~siretart/cryptsetup/debian

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
#!/bin/sh

#
# Standard initramfs preamble
#
prereqs()
{
	# Make sure that cryptroot is run last in local-top
	for req in /scripts/local-top/*; do
		script=${req##*/}
		if [ $script != cryptroot ]; then
			echo $script
		fi
	done
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac


#
# Helper functions
#
message()
{
	if [ -p /dev/.initramfs/usplash_outfifo ] && [ -x /sbin/usplash_write ]; then
		usplash_write "TEXT-URGENT $@"
	else
		echo "$@" >&2
	fi
	return 0
}

udev_settle()
{
	# Wait for udev to be ready, see https://launchpad.net/bugs/85640
	if [ -x /sbin/udevadm ]; then
		/sbin/udevadm settle --timeout=30
	elif [ -x /sbin/udevsettle ]; then
		/sbin/udevsettle --timeout=30
	fi
	return 0
}

parse_options()
{
	local cryptopts
	cryptopts="$1"

	if [ -z "$cryptopts" ]; then
		return 1
	fi

	# Defaults
	cryptcipher=aes-cbc-essiv:sha256
	cryptsize=256
	crypthash=ripemd160
	crypttarget=cryptroot
	cryptsource=""
	cryptlvm=""
	cryptkeyscript=""
	cryptkey="" # This is only used as an argument to an eventual keyscript
	crypttries=3

	local IFS=" ,"
	for x in $cryptopts; do
		case $x in
		hash=*)
			crypthash=${x#hash=}
			;;
		size=*)
			cryptsize=${x#size=}
			;;
		cipher=*)
			cryptcipher=${x#cipher=}
			;;
		target=*)
			crypttarget=${x#target=}
			;;
		source=*)
			cryptsource=${x#source=}
			if [ ${cryptsource#UUID=} != $cryptsource ]; then
				cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
			elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
				cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}"
			fi
			;;
		lvm=*)
			cryptlvm=${x#lvm=}
			;;
		keyscript=*)
			cryptkeyscript=${x#keyscript=}
			;;
		key=*)
			if [ "${x#key=}" != "none" ]; then
				cryptkey=${x#key=}
			fi
			;;
		tries=*)
			crypttries="${x#tries=}"
			case "$crypttries" in
			  *[![:digit:].]*)
				crypttries=3
				;;
			esac
			;;
		esac
	done

	if [ -z "$cryptsource" ]; then
		message "cryptsetup: source parameter missing"
		return 1
	fi
	return 0
}

activate_vg()
{
	local vg
	vg="${1#/dev/mapper/}"

	# Sanity checks
	if [ ! -x /sbin/vgchange ] || [ "$vg" = "$1" ]; then
		return 1
	fi

	# Make sure that the device contains at least one dash
	if [ "${vg%%-*}" = "$vg" ]; then
		return 1
	fi

	# Split volume group from logical volume.
	vg=$(echo ${vg} | sed -e 's#\(.*\)\([^-]\)-[^-].*#\1\2#')

	# Reduce padded --'s to -'s
	vg=$(echo ${vg} | sed -e 's#--#-#g')

	vgchange -ay ${vg}
	return $?
}

activate_evms()
{
	local dev module
	dev="${1#/dev/evms/}"

	# Sanity checks
	if [ ! -x /sbin/evms_activate ] || [ "$dev" = "$1" ]; then
		return 1
	fi

	# Load modules used by evms
	for module in dm-mod linear raid0 raid1 raid10 raid5 raid6; do
		modprobe -q $module
	done

	# Activate it
	/sbin/evms_activate
	return $?
}

setup_mapping()
{
	local opts count cryptcreate cryptremove NEWROOT
	opts="$1"

	if [ -z "$opts" ]; then
		return 0
	fi

	parse_options "$opts" || return 1

	if [ -n "$cryptkeyscript" ] && [ ! -x "$cryptkeyscript" ]; then
		message "cryptsetup: error - script \"$cryptkeyscript\" missing"
		return 1
	fi

	# The same target can be specified multiple times
	# e.g. root and resume lvs-on-lvm-on-crypto
	if [ -e "/dev/mapper/$crypttarget" ]; then
		return 0
	fi

	modprobe -q dm_crypt

	# Make sure the cryptsource device is available
	if [ ! -e $cryptsource ]; then
		activate_vg $cryptsource
		activate_evms $cryptsource
	fi

	udev_settle

	if [ ! -e $cryptsource ]; then
		message "cryptsetup: source device $cryptsource not found"
		return 1
	fi

	# Prepare commands
	if /sbin/cryptsetup isLuks $cryptsource > /dev/null 2>&1; then
		cryptcreate="/sbin/cryptsetup -T 1 luksOpen $cryptsource $crypttarget"
	else
		cryptcreate="/sbin/cryptsetup -T 1 -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
	fi
	cryptremove="/sbin/cryptsetup remove $crypttarget"
	NEWROOT="/dev/mapper/$crypttarget"

	# Try to get a satisfactory password $crypttries times
	count=0
	while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
		count=$(( $count + 1 ))

		if [ $count -gt 1 ]; then
			sleep 3
		fi

		if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
			message "cryptsetup: maximum number of tries exceeded for $crypttarget"
			return 1
		fi

		if [ -z "$cryptkeyscript" ]; then
			cryptkeyscript="/lib/cryptsetup/askpass"
			cryptkey="Enter passphrase for $crypttarget ($cryptsource): "
		fi


		if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
		     $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
			message "cryptsetup: cryptsetup failed, bad password or options?"
			continue
		fi

		if [ ! -e "$NEWROOT" ]; then
			message "cryptsetup: unknown error setting up device mapping"
			return 1
		fi

		FSTYPE=''
		eval $(fstype < "$NEWROOT")

		# See if we need to setup lvm on the crypto device
		if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
			if [ -z "$cryptlvm" ]; then
				message "cryptsetup: lvm fs found but no lvm configured"
				return 1
			elif ! activate_vg "/dev/mapper/$cryptlvm"; then
				message "cryptsetup: failed to setup lvm device"
				return 1
			fi

			NEWROOT="/dev/mapper/$cryptlvm"
			eval $(fstype < "$NEWROOT")
		fi

		if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
			message "cryptsetup: unknown fstype, bad password or options?"
			$cryptremove
			continue
		fi

		message "cryptsetup: $crypttarget setup successfully"
		break
	done

	udev_settle
	return 0
}

#
# Begin real processing
#

# Do we have any kernel boot arguments?
found=''
for opt in $(cat /proc/cmdline); do
	case $opt in
	cryptopts=*)
		found=yes
		setup_mapping "${opt#cryptopts=}"
		;;
	esac
done

if [ -n "$found" ]; then
	exit 0
fi

# Do we have any settings from the /conf/conf.d/cryptroot file?
if [ -r /conf/conf.d/cryptroot ]; then
	while read mapping <&3; do
		setup_mapping "$mapping"
	done 3< /conf/conf.d/cryptroot
fi

exit 0