- put cryptsetup luks related files into separate file
authorElan Ruusamäe <glen@pld-linux.org>
Wed, 12 Nov 2008 23:41:47 +0000 (23:41 +0000)
committerElan Ruusamäe <glen@pld-linux.org>
Wed, 12 Nov 2008 23:41:47 +0000 (23:41 +0000)
svn-id: @9986

ChangeLog
Makefile
geninitrd
mod-luks.sh [new file with mode: 0644]

index 250218bd9075a6ab452597c4afa651a53d077348..c5838892ef3aaff1ed486c416bcf1b1a7891e577 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,22 @@
+2008-11-12 23:07 +0000 [r9984]  Elan Ruusamäe <glen/at/pld-linux.org>
+
+       * geninitrd: - cleanup: do not need LUKSNAME to pass around
+
+2008-11-12 21:24 +0000 [r9983]  Elan Ruusamäe <glen/at/pld-linux.org>
+
+       * geninitrd: - luks: add keyfile sypport - luks: process lukstab by
+         device name not LUKSNAME as these might not match - luks: load
+         aes and cbc modules
+
+2008-11-12 20:55 +0000 [r9982]  Elan Ruusamäe <glen/at/pld-linux.org>
+
+       * geninitrd: - move ramfs rootdev finding and mounting to
+         initrd_gen_initramfs_switchroot function
+
+2008-11-10 10:26 +0000 [r9981]  Paweł Sikora <pluto/at/pld-linux.org>
+
+       * geninitrd: - do not touch linux-vdso gate.
+
 2008-11-10 02:36 +0000 [r9979]  Elan Ruusamäe <glen/at/pld-linux.org>
 
        * geninitrd: - use /bin/cryptsetup on initrd
index 2378034373634803373cc5be9109a78af5a6d389..212823badfef8553daa7abe4fd0a96b4f723287d 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # when making release, make sure you do it as RELEASE document describes
 VERSION                := 9000.16
-FILES          := Makefile geninitrd.sysconfig geninitrd functions geninitrd.8 geninitrd.8.xml ChangeLog
+FILES          := Makefile geninitrd.sysconfig geninitrd functions mod-luks.sh geninitrd.8 geninitrd.8.xml ChangeLog
 prefix         := /usr
 mandir         := $(prefix)/share/man
 sbindir                := /sbin
@@ -14,6 +14,7 @@ install:
        install geninitrd $(DESTDIR)$(sbindir)/geninitrd
        install -m644 geninitrd.8 $(DESTDIR)$(mandir)/man8/geninitrd.8
        install -m644 functions $(DESTDIR)$(sysconfdir)/functions
+       install -m644 mod-luks.sh $(DESTDIR)$(sysconfdir)
        install -m644 geninitrd.sysconfig $(DESTDIR)$(sysconfigdir)/geninitrd
 
 geninitrd.8: geninitrd.8.xml
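Review bot: The new install line names only the destination directory, `install -m644 mod-luks.sh $(DESTDIR)$(sysconfdir)`, while the adjacent `functions` and `geninitrd.sysconfig` lines spell out the full target path; for consistency (and so a rename of the installed file is visible in one place) write `install -m644 mod-luks.sh $(DESTDIR)$(sysconfdir)/mod-luks.sh`. The geninitrd change in this commit sources the file from the literal path `/etc/geninitrd/mod-luks.sh`, whereas this recipe uses `$(sysconfdir)`, whose value is outside the hunk; a comment next to this line noting that the two must agree would help anyone overriding `sysconfdir`. The `install:` rule header itself lies outside the hunk.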
index aa1f38d1bbc730d20492236311cc98a2522a86d6..674c3bcde46ca1d5b8ae8c1f1c2c30bfd9a3d103 100755 (executable)
--- a/geninitrd
+++ b/geninitrd
@@ -73,9 +73,6 @@ ROOTVG=""
 # VG for suspend resume dev
 SUSPENDVG=""
 
-# device to use for name for cryptsetup luks
-LUKSDEV=""
-
 # resume device
 resume_dev=""
 
@@ -87,8 +84,6 @@ have_lvm=no
 have_md=no
 # if we should init dmraid at boot
 have_dmraid=no
-# if we should init cryptsetup luks at boot
-have_luks=no
 # if we should init dm-multipath at boot
 have_multipath=no
 # dm-multipath wwid which is used for rootfs
@@ -688,31 +683,6 @@ is_lvm_node() {
        return $rc
 }
 
-# return true if node is cryptsetup luks encrypted
-is_luks() {
-       local node="$1"
-       if [ ! -e "$node" ]; then
-               warn "is_luks(): node $node doesn't exist!"
-               return 1
-       fi
-
-       local dev dm_name=${node#/dev/mapper/}
-       if [ "$node" = "$dm_name" ]; then
-               debug "is_luks: $node is not device mapper name"
-               return 1
-       fi
-
-       dev=$(cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
-       cryptsetup isLuks $dev
-       rc=$?
-
-       if [ $rc = 0 ]; then
-               debug "is_luks: $node is cryptsetup luks"
-       else
-               debug "is_luks: $node is not cryptsetup luks"
-       fi
-       return $rc
-}
 
 # return dependencies MAJOR:MINOR [MAJOR:MINOR] for DM_NAME
 # TODO: patch `dmsetup export`
@@ -822,30 +792,6 @@ find_modules_dmraid() {
        return 0
 }
 
-# find modules for $devpath
-find_modules_luks() {
-       local devpath="$1"
-       local dev
-
-       local name=${devpath#/dev/mapper/}
-       LUKSDEV=$(cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
-       if [ -z "$LUKSDEV" ]; then
-               die "Lost cryptsetup device meanwhile?"
-       fi
-
-       findmodule "dm-crypt"
-
-       # TODO: autodetect
-       findmodule "aes"
-       findmodule "cbc"
-
-       have_luks=yes
-
-       # recurse
-       find_modules_for_devpath $LUKSDEV
-       return 0
-}
-
 # find modules for $devpath
 find_modules_for_devpath() {
        local devpath="$1"
@@ -1269,79 +1215,6 @@ initrd_gen_dmraid() {
        EOF
 }
 
-key_is_random() {
-       [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
-}
-
-# produce cryptsetup from $name from /etc/crypttab
-luks_crypttab() {
-       local LUKSDEV="$1"
-
-       # copy from /etc/rc.d/init.d/cryptsetup
-       local dst src key opt mode owner
-
-       while read dst src key opt; do
-               [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
-               [ "$src" != "$LUKSDEV" ] && continue
-
-               if [ -n "$key" -a "x$key" != "xnone" ]; then
-                       if test -e "$key" ; then
-                               mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
-                               owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
-                               if [ "$mode" != "------" ] && ! key_is_random "$key"; then
-                                       die "INSECURE MODE FOR $key"
-                               fi
-                               if [ "$owner" != root ]; then
-                                       die "INSECURE OWNER FOR $key"
-                               fi
-                       else
-                               die "Key file for $dst not found"
-                       fi
-               else
-                       key=""
-               fi
-
-               if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
-                       if key_is_random "$key"; then
-                               die "$dst: LUKS requires non-random key, skipping"
-                       fi
-                       if [ -n "$opt" ]; then
-                               warn "$dst: options are invalid for LUKS partitions, ignoring them"
-                       fi
-                       if [ "$key" ]; then
-                               keyfile=/etc/.$dst.key
-                               inst $key $keyfile
-                       fi
-
-                       debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
-                       add_linuxrc <<-EOF
-                       cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
-
-                       debugshell
-                       EOF
-               else
-                       die "$dst: only LUKS encryption supported"
-               fi
-       done < /etc/crypttab
-}
-
-initrd_gen_luks() {
-       if [ ! -x /sbin/cryptsetup-initrd ]; then
-               die "/sbin/cryptsetup-initrd is missing!"
-       fi
-
-       inst_d /bin
-       inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup
-
-       mount_dev
-       mount_sys
-       initrd_gen_devices
-       # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
-
-       debug "luks: process /etc/crypttab $LUKSDEV"
-       luks_crypttab $LUKSDEV
-}
-
 initrd_gen_bootsplash() {
        local target="$1"
 
@@ -1822,9 +1695,8 @@ if [ -x /sbin/dmraid-initrd ]; then
        USE_DMRAID=yes
 fi
 
-if [ -x /sbin/cryptsetup ]; then
-       USE_LUKS=yes
-fi
+# cryptsetup luks addon
+. /etc/geninitrd/mod-luks.sh
 
 if [ -x /sbin/multipath ]; then
        USE_MULTIPATH=yes
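Review bot: The addon is sourced unconditionally with `. /etc/geninitrd/mod-luks.sh`; if the file is absent (for example an install with a different `sysconfdir` than the hard-coded path, or an old install that predates this commit), a non-interactive POSIX sh aborts the whole script on the failed `.` with only the shell's own message. A readability check with the script's existing `die` helper gives a clear diagnosis: `[ -r /etc/geninitrd/mod-luks.sh ] || die "/etc/geninitrd/mod-luks.sh is missing!"` before the `.` line. Note also that the `USE_LUKS=yes` test moves into the addon, and `have_luks`, `LUKSDEV`, `is_luks` and `find_modules_luks` are now defined only when this line has run, so this `.` must stay ahead of any code that calls them; the comment on the line could say so, e.g. `# cryptsetup luks addon (defines is_luks, find_modules_luks, initrd_gen_luks; must be sourced before they are called)`.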
diff --git a/mod-luks.sh b/mod-luks.sh
new file mode 100644 (file)
index 0000000..a7d3b81
--- /dev/null
@@ -0,0 +1,147 @@
+#!/bin/sh
+#
+# geninitrd mod: cryptsetup luks
+
+# true if root device is crypted with cryptsetup luks
+# and we should init cryptsetup luks at boot
+have_luks=no
+
+if [ -x /sbin/cryptsetup ]; then
+       USE_LUKS=yes
+else
+       USE_LUKS=no
+fi
+
+# device to use for name for cryptsetup luks
+LUKSDEV=""
+
+# return true if node is cryptsetup luks encrypted
+# @param       string $node device node to be examined
+# @access      public
+is_luks() {
+       local node="$1"
+       if [ ! -e "$node" ]; then
+               warn "is_luks(): node $node doesn't exist!"
+               return 1
+       fi
+
+       local dev dm_name=${node#/dev/mapper/}
+       if [ "$node" = "$dm_name" ]; then
+               debug "is_luks: $node is not device mapper name"
+               return 1
+       fi
+
+       dev=$(cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
+       cryptsetup isLuks $dev
+       rc=$?
+
+       if [ $rc = 0 ]; then
+               debug "is_luks: $node is cryptsetup luks"
+       else
+               debug "is_luks: $node is not cryptsetup luks"
+       fi
+       return $rc
+}
+
+# find modules for $devpath
+# @param       $devpath        device to be examined
+# @access      public
+find_modules_luks() {
+       local devpath="$1"
+       local dev
+
+       local name=${devpath#/dev/mapper/}
+       LUKSDEV=$(cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
+       if [ -z "$LUKSDEV" ]; then
+               die "Lost cryptsetup device meanwhile?"
+       fi
+
+       findmodule "dm-crypt"
+
+       # TODO: autodetect
+       findmodule "aes"
+       findmodule "cbc"
+
+       have_luks=yes
+
+       # recurse
+       find_modules_for_devpath $LUKSDEV
+}
+
+
+# generate initrd fragment for cryptsetup luks init
+# @access      public
+initrd_gen_luks() {
+       if [ ! -x /sbin/cryptsetup-initrd ]; then
+               die "/sbin/cryptsetup-initrd is missing!"
+       fi
+
+       inst_d /bin
+       inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup
+
+       mount_dev
+       mount_sys
+       initrd_gen_devices
+       # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
+
+       debug "luks: process /etc/crypttab $LUKSDEV"
+       luks_crypttab $LUKSDEV
+}
+
+
+# PRIVATE METHODS
+key_is_random() {
+       [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
+}
+
+# produce cryptsetup from $name from /etc/crypttab
+luks_crypttab() {
+       local LUKSDEV="$1"
+
+       # copy from /etc/rc.d/init.d/cryptsetup
+       local dst src key opt mode owner
+
+       while read dst src key opt; do
+               [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
+               [ "$src" != "$LUKSDEV" ] && continue
+
+               if [ -n "$key" -a "x$key" != "xnone" ]; then
+                       if test -e "$key" ; then
+                               mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+                               owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
+                               if [ "$mode" != "------" ] && ! key_is_random "$key"; then
+                                       die "INSECURE MODE FOR $key"
+                               fi
+                               if [ "$owner" != root ]; then
+                                       die "INSECURE OWNER FOR $key"
+                               fi
+                       else
+                               die "Key file for $dst not found"
+                       fi
+               else
+                       key=""
+               fi
+
+               if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
+                       if key_is_random "$key"; then
+                               die "$dst: LUKS requires non-random key, skipping"
+                       fi
+                       if [ -n "$opt" ]; then
+                               warn "$dst: options are invalid for LUKS partitions, ignoring them"
+                       fi
+                       if [ "$key" ]; then
+                               keyfile=/etc/.$dst.key
+                               inst $key $keyfile
+                       fi
+
+                       debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
+                       add_linuxrc <<-EOF
+                       cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
+
+                       debugshell
+                       EOF
+               else
+                       die "$dst: only LUKS encryption supported"
+               fi
+       done < /etc/crypttab
+}