[projects/geninitrd.git] / mod-luks.sh

#!/bin/sh
# geninitrd mod: cryptsetup luks
USE_LUKS=${USE_LUKS:-yes}

# true if root device is crypted with cryptsetup luks
# and we should init cryptsetup luks at boot
have_luks=no

# device to use for name for cryptsetup luks
LUKSNAME=""

# setup geninitrd module
# @access	public
setup_mod_luks() {
	cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)

	if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
		USE_LUKS=no
	fi
}

# return true if node is cryptsetup luks encrypted
# @param	string $node device node to be examined
# @access	public
is_luks() {
	local node="$1"

	# luks not wanted
	if is_no "$USE_LUKS"; then
		return 1
	fi

	local dev dm_name=${node#/dev/mapper/}
	if [ "$node" = "$dm_name" ]; then
		verbose "is_luks: $node is not device mapper name"
		return 1
	fi

	dev=$(awk -vdm_name="$dm_name" '$1 == dm_name { print $2 }' /etc/crypttab)
	if [ "$dev" ]; then
		/sbin/cryptsetup isLuks $dev
		rc=$?
	else
		rc=1
	fi

	if [ $rc = 0 ]; then
		verbose "is_luks: $node is cryptsetup luks"
	else
		verbose "is_luks: $node is not cryptsetup luks"
	fi
	return $rc
}

# find modules for $devpath
# @param	$devpath	device to be examined
# @access	public
find_modules_luks() {
	local devpath="$1"
	local dev=""

	LUKSNAME=${devpath#/dev/mapper/}

	find_module "dm-crypt"

	# TODO: autodetect
	find_module "aes"
	find_module "cbc"

	# recurse
	dev=$(awk -vLUKSNAME="$LUKSNAME" '$1 == LUKSNAME { print $2 }' /etc/crypttab)
	if [ -n "$dev" ]; then
		find_modules_for_devpath $dev
		have_luks=yes
	else
		die "Cannot find '$LUKSNAME' in /etc/crypttab"
	fi
}


# generate initrd fragment for cryptsetup luks init
# @access	public
initrd_gen_luks() {
	if ! is_yes "$have_luks"; then
		return
	fi

	inst_d /bin
	inst_exec $cryptsetup /bin/cryptsetup

	mount_dev
	mount_sys
	initrd_gen_devices
	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?

	verbose "luks: process /etc/crypttab $LUKSNAME"
	luks_crypttab $LUKSNAME
}


# PRIVATE METHODS
key_is_random() {
	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
}

# produce cryptsetup from $name from /etc/crypttab
luks_crypttab() {
	local LUKSNAME="$1"

	# copy from /etc/rc.d/init.d/cryptsetup
	local dst src key opt mode owner

	while read dst src key opt; do
		[ "$dst" != "$LUKSNAME" ] && continue

		if [ -n "$key" -a "x$key" != "xnone" ]; then
			if test -e "$key" ; then
				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
				owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
					die "INSECURE MODE FOR $key"
				fi
				if [ "$owner" != root ]; then
					die "INSECURE OWNER FOR $key"
				fi
			else
				die "Key file for $dst not found"
			fi
		else
			key=""
		fi

		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
			if key_is_random "$key"; then
				die "$dst: LUKS requires non-random key, skipping"
			fi
			if [ -n "$opt" ]; then
				warn "$dst: options are invalid for LUKS partitions, ignoring them"
			fi
			if [ "$key" ]; then
				keyfile=/etc/.$dst.key
				inst $key $keyfile
			fi

			verbose "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
			add_linuxrc <<-EOF
			# cryptsetup can be called twice and in case on crypt on lvm only second
			# will succeed because there will be no src device in first cryptsetup call
			# this can be called multiple times, before lvm and after lvm.
			luksdev='$src'
			if [ \${luksdev##/dev/disk/by-uuid/} != \${luksdev} ]; then
			        src_uuid=\${luksdev##/dev/disk/by-uuid/}
			        while read x y z name; do
			                found_uuid=\$(cryptsetup luksUUID /dev/\${name} 2>/dev/null)
			                if [ "\$found_uuid" = "\$src_uuid" ]; then
			                        luksdev=/dev/\$name
			                        break
			                fi
			        done < /proc/partitions
			fi

			if [ -e "\$luksdev" ]; then
				crypt_status=\$(cryptsetup status '$dst')
				if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then
					# is inactive
					cryptsetup ${keyfile:+-d $keyfile} luksOpen "\$luksdev" '$dst' <&1
				fi
			fi

			debugshell
			EOF
		else
			die "$dst: only LUKS encryption supported"
		fi
	done < /etc/crypttab
}
Commit	Line	Data
8d07ddab	1	#!/bin/sh
8d07ddab	2	# geninitrd mod: cryptsetup luks
6e49b0b1	3	USE_LUKS=${USE_LUKS:-yes}
8d07ddab ER	4
	5	# true if root device is crypted with cryptsetup luks
	6	# and we should init cryptsetup luks at boot
	7	have_luks=no
	8
8d07ddab	9	# device to use for name for cryptsetup luks
704c497d	10	LUKSNAME=""
8d07ddab	11
c124d0cf ER	12	# setup geninitrd module
	13	# @access public
	14	setup_mod_luks() {
	15	cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
6e49b0b1 ER	16
6e49b0b1 ER	17	if [ ! -x /sbin/cryptsetup ] \|\| [ ! -x "$cryptsetup" ]; then
c124d0cf ER	18	USE_LUKS=no
	19	fi
	20	}
	21
8d07ddab ER	22	# return true if node is cryptsetup luks encrypted
	23	# @param string $node device node to be examined
	24	# @access public
	25	is_luks() {
	26	local node="$1"
f7385874 ER	27
	28	# luks not wanted
	29	if is_no "$USE_LUKS"; then
	30	return 1
	31	fi
	32
a5b35f50	33	local dev dm_name=${node#/dev/mapper/}
8d07ddab	34	if [ "$node" = "$dm_name" ]; then
02ba8ab7	35	verbose "is_luks: $node is not device mapper name"
8d07ddab ER	36	return 1
8d07ddab ER	37	fi
b892656c ER	38
b892656c ER	39	dev=$(awk -vdm_name="$dm_name" '$1 == dm_name { print $2 }' /etc/crypttab)
1d96f045 ER	40	if [ "$dev" ]; then
	41	/sbin/cryptsetup isLuks $dev
	42	rc=$?
	43	else
a5b35f50	44	rc=1
1d96f045	45	fi
8d07ddab ER	46
8d07ddab ER	47	if [ $rc = 0 ]; then
02ba8ab7	48	verbose "is_luks: $node is cryptsetup luks"
8d07ddab	49	else
02ba8ab7	50	verbose "is_luks: $node is not cryptsetup luks"
8d07ddab ER	51	fi
	52	return $rc
	53	}
	54
	55	# find modules for $devpath
	56	# @param $devpath device to be examined
	57	# @access public
	58	find_modules_luks() {
	59	local devpath="$1"
704c497d	60	local dev=""
f4dd815d	61
704c497d	62	LUKSNAME=${devpath#/dev/mapper/}
8d07ddab	63
b02a6b13	64	find_module "dm-crypt"
8d07ddab ER	65
8d07ddab ER	66	# TODO: autodetect
b02a6b13 ER	67	find_module "aes"
b02a6b13 ER	68	find_module "cbc"
8d07ddab	69
8d07ddab	70	# recurse
b892656c ER	71	dev=$(awk -vLUKSNAME="$LUKSNAME" '$1 == LUKSNAME { print $2 }' /etc/crypttab)
b892656c ER	72	if [ -n "$dev" ]; then
704c497d JK	73	find_modules_for_devpath $dev
	74	have_luks=yes
	75	else
	76	die "Cannot find '$LUKSNAME' in /etc/crypttab"
	77	fi
8d07ddab ER	78	}
	79
	80
	81	# generate initrd fragment for cryptsetup luks init
	82	# @access public
	83	initrd_gen_luks() {
1b481849 ER	84	if ! is_yes "$have_luks"; then
	85	return
	86	fi
	87
8d07ddab	88	inst_d /bin
684d5d2a	89	inst_exec $cryptsetup /bin/cryptsetup
8d07ddab ER	90
	91	mount_dev
	92	mount_sys
	93	initrd_gen_devices
	94	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?
	95
02ba8ab7	96	verbose "luks: process /etc/crypttab $LUKSNAME"
704c497d	97	luks_crypttab $LUKSNAME
8d07ddab ER	98	}
	99
	100
	101	# PRIVATE METHODS
	102	key_is_random() {
	103	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
	104	}
	105
	106	# produce cryptsetup from $name from /etc/crypttab
	107	luks_crypttab() {
704c497d	108	local LUKSNAME="$1"
8d07ddab ER	109
	110	# copy from /etc/rc.d/init.d/cryptsetup
	111	local dst src key opt mode owner
	112
	113	while read dst src key opt; do
704c497d	114	[ "$dst" != "$LUKSNAME" ] && continue
8d07ddab ER	115
	116	if [ -n "$key" -a "x$key" != "xnone" ]; then
	117	if test -e "$key" ; then
	118	mode=$(LC_ALL=C ls -l "$key" \| cut -c 5-10)
	119	owner=$(LC_ALL=C ls -l $key \| awk '{ print $3 }')
	120	if [ "$mode" != "------" ] && ! key_is_random "$key"; then
	121	die "INSECURE MODE FOR $key"
	122	fi
	123	if [ "$owner" != root ]; then
	124	die "INSECURE OWNER FOR $key"
	125	fi
	126	else
	127	die "Key file for $dst not found"
	128	fi
	129	else
	130	key=""
	131	fi
	132
	133	if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
	134	if key_is_random "$key"; then
	135	die "$dst: LUKS requires non-random key, skipping"
	136	fi
	137	if [ -n "$opt" ]; then
	138	warn "$dst: options are invalid for LUKS partitions, ignoring them"
	139	fi
	140	if [ "$key" ]; then
	141	keyfile=/etc/.$dst.key
	142	inst $key $keyfile
	143	fi
	144
02ba8ab7	145	verbose "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
8d07ddab	146	add_linuxrc <<-EOF
2fcb6fc5 AM	147	# cryptsetup can be called twice and in case on crypt on lvm only second
	148	# will succeed because there will be no src device in first cryptsetup call
	149	# this can be called multiple times, before lvm and after lvm.
cb006694 AF	150	luksdev='$src'
	151	if [ \${luksdev##/dev/disk/by-uuid/} != \${luksdev} ]; then
	152	src_uuid=\${luksdev##/dev/disk/by-uuid/}
	153	while read x y z name; do
	154	found_uuid=\$(cryptsetup luksUUID /dev/\${name} 2>/dev/null)
	155	if [ "\$found_uuid" = "\$src_uuid" ]; then
	156	luksdev=/dev/\$name
	157	break
	158	fi
	159	done < /proc/partitions
	160	fi
	161
	162	if [ -e "\$luksdev" ]; then
2fcb6fc5 AM	163	crypt_status=\$(cryptsetup status '$dst')
	164	if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then
	165	# is inactive
cb006694	166	cryptsetup ${keyfile:+-d $keyfile} luksOpen "\$luksdev" '$dst' <&1
2fcb6fc5	167	fi
abce1a7f	168	fi
8d07ddab ER	169
	170	debugshell
	171	EOF
	172	else
	173	die "$dst: only LUKS encryption supported"
	174	fi
	175	done < /etc/crypttab
	176	}