#!/bin/sh
#
# geninitrd mod: cryptsetup luks

# Flipped to "yes" by find_modules_luks() once the root device turns out to
# be a cryptsetup luks mapping, so the luks initrd fragment gets generated.
have_luks=no

# luks support is only usable when the cryptsetup binary is present on the
# host; without it the device cannot even be inspected.
USE_LUKS=no
[ -x /sbin/cryptsetup ] && USE_LUKS=yes

# Backing block device of the luks mapping, filled in by find_modules_luks()
# and later consumed by initrd_gen_luks().
LUKSDEV=""
17 | ||
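# return true if node is cryptsetup luks encrypted
# @param string $node device node to be examined
# @access public
#
# Returns 0 when $node is a /dev/mapper/ name whose backing device (as
# reported by "cryptsetup status") carries a LUKS header. Returns 1 when
# luks is disabled, the node does not exist, the node is not a device
# mapper name, or no backing device can be determined; otherwise the exit
# status of "cryptsetup isLuks" is passed through.
is_luks() {
	local node="$1"
	local dev dm_name rc

	# luks not wanted
	if is_no "$USE_LUKS"; then
		return 1
	fi

	if [ ! -e "$node" ]; then
		warn "is_luks(): node $node doesn't exist!"
		return 1
	fi

	dm_name=${node#/dev/mapper/}
	if [ "$node" = "$dm_name" ]; then
		debug "is_luks: $node is not device mapper name"
		return 1
	fi

	# ask cryptsetup which block device backs the mapping; the name is
	# quoted so it is always passed as a single argument
	dev=$(/sbin/cryptsetup status "$dm_name" 2>/dev/null | awk '/device:/{print $2}')
	if [ -z "$dev" ]; then
		# "status" failed or printed no device: line -- do not run isLuks
		# with an empty argument, just report "not luks"
		debug "is_luks: $node has no cryptsetup backing device"
		return 1
	fi

	/sbin/cryptsetup isLuks "$dev"
	rc=$?

	if [ $rc = 0 ]; then
		debug "is_luks: $node is cryptsetup luks"
	else
		debug "is_luks: $node is not cryptsetup luks"
	fi
	return $rc
}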
51 | ||
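# find modules for $devpath
# @param $devpath device to be examined
# @access public
#
# Resolves the block device backing the /dev/mapper/ name $devpath via
# "cryptsetup status", records it in the global LUKSDEV, marks have_luks=yes,
# queues the dm-crypt/cipher modules and then recurses into the backing
# device so its own modules (raid, lvm, ...) are picked up too.
# Calls die() when cryptsetup reports no backing device.
find_modules_luks() {
	local devpath="$1"
	local name

	name=${devpath#/dev/mapper/}
	LUKSDEV=$(/sbin/cryptsetup status "$name" 2>/dev/null | awk '/device:/{print $2}')
	if [ -z "$LUKSDEV" ]; then
		die "Lost cryptsetup device meanwhile?"
	fi

	findmodule "dm-crypt"

	# TODO: autodetect
	# Only aes/cbc are pulled in; a volume set up with another cipher or
	# mode will lack its kernel modules in the initrd. "cryptsetup status"
	# prints a "cipher:" line that could presumably drive this -- verify
	# findmodule's behaviour on unknown names before parsing it.
	findmodule "aes"
	findmodule "cbc"

	have_luks=yes

	# recurse
	find_modules_for_devpath "$LUKSDEV"
}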
76 | ||
77 | ||
# generate initrd fragment for cryptsetup luks init
# @access public
#
# Installs the initrd flavour of cryptsetup as /bin/cryptsetup, mounts
# /dev and /sys and creates the device nodes, then hands the backing
# device in $LUKSDEV to luks_crypttab() which writes the luksOpen call
# into linuxrc. Calls die() when /sbin/cryptsetup-initrd is missing.
initrd_gen_luks() {
	[ -x /sbin/cryptsetup-initrd ] || die "/sbin/cryptsetup-initrd is missing!"

	inst_d /bin
	inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup

	# device nodes have to exist before luksOpen can run in the initrd
	mount_dev
	mount_sys
	initrd_gen_devices
	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?

	debug "luks: process /etc/crypttab $LUKSDEV"
	luks_crypttab $LUKSDEV
}
96 | ||
97 | ||
98 | # PRIVATE METHODS | |
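# return true if $1 is one of the kernel random devices usable as a
# throw-away key source (such keys are never accepted for LUKS volumes).
# A "case" pattern replaces the obsolescent "test -o" chaining.
key_is_random() {
	case "$1" in
	/dev/urandom|/dev/hw_random|/dev/random) return 0 ;;
	*) return 1 ;;
	esac
}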
102 | ||
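# produce cryptsetup from $name from /etc/crypttab
#
# Walks /etc/crypttab and, for every entry whose src column equals $1 (the
# block device backing the root mapping), validates the key file and emits
# the "cryptsetup luksOpen" line into linuxrc.
# @param string $1 backing block device to match against the crypttab src column
# Calls die() when the key file is missing, not owned by root or readable by
# group/other, when a random device is given as LUKS key, or when the entry
# is not a LUKS volume. Non-matching entries are skipped.
luks_crypttab() {
	local LUKSDEV="$1"

	# copy from /etc/rc.d/init.d/cryptsetup
	local dst src key opt mode owner keyfile

	# -r keeps backslashes in crypttab fields literal
	while read -r dst src key opt; do
		# blank lines and comments
		[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
		[ "$src" != "$LUKSDEV" ] && continue

		# reset per entry: otherwise a key file from an earlier matching
		# line would silently be reused for a later entry without one
		keyfile=""

		if [ -n "$key" -a "x$key" != "xnone" ]; then
			if test -e "$key" ; then
				# group/other bits must all be clear; the random devices
				# are world-accessible by design and exempt from that.
				# ls -l shows the link itself for a symlinked key.
				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
				owner=$(LC_ALL=C ls -l "$key" | awk '{ print $3 }')
				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
					die "INSECURE MODE FOR $key"
				fi
				if [ "$owner" != root ]; then
					die "INSECURE OWNER FOR $key"
				fi
			else
				die "Key file for $dst not found"
			fi
		else
			key=""
		fi

		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
			# NOTE: die() aborts the whole run despite the "skipping" wording
			if key_is_random "$key"; then
				die "$dst: LUKS requires non-random key, skipping"
			fi
			if [ -n "$opt" ]; then
				warn "$dst: options are invalid for LUKS partitions, ignoring them"
			fi
			if [ "$key" ]; then
				# the key is copied into the initrd image itself, so the
				# generated image must stay readable by root only
				keyfile=/etc/.$dst.key
				inst "$key" "$keyfile"
			fi

			debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
			add_linuxrc <<-EOF
			cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1

			debugshell
			EOF
		else
			die "$dst: only LUKS encryption supported"
		fi
	done < /etc/crypttab
}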