#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# mkosi post-installation hook, executed inside the image chroot.
# Reads BUILDDIR, OUTPUTDIR, BUILDROOT and SRCDIR from the environment;
# nounset makes the script abort if any of them is missing.
set -eu

# Publish the built packages and the systemd.raw DDI next to the image output.
find "$BUILDDIR" \
  \( -name "*.rpm" -o -name "*.deb" -o -name "*.pkg.tar" -o -name systemd.raw \) \
  -exec cp -t "$OUTPUTDIR" {} \;
# Create the "testuser" account: uid 4711, a primary group of the same name,
# a home directory, a bash login shell and the password "testuser".
useradd_args=(
  --uid 4711
  --user-group
  --create-home
  # The hash is generated at build time so only the crypt(3) hash is stored.
  # NOTE(review): -1 is MD5-crypt; "openssl passwd -6" (SHA-512 crypt) is the
  # stronger choice if every target image's crypt(3) accepts it — confirm.
  --password "$(openssl passwd -1 testuser)"
  --shell /bin/bash
  testuser
)
useradd "${useradd_args[@]}"
# On distributions that ship authselect, pick the minimal/local profile and
# turn on the systemd-homed feature where that profile offers it.
if command -v authselect >/dev/null; then
  # authselect 1.5.0 renamed the minimal profile to the local profile without keeping backwards compat so
  # let's use the new name if it exists.
  PROFILE=minimal
  if [[ -d /usr/share/authselect/default/local ]]; then
    PROFILE=local
  fi

  authselect select "$PROFILE"

  if authselect list-features "$PROFILE" | grep -q "with-systemd-homed"; then
    authselect enable-feature with-systemd-homed
  fi
fi
# Let tmpfiles.d/systemd-resolve.conf handle the symlink. /etc/resolv.conf might be mounted over so undo that
# if that's the case.
if mountpoint -q /etc/resolv.conf; then
  umount /etc/resolv.conf
fi
rm -f /etc/resolv.conf
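# Extract the dm-verity root hash from every signature file into a plain
# <name>.roothash file next to it.
for f in "$BUILDROOT"/usr/share/*.verity.sig; do
  # Without nullglob an unmatched pattern is passed through literally and jq
  # would abort the whole script (set -e) trying to open it; skip that case.
  [[ -e "$f" ]] || continue
  jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
done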
# Remove to make TEST-73-LOCALE pass on Ubuntu.
rm -f /etc/default/keyboard

# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
# systemd-journald.
rm -rf "$BUILDROOT/var/log/journal"

# Install systemd's factory nsswitch.conf. The existing file is removed first
# so cp creates a fresh regular file instead of overwriting whatever is there.
rm -f /etc/nsswitch.conf
cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf

# These don't ship proper units with [Install] directives so we have to mask them instead.
systemctl mask isc-dhcp-server.service
systemctl mask mdmonitor.service
# Build the key device image used by TEST-24-CRYPTSETUP. The --root and
# --definitions paths are relative, so this presumably relies on the working
# directory being the source tree — verify against the mkosi invocation.
# This is executed inside the chroot so no need to disable any features as the default features will match
# the kernel's supported features.
repart_args=(
  --empty=create
  --dry-run=no
  --size=auto
  --offline=true
  --root test/TEST-24-CRYPTSETUP
  --definitions test/TEST-24-CRYPTSETUP/keydev.repart
)
SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" systemd-repart "${repart_args[@]}" "$OUTPUTDIR/keydev.raw"
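#######################################
# Check whether the PKCS#11 (softhsm2) test can run in this image.
# Globals:   none
# Arguments: none
# Outputs:   a "skipping the PKCS#11 test" diagnostic on stderr naming the
#            first missing prerequisite
# Returns:   0 when all required tools and systemd build features are present,
#            1 otherwise
#######################################
can_test_pkcs11() {
  local tool version

  for tool in softhsm2-util pkcs11-tool certtool; do
    if ! command -v "$tool" >/dev/null; then
      echo "$tool not available, skipping the PKCS#11 test" >&2
      return 1
    fi
  done

  # Query the build feature string once instead of spawning systemctl for
  # every check; a failing systemctl leaves it empty and every check fails.
  version=$(systemctl --version) || version=""

  if ! grep -q "+P11KIT" <<<"$version"; then
    echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
    return 1
  fi

  if ! grep -q "+OPENSSL" <<<"$version"; then
    echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
    return 1
  fi

  # \b keeps this from matching +LIBCRYPTSETUP_PLUGINS, which is checked separately.
  if ! grep -q "+LIBCRYPTSETUP\b" <<<"$version"; then
    echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
    return 1
  fi

  if ! grep -q "+LIBCRYPTSETUP_PLUGINS" <<<"$version"; then
    echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
    return 1
  fi

  return 0
}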
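#######################################
# Provision a softhsm2 PKCS#11 token holding an RSA and a prime256v1 key pair,
# each with a self-signed certificate, then install the permanent softhsm2
# config and a systemd-cryptsetup@.service drop-in that points at it.
# Globals:   exports SOFTHSM2_CONF, GNUTLS_PIN and GNUTLS_SO_PIN while the
#            token is populated and unsets them again before returning
# Arguments: none
# Outputs:   progress and warnings on stderr; writes /etc/softhsm2.conf and
#            /etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf
# Returns:   0 on success; 1 if the softhsm2 module path cannot be determined
#            (when called as a plain statement that aborts the script under set -e,
#            as does any failing tool invocation)
#######################################
setup_pkcs11_token() {
  echo "Setup PKCS#11 token" >&2
  local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE

  # Temporary config used only while the token is being populated.
  # NOTE(review): a fixed path under /tmp is tolerable here only because
  # presumably nothing else runs inside the build chroot; mktemp would be the
  # general-purpose choice.
  export SOFTHSM2_CONF="/tmp/softhsm2.conf"
  mkdir -p /usr/lib/softhsm/tokens/
  cat >"$SOFTHSM2_CONF" <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF

  # Test-only PINs. pkcs11-tool reads them through the "env:" references below
  # so they stay off its command line; softhsm2-util has no such option.
  export GNUTLS_PIN="1234"
  export GNUTLS_SO_PIN="12345678"
  softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"

  if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
    echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
    P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
  fi

  if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
    echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
    P11_MODULE_DIR="/usr/lib/pkcs11"
  fi

  # The module file carries a "module: <path>" line; xargs trims the whitespace
  # around the value. The pipeline's status is xargs', so a missing file or
  # line does not trip set -e — check for an empty result explicitly instead
  # of letting pkcs11-tool fail later with --module "".
  SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module" | cut -d ':' -f 2 | xargs)
  if [[ -z "$SOFTHSM_MODULE" ]]; then
    echo "Cannot determine the softhsm2 module path from $P11_MODULE_CONFIGS_DIR/softhsm2.module" >&2
    return 1
  fi
  # A bare file name is taken relative to the p11-kit module directory.
  if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
    SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
  fi

  # RSA #####################################################
  pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt

  certtool --generate-self-signed \
    --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
    --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
    --template "test/TEST-24-CRYPTSETUP/template.cfg" \
    --outder --outfile "/tmp/rsa_test.crt"

  pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
  rm "/tmp/rsa_test.crt"

  # prime256v1 ##############################################
  pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive

  certtool --generate-self-signed \
    --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
    --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
    --template "test/TEST-24-CRYPTSETUP/template.cfg" \
    --outder --outfile "/tmp/ec_test.crt"

  pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
  rm "/tmp/ec_test.crt"

  ###########################################################
  rm "$SOFTHSM2_CONF"
  unset SOFTHSM2_CONF

  # Permanent config for the installed image: the temporary one plus a log level.
  cat >/etc/softhsm2.conf <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
log.level = INFO
EOF

  # Drop-in so systemd-cryptsetup@.service instances run with SOFTHSM2_CONF and
  # the token PIN in their environment. Baking the PIN into a unit file is
  # acceptable only for this throw-away test image.
  mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
  cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
[Unit]
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
StartLimitBurst=10

[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF

  unset GNUTLS_PIN
  unset GNUTLS_SO_PIN
}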
# Provision the token only when every prerequisite is present; the check
# itself reports the reason for skipping on stderr.
if can_test_pkcs11; then
  setup_pkcs11_token
fi