+++ /dev/null
---- cryptsetup-1.2.0/lib/luks1/pbkdf.c~ 2009-09-11 16:11:50.000000000 +0200
-+++ cryptsetup-1.2.0/lib/luks1/pbkdf.c 2010-06-21 11:16:57.353421474 +0200
-@@ -174,7 +174,7 @@
- if (gcry_md_setkey(prf, P, Plen))
- goto out;
-
-- for (i = 1; (uint) i <= l; i++) {
-+ for (i = 1; (unsigned int) i <= l; i++) {
- memset(T, 0, hLen);
-
- for (u = 1; u <= c ; u++) {
-@@ -198,7 +198,7 @@
-
- memcpy(U, p, hLen);
-
-- for (k = 0; (uint) k < hLen; k++)
-+ for (k = 0; (unsigned int) k < hLen; k++)
- T[k] ^= U[k];
-
- if (perfcheck && __PBKDF2_performance) {
-@@ -210,7 +210,7 @@
- __PBKDF2_global_j++;
- }
-
-- memcpy(DK + (i - 1) * hLen, T, (uint) i == l ? r : hLen);
-+ memcpy(DK + (i - 1) * hLen, T, (unsigned int) i == l ? r : hLen);
- }
- rc = 0;
- out:
---- cryptsetup-1.4.0/lib/luks1/keymanage.c.orig 2011-10-08 23:57:01.000000000 +0200
-+++ cryptsetup-1.4.0/lib/luks1/keymanage.c 2011-10-30 07:53:26.817195403 +0100
-@@ -19,6 +19,7 @@
-
- #include <sys/types.h>
- #include <sys/stat.h>
-+#include <limits.h>
- #include <netinet/in.h>
- #include <fcntl.h>
- #include <errno.h>
-@@ -35,6 +36,10 @@
- #include "pbkdf.h"
- #include "internal.h"
-
-+#ifndef UINT32_MAX
-+#define UINT32_MAX UINT_MAX
-+#endif
-+
- #define div_round_up(a,b) ({ \
- typeof(a) __a = (a); \
- typeof(b) __b = (b); \
+++ /dev/null
---- cryptsetup-1.3.1/configure.in~ 2011-05-30 15:48:40.361712101 +0200
-+++ cryptsetup-1.3.1/configure.in 2011-05-30 15:52:03.021018901 +0200
-@@ -157,7 +157,7 @@
- [disable udev support]),[], enable_udev=yes)
-
- dnl Try to use pkg-config for devmapper, but fallback to old detection
--PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.03],, [
-+PKG_CHECK_MODULES([DEVMAPPER], [devmapper-always-use-fallback-so-only-required-libs-will-go-in >= 1.02.03],, [
- AC_CHECK_LIB(devmapper, dm_task_set_name,,
- [AC_MSG_ERROR([You need the device-mapper library.])])
- AC_CHECK_LIB(devmapper, dm_task_set_message,,
---- cryptsetup-1.3.1/configure.in~ 2011-05-30 16:04:32.645465788 +0200
-+++ cryptsetup-1.3.1/configure.in 2011-05-30 16:06:09.913262079 +0200
-@@ -208,7 +208,7 @@
-
- dnl Try to detect needed device-mapper static libraries, try pkg-config first.
- LIBS="$saved_LIBS -static"
-- PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper >= 1.02.27],,[
-+ PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper-without-tons-of-deps >= 1.02.27],,[
- DEVMAPPER_STATIC_LIBS=$DEVMAPPER_LIBS
- if test "x$enable_selinux" != xno; then
- AC_CHECK_LIB(sepol, sepol_bool_set)
+++ /dev/null
-1. Introduction
----------------
-Kernels more recent than 2.6.12 have dropped support for devfs, which
-means that initrd-tools can no longer be used to boot into an encrypted
-root partition. Instead, a similar functionality has been developed for
-use with an initramfs-image.
-
-
-2. A fresh installation
------------------------
-If you plan to perform a completely new installation of Debian onto a
-machine and to do so using an encrypted root partition, you might want
-to consider using a version of Debian Installer with partman-crypto
-(see http://wiki.debian.org/DebianInstaller/PartmanCrypto).
-
-The installation will then take care of all the details and perform the
-necessary configuration for you, meaning that you should not have to
-read the rest of this document to get a machine with an encrypted
-root fs up and running.
-
-However, if you are not planning to perform a new installation from scratch,
-the following information might be useful to you.
-
-
-3. Requirements
----------------
-In order to boot from an encrypted root fs, you need an initramfs-image
-which includes the necessary kernel modules and scripts to setup
-the root device after the kernel has been initialized, but before the rest
-of the operating system is booted.
-
-To do so, you need two partitions:
-- an unencrypted /boot partition
-- an encrypted / partition
-
-In addition, you need to have initramfs-tools installed.
-
-NOTE: You should make sure that your swap partition is either encrypted, or
-that you are using a swap file on an encrypted partition, as crypto keys and
-other sensitive information might otherwise be written out to the swap
-partition in unencrypted form.
-
-
-4. Setup (regular dm-crypt)
----------------------------
-First of all, you must edit /etc/crypttab and add a line describing your
-root device, for example:
-
- cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
-
-This will allow cryptsetup to create /dev/mapper/cryptroot from the
-encrypted partition /dev/hda2 during boot.
-
-In addition, you must also make sure that the root device is listed in
-/etc/fstab, for example:
-
- /dev/mapper/cryptroot / ext3 defaults 0 1
-
-This will allow the initramfs support scripts to know which of the devices
-in the crypttab that is the root device.
-
-After doing these changes, you should regenerate the initramfs by running
-"initramfs-update -u", then make sure that your boot loader is configured
-to feed the initramfs to the kernel when booting. The kernel root argument
-should also be changed to /dev/mapper/cryptroot.
-
-Now, reboot the machine, and if everything is correctly configured, you
-should be given a prompt to type in the passphrase for the encrypted
-root partition before the boot can continue.
-
-NOTE: the initramfs scripts default to using the sha256 hash function while
-the plain cryptsetup binary defaults to using the ripemd160 hash function.
-In order to ensure that the crypto setup works in a consistant manner, you
-should make sure that the hash function is specified in the /etc/crypttab file
-if you are using regular dm-crypt (with LUKS the hash function to use is stored
-in the LUKS header).
-
-
-5. Setup (using LUKS)
----------------------
-If you are using the LUKS feature of cryptsetup, the above setup recipe should
-still apply, but since most options can be derived from the information stored
-in the LUKS header on-disk, the line to add to /etc/crypttab should look
-something like this:
-
- cryptroot /dev/sda2 none luks
-
-
-6. Exotic key types
--------------------
-The above examples assume that you use a regular passphrase as the key to the
-encrypted filesystem. However, if you wish to make use of more complex setups
-(such as root-key-on-usb-memory), you can create a script which does all the
-steps necessary to retrieve the key and then prints it to stdout.
-
-Then add a keyscript=/path/to/your/script.sh to the options (fourth column) in
-the above mentioned /etc/crypttab line, so that it looks something like this:
-
- cryptroot /dev/sda2 none luks,keyscript=/usr/local/sbin/cryptkey
-
-Next, regenerate your initramfs image. This will copy the script into the
-initramfs image under the /keyscripts/ directory.
-
-NOTE: there is a limited set of tools available when the script is executing
-as part of the initramfs bootup, you have to make sure that you do not use
-any tools which are not available or your script, and therefore boot, will
-fail.
-
-
-7. "cryptopts" boot argument
-----------------------------
-In general, you should use the above approach with a line describing your
-root partition in /etc/crypttab and /etc/fstab. However, if for some reason
-you wish to override the settings that are derived from these files and
-stored in the initramfs image, you can use the "cryptopts" boot argument
-(this *only* works for the root partition).
-
-The format of cryptopts is:
-cryptopts=<opt1>=<value1>,<opt2>=<value2>...
-
-Beside the "hash", "size", "cipher" and "lvm" options that correspond to the
-same options in the fourth field of /etc/crypttab, the options "target",
-"source" and "key" are also supported. They correspond to the first, second
-and third field of /etc/crypttab, respectively. See the crypttab man page
-for further details.
-
-Several "cryptopts" boot arguments can also be specified in case more than
-one mapping needs to be setup in the initramfs stage of the boot.
-
-Example boot arguments:
-root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/hda1,cipher=twofish
-
-8. Resume device support
-------------------------
-The initramfs scripts will also try to automatically determine the devices,
-if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and
-to set them up during the initramfs stage in order to allow suspend and resume
-in combination with encryption to keep the resume image safe from potential
-attackers.
-
-If your resume device and your root partition use two different cryptsetup
-mappings, you might want to use the "decrypt_derived" keyscript as described
-below.
-
-9. The "decrypt_derived" keyscript
-----------------------------------
-Assume that you have two entries in /etc/crypttab:
-
-cryptroot /dev/hda1 none luks
-cryptswap /dev/hda2 none luks
-
-If cryptswap is used as your suspend/resume device, you'd normally need to
-enter two different passphrases during the boot, but the "decrypt_derived"
-script can generate the key for the second mapping using a hash of the key
-for the first mapping.
-
-In short, you'll need to do something like the following to take advantage
-of the decrypt_derived script:
-
-1) swapoff -a
-2) cryptsetup luksClose cryptswap
-3) edit /etc/crypttab and change the cryptswap line to e.g.:
-cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
-4) /etc/init.d/cryptdisks start
-5) Make sure that /dev/mapper/cryptswap has been created
-6) swapon -a
-7) (optional) update-initramfs -u
-
-After you've followed the above steps, your swap device should be setup
-automatically after the root device has been setup during the boot stage.
-
-Note: If you don't use suspend device support, it's better to use completely
-random keys for your encrypted swap device. See the section '2. Encrypted
-swap partition(s)' in /usr/share/doc/cryptsetup/README.Debian for information
-on how to setup this.
-
-10. The "passdev" keyscript
-----------------------------
-If you have a keyfile on a removable device (e.g. a USB-key), you can use the
-passdev keyscript. It will wait for the device to appear, mount it read-only,
-read the key and then unmount the device.
-
-The "key" part of /etc/crypttab will be interpreted as <device>:<path>, it is
-strongly recommended that you use one of the persistent device names from
-/dev/disk/*, e.g. /dev/disk/by-label/myusbkey.
-
-This is an example of a suitable line in cryptsetup:
-cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
-
-The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
-appears in the fs, then mount that device and use the file /keys/root.key
-on the device as the key (without any hashing) as the key for the fs.
-
--- David Härdeman <david@hardeman.nu>
+++ /dev/null
-#!/bin/sh
-
-set -e
-
-PREREQ="cryptroot"
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-# Hooks for adding filesystem modules to the initramfs when the passdev
-# keyscript is used
-
-# Check whether the passdev script has been included
-if [ ! -x "${DESTDIR}/keyscripts/passdev" ]; then
- exit 0
-fi
-
-# The filesystem type of the removable device is probed at boot-time, so
-# we add a generous list of filesystems to include. This also helps with
-# recovery situation as including e.g. the vfat module might help a user
-# who needs to create a new cryptkey (using a backup of a keyfile) on
-# a windows-machine for example.
-
-# This list needs to be kept in sync with the one defined in passdev.c
-for fs in ext3 ext2 vfat reiserfs xfs isofs udf; do
- manual_add_modules "$fs" > /dev/null 2>&1 || true
-done
-exit 0
-
+++ /dev/null
-# This will setup non-us keyboards in early userspace,
-# necessary for punching in passphrases.
-KEYMAP=y
-
-# force busybox on initramfs
-BUSYBOX=y
+++ /dev/null
-#!/bin/sh
-
-PREREQ=""
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-get_root_device() {
- local device mount type options dump pass
-
- if [ ! -r /etc/fstab ]; then
- return 1
- fi
-
- grep '^[^#]' /etc/fstab | \
- while read device mount type options dump pass; do
- if [ "$mount" = "/" ]; then
- echo "$device"
- return
- fi
- done
-}
-
-get_resume_devices() {
- local device opt count dupe candidates devices
- candidates=""
-
- # First, get a list of potential resume devices
-
- # uswsusp
- if [ -e /etc/uswsusp.conf ]; then
- device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf)
- if [ -n "$device" ]; then
- candidates="$candidates $device"
- fi
- fi
-
- # uswsusp - again...
- if [ -e /etc/suspend.conf ]; then
- device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf)
- if [ -n "$device" ]; then
- candidates="$candidates $device"
- fi
- fi
-
- # regular swsusp
- for opt in $(cat /proc/cmdline); do
- case $opt in
- resume=*)
- device="${opt#resume=}"
- candidates="$candidates $device"
- ;;
- esac
- done
-
- # initramfs-tools
- if [ -e /etc/initramfs-tools/conf.d/resume ]; then
- device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume)
- if [ -n "$device" ]; then
- candidates="$candidates $device"
- fi
- fi
-
- # Now check the sanity of all candidates
- devices=""
- count=0
- for device in $candidates; do
- # Weed out clever defaults
- if [ "$device" = "<path_to_resume_device_file>" ]; then
- continue
- fi
-
- # Weed out duplicates
- dupe=0
- for opt in $devices; do
- if [ "$device" = "$opt" ]; then
- dupe=1
- fi
- done
- if [ $dupe -eq 1 ]; then
- continue
- fi
-
- # This device seems ok
- devices="$devices $device"
- count=$(( $count + 1 ))
- done
-
- if [ $count -gt 1 ]; then
- echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2
- for device in $devices; do
- echo " $device" >&2
- done
- fi
-
- if [ $count -gt 0 ]; then
- echo $devices
- fi
-
- return 0
-}
-
-node_is_in_crypttab() {
- local node
- node="$1"
-
- grep -q ^$node /etc/crypttab
- return $?
-}
-
-get_lvm_deps() {
- local node deps maj min depnode
- node="$1"
-
- if [ -z $node ]; then
- echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2
- return 1
- fi
-
- if ! deps=$(dmsetup deps "$node" 2> /dev/null | sed 's/[^:]*: *//;s/[ (]//g;s/)/ /g'); then
- echo "cryptsetup: WARNING: failed to find deps for $node" >&2
- return 1
- fi
-
- # We should now have a list of major,minor pairs, e.g. "3,2 3,3"
- for dep in $deps; do
- maj=${dep%,*}
- min=${dep#*,}
- depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p" | sed -e "s/[ \t]*$//")
- if [ -z "$depnode" ]; then
- continue
- fi
- if [ "$(dmsetup table "$depnode" 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then
- get_lvm_deps "$depnode"
- continue
- fi
- echo "$depnode"
- done
-
- return 0
-}
-
-get_device_opts() {
- local target source link extraopts rootopts opt
- target="$1"
- extraopts="$2"
- KEYSCRIPT=""
- OPTIONS=""
-
- if [ -z "$target" ]; then
- echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
- return 1
- fi
-
- opt=$( grep ^$target /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' )
- source=$( echo $opt | cut -d " " -f2 )
- key=$( echo $opt | cut -d " " -f3 )
- rootopts=$( echo $opt | cut -d " " -f4- )
-
- if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then
- echo "cryptsetup: WARNING: invalid line in /etc/crypttab - $opt" >&2
- return 1
- fi
-
- # Sanity checks for $source
- if [ -h "$source" ]; then
- link=$(readlink -nqe "$source")
- if [ -z "$link" ]; then
- echo "cryptsetup: WARNING: $source is a dangling symlink" >&2
- return 1
- fi
-
- if [ "$link" != "${link#/dev/mapper/}" ]; then
- echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2
- source="$link"
- fi
- fi
-
- # Sanity checks for $key
- if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then
- echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2
- return 1
- fi
-
- if [ -n "$extraopts" ]; then
- rootopts="$extraopts,$rootopts"
- fi
-
- # We have all the basic options, let's go trough them
- OPTIONS="target=$target,source=$source,key=$key"
- local IFS=", "
- unset HASH_FOUND
- unset LUKS_FOUND
- for opt in $rootopts; do
- case $opt in
- cipher=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- hash=*)
- OPTIONS="$OPTIONS,$opt"
- HASH_FOUND=1
- ;;
- size=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- lvm=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- keyscript=*)
- opt=${opt#keyscript=}
- if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then
- echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2
- return 1
- fi
- KEYSCRIPT="$opt"
- OPTIONS="$OPTIONS,keyscript=/keyscripts/$(basename "$opt")"
- ;;
- tries=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- luks)
- LUKS_FOUND=1
- ;;
- *)
- # Presumably a non-supported option
- ;;
- esac
- done
-
- # Warn for missing hash option, unless we have a LUKS partition
- if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
- echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2
- echo " If this is wrong, this initramfs image will not boot." >&2
- echo " Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
- echo " the correct hash option to your /etc/crypttab." >&2
- fi
-
- # If keyscript is set, the "key" is just an argument to the script
- if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
- echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
- return 1
- fi
-}
-
-get_device_modules() {
- local node value cipher blockcipher ivhash
- node="$1"
-
- # Check the ciphers used by the active root mapping
- value=$(dmsetup table "$node" | cut -d " " -f4)
- cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1)
- blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2)
- ivhash=$(echo "$value" | cut -d ":" -s -f2)
-
- if [ -n "$cipher" ]; then
- echo "$cipher"
- else
- return 1
- fi
-
- if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then
- echo "$blockcipher"
- fi
-
- if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then
- echo "$ivhash"
- fi
- return 0
-}
-
-canonical_device() {
- local dev altdev
- dev="$1"
-
- altdev="${dev#LABEL=}"
- if [ "$altdev" != "$dev" ]; then
- dev="/dev/disk/by-label/$altdev"
- fi
-
- altdev="${dev#UUID=}"
- if [ "$altdev" != "$dev" ]; then
- dev="/dev/disk/by-uuid/$altdev"
- fi
-
- if [ -h "$dev" ]; then
- dev=$(readlink -e "$dev")
- fi
-
- altdev="${dev#/dev/mapper/}"
- if [ "$altdev" != "$dev" ]; then
- echo "$altdev"
- return 0
- fi
-
- return 1
-}
-
-add_device() {
- local node nodes opts lastopts i count
- nodes="$1"
- opts="" # Applied to all nodes
- lastopts="" # Applied to last node
-
- if [ -z "$nodes" ]; then
- return 0
- fi
-
- # Check that it is a node under /dev/mapper/
- nodes=$(canonical_device "$nodes") || return 0
-
- # Can we find this node in crypttab
- if ! node_is_in_crypttab "$nodes"; then
- # dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes?
- lvmnodes=$(get_lvm_deps "$nodes") || return 1
-
- # not backed by any dm-crypt nodes; stop here
- if [ -z "$lvmnodes" ]; then
- return 0
- fi
-
- # It is a lvm device!
- lastopts="lvm=$nodes"
- nodes="$lvmnodes"
- fi
-
- # Prepare to setup each node
- count=$(echo "$nodes" | wc -w)
- i=1
- for node in $nodes; do
- # Prepare the additional options
- if [ $i -eq $count ]; then
- if [ -z "$opts" ]; then
- opts="$lastopts"
- else
- opts="$opts,$lastopts"
- fi
- fi
-
- # Get crypttab root options
- if ! get_device_opts "$node" "$opts"; then
- continue
- fi
- echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot"
-
- # If we have a keyscript, make sure it is included
- if [ -n "$KEYSCRIPT" ]; then
- if [ ! -d "$DESTDIR/keyscripts" ]; then
- mkdir "$DESTDIR/keyscripts"
- fi
-
- if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then
- copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /keyscripts
- elif [ -e "$KEYSCRIPT" ]; then
- copy_exec "$KEYSCRIPT" /keyscripts
- else
- echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2
- continue
- fi
- fi
-
- # Calculate needed modules
- modules=$(get_device_modules $node | sort | uniq)
- if [ -z "$modules" ]; then
- echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2
- continue
- fi
- echo dm_mod
- echo dm_crypt
- echo "$modules"
-
- i=$(( $i + 1 ))
- done
-
- return 0
-}
-
-add_crypto_modules() {
- local mod file altmod found genericfound
- mod="$1"
- found=""
- genericfound=""
-
- if [ -z "$mod" ]; then
- return 1
- fi
-
- # We have several potential sources of modules (in order of preference):
- #
- # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
- # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
- # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
- #
- # and (currently ignored):
- #
- # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
-
- for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko"); do
- altmod="${file##*/}"
- altmod="${altmod%.ko}"
- manual_add_modules "$altmod"
- found="yes"
- done
-
- for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do
- altmod="${file##*/}"
- altmod="${altmod%.ko}"
- manual_add_modules "$altmod"
- found="yes"
- genericfound="yes"
- done
-
- if [ -z "$genericfound" ]; then
- for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko"); do
- altmod="${file##*/}"
- altmod="${altmod%.ko}"
- manual_add_modules "$altmod"
- found="yes"
- done
- fi
-
- if [ -z "$found" ]; then
- return 1
- fi
-
- return 0
-}
-
-#
-# Begin real processing
-#
-
-setup="no"
-rootdev=""
-resumedevs=""
-
-# Find the root and resume device(s)
-if [ -r /etc/crypttab ]; then
- rootdev=$(get_root_device)
- if [ -z "$rootdev" ]; then
- echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
- fi
- resumedevs=$(get_resume_devices)
-fi
-
-# Load the config opts and modules for each device
-for dev in $rootdev $resumedevs; do
- if ! modules=$(add_device "$dev"); then
- echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2
- continue
- fi
-
- setup="yes"
- for mod in $modules; do
- add_crypto_modules $mod
- done
-done
-
-# With large initramfs, we always add a basic subset of modules
-if [ "$MODULES" != "dep" ]; then
- for mod in aes sha256 cbc; do
- add_crypto_modules $mod
- done
-fi
-
-# See if we need to add the basic components
-if [ "$MODULES" != "dep" ] || [ "$setup" = "yes" ]; then
- for mod in dm_mod dm_crypt; do
- manual_add_modules $mod
- done
-
- copy_exec /sbin/cryptsetup
- copy_exec /sbin/dmsetup
-# copy_exec /lib/cryptsetup/askpass
-fi
-
-exit 0
+++ /dev/null
-#!/bin/sh
-
-#
-# Standard initramfs preamble
-#
-prereqs()
-{
- # Make sure that cryptroot is run last in local-top
- for req in /scripts/local-top/*; do
- script=${req##*/}
- if [ $script != cryptroot ]; then
- echo $script
- fi
- done
-}
-
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-
-#
-# Helper functions
-#
-message()
-{
- if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then
- usplash_write "TEXT-URGENT $@"
- else
- echo "$@" >&2
- fi
- return 0
-}
-
-parse_options()
-{
- local cryptopts
- cryptopts="$1"
-
- if [ -z "$cryptopts" ]; then
- return 1
- fi
-
- # Defaults
- cryptcipher=aes-cbc-essiv:sha256
- cryptsize=256
- crypthash=ripemd160
- crypttarget=cryptroot
- cryptsource=""
- cryptlvm=""
- cryptkeyscript=""
- cryptkey="" # This is only used as an argument to an eventual keyscript
- crypttries=3
-
- local IFS=" ,"
- for x in $cryptopts; do
- case $x in
- hash=*)
- crypthash=${x#hash=}
- ;;
- size=*)
- cryptsize=${x#size=}
- ;;
- cipher=*)
- cryptcipher=${x#cipher=}
- ;;
- target=*)
- crypttarget=${x#target=}
- ;;
- source=*)
- cryptsource=${x#source=}
- if [ ${cryptsource#UUID=} != $cryptsource ]; then
- cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
- elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
- cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}"
- fi
- ;;
- lvm=*)
- cryptlvm=${x#lvm=}
- ;;
- keyscript=*)
- cryptkeyscript=${x#keyscript=}
- ;;
- key=*)
- if [ "${x#key=}" != "none" ]; then
- cryptkey=${x#key=}
- fi
- ;;
- tries=*)
- crypttries="${x#tries=}"
- case "$crypttries" in
- *[![:digit:].]*)
- crypttries=3
- ;;
- esac
- ;;
- esac
- done
-
- if [ -z "$cryptsource" ]; then
- message "cryptsetup: source parameter missing"
- return 1
- fi
- return 0
-}
-
-activate_vg()
-{
- local vg
- vg="${1#/dev/mapper/}"
-
- # Sanity checks
- if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then
- return 1
- fi
-
- # Make sure that the device contains at least one dash
- if [ "${vg%%-*}" = "$vg" ]; then
- return 1
- fi
-
- # Split volume group from logical volume.
- vg=$(echo ${vg} | sed -e 's#\(.*\)\([^-]\)-[^-].*#\1\2#')
-
- # Reduce padded --'s to -'s
- vg=$(echo ${vg} | sed -e 's#--#-#g')
-
- lvm vgchange -ay ${vg}
- return $?
-}
-
-activate_evms()
-{
- local dev module
- dev="${1#/dev/evms/}"
-
- # Sanity checks
- if [ ! -x /sbin/evms_activate ] || [ "$dev" = "$1" ]; then
- return 1
- fi
-
- # Load modules used by evms
- for module in dm-mod linear raid0 raid1 raid10 raid5 raid6; do
- /sbin/modprobe -q $module
- done
-
- # Activate it
- /sbin/evms_activate
- return $?
-}
-
-setup_mapping()
-{
- local opts count cryptcreate cryptremove NEWROOT
- opts="$1"
-
- if [ -z "$opts" ]; then
- return 0
- fi
-
- parse_options "$opts" || return 1
-
- if [ -n "$cryptkeyscript" ] && [ ! -x "$cryptkeyscript" ]; then
- message "cryptsetup: error - script \"$cryptkeyscript\" missing"
- return 1
- fi
-
- # The same target can be specified multiple times
- # e.g. root and resume lvs-on-lvm-on-crypto
- if [ -e "/dev/mapper/$crypttarget" ]; then
- return 0
- fi
-
- /sbin/modprobe -q dm_crypt
-
- # Make sure the cryptsource device is available
- if [ ! -e $cryptsource ]; then
- activate_vg $cryptsource
- activate_evms $cryptsource
- fi
-
- /sbin/udevadm settle --timeout=30
-
- if [ ! -e $cryptsource ]; then
- message "cryptsetup: source device $cryptsource not found"
- return 1
- fi
-
- # Prepare commands
- if /sbin/cryptsetup isLuks $cryptsource > /dev/null 2>&1; then
- cryptcreate="/sbin/cryptsetup -T 1 luksOpen $cryptsource $crypttarget"
- else
- cryptcreate="/sbin/cryptsetup -T 1 -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
- fi
- cryptremove="/sbin/cryptsetup remove $crypttarget"
- NEWROOT="/dev/mapper/$crypttarget"
-
- # Try to get a satisfactory password $crypttries times
- count=0
- while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
- count=$(( $count + 1 ))
-
- if [ $count -gt 1 ]; then
- sleep 3
- fi
-
- if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
- message "cryptsetup: maximum number of tries exceeded for $crypttarget"
- return 1
- fi
-
- if [ -z "$cryptkeyscript" ]; then
- cryptkeyscript="/lib/cryptsetup/askpass"
- cryptkey="Enter passphrase to unlock the disk $cryptsource ($crypttarget): "
- fi
-
-
- if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
- $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
- message "cryptsetup: cryptsetup failed, bad password or options?"
- continue
- fi
-
- if [ ! -e "$NEWROOT" ]; then
- message "cryptsetup: unknown error setting up device mapping"
- return 1
- fi
-
- FSTYPE=''
- eval $(fstype < "$NEWROOT")
-
- # See if we need to setup lvm on the crypto device
- if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
- if [ -z "$cryptlvm" ]; then
- message "cryptsetup: lvm fs found but no lvm configured"
- return 1
- elif ! activate_vg "/dev/mapper/$cryptlvm"; then
- message "cryptsetup: failed to setup lvm device"
- return 1
- fi
-
- NEWROOT="/dev/mapper/$cryptlvm"
- eval $(fstype < "$NEWROOT")
- fi
-
- if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
- message "cryptsetup: unknown fstype, bad password or options?"
- $cryptremove
- continue
- fi
-
- message "cryptsetup: $crypttarget setup successfully"
- break
- done
-
- /sbin/udevadm settle --timeout=30
- return 0
-}
-
-#
-# Begin real processing
-#
-
-# Do we have any kernel boot arguments?
-found=''
-for opt in $(cat /proc/cmdline); do
- case $opt in
- cryptopts=*)
- found=yes
- setup_mapping "${opt#cryptopts=}"
- ;;
- esac
-done
-
-if [ -n "$found" ]; then
- exit 0
-fi
-
-# Do we have any settings from the /conf/conf.d/cryptroot file?
-if [ -r /conf/conf.d/cryptroot ]; then
- while read mapping <&3; do
- setup_mapping "$mapping"
- done 3< /conf/conf.d/cryptroot
-fi
-
-exit 0
+++ /dev/null
-#
-# Conditonal build:
-%bcond_without initrd # don't build initrd version
-%bcond_without dietlibc # build initrd version with static glibc instead of dietlibc
-%bcond_without python # Python binding
-#
-%define realname cryptsetup
-Summary: LUKS for dm-crypt implemented in cryptsetup
-Summary(pl.UTF-8): LUKS dla dm-crypta zaimplementowany w cryptsetup
-Name: cryptsetup-luks
-Version: 1.4.1
-Release: 1
-License: GPL v2
-Group: Base
-#Source0Download: http://code.google.com/p/cryptsetup/downloads/list
-Source0: http://cryptsetup.googlecode.com/files/%{realname}-%{version}.tar.bz2
-# Source0-md5: 9253b3f29abf5c6f333eb74128b0df1c
-Source1: %{name}-initramfs-root-conf
-Source2: %{name}-initramfs-root-hook
-Source3: %{name}-initramfs-root-local-top
-Source4: %{name}-initramfs-passdev-hook
-Source5: %{name}-initramfs-README
-Patch0: %{name}-diet.patch
-Patch1: %{name}-dont-drag-more-libs.patch
-URL: http://code.google.com/p/cryptsetup/
-BuildRequires: autoconf >= 2.67
-BuildRequires: automake
-BuildRequires: device-mapper-devel >= 1.02.03
-BuildRequires: gettext-devel >= 0.15
-BuildRequires: libgcrypt-devel >= 1.1.42
-BuildRequires: libselinux-devel
-BuildRequires: libsepol-devel
-BuildRequires: libtool >= 2:2.0
-BuildRequires: libuuid-devel
-BuildRequires: popt-devel >= 1.7
-%if %{with python}
-BuildRequires: python-devel >= 1:2.4
-BuildRequires: rpm-pythonprov
-%endif
-%if %{with initrd}
-BuildRequires: libgpg-error-static
- %if %{with dietlibc}
-BuildRequires: device-mapper-dietlibc
-BuildRequires: dietlibc-static
-BuildRequires: libgcrypt-dietlibc
-BuildRequires: libuuid-dietlibc
-BuildRequires: popt-dietlibc
- %else
-BuildRequires: device-mapper-static >= 1.02.07
-BuildRequires: libgcrypt-static >= 1.1.42
-BuildRequires: libselinux-static
-BuildRequires: libsepol-static
-BuildRequires: libuuid-static
-BuildRequires: popt-static
- %endif
-%endif
-Requires: popt >= 1.7
-Provides: cryptsetup = %{version}
-Obsoletes: cryptsetup
-Conflicts: udev < 1:118-1
-Conflicts: udev-core < 1:115
-BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
-
-%define _sbindir /sbin
-
-%description
-LUKS is the upcoming standard for Linux hard disk encryption. By
-providing a standard on-disk-format, it does not only facilitate
-compatibility among distributions, but also provide secure management
-of multiple user passwords. In contrast to existing solution, LUKS
-stores all setup necessary setup information in the partition header,
-enabling the user to transport or migrate his data seamlessly.
-
-This package contains implementation of LUKS for dm-crypt implemented
-in cryptsetup.
-
-%description -l pl.UTF-8
-LUKS to nadchodzący standard linuksowego szyfrowania twardego dysku.
-Dostarczając standardowy format danych na dysku nie tylko ułatwia
-utrzymanie kompatybilności między dystrybucjami, ale także dostarcza
-bezpieczne zarządzanie wieloma hasłami użytkowników. W przeciwieństwie
-do istniejącego rozwiązania LUKS przechowuje wszystkie potrzebne
-informacje o konfiguracji w nagłówku partycji, pozwalając
-użytkownikowi przenosić lub migrować dane w sposób przezroczysty.
-
-Ten pakiet zawiera implementację LUKS dla dm-crytpa zaimplementowaną w
-cryptsetup.
-
-%package devel
-Summary: Header files for cryptsetup library
-Summary(pl.UTF-8): Pliki nagłówkowe biblioteki cryptsetup
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-Requires: device-mapper-devel
-Requires: libgcrypt-devel >= 1.1.42
-Obsoletes: cryptsetup-devel
-
-%description devel
-Header files for cryptsetup library.
-
-%description devel -l pl.UTF-8
-Pliki nagłówkowe biblioteki cryptsetup.
-
-%package static
-Summary: Static cryptsetup library
-Summary(pl.UTF-8): Statyczna biblioteka cryptsetup
-Group: Development/Libraries
-Requires: %{name}-devel = %{version}-%{release}
-Obsoletes: cryptsetup-static
-
-%description static
-Static version of cryptsetup library.
-
-%description static -l pl.UTF-8
-Statyczna wersja biblioteki cryptsetup.
-
-%package -n python-pycryptsetup
-Summary: Python binding for cryptsetup library
-Summary(pl.UTF-8): Wiązanie Pythona do biblioteki cryptsetup
-Group: Libraries/Python
-Requires: %{name}-libs = %{version}-%{release}
-%pyrequires_eq python-libs
-
-%description -n python-pycryptsetup
-Python binding for cryptsetup library.
-
-%description -n python-pycryptsetup -l pl.UTF-8
-Wiązanie Pythona do biblioteki cryptsetup.
-
-%package initrd
-Summary: LUKS for dm-crypt implemented in cryptsetup - initrd version
-Summary(pl.UTF-8): LUKS dla dm-crypta zaimplementowany w cryptsetup - wersja initrd
-Group: Base
-Requires: udev-initrd >= 1:115
-Conflicts: geninitrd < 10000.10
-
-%description initrd
-This package contains implementation of LUKS for dm-crypt implemented
-in cryptsetup - statically linked for initrd.
-
-%description initrd -l pl.UTF-8
-Ten pakiet zawiera implementację LUKS dla dm-crypta zaimplementowaną
-w cryptsetup - wersję statycznie zlinkowaną dla initrd.
-
-%package initramfs
-Summary: LUKS for dm-crypt implemented in cryptsetup - support scripts for initramfs-tools
-Summary(pl.UTF-8): LUKS dla dm-crypta zaimplementowany w cryptsetup - skrypty dla initramfs-tools
-Group: Base
-Requires: %{name} = %{version}-%{release}
-Requires: initramfs-tools
-
-%description initramfs
-LUKS for dm-crypt implemented in cryptsetup - support scripts
-for initramfs-tools.
-
-%description initramfs -l pl.UTF-8
-LUKS dla dm-crypta zaimplementowany w cryptsetup - skrypty dla
-initramfs-tools.
-
-%prep
-%setup -q -n %{realname}-%{version}
-%patch0 -p1
-%patch1 -p1
-
-cp -a %{SOURCE5} README.initramfs
-
-%{__rm} po/stamp-po
-
-%build
-%{__gettextize}
-%{__libtoolize}
-%{__aclocal} -I m4
-%{__autoconf}
-%{__autoheader}
-%{__automake}
-
-%if %{with initrd}
-CC="%{__cc}"
-%configure \
-%if %{with dietlibc}
-%configure \
- CC="diet ${CC#ccache } %{rpmcppflags} %{rpmcflags} %{rpmldflags} -Os" \
- LIBS="-lcompat" \
- ac_cv_lib_popt_poptConfigFileToString=yes \
- ac_cv_lib_sepol_sepol_bool_set=no \
- ac_cv_lib_selinux_is_selinux_enabled=no \
-%endif
-%if "%{?configure_cache}" == "1"
- --cache-file=%{?configure_cache_file}%{!?configure_cache_file:configure}-initrd.cache \
-%endif
- --disable-shared \
- --enable-static \
- --enable-static-cryptsetup \
- --disable-udev \
- --disable-nls
-
-%{__make} -C lib
-
-%if %{with dietlibc}
-# we have to do it by hand cause libtool "know better" and forces
-# static libs from /usr/lib
-CC="%{__cc}"
-diet ${CC#ccache } %{rpmcppflags} %{rpmcflags} %{rpmldflags} -Os -I. -I./lib -static \
- -o cryptsetup-initrd src/cryptsetup.c ./lib/.libs/libcryptsetup.a \
- -lpopt -lgcrypt -lgpg-error -ldevmapper -luuid -lcompat
-%else
-%{__make} -C src
-mv src/cryptsetup cryptsetup-initrd
-%endif
-
-%{__make} clean
-%endif
-
-%configure \
- --enable-udev \
- --enable-static \
- %{?with_python:--enable-python}
-%{__make}
-
-%install
-rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/{conf-hooks.d,hooks,scripts/local-top}
-
-%{__make} install \
- DESTDIR=$RPM_BUILD_ROOT
-
-install -d $RPM_BUILD_ROOT/%{_lib}
-mv -f $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so.* $RPM_BUILD_ROOT/%{_lib}
-ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so.*.*.*) \
- $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
-
-%if %{with initrd}
-install -d $RPM_BUILD_ROOT%{_libdir}/initrd
-install -p cryptsetup-initrd $RPM_BUILD_ROOT%{_libdir}/initrd/cryptsetup
-%endif
-
-install -p %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/conf-hooks.d/cryptsetup
-install -p %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/hooks/cryptroot
-install -p %{SOURCE3} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/scripts/local-top/cryptroot
-install -p %{SOURCE4} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/hooks/cryptpassdev
-
-%{?with_python:%{__rm} $RPM_BUILD_ROOT%{py_sitedir}/pycryptsetup.{la,a}}
-
-%find_lang %{realname}
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
-
-%files -f %{realname}.lang
-%defattr(644,root,root,755)
-%doc AUTHORS ChangeLog TODO
-%attr(755,root,root) %{_sbindir}/cryptsetup
-%attr(755,root,root) /%{_lib}/libcryptsetup.so.*.*.*
-%attr(755,root,root) %ghost /%{_lib}/libcryptsetup.so.4
-%{_mandir}/man8/cryptsetup.8*
-
-%files devel
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/libcryptsetup.so
-%{_libdir}/libcryptsetup.la
-%{_includedir}/libcryptsetup.h
-%{_pkgconfigdir}/libcryptsetup.pc
-
-%files static
-%defattr(644,root,root,755)
-%{_libdir}/libcryptsetup.a
-
-%if %{with python}
-%files -n python-pycryptsetup
-%defattr(644,root,root,755)
-%attr(755,root,root) %{py_sitedir}/pycryptsetup.so
-%endif
-
-%if %{with initrd}
-%files initrd
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/initrd/cryptsetup
-%endif
-
-%files initramfs
-%defattr(644,root,root,755)
-%doc README.initramfs
-%attr(755,root,root) %{_datadir}/initramfs-tools/conf-hooks.d/cryptsetup
-%attr(755,root,root) %{_datadir}/initramfs-tools/hooks/cryptroot
-%attr(755,root,root) %{_datadir}/initramfs-tools/hooks/cryptpassdev
-%attr(755,root,root) %{_datadir}/initramfs-tools/scripts/local-top/cryptroot