From 36ebeb2ed38df08d501e5587ccec364d8e6c9add Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 26 Sep 2023 10:26:28 +0000 Subject: [PATCH] /etc/rc.d/cerctl_init: New script for certctl rehash in live images. This is very limited -- it does not supplant postinstall to rehash certificates on upgrade; it only runs certctl rehash if /etc/openssl/certs is an empty directory, as you get in live images not created with sysinst. We could also have a more general-purpose way to run postinstall(8) on first boot of an image, but that has a lot more moving parts to think about, so let's start with this limited-scope low-risk approach.
---
 .../amd64/liveimage/emuimage/rc.conf.emuimage | 1 + .../liveimage/armimage/rc.conf.armimage | 1 + distrib/sets/lists/etc/mi | 1 + distrib/utils/embedded/conf/evbarm.conf | 1 + distrib/utils/embedded/conf/evbmips.conf | 1 + distrib/utils/embedded/conf/riscv.conf | 1 + distrib/utils/embedded/conf/usermode.conf | 1 + distrib/utils/embedded/conf/x86.conf | 1 + etc/rc.d/Makefile | 2 +- etc/rc.d/certctl_init | 45 +++++++++++++++++++ 10 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 etc/rc.d/certctl_init
diff --git a/distrib/amd64/liveimage/emuimage/rc.conf.emuimage b/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
index afeaa3d69fbc..502147d9ccd4 100644
--- a/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
+++ b/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
@@ -24,6 +24,7 @@ is_ec2() {
 	printf $val
 }
 
+certctl_init=YES
 resize_disklabel=YES
 resize_root=YES
 resize_root_flags="-p"
diff --git a/distrib/evbarm/liveimage/armimage/rc.conf.armimage b/distrib/evbarm/liveimage/armimage/rc.conf.armimage
index b8ecfca185cf..1a4e6fab79cf 100644
--- a/distrib/evbarm/liveimage/armimage/rc.conf.armimage
+++ b/distrib/evbarm/liveimage/armimage/rc.conf.armimage
@@ -23,6 +23,7 @@ is_ec2() {
 	printf $val
 }
 
+certctl_init=YES
 resize_gpt=YES
 resize_root=YES
 resize_root_flags="-p"
diff --git a/distrib/sets/lists/etc/mi b/distrib/sets/lists/etc/mi
index aaad540d043d..f5df35fa5521 100644
--- a/distrib/sets/lists/etc/mi
+++ b/distrib/sets/lists/etc/mi
@@ -204,6 +204,7 @@
 ./etc/rc.d/bthcid	etc-obsolete	obsolete
 ./etc/rc.d/btuartd	etc-obsolete	obsolete
 ./etc/rc.d/ccd	etc-sys-rc
+./etc/rc.d/certctl_init	etc-sys-rc
 ./etc/rc.d/cgd	etc-sys-rc
 ./etc/rc.d/clearcritlocal	etc-sys-rc
 ./etc/rc.d/cleartmp	etc-sys-rc
diff --git a/distrib/utils/embedded/conf/evbarm.conf b/distrib/utils/embedded/conf/evbarm.conf
index affd8d0f1f14..2ed4100d5ede 100644
--- a/distrib/utils/embedded/conf/evbarm.conf
+++ b/distrib/utils/embedded/conf/evbarm.conf
@@ -173,6 +173,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 
 if $resize; then
diff --git a/distrib/utils/embedded/conf/evbmips.conf b/distrib/utils/embedded/conf/evbmips.conf
index 21c1c2f35cb1..ec1d0f946731 100644
--- a/distrib/utils/embedded/conf/evbmips.conf
+++ b/distrib/utils/embedded/conf/evbmips.conf
@@ -155,6 +155,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 
 if $resize; then
diff --git a/distrib/utils/embedded/conf/riscv.conf b/distrib/utils/embedded/conf/riscv.conf
index 32e063ba5684..9430ffe06e75 100644
--- a/distrib/utils/embedded/conf/riscv.conf
+++ b/distrib/utils/embedded/conf/riscv.conf
@@ -122,6 +122,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 
 if $resize; then
diff --git a/distrib/utils/embedded/conf/usermode.conf b/distrib/utils/embedded/conf/usermode.conf
index 9cfdab40fd42..231ea063e459 100644
--- a/distrib/utils/embedded/conf/usermode.conf
+++ b/distrib/utils/embedded/conf/usermode.conf
@@ -40,6 +40,7 @@ critical_filesystems_local="/var.cow /var /etc.cow /etc /root.cow /root"
 #
 dhcpcd=YES
 sshd=YES
+certctl_init=YES
 EOF
 
 echo "${bar} making extra directories ${bar}"
diff --git a/distrib/utils/embedded/conf/x86.conf b/distrib/utils/embedded/conf/x86.conf
index aa3b0bae36ed..5a3b0bbb19c5 100644
--- a/distrib/utils/embedded/conf/x86.conf
+++ b/distrib/utils/embedded/conf/x86.conf
@@ -111,6 +111,7 @@ sshd=YES
 dhcpcd=YES
 wscons=YES
 devpubd=YES
+certctl_init=YES
 EOF
 echo "./etc/rc.conf type=file uname=root gname=wheel mode=0644" \
 	>> "$tmp/selected_sets"
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 1fd48709fe31..d6e1ec29ce42 100755
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -17,7 +17,7 @@ CONFIGFILES=\
 	CRITLOCALMOUNTED DAEMON DISKS LOGIN NETWORKING SERVERS \
 	accounting altqd amd apmd automount automountd autounmountd \
 	bluetooth bootconf.sh bootparams \
-	ccd cgd clearcritlocal cleartmp cron \
+	ccd certctl_init cgd clearcritlocal cleartmp cron \
 	devpubd dhcpcd dhcpd dhcpd6 dhcrelay dmesg \
 	downinterfaces \
 	entropy envsys \
diff --git a/etc/rc.d/certctl_init b/etc/rc.d/certctl_init
new file mode 100644
index 000000000000..ddfb1912c20b
--- /dev/null
+++ b/etc/rc.d/certctl_init
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# $NetBSD$
+#
+# PROVIDE: certctl_init
+# REQUIRE: CRITLOCALMOUNTED
+#
+# This script ensures that we run `certctl rehash' on first boot of a
+# live image to configure TLS trust anchors for OpenSSL in
+# /etc/openssl/certs. We do this only on first boot by testing whether
+# /etc/openssl/certs is an empty directory.
+#
+# This is a stop-gap measure to ensure we get TLS trust anchors with
+# live images, which we can't prepare at build time because the
+# preparation requires running openssl(1) as a tool. This stop-gap
+# measure should perhaps be replaced by a more general-purpose way to
+# run postinstall on first boot of the image, but that's a riskier
+# proposition to implement on short notice for netbsd-10.
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="certctl_init"
+rcvar=${name}
+start_cmd="certctl_init"
+stop_cmd=":"
+
+certctl_init()
+{
+	local certsdir
+
+	certsdir=/etc/openssl/certs
+
+	# If /etc/openssl/certs is a symlink, or exists but is not a
+	# directory, or is a directory but is nonempty, then we're not
+	# in the first boot's initial configuration. So do nothing.
+	[ -h "$certsdir" ] ||
+	[ -e "$certsdir" -a ! -d "$certsdir" ] ||
+	([ -d "$certsdir" ] &&
+	find -f "$certsdir" -- \
+		-maxdepth 0 -type d -empty -exit 1) ||
+	certctl rehash
+}
+
+load_rc_config $name
+run_rc_command "$1"
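Review bot: The first-boot test at `find -f "$certsdir" -- -maxdepth 0 -type d -empty -exit 1` keys on emptiness alone, so it cannot tell a pristine live image from a system whose administrator has deliberately emptied the trust store, and as long as certctl_init=YES remains in rc.conf such a system gets the default trust anchors reinstalled on every boot. If certctl(8) honours a manually-managed marker in /etc/openssl/certs.conf, as its documentation appears to describe, `certctl rehash` will either refuse (surfacing as a start failure on every boot) or proceed regardless; in both cases the script should probably consult that configuration itself before calling rehash, which is worth confirming against certctl before netbsd-10 ships. A rehash that fails part-way also leaves a non-empty directory behind and is never retried, so a diagnostic such as `echo "${name}: populating ${certsdir} with default trust anchors"` immediately before the call would at least record in the boot log that this path was taken. As a point of style, `{ [ -e "$certsdir" ] && [ ! -d "$certsdir" ]; }` avoids the obsolescent `-a` test operator while the braces keep the chain's left-to-right grouping unchanged.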