# Makefile for wireguard initramfs boot.
#
# Install roots. DESTDIR is not set in this file; when it is empty the paths
# below resolve to the live system (/etc, /usr/local). The assignments are
# recursive (=), so they are expanded at use time, after `config` is read.

# Key files and the runtime copy of `config` (see install_files).
TARGETDIR = $(DESTDIR)/etc/wireguard-initramfs
# Working directory for the TPM artifacts written by `seal`; relative to the
# directory make is run from.
TPMDIR = ./tpm
# initramfs-tools tree that receives the hook and the boot scripts.
INITRAMFS = $(DESTDIR)/etc/initramfs-tools
# The example configuration is installed below this directory.
DOCSDIR = $(DESTDIR)/usr/local/share/docs/wireguard-initramfs

# `config` is parsed here as makefile syntax; presumably this is where PCRS
# (used by `seal`) is defined - confirm. Most targets require root, so any
# make construct in that file is evaluated with root privileges: keep the
# file writable by root only.
include config
.PHONY: help
# help: print the usage summary. Read-only; nothing on the system is changed.
help:
	@printf '%s\n' \
		"USAGE:" \
		" make install" \
		" Install wireguard-initramfs and default configuration files." \
		" Requires additional configuration!" \
		"" \
		" make uninstall" \
		" Remove wireguard-initramfs from initramfs, leaves " \
		" $(TARGETDIR). Does not need to be installed." \
		"" \
		"Example configuration located at: $(DOCSDIR)" \
		""
.PHONY: root_check
# root_check: guard target that fails unless the effective uid is 0.
# It is a prerequisite of install_deps, install, seal, uninstall and
# remove_legacy; install_files does not list it.
root_check:
	@[ "$$(id -u)" = 0 ] || { echo "You must be root to perform this action."; exit 1; }
.PHONY: install_deps
# install_deps: refresh the apt package index, then install initramfs-tools.
# apt is called without -y, so it may stop and ask for confirmation.
# NOTE(review): the tpm2_* commands that `seal` calls are not installed here;
# confirm they are provided some other way before `make install` is run.
install_deps: root_check
	@apt update && \
		apt install initramfs-tools
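.PHONY: install_files
# install_files: create the configuration directory and empty key files, then
# install the runtime config, the initramfs-tools hook and boot scripts, and
# the example config.
#
# Not guarded by root_check; it is normally reached through `install`.
install_files:
	@mkdir -p "$(TARGETDIR)"
# Create the key files under a restrictive umask so they never exist with
# default permissions, not even for the instant before chmod runs. chmod is
# kept because touch leaves the mode of an already existing file unchanged.
	@umask 077 && touch "$(TARGETDIR)/private_key"
	@chmod 0600 "$(TARGETDIR)/private_key"
	@umask 077 && touch "$(TARGETDIR)/pre_shared_key"
	@chmod 0600 "$(TARGETDIR)/pre_shared_key"
# -n: an existing installed config is never overwritten, so local edits
# survive a re-install. A HANDLE line added to ./config after the first
# install is therefore not propagated to the installed copy.
	@cp -vn config "$(TARGETDIR)/config"
	@chmod 0644 "$(TARGETDIR)/config"
# No -m on the hook and boot scripts, so install's default mode applies; only
# the example config gets an explicit mode.
	@install -vD hooks "$(INITRAMFS)/hooks/wireguard"
	@install -vD init-premount "$(INITRAMFS)/scripts/init-premount/wireguard"
	@install -vD init-bottom "$(INITRAMFS)/scripts/init-bottom/wireguard"
	@install -vD -m0644 config "$(DOCSDIR)/examples/config"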
.PHONY: install
# install: full installation - root check, legacy cleanup, dependencies, TPM
# sealing, then file installation.
#
# Order matters: `seal` appends HANDLE to ./config and install_files then
# copies ./config into place, so sealing runs first.
# NOTE(review): `seal` reads $(TARGETDIR)/private_key, but that directory and
# file are only created by install_files, which runs afterwards. On a fresh
# system the key apparently has to be in place before `make install` - confirm.
install: root_check remove_legacy install_deps
	@echo "Sealing private key in tpm ..."
# The leading + runs the sub-make even under `make -n`.
	+$(MAKE) seal
	@echo "Done."
	@echo
	@echo "Installing wireguard-initramfs ..."
	+$(MAKE) install_files
	@echo "Done."
	@echo
# The initramfs is not rebuilt here; the operator is told to do it after
# editing the installed config.
	@echo "Setup $(TARGETDIR)/config and run:"
	@echo
	@echo " update-initramfs -u && update-grub"
	@echo
	@echo "Done."
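.PHONY: seal
# seal: seal $(TARGETDIR)/private_key into the TPM under a PCR policy and
# record the resulting persistent handle.
#
# Steps: create a primary key, compute a policy digest over the sha256 PCRs
# listed in PCRS, create the sealed object under that policy, make it
# persistent, write the handle to $(TPMDIR)/handle.txt and, if ./config holds
# no HANDLE entry yet, append one.
#
# PCRS is not defined in this Makefile; presumably it comes from `config`.
#
# NOTE(review): sealing does not remove the plaintext $(TARGETDIR)/private_key.
# Verify that the initramfs hook does not copy that file into the image;
# if it does, the key is readable without satisfying the TPM policy.
# NOTE(review): every run persists a new object, but HANDLE is only written to
# ./config when no HANDLE entry exists, so after a re-seal the config may
# still name the previous handle - confirm, and evict stale handles as needed.
seal: root_check
# Refuse to build a policy from an empty PCR selection.
	@[ -n "$(strip $(PCRS))" ] || { echo "PCRS is not set; define it in config." >&2; exit 1; }
	@mkdir -p "$(TPMDIR)"
	@tpm2_createprimary -c "$(TPMDIR)/primary.ctx"
# No --policy-session flag is passed, so this is presumably a trial session
# used only to compute the policy digest - confirm.
	@tpm2_startauthsession -S "$(TPMDIR)/session.ctx"
	@echo "Using PCRs $(PCRS)"
	@tpm2_policypcr -Q -S "$(TPMDIR)/session.ctx" -l "sha256:$(PCRS)" -L "$(TPMDIR)/policy.pol"
	@tpm2_flushcontext "$(TPMDIR)/session.ctx"
# NOTE(review): this call writes key.pub/key.priv, which the next tpm2_create
# writes again; it looks redundant - confirm before removing.
	@tpm2_create -C "$(TPMDIR)/primary.ctx" -u "$(TPMDIR)/key.pub" -r "$(TPMDIR)/key.priv"
	@tpm2_create -Q --hash-algorithm=sha256 --public="$(TPMDIR)/key.pub" --private="$(TPMDIR)/key.priv" --sealing-input="$(TARGETDIR)/private_key" --parent-context="$(TPMDIR)/primary.ctx" --policy="$(TPMDIR)/policy.pol" -c "$(TPMDIR)/seal.ctx"
# Handles are hexadecimal, so the pattern must accept a-f as well as digits;
# a digits-only class yields no match (and a failed recipe) for a handle such
# as 0x8100000a.
	@tpm2_evictcontrol -c "$(TPMDIR)/seal.ctx" | grep -Eo '0x[0-9a-fA-F]{8}' > "$(TPMDIR)/handle.txt"
	@grep -q 'HANDLE' config || echo "HANDLE=\"$$(cat $(TPMDIR)/handle.txt)\"" >> config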
.PHONY: uninstall
# uninstall: remove the initramfs-tools hook, the boot scripts and the docs.
# $(TARGETDIR) (config and key files) and the $(TPMDIR) artifacts are left in
# place, and nothing here evicts the persistent TPM object that `seal`
# created; remove those separately when decommissioning a host.
uninstall: root_check remove_legacy
	@echo "Uninstalling wireguard-initramfs ..."
	@for f in hooks/wireguard scripts/init-premount/wireguard scripts/init-bottom/wireguard; do \
		rm -f "$(INITRAMFS)/$$f" || exit $$?; \
	done
	@rm -rf "$(DOCSDIR)"
	@echo
	@echo "Done."
.PHONY: remove_legacy
# remove_legacy: delete the hook and boot scripts from the
# /usr/share/initramfs-tools tree. The paths are absolute and do not honour
# DESTDIR, so this always acts on the live system.
remove_legacy: root_check
	@for f in hooks/wireguard scripts/init-premount/wireguard scripts/init-bottom/wireguard; do \
		rm -f "/usr/share/initramfs-tools/$$f" || exit $$?; \
	done