jess
/
manjaro-arm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'encryption' into 'master' 

add preliminary encryption support and fix a few btrfs issues

See merge request manjaro-arm/applications/manjaro-arm-installer!4
This commit is contained in:
Dan Johansen 2021-04-15 14:32:30 +00:00
parent 40068a60f0 9a8295f714
commit 5f96ab45ef
2 changed files with 46 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@ -19,12 +19,13 @@ This script is "interactive". Meaning that it asks you questions when run to cus
* dosfstools * dosfstools
* polkit * polkit
* btrfs-progs (for btrfs filesystem support) * btrfs-progs (for btrfs filesystem support)
* cryptsetup (for encryption support)
## Installing and using from Manjaro x64 repositories: ## Installing and using from Manjaro (x64 and ARM) repositories:
To use this script, please make sure that the following is correct: To use this script, please make sure that the following is correct:
* an **empty** SD/eMMC card with at least 8 GB storage is plugged in, but not mounted. * An SD/eMMC card with at least 8 GB storage is plugged in, but not mounted. This Script **will** remove everything on it.
* that your user account has `sudo` rights. * That your user account has `sudo` rights.
Then install the `manjaro-arm-installer` package with: Then install the `manjaro-arm-installer` package with:
``` ```
@ -34,18 +35,13 @@ Then reboot. You can now launch the installer with:
``` ```
sudo bash manjaro-arm-installer sudo bash manjaro-arm-installer
``` ```
Or with encryption support:
*Warning! Encryption support is experimental and only Pinebook Pro is supported at this time!*
```
sudo export CRYPT="y" && sudo bash manjaro-arm-installer
```
It will ask the crypt password twice (first to create it, the second one to open the device)
## Installing and using from gitlab: ## Installing and using from gitlab:
To use this script, please make sure that the following is correct: To use this script, please make sure that the following is correct:
* an **empty** SD/eMMC card with at least 8 GB storage is plugged in, but not mounted. * An SD/eMMC card with at least 8 GB storage is plugged in, but not mounted. This Script **will** remove everything on it.
* that your user account has `sudo` rights. * That your user account has `sudo` rights.
Then use this to get it: Then use this to get it:
``` ```
@ -59,13 +55,13 @@ sudo bash ./manjaro-arm-installer
* Because `dialog` is weird, the script needs to be run in `bash`. * Because `dialog` is weird, the script needs to be run in `bash`.
## Supported Devices: ## Supported Devices:
* Raspberry Pi 4 (and 3) * Raspberry Pi 4/400/3+/3
* Pinebook Pro * Pinebook Pro
* RockPro64 * RockPro64
* Rock Pi 4B * Rock Pi 4B
* Rock Pi 4C (new) * Rock Pi 4C
* Odroid N2 * Odroid N2
* Odroid N2+ (new) * Odroid N2+
* Odroid C4 * Odroid C4
* Odroid C2 * Odroid C2
* Pinebook * Pinebook

61
manjaro-arm-installer
View File

@ -1,7 +1,7 @@
#! /bin/bash #! /bin/bash
# ***************************** # *****************************
# Version 1.3.9 # Version 1.4.0
# ***************************** # *****************************
# Set globals # Set globals
@ -36,6 +36,7 @@ FSTYPE=""
TIMEZONE="" TIMEZONE=""
LOCALE="" LOCALE=""
HOSTNAME="" HOSTNAME=""
CRYPT=""
# check if root # check if root
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
@ -48,7 +49,7 @@ if [ "$EUID" -ne 0 ]; then
fi fi
# Sanity checks for dependencies # Sanity checks for dependencies
declare -a DEPENDENCIES=("git" "parted" "systemd-nspawn" "wget" "dialog" "bsdtar" "openssl" "awk" "btrfs" "mkfs.vfat" "mkfs.btrfs") declare -a DEPENDENCIES=("git" "parted" "systemd-nspawn" "wget" "dialog" "bsdtar" "openssl" "awk" "btrfs" "mkfs.vfat" "mkfs.btrfs" "cryptsetup")
for i in "${DEPENDENCIES[@]}"; do for i in "${DEPENDENCIES[@]}"; do
if ! [[ -f "/bin/$i" || -f "/sbin/$i" || -f "/usr/bin/$i" || -f "/usr/sbin/$i" ]] ; then if ! [[ -f "/bin/$i" || -f "/sbin/$i" || -f "/usr/bin/$i" || -f "/usr/sbin/$i" ]] ; then
@ -236,7 +237,9 @@ create_install() {
fi fi
[ ! -z "$CRYPT" ] && tweakinitrd_crypt if [[ "$CRYPT" = "yes" ]]; then
tweakinitrd_crypt
fi
info "Cleaning install for unwanted files..." info "Cleaning install for unwanted files..."
umount $TMPDIR/root/var/cache/pacman/pkg umount $TMPDIR/root/var/cache/pacman/pkg
@ -262,6 +265,11 @@ prepare_card () {
# Create partitions # Create partitions
#Clear first 32mb #Clear first 32mb
dd if=/dev/zero of=${SDCARD} bs=1M count=32 1> /dev/null 2>&1 dd if=/dev/zero of=${SDCARD} bs=1M count=32 1> /dev/null 2>&1
#remove previous partitions
for v_partition in $(parted -s $SDCARD print|awk '/^ / {print $1}')
do
parted -s $SDCARD rm ${v_partition} 1> /dev/null 2>&1
done
#partition with boot and root #partition with boot and root
parted -s $SDCARD mklabel msdos 1> /dev/null 2>&1 parted -s $SDCARD mklabel msdos 1> /dev/null 2>&1
parted -s $SDCARD mkpart primary fat32 32M 256M 1> /dev/null 2>&1 parted -s $SDCARD mkpart primary fat32 32M 256M 1> /dev/null 2>&1
@ -274,14 +282,7 @@ prepare_card () {
parted -s $SDCARD mkpart primary btrfs "${END_SECTOR}s" 100% 1> /dev/null 2>&1 parted -s $SDCARD mkpart primary btrfs "${END_SECTOR}s" 100% 1> /dev/null 2>&1
partprobe $SDCARD 1> /dev/null 2>&1 partprobe $SDCARD 1> /dev/null 2>&1
mkfs.vfat "${SDCARD}${SDDEV}1" -n BOOT_MNJRO 1> /dev/null 2>&1 mkfs.vfat "${SDCARD}${SDDEV}1" -n BOOT_MNJRO 1> /dev/null 2>&1
mkfs.btrfs -m single -L ROOT_MNJRO -f "${SDCARD}${SDDEV}2" 1> /dev/null 2>&1
if [ -z "$CRYPT" ]; then
mkfs.btrfs -m single -L ROOT_MNJRO -f "${SDCARD}${SDDEV}2" 1> /dev/null 2>&1
else
cryptsetup luksFormat -q "${SDCARD}${SDDEV}2"
cryptsetup open "${SDCARD}${SDDEV}2" ROOT_MNJRO
mkfs.btrfs -m single -f /dev/mapper/ROOT_MNJRO 1> /dev/null 2>&1
fi
mkdir -p $TMPDIR/root mkdir -p $TMPDIR/root
mkdir -p $TMPDIR/boot mkdir -p $TMPDIR/boot
@ -294,20 +295,18 @@ prepare_card () {
mkdir -p $TMPDIR/root/home mkdir -p $TMPDIR/root/home
mount -o compress=zstd,subvol=@home "${SDCARD}${SDDEV}2" $TMPDIR/root/home mount -o compress=zstd,subvol=@home "${SDCARD}${SDDEV}2" $TMPDIR/root/home
mount ${SDCARD}${SDDEV}1 $TMPDIR/boot mount ${SDCARD}${SDDEV}1 $TMPDIR/boot
if [ ! -z "$CRYPT" ]; then
[ ! -e /dev/mapper/ROOT_MNJRO ] && cryptsetup open "${SDCARD}${SDDEV}2" ROOT_MNJRO
mount /dev/mapper/ROOT_MNJRO $TMPDIR/root
fi
;; ;;
ext4) ext4)
parted -s $SDCARD mkpart primary ext4 "${END_SECTOR}s" 100% 1> /dev/null 2>&1 parted -s $SDCARD mkpart primary ext4 "${END_SECTOR}s" 100% 1> /dev/null 2>&1
partprobe $SDCARD 1> /dev/null 2>&1 partprobe $SDCARD 1> /dev/null 2>&1
mkfs.vfat "${SDCARD}${SDDEV}1" -n BOOT_MNJRO 1> /dev/null 2>&1 mkfs.vfat "${SDCARD}${SDDEV}1" -n BOOT_MNJRO 1> /dev/null 2>&1
if [ -z "$CRYPT" ]; then if [[ "$CRYPT" != "yes" ]]; then
mkfs.ext4 -O ^metadata_csum,^64bit "${SDCARD}${SDDEV}2" -L ROOT_MNJRO 1> /dev/null 2>&1 mkfs.ext4 -O ^metadata_csum,^64bit "${SDCARD}${SDDEV}2" -L ROOT_MNJRO 1> /dev/null 2>&1
else else
info "Create encryption password:"
cryptsetup luksFormat -q "${SDCARD}${SDDEV}2" cryptsetup luksFormat -q "${SDCARD}${SDDEV}2"
info "Confirm encryption password:"
cryptsetup open "${SDCARD}${SDDEV}2" ROOT_MNJRO cryptsetup open "${SDCARD}${SDDEV}2" ROOT_MNJRO
mkfs.ext4 -O ^metadata_csum,^64bit /dev/mapper/ROOT_MNJRO 1> /dev/null 2>&1 mkfs.ext4 -O ^metadata_csum,^64bit /dev/mapper/ROOT_MNJRO 1> /dev/null 2>&1
fi fi
@ -315,7 +314,7 @@ prepare_card () {
mkdir -p $TMPDIR/root mkdir -p $TMPDIR/root
mkdir -p $TMPDIR/boot mkdir -p $TMPDIR/boot
mount ${SDCARD}${SDDEV}1 $TMPDIR/boot mount ${SDCARD}${SDDEV}1 $TMPDIR/boot
if [ -z "$CRYPT" ]; then if [[ "$CRYPT" != "yes" ]]; then
mount ${SDCARD}${SDDEV}2 $TMPDIR/root mount ${SDCARD}${SDDEV}2 $TMPDIR/root
else else
[ ! -e /dev/mapper/ROOT_MNJRO ] && cryptsetup open "${SDCARD}${SDDEV}2" ROOT_MNJRO [ ! -e /dev/mapper/ROOT_MNJRO ] && cryptsetup open "${SDCARD}${SDDEV}2" ROOT_MNJRO
@ -354,16 +353,19 @@ cleanup () {
;; ;;
esac esac
[ ! -z "$CRYPT" ] && post_crypt if [[ "$CRYPT" = "yes" ]]; then
post_crypt
fi
#clean up #clean up
if [[ "$FSTYPE" = "btrfs" ]]; then if [[ "$FSTYPE" = "btrfs" ]]; then
umount $TMPDIR/root/home umount $TMPDIR/root/home
umount $TMPDIR/root umount $TMPDIR/root
umount $TMPDIR/boot
else else
umount $TMPDIR/root umount $TMPDIR/root
umount $TMPDIR/boot umount $TMPDIR/boot
if [ ! -z "$CRYPT" ]; then if [[ "$CRYPT" = "yes" ]]; then
cryptsetup close /dev/mapper/ROOT_MNJRO cryptsetup close /dev/mapper/ROOT_MNJRO
fi fi
fi fi
@ -376,7 +378,6 @@ tweakinitrd_crypt () {
case "$DEVICE" in case "$DEVICE" in
pbpro) pbpro)
# Use the proper mkinitcpio. # Use the proper mkinitcpio.
# NOTE: I've tried to modify only the HOOKS but it seems some kernel modules are required for the display to show stuff
cat << EOF > ${TMPDIR}/root/etc/mkinitcpio.conf cat << EOF > ${TMPDIR}/root/etc/mkinitcpio.conf
MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid) MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid)
BINARIES=() BINARIES=()
@ -399,7 +400,8 @@ post_crypt () {
case "$DEVICE" in case "$DEVICE" in
pbpro) pbpro)
# NOTE: I've tried to only modify the cryptdevice and root parameters but bootsplash and console=ttyS2 prevents to show the password prompt # NOTE: I've tried to only modify the cryptdevice and root parameters but bootsplash and console=ttyS2 prevents to show the password prompt
sed -i -e "s!APPEND.*!APPEND initrd=/initramfs-linux.img console=tty1 cryptdevice=UUID=${UUID}:ROOT_MNJRO root=/dev/mapper/ROOT_MNJRO rw rootwait video=eDP-1:1920x1080@60 video=HDMI-A-1:1920x1080@60!g" ${TMPDIR}/boot/extlinux/extlinux.conf # TODO: Need to add plymouth support
sed -i -e "s!APPEND.*!APPEND initrd=/initramfs-linux.img console=tty1 cryptdevice=UUID=${UUID}:ROOT_MNJRO root=/dev/mapper/ROOT_MNJRO rw rootwait!g" ${TMPDIR}/boot/extlinux/extlinux.conf
;; ;;
esac esac
@ -410,7 +412,7 @@ post_crypt () {
# Using Dialog to ask for user input for variables # Using Dialog to ask for user input for variables
DEVICE=$(dialog --clear --title "Manjaro ARM Installer" \ DEVICE=$(dialog --clear --title "Manjaro ARM Installer" \
--menu "Choose a device:" 20 75 10 \ --menu "Choose a device:" 20 75 10 \
"rpi4" "Raspberry Pi 4 (and 3)" \ "rpi4" "Raspberry Pi 4/400/3+/3" \
"pbpro" "Pinebook Pro" \ "pbpro" "Pinebook Pro" \
"rockpro64" "RockPro64" \ "rockpro64" "RockPro64" \
"rockpi4b" "Rock Pi 4B" \ "rockpi4b" "Rock Pi 4B" \
@ -457,7 +459,7 @@ fi
if [ ! -z "$EDITION" ]; then if [ ! -z "$EDITION" ]; then
USER=$(dialog --clear --title "Manjaro ARM Installer" \ USER=$(dialog --clear --title "Manjaro ARM Installer" \
--inputbox "Enter the username you want: --inputbox "Enter the username you want:
(usernames must be all lowercase and first character may not be a number)" 8 50 \ (usernames must be all lowercase and first character may not be a number)" 10 75 \
3>&1 1>&2 2>&3 3>&-) 3>&1 1>&2 2>&3 3>&-)
if [[ "$USER" =~ [A-Z] ]] || [[ "$USER" =~ ^[0-9] ]] || [[ "$USER" == *['!'@#\$%^\&*()_+]* ]]; then if [[ "$USER" =~ [A-Z] ]] || [[ "$USER" =~ ^[0-9] ]] || [[ "$USER" == *['!'@#\$%^\&*()_+]* ]]; then
clear clear
@ -473,7 +475,7 @@ if [ ! -z "$USER" ]
then then
USERGROUPS=$(dialog --clear --title "Manjaro ARM Installer" \ USERGROUPS=$(dialog --clear --title "Manjaro ARM Installer" \
--inputbox "Enter additional groups for $USER in a comma seperated list: (empty if none) --inputbox "Enter additional groups for $USER in a comma seperated list: (empty if none)
(default: wheel,sys,audio,input,video,storage,lp,network,users,power)" 8 90 \ (default: wheel,sys,audio,input,video,storage,lp,network,users,power)" 10 90 \
3>&1 1>&2 2>&3 3>&- \ 3>&1 1>&2 2>&3 3>&- \
) )
else else
@ -580,7 +582,7 @@ fi
if [ ! -z "$SDCARD" ]; then if [ ! -z "$SDCARD" ]; then
FSTYPE=$(dialog --clear --title "Manjaro ARM Installer" \ FSTYPE=$(dialog --clear --title "Manjaro ARM Installer" \
--menu "Choose a filesystem:" 20 75 10 \ --menu "Choose a filesystem:" 10 75 10 \
"ext4" "Regular ext4 filesystem" \ "ext4" "Regular ext4 filesystem" \
"btrfs" "Uses btrfs for root partition and makes / and /home subvolumes" \ "btrfs" "Uses btrfs for root partition and makes / and /home subvolumes" \
3>&1 1>&2 2>&3 3>&-) 3>&1 1>&2 2>&3 3>&-)
@ -590,6 +592,14 @@ else
exit 1 exit 1
fi fi
if [[ "$DEVICE" = "pbpro" ]] && [[ "$FSTYPE" != "btrfs" ]]; then
CRYPT=$(dialog --clear --title "Manjaro ARM Installer" \
--menu "[Experimental!] Do you want encryption on root partition?" 10 75 10 \
"yes" "Yes, please" \
"no" "No, thanks" \
3>&1 1>&2 2>&3 3>&-)
fi
if [ ! -z "$FSTYPE" ]; then if [ ! -z "$FSTYPE" ]; then
let i=0 let i=0
W=() W=()
@ -678,6 +688,7 @@ if [ ! -z "$HOSTNAME" ]; then
Password for root = (password hidden) Password for root = (password hidden)
SDCard/eMMC/USB = $SDCARD SDCard/eMMC/USB = $SDCARD
Filesystem = $FSTYPE Filesystem = $FSTYPE
Encryption (only on select devices) = $CRYPT
Timezone = $TIMEZONE Timezone = $TIMEZONE
Locale = $LOCALE Locale = $LOCALE
TTY Keyboard layout = $CLIKEYMAP TTY Keyboard layout = $CLIKEYMAP