dell · superm1 · Dec 6, 2019 · Dec 9, 2019 · Dec 9, 2019 · Dec 6, 2019
diff --git a/Dell/recovery_common.py b/Dell/recovery_common.py
@@ -560,17 +560,20 @@ def create_new_uuid(old_initrd_directory, old_casper_directory,
             continue
         chain0 = subprocess.Popen(['find'], cwd=root,
                                 stdout=subprocess.PIPE)
-        chain1 = subprocess.Popen(['cpio', '--quiet', '-o', '-H', 'newc'],
-                                cwd=root, stdin=chain0.stdout,
+        chain1 = subprocess.Popen(['sort'], cwd=root,
+                                stdin=chain0.stdout,
+                                stdout=subprocess.PIPE)
+        chain2 = subprocess.Popen(['cpio', '-R', '0:0', '--reproducible', '--quiet', '-o', '-H', 'newc'],
+                                cwd=root, stdin=chain1.stdout,
                                 stdout=subprocess.PIPE)
         with open(new_initrd_file, 'ab') as initrd_fd:
             if component == 'main':
-                chain2 = subprocess.Popen(compress_command,
-                                        stdin=chain1.stdout,
-                                        stdout=subprocess.PIPE)
-                initrd_fd.write(chain2.communicate()[0])
+                chain3 = subprocess.Popen(compress_command,
+                                          stdin=chain2.stdout,
+                                          stdout=subprocess.PIPE)
+                initrd_fd.write(chain3.communicate()[0])
             else:
-                initrd_fd.write(chain1.communicate()[0])
+                initrd_fd.write(chain2.communicate()[0])
 
     walk_cleanup(tmpdir)
 

diff --git a/casper/scripts/99dell_bootstrap b/casper/scripts/99dell_bootstrap
@@ -106,14 +106,16 @@ for seed in dell-recovery gfx wlan; do
     fi
 done
 
+#HACK: make ubiquity think partitioning is done
+#if db_get dell-recovery/encryption && [ "$RET" = true ]; then
+#    sed -i "s,self.partitioned = False,self.partitioned = True," /root/usr/lib/ubiquity/ubiquity/frontend/gtk_ui.py
+#    rm -f /root/usr/lib/ubiquity/plugins/ubi-partman.py
+#fi
+#alternatively include https://code.launchpad.net/~ubuntu-installer/ubiquity/+git/ubiquity/+merge/376777
+
 # Now load all the defaults included in all installs
 casper-set-selections "/root/usr/share/dell/casper/seeds/ubuntu.seed"
 
-# If we have a dual boot option, load the dual boot preseed
-if db_get dell-recovery/dual_boot && [ "$RET" = true ]; then
-    casper-set-selections "/root/usr/share/dell/casper/seeds/dual.seed"
-fi
-
 # Lastly, reload the override / configurations preseeds so that it is allowed to override stuff from ubuntu.seed and dual.seed
 for seed in dell-recovery gfx wlan; do
     if [ -e /root/cdrom/preseed/$seed.seed ]; then

diff --git a/casper/seeds/dual.seed b/casper/seeds/dual.seed
diff --git a/casper/seeds/ubuntu.seed b/casper/seeds/ubuntu.seed
@@ -87,7 +87,7 @@
        method{ efi }                   \
        format{ } .                     \
                                        \
-       500 10000 4000000 ext4          \
+       500 10000 -1 ext4               \
        $primary{ }                     \
        method{ format }                \
        format{ }                       \

diff --git a/debian/control b/debian/control
@@ -34,7 +34,8 @@ Depends: ${python3:Depends},
          uuid-runtime,
 Replaces: dell-artwork, dell-oobe
 Conflicts: dell-oobe
-Recommends: cryptsetup,
+Recommends: clevis-tpm2,
+            cryptsetup,
             cryptsetup-bin,
             dvd+rw-tools,
             isolinux,

diff --git a/debian/dell-recovery.templates b/debian/dell-recovery.templates
@@ -3,16 +3,6 @@ Type: boolean
 Default: false
 Description: for internal use; determines if wyse mode is on.
 
-Template: dell-recovery/dual_boot
-Type: boolean
-Default: false
-Description: for internal use; determines if EFI enabled dual boot enabled
-
-Template: dell-recovery/os_partition
-Type: string
-Default: 
-Description: for internal use; determines the label of the OS partition to remove
-
 Template: dell-recovery/destination
 Type: string
 Default: none
@@ -21,9 +11,14 @@ Description: for internal use; determines whether to generate recovery media
 Template: dell-recovery/recovery_type
 Type: string
 Default: dynamic
-Description: for internal use;determines whether to offer the bootstrap 
+Description: for internal use;determines whether to offer the bootstrap
  ubiquity plugin to the user. valid: [dynamic, factory, usb, dvd]
 
+Template: dell-recovery/encryption
+Type: boolean
+Default: false
+Description: for internal use; determines whether to encrypt the disk
+
 Template: dell-recovery/build_start
 Type: text
 _Description: Building Dell Recovery Media...

diff --git a/late/chroot_scripts/99-encrypt.sh b/late/chroot_scripts/99-encrypt.sh
@@ -0,0 +1,35 @@
+#!/bin/bash -ex
+#
+#       <99-encrypt.sh>
+#
+#       Binds FDE key to the TPM
+#
+#       Copyright 2020 Dell Inc.
+#           Mario Limonciello <Mario_Limonciello@Dell.com>
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of the GNU General Public License as published by
+#       the Free Software Foundation; either version 2 of the License, or
+#       (at your option) any later version.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+#       MA 02110-1301, USA.
+
+# Detect if user selected encryption
+if [ -f /etc/default/dell-recovery ]; then
+    . /etc/default/dell-recovery
+fi
+if [ "$ENCRYPTION" = "true" ]; then
+    # bind to the TPM (no PCR's; will be added later)
+    clevis luks bind -d /dev/dell_lvm/rootfs -k /tmp/key tpm2 '{}'
+
+    #remove our installer key
+    cryptsetup luksRemoveKey /dev/dell_lvm/rootfs --key-file /tmp/key
+fi
diff --git a/late/scripts/FAIL-SCRIPT b/late/scripts/FAIL-SCRIPT
@@ -49,13 +49,6 @@ if [ "$BOOTDEV" = "$TARGETDEV" ]; then
     mount -o remount,rw $RP
     fistlog="/tmp/fist.err"
 
-    if [ -f $RP/SDR ]; then
-        dualos=`sed -n '/DUALOS/=' $RP/SDR`
-        if [ $dualos ]; then
-            fistlog="/tmp/DUALOS_FIST.ERR"
-        fi
-    fi
-
     IFHALT "Resetting grub fail state"
     [ -s $RP/factory/grubenv ] || rm -f $RP/factory/grubenv
     grub-editenv $RP/factory/grubenv set recordfail=1

diff --git a/late/scripts/SUCCESS-SCRIPT b/late/scripts/SUCCESS-SCRIPT
@@ -52,7 +52,11 @@ if [ -f "$TARGET/etc/init/network-manager.conf.orig" ]; then
     mv $TARGET/etc/init/network-manager.conf.orig $TARGET/etc/init/network-manager.conf
 fi
 
-if [ "$BOOTDEV" = "$TARGETDEV" ]; then
+# Dell Recovery initiated encryption can not be selected if user does custom partitions
+if [ -f $TARGET/etc/default/dell-recovery ]; then
+    . $TARGET/etc/default/dell-recovery
+fi
+if [ "$ENCRYPTION" = "true" ] || [ "$BOOTDEV" = "$TARGETDEV" ]; then
     if [ -d "/isodevice" ]; then
         RP="/isodevice"
     else
@@ -70,12 +74,6 @@ if [ "$BOOTDEV" = "$TARGETDEV" ]; then
     fi
 
     fistlog="/tmp/fist.log"
-    if [ -f $RP/SDR ]; then
-        dualos=`sed -n '/DUALOS/=' $RP/SDR`
-        if [ $dualos ]; then
-            fistlog="/tmp/DUALOS_FIST.LOG"
-        fi
-    fi
 
     IFHALT "Clean up FI Env..."
     rm -rf $RP/scripts/chroot-scripts/os-post/95-set_UTC_TZ.sh

diff --git a/late/scripts/chroot.sh b/late/scripts/chroot.sh
@@ -164,8 +164,7 @@ fi
 #check the checked_uninstalled file is empty or not, we will turn to FAIL-SCRIPT if it is not empty
 [ ! -s "$TARGET/var/lib/ubiquity/dell_uninstalled" ]
 
-
 # reset traps, as we are now exiting normally
 trap - TERM INT HUP EXIT QUIT
 
-. /usr/share/dell/scripts/SUCCESS-SCRIPT $BOOT_DEV $BOOT_PART_NUM
+. /usr/share/dell/scripts/SUCCESS-SCRIPT
diff --git a/late/scripts/oem_config.sh b/late/scripts/oem_config.sh
@@ -70,6 +70,14 @@ elif [ "$1" = "late" ]; then
     done
     #if this was installed to work around secure boot, clean it up
     rm -f /boot/efi/EFI/ubuntu/MokSBStateSet.efi
+
+    #Update encryption policy to match secure boot status
+    if [ -f /etc/default/dell-recovery ]; then
+        . /etc/default/dell-recovery
+    fi
+    if [ "$ENCRYPTION" = "true" ]; then
+        /usr/share/dell/scripts/update_tpm_policy.sh -d /dev/dell_lvm/rootfs
+    fi
 else
     echo "Unknown arguments $1 $2"
 fi
diff --git a/late/scripts/simple_partitioner.sh b/late/scripts/simple_partitioner.sh
@@ -0,0 +1,95 @@
+#!/bin/bash -ex
+#
+#       <simple_partitioner.sh>
+#
+#       Creates a simple partition layout
+#
+#       Copyright 2020 Dell Inc.
+#           Mario Limonciello <Mario_Limonciello@Dell.com>
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of the GNU General Public License as published by
+#       the Free Software Foundation; either version 2 of the License, or
+#       (at your option) any later version.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+#       MA 02110-1301, USA.
+
+DEVICE=$1
+ESP_PART=$2
+OS_PART=$3
+GROUP=dell_lvm
+
+#create new ones in free space
+sfdisk --force -a ${DEVICE} <<EOF
+-,- V
+EOF
+
+#setup LVM
+partprobe
+if [ -d /dev/${GROUP} ]; then
+    dmsetup remove_all
+fi
+dd if=/dev/zero of=${DEVICE}${OS_PART} bs=512 count=4096
+pvcreate -ff -y ${DEVICE}${OS_PART}
+vgcreate -y ${GROUP} ${DEVICE}${OS_PART}
+lvcreate -y -L 500M ${GROUP} -n boot
+lvcreate -y -l 100%FREE ${GROUP} -n rootfs
+mkfs.ext4 /dev/${GROUP}/boot
+BOOT_UUID=`blkid /dev/${GROUP}/boot -s UUID -o value`
+
+#setup LUKS
+echo -n "password" > /tmp/key
+cryptsetup luksFormat /dev/${GROUP}/rootfs < /tmp/key
+LUKS_UUID=`blkid /dev/${GROUP}/rootfs -s UUID -o value`
+cryptsetup luksOpen /dev/${GROUP}/rootfs decrypted_rootfs --key-file /tmp/key
+mkfs.ext4 /dev/mapper/decrypted_rootfs
+DECRYPTED_UUID=`blkid /dev/mapper/decrypted_rootfs -s UUID -o value`
+
+#mount the disks
+mkdir -p /target
+mount /dev/mapper/decrypted_rootfs /target
+mkdir -p /target/boot
+mount /dev/${GROUP}/boot /target/boot
+mkdir -p /target/boot/efi
+mount ${DEVICE}${ESP_PART} /target/boot/efi
+ESP_UUID=`blkid ${DEVICE}${ESP_PART} -s UUID -o value`
+
+#create swapfile
+available=$(df -P /target/ | sed 1d | while read fs size used available usep mounted on; do
+	echo $available
+done)
+size=$((available/100))
+size=$((size*5))
+limit=$((1024*2048))
+if [ $size -gt $limit ]
+then
+    size=$limit
+fi
+fallocate -l ${size}KiB /target/swapfile
+dd if=/dev/zero of=/target/swapfile bs=1024 count=$size
+chmod 600 /target/swapfile
+mkswap /target/swapfile
+swapon /target/swapfile
+
+#write out fstab
+mkdir -p /target/etc
+cat > /target/etc/fstab << EOF
+UUID=$DECRYPTED_UUID /              ext4    errors=remount-ro 0       1
+UUID=$BOOT_UUID /boot               ext4    errors=remount-ro 0       1
+UUID=$ESP_UUID /boot/efi            vfat    umask=0077      0       1
+EOF
+cat > /target/etc/crypttab << EOF
+decrypted_rootfs UUID=$LUKS_UUID none luks,initramfs
+EOF
+
+#copy key into target (will be discarded later)
+mkdir -p /target/tmp
+cp /tmp/key /target/tmp/key