]>
Commit | Line | Data |
---|---|---|
8d07ddab | 1 | #!/bin/sh |
8d07ddab | 2 | # geninitrd mod: cryptsetup luks |
6e49b0b1 | 3 | USE_LUKS=${USE_LUKS:-yes} |
8d07ddab ER |
4 | |
5 | # true if root device is crypted with cryptsetup luks | |
6 | # and we should init cryptsetup luks at boot | |
7 | have_luks=no | |
8 | ||
8d07ddab | 9 | # device to use for name for cryptsetup luks |
704c497d | 10 | LUKSNAME="" |
8d07ddab | 11 | |
c124d0cf ER |
12 | # setup geninitrd module |
13 | # @access public | |
14 | setup_mod_luks() { | |
15 | cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd) | |
6e49b0b1 ER |
16 | |
17 | if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then | |
c124d0cf ER |
18 | USE_LUKS=no |
19 | fi | |
20 | } | |
21 | ||
8d07ddab ER |
22 | # return true if node is cryptsetup luks encrypted |
23 | # @param string $node device node to be examined | |
24 | # @access public | |
25 | is_luks() { | |
26 | local node="$1" | |
f7385874 ER |
27 | |
28 | # luks not wanted | |
29 | if is_no "$USE_LUKS"; then | |
30 | return 1 | |
31 | fi | |
32 | ||
a5b35f50 | 33 | local dev dm_name=${node#/dev/mapper/} |
8d07ddab | 34 | if [ "$node" = "$dm_name" ]; then |
02ba8ab7 | 35 | verbose "is_luks: $node is not device mapper name" |
8d07ddab ER |
36 | return 1 |
37 | fi | |
b892656c ER |
38 | |
39 | dev=$(awk -vdm_name="$dm_name" '$1 == dm_name { print $2 }' /etc/crypttab) | |
1d96f045 ER |
40 | if [ "$dev" ]; then |
41 | /sbin/cryptsetup isLuks $dev | |
42 | rc=$? | |
43 | else | |
a5b35f50 | 44 | rc=1 |
1d96f045 | 45 | fi |
8d07ddab ER |
46 | |
47 | if [ $rc = 0 ]; then | |
02ba8ab7 | 48 | verbose "is_luks: $node is cryptsetup luks" |
8d07ddab | 49 | else |
02ba8ab7 | 50 | verbose "is_luks: $node is not cryptsetup luks" |
8d07ddab ER |
51 | fi |
52 | return $rc | |
53 | } | |
54 | ||
55 | # find modules for $devpath | |
56 | # @param $devpath device to be examined | |
57 | # @access public | |
58 | find_modules_luks() { | |
59 | local devpath="$1" | |
704c497d | 60 | local dev="" |
f4dd815d | 61 | |
704c497d | 62 | LUKSNAME=${devpath#/dev/mapper/} |
8d07ddab | 63 | |
b02a6b13 | 64 | find_module "dm-crypt" |
8d07ddab ER |
65 | |
66 | # TODO: autodetect | |
b02a6b13 ER |
67 | find_module "aes" |
68 | find_module "cbc" | |
8d07ddab | 69 | |
8d07ddab | 70 | # recurse |
b892656c ER |
71 | dev=$(awk -vLUKSNAME="$LUKSNAME" '$1 == LUKSNAME { print $2 }' /etc/crypttab) |
72 | if [ -n "$dev" ]; then | |
704c497d JK |
73 | find_modules_for_devpath $dev |
74 | have_luks=yes | |
75 | else | |
76 | die "Cannot find '$LUKSNAME' in /etc/crypttab" | |
77 | fi | |
8d07ddab ER |
78 | } |
79 | ||
80 | ||
81 | # generate initrd fragment for cryptsetup luks init | |
82 | # @access public | |
83 | initrd_gen_luks() { | |
1b481849 ER |
84 | if ! is_yes "$have_luks"; then |
85 | return | |
86 | fi | |
87 | ||
8d07ddab | 88 | inst_d /bin |
684d5d2a | 89 | inst_exec $cryptsetup /bin/cryptsetup |
8d07ddab ER |
90 | |
91 | mount_dev | |
92 | mount_sys | |
93 | initrd_gen_devices | |
94 | # TODO: 'udevadm settle' is called by lukssetup, is udev optional? | |
95 | ||
02ba8ab7 | 96 | verbose "luks: process /etc/crypttab $LUKSNAME" |
704c497d | 97 | luks_crypttab $LUKSNAME |
8d07ddab ER |
98 | } |
99 | ||
100 | ||
101 | # PRIVATE METHODS | |
102 | key_is_random() { | |
103 | [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ] | |
104 | } | |
105 | ||
106 | # produce cryptsetup from $name from /etc/crypttab | |
107 | luks_crypttab() { | |
704c497d | 108 | local LUKSNAME="$1" |
8d07ddab ER |
109 | |
110 | # copy from /etc/rc.d/init.d/cryptsetup | |
111 | local dst src key opt mode owner | |
112 | ||
113 | while read dst src key opt; do | |
704c497d | 114 | [ "$dst" != "$LUKSNAME" ] && continue |
8d07ddab ER |
115 | |
116 | if [ -n "$key" -a "x$key" != "xnone" ]; then | |
117 | if test -e "$key" ; then | |
118 | mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10) | |
119 | owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }') | |
120 | if [ "$mode" != "------" ] && ! key_is_random "$key"; then | |
121 | die "INSECURE MODE FOR $key" | |
122 | fi | |
123 | if [ "$owner" != root ]; then | |
124 | die "INSECURE OWNER FOR $key" | |
125 | fi | |
126 | else | |
127 | die "Key file for $dst not found" | |
128 | fi | |
129 | else | |
130 | key="" | |
131 | fi | |
132 | ||
133 | if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then | |
134 | if key_is_random "$key"; then | |
135 | die "$dst: LUKS requires non-random key, skipping" | |
136 | fi | |
137 | if [ -n "$opt" ]; then | |
138 | warn "$dst: options are invalid for LUKS partitions, ignoring them" | |
139 | fi | |
140 | if [ "$key" ]; then | |
141 | keyfile=/etc/.$dst.key | |
142 | inst $key $keyfile | |
143 | fi | |
144 | ||
02ba8ab7 | 145 | verbose "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'" |
8d07ddab | 146 | add_linuxrc <<-EOF |
2fcb6fc5 AM |
147 | # cryptsetup can be called twice and in case on crypt on lvm only second |
148 | # will succeed because there will be no src device in first cryptsetup call | |
149 | # this can be called multiple times, before lvm and after lvm. | |
cb006694 AF |
150 | luksdev='$src' |
151 | if [ \${luksdev##/dev/disk/by-uuid/} != \${luksdev} ]; then | |
152 | src_uuid=\${luksdev##/dev/disk/by-uuid/} | |
153 | while read x y z name; do | |
154 | found_uuid=\$(cryptsetup luksUUID /dev/\${name} 2>/dev/null) | |
155 | if [ "\$found_uuid" = "\$src_uuid" ]; then | |
156 | luksdev=/dev/\$name | |
157 | break | |
158 | fi | |
159 | done < /proc/partitions | |
160 | fi | |
161 | ||
162 | if [ -e "\$luksdev" ]; then | |
2fcb6fc5 AM |
163 | crypt_status=\$(cryptsetup status '$dst') |
164 | if [ "\${crypt_status%%is inactive.}" != "\$crypt_status" ]; then | |
165 | # is inactive | |
cb006694 | 166 | cryptsetup ${keyfile:+-d $keyfile} luksOpen "\$luksdev" '$dst' <&1 |
2fcb6fc5 | 167 | fi |
abce1a7f | 168 | fi |
8d07ddab ER |
169 | |
170 | debugshell | |
171 | EOF | |
172 | else | |
173 | die "$dst: only LUKS encryption supported" | |
174 | fi | |
175 | done < /etc/crypttab | |
176 | } |