From 0399df8c25caccd26ef61b703d6b1c43a7ddcec9 Mon Sep 17 00:00:00 2001 From: Anton Hvornum Date: Tue, 30 Jun 2020 21:22:28 +0000 Subject: Working partition and encryption+mount phase. Now to the installer and re-work that. --- .gitignore | 1 + helpers/disk.py | 185 ++++++++++++++++++++++++++++++++------------ helpers/general.py | 32 ++------ helpers/user_interaction.py | 2 +- installer.py | 34 ++++---- 5 files changed, 166 insertions(+), 88 deletions(-) diff --git a/.gitignore b/.gitignore index 38e33532..181ea78b 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ SAFETY_LOCK **/**old.* **/**.img +**/**pwfile diff --git a/helpers/disk.py b/helpers/disk.py index ad72565d..1c0a544c 100644 --- a/helpers/disk.py +++ b/helpers/disk.py @@ -1,6 +1,7 @@ import glob, re, os, json from collections import OrderedDict from helpers.general import sys_command +from exceptions import * ROOT_DIR_PATTERN = re.compile('^.*?/devices') GPT = 0b00000001 @@ -9,76 +10,164 @@ class BlockDevice(): def __init__(self, path, info): self.path = path self.info = info - if not 'backplane' in self.info: - self.info['backplane'] = self.find_backplane(self.info) - def find_backplane(self, info): - if not 'type' in info: raise DiskError(f'Could not locate backplane info for "{self.path}"') - - if info['type'] == 'loop': + @property + def device(self): + """ + Returns the actual device-endpoint of the BlockDevice. + If it's a loop-back-device it returns the back-file, + If it's a ATA-drive it returns the /dev/X device + And if it's a crypto-device it returns the parent device + """ + if not 'type' in self.info: raise DiskError(f'Could not locate backplane info for "{self.path}"') + + if self.info['type'] == 'loop': for drive in json.loads(b''.join(sys_command(f'losetup --json', hide_from_log=True)).decode('UTF_8'))['loopdevices']: if not drive['name'] == self.path: continue return drive['back-file'] - elif info['type'] == 'disk': + elif self.info['type'] == 'disk': return self.path - elif info['type'] == 'crypt': - if not 'pkname' in info: raise DiskError(f'A crypt device ({self.path}) without a parent kernel device name.') - return f"/dev/{info['pkname']}" + elif self.info['type'] == 'crypt': + if not 'pkname' in self.info: raise DiskError(f'A crypt device ({self.path}) without a parent kernel device name.') + return f"/dev/{self.info['pkname']}" + + @property + def partitions(self): + o = b''.join(sys_command(f'partprobe {self.path}')) + + parts = OrderedDict() + #o = b''.join(sys_command('/usr/bin/lsblk -o name -J -b {dev}'.format(dev=dev))) + o = b''.join(sys_command(f'/usr/bin/lsblk -J {self.path}')) + if b'not a block device' in o: + raise DiskError(f'Can not read partitions off something that isn\'t a block device: {self.path}') + + if not o[:1] == b'{': + raise DiskError(f'Error getting JSON output from:', f'/usr/bin/lsblk -J {self.path}') + + r = json.loads(o.decode('UTF-8')) + if len(r['blockdevices']) and 'children' in r['blockdevices'][0]: + root_path = f"/dev/{r['blockdevices'][0]['name']}" + for part in r['blockdevices'][0]['children']: + part_id = part['name'][len(os.path.basename(self.path)):] + parts[part_id] = { + 'size' : part['size'], + 'id' : part_id, + 'path' : root_path + part_id + } + + return {k: parts[k] for k in sorted(parts)} + + @property + def partition(self): + all_partitions = self.partitions + return [all_partitions[k] for k in all_partitions] def __repr__(self, *args, **kwargs): - return f'BlockDevice(path={self.path})' + return f"BlockDevice({self.device})" def __getitem__(self, key, *args, **kwargs): if not key in self.info: raise KeyError(f'{self} does not contain information: "{key}"') return self.info[key] -# def __enter__(self, *args, **kwargs): -# return self -# -# def __exit__(self, *args, **kwargs): -# print('Exit:', args, kwargs) -# b''.join(sys_command(f'sync', *args, **kwargs, hide_from_log=True)) +class luks2(): + def __init__(self, filesystem): + self.filesystem = filesystem + + def __enter__(self): + return self -class Formatter(): + def __exit__(self, *args, **kwargs): + # TODO: https://stackoverflow.com/questions/28157929/how-to-safely-handle-an-exception-inside-a-context-manager + if len(args): + raise args[1] + return True + + def encrypt(self, partition, password, key_size=512, hash_type='sha512', iter_time=10000, key_file=None): + if not key_file: key_file = f'/tmp/{os.path.basename(self.filesystem.blockdevice.device)}.disk_pw' #TODO: Make disk-pw-file randomly unique? + if type(password) != bytes: password = bytes(password, 'UTF-8') + + with open(key_file, 'wb') as fh: + fh.write(password) + + o = b''.join(sys_command(f'/usr/bin/cryptsetup -q -v --type luks2 --pbkdf argon2i --hash {hash_type} --key-size {key_size} --iter-time {iter_time} --key-file {os.path.abspath(key_file)} --use-urandom luksFormat {partition["path"]}')) + if not b'Command successful.' in o: + raise DiskError(f'Could not encrypt volume "{partition["path"]}": {o}') + + return key_file + + def mount(self, partition, mountpoint, key_file): + """ + Mounts a lukts2 compatible partition to a certain mountpoint. + Keyfile must be specified as there's no way to interact with the pw-prompt atm. + + :param mountpoint: The name without absolute path, for instance "luksdev" will point to /dev/mapper/luksdev + :type mountpoint: str + """ + if '/' in mountpoint: os.path.basename(mountpoint) # TODO: Raise exception instead? + sys_command(f'/usr/bin/cryptsetup open {partition["path"]} {mountpoint} --key-file {os.path.abspath(key_file)} --type luks2') + return os.path.islink(f'/dev/mapper/{mountpoint}') + + def close(self, mountpoint): + sys_command(f'cryptsetup close /dev/mapper/{mountpoint}') + return os.path.islink(f'/dev/mapper/{mountpoint}') is False + +class Filesystem(): + # TODO: + # When instance of a HDD is selected, check all usages and gracefully unmount them + # as well as close any crypto handles. def __init__(self, blockdevice, mode=GPT): self.blockdevice = blockdevice self.mode = mode def __enter__(self, *args, **kwargs): - print(f'Formatting {self.blockdevice} as {self.mode}:', args, kwargs) - return self + if self.mode == GPT: + if sys_command(f'/usr/bin/parted -s {self.blockdevice.device} mklabel gpt',).exit_code == 0: + return self + else: + raise DiskError(f'Problem setting the partition format to GPT:', f'/usr/bin/parted -s {self.blockdevice.device} mklabel gpt') + else: + raise DiskError(f'Unknown mode selected to format in: {self.mode}') def __exit__(self, *args, **kwargs): - print('Exit:', args, kwargs) - b''.join(sys_command(f'sync', *args, **kwargs, hide_from_log=True)) - - def format_disk(drive='drive', start='start', end='size', emulate=False, *positionals, **kwargs): - drive = args[drive] - start = args[start] - end = args[end] - if not drive: - raise ValueError('Need to supply a drive path, for instance: /dev/sdx') - - if not SAFETY_LOCK: - # dd if=/dev/random of=args['drive'] bs=4096 status=progress - # https://github.com/dcantrell/pyparted would be nice, but isn't officially in the repo's #SadPanda - #if sys_command(f'/usr/bin/parted -s {drive} mklabel gpt', emulate=emulate, *positionals, **kwargs).exit_code != 0: - # return None - if sys_command(f'/usr/bin/parted -s {drive} mklabel gpt', emulate=emulate, *positionals, **kwargs).exit_code != 0: - return None - if sys_command(f'/usr/bin/parted -s {drive} mkpart primary FAT32 1MiB {start}', emulate=emulate, *positionals, **kwargs).exit_code != 0: - return None - if sys_command(f'/usr/bin/parted -s {drive} name 1 "EFI"', emulate=emulate, *positionals, **kwargs).exit_code != 0: - return None - if sys_command(f'/usr/bin/parted -s {drive} set 1 esp on', emulate=emulate, *positionals, **kwargs).exit_code != 0: - return None - if sys_command(f'/usr/bin/parted -s {drive} set 1 boot on', emulate=emulate, *positionals, **kwargs).exit_code != 0: - return None - if sys_command(f'/usr/bin/parted -s {drive} mkpart primary {start} {end}', emulate=emulate, *positionals, **kwargs).exit_code != 0: - return None - + b''.join(sys_command(f'sync')) + + def raw_parted(self, string:str): + x = sys_command(f'/usr/bin/parted -s {string}') + o = b''.join(x) + return x + + def parted(self, string:str): + """ + Performs a parted execution of the given string + + :param string: A raw string passed to /usr/bin/parted -s + :type string: str + """ + return self.raw_parted(string).exit_code + + def use_entire_disk(self, prep_mode=None): + self.add_partition('primary', start='1MiB', end='513MiB', format='fat32') + self.set_name(0, 'EFI') + self.set(0, 'boot on') + self.set(0, 'esp on') # TODO: Redundant, as in GPT mode it's an alias for "boot on"? https://www.gnu.org/software/parted/manual/html_node/set.html + if prep_mode == 'luks2': + self.add_partition('primary', start='513MiB', end='100%') + else: + self.add_partition('primary', start='1MiB', end='513MiB', format='ext4') + + def add_partition(self, type, start, end, format=None): + if format: + return self.parted(f'{self.blockdevice.device} mkpart {type} {format} {start} {end}') == 0 + else: + return self.parted(f'{self.blockdevice.device} mkpart {type} {start} {end}') == 0 + + def set_name(self, partition:int, name:str): + return self.parted(f'{self.blockdevice.device} name {partition+1} "{name}"') == 0 + + def set(self, partition:int, string:str): + return self.parted(f'{self.blockdevice.device} set {partition+1} {string}') == 0 def device_state(name, *args, **kwargs): # Based out of: https://askubuntu.com/questions/528690/how-to-get-list-of-all-non-removable-disk-device-names-ssd-hdd-and-sata-ide-onl/528709#528709 diff --git a/helpers/general.py b/helpers/general.py index 2b730c60..036d2d68 100644 --- a/helpers/general.py +++ b/helpers/general.py @@ -16,9 +16,9 @@ class sys_command():#Thread): def __init__(self, cmd, callback=None, start_callback=None, *args, **kwargs): if not 'worker_id' in kwargs: kwargs['worker_id'] = gen_uid() if not 'emulate' in kwargs: kwargs['emulate'] = False - #Thread.__init__(self) if kwargs['emulate']: log(f"Starting command '{cmd}' in emulation mode.") + self.raw_cmd = cmd self.cmd = shlex.split(cmd) self.args = args self.kwargs = kwargs @@ -37,22 +37,15 @@ class sys_command():#Thread): self.exec_dir = f'{self.cwd}/{os.path.basename(self.cmd[0])}_workingdir' if not self.cmd[0][0] == '/': - log('Worker command is not executed with absolute path, trying to find: {}'.format(self.cmd[0]), origin='spawn', level=5) + #log('Worker command is not executed with absolute path, trying to find: {}'.format(self.cmd[0]), origin='spawn', level=5) o = check_output(['/usr/bin/which', self.cmd[0]]) - log('This is the binary {} for {}'.format(o.decode('UTF-8'), self.cmd[0]), origin='spawn', level=5) + #log('This is the binary {} for {}'.format(o.decode('UTF-8'), self.cmd[0]), origin='spawn', level=5) self.cmd[0] = o.decode('UTF-8').strip() if not os.path.isdir(self.exec_dir): os.makedirs(self.exec_dir) - if self.kwargs['emulate']: - commandlog.append(cmd + ' # (emulated)') - elif 'hide_from_log' in self.kwargs and self.kwargs['hide_from_log']: - pass - else: - commandlog.append(cmd) if start_callback: start_callback(self, *args, **kwargs) - #self.start() self.run() def __iter__(self, *args, **kwargs): @@ -78,16 +71,6 @@ class sys_command():#Thread): } def run(self): - #main = None - #for t in tenum(): - # if t.name == 'MainThread': - # main = t - # break - - #if not main: - # log('Main thread not existing') - # return - self.status = 'running' old_dir = os.getcwd() os.chdir(self.exec_dir) @@ -124,8 +107,7 @@ class sys_command():#Thread): break if 'debug' in self.kwargs and self.kwargs['debug'] and len(output): - log(self.cmd[0], 'gave:', output.decode('UTF-8')) - log(self.cmd[0],'gave:', output.decode('UTF-8'), origin='spawn', level=4) + log(self.cmd, 'gave:', output.decode('UTF-8')) if 'on_output' in self.kwargs: self.kwargs['on_output'](self.kwargs['worker'], output) @@ -189,10 +171,10 @@ class sys_command():#Thread): self.exit_code = 0 if self.exit_code != 0: - log(f"{self.cmd} did not exit gracefully, exit code {self.exit_code}.", origin='spawn', level=3) + log(f"'{self.raw_cmd}' did not exit gracefully, exit code {self.exit_code}.", origin='spawn', level=3) log(self.trace_log.decode('UTF-8'), origin='spawn', level=3) - else: - log(f"{self.cmd[0]} exit nicely.", origin='spawn', level=5) + #else: + #log(f"{self.cmd[0]} exit nicely.", origin='spawn', level=5) self.ended = time.time() with open(f'{self.cwd}/trace.log', 'wb') as fh: diff --git a/helpers/user_interaction.py b/helpers/user_interaction.py index 1b7e85cf..c19919c6 100644 --- a/helpers/user_interaction.py +++ b/helpers/user_interaction.py @@ -4,7 +4,7 @@ def select_disk(dict_o_disks): drives = sorted(list(dict_o_disks.keys())) if len(drives) > 1: for index, drive in enumerate(drives): - print(f"{index}: {drive} ({dict_o_disks[drive]['size'], dict_o_disks[drive]['backplane'], dict_o_disks[drive]['label']})") + print(f"{index}: {drive} ({dict_o_disks[drive]['size'], dict_o_disks[drive].device, dict_o_disks[drive]['label']})") drive = input('Select one of the above disks (by number or full path): ') if drive.isdigit(): drive = dict_o_disks[drives[int(drive)]] diff --git a/installer.py b/installer.py index 5c7d4467..91a8139a 100644 --- a/installer.py +++ b/installer.py @@ -1,22 +1,28 @@ import archinstall, getpass -selected_hdd = archinstall.select_disk(archinstall.all_disks()) -disk_password = getpass.getpass(prompt='Disk password (won\'t echo): ') +archinstall.sys_command(f'cryptsetup close /dev/mapper/luksloop') -with archinstall.Formatter(selected_hdd, archinstall.GPT) as formatter: - exit(1) - disk.encrypt('luks2', password=disk_password, key_size=512, hash_type='sha512', iter_time=10000, key_file='./pwfile') +#selected_hdd = archinstall.select_disk(archinstall.all_disks()) +selected_hdd = archinstall.all_disks()['/dev/loop0'] +disk_password = '1234' # getpass.getpass(prompt='Disk password (won\'t echo): ') - root_partition = disk.partition['/'] +with archinstall.Filesystem(selected_hdd, archinstall.GPT) as fs: + fs.use_entire_disk('luks2') + with archinstall.luks2(fs) as crypt: + if selected_hdd.partition[1]['size'] == '512M': + raise OSError('Trying to encrypt the boot partition for petes sake..') -with archinstall.installer(root_partition, hostname='testmachine') as installation: - if installation.minimal_installation(): - installation.add_bootloader() + key_file = crypt.encrypt(selected_hdd.partition[1], password=disk_password, key_size=512, hash_type='sha512', iter_time=10000, key_file='./pwfile') + crypt.mount(selected_hdd.partition[1], 'luksloop', key_file) + exit(1) + with archinstall.installer(root_partition, hostname='testmachine') as installation: + if installation.minimal_installation(): + installation.add_bootloader() - installation.add_additional_packages(['nano', 'wget', 'git']) - installation.install_profile('desktop') + installation.add_additional_packages(['nano', 'wget', 'git']) + installation.install_profile('desktop') - installation.user_create('anton', 'test') - installation.user_set_pw('root', 'toor') + installation.user_create('anton', 'test') + installation.user_set_pw('root', 'toor') - installation.add_AUR_support() \ No newline at end of file + installation.add_AUR_support() \ No newline at end of file -- cgit v1.2.3-70-g09d2