4. Rescue System
Info
A feature request has been opened to have SystemRescue support "measured boot".
While still on SystemRescue and not yet inside the chroot, download the SystemRescue .iso file and build a customised one from it.
4.1. Downloads And Verification
Prepare the working directory:
mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd && \
chown meh:meh /mnt/gentoo/etc/gentoo-installation/systemrescuecd && \
echo -e "\e[1;32mSUCCESS\e[0m"
Import the GnuPG public key used to sign the SystemRescue .iso:
su -l meh -c "
mkdir --mode=0700 /tmp/gpg_home_dir_systemrescue && \
curl -fsSL --proto '=https' --tlsv1.3 https://www.system-rescue.org/security/signing-keys/gnupg-pubkey-fdupoux-20210704-v001.pem | gpg --homedir /tmp/gpg_home_dir_systemrescue --import && \
gpg --homedir /tmp/gpg_home_dir_systemrescue --import-ownertrust <<<'62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9:6:' && \
gpgconf --homedir /tmp/gpg_home_dir_systemrescue --kill all && \
echo -e '\e[1;32mSUCCESS\e[0m'
"
Download the .iso and .asc files:
rescue_system_version="$(su -l meh -c "curl -fsS --proto '=https' --tlsv1.3 https://gitlab.com/systemrescue/systemrescue-sources/-/raw/main/VERSION")" && \
su -l meh -c "
curl --continue-at - -L --proto '=https' --tlsv1.2 --ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20' --output /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso \"https://fastly-cdn.system-rescue.org/releases/${rescue_system_version}/systemrescue-${rescue_system_version}-amd64.iso\" && \
curl -fsSL --proto '=https' --tlsv1.3 --output /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso.asc \"https://www.system-rescue.org/releases/${rescue_system_version}/systemrescue-${rescue_system_version}-amd64.iso.asc\" && \
echo -e '\e[1;32mSUCCESS\e[0m'
"
Verify the .iso file with GnuPG:
su -l meh -c '
gpg_status="$(gpg --homedir /tmp/gpg_home_dir_systemrescue --batch --status-fd 1 --verify /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso.asc /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso 2>/dev/null)" && \
gpgconf --homedir /tmp/gpg_home_dir_systemrescue --kill all && \
grep -E -q "^\[GNUPG:\][[:space:]]+GOODSIG[[:space:]]+" <<< "${gpg_status}" && \
grep -E -q "^\[GNUPG:\][[:space:]]+VALIDSIG[[:space:]]+" <<< "${gpg_status}" && \
grep -E -q "^\[GNUPG:\][[:space:]]+TRUST_ULTIMATE[[:space:]]+" <<< "${gpg_status}" && \
echo -e "\e[1;32mSUCCESS (1/2)\e[0m"
' && \
chown -R 0:0 /mnt/gentoo/etc/gentoo-installation/systemrescuecd && \
echo -e "\e[1;32mSUCCESS (2/2)\e[0m"
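The three grep checks above confirm that some good signature from some ultimately trusted key was found; they never compare the signing key against the fingerprint that was imported with --import-ownertrust. The shell function below is an added example (not the guide's own code) that parses the same `--status-fd` output and additionally pins the fingerprint, so a signature from any other key, or from the right key after it has expired, is rejected. The status lines it is run on are constructed samples, not real gpg output; the fingerprint is the one the guide imports.

```shell
#!/bin/sh
# Added example, not part of the guide: accept a detached signature only if
# gpg's status output names the pinned SystemRescue key.  The guide's three
# greps (GOODSIG, VALIDSIG, TRUST_ULTIMATE) never look at *which* key signed;
# pinning the fingerprint closes that gap and also rejects expired/revoked keys.
# Fingerprint below is the one the guide imports with --import-ownertrust.
SYSRESCUE_FPR=62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9

# check_gpg_status EXPECTED_PRIMARY_FPR   (status-fd lines on stdin)
# Field layout per gnupg doc/DETAILS:
#   VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo> <hashalgo> <class> [<primary-fpr>]
# so with "[GNUPG:]" as $1, the signing key is $3 and the primary key is $12.
check_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { valid = 1 }
        $2 ~ /^TRUST_(ULTIMATE|FULLY)$/ { trusted = 1 }
        END { exit (good && valid && trusted && !bad) ? 0 : 1 }
    '
}

# Constructed status output (not real gpg output): valid signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9 0
[GNUPG:] GOODSIG 3B0FEA9BE13CA3C9 SystemRescue signing key (constructed sample)
[GNUPG:] VALIDSIG 62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9 2024-01-01 1704067200 0 4 0 1 10 01 62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: a good, ultimately trusted signature from some *other* key.
# GOODSIG/VALIDSIG/TRUST_ULTIMATE are all present, so grep alone would pass it.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC Unrelated key (constructed sample)
[GNUPG:] VALIDSIG CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 2024-01-01 1704067200 0 4 0 1 10 01 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: correct key, but expired at verification time.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 3B0FEA9BE13CA3C9 SystemRescue signing key (constructed sample)
[GNUPG:] VALIDSIG 62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9 2024-01-01 1704067200 0 4 0 1 10 01 62989046EB5C7E985ECDF5DD3B0FEA9BE13CA3C9
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# verdict LABEL STATUS_TEXT -> prints whether the pinned check accepts the sample
verdict() {
    if printf '%s\n' "$2" | check_gpg_status "$SYSRESCUE_FPR"; then
        echo "$1: accepted"
    else
        echo "$1: REJECTED"
    fi
}

verdict "pinned key"  "$SAMPLE_GOOD"
verdict "other key"   "$SAMPLE_OTHER_KEY"
verdict "expired key" "$SAMPLE_EXPIRED"

# In the guide's verify step the three grep lines can be replaced by:
#   printf '%s\n' "${gpg_status}" | check_gpg_status "$SYSRESCUE_FPR"
```

Keeping `2>/dev/null` on the gpg call is fine with this check, because every decision is taken on the machine-readable status lines rather than on the human-readable messages.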
4.2. Configuration
Create the folder structure which will contain SystemRescue customisations:
mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd/{recipe/{iso_delete,iso_add/{autorun,sysresccd,sysrescue.d},iso_patch_and_script,build_into_srm/{etc/sysctl.d,usr/local/sbin}},work} && \
echo -e "\e[1;32mSUCCESS\e[0m"
Disable the "magic SysRq" key for security reasons:
echo "kernel.sysrq = 0" > /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/sysctl.d/99sysrq.conf && \
echo -e "\e[1;32mSUCCESS\e[0m"
Copy chroot.sh created by disk.sh:
rsync -av --numeric-ids --chown=0:0 --chmod=u=rwx,go=r /tmp/chroot.sh /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/usr/local/sbin/ && \
echo -e "\e[1;32mSUCCESS\e[0m"
Copy the firewall script:
# set firewall rules upon bootup.
rsync -av --numeric-ids --chown=0:0 --chmod=u=rw,go=r /tmp/firewall.sh /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/autorun/autorun && \
echo -e "\e[1;32mSUCCESS\e[0m"
Create the settings YAML (copy&paste one command after the other):
# set the password you want to use to login via TTY on the rescue system
crypt_pass="$(openssl passwd -6)"
# set default settings
echo "\
---
global:
    copytoram: true
    checksum: true
    nofirewall: true
    loadsrm: true
    setkmap: de-latin1-nodeadkeys
    dostartx: false
    dovnc: false
    rootshell: /bin/bash
    rootcryptpass: '${crypt_pass}'
autorun:
    ar_disable: false
    ar_nowait: true
    ar_nodel: false
    ar_ignorefail: false\
" > /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/sysrescue.d/500-settings.yaml
# unset the password variable
unset crypt_pass
Integrate additional packages required for chroot.sh to work:
pacman -Sy clevis efitools libpwquality luksmeta sbctl sbsigntools systemd-ukify tpm2-tools && \
cowpacman2srm /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/sysresccd/zz_additional_packages.srm && \
echo -e "\e[1;32mSUCCESS\e[0m"
4.3. (Optional) SSH Server
Info
This section is only required if you want to access the rescue system over SSH.
Take care of public key authentication (copy&paste one command after the other):
mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root/.ssh
# add your ssh public keys to
# /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root/.ssh/authorized_keys
# set correct modes
chmod u=rwx,g=rx,o= /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root
chmod -R u=rwX,go= /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/root/.ssh
Configure the SSH server:
mkdir -p /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh && \
rsync -a /etc/ssh/sshd_config /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config && \
# do some ssh server hardening
sed -i \
-e 's/^#Port 22$/Port 50023/' \
-e 's/^#X11Forwarding no$/X11Forwarding no/' /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config && \
echo "
AuthenticationMethods publickey" >> /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config && \
# create ssh_host_* files in build_into_srm/etc/ssh/
ssh-keygen -A -f /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm && \
{ diff /etc/ssh/sshd_config /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/sshd_config || true; } && \
echo -e "\e[1;32mSUCCESS\e[0m"
Open the SSH port:
echo "
iptables -A INPUT -p tcp --dport 50023 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 50023 -j ACCEPT" >> /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/iso_add/autorun/autorun
Write down fingerprints to double check upon initial SSH connection to the rescue system:
find /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/ -type f -name "ssh_host*\.pub" -exec ssh-keygen -vlf {} \; && \
echo -e "\e[1;32mSUCCESS\e[0m"
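Writing the fingerprints down works, but since the host keys are generated here, on the installing machine, the client can be seeded with them directly and never has to accept an unknown key on first connection. The functions below are an added example (not from the guide): one derives the SHA256 fingerprint exactly as `ssh-keygen -lf` does, the other turns a host public key into a known_hosts entry that uses the `[host]:port` form required for the non-default port 50023. They assume GNU coreutils (`base64 -d`, `sha256sum`) and a POSIX awk, and run on a constructed, all-zero ed25519 public key standing in for ssh_host_ed25519_key.pub.

```shell
#!/bin/sh
# Added example, not from the guide: compute the SHA256 fingerprint that
# `ssh-keygen -lf` prints and build a known_hosts entry from the host keys
# generated into build_into_srm/etc/ssh/, so the client can be seeded before
# the first connection instead of comparing a hand-written fingerprint.
# Assumes GNU coreutils (base64 -d, sha256sum) and a POSIX awk.

# ssh_fingerprint PUBFILE -> "SHA256:<43 base64 chars>"
# OpenSSH defines the SHA256 fingerprint as base64(sha256(key blob)) with the
# trailing "=" padding removed.  The base64 step is done in awk on the hex
# digest so no binary-to-base64 tool is needed.
ssh_fingerprint() {
    awk '{ print $2; exit }' "$1" | base64 -d | sha256sum | awk '
        BEGIN {
            hex = "0123456789abcdef"
            b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        }
        {
            bits = ""
            for (i = 1; i <= 64; i++) {            # 64 hex digits -> 256 bits
                v = index(hex, substr($1, i, 1)) - 1
                for (b = 3; b >= 0; b--) bits = bits (int(v / 2^b) % 2)
            }
            bits = bits "00"                       # pad to 258 = 43 * 6 bits
            out = "SHA256:"
            for (i = 1; i <= 258; i += 6) {
                v = 0
                for (j = 0; j < 6; j++) v = v * 2 + substr(bits, i + j, 1)
                out = out substr(b64, v + 1, 1)
            }
            print out
        }'
}

# known_hosts_line HOST PORT PUBFILE -> one known_hosts entry.
# OpenSSH looks up "[host]:port" for non-default ports and bare "host" for 22,
# which matters here because the guide moves sshd to port 50023.
known_hosts_line() {
    awk -v host="$1" -v port="$2" '{
        name = (port == 22) ? host : "[" host "]:" port
        print name, $1, $2
        exit
    }' "$3"
}

# Constructed sample public key (all-zero ed25519 point, not a real host key),
# standing in for build_into_srm/etc/ssh/ssh_host_ed25519_key.pub.
SAMPLE_KEY_B64="AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%43s' '' | tr ' ' A)"
SAMPLE_PUB=$(mktemp)
printf 'ssh-ed25519 %s root@sysrescue\n' "$SAMPLE_KEY_B64" > "$SAMPLE_PUB"

echo "fingerprint: $(ssh_fingerprint "$SAMPLE_PUB")"
echo "known_hosts: $(known_hosts_line rescue.example.internal 50023 "$SAMPLE_PUB")"

# For the real keys, run against the recipe directory and append to the
# client's known_hosts (hostname/IP is whatever the rescue system will use):
#   for k in /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe/build_into_srm/etc/ssh/ssh_host_*.pub; do
#       known_hosts_line <rescue-host-or-ip> 50023 "$k"
#   done >> ~/.ssh/known_hosts
```

Because the entry carries the port, `ssh -p 50023 root@<rescue-host-or-ip>` matches it directly; the fingerprint function is only there to show what `ssh-keygen -lf` prints and to cross-check the two paths against each other.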
4.4. Folder Structure
After running through the steps above, you should have the following file/folder structure.
With the optional SSH server from section 4.3:
❯ tree -a /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
/mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
├── build_into_srm
│   ├── etc
│   │   ├── ssh
│   │   │   ├── sshd_config
│   │   │   ├── ssh_host_ecdsa_key
│   │   │   ├── ssh_host_ecdsa_key.pub
│   │   │   ├── ssh_host_ed25519_key
│   │   │   ├── ssh_host_ed25519_key.pub
│   │   │   ├── ssh_host_rsa_key
│   │   │   └── ssh_host_rsa_key.pub
│   │   └── sysctl.d
│   │       └── 99sysrq.conf
│   ├── root
│   │   └── .ssh
│   │       └── authorized_keys
│   └── usr
│       └── local
│           └── sbin
│               └── chroot.sh
├── iso_add
│   ├── autorun
│   │   └── autorun
│   ├── sysresccd
│   │   └── zz_additional_packages.srm
│   └── sysrescue.d
│       └── 500-settings.yaml
├── iso_delete
└── iso_patch_and_script

16 directories, 13 files
Without the SSH server:
❯ tree -a /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
/mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe
├── build_into_srm
│   ├── etc
│   │   └── sysctl.d
│   │       └── 99sysrq.conf
│   └── usr
│       └── local
│           └── sbin
│               └── chroot.sh
├── iso_add
│   ├── autorun
│   │   └── autorun
│   ├── sysresccd
│   │   └── zz_additional_packages.srm
│   └── sysrescue.d
│       └── 500-settings.yaml
├── iso_delete
└── iso_patch_and_script

13 directories, 5 files
4.5. ISO And Rescue Partition
Create an installation medium with the above changes:
sysrescue-customize \
--auto --overwrite \
-s /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue.iso \
-d /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue_custom.iso \
-r /mnt/gentoo/etc/gentoo-installation/systemrescuecd/recipe \
-w /mnt/gentoo/etc/gentoo-installation/systemrescuecd/work && \
echo -e "\e[1;32mSUCCESS\e[0m"
Copy the content of the custom installation medium to the "rescue" partition:
mkdir /mnt/iso /mnt/gentoo/mnt/rescue && \
mount -o loop,ro /mnt/gentoo/etc/gentoo-installation/systemrescuecd/systemrescue_custom.iso /mnt/iso && \
mount -o noatime /mnt/gentoo/mapperRescue /mnt/gentoo/mnt/rescue && \
rsync -HAXSacv --delete /mnt/iso/{autorun,sysresccd,sysrescue.d} /mnt/gentoo/mnt/rescue/ && \
umount /mnt/iso && \
echo -e "\e[1;32mSUCCESS\e[0m"
4.6. Kernel Installation
Create the unified kernel image which will be used to boot the rescue system:
ukify build \
--linux=/mnt/gentoo/mnt/rescue/sysresccd/boot/x86_64/vmlinuz \
--initrd=/mnt/gentoo/mnt/rescue/sysresccd/boot/x86_64/sysresccd.img \
--cmdline="cryptdevice=UUID=$(blkid -s UUID -o value /mnt/gentoo/devRescue):root root=/dev/mapper/root archisobasedir=sysresccd archisolabel=rescue31415fs noautologin loadsrm=y" \
--os-release=@/usr/lib/os-release \
--output=/tmp/systemrescuecd.efi && \
while read -r my_esp; do
mkdir "${my_esp/devE/boot\/e}" && \
mount -o noatime,dmask=0027,fmask=0137 "${my_esp}" "${my_esp/devE/boot\/e}" && \
rsync -av "/tmp/systemrescuecd.efi" "${my_esp/devE/boot\/e}/" && \
echo -e "\e[1;32mSUCCESS\e[0m"
done < <(find /mnt/gentoo/devEfi* -maxdepth 0)