Initial commit.

8c308eb9 · Ophélie Gagnard · 8c308eb9 · 8c308eb9 · 8c308eb9 · 8c308eb9
Commit 8c308eb9 authored Mar 24, 2022 by Ophélie Gagnard
9 changed files
--- a/dracut.module/90metadata-collect/collect.sh
+++ b/dracut.module/90metadata-collect/collect.sh
+#!/bin/bash
+
+. /lib/dracut-lib.sh
+
+#>&2 echo "$NEWROOT" # DEBUG: display the path of newroot before the pivot
+#sleep 10 # DEBUG
+
+/sbin/metadata-collect-agent "$NEWROOT"
+
+#sleep 10 " DEBUG
+
--- a/dracut.module/90metadata-collect/flb.conf
+++ b/dracut.module/90metadata-collect/flb.conf
+[SERVICE]
+  flush 5
+
+[INPUT]
+  name tail
+  path /var/log/metadata_collect.log 
+
+[output]
+  name fluentbit_wendelin
+  match *
+  streamtool_uri https://softinst157546.host.vifib.net/erp5/portal_ingestion_policies/metadata_upload
+  user zope
+  password qxrfkwod
+  buffer_type memory
+  flush_interval 60s
+  disable_retry_limit true
+  reference c-light-data_05
--- a/dracut.module/90metadata-collect/module-setup.sh
+++ b/dracut.module/90metadata-collect/module-setup.sh
+#!/bin/bash
+
+check() {
+    require_binaries grep head ip || return 1
+    return 255
+}
+
+depends() {
+    echo network
+}
+
+install() {
+    inst_multiple head ip grep
+    inst "$moddir"/metadata-collect-agent "/sbin/metadata-collect-agent"
+    inst "$moddir"/fluent-bit "/sbin/fluent-bit"
+    inst "$moddir"/flb.conf "/etc/flb.conf"
+    inst "$moddir"/fluentbit_wendelin.so "/etc/fluentbit_wendelin.so"
+    inst_hook pre-pivot 10 "$moddir"/collect.sh
+}
--- a/dracut.module/Makefile
+++ b/dracut.module/Makefile
+.PHONY: all
+all: 90metadata-collect/fluent-bit 90metadata-collect/fluentbit_wendelin.so 90metadata-collect/metadata-collect-agent 90metadata-collect/flb.conf
+
+ifeq ($(MCA_PATH),)
+	MCA_PATH=/opt/dep--mca-static_1-1/
+endif
+
+ifeq ($(FLB_PATH),)
+	FLB_PATH=/opt/dep--fluent-bit_1-1/
+endif
+
+DRACUT_MODULE_NAME=90metadata-collect
+LOCAL_DRACUT_MODULE=$(DRACUT_MODULE_NAME)/
+
+90metadata-collect/metadata-collect-agent:
+	cp $(MCA_PATH)/bin/metadata-collect-agent $(LOCAL_DRACUT_MODULE)
+
+90metadata-collect/fluent-bit:
+	cp $(FLB_PATH)/bin/fluent-bit $(LOCAL_DRACUT_MODULE)
+
+90metadata-collect/fluentbit_wendelin.so:
+	# TODO:
+	# + name libfluentbit_wendelin.so
+	# + put it in /lib...?
+	cp $(MCA_PATH)/lib/fluentbit_wendelin.so $(LOCAL_DRACUT_MODULE)
+
+90metadata-collect/flb.conf:
+	cp $(MCA_PATH)/etc/flb.conf $(LOCAL_DRACUT_MODULE)
+
+ .PHONY: clean
+clean:
+	rm -f $(LOCAL_DRACUT_MODULE)/metadata-collect-agent
+	rm -f $(LOCAL_DRACUT_MODULE)/fluent-bit
+	rm -f $(LOCAL_DRACUT_MODULE)/fluentbit_wendelin.so
+	rm -f $(LOCAL_DRACUT_MODULE)/flb.conf
+
+.PHONY: install
+install: all
+	cp -vLr "90metadata-collect" /usr/lib/dracut/modules.d
+
+.PHONY: uninstall
+uninstall:
+	rm -rfv /usr/lib/dracut/modules.d/90metadata-collect
--- a/dracut.module/dracut.conf
+++ b/dracut.module/dracut.conf
+add_dracutmodules="metadata-collect"
+compress=xz
+hostonly=no
+hostonly_cmdline=no
+kernel_cmdline="root=LABEL=ROOT ip=dhcp rd.neednet=1"
+show_modules=yes
+reproducible=yes
+loginstall=./loginstall/
+uefi=yes
+uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
+uefi_secureboot_cert=/etc/uefi-key/db.crt
+uefi_secureboot_key=/etc/uefi-key/db.key
--- a/install.sh
+++ b/install.sh
+#!/bin/bash
+
+set -eux
+
+# installing miscellaneous useful packages
+apt -y install make autopoint autoconf libtool libattr1-dev musl-tools mmv sbsigntool
+# installing more necessary packages to activate Secure Boot with our own keys
+apt -y install efitools
+# installing (download and compile)a specific version of python to make sure the whole installation process work
+if [ ! -d "/opt/python-3.7.12/include/python3.7m" ]; then
+  wget https://www.python.org/ftp/python/3.7.12/Python-3.7.12.tgz
+  tar zxf Python-3.7.12.tgz
+  cd Python-3.7.12/
+  ./configure --prefix=/opt/python-3.7.12
+  make
+  make install
+  cd ..
+fi
+rm -f Python-3.7.12.tgz
+rm -rf Python-3.7.12/
+
+## Install dracut
+if ! which dracut ; then
+  wget http://ftp.us.debian.org/debian/pool/main/d/dracut/dracut-core_051-1_amd64.deb
+  wget http://ftp.us.debian.org/debian/pool/main/d/dracut/dracut_051-1_all.deb
+  wget http://ftp.us.debian.org/debian/pool/main/d/dracut/dracut-network_051-1_all.deb
+  apt -y install ./dracut-core_051-1_amd64.deb ./dracut_051-1_all.deb ./dracut-network_051-1_all.deb
+  rm dracut*.deb
+fi
+
+#if [ ! -e "$HOME/.cargo/bin" ]; then
+#  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+#fi
+#export PATH=$PATH:$HOME/.cargo/bin
+#rustup target add x86_64-unknown-linux-musl
+
+## Install others
+apt -y install libssl-dev
+# needed to build fmt library
+apt -y install cmake
+
+## Install Go
+# needed for dracut.module/ make install
+GOVERSION=1.16.5
+if [ ! -e "/usr/local/go/VERSION" ] || [ go${GOVERSION} != $(cat /usr/local/go/VERSION) ]; then
+  wget https://golang.org/dl/go${GOVERSION}.linux-amd64.tar.gz
+  rm -rf /usr/local/go
+  tar -C /usr/local -xzf go${GOVERSION}.linux-amd64.tar.gz
+  rm go*.tar.gz*
+  # TODO: write in /etc/profile.d/ instead
+  echo -e "\n" >> /etc/profile
+  echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
+  source /etc/profile
+fi
+
+## Install Cython+
+# needed for scan-filesystem/ make nopython
+# WARNING: it does not differentiate Cython+ from Cython
+if ! which cython3 ; then
+  mkdir -p build_cythonplus && cd build_cythonplus
+  wget https://lab.nexedi.com/nexedi/cython/raw/debian/build_cythonplus
+  chmod 744 build_cythonplus
+  ./build_cythonplus
+  apt -y install ./cython3_*
+  cd ..
+fi
+
+## Install fmt library
+# needed for scan-filesystem/ make nopython
+if [ ! -d "fmt" ]; then
+  git clone https://github.com/fmtlib/fmt.git
+  cd fmt && mkdir -p build_fmt && cd build_fmt
+  cmake -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE ..
+  make
+  make install
+  cd ../..
+fi
+
+cd dracut.module
+make install
+cd ..
+
+apt -y autoremove
+
+
+echo -e '\nInstallation finished.\nType ^C (ctrl+C) to exit.\nType Enter to proceed to building the UEFI application.\n'
+read
+
+## Build UEFI application
+
+if [ ! -e uefi-key ]; then
+  mkdir uefi-key
+  cd uefi-key
+  ../mkkeys.sh
+  cd ..
+fi
+if [ ! -e /etc/uefi-key ]; then
+  mkdir /etc/uefi-key
+  cp uefi-key/DB.cer /etc/uefi-key/db.cer
+  cp uefi-key/DB.crt /etc/uefi-key/db.crt
+  cp uefi-key/DB.key /etc/uefi-key/db.key
+fi
+
+# TODO: write a separate script: one to install stuff, the other to build the UEFI application
+: '
+# creates the keys needed to sign the UEFI application if they do not exist
+# when creating and copying (or simply copying) the keys in /etc/uefi-key/ by hand,
+# the following lines wont be executed
+if [ ! -e /etc/uefi-key/db.crt ]; then
+  openssl req -newkey rsa:2048 -nodes -keyout /etc/uefi-key/db.key -new -x509 -sha256 -days 36500 -subj "/CN=TEST" -out /etc/uefi-key/db.crt
+  openssl x509 -outform DER -in /etc/uefi-key/db.crt -out /etc/uefi-key/db.cer
+fi
+#'
+#source secure-boot-automation.sh
+
+rm -rf dracut_tmp
+mkdir dracut_tmp
+
+disk_info=$(/sbin/fdisk -l | grep '^/dev' | cut -d' ' -f1)
+
+disk_info_list=(${disk_info//' '/})
+
+
+/sbin/e2label ${disk_info_list[4]} ROOT
+
+rm -rf /boot/efi/EFI/Linux/*
+#mmv '/boot/efi/EFI/Linux/*.*' '/boot/efi/EFI/Linux/#1_1.#2'
+dracut --force  -c ./dracut.module/dracut.conf --confdir dracut_tmp
+
+cp -r /boot/efi/EFI /EFI
+#maybe not necessary
+cp /etc/uefi-key/db.cer /EFI/db.cer
+cp /etc/uefi-key/db.cer /boot/efi/db.cer
+uefi=$(ls /EFI/Linux)
+
+efibootmgr --quiet --create --disk ${disk_info_list[3]} --label 'debian UEFI test_root' --loader /EFI/Linux/$uefi
--- a/mkkeys.sh
+++ b/mkkeys.sh
+#!/bin/bash
+# Copyright (c) 2015 by Roderick W. Smith
+# Licensed under the terms of the GPL v3
+
+echo -n "Enter a Common Name to embed in the keys: "
+read NAME
+
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
+        -out PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
+        -out KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
+        -out DB.crt -days 3650 -nodes -sha256
+openssl x509 -in PK.crt -out PK.cer -outform DER
+openssl x509 -in KEK.crt -out KEK.cer -outform DER
+openssl x509 -in DB.crt -out DB.cer -outform DER
+
+GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
+echo $GUID > myGUID.txt
+
+cert-to-efi-sig-list -g $GUID PK.crt PK.esl
+cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
+cert-to-efi-sig-list -g $GUID DB.crt DB.esl
+rm -f noPK.esl
+touch noPK.esl
+
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK PK.esl PK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK noPK.esl noPK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt KEK KEK.esl KEK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k KEK.key -c KEK.crt db DB.esl DB.auth
+
+chmod 0600 *.key
+
+echo ""
+echo ""
+echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
+echo "flash drive or to your EFI System Partition (ESP)."
+echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
+echo "but some UEFIs require the *.auth files."
+echo ""
--- a/secure-boot-automation.sh
+++ b/secure-boot-automation.sh
+#!/bin/bash
+# Copyright (c) 2015 by Roderick W. Smith
+# Licensed under the terms of the GPL v3
+
+
+## KEYS CREATION
+if false; then # DEBUG
+rm -rf secure-boot-automation
+mkdir -p secure-boot-automation
+cd secure-boot-automation
+
+echo -n "Enter a Common Name to embed in the keys: "
+read NAME
+
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
+        -out PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
+        -out KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
+        -out DB.crt -days 3650 -nodes -sha256
+openssl x509 -in PK.crt -out PK.cer -outform DER
+openssl x509 -in KEK.crt -out KEK.cer -outform DER
+openssl x509 -in DB.crt -out DB.cer -outform DER
+
+GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
+echo $GUID > myGUID.txt
+
+cert-to-efi-sig-list -g $GUID PK.crt PK.esl
+cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
+cert-to-efi-sig-list -g $GUID DB.crt DB.esl
+rm -f noPK.esl
+touch noPK.esl
+
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK PK.esl PK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK noPK.esl noPK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt KEK KEK.esl KEK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k KEK.key -c KEK.crt db DB.esl DB.auth
+
+chmod 0600 *.key
+fi # DEBUG
+if [ ! -e /etc/uefi-key/db.crt ]; then
+  cp DB.crt /etc/uefi-key/db.crt
+  cp DB.cer /etc/uefi-key/db.cer
+  cp DB.key /etc/uefi-key/db.key
+fi
+if false; then # DEBUG
+
+## SECURE BOOT SETUP
+
+# if one of the following fails, refer to signing_uefi_application.txt
+efi-updatevar -f PK.auth PK
+efi-updatevar -a -c KEK.crt -k PK.key KEK
+efi-updatevar -a -c DB.crt -k KEK.key db
+fi # DEBUG
+cd ..
--- a/signing_uefi_application.txt
+++ b/signing_uefi_application.txt
+# To perform the following instructions, some packages are needed.
+# They are all installed with apt at the begining of install.sh.
+
+## Create the keys:
+# run the script mkkeys.sh (better in a dedicated directory)
+mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh
+
+## Signing a UEFI application:
+# before running the following line (from install.sh)
+dracut --force  -c ./dracut.module/dracut.conf --confdir dracut_tmp
+# put the following from the signing key in /etc/uefi-key/
+# db.cer	db.crt	db.key
+
+## Add keys to the firmware:
+# run
+efi-readvar
+# if PK, KEK or db is not empty then
+# reboot and, in the BIOS, disable Secure Boot (SB) and remove every keys
+# then if we assume the keys have the name mkkeys.sh gives them:
+# Add the Platform Key (the authority key for the machine).
+efi-updatevar -f PK.auth PK
+# Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes)
+efi-updatevar -a -c KEK.crt -k PK.key KEK
+# Replace the current whitelist certificate
+efi-updatevar -f -c DB.crt -k KEK.key db
+# (replace -f with -a to append another whitelist certificate instead of replacing the old one)
+
+### Troubleshooting
+# Some general informations:
+# 1) As a general matter, with Secure Boot (SB) disabled and no key, every key should addable.
+# 2) A Platform Key is needed for Secure Boot (SB) to be enabled.
+# 3) To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key).
+
+## Common errors:
+
+# error: "Failed to update <var>: Operation not permitted"
+# when trying to delete or replace a key, may be resolved by making it mutable:
+lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
+# "----i--------------" before the key means it is set as immutable
+# to make it mutable
+chattr -i /sys/firmware/efi/efivars/<key>
+# (example:)
+chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+# recommanded: make everything immutable after your operation
+# to do so, perform the same command with +i instead of -i (same example:)
+chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+
+# error: "Cannot write to db, wrong filesystem permissions"
+# may be resolved providing the upper level private key
+# (note that it can happen even with root mode, as keys are stored on a separate filesystem)
+