|
#!/bin/bash |
|
|
|
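#######################################
# mkinitcpio install hook: copy the OpenSC tools, the pcscd daemon, the
# CCID/ACS reader drivers and their shared libraries into the initramfs so the
# runtime hook can read a LUKS key from a smart card during early boot.
# Globals:   none (the unused 'local mod' of the original was dropped)
# Arguments: none
# Outputs:   none directly; add_binary/add_file/add_runscript are supplied by
#            mkinitcpio and stage files into the image
# Returns:   status of the last add_* call
#######################################
build() {
  local f p

  # OpenSC tools and libs
  for f in pkcs11-tool opensc-tool opensc-asn1 opensc-explorer; do
    add_binary "$f"
  done
  add_file "/etc/opensc.conf"
  for f in libsmm-local.so libsmm-local.so.6 libsmm-local.so.6.0.0; do
    add_file "/usr/lib/$f"
  done
  # NOTE(review): pkcs11-spy.so is OpenSC's debugging shim that logs PKCS#11
  # traffic; it is not needed for unlocking and is a candidate for removal
  # from the image — confirm nothing in the runtime hook depends on it.
  for f in opensc-pkcs11.so onepin-opensc-pkcs11.so pkcs11-spy.so; do
    add_file "/usr/lib/$f"
  done
  for f in onepin-opensc-pkcs11.so opensc-pkcs11.so pkcs11-spy.so; do
    add_file "/usr/lib/pkcs11/$f"
  done
  # Card profiles used by OpenSC's PKCS#15 layer; kept in the original order.
  for p in asepcos authentic cardos cyberflex entersafe epass2003 flex gids \
      gpk ias_adele_admin1 ias_adele_admin2 ias_adele_common iasecc \
      iasecc_admin_eid iasecc_generic_oberthur iasecc_generic_pki incrypto34 \
      isoApplet jcop miocos muscle myeid oberthur openpgp pkcs15 rutoken \
      rutoken_ecp rutoken_lite sc-hsm setcos starcos westcos; do
    add_file "/usr/share/opensc/$p.profile"
  done

  # PCSC card reader daemon
  add_binary "pcscd"
  for f in libpcsclite.so libpcsclite.so.1 libpcsclite.so.1.0.0 \
      libpcscspy.so libpcscspy.so.0 libpcscspy.so.0.0.0 \
      libusb-1.0.so libusb-1.0.so.0 libusb-1.0.so.0.2.0; do
    add_file "/usr/lib/$f"
  done

  # Needed to handle common card readers
  add_file "/usr/lib/pcsc/drivers/serial/libccidtwin.so"
  add_file "/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist"
  add_file "/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so"

  # ...and ACS card readers.
  add_file "/usr/lib/pcsc/drivers/ifd-acsccid.bundle/Contents/Info.plist"
  add_file "/usr/lib/pcsc/drivers/ifd-acsccid.bundle/Contents/Linux/libacsccid.so"

  # libusb-compat (for ACS)
  # NOTE(review): libusb-config is a build-time helper script, not a runtime
  # dependency of the driver — confirm it is really needed in the initramfs.
  add_binary "libusb-config"
  for f in libusb.so libusb-0.1.so.4 libusb-0.1.so.4.4.4; do
    add_file "/usr/lib/$f"
  done

  add_runscript
}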
|
|
|
#######################################
# Usage text shown by mkinitcpio for this hook: what gets installed and how
# the early-boot smart-card unlock sequence behaves.
# Globals:   none
# Arguments: none
# Outputs:   the help text, one line per element, to stdout
# Returns:   status of printf
#######################################
help() {
  # No expansions occur in this text, so fixed strings reproduce the
  # original heredoc output exactly.
  local -a text=(
    'This hook allows unlocking an encrypted root device using a LUKS key stored on'
    "a smart card. OpenSC and related tools are added to the initrd so that they're"
    'available for card manipulation during early boot.'
    ''
    'The way this works is that we run pcscd and wait for reader availability before'
    'the encrypt hook. If a reader is not detected, the hook continues regular boot.'
    'With a reader, the user is prompted to insert a card. If a card is still not'
    'available, continue regular boot. Then prompt to log into the card.'
    ''
    'A data object called "luks" is fetched via the pkcs11-tool. If the object does'
    "not exist or the user couldn't authenticate, we also continue regular boot."
    ''
    'The key file is placed in the location expected by the encrypt hook to be used'
    'a moment later in the boot process.'
  )
  printf '%s\n' "${text[@]}"
}