#!/bin/bash
#
# DESTROY the partition table on a selected drive!!! Turn the drive into an encrypted boot disk!!!
# BEWARE of the awful appearance of the drive names - /sd$13 expands into, eg, /sdb3 and the 13 is just a shock to look at
# NOTE that if run FROM a HARD DRIVE it can set up a BOOT STICK
# and that if run FROM a BOOT STICK it can set up a HARD DRIVE (or another boot stick) - it's reversible.
#
# The files for the eventual /boot are currently taken from /home/john/buildstick/b1
# and for / from /home/john/buildstick/broot
# Those directories might be made less specific eventually
#
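set -u -o pipefail   # no -e on purpose: every destructive step is checked explicitly
                     # below so the EXIT trap always gets to undo the mounts
#
# Where the boot and root contents come from. Override BUILDSTICK_DIR in the
# environment to point at another tree; the b2/broot layout underneath it is
# unchanged (b2 is what lands on /mnt/b2, the mounted boot partition).
#
readonly BUILDSTICK_DIR="${BUILDSTICK_DIR:-/home/john/buildstick}"
readonly BOOT_SRC="$BUILDSTICK_DIR/b2"
readonly ROOT_SRC="$BUILDSTICK_DIR/broot"
readonly ESCROW_DIR="$BUILDSTICK_DIR/serials"
readonly KEY_FILE=/mnt/b1/originalpassword.luks
# kernel whose image and modules go into the initrd; overridable for a rebuild
readonly KERNEL_VERSION="${KERNEL_VERSION:-2.6.37.6-smp}"

# die: print the message on stderr and leave (the EXIT trap does the cleanup)
die() { printf '%s\n' "$*" >&2; exit 1; }

case "${1-}" in
"") echo "USB boot stick creator. Usage: ${0##*/} <drive letter to DESTROY eg b or c>"; exit 1;;
esac
# only plain letters can follow /dev/sd - anything else would land fdisk on an unintended path
[[ "$1" =~ ^[a-z]+$ ]] || die "drive letter must be lowercase letters only, got '$1'"
readonly drive="/dev/sd$1"
# the three partitions created below; braces keep "$1" and the digit apart
readonly p_xfer="${drive}1" p_boot="${drive}2" p_lvm="${drive}3"
[[ -b "$drive" ]] || die "$drive is not a block device - nothing destroyed"

# cleanup: undo the mounts in reverse order and restart hald if we stopped it.
# Runs from the EXIT trap on every path (die, ^C, normal end) and is safe to
# call twice - it only unmounts what is still mounted.
hald_stopped=0
cleanup() {
  local m
  for m in /mnt/broot/proc /mnt/broot/sys /mnt/broot/dev /mnt/b2 /mnt/b1 /mnt/broot; do
    if mountpoint -q "$m"; then umount "$m"; fi
  done
  if (( hald_stopped )); then
    /etc/rc.d/rc.hald start
    hald_stopped=0
  fi
}
trap cleanup EXIT
#
# blank the partition table and replace with vfat transfer, boot and LVM...
# NOTE! if vfat isn't the first partition, Vista (eg) will ask if it can format the first partition and not auto-open the vfat
#
echo "partitioning $drive..."
/etc/rc.d/rc.hald stop   # keep hald from grabbing the new partitions while fdisk rewrites the table
hald_stopped=1
# heredoc is quoted: nothing in it is meant to expand
fdisk "$drive" <<'EOF' || die "fdisk on $drive did not finish cleanly - stopping before any mkfs"
o
n
p
1
+8G
t
1
b
n
p
2
+55M
n
p
3
t
3
8e
p
w
EOF
# fdisk ended
# the partition table now exists in the required state
echo "formatting xfer and boot..."
mkdir -p /mnt/b1 /mnt/b2 /mnt/broot
mkfs.vfat -n xfer "$p_xfer" || die "mkfs.vfat on $p_xfer failed"
mount "$p_xfer" /mnt/b1 || die "cannot mount $p_xfer on /mnt/b1"
mkfs.ext2 -L boot "$p_boot" || die "mkfs.ext2 on $p_boot failed"
mount "$p_boot" /mnt/b2 || die "cannot mount $p_boot on /mnt/b2"
# and the partition formats are finished
#
# generate a hard-to-guess LVM slot 1 password and store it in open sight on the transfer partition
# 36 random bytes -> 48 base64 characters on one line; '/' and '+' are mapped to
# letters (the same squashing the old awk did) so the password is alphanumeric,
# then it is cut to 23 characters. The file keeps its trailing newline: the
# initrd reads it as a key-file exactly as cryptsetup does below.
#
key=$(head -c 36 /dev/urandom | base64 | tr '/+' 'qJ') || die "key generation failed"
[[ -n "$key" ]] || die "key generation produced nothing"
printf '%s\n' "${key:0:23}" >"$KEY_FILE" || die "cannot write $KEY_FILE"
#
# store the password and key audit for escrow, under the drive's serial number
#
serial=$(udevadm info -q property -n "$drive" | sed -n 's/^ID_SERIAL_SHORT=//p')
# an empty serial would turn the cp into "copy into the directory" and the >> into an error
[[ -n "$serial" ]] || die "no ID_SERIAL_SHORT for $drive - refusing to escrow under an empty name"
mkdir -p "$ESCROW_DIR"
escrow="$ESCROW_DIR/$serial"
cp "$KEY_FILE" "$escrow" || die "cannot write escrow copy $escrow"
chmod 600 "$escrow"   # the escrow copy is the only one not deliberately in open sight
udevadm info -q all -n "$drive" >>"$escrow"
#
# this blanking is in case the stick is being recreated, cryptsetup doesn't like seeing an existing LVM header here
# create just swap - small, I don't much like the idea of swap on a stick - and a root which will hold home and var too
#
echo "formatting the logical volume..."
#
dd if=/dev/zero of="$p_lvm" bs=1024 count=1024 conv=notrunc || die "cannot blank the head of $p_lvm"
cryptsetup -v -c twofish-cbc-essiv:sha256 -s 256 -y --key-file "$KEY_FILE" luksFormat "$p_lvm" \
  || die "luksFormat on $p_lvm failed"
# LUKS UUID of the raw partition; printed for the record only (not used further down)
lvmdev=$(blkid -c /dev/null -s UUID -o value "$p_lvm")
echo "lvmdev=$lvmdev"
#
cryptsetup --key-file "$KEY_FILE" luksOpen "$p_lvm" fdp || die "luksOpen on $p_lvm failed"
pvcreate /dev/mapper/fdp || die "pvcreate failed"
vgcreate fdv /dev/mapper/fdp || die "vgcreate fdv failed"
lvcreate -L 4G -n swap fdv || die "lvcreate swap failed"
lvcreate -l 100%FREE -n root fdv || die "lvcreate root failed"
vgscan --mknodes
vgchange -ay
mkswap /dev/fdv/swap || die "mkswap failed"
mkfs.ext4 -L root /dev/fdv/root || die "mkfs.ext4 on /dev/fdv/root failed"
# end of lvm setup
# UUID of the opened mapping (the LVM PV), handed to mkinitrd -C below.
# NOTE(review): this is not the LUKS UUID captured in lvmdev - confirm which of
# the two mkinitrd -C is meant to receive before changing either.
lvm=$(blkid -c /dev/null -s UUID -o value /dev/mapper/fdp)
echo "lvm=$lvm"
[[ -n "$lvm" ]] || die "no UUID found for /dev/mapper/fdp"
mount /dev/fdv/root /mnt/broot || die "cannot mount /dev/fdv/root on /mnt/broot"
#
# the boot and root content are stored in those explicit directories to be copied now...
# (cp -a of the directory itself into /mnt lands it on the mount of the same name)
#
echo "copying boot..."
time cp -a "$BOOT_SRC" /mnt || die "copying $BOOT_SRC failed"
echo "copying root..."
time cp -a "$ROOT_SRC" /mnt || die "copying $ROOT_SRC failed"
mount -o bind /proc /mnt/broot/proc || die "bind mount of /proc failed"
mount -o bind /sys /mnt/broot/sys || die "bind mount of /sys failed"
mount -o bind /dev /mnt/broot/dev || die "bind mount of /dev failed"
#
# jhlilo mounts boot, runs mkinitrd and lilo, umounts boot and exits...
# (the self-delete is still commented out, so /jhlilo stays on the finished root)
# $p_boot, $KERNEL_VERSION and $lvm are expanded now, while writing the script
#
cat >/mnt/broot/jhlilo <<EOF1
mount $p_boot /boot
cd /boot
mkinitrd -c -k $KERNEL_VERSION -m ext4 twofish -f ext4 -r /dev/fdv/root -C UUID="$lvm" -l uk -L -K LABEL=xfer:/originalpassword.luks
lilo
umount /boot
#rm /jhlilo
exit
EOF1
#
cat >/mnt/broot/etc/lilo.conf <<EOF2
boot = $drive
lba32
compact
# Append any additional kernel parameters:
append=" vt.default_utf8=0 noacpi"
menu-title="USB flash drive boot screen"
vga = 773
image = /boot/vmlinuz-generic-smp-$KERNEL_VERSION
initrd = /boot/initrd.gz
root = /dev/fdv/root
label = normally
read-only # Partitions should be mounted read-only for checking
EOF2
#
echo "initializing lilo..."
chmod +x /mnt/broot/jhlilo
chroot /mnt/broot ./jhlilo || die "jhlilo failed inside the chroot"
# explicit teardown here so the message really is the last thing; the EXIT trap
# then finds nothing left to do
cleanup
echo "the stick is now ready to boot, step1 ended."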
#