]>
Commit | Line | Data |
---|---|---|
8d07ddab ER |
1 | #!/bin/sh |
2 | # | |
3 | # geninitrd mod: cryptsetup luks | |
6e49b0b1 | 4 | USE_LUKS=${USE_LUKS:-yes} |
8d07ddab ER |
5 | |
6 | # true if root device is crypted with cryptsetup luks | |
7 | # and we should init cryptsetup luks at boot | |
8 | have_luks=no | |
9 | ||
8d07ddab ER |
10 | # device to use for name for cryptsetup luks |
11 | LUKSDEV="" | |
12 | ||
c124d0cf ER |
13 | # setup geninitrd module |
14 | # @access public | |
15 | setup_mod_luks() { | |
16 | cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd) | |
6e49b0b1 ER |
17 | |
18 | if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then | |
c124d0cf ER |
19 | USE_LUKS=no |
20 | fi | |
21 | } | |
22 | ||
8d07ddab ER |
23 | # return true if node is cryptsetup luks encrypted |
24 | # @param string $node device node to be examined | |
25 | # @access public | |
26 | is_luks() { | |
27 | local node="$1" | |
f7385874 ER |
28 | |
29 | # luks not wanted | |
30 | if is_no "$USE_LUKS"; then | |
31 | return 1 | |
32 | fi | |
33 | ||
8d07ddab ER |
34 | if [ ! -e "$node" ]; then |
35 | warn "is_luks(): node $node doesn't exist!" | |
36 | return 1 | |
37 | fi | |
38 | ||
39 | local dev dm_name=${node#/dev/mapper/} | |
40 | if [ "$node" = "$dm_name" ]; then | |
41 | debug "is_luks: $node is not device mapper name" | |
42 | return 1 | |
43 | fi | |
44 | ||
378e5f2b | 45 | dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}') |
f7385874 | 46 | /sbin/cryptsetup isLuks $dev |
8d07ddab ER |
47 | rc=$? |
48 | ||
49 | if [ $rc = 0 ]; then | |
50 | debug "is_luks: $node is cryptsetup luks" | |
51 | else | |
52 | debug "is_luks: $node is not cryptsetup luks" | |
53 | fi | |
54 | return $rc | |
55 | } | |
56 | ||
57 | # find modules for $devpath | |
58 | # @param $devpath device to be examined | |
59 | # @access public | |
60 | find_modules_luks() { | |
61 | local devpath="$1" | |
62 | local dev | |
63 | ||
64 | local name=${devpath#/dev/mapper/} | |
f7385874 | 65 | LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}') |
8d07ddab ER |
66 | if [ -z "$LUKSDEV" ]; then |
67 | die "Lost cryptsetup device meanwhile?" | |
68 | fi | |
69 | ||
b02a6b13 | 70 | find_module "dm-crypt" |
8d07ddab ER |
71 | |
72 | # TODO: autodetect | |
b02a6b13 ER |
73 | find_module "aes" |
74 | find_module "cbc" | |
8d07ddab ER |
75 | |
76 | have_luks=yes | |
77 | ||
78 | # recurse | |
79 | find_modules_for_devpath $LUKSDEV | |
80 | } | |
81 | ||
82 | ||
83 | # generate initrd fragment for cryptsetup luks init | |
84 | # @access public | |
85 | initrd_gen_luks() { | |
8d07ddab | 86 | inst_d /bin |
684d5d2a | 87 | inst_exec $cryptsetup /bin/cryptsetup |
8d07ddab ER |
88 | |
89 | mount_dev | |
90 | mount_sys | |
91 | initrd_gen_devices | |
92 | # TODO: 'udevadm settle' is called by lukssetup, is udev optional? | |
93 | ||
94 | debug "luks: process /etc/crypttab $LUKSDEV" | |
95 | luks_crypttab $LUKSDEV | |
96 | } | |
97 | ||
98 | ||
99 | # PRIVATE METHODS | |
100 | key_is_random() { | |
101 | [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ] | |
102 | } | |
103 | ||
104 | # produce cryptsetup from $name from /etc/crypttab | |
105 | luks_crypttab() { | |
106 | local LUKSDEV="$1" | |
107 | ||
108 | # copy from /etc/rc.d/init.d/cryptsetup | |
109 | local dst src key opt mode owner | |
110 | ||
111 | while read dst src key opt; do | |
112 | [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue | |
113 | [ "$src" != "$LUKSDEV" ] && continue | |
114 | ||
115 | if [ -n "$key" -a "x$key" != "xnone" ]; then | |
116 | if test -e "$key" ; then | |
117 | mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10) | |
118 | owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }') | |
119 | if [ "$mode" != "------" ] && ! key_is_random "$key"; then | |
120 | die "INSECURE MODE FOR $key" | |
121 | fi | |
122 | if [ "$owner" != root ]; then | |
123 | die "INSECURE OWNER FOR $key" | |
124 | fi | |
125 | else | |
126 | die "Key file for $dst not found" | |
127 | fi | |
128 | else | |
129 | key="" | |
130 | fi | |
131 | ||
132 | if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then | |
133 | if key_is_random "$key"; then | |
134 | die "$dst: LUKS requires non-random key, skipping" | |
135 | fi | |
136 | if [ -n "$opt" ]; then | |
137 | warn "$dst: options are invalid for LUKS partitions, ignoring them" | |
138 | fi | |
139 | if [ "$key" ]; then | |
140 | keyfile=/etc/.$dst.key | |
141 | inst $key $keyfile | |
142 | fi | |
143 | ||
144 | debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'" | |
145 | add_linuxrc <<-EOF | |
146 | cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1 | |
147 | ||
148 | debugshell | |
149 | EOF | |
150 | else | |
151 | die "$dst: only LUKS encryption supported" | |
152 | fi | |
153 | done < /etc/crypttab | |
154 | } |