#!/usr/bin/bash set -eo pipefail # Must be root inside dom0 to run this script if [ "$EUID" -ne 0 ]; then echo "[ERROR]: must be superuser" exit 1 fi if [ ! "$HOSTNAME" = "dom0" ]; then echo "[ERROR]: must be in dom0" exit 1 fi # Set up the defaults : "${RELIANT_PARANOID=false}" : "${RELIANT_EXEC_DIR:=/usr/local/bin}" : "${RELIANT_SHARE_DIR:=/usr/local/share/scripts}" : "${RELIANT_RW_DOMAINS:=sys-net sys-whonix}" : "${RELIANT_DRACUT_DIR:=/usr/lib/dracut/modules.d/99reliant}" : "${RELIANT_SYSTEM_ROOT:=/home/$USER/reliant-system}" : "${RELIANT_SKIP_CHECKSUM:=}" : "${RELIANT_SPARSE_SAMPLES:=512}" : "${RELIANT_BOOTSTRAP_QUBE:=bootstrap}" # Validate configuration values if [ -z "$RELIANT_SECURE_DEVICE" ]; then echo "[ERROR]: RELIANT_SECURE_DEVICE: required value" exit 1 fi # Used block devices must be present if [ ! -b "$RELIANT_SECURE_DEVICE" ]; then echo "[ERROR]: RELIANT_SECURE_DEVICE: $RELIANT_SECURE_DEVICE is not a valid block device" exit 1 fi IFS=' ' for device in $RELIANT_SKIP_CHECKSUM; do if [ ! -b "$device" ]; then echo "[ERROR]: RELIANT_SKIP_CHECKSUM: $device is not a valid block device" exit 1 fi done # RELIANT_PARANOID must be a boolean value case "$RELIANT_PARANOID" in "true") ;; "false") ;; *) echo "[ERROR]: RELIANT_PARANOID: $RELIANT_PARANOID is not a valid boolean value" exit 1 ;; esac # RELIANT_SPARSE_SAMPLES must be an integer if ! [ "$RELIANT_SPARSE_SAMPLES" -eq "$RELIANT_SPARSE_SAMPLES" ] 2>/dev/null; then echo "[ERROR]: RELIANT_SPARSE_SAMPLES: $RELIANT_SPARSE_SAMPLES is not a valid integer" fi # Copies $1 from the bootstrap qube into dom0 with filename $2, permissions $3, owner $4 and group $5 reliant_install_file() { # Verify the number of arguments if [ "$#" -ne 4 ]; then echo "[ERROR]: reliant_install_file: expected 5 arguments, got $#" fi # Report the operation echo "[INFO]: reliant_install_file: $1 $2 $3 $4 $5" # Install the file into dom0 qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" "cat $RELIANT_SYSTEM_ROOT/$1" | install -D -m "$3" -o "$4" -g "$5" /dev/stdin "$2" } # Shorthand functions reliant_install_exec() { reliant_install_file "$1" "$RELIANT_EXEC_DIR/$2" "$3" "$4" "$5" } reliant_install_share() { reliant_install_file "$1" "$RELIANT_SHARE_DIR/$2" "$3" "$4" "$5" } reliant_install_dracut() { reliant_install_file "$1" "$RELIANT_DRACUT_DIR/$2" "$3" "$4" "$5" } # Begin the installation process echo "[INFO]: Installing reliant-system from $RELIANT_BOOTSTRAP_QUBE:$RELIANT_SYSTEM_ROOT..." # reliant-system/common reliant_install_share common/reliant-common.sh reliant-common.sh 0644 root root # reliant-system/extra reliant_install_file extra/overlay.conf /etc/dracut.conf.d/overlay.conf 0644 root root reliant_install_file extra/grub.systemd-volatile-overlay /etc/default/grub.systemd-volatile-overlay 0644 root root reliant_install_file extra/shufflecake-close.service /etc/systemd/system/shufflecake-close.service 0644 root root reliant_install_share extra/shufflecake-close.sh shufflecake-close.sh 0744 root root # reliant-system/tools reliant_install_exec tools/reliant-hash reliant-hash 0744 root root reliant_install_exec tools/reliant-seal reliant-seal 0744 root root reliant_install_exec tools/reliant-mount reliant-mount 0744 root root reliant_install_exec tools/reliant-unseal reliant-unseal 0744 root root reliant_install_exec tools/reliant-status reliant-status 0744 root root reliant_install_exec tools/surgeon-suture surgeon-suture 0744 root root reliant_install_exec tools/surgeon-dissect surgeon-dissect 0744 root root reliant_install_exec tools/reliant-security reliant-security 0744 root root reliant_install_exec tools/reliant-snapshot-rw reliant-snapshot-rw 0744 root root reliant_install_exec tools/reliant-print-config reliant-print-config 0744 root root # reliant-system/dracut reliant_install_dracut dracut/99reliant/module-setup.sh module-setup.sh 0744 root root reliant_install_dracut dracut/99reliant/hooks/readonly.sh hooks/readonly.sh 0744 root root reliant_install_dracut dracut/99reliant/reliant.service reliant.service 0644 root root reliant_install_dracut dracut/99reliant/scripts/reliant-initramfs.sh scripts/reliant-initramfs.sh 0744 root root reliant_install_dracut dracut/99reliant/scripts/modified-create-snapshot.sh scripts/modified-create-snapshot.sh 0744 root root # reliant-system/qubes-sflc reliant_install_exec qubes-sflc/dm-sflc.ko "/usr/lib/modules/$(uname -r)/extra" reliant_install_exec qubes-sflc/shufflecake shufflecake 0744 root root echo echo "[INFO]: Running post-installation commands..." # reliant-system/common reliant_write_config() { echo "[INFO]: Writing new configuration to /etc/reliant.conf..." cat > /etc/reliant.conf << EOF RELIANT_PARANOID=$RELIANT_PARANOID RELIANT_RW_DOMAINS=$RELIANT_RW_DOMAINS RELIANT_SECURE_DEVICE=$RELIANT_SECURE_DEVICE RELIANT_SKIP_CHECKSUM=$RELIANT_SKIP_CHECKSUM RELIANT_SPARSE_SAMPLES=$RELIANT_SPARSE_SAMPLES EOF } if [ -f /etc/reliant.conf ]; then read -rp "[WARN]: /etc/reliant.conf exists. Overwrite? [Y/N]: " case "$REPLY" in [Yy]* ) reliant_write_config ;; [Nn]* ) echo "[INFO]: Aborted." ;; *) echo "[INFO]: Aborted." ;; esac fi # reliant-system/extra if ! grep -xq ". /etc/default/grub.systemd-volatile-overlay" /etc/default/grub; then echo ". /etc/default/grub.systemd-volatile-overlay" >> /etc/default/grub fi grub2-mkconfig -o /boot/grub2/grub.cfg systemctl daemon-reload systemctl enable shufflecake-close.service # reliant-system/tools surgeon-dissect -t varlibqubes reliant-snapshot-rw # reliant-system/dracut dracut --force --regenerate-all # reliant-system/qubes-sflc depmod echo echo "[INFO]: Installation complete. Reboot to enter protected mode."