diff --git a/.env b/.env
index cf6db02..879932b 100644
--- a/.env
+++ b/.env
@@ -1,4 +1,5 @@
 SECBOOT=true
 TPM=true
 REQSIG=true
-MINOR=00
\ No newline at end of file
+MINOR=00
+DISTURL=none
\ No newline at end of file
diff --git a/build/build-image.sh b/build/build-image.sh
index ff070d2..a598867 100755
--- a/build/build-image.sh
+++ b/build/build-image.sh
@@ -10,13 +10,13 @@ export VERSION="$VERSION"
 # This variable gets unset if any security-critical elements are disabled
 SECURESYS=true
-echo "========== VERSION ==========="
+echo "=========== VERSION ============"
 echo "Version: $VERSION"
 echo "Distfiles path: $DISTPATH"
 echo -n "Distribution URL: "
-if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"; DISTURL="none"
+if [ "$DISTURL" == "none" ]; then echo "Not set, OTA disabled";
 else echo "$DISTURL"; fi
-echo "========== SECURITY =========="
+echo "=========== SECURITY ==========="
 echo -en "Secure Boot: \t\t"
 if [ "$SECBOOT" == "true" ]; then echo "Enabled"
 else echo "Disabled"; SECURESYS="false"; fi
@@ -29,7 +29,7 @@ else echo "Disabled"; SECURESYS="false"; fi
 echo -en "Overall security: \t"
 if [ "$SECURESYS" == "true" ]; then echo "Intact"
 else echo "Degraded"; fi
-echo "=============================="
+echo "================================"
 set -x
@@ -50,7 +50,7 @@ cp -r /build/include-host/* /
 # squashfs-tools needed for image mksquashfs for image generation
 # gentoolkit needed for euse for setting use flags
 # btrfs-progs needed for mkfs.btrfs for generating usr partition fs
-emerge --quiet @halogenos-host
+#emerge -j "$NPROC" --quiet --noreplace @halogenos-host
 # We have to ensure use.disable contains at least one flag
 # Otherwise euse -D will disable all global use flags
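Review bot: The new condition on the `+if` line only recognises the literal `none`, so an empty `DISTURL` (compose.yml forwards `${DISTURL}`, which is empty when the variable is missing from the environment) takes the `else` branch, prints a blank URL and leaves OTA treated as enabled; the matching `else ... fi` is the unchanged line right below it. Treat empty and `none` the same: `if [ -z "$DISTURL" ] || [ "$DISTURL" == "none" ]; then echo "Not set, OTA disabled";`. The removed `-n` test had its logic inverted, so the direction of the fix is right; a comment on the `.env` default `DISTURL=none` saying it is the "OTA disabled" sentinel would tie the two files together.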
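Review bot: Commenting out the `@halogenos-host` merge leaves the three comment lines above it describing `squashfs-tools`, `gentoolkit` and `btrfs-progs` as installed by a step that no longer runs, while `mksquashfs` and `mkfs.btrfs` are still called later in this script. If those tools now come from the builder's base image, replace the dead line with a comment saying so, e.g. `# squashfs-tools, gentoolkit and btrfs-progs are expected from the builder image; @halogenos-host is no longer merged`; if they do not, the image steps below fail on a fresh builder. A commented-out command carrying a `-j "$NPROC"` the live line never had reads as a pending change rather than a removal, so either delete it or mark it `TODO` with the reason.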
@@ -65,8 +65,11 @@ export ROOT="$DISTPATH"
 #emerge -j "$NPROC" --quiet --update --deep --newuse @world
 # Emerge all packages
-#emerge -j "$NPROC" --quiet @halogenos-image
-emerge --unmerge portage
+emerge -j "$NPROC" --quiet --noreplace @halogenos-image
+emerge -j "$NPROC" --quiet --update --deep --noreplace @world
+emerge -j "$NPROC" --quiet --autounmask=y sys-kernel/vanilla-kernel
+emerge --depclean
+emerge --unmerge --nodeps portage perl-cleaner
 # Include any additional files
 mkdir -p "$DISTPATH"/usr/share/halogenos
@@ -86,6 +89,12 @@ echo "IMAGE_ID=$IMAGE_ID" >> "$DISTPATH"/usr/lib/os-release
 # Install gvisor OCI runtime
 /build/external/gvisor.sh
+# Install GrapheneOS hardened malloc
+cd /build/hardened_malloc/
+make
+cd -
+cp /build/hardened_malloc/out/libhardened_malloc.so "$DISTPATH"/usr/local/lib/libhardened_malloc.so
+
 # Require inclusion of public key if $REQSIG is true
 if [ "$REQSIG" == "true" ]; then
 # This will cause an exit if the key is missing
@@ -112,9 +121,7 @@ SECURESYS=$SECURESYS" > "$DISTPATH"/usr/share/halogenos/release.meta
 # Remove unwanted files
 rm "$DISTPATH"/usr/etc/gentoo-release
-rm -r "$DISTPATH"/usr/lib/gentoo
-rm -r "$DISTPATH"/usr/lib/portage
-rm -r "$DISTPATH"/usr/share/portage
+rm -rf "$DISTPATH"/usr/lib/gentoo
 # Create images dir and img files
 mkdir -p /build/images
@@ -123,13 +130,11 @@ dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
 mkfs.btrfs /build/images/usr.img
 dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M
-# Create squashfs
-mksquashfs "$DISTPATH" /build/artifacts/usr.squashfs
-
 # Install squashfs filesystem onto usr img
 mkdir -p /mnt/usr
 mount /build/images/usr.img /mnt/usr
-cp /build/artifacts/usr.squashfs /mnt/usr
+mksquashfs "$DISTPATH" /mnt/usr/usr.sfs
+sync /mnt/usr/usr.sfs
 umount /mnt/usr
 # Build verity
diff --git a/build/include-host/etc/portage/package.use/kernel b/build/include-host/etc/portage/package.use/kernel
new file mode 100644
index 0000000..0531ce4
--- /dev/null
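Review bot: None of the five new `emerge` lines checks its exit status, and the only shell option visible in this file is `set -x` (after the SECURITY banner), so a failed `@world` update or kernel merge does not stop the build and the image is still packaged and verity-hashed further down; the `make`/`cp` lines in the hardened_malloc hunk and `mksquashfs` in the last hunk of this file have the same gap. Add `set -e` near the top of the script (outside these hunks) or append `|| exit 1` to every step whose failure must abort. `--autounmask=y` on the `sys-kernel/vanilla-kernel` line also lets Portage compute keyword and USE changes at build time instead of using the pinned configuration under `include-host/etc/portage`; as far as I recall, without `--autounmask-write` and `--autounmask-continue` it prints the required changes and exits non-zero instead of merging, which the missing exit check would hide. Verify that against the builder's Portage version and prefer an explicit `package.accept_keywords` entry for the kernel.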
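Review bot: `"$DISTPATH"/usr/local/lib` is never created in the shown lines before the `cp`, and `cd -` both prints the restored directory and depends on the preceding `cd` having succeeded, so a missing checkout at `/build/hardened_malloc/` leaves the script running `make` in the wrong directory and copying a stale or absent `out/libhardened_malloc.so`. Replace the `cd`/`make`/`cd -`/`cp` sequence with `make -C /build/hardened_malloc || exit 1` and `install -D -m 0644 /build/hardened_malloc/out/libhardened_malloc.so "$DISTPATH"/usr/local/lib/libhardened_malloc.so`, which needs no directory change and creates the target path. Nothing in this diff records which hardened_malloc revision that checkout holds; since the library is preloaded into every container process through the new `ld.so.preload`, note the pinned source commit in the comment above the build step.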
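Review bot: `rm -rf "$DISTPATH"/usr/lib/gentoo` now deletes recursively and silently, so with `DISTPATH` empty or unset it removes the builder's own `/usr/lib/gentoo` without any error. Guard the expansion: `rm -rf -- "${DISTPATH:?DISTPATH must be set}"/usr/lib/gentoo`. The dropped `usr/lib/portage` and `usr/share/portage` removals are presumably covered by the `emerge --unmerge --nodeps portage` added earlier in this file; a one-line comment such as `# portage's own trees are removed by the unmerge above` keeps the next reader from re-adding them.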
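Review bot: `sync /mnt/usr/usr.sfs` gives `sync` a file argument, which as far as I recall is a GNU coreutils addition (8.24) that other implementations reject or ignore; the `umount /mnt/usr` on the next line already flushes the filesystem, so a bare `sync` or dropping the line avoids the dependency. Writing the squashfs straight into the mounted image also stops producing `/build/artifacts/usr.squashfs`; anything outside this diff that consumed that artifact now needs updating, and a comment stating that the squashfs now lives only inside `usr.img` would make the change read as intentional.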
+++ b/build/include-host/etc/portage/package.use/kernel
@@ -0,0 +1 @@
+sys-kernel/vanilla-kernel amd64
\ No newline at end of file
diff --git a/build/include-host/usr/src/initramfs/init b/build/include-host/usr/src/initramfs/init
new file mode 100755
index 0000000..28c8f8b
--- /dev/null
+++ b/build/include-host/usr/src/initramfs/init
@@ -0,0 +1,11 @@
+#!/bin/busybox sh
+ # 1. Locate the UUID of System Partition A
+ # 2. Locate the UUID of System Partition B
+ # 3. Determine which partition has the highest nonzero counter
+ # 4. Perform verity checks
+ # 5. If check succeeds, continue. Else decrement and reboot.
+ # 6. If System Partition B does not exist, create it.
+ # 7. If the root partition does not exist, create it.
+ # 8. Mount /usr and create essential link files
+ # 9. Switch root and run true init (OpenRC)
\ No newline at end of file
diff --git a/build/include-image/usr/etc/docker/ld.so.preload b/build/include-image/usr/etc/docker/ld.so.preload
new file mode 100644
index 0000000..271bd3f
--- /dev/null
+++ b/build/include-image/usr/etc/docker/ld.so.preload
@@ -0,0 +1 @@
+/usr/local/lib/libhardened_malloc.so
\ No newline at end of file
diff --git a/build/include-image/usr/etc/sysctl.d/hardened_malloc.conf b/build/include-image/usr/etc/sysctl.d/hardened_malloc.conf
new file mode 100644
index 0000000..3341f70
--- /dev/null
+++ b/build/include-image/usr/etc/sysctl.d/hardened_malloc.conf
@@ -0,0 +1 @@
+vm.max_map_count = 1048576
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index 2aa6f94..f09b4e9 100644
--- a/compose.yml
+++ b/compose.yml
@@ -10,6 +10,7 @@ services:
 SECBOOT: ${SECBOOT}
 TPM: ${TPM}
 REQSIG: ${REQSIG}
+ DISTURL: ${DISTURL}
 secrets:
 - signing_key_public
 volumes:
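Review bot: The entry is placed under `package.use`, where the second field is read as a USE flag, but `amd64` is the architecture keyword; if the intent is to accept the package's keyword it belongs in `package.accept_keywords`, and as written the line presumably has no effect, which would explain the `--autounmask=y` added for the same package in build-image.sh. Move it to `package.accept_keywords/kernel` and add a comment there stating why the keyword is accepted, so the kernel's unmasking is pinned in configuration rather than computed at build time.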
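Review bot: The new `initramfs/init` is installed executable (mode 100755) with a busybox `sh` shebang but contains only the numbered plan, so if it is packed into an initramfs as `/init` the shell exits at once and the kernel panics before any of the nine steps can run. Until the body exists, keep the file non-executable or end it with an explicit `exec sh` rescue shell under a comment marking the placeholder. When steps 3–5 are implemented, document where the per-partition counters are stored and make explicit that the counter only selects a candidate: a partition is trusted only after step 4's verity check passes, so a corrupted or tampered counter must never skip that check.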
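Review bot: This preload file forces `/usr/local/lib/libhardened_malloc.so` into every dynamically linked process whose loader sees it, and the diff does not show how `usr/etc/docker/ld.so.preload` reaches container filesystems or whether that library path exists inside them. The object is built once by the `make` step in build-image.sh against the builder's libc, so a container image with a different libc will, as far as I know, start without the hardened allocator and only a loader error on stderr (glibc ignores a preload it cannot load, and musl does not read `ld.so.preload` at all). Document the expected container base and the install path next to the `cp` in build-image.sh, e.g. `# libhardened_malloc.so is preloaded into containers via usr/etc/docker/ld.so.preload; requires glibc-based images with the library at /usr/local/lib`.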