-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | README-dracut.md | 15 | ||||
-rw-r--r-- | README-mkinitcpio.md | 15 | ||||
-rw-r--r-- | bin/Makefile | 13 | ||||
-rw-r--r-- | bin/worker.c | 4 | ||||
-rw-r--r-- | bin/ykfde-cpio.c | 2 | ||||
-rw-r--r-- | bin/ykfde.c | 6 | ||||
-rw-r--r-- | config.def.h | 2 | ||||
-rwxr-xr-x | dracut/module-setup.sh | 7 | ||||
-rw-r--r-- | mkinitcpio/ykfde | 2 | ||||
-rw-r--r-- | systemd/ykfde-2f.service | 2 | ||||
-rw-r--r-- | systemd/ykfde-worker.service | 2 | ||||
-rw-r--r-- | systemd/ykfde.service | 2 |
13 files changed, 53 insertions, 23 deletions
@@ -6,7 +6,7 @@ CP := cp SED := sed # this is just a fallback in case you do not use git but downloaded # a release tarball... -VERSION := 0.7.6 +VERSION := 0.7.9 .DELETE_ON_ERROR: @@ -21,7 +21,7 @@ bin/ykfde: bin/ykfde.c config.h version.h bin/ykfde-cpio: bin/ykfde-cpio.c config.h version.h $(MAKE) -C bin ykfde-cpio -config.h: config.def.h +config.h: $(CP) config.def.h config.h version.h: $(wildcard .git/HEAD .git/index .git/refs/tags/*) Makefile diff --git a/README-dracut.md b/README-dracut.md index 108e2af..2d3a7a8 100644 --- a/README-dracut.md +++ b/README-dracut.md @@ -124,7 +124,8 @@ Build the initramfs: ### Boot loader Make sure to load the cpio archive `/boot/ykfde-challenges.img` -as an additional initramfs. +as an additional initramfs. It has to be listed *after* microcode +updates (if available), but *before* main initramfs. With `grub` you need to list `ykfde-challenges.img` in configuration variable `GRUB_EARLY_INITRD_LINUX_CUSTOM` in `/etc/default/grub`: @@ -135,4 +136,16 @@ Then update your `grub` configuration by running: > grub-mkconfig -o /boot/grub/grub.cfg +A valid configuration for `systemd-boot` should be placed in +`/boot/loader/entries/default.conf` and look something like this: + +``` +title Default +linux /vmlinuz-linux +initrd /intel-ucode.img +initrd /ykfde-challenges.img +initrd /initramfs-linux.img +options root=... rw quiet +``` + Reboot and have fun! diff --git a/README-mkinitcpio.md b/README-mkinitcpio.md index ae1d420..31a3047 100644 --- a/README-mkinitcpio.md +++ b/README-mkinitcpio.md @@ -128,7 +128,8 @@ Now rebuild your initramfs with: ### Boot loader Make sure to load the cpio archive `/boot/ykfde-challenges.img` -as an additional initramfs. +as an additional initramfs. It has to be listed *after* microcode +updates (if available), but *before* main initramfs. With `grub` you need to list `ykfde-challenges.img` in configuration variable `GRUB_EARLY_INITRD_LINUX_CUSTOM` in `/etc/default/grub`: 
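Review bot: In the second Makefile hunk, the `config.h:` rule now has no prerequisite, so an existing `config.h` is never refreshed when `config.def.h` changes, while the recipe still reads `config.def.h` without declaring it. If the intent is to protect a locally edited `config.h` from being overwritten, state that next to the rule, e.g. `# no normal prerequisite on purpose: never overwrite a locally edited config.h`. An order-only edge, `config.h: | config.def.h`, would keep the dependency in the graph without triggering a rebuild on timestamps. A stale `config.h` after an upgrade silently keeps old defaults in the built binaries, so the upgrade path deserves a sentence in the README as well.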
@@ -139,4 +140,16 @@ Then update your `grub` configuration by running: > grub-mkconfig -o /boot/grub/grub.cfg +A valid configuration for `systemd-boot` should be placed in +`/boot/loader/entries/default.conf` and look something like this: + +``` +title Default +linux /vmlinuz-linux +initrd /intel-ucode.img +initrd /ykfde-challenges.img +initrd /initramfs-linux.img +options root=... rw quiet +``` + Reboot and have fun! diff --git a/bin/Makefile b/bin/Makefile index 67d3066..e1c8ed2 100644 --- a/bin/Makefile +++ b/bin/Makefile @@ -4,17 +4,22 @@ INSTALL := install RM := rm # flags CFLAGS += -std=gnu11 -O2 -fPIC -Wall -Werror -CFLAGS_YUBIKEY += -liniparser -lkeyutils -lykpers-1 -lyubikey -CFLAGS_SYSTEMD += $(shell pkg-config --cflags --libs libsystemd 2>/dev/null) +CFLAGS_EXTRA += $(shell pkg-config --cflags --libs iniparser) +CFLAGS_EXTRA += $(shell pkg-config --cflags --libs libkeyutils) +CFLAGS_EXTRA += $(shell pkg-config --cflags --libs ykpers-1) -lyubikey +CFLAGS_SYSTEMD := $(shell pkg-config --cflags --libs libsystemd 2>/dev/null) +ifneq ($(CFLAGS_SYSTEMD),) +CFLAGS_EXTRA += -DHAVE_SYSTEMD $(CFLAGS_SYSTEMD) +endif LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie all: worker ykfde ykfde-cpio worker: worker.c ../config.h - $(CC) worker.c $(CFLAGS) $(CFLAGS_YUBIKEY) $(CFLAGS_SYSTEMD) $(LDFLAGS) -o worker + $(CC) worker.c $(CFLAGS) $(CFLAGS_EXTRA) $(LDFLAGS) -o worker ykfde: ykfde.c ../config.h ../version.h - $(CC) ykfde.c $(CFLAGS) $(CFLAGS_YUBIKEY) $(CFLAGS_SYSTEMD) -lcryptsetup $(LDFLAGS) -o ykfde + $(CC) ykfde.c $(CFLAGS) $(CFLAGS_EXTRA) -lcryptsetup $(LDFLAGS) -o ykfde ykfde-cpio: ykfde-cpio.c ../config.h ../version.h $(CC) ykfde-cpio.c $(CFLAGS) -larchive $(LDFLAGS) -o ykfde-cpio diff --git a/bin/worker.c b/bin/worker.c index 3c0c7d3..a32ed09 100644 --- a/bin/worker.c +++ b/bin/worker.c 
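Review bot: The three new `CFLAGS_EXTRA += $(shell pkg-config …)` lines in bin/Makefile do not handle a failed lookup: when a `.pc` file is missing the variable simply receives nothing, and the build only stops later at compile or link time with a less direct message. Because `+=` on a previously unset variable creates a recursively expanded one, each `$(shell …)` is also re-run every time a recipe expands `$(CFLAGS_EXTRA)`. Resolving once and failing early covers both, e.g. `YK_DEPS := $(shell pkg-config --cflags --libs iniparser libkeyutils ykpers-1)` followed by `$(if $(strip $(YK_DEPS)),,$(error pkg-config could not resolve the ykfde dependencies))`. The new `-DHAVE_SYSTEMD` define only has an effect if the sources guard `#include <systemd/sd-daemon.h>` with it; the context lines of bin/worker.c and bin/ykfde.c show that include, but whether it is guarded is not visible in this diff.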
@@ -1,5 +1,5 @@ /* - * (C) 2014-2020 by Christian Hesse <mail@eworm.de> + * (C) 2014-2025 by Christian Hesse <mail@eworm.de> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -33,7 +33,7 @@ #include <systemd/sd-daemon.h> -#include <iniparser.h> +#include <iniparser/iniparser.h> #include <keyutils.h> diff --git a/bin/ykfde-cpio.c b/bin/ykfde-cpio.c index 7e98443..8259d73 100644 --- a/bin/ykfde-cpio.c +++ b/bin/ykfde-cpio.c @@ -1,5 +1,5 @@ /* - * (C) 2014-2020 by Christian Hesse <mail@eworm.de> + * (C) 2014-2025 by Christian Hesse <mail@eworm.de> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/bin/ykfde.c b/bin/ykfde.c index 52ad370..82401f5 100644 --- a/bin/ykfde.c +++ b/bin/ykfde.c @@ -1,5 +1,5 @@ /* - * (C) 2014-2020 by Christian Hesse <mail@eworm.de> + * (C) 2014-2025 by Christian Hesse <mail@eworm.de> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,7 +30,7 @@ #include <systemd/sd-daemon.h> -#include <iniparser.h> +#include <iniparser/iniparser.h> #include <keyutils.h> @@ -304,7 +304,7 @@ int main(int argc, char **argv) { We generate an array of unsigned int, the use modulo to limit to printable ASCII characters (32 to 127). */ if ((len = getrandom(challenge_int, CHALLENGELEN * sizeof(unsigned int), GRND_RANDOM|GRND_NONBLOCK)) != CHALLENGELEN * sizeof(unsigned int)) - getrandom((void *)((size_t)challenge_int + len), CHALLENGELEN * sizeof(unsigned int) - len, 0); + len += getrandom((void *)((size_t)challenge_int + len), CHALLENGELEN * sizeof(unsigned int) - len, 0); for (i = 0; i < CHALLENGELEN; i++) challenge_new[i] = (challenge_int[i] % (127 - 32)) + 32; diff --git a/config.def.h b/config.def.h index 18e0875..e5fe664 100644 --- a/config.def.h 
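Review bot: In the third bin/ykfde.c hunk, the new `len +=` still leaves both getrandom() results unchecked: the first call uses `GRND_NONBLOCK` and can return -1, in which case `challenge_int + len` points one byte before the buffer and the requested size grows by one, and the accumulated `len` is not compared with the expected size before `challenge_new` is derived from `challenge_int` (as far as the hunk shows). A short or failed second call would then produce a challenge built partly from whatever the buffer already held. I would collect the bytes in a loop that treats a negative return as an error and continues only until the buffer is full, as sketched below; the error exit should follow main()'s existing failure path, which lies outside this hunk. The type of `len` is not visible here, so the sketch uses its own locals.

```c
/* … unchanged: comment describing the challenge generation … */
size_t want = CHALLENGELEN * sizeof(unsigned int);
size_t have = 0;
ssize_t got = getrandom(challenge_int, want, GRND_RANDOM|GRND_NONBLOCK);

if (got > 0)
	have = (size_t)got;
while (have < want) {
	got = getrandom((unsigned char *)challenge_int + have, want - have, 0);
	if (got < 0) {
		/* fail closed: never derive a challenge from a partly filled
		 * buffer; use main()'s usual error exit (not visible in this hunk) */
		return EXIT_FAILURE;
	}
	have += (size_t)got;
}
/* … unchanged: loop mapping challenge_int to printable ASCII … */
```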
+++ b/config.def.h @@ -1,5 +1,5 @@ /* - * (C) 2014-2020 by Christian Hesse <mail@eworm.de> + * (C) 2014-2025 by Christian Hesse <mail@eworm.de> * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh index a7cce66..901cd2d 100755 --- a/dracut/module-setup.sh +++ b/dracut/module-setup.sh @@ -14,18 +14,17 @@ install() { inst_rules "$moddir/20-ykfde.rules" inst_hook cmdline 30 "$moddir/parse-mod.sh" inst_simple "$moddir/ykfde.sh" /sbin/ykfde.sh - inst_simple /usr/lib/ykfde/worker + inst_binary /usr/lib/ykfde/worker inst_simple /etc/ykfde.conf inst_simple /usr/lib/systemd/system/ykfde-worker.service ln_r $systemdsystemunitdir/ykfde-worker.service $systemdsystemunitdir/sysinit.target.wants/ykfde-worker.service # this is required for second factor - if egrep -qi 'second factor = (yes|true|1)' /etc/ykfde.conf; then + if grep -E -qi 'second factor = (yes|true|1)' /etc/ykfde.conf; then inst_simple /usr/lib/systemd/system/cryptsetup-pre.target inst_simple /usr/lib/systemd/system/ykfde-2f.service ln_r $systemdsystemunitdir/ykfde-2f.service $systemdsystemunitdir/sysinit.target.wants/ykfde-2f.service - inst_simple /usr/bin/systemd-ask-password - + inst_binary /usr/bin/systemd-ask-password fi dracut_need_initqueue diff --git a/mkinitcpio/ykfde b/mkinitcpio/ykfde index 3e8e485..adb403c 100644 --- a/mkinitcpio/ykfde +++ b/mkinitcpio/ykfde @@ -9,7 +9,7 @@ build() { add_symlink /usr/lib/systemd/system/sysinit.target.wants/ykfde-worker.service ../ykfde-worker.service # this is required for second factor - if egrep -qi 'second factor = (yes|true|1)' /etc/ykfde.conf; then + if grep -E -qi 'second factor = (yes|true|1)' /etc/ykfde.conf; then add_systemd_unit cryptsetup-pre.target add_systemd_unit ykfde-2f.service add_symlink /usr/lib/systemd/system/sysinit.target.wants/ykfde-2f.service ../ykfde-2f.service 
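Review bot: The `grep -E -qi 'second factor = (yes|true|1)'` test in dracut/module-setup.sh (and the identical line in the mkinitcpio/ykfde hunk) is unanchored and fixed to single spaces around `=`, so a commented-out line such as `# second factor = yes` or a value like `10` matches, while `second factor=yes` does not. If the runtime parser accepts other spacing (not visible in this diff), the initramfs could be built without `ykfde-2f.service` although the configuration asks for a second factor. Anchoring the pattern and relaxing the whitespace keeps the image in step with the configuration: `grep -Eqi '^[[:space:]]*second factor[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' /etc/ykfde.conf`. Both `install()` and `build()` continue outside their hunks.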
diff --git a/systemd/ykfde-2f.service b/systemd/ykfde-2f.service index 93b94d5..bf9b6e3 100644 --- a/systemd/ykfde-2f.service +++ b/systemd/ykfde-2f.service @@ -1,4 +1,4 @@ -# (C) 2016-2020 by Christian Hesse <mail@eworm.de> +# (C) 2016-2025 by Christian Hesse <mail@eworm.de> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/systemd/ykfde-worker.service b/systemd/ykfde-worker.service index 20a03ff..bee2c20 100644 --- a/systemd/ykfde-worker.service +++ b/systemd/ykfde-worker.service @@ -1,4 +1,4 @@ -# (C) 2016-2020 by Christian Hesse <mail@eworm.de> +# (C) 2016-2025 by Christian Hesse <mail@eworm.de> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/systemd/ykfde.service b/systemd/ykfde.service index 7d989bb..768f0fd 100644 --- a/systemd/ykfde.service +++ b/systemd/ykfde.service @@ -1,4 +1,4 @@ -# (C) 2016-2020 by Christian Hesse <mail@eworm.de> +# (C) 2016-2025 by Christian Hesse <mail@eworm.de> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by |