From: Jakub Bogusz
Date: Mon, 16 Apr 2012 19:08:08 +0000 (+0000)
Subject: - moved back to cryptsetup package
X-Git-Url: http://git.pld-linux.org/?p=packages%2Fcryptsetup-luks.git;a=commitdiff_plain
- moved back to cryptsetup package
Changed files:
cryptsetup-luks-diet.patch -> 1.8
cryptsetup-luks-dont-drag-more-libs.patch -> 1.2
cryptsetup-luks-initramfs-README -> 1.2
cryptsetup-luks-initramfs-passdev-hook -> 1.2
cryptsetup-luks-initramfs-root-conf -> 1.2
cryptsetup-luks-initramfs-root-hook -> 1.2
cryptsetup-luks-initramfs-root-local-top -> 1.2
cryptsetup-luks.spec -> 1.59
---
diff --git a/cryptsetup-luks-diet.patch b/cryptsetup-luks-diet.patch
deleted file mode 100644
index 1cc27e7..0000000
--- a/cryptsetup-luks-diet.patch
+++ /dev/null
@@ -1,50 +0,0 @@
---- cryptsetup-1.2.0/lib/luks1/pbkdf.c~ 2009-09-11 16:11:50.000000000 +0200
-+++ cryptsetup-1.2.0/lib/luks1/pbkdf.c 2010-06-21 11:16:57.353421474 +0200
-@@ -174,7 +174,7 @@
- if (gcry_md_setkey(prf, P, Plen))
- goto out;
-
-- for (i = 1; (uint) i <= l; i++) {
-+ for (i = 1; (unsigned int) i <= l; i++) {
- memset(T, 0, hLen);
-
- for (u = 1; u <= c ; u++) {
-@@ -198,7 +198,7 @@
-
- memcpy(U, p, hLen);
-
-- for (k = 0; (uint) k < hLen; k++)
-+ for (k = 0; (unsigned int) k < hLen; k++)
- T[k] ^= U[k];
-
- if (perfcheck && __PBKDF2_performance) {
-@@ -210,7 +210,7 @@
- __PBKDF2_global_j++;
- }
-
-- memcpy(DK + (i - 1) * hLen, T, (uint) i == l ? r : hLen);
-+ memcpy(DK + (i - 1) * hLen, T, (unsigned int) i == l ? r : hLen);
- }
- rc = 0;
- out:
---- cryptsetup-1.4.0/lib/luks1/keymanage.c.orig 2011-10-08 23:57:01.000000000 +0200
-+++ cryptsetup-1.4.0/lib/luks1/keymanage.c 2011-10-30 07:53:26.817195403 +0100
-@@ -19,6 +19,7 @@
-
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -35,6 +36,10 @@
- #include "pbkdf.h"
- #include "internal.h"
-
-+#ifndef UINT32_MAX
-+#define UINT32_MAX UINT_MAX
-+#endif
-+
- #define div_round_up(a,b) ({ \
- typeof(a) __a = (a); \
- typeof(b) __b = (b); \
diff --git a/cryptsetup-luks-dont-drag-more-libs.patch b/cryptsetup-luks-dont-drag-more-libs.patch
deleted file mode 100644
index 820c597..0000000
--- a/cryptsetup-luks-dont-drag-more-libs.patch
+++ /dev/null
@@ -1,22 +0,0 @@
---- cryptsetup-1.3.1/configure.in~ 2011-05-30 15:48:40.361712101 +0200
-+++ cryptsetup-1.3.1/configure.in 2011-05-30 15:52:03.021018901 +0200
-@@ -157,7 +157,7 @@
- [disable udev support]),[], enable_udev=yes)
-
- dnl Try to use pkg-config for devmapper, but fallback to old detection
--PKG_CHECK_MODULES([DEVMAPPER], [devmapper >= 1.02.03],, [
-+PKG_CHECK_MODULES([DEVMAPPER], [devmapper-always-use-fallback-so-only-required-libs-will-go-in >= 1.02.03],, [
- AC_CHECK_LIB(devmapper, dm_task_set_name,,
- [AC_MSG_ERROR([You need the device-mapper library.])])
- AC_CHECK_LIB(devmapper, dm_task_set_message,,
---- cryptsetup-1.3.1/configure.in~ 2011-05-30 16:04:32.645465788 +0200
-+++ cryptsetup-1.3.1/configure.in 2011-05-30 16:06:09.913262079 +0200
-@@ -208,7 +208,7 @@
-
- dnl Try to detect needed device-mapper static libraries, try pkg-config first.
- LIBS="$saved_LIBS -static"
-- PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper >= 1.02.27],,[
-+ PKG_CHECK_MODULES([DEVMAPPER_STATIC], [devmapper-without-tons-of-deps >= 1.02.27],,[
- DEVMAPPER_STATIC_LIBS=$DEVMAPPER_LIBS
- if test "x$enable_selinux" != xno; then
- AC_CHECK_LIB(sepol, sepol_bool_set)
diff --git a/cryptsetup-luks-initramfs-README b/cryptsetup-luks-initramfs-README
deleted file mode 100644
index 245fe36..0000000
--- a/cryptsetup-luks-initramfs-README
+++ /dev/null
@@ -1,194 +0,0 @@
-1. Introduction
----------------
-Kernels more recent than 2.6.12 have dropped support for devfs, which
-means that initrd-tools can no longer be used to boot into an encrypted
-root partition. Instead, a similar functionality has been developed for
-use with an initramfs-image.
-
-
-2. A fresh installation
------------------------
-If you plan to perform a completely new installation of Debian onto a
-machine and to do so using an encrypted root partition, you might want
-to consider using a version of Debian Installer with partman-crypto
-(see http://wiki.debian.org/DebianInstaller/PartmanCrypto).
-
-The installation will then take care of all the details and perform the
-necessary configuration for you, meaning that you should not have to
-read the rest of this document to get a machine with an encrypted
-root fs up and running.
-
-However, if you are not planning to perform a new installation from scratch,
-the following information might be useful to you.
-
-
-3. Requirements
---------------
-In order to boot from an encrypted root fs, you need an initramfs-image
-which includes the necessary kernel modules and scripts to setup
-the root device after the kernel has been initialized, but before the rest
-of the operating system is booted.
-
-To do so, you need two partitions:
-- an unencrypted /boot partition
-- an encrypted / partition
-
-In addition, you need to have initramfs-tools installed.
-
-NOTE: You should make sure that your swap partition is either encrypted, or
-that you are using a swap file on an encrypted partition, as crypto keys and
-other sensitive information might otherwise be written out to the swap
-partition in unencrypted form.
-
-
-4. Setup (regular dm-crypt)
---------------------------
-First of all, you must edit /etc/crypttab and add a line describing your
-root device, for example:
-
- cryptroot /dev/hda2 none cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
-
-This will allow cryptsetup to create /dev/mapper/cryptroot from the
-encrypted partition /dev/hda2 during boot.
-
-In addition, you must also make sure that the root device is listed in
-/etc/fstab, for example:
-
- /dev/mapper/cryptroot / ext3 defaults 0 1
-
-This will allow the initramfs support scripts to know which of the devices
-in the crypttab that is the root device.
-
-After doing these changes, you should regenerate the initramfs by running
-"initramfs-update -u", then make sure that your boot loader is configured
-to feed the initramfs to the kernel when booting. The kernel root argument
-should also be changed to /dev/mapper/cryptroot.
-
-Now, reboot the machine, and if everything is correctly configured, you
-should be given a prompt to type in the passphrase for the encrypted
-root partition before the boot can continue.
-
-NOTE: the initramfs scripts default to using the sha256 hash function while
-the plain cryptsetup binary defaults to using the ripemd160 hash function.
-In order to ensure that the crypto setup works in a consistant manner, you
-should make sure that the hash function is specified in the /etc/crypttab file
-if you are using regular dm-crypt (with LUKS the hash function to use is stored
-in the LUKS header).
-
-
-5. Setup (using LUKS)
---------------------
-If you are using the LUKS feature of cryptsetup, the above setup recipe should
-still apply, but since most options can be derived from the information stored
-in the LUKS header on-disk, the line to add to /etc/crypttab should look
-something like this:
-
- cryptroot /dev/sda2 none luks
-
-
-6. Exotic key types
-------------------
-The above examples assume that you use a regular passphrase as the key to the
-encrypted filesystem. However, if you wish to make use of more complex setups
-(such as root-key-on-usb-memory), you can create a script which does all the
-steps necessary to retrieve the key and then prints it to stdout.
-
-Then add a keyscript=/path/to/your/script.sh to the options (fourth column) in
-the above mentioned /etc/crypttab line, so that it looks something like this:
-
- cryptroot /dev/sda2 none luks,keyscript=/usr/local/sbin/cryptkey
-
-Next, regenerate your initramfs image. This will copy the script into the
-initramfs image under the /keyscripts/ directory.
-
-NOTE: there is a limited set of tools available when the script is executing
-as part of the initramfs bootup, you have to make sure that you do not use
-any tools which are not available or your script, and therefore boot, will
-fail.
-
-
-7. "cryptopts" boot argument
----------------------------
-In general, you should use the above approach with a line describing your
-root partition in /etc/crypttab and /etc/fstab. However, if for some reason
-you wish to override the settings that are derived from these files and
-stored in the initramfs image, you can use the "cryptopts" boot argument
-(this *only* works for the root partition).
-
-The format of cryptopts is:
-cryptopts==,=...
-
-Beside the "hash", "size", "cipher" and "lvm" options that correspond to the
-same options in the fourth field of /etc/crypttab, the options "target",
-"source" and "key" are also supported. They correspond to the first, second
-and third field of /etc/crypttab, respectively. See the crypttab man page
-for further details.
-
-Several "cryptopts" boot arguments can also be specified in case more than
-one mapping needs to be setup in the initramfs stage of the boot.
-
-Example boot arguments:
-root=/dev/mapper/crypt0 cryptopts=target=crypt0,source=/dev/hda1,cipher=twofish
-
-8. Resume device support
------------------------
-The initramfs scripts will also try to automatically determine the devices,
-if any, that are used for software suspend (swsusp, suspend2 or uswsusp) and
-to set them up during the initramfs stage in order to allow suspend and resume
-in combination with encryption to keep the resume image safe from potential
-attackers.
-
-If your resume device and your root partition use two different cryptsetup
-mappings, you might want to use the "decrypt_derived" keyscript as described
-below.
-
-9. The "decrypt_derived" keyscript
----------------------------------
-Assume that you have two entries in /etc/crypttab:
-
-cryptroot /dev/hda1 none luks
-cryptswap /dev/hda2 none luks
-
-If cryptswap is used as your suspend/resume device, you'd normally need to
-enter two different passphrases during the boot, but the "decrypt_derived"
-script can generate the key for the second mapping using a hash of the key
-for the first mapping.
-
-In short, you'll need to do something like the following to take advantage
-of the decrypt_derived script:
-
-1) swapoff -a
-2) cryptsetup luksClose cryptswap
-3) edit /etc/crypttab and change the cryptswap line to e.g.:
-cryptswap /dev/hda2 cryptroot cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
-4) /etc/init.d/cryptdisks start
-5) Make sure that /dev/mapper/cryptswap has been created
-6) swapon -a
-7) (optional) update-initramfs -u
-
-After you've followed the above steps, your swap device should be setup
-automatically after the root device has been setup during the boot stage.
-
-Note: If you don't use suspend device support, it's better to use completely
-random keys for your encrypted swap device. See the section '2. Encrypted
-swap partition(s)' in /usr/share/doc/cryptsetup/README.Debian for information
-on how to setup this.
-
-10. The "passdev" keyscript
----------------------------
-If you have a keyfile on a removable device (e.g. a USB-key), you can use the
-passdev keyscript. It will wait for the device to appear, mount it read-only,
-read the key and then unmount the device.
-
-The "key" part of /etc/crypttab will be interpreted as :, it is
-strongly recommended that you use one of the persistent device names from
-/dev/disk/*, e.g. /dev/disk/by-label/myusbkey.
-
-This is an example of a suitable line in cryptsetup:
-cryptroot /dev/hda2 /dev/disk/by-label/myusbkey:/keys/root.key cipher=aes-cbc-essiv:sha256,size=256,hash=plain,keyscript=/lib/cryptsetup/scripts/passdev
-
-The above line would cause the boot to pause until /dev/disk/by-label/myusbkey
-appears in the fs, then mount that device and use the file /keys/root.key
-on the device as the key (without any hashing) as the key for the fs.
-
-- David Härdeman
diff --git a/cryptsetup-luks-initramfs-passdev-hook b/cryptsetup-luks-initramfs-passdev-hook
deleted file mode 100644
index ad6c484..0000000
--- a/cryptsetup-luks-initramfs-passdev-hook
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-set -e
-
-PREREQ="cryptroot"
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-# Hooks for adding filesystem modules to the initramfs when the passdev
-# keyscript is used
-
-# Check whether the passdev script has been included
-if [ ! -x "${DESTDIR}/keyscripts/passdev" ]; then
- exit 0
-fi
-
-# The filesystem type of the removable device is probed at boot-time, so
-# we add a generous list of filesystems to include. This also helps with
-# recovery situation as including e.g. the vfat module might help a user
-# who needs to create a new cryptkey (using a backup of a keyfile) on
-# a windows-machine for example.
-
-# This list needs to be kept in sync with the one defined in passdev.c
-for fs in ext3 ext2 vfat reiserfs xfs isofs udf; do
- manual_add_modules "$fs" > /dev/null 2>&1 || true
-done
-exit 0
-
diff --git a/cryptsetup-luks-initramfs-root-conf b/cryptsetup-luks-initramfs-root-conf
deleted file mode 100644
index 0e5e64f..0000000
--- a/cryptsetup-luks-initramfs-root-conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This will setup non-us keyboards in early userspace,
-# necessary for punching in passphrases.
-KEYMAP=y
-
-# force busybox on initramfs
-BUSYBOX=y
diff --git a/cryptsetup-luks-initramfs-root-hook b/cryptsetup-luks-initramfs-root-hook
deleted file mode 100644
index f237727..0000000
--- a/cryptsetup-luks-initramfs-root-hook
+++ /dev/null
@@ -1,487 +0,0 @@
-#!/bin/sh
-
-PREREQ=""
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-get_root_device() {
- local device mount type options dump pass
-
- if [ ! -r /etc/fstab ]; then
- return 1
- fi
-
- grep '^[^#]' /etc/fstab | \
- while read device mount type options dump pass; do
- if [ "$mount" = "/" ]; then
- echo "$device"
- return
- fi
- done
-}
-
-get_resume_devices() {
- local device opt count dupe candidates devices
- candidates=""
-
- # First, get a list of potential resume devices
-
- # uswsusp
- if [ -e /etc/uswsusp.conf ]; then
- device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf)
- if [ -n "$device" ]; then
- candidates="$candidates $device"
- fi
- fi
-
- # uswsusp - again...
- if [ -e /etc/suspend.conf ]; then
- device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf)
- if [ -n "$device" ]; then
- candidates="$candidates $device"
- fi
- fi
-
- # regular swsusp
- for opt in $(cat /proc/cmdline); do
- case $opt in
- resume=*)
- device="${opt#resume=}"
- candidates="$candidates $device"
- ;;
- esac
- done
-
- # initramfs-tools
- if [ -e /etc/initramfs-tools/conf.d/resume ]; then
- device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume)
- if [ -n "$device" ]; then
- candidates="$candidates $device"
- fi
- fi
-
- # Now check the sanity of all candidates
- devices=""
- count=0
- for device in $candidates; do
- # Weed out clever defaults
- if [ "$device" = "" ]; then
- continue
- fi
-
- # Weed out duplicates
- dupe=0
- for opt in $devices; do
- if [ "$device" = "$opt" ]; then
- dupe=1
- fi
- done
- if [ $dupe -eq 1 ]; then
- continue
- fi
-
- # This device seems ok
- devices="$devices $device"
- count=$(( $count + 1 ))
- done
-
- if [ $count -gt 1 ]; then
- echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2
- for device in $devices; do
- echo " $device" >&2
- done
- fi
-
- if [ $count -gt 0 ]; then
- echo $devices
- fi
-
- return 0
-}
-
-node_is_in_crypttab() {
- local node
- node="$1"
-
- grep -q ^$node /etc/crypttab
- return $?
-}
-
-get_lvm_deps() {
- local node deps maj min depnode
- node="$1"
-
- if [ -z $node ]; then
- echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2
- return 1
- fi
-
- if ! deps=$(dmsetup deps "$node" 2> /dev/null | sed 's/[^:]*: *//;s/[ (]//g;s/)/ /g'); then
- echo "cryptsetup: WARNING: failed to find deps for $node" >&2
- return 1
- fi
-
- # We should now have a list of major,minor pairs, e.g. "3,2 3,3"
- for dep in $deps; do
- maj=${dep%,*}
- min=${dep#*,}
- depnode=$(dmsetup ls | sed -n "s/\\([^ ]*\\) *($maj, $min)/\\1/p" | sed -e "s/[ \t]*$//")
- if [ -z "$depnode" ]; then
- continue
- fi
- if [ "$(dmsetup table "$depnode" 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then
- get_lvm_deps "$depnode"
- continue
- fi
- echo "$depnode"
- done
-
- return 0
-}
-
-get_device_opts() {
- local target source link extraopts rootopts opt
- target="$1"
- extraopts="$2"
- KEYSCRIPT=""
- OPTIONS=""
-
- if [ -z "$target" ]; then
- echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
- return 1
- fi
-
- opt=$( grep ^$target /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' )
- source=$( echo $opt | cut -d " " -f2 )
- key=$( echo $opt | cut -d " " -f3 )
- rootopts=$( echo $opt | cut -d " " -f4- )
-
- if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then
- echo "cryptsetup: WARNING: invalid line in /etc/crypttab - $opt" >&2
- return 1
- fi
-
- # Sanity checks for $source
- if [ -h "$source" ]; then
- link=$(readlink -nqe "$source")
- if [ -z "$link" ]; then
- echo "cryptsetup: WARNING: $source is a dangling symlink" >&2
- return 1
- fi
-
- if [ "$link" != "${link#/dev/mapper/}" ]; then
- echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2
- source="$link"
- fi
- fi
-
- # Sanity checks for $key
- if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then
- echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2
- return 1
- fi
-
- if [ -n "$extraopts" ]; then
- rootopts="$extraopts,$rootopts"
- fi
-
- # We have all the basic options, let's go trough them
- OPTIONS="target=$target,source=$source,key=$key"
- local IFS=", "
- unset HASH_FOUND
- unset LUKS_FOUND
- for opt in $rootopts; do
- case $opt in
- cipher=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- hash=*)
- OPTIONS="$OPTIONS,$opt"
- HASH_FOUND=1
- ;;
- size=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- lvm=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- keyscript=*)
- opt=${opt#keyscript=}
- if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then
- echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2
- return 1
- fi
- KEYSCRIPT="$opt"
- OPTIONS="$OPTIONS,keyscript=/keyscripts/$(basename "$opt")"
- ;;
- tries=*)
- OPTIONS="$OPTIONS,$opt"
- ;;
- luks)
- LUKS_FOUND=1
- ;;
- *)
- # Presumably a non-supported option
- ;;
- esac
- done
-
- # Warn for missing hash option, unless we have a LUKS partition
- if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
- echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2
- echo " If this is wrong, this initramfs image will not boot." >&2
- echo " Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
- echo " the correct hash option to your /etc/crypttab." >&2
- fi
-
- # If keyscript is set, the "key" is just an argument to the script
- if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
- echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
- return 1
- fi
-}
-
-get_device_modules() {
- local node value cipher blockcipher ivhash
- node="$1"
-
- # Check the ciphers used by the active root mapping
- value=$(dmsetup table "$node" | cut -d " " -f4)
- cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1)
- blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2)
- ivhash=$(echo "$value" | cut -d ":" -s -f2)
-
- if [ -n "$cipher" ]; then
- echo "$cipher"
- else
- return 1
- fi
-
- if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then
- echo "$blockcipher"
- fi
-
- if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then
- echo "$ivhash"
- fi
- return 0
-}
-
-canonical_device() {
- local dev altdev
- dev="$1"
-
- altdev="${dev#LABEL=}"
- if [ "$altdev" != "$dev" ]; then
- dev="/dev/disk/by-label/$altdev"
- fi
-
- altdev="${dev#UUID=}"
- if [ "$altdev" != "$dev" ]; then
- dev="/dev/disk/by-uuid/$altdev"
- fi
-
- if [ -h "$dev" ]; then
- dev=$(readlink -e "$dev")
- fi
-
- altdev="${dev#/dev/mapper/}"
- if [ "$altdev" != "$dev" ]; then
- echo "$altdev"
- return 0
- fi
-
- return 1
-}
-
-add_device() {
- local node nodes opts lastopts i count
- nodes="$1"
- opts="" # Applied to all nodes
- lastopts="" # Applied to last node
-
- if [ -z "$nodes" ]; then
- return 0
- fi
-
- # Check that it is a node under /dev/mapper/
- nodes=$(canonical_device "$nodes") || return 0
-
- # Can we find this node in crypttab
- if ! node_is_in_crypttab "$nodes"; then
- # dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes?
- lvmnodes=$(get_lvm_deps "$nodes") || return 1
-
- # not backed by any dm-crypt nodes; stop here
- if [ -z "$lvmnodes" ]; then
- return 0
- fi
-
- # It is a lvm device!
- lastopts="lvm=$nodes"
- nodes="$lvmnodes"
- fi
-
- # Prepare to setup each node
- count=$(echo "$nodes" | wc -w)
- i=1
- for node in $nodes; do
- # Prepare the additional options
- if [ $i -eq $count ]; then
- if [ -z "$opts" ]; then
- opts="$lastopts"
- else
- opts="$opts,$lastopts"
- fi
- fi
-
- # Get crypttab root options
- if ! get_device_opts "$node" "$opts"; then
- continue
- fi
- echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot"
-
- # If we have a keyscript, make sure it is included
- if [ -n "$KEYSCRIPT" ]; then
- if [ ! -d "$DESTDIR/keyscripts" ]; then
- mkdir "$DESTDIR/keyscripts"
- fi
-
- if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then
- copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /keyscripts
- elif [ -e "$KEYSCRIPT" ]; then
- copy_exec "$KEYSCRIPT" /keyscripts
- else
- echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2
- continue
- fi
- fi
-
- # Calculate needed modules
- modules=$(get_device_modules $node | sort | uniq)
- if [ -z "$modules" ]; then
- echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2
- continue
- fi
- echo dm_mod
- echo dm_crypt
- echo "$modules"
-
- i=$(( $i + 1 ))
- done
-
- return 0
-}
-
-add_crypto_modules() {
- local mod file altmod found genericfound
- mod="$1"
- found=""
- genericfound=""
-
- if [ -z "$mod" ]; then
- return 1
- fi
-
- # We have several potential sources of modules (in order of preference):
- #
- # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
- # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
- # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
- #
- # and (currently ignored):
- #
- # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
-
- for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko"); do
- altmod="${file##*/}"
- altmod="${altmod%.ko}"
- manual_add_modules "$altmod"
- found="yes"
- done
-
- for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do
- altmod="${file##*/}"
- altmod="${altmod%.ko}"
- manual_add_modules "$altmod"
- found="yes"
- genericfound="yes"
- done
-
- if [ -z "$genericfound" ]; then
- for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko"); do
- altmod="${file##*/}"
- altmod="${altmod%.ko}"
- manual_add_modules "$altmod"
- found="yes"
- done
- fi
-
- if [ -z "$found" ]; then
- return 1
- fi
-
- return 0
-}
-
-#
-# Begin real processing
-#
-
-setup="no"
-rootdev=""
-resumedevs=""
-
-# Find the root and resume device(s)
-if [ -r /etc/crypttab ]; then
- rootdev=$(get_root_device)
- if [ -z "$rootdev" ]; then
- echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
- fi
- resumedevs=$(get_resume_devices)
-fi
-
-# Load the config opts and modules for each device
-for dev in $rootdev $resumedevs; do
- if ! modules=$(add_device "$dev"); then
- echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2
- continue
- fi
-
- setup="yes"
- for mod in $modules; do
- add_crypto_modules $mod
- done
-done
-
-# With large initramfs, we always add a basic subset of modules
-if [ "$MODULES" != "dep" ]; then
- for mod in aes sha256 cbc; do
- add_crypto_modules $mod
- done
-fi
-
-# See if we need to add the basic components
-if [ "$MODULES" != "dep" ] || [ "$setup" = "yes" ]; then
- for mod in dm_mod dm_crypt; do
- manual_add_modules $mod
- done
-
- copy_exec /sbin/cryptsetup
- copy_exec /sbin/dmsetup
-# copy_exec /lib/cryptsetup/askpass
-fi
-
-exit 0
diff --git a/cryptsetup-luks-initramfs-root-local-top b/cryptsetup-luks-initramfs-root-local-top
deleted file mode 100644
index e89e607..0000000
--- a/cryptsetup-luks-initramfs-root-local-top
+++ /dev/null
@@ -1,289 +0,0 @@
-#!/bin/sh
-
-#
-# Standard initramfs preamble
-#
-prereqs()
-{
- # Make sure that cryptroot is run last in local-top
- for req in /scripts/local-top/*; do
- script=${req##*/}
- if [ $script != cryptroot ]; then
- echo $script
- fi
- done
-}
-
-case $1 in
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-
-#
-# Helper functions
-#
-message()
-{
- if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then
- usplash_write "TEXT-URGENT $@"
- else
- echo "$@" >&2
- fi
- return 0
-}
-
-parse_options()
-{
- local cryptopts
- cryptopts="$1"
-
- if [ -z "$cryptopts" ]; then
- return 1
- fi
-
- # Defaults
- cryptcipher=aes-cbc-essiv:sha256
- cryptsize=256
- crypthash=ripemd160
- crypttarget=cryptroot
- cryptsource=""
- cryptlvm=""
- cryptkeyscript=""
- cryptkey="" # This is only used as an argument to an eventual keyscript
- crypttries=3
-
- local IFS=" ,"
- for x in $cryptopts; do
- case $x in
- hash=*)
- crypthash=${x#hash=}
- ;;
- size=*)
- cryptsize=${x#size=}
- ;;
- cipher=*)
- cryptcipher=${x#cipher=}
- ;;
- target=*)
- crypttarget=${x#target=}
- ;;
- source=*)
- cryptsource=${x#source=}
- if [ ${cryptsource#UUID=} != $cryptsource ]; then
- cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
- elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
- cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}"
- fi
- ;;
- lvm=*)
- cryptlvm=${x#lvm=}
- ;;
- keyscript=*)
- cryptkeyscript=${x#keyscript=}
- ;;
- key=*)
- if [ "${x#key=}" != "none" ]; then
- cryptkey=${x#key=}
- fi
- ;;
- tries=*)
- crypttries="${x#tries=}"
- case "$crypttries" in
- *[![:digit:].]*)
- crypttries=3
- ;;
- esac
- ;;
- esac
- done
-
- if [ -z "$cryptsource" ]; then
- message "cryptsetup: source parameter missing"
- return 1
- fi
- return 0
-}
-
-activate_vg()
-{
- local vg
- vg="${1#/dev/mapper/}"
-
- # Sanity checks
- if [ ! -x /sbin/lvm ] || [ "$vg" = "$1" ]; then
- return 1
- fi
-
- # Make sure that the device contains at least one dash
- if [ "${vg%%-*}" = "$vg" ]; then
- return 1
- fi
-
- # Split volume group from logical volume.
- vg=$(echo ${vg} | sed -e 's#\(.*\)\([^-]\)-[^-].*#\1\2#')
-
- # Reduce padded --'s to -'s
- vg=$(echo ${vg} | sed -e 's#--#-#g')
-
- lvm vgchange -ay ${vg}
- return $?
-}
-
-activate_evms()
-{
- local dev module
- dev="${1#/dev/evms/}"
-
- # Sanity checks
- if [ ! -x /sbin/evms_activate ] || [ "$dev" = "$1" ]; then
- return 1
- fi
-
- # Load modules used by evms
- for module in dm-mod linear raid0 raid1 raid10 raid5 raid6; do
- /sbin/modprobe -q $module
- done
-
- # Activate it
- /sbin/evms_activate
- return $?
-}
-
-setup_mapping()
-{
- local opts count cryptcreate cryptremove NEWROOT
- opts="$1"
-
- if [ -z "$opts" ]; then
- return 0
- fi
-
- parse_options "$opts" || return 1
-
- if [ -n "$cryptkeyscript" ] && [ ! -x "$cryptkeyscript" ]; then
- message "cryptsetup: error - script \"$cryptkeyscript\" missing"
- return 1
- fi
-
- # The same target can be specified multiple times
- # e.g. root and resume lvs-on-lvm-on-crypto
- if [ -e "/dev/mapper/$crypttarget" ]; then
- return 0
- fi
-
- /sbin/modprobe -q dm_crypt
-
- # Make sure the cryptsource device is available
- if [ ! -e $cryptsource ]; then
- activate_vg $cryptsource
- activate_evms $cryptsource
- fi
-
- /sbin/udevadm settle --timeout=30
-
- if [ ! -e $cryptsource ]; then
- message "cryptsetup: source device $cryptsource not found"
- return 1
- fi
-
- # Prepare commands
- if /sbin/cryptsetup isLuks $cryptsource > /dev/null 2>&1; then
- cryptcreate="/sbin/cryptsetup -T 1 luksOpen $cryptsource $crypttarget"
- else
- cryptcreate="/sbin/cryptsetup -T 1 -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
- fi
- cryptremove="/sbin/cryptsetup remove $crypttarget"
- NEWROOT="/dev/mapper/$crypttarget"
-
- # Try to get a satisfactory password $crypttries times
- count=0
- while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
- count=$(( $count + 1 ))
-
- if [ $count -gt 1 ]; then
- sleep 3
- fi
-
- if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
- message "cryptsetup: maximum number of tries exceeded for $crypttarget"
- return 1
- fi
-
- if [ -z "$cryptkeyscript" ]; then
- cryptkeyscript="/lib/cryptsetup/askpass"
- cryptkey="Enter passphrase to unlock the disk $cryptsource ($crypttarget): "
- fi
-
-
- if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
- $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
- message "cryptsetup: cryptsetup failed, bad password or options?"
- continue
- fi
-
- if [ ! -e "$NEWROOT" ]; then
- message "cryptsetup: unknown error setting up device mapping"
- return 1
- fi
-
- FSTYPE=''
- eval $(fstype < "$NEWROOT")
-
- # See if we need to setup lvm on the crypto device
- if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
- if [ -z "$cryptlvm" ]; then
- message "cryptsetup: lvm fs found but no lvm configured"
- return 1
- elif ! activate_vg "/dev/mapper/$cryptlvm"; then
- message "cryptsetup: failed to setup lvm device"
- return 1
- fi
-
- NEWROOT="/dev/mapper/$cryptlvm"
- eval $(fstype < "$NEWROOT")
- fi
-
- if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
- message "cryptsetup: unknown fstype, bad password or options?"
- $cryptremove
- continue
- fi
-
- message "cryptsetup: $crypttarget setup successfully"
- break
- done
-
- /sbin/udevadm settle --timeout=30
- return 0
-}
-
-#
-# Begin real processing
-#
-
-# Do we have any kernel boot arguments?
-found=''
-for opt in $(cat /proc/cmdline); do
- case $opt in
- cryptopts=*)
- found=yes
- setup_mapping "${opt#cryptopts=}"
- ;;
- esac
-done
-
-if [ -n "$found" ]; then
- exit 0
-fi
-
-# Do we have any settings from the /conf/conf.d/cryptroot file?
-if [ -r /conf/conf.d/cryptroot ]; then
- while read mapping <&3; do
- setup_mapping "$mapping"
- done 3< /conf/conf.d/cryptroot
-fi
-
-exit 0
diff --git a/cryptsetup-luks.spec b/cryptsetup-luks.spec
deleted file mode 100644
index e32f867..0000000
--- a/cryptsetup-luks.spec
+++ /dev/null
@@ -1,289 +0,0 @@
-#
-# Conditonal build:
-%bcond_without initrd # don't build initrd version
-%bcond_without dietlibc # build initrd version with static glibc instead of dietlibc
-%bcond_without python # Python binding
-#
-%define realname cryptsetup
-Summary: LUKS for dm-crypt implemented in cryptsetup
-Summary(pl.UTF-8): LUKS dla dm-crypta zaimplementowany w cryptsetup
-Name: cryptsetup-luks
-Version: 1.4.1
-Release: 1
-License: GPL v2
-Group: Base
-#Source0Download: http://code.google.com/p/cryptsetup/downloads/list
-Source0: http://cryptsetup.googlecode.com/files/%{realname}-%{version}.tar.bz2
-# Source0-md5: 9253b3f29abf5c6f333eb74128b0df1c
-Source1: %{name}-initramfs-root-conf
-Source2: %{name}-initramfs-root-hook
-Source3: %{name}-initramfs-root-local-top
-Source4: %{name}-initramfs-passdev-hook
-Source5: %{name}-initramfs-README
-Patch0: %{name}-diet.patch
-Patch1: %{name}-dont-drag-more-libs.patch
-URL: http://code.google.com/p/cryptsetup/
-BuildRequires: autoconf >= 2.67
-BuildRequires: automake
-BuildRequires: device-mapper-devel >= 1.02.03
-BuildRequires: gettext-devel >= 0.15
-BuildRequires: libgcrypt-devel >= 1.1.42
-BuildRequires: libselinux-devel
-BuildRequires: libsepol-devel
-BuildRequires: libtool >= 2:2.0
-BuildRequires: libuuid-devel
-BuildRequires: popt-devel >= 1.7
-%if %{with python}
-BuildRequires: python-devel >= 1:2.4
-BuildRequires: rpm-pythonprov
-%endif
-%if %{with initrd}
-BuildRequires: libgpg-error-static
- %if %{with dietlibc}
-BuildRequires: device-mapper-dietlibc
-BuildRequires: dietlibc-static
-BuildRequires: libgcrypt-dietlibc
-BuildRequires: libuuid-dietlibc
-BuildRequires: popt-dietlibc
- %else
-BuildRequires: device-mapper-static >= 1.02.07
-BuildRequires: libgcrypt-static >= 1.1.42
-BuildRequires: libselinux-static
-BuildRequires: libsepol-static
-BuildRequires: libuuid-static
-BuildRequires: popt-static
- %endif
-%endif
-Requires: popt >= 1.7
-Provides: cryptsetup = %{version}
-Obsoletes: cryptsetup
-Conflicts: udev < 
1:118-1
-Conflicts: udev-core < 1:115
-BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
-
-%define _sbindir /sbin
-
-%description
-LUKS is the upcoming standard for Linux hard disk encryption. By
-providing a standard on-disk-format, it does not only facilitate
-compatibility among distributions, but also provide secure management
-of multiple user passwords. In contrast to existing solution, LUKS
-stores all setup necessary setup information in the partition header,
-enabling the user to transport or migrate his data seamlessly.
-
-This package contains implementation of LUKS for dm-crypt implemented
-in cryptsetup.
-
-%description -l pl.UTF-8
-LUKS to nadchodzący standard linuksowego szyfrowania twardego dysku.
-Dostarczając standardowy format danych na dysku nie tylko ułatwia
-utrzymanie kompatybilności między dystrybucjami, ale także dostarcza
-bezpieczne zarządzanie wieloma hasłami użytkowników. W przeciwieństwie
-do istniejącego rozwiązania LUKS przechowuje wszystkie potrzebne
-informacje o konfiguracji w nagłówku partycji, pozwalając
-użytkownikowi przenosić lub migrować dane w sposób przezroczysty.
-
-Ten pakiet zawiera implementację LUKS dla dm-crytpa zaimplementowaną w
-cryptsetup.
-
-%package devel
-Summary: Header files for cryptsetup library
-Summary(pl.UTF-8): Pliki nagłówkowe biblioteki cryptsetup
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-Requires: device-mapper-devel
-Requires: libgcrypt-devel >= 1.1.42
-Obsoletes: cryptsetup-devel
-
-%description devel
-Header files for cryptsetup library.
-
-%description devel -l pl.UTF-8
-Pliki nagłówkowe biblioteki cryptsetup.
-
-%package static
-Summary: Static cryptsetup library
-Summary(pl.UTF-8): Statyczna biblioteka cryptsetup
-Group: Development/Libraries
-Requires: %{name}-devel = %{version}-%{release}
-Obsoletes: cryptsetup-static
-
-%description static
-Static version of cryptsetup library.
-
-%description static -l pl.UTF-8
-Statyczna wersja biblioteki cryptsetup.
-
-%package -n python-pycryptsetup
-Summary: Python binding for cryptsetup library
-Summary(pl.UTF-8): Wiązanie Pythona do biblioteki cryptsetup
-Group: Libraries/Python
-Requires: %{name}-libs = %{version}-%{release}
-%pyrequires_eq python-libs
-
-%description -n python-pycryptsetup
-Python binding for cryptsetup library.
-
-%description -n python-pycryptsetup -l pl.UTF-8
-Wiązanie Pythona do biblioteki cryptsetup.
-
-%package initrd
-Summary: LUKS for dm-crypt implemented in cryptsetup - initrd version
-Summary(pl.UTF-8): LUKS dla dm-crypta zaimplementowany w cryptsetup - wersja initrd
-Group: Base
-Requires: udev-initrd >= 1:115
-Conflicts: geninitrd < 10000.10
-
-%description initrd
-This package contains implementation of LUKS for dm-crypt implemented
-in cryptsetup - statically linked for initrd.
-
-%description initrd -l pl.UTF-8
-Ten pakiet zawiera implementację LUKS dla dm-crypta zaimplementowaną
-w cryptsetup - wersję statycznie zlinkowaną dla initrd.
-
-%package initramfs
-Summary: LUKS for dm-crypt implemented in cryptsetup - support scripts for initramfs-tools
-Summary(pl.UTF-8): LUKS dla dm-crypta zaimplementowany w cryptsetup - skrypty dla initramfs-tools
-Group: Base
-Requires: %{name} = %{version}-%{release}
-Requires: initramfs-tools
-
-%description initramfs
-LUKS for dm-crypt implemented in cryptsetup - support scripts
-for initramfs-tools.
-
-%description initramfs -l pl.UTF-8
-LUKS dla dm-crypta zaimplementowany w cryptsetup - skrypty dla
-initramfs-tools.
-
-%prep
-%setup -q -n %{realname}-%{version}
-%patch0 -p1
-%patch1 -p1
-
-cp -a %{SOURCE5} README.initramfs
-
-%{__rm} po/stamp-po
-
-%build
-%{__gettextize}
-%{__libtoolize}
-%{__aclocal} -I m4
-%{__autoconf}
-%{__autoheader}
-%{__automake}
-
-%if %{with initrd}
-CC="%{__cc}"
-%configure \
-%if %{with dietlibc}
-%configure \
- CC="diet ${CC#ccache } %{rpmcppflags} %{rpmcflags} %{rpmldflags} -Os" \
- LIBS="-lcompat" \
- ac_cv_lib_popt_poptConfigFileToString=yes \
- ac_cv_lib_sepol_sepol_bool_set=no \
- ac_cv_lib_selinux_is_selinux_enabled=no \
-%endif
-%if "%{?configure_cache}" == "1"
- --cache-file=%{?configure_cache_file}%{!?configure_cache_file:configure}-initrd.cache \
-%endif
- --disable-shared \
- --enable-static \
- --enable-static-cryptsetup \
- --disable-udev \
- --disable-nls
-
-%{__make} -C lib
-
-%if %{with dietlibc}
-# we have to do it by hand cause libtool "know better" and forces
-# static libs from /usr/lib
-CC="%{__cc}"
-diet ${CC#ccache } %{rpmcppflags} %{rpmcflags} %{rpmldflags} -Os -I. 
-I./lib -static \
- -o cryptsetup-initrd src/cryptsetup.c ./lib/.libs/libcryptsetup.a \
- -lpopt -lgcrypt -lgpg-error -ldevmapper -luuid -lcompat
-%else
-%{__make} -C src
-mv src/cryptsetup cryptsetup-initrd
-%endif
-
-%{__make} clean
-%endif
-
-%configure \
- --enable-udev \
- --enable-static \
- %{?with_python:--enable-python}
-%{__make}
-
-%install
-rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/{conf-hooks.d,hooks,scripts/local-top}
-
-%{__make} install \
- DESTDIR=$RPM_BUILD_ROOT
-
-install -d $RPM_BUILD_ROOT/%{_lib}
-mv -f $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so.* $RPM_BUILD_ROOT/%{_lib}
-ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libcryptsetup.so.*.*.*) \
- $RPM_BUILD_ROOT%{_libdir}/libcryptsetup.so
-
-%if %{with initrd}
-install -d $RPM_BUILD_ROOT%{_libdir}/initrd
-install -p cryptsetup-initrd $RPM_BUILD_ROOT%{_libdir}/initrd/cryptsetup
-%endif
-
-install -p %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/conf-hooks.d/cryptsetup
-install -p %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/hooks/cryptroot
-install -p %{SOURCE3} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/scripts/local-top/cryptroot
-install -p %{SOURCE4} $RPM_BUILD_ROOT%{_datadir}/initramfs-tools/hooks/cryptpassdev
-
-%{?with_python:%{__rm} $RPM_BUILD_ROOT%{py_sitedir}/pycryptsetup.{la,a}}
-
-%find_lang %{realname}
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
-
-%files -f %{realname}.lang
-%defattr(644,root,root,755)
-%doc AUTHORS ChangeLog TODO
-%attr(755,root,root) %{_sbindir}/cryptsetup
-%attr(755,root,root) /%{_lib}/libcryptsetup.so.*.*.*
-%attr(755,root,root) %ghost /%{_lib}/libcryptsetup.so.4
-%{_mandir}/man8/cryptsetup.8*
-
-%files devel
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/libcryptsetup.so
-%{_libdir}/libcryptsetup.la
-%{_includedir}/libcryptsetup.h
-%{_pkgconfigdir}/libcryptsetup.pc
-
-%files static
-%defattr(644,root,root,755)
-%{_libdir}/libcryptsetup.a
-
-%if 
%{with python}
-%files -n python-pycryptsetup
-%defattr(644,root,root,755)
-%attr(755,root,root) %{py_sitedir}/pycryptsetup.so
-%endif
-
-%if %{with initrd}
-%files initrd
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/initrd/cryptsetup
-%endif
-
-%files initramfs
-%defattr(644,root,root,755)
-%doc README.initramfs
-%attr(755,root,root) %{_datadir}/initramfs-tools/conf-hooks.d/cryptsetup
-%attr(755,root,root) %{_datadir}/initramfs-tools/hooks/cryptroot
-%attr(755,root,root) %{_datadir}/initramfs-tools/hooks/cryptpassdev
-%attr(755,root,root) %{_datadir}/initramfs-tools/scripts/local-top/cryptroot