-
-
Notifications
You must be signed in to change notification settings - Fork 14
/
mortar.env
69 lines (64 loc) · 4.14 KB
/
mortar.env
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
WORKING_DIR='/etc/mortar/'
PRIVATE_DIR="$WORKING_DIR"'private/'
# Noah Bliss
# Note to reader: Most of these values can be left as-is. Some have good defaults or are auto-populated as part of the other scripts.
# You should, however specifically review or statically set (the CRYPTNAME auto logic is particularly weak, but getting better):
# EFI_ROOT
# CRYPTDEV
# CRYPTNAME
# SLOT
# TPMINDEX
# BINDPCR
# Permission checks.
if [ "$UID" -ne "0" ]; then echo "Must be run as root."; exit 1; fi
mkdir -p "$PRIVATE_DIR"
chown root:root -R "$PRIVATE_DIR"
chmod go-rwx -R "$PRIVATE_DIR"
chmod go-rwx -R "$WORKING_DIR"
cd "$WORKING_DIR"
TPM_MODE= #1.2 or 2 - not yet used.
# Stage 1.
EFI_ROOT= #Change this for your distro. This is the root of the efi partition and likely contains a directory called "EFI" `mount | grep -i efi` may be helpful. Must end with a / e.g. /efi/ /boot/efi/ etc. Next line tries its best if this isn't set.
if [ -z "$EFI_ROOT" ]; then if (mount | grep "on /boot/efi ">/dev/null); then EFI_ROOT="/boot/efi/"; elif (mount | grep "on /efi ">/dev/null); then EFI_ROOT="/efi/"; fi; fi
EFI_DIR="EFI/" # Path inside the efi_root to place the efi file. Must end in a /
EFI_NAME="mortarsecureboot-linux.efi" # Name of the efi file to generate and sign.
PRETTY_NAME="Mortar Secureboot Linux"
TARGET_EFI="$EFI_ROOT""$EFI_DIR""$EFI_NAME" # Ultimate location of the signed efi file. Use this to boot.
KEY_UUID=
hostname=$HOSTNAME
if [ -z $hostname ]; then hostname=$HOST; fi
SECUREBOOT_MODIFIER="-mortarsecureboot-$hostname" #Added in the secureboot key generation CN to denote that they are yours.
CMDLINEFILE="/etc/mortar/cmdline.conf"
EFISTUBFILE="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
SECUREBOOT_DB_KEY=$PRIVATE_DIR'db.key'
SECUREBOOT_DB_CRT=$PRIVATE_DIR'db.crt'
# Stage 2.
SECUREBOOT_DB_AUTH=$PRIVATE_DIR'db.auth'
SECUREBOOT_DB_ESL=$PRIVATE_DIR'db.esl'
SECUREBOOT_PK_CRT=$PRIVATE_DIR'PK.crt'
SECUREBOOT_PK_ESL=$PRIVATE_DIR'PK.esl'
SECUREBOOT_PK_KEY=$PRIVATE_DIR'PK.key'
SECUREBOOT_PK_AUTH=$PRIVATE_DIR'PK.auth'
SECUREBOOT_KEK_CRT=$PRIVATE_DIR'KEK.crt'
SECUREBOOT_KEK_ESL=$PRIVATE_DIR'KEK.esl'
SECUREBOOT_KEK_AUTH=$PRIVATE_DIR'KEK.auth'
SECUREBOOT_KEK_KEY=$PRIVATE_DIR'KEK.key'
# Stage 3.
CRYPTDEV= #LUKS Partition e.g. /dev/nvme0n1p3 next line will give it the old college try if this is left blank.
if [ -z "$CRYPTDEV" ]; then temp=$(grep "^[^#;]" /etc/crypttab | head -n1 | awk '{ print $2 }'); if [ -e "$temp" ]; then CRYPTDEV="$temp"; else if [[ "$temp" == "UUID="* ]]; then temp=$(echo "$temp" | cut -f2 -d'='); CRYPTDEV="/dev/disk/by-uuid/$temp"; unset temp; fi; fi; fi
CRYPTNAME= #Unlocked name (find in crypttab) e.g. luks-disk next line will give it the old college try if this is left blank.
if [ -z "$CRYPTNAME" ]; then CRYPTNAME=$(grep -v "^#" /etc/crypttab | head -n1 | awk '{ print $1 }'); fi
LUKSVER= #1 or 2 - best effort will be given if left blank.
SLOT="1" # LUKS keyslot number for use with automatic unlocks.
# Only used for LUKS1: UUID OF THE KEYSLOT, NOT THE DISK. Find with `luksmeta show -d /dev/nvmluks0p3` and check the slot uuid. Logic exists in the luks setup script if this is left blank. (hence why this comment is on a different line).
SLOTUUID=
TOKENID= # Only used for LUKS2 - Token ID in luks header for clevis. Usually 0. Logic below attempts to find out if left blank.
if [ -z "$TOKENID" ]; then TOKENID=$(cryptsetup luksDump "$CRYPTDEV" | grep clevis | sed -e 's/ \(.*\): clevis/\1/'); fi #clevis scripts used sed -rn 's|^\s+([0-9]+): clevis|\1|p' after the cryptsetup pipe. Maybe that is better? *shrug*
# Only used for TPM 1.2 - NVRAM index number for storing LUKS key in TPM.
TPMINDEX=1
HEADERFILE="./luksheaderbackup.raw" # Location to write the luksheaderbackup to for hash evaluation during boot. This location is in the ramdisk of the initramfs and removed once no longer needed.
# SHA256 hash of the LUKS header. This is populated automatically by the luks script.
HEADERSHA256=
BINDPCR="1,7" # PCR IDs to require match for before releasing key. 1 is for BIOS config, 7 is typically for secureboot. Comma-separate numbers with no spaces.
# TPM hash type when using TPM2. Ensure your TPM supports your chosen hash if not using sha256
TPMHASHTYPE="sha256"