cryptroot
+
   touch $ROOTFS/target/etc/crypttab
-  echo "root /dev/lvm/root none luks,retry=1" > $ROOTFS/target/etc/crypttab
+  echo "root /dev/lvm/root none luks" > $ROOTFS/target/etc/crypttab
   touch $ROOTFS/target/etc/fstab
   echo "/dev/mapper/root / ext4 relatime,errors=remount-ro 0 1" >> $ROOTFS/target/etc/fstab
   echo "/dev/mapper/lvm-swap    none    swap    sw  0   0" >> $ROOTFS/target/etc/fstab
   echo "UUID=$BOOT /boot ext3 rw,relatime,errors=remount-ro 0 2" >> $ROOTFS/target/etc/fstab
 
-  # Adding more module to initramfs
+  # Adding more encryption-related module to initramfs
   echo "aes-i586" >> $ROOTFS/target/etc/initramfs-tools/modules
   echo "dm-crypt" >> $ROOTFS/target/etc/initramfs-tools/modules
   echo "dm-mod" >> $ROOTFS/target/etc/initramfs-tools/modules
@@ -66,8 +82,10 @@ fi
 
 ###### CLEAN UP PACKAGES
 
-echo "Removing unused packages"
-do_chroot /usr/bin/apt-get --yes autoremove
+if ! [ -f /tmp/root-pass ];then
+  echo "Removing unused packages"
+  do_chroot /usr/bin/apt-get --yes autoremove
+fi
 
 echo "Clean up packaging system"
 do_chroot /usr/bin/apt-get --yes clean 
@@ -76,7 +94,6 @@ do_chroot /usr/bin/apt-get --yes clean
 
 read AUTOLOGIN USERNAME < $ROOTFS/tmp/user-setup
 echo "Configuring user $USERNAME"
-rm -f $ROOTFS/tmp/user-setup
 
 
 # This is the original group used in full ISO of BlankOn, since the current ISO generate the minimum packages,
@@ -88,12 +105,12 @@ do_chroot /usr/sbin/useradd -G $USER_GROUPS -m -s /bin/bash $USERNAME
 
 do_chroot /usr/sbin/chpasswd $USERNAME < $ROOTFS/tmp/user-pass
 do_chroot /usr/bin/chfn < $ROOTFS/tmp/user-info
-rm -f $ROOTFS/tmp/user-pass
 
 if [ -f /tmp/root-pass ];
 then
     do_chroot /usr/sbin/chpasswd root < $ROOTFS/tmp/root-pass
-    rm -f $ROOTFS/tmp/root-pass
+    # Allow nopasswd. This will be removed by b-i-secure-post-install
+    sed -i -r -e "/%sudo/c\%sudo ALL=(ALL:ALL) NOPASSWD:ALL" $ROOTFS/target/etc/sudoers
 fi
 
 ###### CUSTOM GROUP
@@ -128,11 +145,13 @@ else
     sed -i -r -e "s/autologin-/#autologin-/g" $ROOTFS/target/usr/share/lightdm/lightdm.conf.d/40-lightdm-webkit-greeter.conf
 
 fi
+
+
 ###### HOSTNAME
 
 read HOSTNAME < $ROOTFS/tmp/hostname
 echo "Setting up hostname $HOSTNAME"
-mv $ROOTFS/tmp/hostname $ROOTFS/target/etc/
+cp $ROOTFS/tmp/hostname $ROOTFS/target/etc/
     cat << @@EOF > $ROOTFS/target/etc/hosts 
 127.0.0.1   localhost $HOSTNAME
 
@@ -240,3 +259,22 @@ set -e
 
 LSB_RELEASE=`cat $ROOTFS/target/etc/lsb-release | sed -n 2p | cut -d"-" -f1`
 sed -i "2s/.*/$LSB_RELEASE/" $ROOTFS/target/etc/lsb-release
+
+if [ -f /tmp/pass ];then
+    # Add blankon-installer to autostart
+    cp $ROOTFS/target/usr/share/applications/blankon-installer.desktop $ROOTFS/target/etc/xdg/autostart/
+    ###### Copy all credential & setup file to target. They will be used again.
+    mkdir $ROOTFS/target/postinstall
+    cp $ROOTFS/tmp/hostname $ROOTFS/target/postinstall/
+    cp $ROOTFS/tmp/pass $ROOTFS/target/postinstall/
+    cp $ROOTFS/tmp/user-pass $ROOTFS/target/postinstall/
+    cp $ROOTFS/tmp/root-pass $ROOTFS/target/postinstall/
+    cp $ROOTFS/tmp/user-setup $ROOTFS/target/postinstall/
+else
+    ###### Remove them
+    rm -f $ROOTFS/tmp/hostname
+    rm -f $ROOTFS/tmp/user-pass
+    rm -f $ROOTFS/tmp/root-pass
+    rm -f $ROOTFS/tmp/user-setup
+fi
+

scripts/blankon-session-try-installer

@@ -7,33 +7,49 @@ LIVEDEVICE=`mount | grep \/lib\/live\/mount\/medium | cut -d" " -f1 | cut -d"/"
 # Check for mounted partition
 for i in `mount | grep '/dev/sd' | cut -d' ' -f1 | cut -d'/' -f3`
 do
-    if [ ! "x$i" = "x$LIVEDEVICE" ];then
-        zenity --info --text="/dev/$i still mounted.\n Please unmount it first." --title="Mounted Partition"
-        exit
+
+    if ! [ -f /postinstall/pass ];then
+      if [ ! "x$i" = "x$LIVEDEVICE" ];then
+          zenity --info --text="/dev/$i still mounted.\n Please unmount it first." --title="Mounted Partition"
+          exit
+      fi
     fi
 done
-
-grep "boot=live" /proc/cmdline
+if [ -f /postinstall/pass ];then
+    echo "Secure post installation"
+else
+    grep "boot=live" /proc/cmdline
+fi
 if [ $? -eq 0 -a -x /usr/bin/blankon-installer ];then
 
     rm -f /run/locale
     chown -R 1000:1000 /run/user/1000/dconf
-
+
+    if [ -f /postinstall/pass ];then
+        # If this file exists, then system just rebooted from an installation attempt
+        # SECURE_POST_INSTALL envar will continue the installation step
+        export SECURE_POST_INSTALL=1		
+        sudo -E bash -c 'echo $SECURE_POST_INSTALL' 
+    fi
+
     # Check for BIFT instance
-    BIFTADDR="10.0.2.2"
-    nc -z $BIFTADDR 2121
-    BIFT=`echo $?`
-    if [ "x$BIFT" = "x0" ];then
-        curl ftp://$BIFTADDR:2121/scenario > /tmp/scenario
-        if [ "x$?" = "x0" ];then
-            SCENARIO=`cat /tmp/scenario`
-            export DEBUG=1		
-            export AUTOFILL=1		
-            export SCENARIO=$SCENARIO		
-            sudo -E bash -c 'echo $DEBUG' 
-            sudo -E bash -c 'echo $AUTOFILL' 
-            sudo -E bash -c 'echo $SCENARIO' 
-        fi
+    ip a | grep "10.0.2."
+    if [ $? -eq 0 ];then
+      BIFTADDR="10.0.2.2"
+      nc -z $BIFTADDR 2121
+      BIFT=`echo $?`
+      if [ "x$BIFT" = "x0" ];then
+          curl ftp://$BIFTADDR:2121/scenario > /tmp/scenario
+          if [ "x$?" = "x0" ];then
+              SCENARIO=`cat /tmp/scenario`
+              export DEBUG=1		
+              export AUTOFILL=1		
+              export SCENARIO=$SCENARIO		
+              sudo -E bash -c 'echo $DEBUG' 
+              sudo -E bash -c 'echo $AUTOFILL' 
+              sudo -E bash -c 'echo $SCENARIO' 
+          fi
+      fi
     fi
     sudo -E nice -n -20 blankon-installer
 
@@ -77,7 +93,7 @@ WantedBy=shutdown.target
     fi
 
     # Source timezone environment variable generated by installer
-    if [ -f /run/timezone];then
+    if [ -f /run/timezone ];then
         . /run/timezone
     fi