[packages/cryptsetup-luks.git] / cryptsetup-luks-initramfs-root-hook

#!/bin/sh

PREREQ=""

prereqs()
{
	echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /usr/share/initramfs-tools/hook-functions

get_root_device() {
	local device mount type options dump pass

	if [ ! -r /etc/fstab ]; then
		return 1
	fi

	grep '^[^#]' /etc/fstab | \
	while read device mount type options dump pass; do
		if [ "$mount" = "/" ]; then
			echo "$device"
			return
		fi
	done
}

get_resume_devices() {
	local device opt count dupe candidates devices
	candidates=""

	# First, get a list of potential resume devices

	# uswsusp
	if [ -e /etc/uswsusp.conf ]; then
		device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf)
		if [ -n "$device" ]; then
			candidates="$candidates $device"
		fi
	fi

	# uswsusp - again...
	if [ -e /etc/suspend.conf ]; then
		device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf)
		if [ -n "$device" ]; then
			candidates="$candidates $device"
		fi
	fi

	# regular swsusp
	for opt in $(cat /proc/cmdline); do
		case $opt in
		resume=*)
			device="${opt#resume=}"
			candidates="$candidates $device"
			;;
		esac
	done

	# initramfs-tools
	if [ -e /etc/initramfs-tools/conf.d/resume ]; then
		device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume)
		if [ -n "$device" ]; then
			candidates="$candidates $device"
		fi
	fi

	# Now check the sanity of all candidates
	devices=""
	count=0
	for device in $candidates; do
		# Weed out clever defaults
		if [ "$device" = "<path_to_resume_device_file>" ]; then
			continue
		fi

		# Weed out duplicates
		dupe=0
		for opt in $devices; do
			if [ "$device" = "$opt" ]; then
				dupe=1
			fi
		done
		if [ $dupe -eq 1 ]; then
			continue
		fi

		# This device seems ok
		devices="$devices $device"
		count=$(( $count + 1 ))
	done

	if [ $count -gt 1 ]; then
		echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2
		for device in $devices; do
			echo "                     $device" >&2
		done
	fi

	if [ $count -gt 0 ]; then
		echo $devices
	fi

	return 0
}

node_is_in_crypttab() {
	local node
	node="$1"

	grep -q ^$node /etc/crypttab
	return $?
}

get_lvm_deps() {
	local node deps maj min depnode
	node="$1"

	if [ -z $node ]; then
		echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2
		return 1
	fi

	if ! deps=$(dmsetup deps "$node" 2> /dev/null | sed 's/[^:]*: *//;s/[ (]//g;s/)/ /g'); then
		echo "cryptsetup: WARNING: failed to find deps for $node" >&2
		return 1
	fi

	# We should now have a list of major,minor pairs, e.g. "3,2 3,3"
	for dep in $deps; do
		maj=${dep%,*}
		min=${dep#*,}
		depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p" | sed -e "s/[ \t]*$//")
		if [ -z "$depnode" ]; then
			continue
		fi
		if [ "$(dmsetup table "$depnode" 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then
			get_lvm_deps "$depnode"
			continue
		fi
		echo "$depnode"
	done

	return 0
}

get_device_opts() {
	local target source link extraopts rootopts opt
	target="$1"
	extraopts="$2"
	KEYSCRIPT=""
	OPTIONS=""

	if [ -z "$target" ]; then
		echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
		return 1
	fi

	opt=$( grep ^$target /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' )
	source=$( echo $opt | cut -d " " -f2 )
	key=$( echo $opt | cut -d " " -f3 )
	rootopts=$( echo $opt | cut -d " " -f4- )

	if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then
		echo "cryptsetup: WARNING: invalid line in /etc/crypttab - $opt" >&2
		return 1
	fi

	# Sanity checks for $source
	if [ -h "$source" ]; then
		link=$(readlink -nqe "$source")
		if [ -z "$link" ]; then
			echo "cryptsetup: WARNING: $source is a dangling symlink" >&2
			return 1
		fi

		if [ "$link" != "${link#/dev/mapper/}" ]; then
			echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2
			source="$link"
		fi
	fi

	# Sanity checks for $key
	if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then
		echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2
		return 1
	fi

	if [ -n "$extraopts" ]; then
		rootopts="$extraopts,$rootopts"
	fi

	# We have all the basic options, let's go trough them
	OPTIONS="target=$target,source=$source,key=$key"
	local IFS=", "
	unset HASH_FOUND
	unset LUKS_FOUND
	for opt in $rootopts; do
		case $opt in
			cipher=*)
				OPTIONS="$OPTIONS,$opt"
				;;
			hash=*)
				OPTIONS="$OPTIONS,$opt"
				HASH_FOUND=1
				;;
			size=*)
				OPTIONS="$OPTIONS,$opt"
				;;
			lvm=*)
				OPTIONS="$OPTIONS,$opt"
				;;
			keyscript=*)
				opt=${opt#keyscript=}
				if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then
					echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2
					return 1
				fi
				KEYSCRIPT="$opt"
				OPTIONS="$OPTIONS,keyscript=/keyscripts/$(basename "$opt")"
				;;
			tries=*)
				OPTIONS="$OPTIONS,$opt"
				;;
			luks)
				LUKS_FOUND=1
				;;
			*)
				# Presumably a non-supported option
				;;
		esac
	done

	# Warn for missing hash option, unless we have a LUKS partition
	if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
		echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2
		echo "         If this is wrong, this initramfs image will not boot." >&2
		echo "         Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
		echo "         the correct hash option to your /etc/crypttab."  >&2
	fi

	# If keyscript is set, the "key" is just an argument to the script
	if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
		echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
		return 1
	fi
}

get_device_modules() {
	local node value cipher blockcipher ivhash
	node="$1"

	# Check the ciphers used by the active root mapping
	value=$(dmsetup table "$node" | cut -d " " -f4)
	cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1)
	blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2)
	ivhash=$(echo "$value" | cut -d ":" -s -f2)

	if [ -n "$cipher" ]; then
		echo "$cipher"
	else
		return 1
	fi

	if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then
		echo "$blockcipher"
	fi

	if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then
		echo "$ivhash"
	fi
	return 0
}

canonical_device() {
	local dev altdev
	dev="$1"

	altdev="${dev#LABEL=}"
	if [ "$altdev" != "$dev" ]; then
		dev="/dev/disk/by-label/$altdev"
	fi

	altdev="${dev#UUID=}"
	if [ "$altdev" != "$dev" ]; then
		dev="/dev/disk/by-uuid/$altdev"
	fi

	if [ -h "$dev" ]; then
		dev=$(readlink -e "$dev")
	fi

	altdev="${dev#/dev/mapper/}"
	if [ "$altdev" != "$dev" ]; then
		echo "$altdev"
		return 0
	fi

	return 1
}

add_device() {
	local node nodes opts lastopts i count
	nodes="$1"
	opts=""     # Applied to all nodes
	lastopts="" # Applied to last node

	if [ -z "$nodes" ]; then
		return 0
	fi

	# Check that it is a node under /dev/mapper/
	nodes=$(canonical_device "$nodes") || return 0

	# Can we find this node in crypttab
	if ! node_is_in_crypttab "$nodes"; then
		# dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes?
		lvmnodes=$(get_lvm_deps "$nodes") || return 1

		# not backed by any dm-crypt nodes; stop here
		if [ -z "$lvmnodes" ]; then
		    return 0
		fi

		# It is a lvm device!
		lastopts="lvm=$nodes"
		nodes="$lvmnodes"
	fi

	# Prepare to setup each node
	count=$(echo "$nodes" | wc -w)
	i=1
	for node in $nodes; do
		# Prepare the additional options
		if [ $i -eq $count ]; then
			if [ -z "$opts" ]; then
				opts="$lastopts"
			else
				opts="$opts,$lastopts"
			fi
		fi

		# Get crypttab root options
		if ! get_device_opts "$node" "$opts"; then
			continue
		fi
		echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot"

		# If we have a keyscript, make sure it is included
		if [ -n "$KEYSCRIPT" ]; then
			if [ ! -d "$DESTDIR/keyscripts" ]; then
				mkdir "$DESTDIR/keyscripts"
			fi

			if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then
				copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /keyscripts
			elif [ -e "$KEYSCRIPT" ]; then
				copy_exec "$KEYSCRIPT" /keyscripts
			else
				echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2
				continue
			fi
		fi

		# Calculate needed modules
		modules=$(get_device_modules $node | sort | uniq)
		if [ -z "$modules" ]; then
			echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2
			continue
		fi
		echo dm_mod
		echo dm_crypt
		echo "$modules"

		i=$(( $i + 1 ))
	done

	return 0
}

add_crypto_modules() {
	local mod file altmod found genericfound
	mod="$1"
	found=""
	genericfound=""

	if [ -z "$mod" ]; then
		return 1
	fi

	# We have several potential sources of modules (in order of preference):
	#
	#   a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
	#   b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
	#   c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
	#
	# and (currently ignored):
	#
	#   d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko

	for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko"); do
		altmod="${file##*/}"
		altmod="${altmod%.ko}"
		manual_add_modules "$altmod"
		found="yes"
	done

	for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do
		altmod="${file##*/}"
		altmod="${altmod%.ko}"
		manual_add_modules "$altmod"
		found="yes"
		genericfound="yes"
	done

	if [ -z "$genericfound" ]; then
		for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko"); do
			altmod="${file##*/}"
			altmod="${altmod%.ko}"
			manual_add_modules "$altmod"
			found="yes"
		done
	fi

	if [ -z "$found" ]; then
		return 1
	fi

	return 0
}

#
# Begin real processing
#

setup="no"
rootdev=""
resumedevs=""

# Find the root and resume device(s)
if [ -r /etc/crypttab ]; then
	rootdev=$(get_root_device)
	if [ -z "$rootdev" ]; then
		echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
	fi
	resumedevs=$(get_resume_devices)
fi

# Load the config opts and modules for each device
for dev in $rootdev $resumedevs; do
	if ! modules=$(add_device "$dev"); then
		echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2
		continue
	fi

	setup="yes"
	for mod in $modules; do
		add_crypto_modules $mod
	done
done

# With large initramfs, we always add a basic subset of modules
if [ "$MODULES" != "dep" ]; then
	for mod in aes sha256 cbc; do
		add_crypto_modules $mod
	done
fi

# See if we need to add the basic components
if [ "$MODULES" != "dep" ] || [ "$setup" = "yes" ]; then
	for mod in dm_mod dm_crypt; do
		manual_add_modules $mod
	done

	copy_exec /sbin/cryptsetup
	copy_exec /sbin/dmsetup
#	copy_exec /lib/cryptsetup/askpass
fi

exit 0
Commit	Line	Data
b32f9594 JR	1	#!/bin/sh
	2
	3	PREREQ=""
	4
	5	prereqs()
	6	{
	7	echo "$PREREQ"
	8	}
	9
	10	case $1 in
	11	prereqs)
	12	prereqs
	13	exit 0
	14	;;
	15	esac
	16
	17	. /usr/share/initramfs-tools/hook-functions
	18
	19	get_root_device() {
	20	local device mount type options dump pass
	21
	22	if [ ! -r /etc/fstab ]; then
	23	return 1
	24	fi
	25
	26	grep '^[^#]' /etc/fstab \| \
	27	while read device mount type options dump pass; do
	28	if [ "$mount" = "/" ]; then
	29	echo "$device"
	30	return
	31	fi
	32	done
	33	}
	34
	35	get_resume_devices() {
	36	local device opt count dupe candidates devices
	37	candidates=""
	38
	39	# First, get a list of potential resume devices
	40
	41	# uswsusp
	42	if [ -e /etc/uswsusp.conf ]; then
	43	device=$(sed -rn 's/^resume device[[:space:]][:=][[:space:]]// p' /etc/uswsusp.conf)
	44	if [ -n "$device" ]; then
	45	candidates="$candidates $device"
	46	fi
	47	fi
	48
	49	# uswsusp - again...
	50	if [ -e /etc/suspend.conf ]; then
	51	device=$(sed -rn 's/^resume device[[:space:]][:=][[:space:]]// p' /etc/suspend.conf)
	52	if [ -n "$device" ]; then
	53	candidates="$candidates $device"
	54	fi
	55	fi
	56
	57	# regular swsusp
	58	for opt in $(cat /proc/cmdline); do
	59	case $opt in
	60	resume=*)
	61	device="${opt#resume=}"
	62	candidates="$candidates $device"
	63	;;
	64	esac
65	done
66
67	# initramfs-tools
68	if [ -e /etc/initramfs-tools/conf.d/resume ]; then
69	device=$(sed -rn 's/^RESUME[[:space:]]=[[:space:]]// p' /etc/initramfs-tools/conf.d/resume)
70	if [ -n "$device" ]; then
71	candidates="$candidates $device"
72	fi
73	fi
74
75	# Now check the sanity of all candidates
76	devices=""
77	count=0
78	for device in $candidates; do
79	# Weed out clever defaults
80	if [ "$device" = "<path_to_resume_device_file>" ]; then
81	continue
82	fi
83
84	# Weed out duplicates
85	dupe=0
86	for opt in $devices; do
87	if [ "$device" = "$opt" ]; then
88	dupe=1
89	fi
90	done
91	if [ $dupe -eq 1 ]; then
92	continue
93	fi
94
95	# This device seems ok
96	devices="$devices $device"
97	count=$(( $count + 1 ))
98	done
99
100	if [ $count -gt 1 ]; then
101	echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2
102	for device in $devices; do
103	echo " $device" >&2
104	done
105	fi
106
107	if [ $count -gt 0 ]; then
108	echo $devices
109	fi
110
111	return 0
112	}
113
114	node_is_in_crypttab() {
115	local node
116	node="$1"
117
118	grep -q ^$node /etc/crypttab
119	return $?
120	}
121
122	get_lvm_deps() {
123	local node deps maj min depnode
124	node="$1"
125
126	if [ -z $node ]; then
127	echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2
128	return 1
129	fi
130
131	if ! deps=$(dmsetup deps "$node" 2> /dev/null \| sed 's/[^:]: //;s/[ (]//g;s/)/ /g'); then
132	echo "cryptsetup: WARNING: failed to find deps for $node" >&2
133	return 1
134	fi
135
136	# We should now have a list of major,minor pairs, e.g. "3,2 3,3"
137	for dep in $deps; do
138	maj=${dep%,*}
139	min=${dep#*,}
140	depnode=$(dmsetup ls \| sed -n "s/\\([^ ]\\) ($maj, $min)/\\1/p" \| sed -e "s/[ \t]*$//")
141	if [ -z "$depnode" ]; then
142	continue
143	fi
144	if [ "$(dmsetup table "$depnode" 2> /dev/null \| cut -d' ' -f3)" != "crypt" ]; then
145	get_lvm_deps "$depnode"
146	continue
147	fi
148	echo "$depnode"
149	done
150
151	return 0
152	}
153
154	get_device_opts() {
155	local target source link extraopts rootopts opt
156	target="$1"
157	extraopts="$2"
158	KEYSCRIPT=""
159	OPTIONS=""
160
161	if [ -z "$target" ]; then
162	echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
163	return 1
164	fi
165
166	opt=$( grep ^$target /etc/crypttab \| head -1 \| sed 's/[[:space:]]\+/ /g' )
167	source=$( echo $opt \| cut -d " " -f2 )
168	key=$( echo $opt \| cut -d " " -f3 )
169	rootopts=$( echo $opt \| cut -d " " -f4- )
170
171	if [ -z "$opt" ] \|\| [ -z "$source" ] \|\| [ -z "$key" ] \|\| [ -z "$rootopts" ]; then
172	echo "cryptsetup: WARNING: invalid line in /etc/crypttab - $opt" >&2
173	return 1
174	fi
175
176	# Sanity checks for $source
177	if [ -h "$source" ]; then
178	link=$(readlink -nqe "$source")
179	if [ -z "$link" ]; then
180	echo "cryptsetup: WARNING: $source is a dangling symlink" >&2
181	return 1
182	fi
183
184	if [ "$link" != "${link#/dev/mapper/}" ]; then
185	echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2
186	source="$link"
187	fi
188	fi
189
190	# Sanity checks for $key
191	if [ "$key" = "/dev/random" ] \|\| [ "$key" = "/dev/urandom" ]; then
192	echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2
193	return 1
194	fi
195
196	if [ -n "$extraopts" ]; then
197	rootopts="$extraopts,$rootopts"
198	fi
199
200	# We have all the basic options, let's go trough them
201	OPTIONS="target=$target,source=$source,key=$key"
202	local IFS=", "
203	unset HASH_FOUND
204	unset LUKS_FOUND
205	for opt in $rootopts; do
206	case $opt in
207	cipher=*)
208	OPTIONS="$OPTIONS,$opt"
209	;;
210	hash=*)
211	OPTIONS="$OPTIONS,$opt"
212	HASH_FOUND=1
213	;;
214	size=*)
215	OPTIONS="$OPTIONS,$opt"
216	;;
217	lvm=*)
218	OPTIONS="$OPTIONS,$opt"
219	;;
220	keyscript=*)
221	opt=${opt#keyscript=}
222	if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then
223	echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2
224	return 1
225	fi
226	KEYSCRIPT="$opt"
227	OPTIONS="$OPTIONS,keyscript=/keyscripts/$(basename "$opt")"
228	;;
229	tries=*)
230	OPTIONS="$OPTIONS,$opt"
231	;;
232	luks)
233	LUKS_FOUND=1
234	;;
235	*)
236	# Presumably a non-supported option
237	;;
238	esac
239	done
240
241	# Warn for missing hash option, unless we have a LUKS partition
242	if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
243	echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2
244	echo " If this is wrong, this initramfs image will not boot." >&2
245	echo " Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
246	echo " the correct hash option to your /etc/crypttab." >&2
247	fi
248
249	# If keyscript is set, the "key" is just an argument to the script
250	if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
251	echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
252	return 1
253	fi
254	}
255
256	get_device_modules() {
257	local node value cipher blockcipher ivhash
258	node="$1"
259
260	# Check the ciphers used by the active root mapping
261	value=$(dmsetup table "$node" \| cut -d " " -f4)
262	cipher=$(echo "$value" \| cut -d ":" -f1 \| cut -d "-" -f1)
263	blockcipher=$(echo "$value" \| cut -d ":" -f1 \| cut -d "-" -f2)
264	ivhash=$(echo "$value" \| cut -d ":" -s -f2)
265
266	if [ -n "$cipher" ]; then
267	echo "$cipher"
268	else
269	return 1
270	fi
271
272	if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then
273	echo "$blockcipher"
274	fi
275
276	if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then
277	echo "$ivhash"
278	fi
279	return 0
280	}
281
282	canonical_device() {
283	local dev altdev
284	dev="$1"
285
286	altdev="${dev#LABEL=}"
287	if [ "$altdev" != "$dev" ]; then
288	dev="/dev/disk/by-label/$altdev"
289	fi
290
291	altdev="${dev#UUID=}"
292	if [ "$altdev" != "$dev" ]; then
293	dev="/dev/disk/by-uuid/$altdev"
294	fi
295
296	if [ -h "$dev" ]; then
297	dev=$(readlink -e "$dev")
298	fi
299
300	altdev="${dev#/dev/mapper/}"
301	if [ "$altdev" != "$dev" ]; then
302	echo "$altdev"
303	return 0
304	fi
305
306	return 1
307	}
308
309	add_device() {
310	local node nodes opts lastopts i count
311	nodes="$1"
312	opts="" # Applied to all nodes
313	lastopts="" # Applied to last node
314
315	if [ -z "$nodes" ]; then
316	return 0
317	fi
318
319	# Check that it is a node under /dev/mapper/
320	nodes=$(canonical_device "$nodes") \|\| return 0
321
322	# Can we find this node in crypttab
323	if ! node_is_in_crypttab "$nodes"; then
324	# dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes?
325	lvmnodes=$(get_lvm_deps "$nodes") \|\| return 1
326
327	# not backed by any dm-crypt nodes; stop here
328	if [ -z "$lvmnodes" ]; then
329	return 0
330	fi
331
332	# It is a lvm device!
333	lastopts="lvm=$nodes"
334	nodes="$lvmnodes"
335	fi
336
337	# Prepare to setup each node
338	count=$(echo "$nodes" \| wc -w)
339	i=1
340	for node in $nodes; do
341	# Prepare the additional options
342	if [ $i -eq $count ]; then
343	if [ -z "$opts" ]; then
344	opts="$lastopts"
345	else
346	opts="$opts,$lastopts"
347	fi
348	fi
349
350	# Get crypttab root options
351	if ! get_device_opts "$node" "$opts"; then
352	continue
353	fi
354	echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot"
355
356	# If we have a keyscript, make sure it is included
357	if [ -n "$KEYSCRIPT" ]; then
358	if [ ! -d "$DESTDIR/keyscripts" ]; then
359	mkdir "$DESTDIR/keyscripts"
360	fi
361
362	if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then
363	copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /keyscripts
364	elif [ -e "$KEYSCRIPT" ]; then
365	copy_exec "$KEYSCRIPT" /keyscripts
366	else
367	echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2
368	continue
369	fi
370	fi
371
372	# Calculate needed modules
373	modules=$(get_device_modules $node \| sort \| uniq)
374	if [ -z "$modules" ]; then
375	echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2
376	continue
377	fi
378	echo dm_mod
379	echo dm_crypt
380	echo "$modules"
381
382	i=$(( $i + 1 ))
383	done
384
385	return 0
386	}
387
388	add_crypto_modules() {
389	local mod file altmod found genericfound
390	mod="$1"
391	found=""
392	genericfound=""
393
394	if [ -z "$mod" ]; then
395	return 1
396	fi
397
398	# We have several potential sources of modules (in order of preference):
399	#
400	# a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
401	# b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
402	# c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
403	#
404	# and (currently ignored):
405	#
406	# d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
407
408	for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko"); do
409	altmod="${file##*/}"
410	altmod="${altmod%.ko}"
411	manual_add_modules "$altmod"
412	found="yes"
413	done
414
415	for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do
416	altmod="${file##*/}"
417	altmod="${altmod%.ko}"
418	manual_add_modules "$altmod"
419	found="yes"
420	genericfound="yes"
421	done
422
423	if [ -z "$genericfound" ]; then
424	for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko"); do
425	altmod="${file##*/}"
426	altmod="${altmod%.ko}"
427	manual_add_modules "$altmod"
428	found="yes"
429	done
430	fi
431
432	if [ -z "$found" ]; then
433	return 1
434	fi
435
436	return 0
437	}
438
439	#
440	# Begin real processing
441	#
442
443	setup="no"
444	rootdev=""
445	resumedevs=""
446
447	# Find the root and resume device(s)
448	if [ -r /etc/crypttab ]; then
449	rootdev=$(get_root_device)
450	if [ -z "$rootdev" ]; then
451	echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
452	fi
453	resumedevs=$(get_resume_devices)
454	fi
455
456	# Load the config opts and modules for each device
457	for dev in $rootdev $resumedevs; do
458	if ! modules=$(add_device "$dev"); then
459	echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2
460	continue
461	fi
462
463	setup="yes"
464	for mod in $modules; do
465	add_crypto_modules $mod
466	done
467	done
468
469	# With large initramfs, we always add a basic subset of modules
470	if [ "$MODULES" != "dep" ]; then
471	for mod in aes sha256 cbc; do
472	add_crypto_modules $mod
473	done
474	fi
475
476	# See if we need to add the basic components
477	if [ "$MODULES" != "dep" ] \|\| [ "$setup" = "yes" ]; then
478	for mod in dm_mod dm_crypt; do
479	manual_add_modules $mod
480	done
481
482	copy_exec /sbin/cryptsetup
483	copy_exec /sbin/dmsetup
484	# copy_exec /lib/cryptsetup/askpass
485	fi
486
487	exit 0