Hi!
Attached is a patch that will allow encrypted (using LUKS) root
partitions to be used in rescue mode.
The patch is fairly simple, and asks for a passphrase for every LUKS
partition found before the root partition is chosen.
This only affects rescue-mode.postinst, and adds a template and a dependency
on crypto-modules and cryptsetup-udeb.
In the long term, it is probably not the best solution as it supports
neither loop-aes partitions nor plain dm-crypt. It would
probably be better to support re-use of already encrypted partitions in
partman and use these facilities in rescue-mode instead of custom code.
Anyway, it works nicely with the guided partitioning for crypto root,
and that actually covers quite a lot of our users, so it might still be
a worthy addition.
Cheers,
--
Jérémy Bobbio .''`.
lunar@debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-
Index: debian/control
===================================================================
--- debian/control (revision 48544)
+++ debian/control (working copy)
@@ -18,5 +18,5 @@
Priority: optional
XC-Package-Type: udeb
XB-Installer-Menu-Item: 3900
-Depends: rescue-check, cdebconf-udeb (>= 0.73), harddrive-detection, ext2-modules, ext3-modules, fat-modules, jfs-modules, md-modules, reiserfs-modules, xfs-modules, lvm2-udeb, mdadm-udeb (>= 2.5.2), di-utils (>= 1.15)
+Depends: rescue-check, cdebconf-udeb (>= 0.73), harddrive-detection, ext2-modules, ext3-modules, fat-modules, jfs-modules, md-modules, reiserfs-modules, xfs-modules, lvm2-udeb, mdadm-udeb (>= 2.5.2), di-utils (>= 1.15), crypto-modules, cryptsetup-udeb
Description: mount requested partition and start a rescue shell
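Review bot: the new cryptsetup-udeb dependency is unversioned, while the postinst relies on `cryptsetup isLuks` and on `cryptsetup -d -` reading the key from stdin; if any cryptsetup-udeb still in the archive lacks either, constrain it in the same form as `mdadm-udeb (>= 2.5.2)`. Please also confirm that `crypto-modules` is the udeb that actually ships the aes module, since `try_load_module aes` in the postinst is the only reason for that dependency.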
Index: debian/rescue-mode.templates
===================================================================
--- debian/rescue-mode.templates (revision 48544)
+++ debian/rescue-mode.templates (working copy)
@@ -81,3 +81,11 @@
environment. If you want to make it your root file system temporarily, run
"chroot /target". If you need any other file systems (such as a separate
"/usr"), you will have to mount those yourself.
+
+Template: rescue/passphrase
+Type: password
+_Description: Passphrase for ${DEVICE}:
+ Please enter the passphrase for the encrypted volume ${DEVICE}.
+ .
+ If you don't enter anything, the volume will not be available during
+ rescue operations.
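Review bot: the long description should tell the user that a wrong passphrase brings the same prompt back, because `do_cryptsetup` in the postinst loops until `luksOpen` succeeds and an empty entry is the only way out of that loop; rewording the second paragraph along the lines of `If the passphrase is wrong you will be asked again; leave the field empty to skip this volume.` makes that behaviour explicit. `Type: password` is the right choice here, as debconf then does not echo the input.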
Index: debian/rescue-mode.postinst
===================================================================
--- debian/rescue-mode.postinst (revision 48544)
+++ debian/rescue-mode.postinst (working copy)
@@ -14,6 +14,55 @@
log-output -t rescue modprobe "$1" || true
}
+rescan_lvm () {
+ log-output -t rescue pvscan || true
+ log-output -t rescue vgscan || true
+}
+
+get_passphrase () {
+ db_set rescue/passphrase ""
+ db_fset rescue/passphrase seen false
+ db_subst rescue/passphrase DEVICE "$dev"
+ db_input critical rescue/passphrase
+
+ db_go || return 1
+
+ db_get rescue/passphrase || RET=''
+ echo -n "$RET"
+}
+
+do_cryptsetup () {
+ local pass_ok pass dev cryptdev
+
+ dev="$1"
+ pass_ok=0
+ cryptdev="${dev##*/}_crypt"
+ while [ $pass_ok -eq 0 ]; do
+ pass="$(get_passphrase)" || return 1
+ if [ -z "$pass" ]; then
+ return 1
+ fi
+ echo -n "$pass" | log-output -t rescue \
+ cryptsetup -d - luksOpen "$dev" "$cryptdev" && pass_ok=1
+ done
+}
+
+open_encrypted_partitions () {
+ local found pass_ok
+
+ found=0
+ for dev in $(list-devices partition); do
+ if cryptsetup isLuks "$dev" 2> /dev/null; then
+ do_cryptsetup "$dev" && found=1
+ fi
+ done
+
+ if [ $found -eq 0 ]; then
+ return 1
+ fi
+ try_load_module aes
+}
+
try_load_module ext2
try_load_module ext3
try_load_module jfs
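Review bot: `try_load_module aes` at the end of `open_encrypted_partitions` runs only after every `luksOpen` attempt has already been made, and only when at least one of them succeeded, so it cannot help the very calls that need the cipher; move it (and, unless dm-crypt is expected to autoload, a `try_load_module dm-crypt`) above the `for dev in $(list-devices partition)` loop. Two smaller points in the same hunk: `get_passphrase` reads `$dev`, which is only a `local` of its caller `do_cryptsetup`, so pass the device as `"$1"` rather than relying on dynamic scoping; and after a successful `luksOpen` the passphrase stays in the debconf database, since `db_set rescue/passphrase ""` is only executed at the start of the next prompt, so clear it right after use. Also `local found pass_ok` in `open_encrypted_partitions` declares an unused `pass_ok` while `dev` is left global, and it is worth verifying that `log-output` passes its stdin through to the child, because `echo -n "$pass" | log-output -t rescue cryptsetup -d - luksOpen ...` depends on that.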
@@ -39,9 +88,13 @@
# LVM support
try_load_module dm-mod
try_load_module lvm-mod
-log-output -t rescue pvscan || true
-log-output -t rescue vgscan || true
+rescan_lvm
+# Crypto support
+open_encrypted_partitions &&
+ # Scan for LVM partitions again as we just added encrypted volumes
+ rescan_lvm
+
db_capb backup
MOUNTED=
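Review bot: `open_encrypted_partitions` is called before `db_capb backup`, so while the passphrase prompt is displayed the frontend offers no Go Back and the `db_go || return 1` in `get_passphrase` can never fire; either move `db_capb backup` above the `# Crypto support` block or state in the template that an empty passphrase is the only way to skip a volume. Style: the comment placed between `open_encrypted_partitions &&` and its second operand `rescan_lvm` parses, but is hard to read; put it on the line above the list instead.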