| #!/bin/bash |
| |
| # Copyright 2022 Google LLC |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # https://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| set -o errexit |
| set -o pipefail |
| set -o nounset |
| |
| if [[ -z "$1" ]]; then |
| echo "Usage: protect-stateful-partition.sh <block device of stateful partition>" |
| exit 1 |
| fi |
| |
| UNDERLYING_BLOCK_DEVICE=$1 |
| |
| mkdir -p /tmp/integrity_fs |
| head -c 32 /dev/random > /tmp/integrity_fs/stateful_partition_key |
| |
| |
| /sbin/cryptsetup -v --type luks2 --cipher "aes-gcm-random" --integrity aead \ |
| --key-file /tmp/integrity_fs/stateful_partition_key --key-size 256 \ |
| --sector-size 4096 --pbkdf pbkdf2 --iter-time 1 \ |
| luksFormat "${UNDERLYING_BLOCK_DEVICE}" |
| |
| /sbin/cryptsetup -v --type luks2 \ |
| --key-file /tmp/integrity_fs/stateful_partition_key \ |
| --integrity-no-journal \ |
| open "${UNDERLYING_BLOCK_DEVICE}" protected_stateful_partition |
| |
| /sbin/mkfs -t ext4 -E lazy_journal_init /dev/mapper/protected_stateful_partition |
| |
| rm /tmp/integrity_fs/stateful_partition_key |
| rmdir /tmp/integrity_fs |
