Prompt for LUKS password at first boot

ks.cfg

@@ -0,0 +1,66 @@
+#version=DEVEL
+# System authorization information
+auth --enableshadow --passalgo=sha512
+# Use graphical install
+graphical
+# Run the Setup Agent on first boot
+firstboot --enable
+ignoredisk --only-use=sda
+# Keyboard layouts
+keyboard --vckeymap=us --xlayouts='us'
+# System language
+lang en_US.UTF-8
+
+# Network information
+network  --hostname=dom0
+# System timezone
+timezone UTC --isUtc
+#user --groups=wheel,qubes --name=user
+# X Window System configuration information
+xconfig  --startxonboot
+# System bootloader configuration
+bootloader --location=mbr --boot-drive=sda
+#Root password
+rootpw --lock
+# Partition clearing information
+clearpart --all --initlabel --drives=sda
+# Disk partitioning information
+autopart --type thinp --encrypted --passphrase="PleaseChangeMe"
+
+# Poweroff after installation
+poweroff
+
+%packages
+@^qubes-xfce
+@debian
+@whonix
+
+%end
+
+%post --nochroot
+
+set -e
+
+oem_dir=/run/install/repo/
+mkdir /mnt/sysimage/srv/formulas/base/nitrokey-formula/
+cp -a $oem_dir/nitrokey /mnt/sysimage/srv/formulas/base/nitrokey-formula/
+mkdir -p /mnt/sysimage/srv/salt/_tops/base
+ln -s /srv/formulas/base/nitrokey-formula/nitrokey/init.top \
+  /mnt/sysimage/srv/salt/_tops/base/nitrokey.top
+printf 'file_roots:\n  base:\n    - %s\n' \
+  '/srv/formulas/base/nitrokey-formula' \
+  > /mnt/sysimage/etc/salt/minion.d/formula-nitrokey.conf
+
+cp -a $oem_dir/purism/anaconda/* /mnt/sysimage/usr/share/anaconda/
+cp -a $oem_dir/purism/pyanaconda/* /mnt/sysimage/usr/lib64/python3.5/site-packages/pyanaconda/
+echo -n 'PleaseChangeMe' > /dev/shm/oldpass
+echo -n '' > /dev/shm/newpass
+cryptsetup luksChangeKey --key-file /dev/shm/oldpass /dev/sda2 /dev/shm/newpass
+
+%end
+
+%anaconda
+pwpolicy root --minlen=0 --minquality=1 --notstrict --nochanges --emptyok
+pwpolicy user --minlen=0 --minquality=1 --notstrict --nochanges --emptyok
+pwpolicy luks --minlen=0 --minquality=1 --notstrict --nochanges --emptyok
+%end

make-image.sh

@@ -5,22 +5,10 @@ command -v wget >/dev/null 2>&1 || { echo >&2 "Please install 'wget' first.  Abo
 
 set -xe
 
-if [ "$1" = "de" ]; then
-    mv ./ks-DE.cfg ./ks.cfg
-    echo Build DE
-elif [ "$1" = "en" ]; then
-    mv ./ks-EN.cfg ./ks.cfg
-    echo Build EN
-else
-    echo Select Language: ./make-image.sh en
-    exit
-fi
-
 # Basic parameters
 QUBES_RELEASE="R4.0.4"
-DEVICE="nitropad"
 RELEASE_ISO_FILENAME="Qubes-${QUBES_RELEASE}-x86_64.iso"
-CUSTOM_ISO_FILENAME="Qubes-${QUBES_RELEASE}-${DEVICE}-oem-x86_64-${1}.iso"
+CUSTOM_ISO_FILENAME="Qubes-${QUBES_RELEASE}-nitrokey-oem-x86_64.iso"
 
 UNPACKED_IMAGE_PATH="./unpacked-iso/"
 MBR_IMAGE_FILENAME="${RELEASE_ISO_FILENAME}.mbr"
@@ -47,6 +35,7 @@ pushd unpacked-iso
 cp ../isolinux.cfg isolinux/
 cp ../ks.cfg ./
 cp -r ../nitrokey ./
+cp -r ../purism ./
 popd
 
 # Build the new ISO

purism/pyanaconda/constants.py

@@ -0,0 +1,222 @@
+#
+# constants.py: anaconda constants
+#
+# Copyright (C) 2001  Red Hat, Inc.  All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Used for digits, ascii_letters, punctuation constants
+import string # pylint: disable=deprecated-module
+from pyanaconda.i18n import N_
+
+# Use -1 to indicate that the selinux configuration is unset
+SELINUX_DEFAULT = -1
+
+# where to look for 3rd party addons
+ADDON_PATHS = ["/usr/share/anaconda/addons"]
+
+from pykickstart.constants import AUTOPART_TYPE_LVM_THINP
+
+# common string needs to be easy to change
+from pyanaconda import product
+productName = product.productName
+productVersion = product.productVersion
+productArch = product.productArch
+bugzillaUrl = product.bugUrl
+isFinal = product.isFinal
+
+# for use in device names, eg: "fedora", "rhel"
+shortProductName = productName.lower()          # pylint: disable=no-member
+if productName.count(" "):                      # pylint: disable=no-member
+    shortProductName = ''.join(s[0] for s in shortProductName.split())
+
+# DriverDisc Paths
+DD_ALL = "/tmp/DD"
+DD_FIRMWARE = "/tmp/DD/lib/firmware"
+DD_RPMS = "/tmp/DD-*"
+
+TRANSLATIONS_UPDATE_DIR = "/tmp/updates/po"
+
+ANACONDA_CLEANUP = "anaconda-cleanup"
+MOUNT_DIR = "/run/install"
+DRACUT_REPODIR = "/run/install/repo"
+DRACUT_ISODIR = "/run/install/source"
+ISO_DIR = MOUNT_DIR + "/isodir"
+IMAGE_DIR = MOUNT_DIR + "/image"
+INSTALL_TREE = MOUNT_DIR + "/source"
+BASE_REPO_NAME = "anaconda"
+
+# NOTE: this should be LANG_TERRITORY.CODESET, e.g. en_US.UTF-8
+DEFAULT_LANG = "en_US.UTF-8"
+
+DEFAULT_VC_FONT = "eurlatgr"
+
+DEFAULT_KEYBOARD = "us"
+
+DRACUT_SHUTDOWN_EJECT = "/run/initramfs/usr/lib/dracut/hooks/shutdown/99anaconda-eject.sh"
+
+# VNC questions
+USEVNC = N_("Start VNC")
+USETEXT = N_("Use text mode")
+
+# Runlevel files
+TEXT_ONLY_TARGET = 'multi-user.target'
+GRAPHICAL_TARGET = 'graphical.target'
+
+# Network
+NETWORK_CONNECTION_TIMEOUT = 45  # in seconds
+NETWORK_CONNECTED_CHECK_INTERVAL = 0.1  # in seconds
+
+# DBus
+DEFAULT_DBUS_TIMEOUT = -1       # use default
+
+# Thread names
+THREAD_EXECUTE_STORAGE = "AnaExecuteStorageThread"
+THREAD_STORAGE = "AnaStorageThread"
+THREAD_STORAGE_WATCHER = "AnaStorageWatcher"
+THREAD_CHECK_STORAGE = "AnaCheckStorageThread"
+THREAD_CUSTOM_STORAGE_INIT = "AnaCustomStorageInit"
+THREAD_WAIT_FOR_CONNECTING_NM = "AnaWaitForConnectingNMThread"
+THREAD_PAYLOAD = "AnaPayloadThread"
+THREAD_PAYLOAD_RESTART = "AnaPayloadRestartThread"
+THREAD_INPUT_BASENAME = "AnaInputThread"
+THREAD_SYNC_TIME_BASENAME = "AnaSyncTime"
+THREAD_EXCEPTION_HANDLING_TEST = "AnaExceptionHandlingTest"
+THREAD_LIVE_PROGRESS = "AnaLiveProgressThread"
+THREAD_SOFTWARE_WATCHER = "AnaSoftwareWatcher"
+THREAD_CHECK_SOFTWARE = "AnaCheckSoftwareThread"
+THREAD_SOURCE_WATCHER = "AnaSourceWatcher"
+THREAD_INSTALL = "AnaInstallThread"
+THREAD_CONFIGURATION = "AnaConfigurationThread"
+THREAD_FCOE = "AnaFCOEThread"
+THREAD_ISCSI_DISCOVER = "AnaIscsiDiscoverThread"
+THREAD_ISCSI_LOGIN = "AnaIscsiLoginThread"
+THREAD_GEOLOCATION_REFRESH = "AnaGeolocationRefreshThread"
+THREAD_DATE_TIME = "AnaDateTimeThread"
+THREAD_TIME_INIT = "AnaTimeInitThread"
+THREAD_DASDFMT = "AnaDasdfmtThread"
+THREAD_KEYBOARD_INIT = "AnaKeyboardThread"
+THREAD_ADD_LAYOUTS_INIT = "AnaAddLayoutsInitThread"
+THREAD_NTP_SERVER_CHECK = "AnaNTPserver"
+
+# Geolocation constants
+
+# geolocation providers
+# - values are used by the geoloc CLI/boot option
+GEOLOC_PROVIDER_FEDORA_GEOIP = "provider_fedora_geoip"
+GEOLOC_PROVIDER_HOSTIP = "provider_hostip"
+GEOLOC_PROVIDER_GOOGLE_WIFI = "provider_google_wifi"
+# geocoding provider
+GEOLOC_GEOCODER_NOMINATIM = "geocoder_nominatim"
+# default providers
+GEOLOC_DEFAULT_PROVIDER = GEOLOC_PROVIDER_FEDORA_GEOIP
+GEOLOC_DEFAULT_GEOCODER = GEOLOC_GEOCODER_NOMINATIM
+# timeout (in seconds)
+GEOLOC_TIMEOUT = 3
+
+
+ANACONDA_ENVIRON = "anaconda"
+FIRSTBOOT_ENVIRON = "firstboot"
+
+# Tainted hardware
+UNSUPPORTED_HW = 1 << 28
+
+# Password validation
+PASSWORD_MIN_LEN = 8
+PASSWORD_EMPTY_ERROR = N_("The password is empty.")
+PASSWORD_CONFIRM_ERROR_GUI = N_("The passwords do not match.")
+PASSWORD_CONFIRM_ERROR_TUI = N_("The passwords you entered were different.  Please try again.")
+PASSWORD_WEAK = N_("The password you have provided is weak. %s")
+PASSWORD_WEAK_WITH_ERROR = N_("The password you have provided is weak: %s.")
+PASSWORD_WEAK_CONFIRM = N_("You have provided a weak password. Press Done again to use anyway.")
+PASSWORD_WEAK_CONFIRM_WITH_ERROR = N_("You have provided a weak password: %s. Press Done again to use anyway.")
+PASSWORD_ASCII = N_("The password you have provided contains non-ASCII characters. You may not be able to switch between keyboard layouts to login. Press Done to continue.")
+PASSWORD_DONE_TWICE = N_("You will have to press Done twice to confirm it.")
+
+PASSWORD_STRENGTH_DESC = [N_("Empty"), N_("Weak"), N_("Fair"), N_("Good"), N_("Strong")]
+
+PASSWORD_HIDE = N_("Hide password.")
+PASSWORD_SHOW = N_("Show password.")
+
+PASSWORD_HIDE_ICON = "anaconda-password-show-off"
+PASSWORD_SHOW_ICON = "anaconda-password-show-on"
+
+# LUKS Password validation
+LUKS_PASSWORD_MIN_LEN = 8
+LUKS_PASSWORD_EMPTY_ERROR = N_("The disk encryption password is empty.")
+LUKS_PASSWORD_CONFIRM_ERROR_GUI = N_("The disk encryption passwords do not match.")
+LUKS_PASSWORD_CONFIRM_ERROR_TUI = N_("The disk encryption passwords you entered were different.  Please try again.")
+LUKS_PASSWORD_WEAK = N_("The disk encryption password you have provided is weak. %s")
+LUKS_PASSWORD_WEAK_WITH_ERROR = N_("The disk encryption password you have provided is weak: %s.")
+LUKS_PASSWORD_WEAK_CONFIRM = N_("You have provided a weak disk encryption password. Press Done again to use anyway.")
+LUKS_PASSWORD_WEAK_CONFIRM_WITH_ERROR = N_("You have provided a weak disk encryption password: %s. Press Done again to use anyway.")
+LUKS_PASSWORD_ASCII = N_("The disk encryption password you have provided contains non-ASCII characters. You may not be able to switch between keyboard layouts to login. Press Done to continue.")
+LUKS_PASSWORD_DONE_TWICE = N_("You will have to press Done twice to confirm it.")
+
+LUKS_PASSWORD_STRENGTH_DESC = [N_("Empty"), N_("Weak"), N_("Fair"), N_("Good"), N_("Strong")]
+
+LUKS_PASSWORD_HIDE = N_("Hide disk encryption password.")
+LUKS_PASSWORD_SHOW = N_("Show disk encryption password.")
+
+LUKS_PASSWORD_HIDE_ICON = "anaconda-password-show-off"
+LUKS_PASSWORD_SHOW_ICON = "anaconda-password-show-on"
+
+# the number of seconds we consider a noticeable freeze of the UI
+NOTICEABLE_FREEZE = 0.1
+
+# all ASCII characters
+PW_ASCII_CHARS = string.digits + string.ascii_letters + string.punctuation + " "
+
+# Recognizing a tarfile
+TAR_SUFFIX = (".tar", ".tbz", ".tgz", ".txz", ".tar.bz2", "tar.gz", "tar.xz")
+
+# screenshots
+SCREENSHOTS_DIRECTORY = "/tmp/anaconda-screenshots"
+SCREENSHOTS_TARGET_DIRECTORY = "/root/anaconda-screenshots"
+
+# cmdline arguments that append instead of overwrite
+CMDLINE_APPEND = ["modprobe.blacklist", "ifname"]
+
+DEFAULT_AUTOPART_TYPE = AUTOPART_TYPE_LVM_THINP
+
+# Default to these units when reading user input when no units given
+SIZE_UNITS_DEFAULT = "MiB"
+
+# Constants for reporting status to IPMI.  These are from the IPMI spec v2 rev1.1, page 512.
+IPMI_STARTED = 0x7          # installation started
+IPMI_FINISHED = 0x8         # installation finished successfully
+IPMI_ABORTED = 0x9          # installation finished unsuccessfully, due to some non-exn error
+IPMI_FAILED = 0xA           # installation hit an exception
+
+
+# for how long (in seconds) we try to wait for enough entropy for LUKS
+# keep this a multiple of 60 (minutes)
+MAX_ENTROPY_WAIT = 10 * 60
+
+# X display number to use
+X_DISPLAY_NUMBER = 1
+
+# Payload status messages
+PAYLOAD_STATUS_PROBING_STORAGE = N_("Probing storage...")
+PAYLOAD_STATUS_PACKAGE_MD = N_("Downloading package metadata...")
+PAYLOAD_STATUS_GROUP_MD = N_("Downloading group metadata...")
+
+# Window title text
+WINDOW_TITLE_TEXT = N_("Anaconda Installer")
+
+# NTP server checking
+NTP_SERVER_OK = 0
+NTP_SERVER_NOK = 1
+NTP_SERVER_QUERY = 2