Git-Mirrors/reliant-system
1
0
Fork 0
mirror of https://codeberg.org/andersonarc/reliant-system.git synced 2025-11-13 12:50:38 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
reliant-system/install.sh
Anderson Rosenberg 73363c8160
dev release
2025-08-26 17:25:16 -04:00

159 lines
5.8 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/bash
set -eo pipefail
# Must be root inside dom0 to run this script
if [ "$EUID" -ne 0 ]; then
echo "[ERROR]: must be superuser"
exit 1
fi
if [ ! "$HOSTNAME" = "dom0" ]; then
echo "[ERROR]: must be in dom0"
exit 1
fi
# Set up the defaults
: "${RELIANT_PARANOID=false}"
: "${RELIANT_EXEC_DIR:=/usr/local/bin}"
: "${RELIANT_SHARE_DIR:=/usr/local/share/scripts}"
: "${RELIANT_RW_DOMAINS:=sys-net sys-whonix}"
: "${RELIANT_DRACUT_DIR:=/usr/lib/dracut/modules.d/99reliant}"
: "${RELIANT_SYSTEM_ROOT:=/home/$USER/reliant-system}"
: "${RELIANT_SKIP_CHECKSUM:=}"
: "${RELIANT_SPARSE_SAMPLES:=512}"
: "${RELIANT_BOOTSTRAP_QUBE:=bootstrap}"
# Validate configuration values
if [ -z "$RELIANT_SECURE_DEVICE" ]; then
echo "[ERROR]: RELIANT_SECURE_DEVICE: required value"
exit 1
fi
# Used block devices must be present
if [ ! -b "$RELIANT_SECURE_DEVICE" ]; then
echo "[ERROR]: RELIANT_SECURE_DEVICE: $RELIANT_SECURE_DEVICE is not a valid block device"
exit 1
fi
IFS=' '
for device in $RELIANT_SKIP_CHECKSUM; do
if [ ! -b "$device" ]; then
echo "[ERROR]: RELIANT_SKIP_CHECKSUM: $device is not a valid block device"
exit 1
fi
done
# RELIANT_PARANOID must be a boolean value
case "$RELIANT_PARANOID" in
"true") ;;
"false") ;;
*) echo "[ERROR]: RELIANT_PARANOID: $RELIANT_PARANOID is not a valid boolean value"
exit 1 ;;
esac
# RELIANT_SPARSE_SAMPLES must be an integer
if ! [ "$RELIANT_SPARSE_SAMPLES" -eq "$RELIANT_SPARSE_SAMPLES" ] 2>/dev/null; then
echo "[ERROR]: RELIANT_SPARSE_SAMPLES: $RELIANT_SPARSE_SAMPLES is not a valid integer"
fi
# Copies $1 from the bootstrap qube into dom0 with filename $2, permissions $3, owner $4 and group $5
reliant_install_file() {
# Verify the number of arguments
if [ "$#" -ne 4 ]; then
echo "[ERROR]: reliant_install_file: expected 5 arguments, got $#"
fi
# Report the operation
echo "[INFO]: reliant_install_file: $1 $2 $3 $4 $5"
# Install the file into dom0
qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" "cat $RELIANT_SYSTEM_ROOT/$1" | install -D -m "$3" -o "$4" -g "$5" /dev/stdin "$2"
}
# Shorthand functions
reliant_install_exec() {
reliant_install_file "$1" "$RELIANT_EXEC_DIR/$2" "$3" "$4" "$5"
}
reliant_install_share() {
reliant_install_file "$1" "$RELIANT_SHARE_DIR/$2" "$3" "$4" "$5"
}
reliant_install_dracut() {
reliant_install_file "$1" "$RELIANT_DRACUT_DIR/$2" "$3" "$4" "$5"
}
# Begin the installation process
echo "[INFO]: Installing reliant-system from $RELIANT_BOOTSTRAP_QUBE:$RELIANT_SYSTEM_ROOT..."
# reliant-system/common
reliant_install_share common/reliant-common.sh reliant-common.sh 0644 root root
# reliant-system/extra
reliant_install_file extra/overlay.conf /etc/dracut.conf.d/overlay.conf 0644 root root
reliant_install_file extra/grub.systemd-volatile-overlay /etc/default/grub.systemd-volatile-overlay 0644 root root
reliant_install_file extra/shufflecake-close.service /etc/systemd/system/shufflecake-close.service 0644 root root
reliant_install_share extra/shufflecake-close.sh shufflecake-close.sh 0744 root root
# reliant-system/tools
reliant_install_exec tools/reliant-hash reliant-hash 0744 root root
reliant_install_exec tools/reliant-seal reliant-seal 0744 root root
reliant_install_exec tools/reliant-mount reliant-mount 0744 root root
reliant_install_exec tools/reliant-unseal reliant-unseal 0744 root root
reliant_install_exec tools/reliant-status reliant-status 0744 root root
reliant_install_exec tools/surgeon-suture surgeon-suture 0744 root root
reliant_install_exec tools/surgeon-dissect surgeon-dissect 0744 root root
reliant_install_exec tools/reliant-security reliant-security 0744 root root
reliant_install_exec tools/reliant-snapshot-rw reliant-snapshot-rw 0744 root root
reliant_install_exec tools/reliant-print-config reliant-print-config 0744 root root
# reliant-system/dracut
reliant_install_dracut dracut/99reliant/module-setup.sh module-setup.sh 0744 root root
reliant_install_dracut dracut/99reliant/hooks/readonly.sh hooks/readonly.sh 0744 root root
reliant_install_dracut dracut/99reliant/reliant.service reliant.service 0644 root root
reliant_install_dracut dracut/99reliant/scripts/reliant-initramfs.sh scripts/reliant-initramfs.sh 0744 root root
reliant_install_dracut dracut/99reliant/scripts/modified-create-snapshot.sh scripts/modified-create-snapshot.sh 0744 root root
# reliant-system/qubes-sflc
reliant_install_exec qubes-sflc/dm-sflc.ko "/usr/lib/modules/$(uname -r)/extra"
reliant_install_exec qubes-sflc/shufflecake shufflecake 0744 root root
echo
echo "[INFO]: Running post-installation commands..."
# reliant-system/common
reliant_write_config() {
echo "[INFO]: Writing new configuration to /etc/reliant.conf..."
cat > /etc/reliant.conf << EOF
RELIANT_PARANOID=$RELIANT_PARANOID
RELIANT_RW_DOMAINS=$RELIANT_RW_DOMAINS
RELIANT_SECURE_DEVICE=$RELIANT_SECURE_DEVICE
RELIANT_SKIP_CHECKSUM=$RELIANT_SKIP_CHECKSUM
RELIANT_SPARSE_SAMPLES=$RELIANT_SPARSE_SAMPLES
EOF
}
if [ -f /etc/reliant.conf ]; then
read -rp "[WARN]: /etc/reliant.conf exists. Overwrite? [Y/N]: "
case "$REPLY" in
[Yy]* ) reliant_write_config ;;
[Nn]* ) echo "[INFO]: Aborted." ;;
*) echo "[INFO]: Aborted." ;;
esac
fi
# reliant-system/extra
if ! grep -xq ". /etc/default/grub.systemd-volatile-overlay" /etc/default/grub; then
echo ". /etc/default/grub.systemd-volatile-overlay" >> /etc/default/grub
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
systemctl daemon-reload
systemctl enable shufflecake-close.service
# reliant-system/tools
surgeon-dissect -t varlibqubes
reliant-snapshot-rw
# reliant-system/dracut
dracut --force --regenerate-all
# reliant-system/qubes-sflc
depmod
echo
echo "[INFO]: Installation complete. Reboot to enter protected mode."
Reference in a new issue View git blame Copy permalink