find_module "dm-crypt"
# TODO: autodetect
- find_module "aes"
- find_module "cbc"
+ find_module "-aes"
+ find_module "-cbc"
+ find_module "-cbc(aes)"
+ find_module "-xts(aes)"
find_module "-af-alg"
find_module "-algif_hash"
find_module "-algif_skcipher"
local LUKSNAME="$1"
# copy from /etc/rc.d/init.d/cryptsetup
- local dst src key opt mode owner
+ local dst src key opt mode owner failsafe token libdir cryptdir
while read dst src key opt; do
[ "$dst" != "$LUKSNAME" ] && continue
- if [ -n "$key" -a "x$key" != "xnone" ]; then
- if test -e "$key" ; then
- mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
- owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
- if [ "$mode" != "------" ] && ! key_is_random "$key"; then
- die "INSECURE MODE FOR $key"
- fi
- if [ "$owner" != root ]; then
- die "INSECURE OWNER FOR $key"
- fi
- else
- die "Key file for $dst not found"
+ failsafe=""
+
+ if [ -z "$key" ] || [ "x$key" = "xnone" ] || [ "x$key" = "x-" ]; then
+ failsafe=1
+ key="/etc/cryptsetup-keys.d/$LUKSNAME.key"
+ fi
+
+ if test -e "$key" ; then
+ mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+ owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
+ if [ "$mode" != "------" ] && ! key_is_random "$key"; then
+ die "INSECURE MODE FOR $key"
fi
- else
+ if [ "$owner" != root ]; then
+ die "INSECURE OWNER FOR $key"
+ fi
+ elif [ -n "$failsafe" ]; then
key=""
+ else
+ die "Key file for $dst not found"
fi
src=$(find_devname "$src")
keyfile=/etc/.$dst.key
inst $key $keyfile
fi
+ for libdir in $(get_libdir /usr/LIBDIR); do
+ if [ -d $libdir/cryptsetup ]; then
+ cryptdir=$libdir/cryptsetup
+ break
+ fi
+ done
+ if ! is_no "$USE_LUKS_TOKEN" && [ -n "$cryptdir" ]; then
+ for token in $(/sbin/cryptsetup luksDump $src | sed -n -e '/^Tokens:/,/^[^[:space:]]/ { /^[[:space:]]*[[:digit:]]*:/ { s/^[[:space:]]*[[:digit:]]*:[[:space:]]*// p } }'); do
+ verbose "Found cryptsetup token: $token"
+ case "$token" in
+ systemd-fido2)
+ inst_d $cryptdir
+ inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+ inst_exec $libdir/libfido2.so.1 $libdir
+ ;;
+ systemd-tpm2)
+ inst_d $cryptdir
+ inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+ inst_exec $libdir/libtss2-esys.so.0 $libdir/libtss2-rc.so.0 $libdir/libtss2-mu.so.0 $libdir
+ ;;
+ *)
+ inst_d $cryptdir
+ inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+ ;;
+ esac
+ done
+ fi
crypttab_opt=""
old_IFS="$IFS"
done
IFS="$old_IFS"
- verbose "+ cryptsetup --timeout=120 ${keyfile:+-d $keyfile} open $crypttab_opt '$src' '$dst'"
+ verbose "+ cryptsetup ${keyfile:+-d $keyfile} open $crypttab_opt '$src' '$dst'"
add_linuxrc <<-EOF
debugshell
crypt_status=\$(cryptsetup \$cryptsetup_opt status '$dst')
if [ "\${crypt_status%%is inactive*}" != "\$crypt_status" ]; then
# is inactive
- cryptsetup \$cryptsetup_opt ${keyfile:+-d $keyfile} --timeout 120 open $crypttab_opt "\$luksdev" '$dst' <&1
+ cryptsetup \$cryptsetup_opt ${keyfile:+-d $keyfile} open $crypttab_opt "\$luksdev" '$dst' <&1
fi
fi