ChubbyAnt · mkszuba · Jul 10, 2016 · Jul 10, 2016 · Jul 10, 2016 · May 29, 2016
diff --git a/images/BUILDING b/images/BUILDING
@@ -30,6 +30,20 @@ Getting TinyCore and syslinux.
 
 ./getresources
 
+If you wish to auto-unlock your SSDs using a USB device, or use a Yubikey's 
+challenge-response password you must first setup those devices here.  The syntax is:
+./setupautounlock <device> <password> [tpm_nvram_slot|usb_device...]
+
+You may specify multiple USB devices or TPM NVRam slots (or none at all).  You will be
+prompted to add Yubikey challenge-responses.  USB devices must have a vfat or ext*
+partition as it's first partition, and you should not delete the .key file written to
+that partition.  You may only have up to 8 keys.
+
+On boot, Unlocking will be attempted first via. TPM NVRam, then via. USB flash drives,
+then via Yubikey challenge-responses.  Failing these methods it will fall back to simply
+prompting for the OPAL unlock password.  This means if you wish to unlock using a USB
+flash device or yubikey it must be inserted when you boot!
+
 Build the PBA kernels and root filesystems
 ./buildpbaroot
 
@@ -55,4 +69,4 @@ cd ../sedutil/images
 
 
 
-
+
diff --git a/images/buildUEFI64 b/images/buildUEFI64
@@ -24,15 +24,17 @@ fi
   ] || { echo " prereqs are not available "; exit 1; }
 # recreate the initrd file with the latest PBA
 mkdir scratch/buildroot/PBA64/overlay/sbin/
+mkdir scratch/buildroot/PBA64/overlay/etc/init.d
 cp ../LinuxPBA/dist/${BUILDTYPE}_x86_64/GNU-Linux/linuxpba  scratch/buildroot/PBA64/overlay/sbin/linuxpba
 cp ../linux/CLI/dist/${BUILDTYPE}_x86_64/GNU-Linux/sedutil-cli  scratch/buildroot/PBA64/overlay/sbin/sedutil-cli
+cp buildroot/autounlock.sh scratch/buildroot/PBA64/overlay/etc/init.d/rcS
 cd scratch/buildroot
 make all O=PBA64 2>&1 >PBA64.log
 cd ../..
 # Start fresh
 sudo rm -rf UEFI64_${BUILDTYPE} ; mkdir UEFI64_${BUILDTYPE} ; cd UEFI64_${BUILDTYPE}
 # make an image file
-dd if=/dev/zero of=${BUILDIMG} bs=1M count=7
+dd if=/dev/zero of=${BUILDIMG} bs=1M count=15
 (echo "n";echo "";echo "";echo "";echo "ef00";echo w;echo Y) | gdisk ${BUILDIMG}
 
 LOOPDEV=`sudo losetup --show -f -o 1048576 ${BUILDIMG}`

diff --git a/images/buildbiosLinux b/images/buildbiosLinux
@@ -25,24 +25,26 @@ sudo rm -rf LINUXPBA${BUILDTYPE} ; mkdir LINUXPBA${BUILDTYPE} ; cd LINUXPBA${BUI
 #
 # recreate the initrd file with the latest PBA
 mkdir  ../scratch/buildroot/PBA32/overlay/sbin
+mkdir  ../scratch/buildroot/PBA32/overlay/etc/init.d
 cp ../../LinuxPBA/dist/${BUILDTYPE}/GNU-Linux/linuxpba  ../scratch/buildroot/PBA32/overlay/sbin/linuxpba
 cp ../../linux/CLI/dist/${BUILDTYPE}_i686/GNU-Linux/sedutil-cli  ../scratch/buildroot/PBA32/overlay/sbin/sedutil-cli
+cp ../buildroot/autounlock.sh ../scratch/buildroot/PBA32/overlay/etc/init.d/rcS
 cd ../scratch/buildroot
 make all O=PBA32 2>&1 >PBA32.log
 cd ../../LINUXPBA${BUILDTYPE}
-dd if=/dev/zero of=${BUILDIMG} bs=1M count=8
+dd if=/dev/zero of=${BUILDIMG} bs=1M count=16
 (echo o;echo n;echo p;echo 1;echo"";echo "";echo "";echo a;echo 1;echo w) | fdisk ${BUILDIMG}
 dd if=../scratch/${SYSLINUX}/bios/mbr/mbr.bin of=${BUILDIMG} count=1 conv=notrunc bs=512
 LOOPDEV=`sudo losetup --show -f -o 1048576 ${BUILDIMG}`
-sudo mkfs.ext4 $LOOPDEV -L ${BUILDTYPE}-${VERSIONINFO}
+sudo mkfs.ext2 $LOOPDEV -L ${BUILDTYPE}-${VERSIONINFO}
 mkdir image
 sudo mount $LOOPDEV image
 sudo chmod 777 image
-sudo mkdir -p image/boot/extlinux
-sudo ../scratch/${SYSLINUX}/bios/extlinux/extlinux --install image/boot/extlinux
-sudo cp ../scratch/buildroot/PBA32/images/bzImage  image/boot/extlinux/
-sudo cp ../scratch/buildroot/PBA32/images/rootfs.cpio.xz image/boot/extlinux/
-sudo cp ../buildroot/syslinux.cfg image/boot/extlinux/extlinux.conf
+sudo mkdir -p image/extlinux
+sudo ../scratch/${SYSLINUX}/bios/extlinux/extlinux --install image/extlinux
+sudo cp ../scratch/buildroot/PBA32/images/bzImage  image/extlinux
+sudo cp ../scratch/buildroot/PBA32/images/rootfs.cpio.xz image/extlinux
+sudo cp ../buildroot/syslinux.cfg image/extlinux/extlinux.conf
 sudo umount image
 sudo losetup -d $LOOPDEV
 gzip ${BUILDIMG}
diff --git a/images/buildpbaroot b/images/buildpbaroot
@@ -6,13 +6,19 @@ exit 99
 }
 . conf
 cd scratch
+
 # clean up and start over
-rm -rf buildroot
-git clone ${BUILDROOT} || die
+if [ "x$1" != "xnoclean" ]; then
+	rm -rf buildroot
+	git clone ${BUILDROOT} || die
+fi
 cd buildroot
-git checkout -b PBABUILD ${BUILDROOT_TAG}  || die
-git reset --hard
-git clean -df
+
+if [ "x$1" != "xnoclean" ]; then
+	git checkout -b PBABUILD ${BUILDROOT_TAG}  || die
+	git reset --hard
+	git clean -df
+fi
 #fix ncurses build to include libtinfo for compat
 cp ../../buildroot/ncurses.mk package/ncurses/
 # add out of tree build directoried and files
@@ -39,6 +45,112 @@ make O=PBA32 2>&1 | tee PBA32/build_output.txt
 echo Checking for customizations...... 
 grep -i pba PBA*/target/etc/inittab
 grep -i libtinfo PBA*/target/etc/ld.so.cache
+
+cd ..
+echo Building the Yubico utilities
+if [ "x$1" != "xnoclean" ]; then
+	rm -rf yubico-c
+	git clone ${YUBICOCROOT} yubico-c || die
+fi
+cd yubico-c
+if [ "x$1" != "xnoclean" ]; then
+	git checkout -b PBABUILD ${YUBICOCROOT_TAG}  || die
+	git reset --hard
+	git clean -df
+
+	aclocal --install
+	libtoolize
+	automake --add-missing
+	autoconf
+fi
+
+# 64 bit system
+mkdir PBA64
+CFLAGS="-m64 -L$PWD/../buildroot/PBA64/target/lib -L$PWD/../buildroot/PBA64/target/usr/lib" ./configure --host="x86_64-unknown-linux-gnu"
+make clean
+make -j $(nproc) 2>&1 | tee PBA64/build_output.log
+mkdir -p ../buildroot/PBA64/overlay/usr/lib
+cp -a .libs/libyubikey.so* ../buildroot/PBA64/overlay/usr/lib
+
+# 32 bit system
+mkdir PBA32
+CFLAGS="-m32 -L$PWD/../buildroot/PBA32/target/lib -L$PWD/../buildroot/PBA32/target/usr/lib" ./configure --host="i686-unknown-linux-gnu"
+make clean
+make -j $(nproc) 2>&1 | tee PBA32/build_output.log
+mkdir -p ../buildroot/PBA32/overlay/usr/lib
+cp -a .libs/libyubikey.so* ../buildroot/PBA32/overlay/usr/lib
+
+cd ..
+
+if [ "x$1" != "xnoclean" ]; then
+	rm -rf yubikey-personalization
+	git clone ${YUBIPERSROOT} yubikey-personalization || die
+fi
+cd yubikey-personalization
+if [ "x$1" != "xnoclean" ]; then
+	git checkout -b PBABUILD ${YUBIPERSROOT_TAG}  || die
+	git reset --hard
+	git clean -df
+
+	aclocal --install
+	libtoolize
+	automake --add-missing
+	autoconf
+fi
+
+# 64 bit system
+mkdir PBA64
+CFLAGS="-m64 -I$PWD/../yubico-c  -L$PWD/../buildroot/PBA64/overlay/lib -L$PWD/../buildroot/PBA64/overlay/usr/lib -L$PWD/../buildroot/PBA64/target/lib -L$PWD/../buildroot/PBA64/target/usr/lib" ./configure --host="x86_64-unknown-linux-gnu" --disable-rpath --without-json
+make clean
+make -j $(nproc) 2>&1 | tee PBA64/build_output.log
+mkdir -p ../buildroot/PBA64/overlay/usr/bin
+cp -a .libs/libykpers-*.so* ../buildroot/PBA64/overlay/usr/lib
+cp -a .libs/ykinfo ../buildroot/PBA64/overlay/usr/bin
+cp -a .libs/ykchalresp ../buildroot/PBA64/overlay/usr/bin
+
+# 32 bit system
+mkdir PBA32
+CFLAGS="-m32 -I$PWD/../yubico-c -L$PWD/../buildroot/PBA32/overlay/lib -L$PWD/../buildroot/PBA32/overlay/usr/lib -L$PWD/../buildroot/PBA32/target/lib -L$PWD/../buildroot/PBA32/target/usr/lib" ./configure --host="i686-unknown-linux-gnu" --disable-rpath --without-json
+make clean
+make -j $(nproc) 2>&1 | tee PBA32/build_output.log
+mkdir -p ../buildroot/PBA32/overlay/usr/bin
+cp -a .libs/libykpers-*.so* ../buildroot/PBA32/overlay/usr/lib
+cp -a .libs/ykinfo ../buildroot/PBA32/overlay/usr/bin
+cp -a .libs/ykchalresp ../buildroot/PBA32/overlay/usr/bin
+
+cd ..
+echo Building the TPM utilities
+if [ "x$1" != "noclean" ]; then
+	rm -rf tpm-luks
+	git clone ${TPMLUKSROOT} tpm-luks || die
+fi
+cd tpm-luks
+if [ "x$1" != "noclean" ]; then
+	git reset --hard
+	git clean -df
+
+	aclocal --install
+	libtoolize
+	automake --add-missing
+	autoconf
+fi
+
+# 64 bit system
+mkdir PBA64
+CFLAGS="-m64 -L$PWD/../buildroot/PBA64/target/lib -L$PWD/../buildroot/PBA64/target/usr/lib" ./configure --host="x86_64-unknown-linux-gnu"
+make clean
+make -j $(nproc) 2>&1 | tee PBA64/build_output.log
+cp swtpm-utils/nv_readvalue ../buildroot/PBA64/overlay/usr/bin
+cp swtpm-utils/getcapability ../buildroot/PBA64/overlay/usr/bin
+
+# 32 bit system
+mkdir PBA32
+CFLAGS="-m32 -L$PWD/../buildroot/PBA32/target/lib -L$PWD/../buildroot/PBA32/target/usr/lib" ./configure --host="i686-unknown-linux-gnu"
+make clean
+make -j $(nproc) 2>&1 | tee PBA32/build_output.log
+cp swtpm-utils/nv_readvalue ../buildroot/PBA32/overlay/usr/bin
+cp swtpm-utils/getcapability ../buildroot/PBA32/overlay/usr/bin
+
 # back to where we started
 cd ../..
-exit 0
+exit 0