Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/naskconf | 2 | ||||
-rw-r--r-- | scripts/naskpass.initscript | 133 |
2 files changed, 85 insertions, 50 deletions
diff --git a/scripts/naskconf b/scripts/naskconf
index 2452799..4a4a7e0 100644
--- a/scripts/naskconf
+++ b/scripts/naskconf
@@ -1,6 +1,6 @@
 #!/bin/sh
-export ORGCHKSM="5924c70e5c9fabf0398050349c3f4f283ab80091b23ea8c677249ee7bdd41f6e4910ce5e1bc32577e67763dc30d9b96cc3528256e1cc63dba959a5e3866ec21f"
+export ORGCHKSM="2057abcd4c0038fb3357680ac3057b208672d5d81bca85e1cc668f17d4060a23bda4c34352682b289d17a18f6ab75c4b9ea9df1a9f85709e3042ff7fdc83e245"
 export ORGFILE="/usr/share/initramfs-tools/scripts/local-top/cryptroot"
diff --git a/scripts/naskpass.initscript b/scripts/naskpass.initscript
index 3f9be2c..4be0aa8 100644
--- a/scripts/naskpass.initscript
+++ b/scripts/naskpass.initscript
@@ -42,10 +42,10 @@ message()
 udev_settle()
 {
 # Wait for udev to be ready, see https://launchpad.net/bugs/85640
- if [ -x /sbin/udevadm ]; then
- /sbin/udevadm settle --timeout=30
- elif [ -x /sbin/udevsettle ]; then
- /sbin/udevsettle --timeout=30
+ if command -v udevadm >/dev/null 2>&1; then
+ udevadm settle --timeout=30
+ elif command -v udevsettle >/dev/null 2>&1; then
+ udevsettle --timeout=30
 fi
 return 0
 }
@@ -65,10 +65,12 @@ parse_options()
 crypthash=ripemd160
 crypttarget=cryptroot
 cryptsource=""
+ cryptheader=""
 cryptlvm=""
 cryptkeyscript=""
 cryptkey="" # This is only used as an argument to an eventual keyscript
 crypttries=3
+ crypttcrypt=""
 cryptrootdev=""
 cryptdiscard=""
 CRYPTTAB_OPTIONS=""
@@ -98,6 +100,13 @@ parse_options()
 fi
 export CRYPTTAB_SOURCE="$cryptsource"
 ;;
+ header=*)
+ cryptheader=${x#header=}
+ if [ ! -e "$cryptheader" ] && [ -e "/conf/conf.d/cryptheader/$cryptheader" ]; then
+ cryptheader="/conf/conf.d/cryptheader/$cryptheader"
+ fi
+ export CRYPTTAB_HEADER="$cryptheader"
+ ;;
 lvm=*)
 cryptlvm=${x#lvm=}
 ;;
@@ -118,6 +127,9 @@ parse_options()
 ;;
 esac
 ;;
+ tcrypt)
+ crypttcrypt="yes"
+ ;;
 rootdev)
 cryptrootdev="yes"
 ;;
@@ -157,29 +169,9 @@ activate_vg()
 return $?
 }
 
-activate_evms()
-{
- local dev module
-
- # Sanity checks
- if [ ! -x /sbin/evms_activate ]; then
- message "cryptsetup: evms_activate is not available"
- return 1
- fi
-
- # Load modules used by evms
- for module in dm-mod linear raid0 raid1 raid10 raid5 raid6; do
- modprobe -q $module
- done
-
- # Activate it
- /sbin/evms_activate
- return $?
-}
-
 setup_mapping()
 {
- local opts count cryptcreate cryptremove NEWROOT
+ local opts count cryptopen cryptremove NEWROOT
 opts="$1"
 
 if [ -z "$opts" ]; then
@@ -193,6 +185,11 @@ setup_mapping()
 return 1
 fi
 
+ if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then
+ message "cryptsetup: error - LUKS header \"$cryptheader\" missing"
+ return 1
+ fi
+
 # The same target can be specified multiple times
 # e.g. root and resume lvs-on-lvm-on-crypto
 if [ -e "/dev/mapper/$crypttarget" ]; then
@@ -204,7 +201,6 @@ setup_mapping()
 # Make sure the cryptsource device is available
 if [ ! -e $cryptsource ]; then
 activate_vg
- activate_evms
 fi
 
 # If the encrypted source device hasn't shown up yet, give it a
@@ -225,6 +221,11 @@ setup_mapping()
 slumber=$(( ${slumber} * 10 ))
 while [ ! -e "$cryptsource" ]; do
+ # retry for LVM devices every 10 seconds
+ if [ ${slumber} -eq $(( ${slumber}/100*100 )) ]; then
+ activate_vg
+ fi
+
 /bin/sleep 0.1
 slumber=$(( ${slumber} - 1 ))
 [ ${slumber} -gt 0 ] || break
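Review bot: In the @@ -193 hunk, `! type "$cryptheader" >/dev/null` asks whether `$cryptheader` resolves as a command, not whether the header file exists; a detached header that is present but not executable may be reported missing (how `type` treats a non-executable path is shell-dependent), an executable stray at that path would pass, and `type`'s stderr is not silenced. The message says the header is "missing", so the test should be a file test: `if [ -n "$cryptheader" ] && [ ! -e "$cryptheader" ]; then` (use `-r` if cryptsetup must be able to read it). setup_mapping's body continues outside this hunk.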
@@ -239,21 +240,33 @@ setup_mapping()
 udev_settle
 
 # We've given up, but we'll let the user fix matters if they can
- while [ ! -e "${cryptsource}" ]; do
+ if [ ! -e "${cryptsource}" ]; then
+
+ echo " ALERT! ${cryptsource} does not exist."
 echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
 echo " or missing modules, devices: cat /proc/modules; ls /dev"
- panic -r "ALERT! ${cryptsource} does not exist. Dropping to a shell!"
- done
+ panic -r "Dropping to a shell. Will skip ${cryptsource} if you can't fix."
+ fi
+
+ if [ ! -e "${cryptsource}" ]; then
+ return 1
+ fi
+
 # Prepare commands
- cryptcreate="/sbin/cryptsetup -T 1"
+ cryptopen="/sbin/cryptsetup -T 1"
 if [ "$cryptdiscard" = "yes" ]; then
- cryptcreate="$cryptcreate --allow-discards"
+ cryptopen="$cryptopen --allow-discards"
 fi
- if /sbin/cryptsetup isLuks $cryptsource >/dev/null 2>&1; then
- cryptcreate="$cryptcreate luksOpen $cryptsource $crypttarget"
+ if [ -n "$cryptheader" ]; then
+ cryptopen="$cryptopen --header=$cryptheader"
+ fi
+ if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
+ cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
+ elif [ "$crypttcrypt" = "yes" ]; then
+ cryptopen="$cryptopen open --type tcrypt $cryptsource $crypttarget"
 else
- cryptcreate="$cryptcreate -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
+ cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-"
 fi
 cryptremove="/sbin/cryptsetup remove $crypttarget"
 NEWROOT="/dev/mapper/$crypttarget"
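Review bot: When `cryptheader` is set but `isLuks` fails on it (corrupt, wrong file, not yet readable) and `tcrypt` is not set, the new chain falls through to the `--type plain` branch with `--header=$cryptheader` still in `$cryptopen`; plain mode has no header, so the user gets either an opaque cryptsetup error or, if the option is tolerated, a mapping built from the plain cipher/hash defaults instead of a clear failure. Add an explicit error before the plain fallback: `elif [ -n "$cryptheader" ]; then` / `message "cryptsetup: error - $cryptheader is not a LUKS header"` / `return 1`. The probe should also quote its argument, `isLuks "${cryptheader:-$cryptsource}"`, even though `$cryptopen` itself is word-split later. setup_mapping continues outside this hunk.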
@@ -261,19 +274,29 @@ setup_mapping()
 # Try to get a satisfactory password $crypttries times
 count=0
 while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
+ export CRYPTTAB_TRIED="$count"
 count=$(( $count + 1 ))
- if [ $count -gt 1 ]; then
- /bin/sleep 3
- fi
- if [ -z "$cryptkeyscript" ]; then
- cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
+ if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then
+ # UUIDs are not very helpful
+ diskname="$crypttarget"
+ else
+ diskname="$cryptsource ($crypttarget)"
+ fi
+
 if [ -x /bin/plymouth ] && plymouth --ping; then
 cryptkeyscript="plymouth ask-for-password --prompt"
- cryptkey=$(printf "$cryptkey")
+ # Plymouth will add a : if it is a non-graphical prompt
+ cryptkey="Please unlock disk $diskname"
 else
- cryptkeyscript="/lib/cryptsetup/naskpass"
+ if [ -x /lib/cryptsetup/naskpass ]; then
+ cryptkeyscript="/lib/cryptsetup/naskpass"
+ cryptkey=""
+ else
+ cryptkeyscript="/lib/cryptsetup/askpass"
+ cryptkey="Please unlock disk $diskname: "
+ fi
 fi
 fi
@@ -282,12 +305,17 @@ setup_mapping()
 if [ -x /bin/plymouth ] && plymouth --ping; then
 message "naskpass does not work with playmouth, falling back to default askpass .."
 if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
- $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
+ $cryptkeyscript "$cryptkey" | $cryptopen; then
 message "cryptsetup: cryptsetup failed, bad password or options?"
 continue
 fi
 else
- $cryptkeyscript -c "$cryptcreate"
+ if ! $cryptkeyscript -c "cryptsetup -T 1 open $cryptsource $crypttarget"; then
+ message "naskpass: failed"
+ continue
+ else
+ message "naskpass: success"
+ fi
 fi
 fi
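Review bot: The removed `/bin/sleep 3` was the only delay between failed passphrase attempts and nothing in the new loop replaces it, so interactive guesses are no longer throttled, and with `crypttries` at 0 or below (the `while` then never terminates on its own) a keyscript that fails instantly — plymouth not answering, naskpass without a usable terminal — spins the loop without pause. Keep the back-off, e.g. `[ $count -gt 1 ] && /bin/sleep 3` right after `count=$(( $count + 1 ))`, unless the keyscripts are known to rate-limit themselves. Separately, `[ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]` should quote both operands. The loop body runs past the end of this hunk.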
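Review bot: The naskpass branch runs a hand-built `cryptsetup -T 1 open $cryptsource $crypttarget` and ignores `$cryptopen`, which was assembled a few lines earlier with `--header=`, `--allow-discards` and the `--type tcrypt` / `--type plain -c/-s/-h` options; a LUKS volume with a detached header cannot be opened this way, and a plain-dm-crypt root either fails or is mapped with the wrong cipher and hash. Pass the prepared command as the old `-c "$cryptcreate"` did, `if ! $cryptkeyscript -c "${cryptopen% --key-file=-}"; then` — whether the `--key-file=-` suffix has to be stripped depends on how naskpass hands the passphrase to the command, which is not visible here, so confirm. Note too that the preceding hunk selects `/lib/cryptsetup/askpass` as `$cryptkeyscript` when naskpass is absent, and askpass takes a prompt rather than `-c`, so this branch needs a naskpass guard unless the enclosing `if`, which starts outside the hunk, already provides one. The bare `cryptsetup` here also differs from the `/sbin/cryptsetup` used in `$cryptopen`.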
@@ -312,12 +340,19 @@ setup_mapping()
 return 1
 fi
 
- NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
- if [ "$cryptrootdev" = "yes" ]; then
- # required for lilo to find the root device
- echo "ROOT=$NEWROOT" >>/conf/param.conf
+ # Apparently ROOT is already set in /conf/param.conf for
+ # flashed kernels at least. See bugreport #759720.
+ if [ -f /conf/param.conf ] && grep -q "^ROOT=" /conf/param.conf; then
+ NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf)
+ else
+ NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
+ if [ "$cryptrootdev" = "yes" ]; then
+ # required for lilo to find the root device
+ echo "ROOT=$NEWROOT" >>/conf/param.conf
+ fi
 fi
- eval $(fstype < "$NEWROOT")
+ #eval $(fstype < "$NEWROOT")
+ FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
 fi
 
 #if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then |
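Review bot: Any existing `ROOT=` in /conf/param.conf now silently overrides both `cmdline_root` and the `/dev/mapper/$cryptlvm` derived from the crypttab options, and `sed -n 's/^ROOT=//p'` prints every matching line, so a file that carries more than one entry (the `else` branch only ever appends with `>>`) turns `$NEWROOT` into a multi-line value that the `blkid` call below receives as several arguments. Take a single entry and say where it came from, `NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf | tail -n 1)` followed by `message "cryptsetup: using ROOT=$NEWROOT from /conf/param.conf"`, so a stale value from a flashed kernel is at least visible on the console. param.conf is presumably sourced as shell elsewhere in initramfs-tools; if values there can be quoted, the stripped text needs unquoting before use — confirm. setup_mapping continues outside this hunk.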