[projects/geninitrd.git] / mod-luks.sh

#!/bin/sh
#
# geninitrd mod: cryptsetup luks
USE_LUKS=${USE_LUKS:-yes}

# true if root device is crypted with cryptsetup luks
# and we should init cryptsetup luks at boot
have_luks=no

# device to use for name for cryptsetup luks
LUKSDEV=""

# setup geninitrd module
# @access	public
setup_mod_luks() {
	cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)

	if [ ! -x /sbin/cryptsetup ] || [ ! -x "$cryptsetup" ]; then
		USE_LUKS=no
	fi
}

# return true if node is cryptsetup luks encrypted
# @param	string $node device node to be examined
# @access	public
is_luks() {
	local node="$1"

	# luks not wanted
	if is_no "$USE_LUKS"; then
		return 1
	fi

	if [ ! -e "$node" ]; then
		warn "is_luks(): node $node doesn't exist!"
		return 1
	fi

	local dev dm_name=${node#/dev/mapper/}
	if [ "$node" = "$dm_name" ]; then
		debug "is_luks: $node is not device mapper name"
		return 1
	fi

	dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
	if [ "$dev" ]; then
		/sbin/cryptsetup isLuks $dev
		rc=$?
	else
		rc=1
	fi

	if [ $rc = 0 ]; then
		debug "is_luks: $node is cryptsetup luks"
	else
		debug "is_luks: $node is not cryptsetup luks"
	fi
	return $rc
}

# find modules for $devpath
# @param	$devpath	device to be examined
# @access	public
find_modules_luks() {
	local devpath="$1"
	local dev

	local name=${devpath#/dev/mapper/}
	LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
	if [ -z "$LUKSDEV" ]; then
		die "Lost cryptsetup device meanwhile?"
	fi

	find_module "dm-crypt"

	# TODO: autodetect
	find_module "aes"
	find_module "cbc"

	have_luks=yes

	# recurse
	find_modules_for_devpath $LUKSDEV
}


# generate initrd fragment for cryptsetup luks init
# @access	public
initrd_gen_luks() {
	inst_d /bin
	inst_exec $cryptsetup /bin/cryptsetup

	mount_dev
	mount_sys
	initrd_gen_devices
	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?

	debug "luks: process /etc/crypttab $LUKSDEV"
	luks_crypttab $LUKSDEV
}


# PRIVATE METHODS
key_is_random() {
	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
}

# produce cryptsetup from $name from /etc/crypttab
luks_crypttab() {
	local LUKSDEV="$1"

	# copy from /etc/rc.d/init.d/cryptsetup
	local dst src key opt mode owner

	while read dst src key opt; do
		[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
		[ "$src" != "$LUKSDEV" ] && continue

		if [ -n "$key" -a "x$key" != "xnone" ]; then
			if test -e "$key" ; then
				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
				owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
					die "INSECURE MODE FOR $key"
				fi
				if [ "$owner" != root ]; then
					die "INSECURE OWNER FOR $key"
				fi
			else
				die "Key file for $dst not found"
			fi
		else
			key=""
		fi

		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
			if key_is_random "$key"; then
				die "$dst: LUKS requires non-random key, skipping"
			fi
			if [ -n "$opt" ]; then
				warn "$dst: options are invalid for LUKS partitions, ignoring them"
			fi
			if [ "$key" ]; then
				keyfile=/etc/.$dst.key
				inst $key $keyfile
			fi

			debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
			add_linuxrc <<-EOF
			if [ -e "$src" ]; then
				cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
			fi

			debugshell
			EOF
		else
			die "$dst: only LUKS encryption supported"
		fi
	done < /etc/crypttab
}
Commit	Line	Data
8d07ddab ER	1	#!/bin/sh
	2	#
	3	# geninitrd mod: cryptsetup luks
6e49b0b1	4	USE_LUKS=${USE_LUKS:-yes}
8d07ddab ER	5
	6	# true if root device is crypted with cryptsetup luks
	7	# and we should init cryptsetup luks at boot
	8	have_luks=no
	9
8d07ddab ER	10	# device to use for name for cryptsetup luks
	11	LUKSDEV=""
	12
c124d0cf ER	13	# setup geninitrd module
	14	# @access public
	15	setup_mod_luks() {
	16	cryptsetup=$(find_tool $initrd_dir/cryptsetup /sbin/cryptsetup-initrd)
6e49b0b1 ER	17
6e49b0b1 ER	18	if [ ! -x /sbin/cryptsetup ] \|\| [ ! -x "$cryptsetup" ]; then
c124d0cf ER	19	USE_LUKS=no
	20	fi
	21	}
	22
8d07ddab ER	23	# return true if node is cryptsetup luks encrypted
	24	# @param string $node device node to be examined
	25	# @access public
	26	is_luks() {
	27	local node="$1"
f7385874 ER	28
	29	# luks not wanted
	30	if is_no "$USE_LUKS"; then
	31	return 1
	32	fi
	33
8d07ddab ER	34	if [ ! -e "$node" ]; then
	35	warn "is_luks(): node $node doesn't exist!"
	36	return 1
	37	fi
	38
	39	local dev dm_name=${node#/dev/mapper/}
	40	if [ "$node" = "$dm_name" ]; then
	41	debug "is_luks: $node is not device mapper name"
	42	return 1
	43	fi
	44
378e5f2b	45	dev=$(/sbin/cryptsetup status $dm_name 2>/dev/null \| awk '/device:/{print $2}')
1d96f045 ER	46	if [ "$dev" ]; then
	47	/sbin/cryptsetup isLuks $dev
	48	rc=$?
	49	else
	50	rc=1
	51	fi
8d07ddab ER	52
	53	if [ $rc = 0 ]; then
	54	debug "is_luks: $node is cryptsetup luks"
	55	else
	56	debug "is_luks: $node is not cryptsetup luks"
	57	fi
	58	return $rc
	59	}
	60
	61	# find modules for $devpath
	62	# @param $devpath device to be examined
	63	# @access public
	64	find_modules_luks() {
	65	local devpath="$1"
	66	local dev
	67
	68	local name=${devpath#/dev/mapper/}
f7385874	69	LUKSDEV=$(/sbin/cryptsetup status $name 2>/dev/null \| awk '/device:/{print $2}')
8d07ddab ER	70	if [ -z "$LUKSDEV" ]; then
	71	die "Lost cryptsetup device meanwhile?"
	72	fi
	73
b02a6b13	74	find_module "dm-crypt"
8d07ddab ER	75
8d07ddab ER	76	# TODO: autodetect
b02a6b13 ER	77	find_module "aes"
b02a6b13 ER	78	find_module "cbc"
8d07ddab ER	79
	80	have_luks=yes
	81
	82	# recurse
	83	find_modules_for_devpath $LUKSDEV
	84	}
	85
	86
	87	# generate initrd fragment for cryptsetup luks init
	88	# @access public
	89	initrd_gen_luks() {
8d07ddab	90	inst_d /bin
684d5d2a	91	inst_exec $cryptsetup /bin/cryptsetup
8d07ddab ER	92
	93	mount_dev
	94	mount_sys
	95	initrd_gen_devices
	96	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?
	97
	98	debug "luks: process /etc/crypttab $LUKSDEV"
	99	luks_crypttab $LUKSDEV
	100	}
	101
	102
	103	# PRIVATE METHODS
	104	key_is_random() {
	105	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
	106	}
	107
	108	# produce cryptsetup from $name from /etc/crypttab
	109	luks_crypttab() {
	110	local LUKSDEV="$1"
	111
	112	# copy from /etc/rc.d/init.d/cryptsetup
	113	local dst src key opt mode owner
	114
	115	while read dst src key opt; do
	116	[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
	117	[ "$src" != "$LUKSDEV" ] && continue
	118
	119	if [ -n "$key" -a "x$key" != "xnone" ]; then
	120	if test -e "$key" ; then
	121	mode=$(LC_ALL=C ls -l "$key" \| cut -c 5-10)
	122	owner=$(LC_ALL=C ls -l $key \| awk '{ print $3 }')
	123	if [ "$mode" != "------" ] && ! key_is_random "$key"; then
	124	die "INSECURE MODE FOR $key"
	125	fi
	126	if [ "$owner" != root ]; then
	127	die "INSECURE OWNER FOR $key"
	128	fi
	129	else
	130	die "Key file for $dst not found"
	131	fi
	132	else
	133	key=""
	134	fi
	135
	136	if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
	137	if key_is_random "$key"; then
	138	die "$dst: LUKS requires non-random key, skipping"
	139	fi
	140	if [ -n "$opt" ]; then
	141	warn "$dst: options are invalid for LUKS partitions, ignoring them"
	142	fi
	143	if [ "$key" ]; then
	144	keyfile=/etc/.$dst.key
	145	inst $key $keyfile
	146	fi
	147
	148	debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
	149	add_linuxrc <<-EOF
97074bda	150	if [ -e "$src" ]; then
abce1a7f AF	151	cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
abce1a7f AF	152	fi
8d07ddab ER	153
	154	debugshell
	155	EOF
	156	else
	157	die "$dst: only LUKS encryption supported"
	158	fi
	159	done < /etc/crypttab
	160	}