[projects/geninitrd.git] / mod-luks.sh

#!/bin/sh
#
# geninitrd mod: cryptsetup luks

# true if root device is crypted with cryptsetup luks
# and we should init cryptsetup luks at boot
have_luks=no

if [ -x /sbin/cryptsetup ]; then
	USE_LUKS=yes
else
	USE_LUKS=no
fi

# device to use for name for cryptsetup luks
LUKSDEV=""

# return true if node is cryptsetup luks encrypted
# @param	string $node device node to be examined
# @access	public
is_luks() {
	local node="$1"

	# luks not wanted
	if is_no "$USE_LUKS"; then
		return 1
	fi

	if [ ! -e "$node" ]; then
		warn "is_luks(): node $node doesn't exist!"
		return 1
	fi

	local dev dm_name=${node#/dev/mapper/}
	if [ "$node" = "$dm_name" ]; then
		debug "is_luks: $node is not device mapper name"
		return 1
	fi

	dev=$(cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
	/sbin/cryptsetup isLuks $dev
	rc=$?

	if [ $rc = 0 ]; then
		debug "is_luks: $node is cryptsetup luks"
	else
		debug "is_luks: $node is not cryptsetup luks"
	fi
	return $rc
}

# find modules for $devpath
# @param	$devpath	device to be examined
# @access	public
find_modules_luks() {
	local devpath="$1"
	local dev

	local name=${devpath#/dev/mapper/}
	LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
	if [ -z "$LUKSDEV" ]; then
		die "Lost cryptsetup device meanwhile?"
	fi

	findmodule "dm-crypt"

	# TODO: autodetect
	findmodule "aes"
	findmodule "cbc"

	have_luks=yes

	# recurse
	find_modules_for_devpath $LUKSDEV
}


# generate initrd fragment for cryptsetup luks init
# @access	public
initrd_gen_luks() {
	if [ ! -x /sbin/cryptsetup-initrd ]; then
		die "/sbin/cryptsetup-initrd is missing!"
	fi

	inst_d /bin
	inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup

	mount_dev
	mount_sys
	initrd_gen_devices
	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?

	debug "luks: process /etc/crypttab $LUKSDEV"
	luks_crypttab $LUKSDEV
}


# PRIVATE METHODS
key_is_random() {
	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
}

# produce cryptsetup from $name from /etc/crypttab
luks_crypttab() {
	local LUKSDEV="$1"

	# copy from /etc/rc.d/init.d/cryptsetup
	local dst src key opt mode owner

	while read dst src key opt; do
		[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
		[ "$src" != "$LUKSDEV" ] && continue

		if [ -n "$key" -a "x$key" != "xnone" ]; then
			if test -e "$key" ; then
				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
				owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
					die "INSECURE MODE FOR $key"
				fi
				if [ "$owner" != root ]; then
					die "INSECURE OWNER FOR $key"
				fi
			else
				die "Key file for $dst not found"
			fi
		else
			key=""
		fi

		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
			if key_is_random "$key"; then
				die "$dst: LUKS requires non-random key, skipping"
			fi
			if [ -n "$opt" ]; then
				warn "$dst: options are invalid for LUKS partitions, ignoring them"
			fi
			if [ "$key" ]; then
				keyfile=/etc/.$dst.key
				inst $key $keyfile
			fi

			debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
			add_linuxrc <<-EOF
			cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1

			debugshell
			EOF
		else
			die "$dst: only LUKS encryption supported"
		fi
	done < /etc/crypttab
}
Commit	Line	Data
8d07ddab ER	1	#!/bin/sh
	2	#
	3	# geninitrd mod: cryptsetup luks
	4
	5	# true if root device is crypted with cryptsetup luks
	6	# and we should init cryptsetup luks at boot
	7	have_luks=no
	8
	9	if [ -x /sbin/cryptsetup ]; then
	10	USE_LUKS=yes
	11	else
	12	USE_LUKS=no
	13	fi
	14
	15	# device to use for name for cryptsetup luks
	16	LUKSDEV=""
	17
	18	# return true if node is cryptsetup luks encrypted
	19	# @param string $node device node to be examined
	20	# @access public
	21	is_luks() {
	22	local node="$1"
f7385874 ER	23
	24	# luks not wanted
	25	if is_no "$USE_LUKS"; then
	26	return 1
	27	fi
	28
8d07ddab ER	29	if [ ! -e "$node" ]; then
	30	warn "is_luks(): node $node doesn't exist!"
	31	return 1
	32	fi
	33
	34	local dev dm_name=${node#/dev/mapper/}
	35	if [ "$node" = "$dm_name" ]; then
	36	debug "is_luks: $node is not device mapper name"
	37	return 1
	38	fi
	39
	40	dev=$(cryptsetup status $dm_name 2>/dev/null \| awk '/device:/{print $2}')
f7385874	41	/sbin/cryptsetup isLuks $dev
8d07ddab ER	42	rc=$?
	43
	44	if [ $rc = 0 ]; then
	45	debug "is_luks: $node is cryptsetup luks"
	46	else
	47	debug "is_luks: $node is not cryptsetup luks"
	48	fi
	49	return $rc
	50	}
	51
	52	# find modules for $devpath
	53	# @param $devpath device to be examined
	54	# @access public
	55	find_modules_luks() {
	56	local devpath="$1"
	57	local dev
	58
	59	local name=${devpath#/dev/mapper/}
f7385874	60	LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null \| awk '/device:/{print $2}')
8d07ddab ER	61	if [ -z "$LUKSDEV" ]; then
	62	die "Lost cryptsetup device meanwhile?"
	63	fi
	64
	65	findmodule "dm-crypt"
	66
	67	# TODO: autodetect
	68	findmodule "aes"
	69	findmodule "cbc"
	70
	71	have_luks=yes
	72
	73	# recurse
	74	find_modules_for_devpath $LUKSDEV
	75	}
	76
	77
	78	# generate initrd fragment for cryptsetup luks init
	79	# @access public
	80	initrd_gen_luks() {
	81	if [ ! -x /sbin/cryptsetup-initrd ]; then
	82	die "/sbin/cryptsetup-initrd is missing!"
	83	fi
	84
	85	inst_d /bin
	86	inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup
	87
	88	mount_dev
	89	mount_sys
	90	initrd_gen_devices
	91	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?
	92
	93	debug "luks: process /etc/crypttab $LUKSDEV"
	94	luks_crypttab $LUKSDEV
	95	}
	96
	97
	98	# PRIVATE METHODS
	99	key_is_random() {
	100	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
	101	}
	102
	103	# produce cryptsetup from $name from /etc/crypttab
	104	luks_crypttab() {
	105	local LUKSDEV="$1"
	106
	107	# copy from /etc/rc.d/init.d/cryptsetup
	108	local dst src key opt mode owner
	109
	110	while read dst src key opt; do
	111	[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
	112	[ "$src" != "$LUKSDEV" ] && continue
	113
	114	if [ -n "$key" -a "x$key" != "xnone" ]; then
	115	if test -e "$key" ; then
	116	mode=$(LC_ALL=C ls -l "$key" \| cut -c 5-10)
	117	owner=$(LC_ALL=C ls -l $key \| awk '{ print $3 }')
	118	if [ "$mode" != "------" ] && ! key_is_random "$key"; then
	119	die "INSECURE MODE FOR $key"
	120	fi
	121	if [ "$owner" != root ]; then
	122	die "INSECURE OWNER FOR $key"
	123	fi
	124	else
125	die "Key file for $dst not found"
126	fi
127	else
128	key=""
129	fi
130
131	if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
132	if key_is_random "$key"; then
133	die "$dst: LUKS requires non-random key, skipping"
134	fi
135	if [ -n "$opt" ]; then
136	warn "$dst: options are invalid for LUKS partitions, ignoring them"
137	fi
138	if [ "$key" ]; then
139	keyfile=/etc/.$dst.key
140	inst $key $keyfile
141	fi
142
143	debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
144	add_linuxrc <<-EOF
145	cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
146
147	debugshell
148	EOF
149	else
150	die "$dst: only LUKS encryption supported"
151	fi
152	done < /etc/crypttab
153	}