#!/bin/sh
#
# geninitrd mod: cryptsetup luks

# Honour a caller-supplied USE_LUKS; fall back to "yes" when unset or empty.
: "${USE_LUKS:=yes}"

# true if root device is crypted with cryptsetup luks
# and we should init cryptsetup luks at boot (flipped by find_modules_luks)
have_luks=no

# device to use for name for cryptsetup luks
# (the backing block device reported by `cryptsetup status`, filled in later)
LUKSDEV=""
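# setup geninitrd module
# @access public
#
# Locates the cryptsetup binary to ship in the initrd and disables the
# module (USE_LUKS=no) when either that binary or the host's
# /sbin/cryptsetup is missing.
setup_mod_luks() {
	# Module-level variable consumed by initrd_gen_luks; find_tool presumably
	# returns the first existing candidate — confirm against its definition.
	# $initrd_dir is quoted so a path with spaces or glob characters survives.
	cryptsetup=$(find_tool "$initrd_dir/cryptsetup" /sbin/cryptsetup-initrd)

	# The host binary is needed at build time (is_luks / luks_crypttab run
	# it), the initrd binary at boot time; without both, LUKS support is off.
	if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
		USE_LUKS=no
	fi
}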
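# return true if node is cryptsetup luks encrypted
# @param string $node device node to be examined
# @access public
#
# Returns 0 when $node is a /dev/mapper name whose backing device
# (as reported by `cryptsetup status`) passes `cryptsetup isLuks`,
# 1 otherwise (including when LUKS support is disabled via USE_LUKS).
is_luks() {
	local node="$1"
	# rc is local so the exit status does not leak into the caller's scope
	local dev dm_name rc

	# luks not wanted
	if is_no "$USE_LUKS"; then
		return 1
	fi

	if [ ! -e "$node" ]; then
		warn "is_luks(): node $node doesn't exist!"
		return 1
	fi

	# only device-mapper names can be LUKS mappings; anything else is not ours
	dm_name=${node#/dev/mapper/}
	if [ "$node" = "$dm_name" ]; then
		debug "is_luks: $node is not device mapper name"
		return 1
	fi

	# backing block device of the mapping; empty when the mapping is unknown
	dev=$(/sbin/cryptsetup status "$dm_name" 2>/dev/null | awk '/device:/{print $2}')
	if [ "$dev" ]; then
		/sbin/cryptsetup isLuks "$dev"
		rc=$?
	else
		rc=1
	fi

	if [ "$rc" = 0 ]; then
		debug "is_luks: $node is cryptsetup luks"
	else
		debug "is_luks: $node is not cryptsetup luks"
	fi
	return "$rc"
}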
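# find modules for $devpath
# @param $devpath device to be examined
# @access public
#
# Side effects: sets the module-level LUKSDEV to the backing device of the
# mapping and have_luks=yes, queues the dm-crypt/cipher modules, then
# recurses into the backing device so its own modules are found too.
find_modules_luks() {
	local devpath="$1"
	local name=${devpath#/dev/mapper/}

	# is_luks already resolved this mapping; an empty answer now means the
	# mapping vanished between the two calls
	LUKSDEV=$(/sbin/cryptsetup status "$name" 2>/dev/null | awk '{ if ($1 == "device:") print $2 }')
	if [ -z "$LUKSDEV" ]; then
		die "Lost cryptsetup device meanwhile?"
	fi

	find_module "dm-crypt"

	# TODO: autodetect
	# Cipher and mode are hard-coded; a volume set up with a different
	# cipher/mode presumably needs its modules added some other way — confirm.
	find_module "aes"
	find_module "cbc"

	have_luks=yes

	# recurse
	find_modules_for_devpath "$LUKSDEV"
}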
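# generate initrd fragment for cryptsetup luks init
# @access public
#
# Installs the cryptsetup binary chosen by setup_mod_luks into the initrd,
# makes /dev and /sys available, then emits the luksOpen calls for the
# /etc/crypttab entry matching LUKSDEV (set by find_modules_luks).
initrd_gen_luks() {
	inst_d /bin
	# $cryptsetup comes from setup_mod_luks; quoted so an unusual path survives
	inst_exec "$cryptsetup" /bin/cryptsetup

	mount_dev
	mount_sys
	initrd_gen_devices
	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?

	debug "luks: process /etc/crypttab $LUKSDEV"
	luks_crypttab "$LUKSDEV"
}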
# PRIVATE METHODS
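# return true if $1 is one of the kernel random devices, i.e. the crypttab
# "key" is a random source rather than a key file
# @param string $1 key path from /etc/crypttab
key_is_random() {
	# case instead of the obsolescent `test -o` chain: no ambiguity when
	# $1 looks like a test operator, and an empty $1 is simply "no"
	case "$1" in
		/dev/urandom|/dev/hw_random|/dev/random)
			return 0
			;;
		*)
			return 1
			;;
	esac
}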
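# produce cryptsetup from $name from /etc/crypttab
# @param string $1 backing block device whose crypttab entry is emitted
#
# Reads /etc/crypttab line by line, skips comments and entries whose source
# device is not $1, validates the key file (must exist, be owned by root and
# have no group/other permission bits unless it is a random device), copies
# the key into the initrd and appends the luksOpen call to linuxrc.
# Non-LUKS entries and random keys for LUKS are fatal (die).
luks_crypttab() {
	local LUKSDEV="$1"

	# copy from /etc/rc.d/init.d/cryptsetup
	# keyfile is local and reset per entry so a key file from an earlier
	# entry (or a previous call) is never attached to the wrong mapping
	local dst src key opt mode owner keyfile

	# -r keeps backslashes in crypttab fields literal
	while read -r dst src key opt; do
		# skip blank lines and comments
		case "$dst" in
			""|\#*) continue ;;
		esac
		[ "$src" != "$LUKSDEV" ] && continue

		keyfile=""

		if [ -n "$key" ] && [ "x$key" != "xnone" ]; then
			if [ -e "$key" ]; then
				# columns 5-10 of `ls -l` are the group and other permission bits
				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
				owner=$(LC_ALL=C ls -l "$key" | awk '{ print $3 }')
				# a readable key file for anyone but root defeats the encryption
				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
					die "INSECURE MODE FOR $key"
				fi
				if [ "$owner" != root ]; then
					die "INSECURE OWNER FOR $key"
				fi
			else
				die "Key file for $dst not found"
			fi
		else
			key=""
		fi

		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
			if key_is_random "$key"; then
				die "$dst: LUKS requires non-random key, skipping"
			fi
			if [ -n "$opt" ]; then
				warn "$dst: options are invalid for LUKS partitions, ignoring them"
			fi
			if [ "$key" ]; then
				# the key material ends up inside the initrd image itself, so
				# the generated image needs the same protection as $key
				keyfile=/etc/.$dst.key
				inst "$key" "$keyfile"
			fi

			# $src/$dst are interpolated verbatim from /etc/crypttab into the
			# linuxrc fragment (root-owned config, treated as trusted); the
			# `<&1` is kept as found so boot-time behaviour is unchanged
			debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
			add_linuxrc <<-EOF
			if [ -e "$src" ]; then
				cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
			fi

			debugshell
			EOF
		else
			die "$dst: only LUKS encryption supported"
		fi
	done < /etc/crypttab
}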