diff --git a/README.md b/README.md
index 009b221..77a3bac 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ There are a few overridable variables that control configuration elements of Hal
 - `SECBOOT`: Default is `true`. This will control whether or not Secure Boot keys are generated and enrolled. Disable if your system does not support Secure Boot.
 - `REQSIG`: Default is `true`. This will control whether or not update images and overlays require signatures. Disable ONLY for testing or development purposes.
-Disabling `SECBOOT` or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily.
+Disabling `SECBOOT`, `TPM`, or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily.
 ## Signing Keys
diff --git a/build/build-image.sh b/build/build-image.sh
index 4245056..5e009ed 100755
--- a/build/build-image.sh
+++ b/build/build-image.sh
@@ -12,7 +12,7 @@ echo "========== VERSION ==========="
 echo "Version: $VERSION"
 echo "Distfiles path: $DISTPATH"
 echo -n "Distribution URL: "
-if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"
+if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"; DISTURL="none"
 else echo "$DISTURL"; fi
 echo "========== SECURITY =========="
 echo -en "Secure Boot: \t\t"
@@ -20,10 +20,10 @@ if [ "$SECBOOT" == "true" ]; then echo "Enabled"
 else echo "Disabled"; SECURESYS="false"; fi
 echo -en "TPM Security: \t"
 if [ "$TPM" == "true" ]; then echo "Enabled"
-else echo "Disabled"; fi
+else echo "Disabled"; SECURESYS="false"; fi
 echo -en "Signature required: \t"
 if [ "$REQSIG" == "true" ]; then echo "Enabled"
-else echo "Disabled"; unset SECURESYS="false"; fi
+else echo "Disabled"; SECURESYS="false"; fi
 echo -en "Overall security: \t"
 if [ "$SECURESYS" == "true" ]; then echo "Intact"
 else echo "Degraded"; fi
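Review bot: The test on the new `if [ -n "$DISTURL" ]` line is inverted: `-n` is true when DISTURL is non-empty, so a build that does supply a distribution URL prints "Not set, OTA disabled" and then overwrites the URL with `DISTURL="none"`, while a build with no URL takes the else branch and echoes an empty string. The `DISTURL="none"` assignment added here turns the pre-existing inversion into data loss, because the clobbered value is what the later release.meta step records as `OTA=`. Change the condition to `if [ -z "$DISTURL" ]; then echo "Not set, OTA disabled"; DISTURL="none"`.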
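Review bot: Nothing in this hunk ever sets SECURESYS to "true"; all three checks only assign "false", so the "Intact" verdict depends on an assignment that must live before line 20, outside the hunk. If that value comes from the build environment rather than an explicit `SECURESYS="true"` placed immediately before the Secure Boot check, the verdict, and the securesys flag later recorded in the image, is whatever the caller exported; please confirm it is initialised in the script. Replacing `unset SECURESYS="false"` with a plain assignment is the right fix, since bash rejects `unset` with a `NAME=value` argument as an invalid identifier and the variable was never cleared.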
@@ -31,6 +31,7 @@ echo "=============================="
 set -x
+export $DISTPATH
 mkdir -p "$DISTPATH"
 # Gentoo setup
@@ -38,13 +39,23 @@ mkdir -p /var/db/repos/gentoo
 rm -f /var/db/repos/gentoo/metadata/timestamp.x
 emerge-webrsync --quiet
 eselect profile set default/linux/amd64/23.0/musl/hardened/selinux
+# STOP TELLING ME ABOUT THE NEWS
+eselect news read new > /dev/null
-# SquashFS tools needed for image generation
-emerge --quiet squashfs-tools
+# squashfs-tools needed for image mksquashfs for image generation
+# gentoolkit needed for euse for setting use flags
+emerge --quiet squashfs-tools gentoolkit
 # Copy in package list
 mkdir -p /etc/portage/sets
-cp /build/packages.txt /etc/portage/sets/halogenos
+cp /build/emerge/packages.txt /etc/portage/sets/halogenos
+cp -r /build/emerge/package.use /etc/portage/
+
+# We have to ensure use.disable contains at least one flag
+# Otherwise euse -D will disable all global use flags
+if [[ "$(cat /build/emerge/use.disable)" = *[![:space:]]* ]]; then
+ euse -D "$(cat /build/emerge/use.disable)"
+fi
 # Set install location
 export ROOT="$DISTPATH"
@@ -65,6 +76,11 @@ mkdir -p "$DISTPATH"/usr/share/halogenos
 mkdir "$DISTPATH"/usr/share/halogenos/keys
 mkdir "$DISTPATH"/usr/share/halogenos/bin
+cp -r /build/include/* "$DISTPATH"/
+
+# Install gvisor OCI runtime
+/build/external/gvisor.sh
+
 # Require inclusion of public key if $REQSIG is true
 if [ "$REQSIG" == "true" ]; then
 cp /run/secrets/signing_key_public "$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
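Review bot: `+export $DISTPATH` exports a variable named after the value of DISTPATH (e.g. `/build/dist`), not DISTPATH itself; bash rejects that name with "not a valid identifier" and DISTPATH stays unexported. The child script `/build/external/gvisor.sh` added in this commit reads `$DISTPATH` and would see it empty, so its final `mv … "$DISTPATH"/usr/local/bin` would drop the runtime binaries into the build container's own `/usr/local/bin` instead of the image root. Whether the failed export aborts the build depends on `set -e`, which is not visible in this hunk (only `set -x` is). Change it to `export DISTPATH`.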
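Review bot: `euse -D "$(cat /build/emerge/use.disable)"` hands the whole file to euse as one argument, so as soon as use.disable lists more than one flag, or spreads them over several lines, euse receives a single "flag" containing whitespace rather than a list; I would expect it to reject or mis-apply that. Read the file into an array and pass the elements instead: `read -r -d '' -a use_disable < /build/emerge/use.disable || true` (the `|| true` only covers read's non-zero EOF status) followed by `if (( ${#use_disable[@]} )); then euse -D "${use_disable[@]}"; fi`. That also makes the `*[![:space:]]*` guard above redundant, since a blank file yields an empty array and the dangerous bare `euse -D` is never reached.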
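Review bot: `/build/external/gvisor.sh` is invoked without checking its result, yet the containers.conf installed by the preceding `cp -r /build/include/*` makes `runsc` the only configured runtime; if the download, checksum or final `mv` inside that script fails, the image is still produced and every container start fails on the device. The script moves into `"$DISTPATH"/usr/local/bin`, and nothing in this hunk creates that directory (only `…/halogenos/keys` and `…/halogenos/bin` are made), so unless a package installed under `ROOT` provides it, `mv` with two sources will refuse the non-directory target. Add `mkdir -p "$DISTPATH"/usr/local/bin` before the call and make the failure fatal with `/build/external/gvisor.sh || { echo "gvisor install failed" >&2; exit 1; }`, unless `set -e` is already active in this script (not visible here).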
@@ -79,20 +95,18 @@ fi
 # Metadata & build-time configs
 mkdir "$DISTPATH"/usr/share/halogenos/meta
-echo "$VERSION" > "$DISTPATH"/usr/share/halogenos/meta/version
-if [ -n "$DISTURL" ]; then echo "$DISTURL" > "$DISTPATH"/usr/share/halogenos/meta/ota
-else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/ota; fi
-if [ "$SECBOOT" == "true" ]; then echo "ENABLED" > "$DISTPATH"/usr/share/halogenos/meta/secboot
-else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/secboot; fi
-if [ "$TPM" == "true" ]; then echo "ENABLED" > "$DISTPATH"/usr/share/halogenos/meta/tpm
-else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/tpm; fi
-if [ "$SECURESYS" == "true" ]; then echo "TRUE" > "$DISTPATH"/usr/share/halogenos/meta/securesys
-else echo "FALSE" > "$DISTPATH"/usr/share/halogenos/meta/securesys; fi
+echo "VERSION=$VERSION
+OTA=$DISTURL
+TPM=$TPM
+REQSIG=$REQSIG
+SECBOOT=$SECBOOT
+SECURESYS=$SECURESYS" > "$DISTPATH"/usr/share/halogenos/release.meta
 # Make any additional config changes
 # Create images dir and img files
 mkdir -p /build/images
+cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/
 dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
 mkfs.ext4 /build/images/usr.img
 dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M
@@ -106,4 +120,6 @@ mount /build/images/usr.img /mnt/usr
 cp /build/artifacts/usr.squashfs /mnt/usr
 umount /mnt/usr
-# Build verity
\ No newline at end of file
+# Build verity
+
+tar -czf /build/images/usr.img /build/images/verity.img /build/images/
\ No newline at end of file
diff --git a/build/emerge/packages.txt b/build/emerge/packages.txt
new file mode 100644
index 0000000..b0890fe
--- /dev/null
+++ b/build/emerge/packages.txt
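Review bot: The removed code normalised every flag to ENABLED/DISABLED or TRUE/FALSE before writing it, whereas the new `release.meta` echo records the raw environment strings: a build run with `TPM=` (unset) or `TPM=yes` is reported as "Disabled" by the banner earlier in the script but stored as `TPM=` / `TPM=yes` in the image, so any consumer that does not compare against the exact string `true` sees a different security state than the builder printed. Normalise first, e.g. `[ "$TPM" == "true" ] && TPM=true || TPM=false` for each of TPM, REQSIG, SECBOOT and SECURESYS (the `a && b || c` form is safe here because the assignment cannot fail). Separately, the file's KEY=VALUE layout suggests it will be sourced or parsed as shell, although no reader is visible in this hunk; an unquoted `OTA=$DISTURL` then lets a URL containing whitespace, `;` or a newline inject extra keys, so validate it (e.g. `[[ "$DISTURL" =~ ^https://[^[:space:]\'\"]+$ ]] || exit 1`) or write it single-quoted.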
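Review bot: `tar -czf /build/images/usr.img /build/images/verity.img /build/images/` uses `/build/images/usr.img` as the archive name, since `-f` consumes the next argument, so it overwrites the ext4 image that was just populated with usr.squashfs and then tries to archive the directory containing the file being written. The intent looks like a bundle of the artifacts; write it to its own path, e.g. `tar -czf /build/images/halogenos-"$VERSION".tar.gz -C /build/images usr.img verity.img release.meta`. Note also that `# Build verity` remains only a comment: verity.img stays the empty sparse file created by `dd … seek=2000M`, so no dm-verity hash tree is produced here, and unless that happens elsewhere the shipped image carries no integrity protection yet.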
@@ -0,0 +1,13 @@
+app-containers/distrobox
+app-containers/podman
+app-crypt/gnupg
+app-shells/bash
+app-misc/hyfetch
+kde-plasma/flatpak-kcm
+kde-plasma/plasma-desktop
+kde-plasma/plasma-vault
+sys-apps/bubblewrap
+sys-apps/flatpak
+sys-apps/fwupd
+sys-libs/musl
+virtual/tmpfiles
\ No newline at end of file
diff --git a/build/emerge/use.disable b/build/emerge/use.disable
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/build/emerge/use.disable
@@ -0,0 +1 @@
+
diff --git a/build/external/gvisor.sh b/build/external/gvisor.sh
new file mode 100755
index 0000000..27e134e
--- /dev/null
+++ b/build/external/gvisor.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+ARCH=$(uname -m)
+URL=https://storage.googleapis.com/gvisor/releases/release/latest/"${ARCH}"
+wget "${URL}"/runsc "${URL}"/runsc.sha512 "${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
+
+sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
+rm -f ./*.sha512
+
+chmod a+rx runsc containerd-shim-runsc-v1
+mv runsc containerd-shim-runsc-v1 "$DISTPATH"/usr/local/bin
\ No newline at end of file
diff --git a/build/include/usr/etc/containers.conf b/build/include/usr/etc/containers.conf
new file mode 100644
index 0000000..229ee94
--- /dev/null
+++ b/build/include/usr/etc/containers.conf
@@ -0,0 +1,29 @@
+[containers]
+
+cgroupns = "private"
+cgroups = "enabled"
+
+default_capabilities = []
+
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 0",
+]
+
+label = true
+label_users = true
+
+ipcns = "private"
+netns = "private"
+pidns = "private"
+userns = "auto"
+utsns = "private"
+
+privileged = false
+
+[engine]
+runtime = "runsc"
+
+[engine.runtimes]
+runsc = [
+ "/usr/local/bin/runsc",
+]
diff --git a/build/include/usr/sbin/sysupd.sh b/build/include/usr/sbin/sysupd.sh
new file mode 100644
index 0000000..a4be1b4
--- /dev/null
+++ b/build/include/usr/sbin/sysupd.sh
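Review bot: Checking `runsc.sha512` that was fetched from the same `…/releases/release/latest/` URL as the binary only detects a corrupted transfer; whoever can serve or alter that bucket path supplies both files, so the `sha512sum -c` is not a supply-chain control, and `latest` also means every build pulls a different, unreviewed runtime into the image. Pin a specific release and keep the expected digests in the repository, e.g. replace `latest` with a fixed tag and verify with `echo "<expected-sha512>  runsc" | sha512sum -c -` for each binary. The script also relies on `$DISTPATH` being exported by the caller; with `set -e` but no `-u`, an empty value makes the final `mv` target the build host's `/usr/local/bin`, so guard it with `: "${DISTPATH:?must be exported by build-image.sh}"` before the `mv`. Minor: the second `-c` in `sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512` is redundant, both files are checked with one flag.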
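Review bot: `userns = "auto"` makes podman allocate a fresh user namespace per container from the subordinate ID ranges of the `containers` user, and nothing else in this commit adds `/etc/subuid` or `/etc/subgid` entries (neither the package list nor the `include/` tree contains any), so container starts would fail with a mapping error unless those ranges are provided elsewhere; please confirm or ship them alongside this file. The rest of the settings fail closed (empty `default_capabilities`, private namespaces, `label = true`), which is good, but `runtime = "runsc"` with a single `[engine.runtimes]` entry leaves the engine with no fallback if `/usr/local/bin/runsc` is missing from the image. A comment at the top of the file stating that dependency, e.g. `# runsc is installed by build/external/gvisor.sh; no fallback runtime is configured`, would help the next maintainer.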
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+# These are expected to happen
+ERR_GEN = 1 # General error
+ERR_NET = 2 # Network link error
+ERR_DNS = 3 # DNS error or resolution failure
+ERR_SSL = 4 # HTTPS failure
+ERR_SIG = 5 # Update file fails signature
+
+# These should probably never happen
+ERR_PRM = 6 # Insufficient permission
+ERR_BLK = 7 # Block device or partition error
+ERR_MNT = 8 # Mounting failure
+
+err_exit() {
+ >&2 echo $2
+}
\ No newline at end of file
diff --git a/build/packages.txt b/build/packages.txt
deleted file mode 100644
index 0a8e651..0000000
--- a/build/packages.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-app-shells/bash
-app-misc/hyfetch
-sys-libs/musl
\ No newline at end of file
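Review bot: `ERR_GEN = 1` and the other constants are not assignments: bash parses `ERR_GEN = 1` as running a command named `ERR_GEN` with the arguments `=` and `1`, and under `set -euxo pipefail` the script dies with "command not found" on the first one. Write them as `readonly ERR_GEN=1 # General error` and likewise for the rest. `err_exit` also ignores its first argument and never exits, so none of the codes can ever be returned; `err_exit() { printf '%s\n' "$2" >&2; exit "${1:-1}"; }` makes them meaningful and drops the unquoted `echo $2`. Two caveats for a privileged updater: `set -x` traces every command and argument to stderr, so any URL, key path or signature-verification step added later will be logged verbatim, and the file header adds the script with mode 100644, so `/usr/sbin/sysupd.sh` will not be executable once `cp -r` places it in the image.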