luks: initial support for luks2 tokens
index ff877f779c21e269061fd55658ab70c4a4cf5ee5..468489afbb3c6d67bcefd941c34200b22b7b3bb2 100644 (file)
@@ -65,8 +65,10 @@ find_modules_luks() {
        find_module "dm-crypt"
 
        # TODO: autodetect
-       find_module "aes"
-       find_module "cbc"
+       find_module "-aes"
+       find_module "-cbc"
+       find_module "-cbc(aes)"
+       find_module "-xts(aes)"
        find_module "-af-alg"
        find_module "-algif_hash"
        find_module "-algif_skcipher"
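Review bot: The cipher modules are still a hard-coded guess behind the `# TODO: autodetect` comment, while the second part of this same commit already parses `cryptsetup luksDump` output for tokens; the dump's `Cipher:` line could be read the same way to pick the right `cbc(aes)`/`xts(aes)` entries instead of adding every candidate. The leading `-` is presumably find_module's "optional" marker — worth confirming that it also accepts the parenthesized template names added on the `-cbc(aes)` and `-xts(aes)` lines, since those are crypto API template names rather than module file names. The rest of find_modules_luks lies outside the hunk.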
@@ -115,26 +117,31 @@ luks_crypttab() {
        local LUKSNAME="$1"
 
        # copy from /etc/rc.d/init.d/cryptsetup
-       local dst src key opt mode owner
+       local dst src key opt mode owner failsafe token libdir cryptdir
 
        while read dst src key opt; do
                [ "$dst" != "$LUKSNAME" ] && continue
 
-               if [ -n "$key" -a "x$key" != "xnone" ]; then
-                       if test -e "$key" ; then
-                               mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
-                               owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
-                               if [ "$mode" != "------" ] && ! key_is_random "$key"; then
-                                       die "INSECURE MODE FOR $key"
-                               fi
-                               if [ "$owner" != root ]; then
-                                       die "INSECURE OWNER FOR $key"
-                               fi
-                       else
-                               die "Key file for $dst not found"
+               failsafe=""
+
+               if [ -z "$key" ] || [ "x$key" = "xnone" ] || [ "x$key" = "x-" ]; then
+                       failsafe=1
+                       key="/etc/cryptsetup-keys.d/$LUKSNAME.key"
+               fi
+
+               if test -e "$key" ; then
+                       mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+                       owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
+                       if [ "$mode" != "------" ] && ! key_is_random "$key"; then
+                               die "INSECURE MODE FOR $key"
                        fi
-               else
+                       if [ "$owner" != root ]; then
+                               die "INSECURE OWNER FOR $key"
+                       fi
+               elif [ -n "$failsafe" ]; then
                        key=""
+               else
+                       die "Key file for $dst not found"
                fi
 
                src=$(find_devname "$src")
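Review bot: The owner check reuses the unquoted `ls -l $key` on the line after the mode check, so a key path containing whitespace or glob characters breaks the security check that follows; it should be `owner=$(LC_ALL=C ls -l "$key" | awk '{ print $3 }')` like the mode line above it. The new failsafe branch is fine in that an implicit `/etc/cryptsetup-keys.d/$LUKSNAME.key` is only used when it exists and is then subjected to the same mode/owner checks, but that fallback is not mentioned anywhere; a comment such as `# crypttab key "none"/"-"/empty: use /etc/cryptsetup-keys.d/<name>.key if present, else prompt` above the `failsafe=""` line would record it. luks_crypttab continues outside this hunk.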
@@ -146,6 +153,33 @@ luks_crypttab() {
                                keyfile=/etc/.$dst.key
                                inst $key $keyfile
                        fi
+                       for libdir in $(get_libdir /usr/LIBDIR); do
+                               if [ -d $libdir/cryptsetup ]; then
+                                       cryptdir=$libdir/cryptsetup
+                                       break
+                               fi
+                       done
+                       if ! is_no "$USE_LUKS_TOKEN" && [ -n "$cryptdir" ]; then
+                               for token in $(/sbin/cryptsetup luksDump $src | sed -n -e '/^Tokens:/,/^[^[:space:]]/ { /^[[:space:]]*[[:digit:]]*:/ { s/^[[:space:]]*[[:digit:]]*:[[:space:]]*// p } }'); do
+                                       verbose "Found cryptsetup token: $token"
+                                       case "$token" in
+                                               systemd-fido2)
+                                                       inst_d $cryptdir
+                                                       inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+                                                       inst_exec $libdir/libfido2.so.1 $libdir
+                                                       ;;
+                                               systemd-tpm2)
+                                                       inst_d $cryptdir
+                                                       inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+                                                       inst_exec $libdir/libtss2-esys.so.0 $libdir/libtss2-rc.so.0 $libdir/libtss2-mu.so.0 $libdir
+                                                       ;;
+                                               *)
+                                                       inst_d $cryptdir
+                                                       inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+                                                       ;;
+                                       esac
+                               done
+                       fi
 
                        crypttab_opt=""
                        old_IFS="$IFS"
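Review bot: The `*)` arm of the case assumes every token type listed by luksDump ships as an external plugin, but built-in LUKS2 token types (for example `luks2-keyring`) have no `libcryptsetup-token-<name>.so`, so `inst_exec` is pointed at a non-existent file for them; whether that aborts the build or is silently ignored depends on inst_exec, which is outside the hunk. Checking for the plugin once and skipping absent ones removes that failure and also the `inst_d`/`inst_exec` duplication across the three arms (needs `plugin` added to the `local` list at the top of the function). For `systemd-tpm2`, libtss2-esys loads a TCTI module at run time (typically `libtss2-tcti-device.so.0`), so the three listed tss2 libraries are probably not sufficient on their own — presumably verify this on a real TPM unlock. `$src` in the luksDump command substitution is also unquoted.
```shell
				for token in $(/sbin/cryptsetup luksDump "$src" | sed -n -e '…'); do   # sed expression unchanged
					verbose "Found cryptsetup token: $token"
					plugin=$cryptdir/libcryptsetup-token-$token.so
					if [ ! -e "$plugin" ]; then
						# built-in token types (e.g. luks2-keyring) have no external plugin
						verbose "No plugin for token $token, skipping"
						continue
					fi
					inst_d $cryptdir
					inst_exec $plugin $cryptdir
					case "$token" in
					systemd-fido2)
						inst_exec $libdir/libfido2.so.1 $libdir
						;;
					systemd-tpm2)
						inst_exec $libdir/libtss2-esys.so.0 $libdir/libtss2-rc.so.0 $libdir/libtss2-mu.so.0 $libdir
						;;
					esac
				done
```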
@@ -162,7 +196,7 @@ luks_crypttab() {
                        done
                        IFS="$old_IFS"
 
-                       verbose "+ cryptsetup --timeout=120 ${keyfile:+-d $keyfile} open $crypttab_opt '$src' '$dst'"
+                       verbose "+ cryptsetup ${keyfile:+-d $keyfile} open $crypttab_opt '$src' '$dst'"
                        add_linuxrc <<-EOF
                        debugshell
 
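Review bot: Dropping `--timeout=120` here (and `--timeout 120` from the real invocation in the next hunk) is a behavioural change that the commit title does not mention: an unattended boot whose token unlock fails will now wait at the passphrase prompt indefinitely instead of giving up after two minutes. If that is intended so a TPM/FIDO2 unlock is not cut short, a short comment next to the cryptsetup open line, such as `# no --timeout: token-based unlock may legitimately take longer than a passphrase prompt`, would keep the next maintainer from restoring it. The `add_linuxrc` here-document opened on the last lines of this hunk ends outside it.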
@@ -189,7 +223,7 @@ luks_crypttab() {
                                crypt_status=\$(cryptsetup \$cryptsetup_opt status '$dst')
                                if [ "\${crypt_status%%is inactive*}" != "\$crypt_status" ]; then
                                        # is inactive
-                                       cryptsetup \$cryptsetup_opt ${keyfile:+-d $keyfile} --timeout 120 open $crypttab_opt "\$luksdev" '$dst' <&1
+                                       cryptsetup \$cryptsetup_opt ${keyfile:+-d $keyfile} open $crypttab_opt "\$luksdev" '$dst' <&1
                                fi
                        fi
 