]> git.pld-linux.org Git - projects/geninitrd.git/blob - mod-luks.sh
projects / projects / geninitrd.git / blob
? search:


06c0a2c977efcb5ea867ffe350e29b110c7e35ce
[projects/geninitrd.git] / mod-luks.sh
1 #!/bin/sh
2 #
3 # geninitrd mod: cryptsetup luks
4 USE_LUKS=${USE_LUKS:-yes}
5
6 # true if root device is crypted with cryptsetup luks
7 # and we should init cryptsetup luks at boot
8 have_luks=no
9
10 # device to use for name for cryptsetup luks
11 LUKSDEV=""
12
13 # setup geninitrd module
14 # @access       public
15 setup_mod_luks() {
16         cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
17
18         if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
19                 USE_LUKS=no
20         fi
21 }
22
23 # return true if node is cryptsetup luks encrypted
24 # @param        string $node device node to be examined
25 # @access       public
26 is_luks() {
27         local node="$1"
28
29         # luks not wanted
30         if is_no "$USE_LUKS"; then
31                 return 1
32         fi
33
34         if [ ! -e "$node" ]; then
35                 warn "is_luks(): node $node doesn't exist!"
36                 return 1
37         fi
38
39         local dev dm_name=${node#/dev/mapper/}
40         if [ "$node" = "$dm_name" ]; then
41                 debug "is_luks: $node is not device mapper name"
42                 return 1
43         fi
44
45         dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
46         /sbin/cryptsetup isLuks $dev
47         rc=$?
48
49         if [ $rc = 0 ]; then
50                 debug "is_luks: $node is cryptsetup luks"
51         else
52                 debug "is_luks: $node is not cryptsetup luks"
53         fi
54         return $rc
55 }
56
57 # find modules for $devpath
58 # @param        $devpath        device to be examined
59 # @access       public
60 find_modules_luks() {
61         local devpath="$1"
62         local dev
63
64         local name=${devpath#/dev/mapper/}
65         LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
66         if [ -z "$LUKSDEV" ]; then
67                 die "Lost cryptsetup device meanwhile?"
68         fi
69
70         find_module "dm-crypt"
71
72         # TODO: autodetect
73         find_module "aes"
74         find_module "cbc"
75
76         have_luks=yes
77
78         # recurse
79         find_modules_for_devpath $LUKSDEV
80 }
81
82
83 # generate initrd fragment for cryptsetup luks init
84 # @access       public
85 initrd_gen_luks() {
86         inst_d /bin
87         inst_exec $cryptsetup /bin/cryptsetup
88
89         mount_dev
90         mount_sys
91         initrd_gen_devices
92         # TODO: 'udevadm settle' is called by lukssetup, is udev optional?
93
94         debug "luks: process /etc/crypttab $LUKSDEV"
95         luks_crypttab $LUKSDEV
96 }
97
98
99 # PRIVATE METHODS
100 key_is_random() {
101         [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
102 }
103
104 # produce cryptsetup from $name from /etc/crypttab
105 luks_crypttab() {
106         local LUKSDEV="$1"
107
108         # copy from /etc/rc.d/init.d/cryptsetup
109         local dst src key opt mode owner
110
111         while read dst src key opt; do
112                 [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
113                 [ "$src" != "$LUKSDEV" ] && continue
114
115                 if [ -n "$key" -a "x$key" != "xnone" ]; then
116                         if test -e "$key" ; then
117                                 mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
118                                 owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
119                                 if [ "$mode" != "------" ] && ! key_is_random "$key"; then
120                                         die "INSECURE MODE FOR $key"
121                                 fi
122                                 if [ "$owner" != root ]; then
123                                         die "INSECURE OWNER FOR $key"
124                                 fi
125                         else
126                                 die "Key file for $dst not found"
127                         fi
128                 else
129                         key=""
130                 fi
131
132                 if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
133                         if key_is_random "$key"; then
134                                 die "$dst: LUKS requires non-random key, skipping"
135                         fi
136                         if [ -n "$opt" ]; then
137                                 warn "$dst: options are invalid for LUKS partitions, ignoring them"
138                         fi
139                         if [ "$key" ]; then
140                                 keyfile=/etc/.$dst.key
141                                 inst $key $keyfile
142                         fi
143
144                         debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
145                         add_linuxrc <<-EOF
146                         cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
147
148                         debugshell
149                         EOF
150                 else
151                         die "$dst: only LUKS encryption supported"
152                 fi
153         done < /etc/crypttab
154 }
Scripts to create an initial ramdisk image for preloading modules
This page took 1.127843 seconds and 2 git commands to generate.