mirror of
https://codeberg.org/andersonarc/reliant-system.git
synced 2025-11-13 12:50:38 -05:00
173 lines
6.5 KiB
Bash
Executable file
173 lines
6.5 KiB
Bash
Executable file
#!/usr/bin/bash
|
|
set -eo pipefail
|
|
|
|
# Must be root inside dom0 to run this script
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo "[ERROR]: must be superuser"
|
|
exit 1
|
|
fi
|
|
if [ ! "$HOSTNAME" = "dom0" ]; then
|
|
echo "[ERROR]: must be in dom0"
|
|
exit 1
|
|
fi
|
|
|
|
# Set up the defaults
|
|
: "${RELIANT_PARANOID=false}"
|
|
: "${RELIANT_BIN_DIR:=/usr/local/bin}"
|
|
: "${RELIANT_SBIN_DIR:=/usr/local/sbin}"
|
|
: "${RELIANT_SHARE_DIR:=/usr/local/share/scripts}"
|
|
: "${RELIANT_RW_DOMAINS:=sys-net sys-whonix}"
|
|
: "${RELIANT_DRACUT_DIR:=/usr/lib/dracut/modules.d/99reliant}"
|
|
: "${RELIANT_SYSTEM_ROOT:=/home/$SUDO_USER/reliant-system}"
|
|
: "${RELIANT_SKIP_CHECKSUM:=}"
|
|
: "${RELIANT_SPARSE_SAMPLES:=512}"
|
|
: "${RELIANT_BOOTSTRAP_QUBE:=bootstrap}"
|
|
: "${RELIANT_KERNEL_VERSION:=$(qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" 'uname -r')}"
|
|
|
|
# Validate configuration values
|
|
if [ -z "$RELIANT_SECURE_DEVICE" ]; then
|
|
echo "[ERROR]: RELIANT_SECURE_DEVICE: required value"
|
|
exit 1
|
|
fi
|
|
|
|
# No more variable checks needed
|
|
set -u
|
|
|
|
# Used block devices must be present
|
|
if [ ! -b "$RELIANT_SECURE_DEVICE" ]; then
|
|
echo "[ERROR]: RELIANT_SECURE_DEVICE: $RELIANT_SECURE_DEVICE is not a valid block device"
|
|
exit 1
|
|
fi
|
|
IFS=' '
|
|
for device in $RELIANT_SKIP_CHECKSUM; do
|
|
if [ ! -b "$device" ]; then
|
|
echo "[ERROR]: RELIANT_SKIP_CHECKSUM: $device is not a valid block device"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# RELIANT_PARANOID must be a boolean value
|
|
case "$RELIANT_PARANOID" in
|
|
"true") ;;
|
|
"false") ;;
|
|
*) echo "[ERROR]: RELIANT_PARANOID: $RELIANT_PARANOID is not a valid boolean value"
|
|
exit 1 ;;
|
|
esac
|
|
|
|
# RELIANT_SPARSE_SAMPLES must be an integer
|
|
if ! [ "$RELIANT_SPARSE_SAMPLES" -eq "$RELIANT_SPARSE_SAMPLES" ] 2>/dev/null; then
|
|
echo "[ERROR]: RELIANT_SPARSE_SAMPLES: $RELIANT_SPARSE_SAMPLES is not a valid integer"
|
|
fi
|
|
|
|
# Copies $1 from the bootstrap qube into dom0 with filename $2, permissions $3, owner $4 and group $5
|
|
reliant_install_file() {
|
|
# Verify the number of arguments
|
|
if [ "$#" -ne 5 ]; then
|
|
echo "[ERROR]: reliant_install_file: expected 5 arguments, got $#"
|
|
fi
|
|
|
|
# Report the operation
|
|
echo "[INFO]: reliant_install_file: $1 $2 $3 $4 $5"
|
|
|
|
# Install the file into dom0
|
|
qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" "cat $RELIANT_SYSTEM_ROOT/$1" | install -D -m "$3" -o "$4" -g "$5" /dev/stdin "$2"
|
|
}
|
|
|
|
# Shorthand functions
|
|
reliant_install_bin() {
|
|
reliant_install_file "$1" "$RELIANT_BIN_DIR/$2" "$3" "$4" "$5"
|
|
}
|
|
reliant_install_sbin() {
|
|
reliant_install_file "$1" "$RELIANT_SBIN_DIR/$2" "$3" "$4" "$5"
|
|
}
|
|
reliant_install_share() {
|
|
reliant_install_file "$1" "$RELIANT_SHARE_DIR/$2" "$3" "$4" "$5"
|
|
}
|
|
reliant_install_dracut() {
|
|
reliant_install_file "$1" "$RELIANT_DRACUT_DIR/$2" "$3" "$4" "$5"
|
|
}
|
|
|
|
# Run the build script inside of the bootstrap qube
|
|
echo "[INFO]: Building $RELIANT_BOOTSTRAP_QUBE:$RELIANT_SYSTEM_ROOT for kernel $RELIANT_KERNEL_VERSION..."
|
|
qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" "sh -c 'cd $RELIANT_SYSTEM_ROOT && ./build.sh'"
|
|
|
|
# Begin the installation process
|
|
echo "[INFO]: Installing reliant-system from $RELIANT_BOOTSTRAP_QUBE:$RELIANT_SYSTEM_ROOT..."
|
|
|
|
# reliant-system/common
|
|
reliant_install_share common/reliant-common.sh reliant-common.sh 0644 root root
|
|
|
|
# reliant-system/extra
|
|
reliant_install_file extra/overlay.conf /etc/dracut.conf.d/overlay.conf 0644 root root
|
|
reliant_install_file extra/grub.systemd-volatile-overlay /etc/default/grub.systemd-volatile-overlay 0644 root root
|
|
reliant_install_file extra/shufflecake-close.service /etc/systemd/system/shufflecake-close.service 0644 root root
|
|
reliant_install_share extra/shufflecake-close.sh shufflecake-close.sh 0744 root root
|
|
|
|
# reliant-system/tools
|
|
reliant_install_sbin tools/reliant-hash reliant-hash 0744 root root
|
|
reliant_install_sbin tools/reliant-seal reliant-seal 0744 root root
|
|
reliant_install_sbin tools/reliant-mount reliant-mount 0744 root root
|
|
reliant_install_sbin tools/reliant-unseal reliant-unseal 0744 root root
|
|
reliant_install_sbin tools/reliant-status reliant-status 0744 root root
|
|
reliant_install_sbin tools/surgeon-suture surgeon-suture 0744 root root
|
|
reliant_install_sbin tools/surgeon-dissect surgeon-dissect 0744 root root
|
|
reliant_install_sbin tools/reliant-security reliant-security 0744 root root
|
|
reliant_install_sbin tools/reliant-snapshot-rw reliant-snapshot-rw 0744 root root
|
|
reliant_install_bin tools/reliant-print-config reliant-print-config 0755 root root
|
|
|
|
# reliant-system/dracut
|
|
reliant_install_dracut dracut/99reliant/module-setup.sh module-setup.sh 0744 root root
|
|
reliant_install_dracut dracut/99reliant/reliant.service reliant.service 0644 root root
|
|
reliant_install_dracut dracut/99reliant/scripts/readonly.sh scripts/readonly.sh 0744 root root
|
|
reliant_install_dracut dracut/99reliant/scripts/reliant-initramfs.sh scripts/reliant-initramfs.sh 0744 root root
|
|
reliant_install_dracut dracut/99reliant/patches/create-snapshot.sh patches/create-snapshot.sh 0755 root root
|
|
|
|
# reliant-system/qubes-sflc
|
|
reliant_install_file qubes-sflc/dm-sflc.ko "/usr/lib/modules/$RELIANT_KERNEL_VERSION/extra/dm-sflc.ko" 0644 root root
|
|
reliant_install_sbin qubes-sflc/shufflecake shufflecake 0744 root root
|
|
|
|
echo "[INFO]: Successfully copied files to dom0."
|
|
echo "[INFO]: Running post-installation commands..."
|
|
|
|
# reliant-system/common
|
|
reliant_write_config() {
|
|
echo "[INFO]: Writing new configuration to /etc/reliant.conf..."
|
|
cat > /etc/reliant.conf << EOF
|
|
RELIANT_PARANOID=$RELIANT_PARANOID
|
|
RELIANT_RW_DOMAINS=$RELIANT_RW_DOMAINS
|
|
RELIANT_SECURE_DEVICE=$RELIANT_SECURE_DEVICE
|
|
RELIANT_SKIP_CHECKSUM=$RELIANT_SKIP_CHECKSUM
|
|
RELIANT_SPARSE_SAMPLES=$RELIANT_SPARSE_SAMPLES
|
|
EOF
|
|
}
|
|
if [ -f /etc/reliant.conf ]; then
|
|
read -rp "[WARN]: /etc/reliant.conf exists. Overwrite? [Y/N]: "
|
|
case "$REPLY" in
|
|
[Yy]* ) reliant_write_config ;;
|
|
[Nn]* ) echo "[INFO]: Aborted." ;;
|
|
*) echo "[INFO]: Aborted." ;;
|
|
esac
|
|
else
|
|
reliant_write_config
|
|
fi
|
|
|
|
# reliant-system/extra
|
|
if ! grep -xq ". /etc/default/grub.systemd-volatile-overlay" /etc/default/grub; then
|
|
echo ". /etc/default/grub.systemd-volatile-overlay" >> /etc/default/grub
|
|
fi
|
|
grub2-mkconfig -o /boot/grub2/grub.cfg
|
|
systemctl daemon-reload
|
|
systemctl enable shufflecake-close.service
|
|
|
|
# reliant-system/tools
|
|
surgeon-dissect -t varlibqubes
|
|
reliant-snapshot-rw
|
|
|
|
# reliant-system/qubes-sflc
|
|
depmod -a "$RELIANT_KERNEL_VERSION"
|
|
|
|
# reliant-system/dracut
|
|
dracut --force --regenerate-all
|
|
|
|
# Report successful installation
|
|
echo "[INFO]: Installation complete. Reboot to enter Protected Mode."
|