Hi! Attached is a patch that will allow encrypted (using LUKS) root partitions to be used in rescue mode. The patch is fairly simple, and asks for a passphrase for every LUKS partition found before the root partition is chosen. This only affects rescue-mode.postinst, adds a template and a dependency on crypto-modules and cryptsetup-udeb.

In the long term, it is probably not the best solution, as it supports neither loop-aes partitions nor plain dm-crypt. It would probably be better to support re-use of already encrypted partitions in partman and use these facilities in rescue-mode instead of custom code. Anyway, it works nicely with the guided partitioning for crypto root, and that actually covers quite a lot of our users, so it might still be a worthy addition.

Cheers,
-- 
Jérémy Bobbio
  .''`.  lunar@debian.org
 : :Ⓐ :  # apt-get install anarchism
 `. `'`
   `-
Index: debian/control =================================================================== --- debian/control (revision 48544) +++ debian/control (working copy) @@ -18,5 +18,5 @@ Priority: optional XC-Package-Type: udeb XB-Installer-Menu-Item: 3900 -Depends: rescue-check, cdebconf-udeb (>= 0.73), harddrive-detection, ext2-modules, ext3-modules, fat-modules, jfs-modules, md-modules, reiserfs-modules, xfs-modules, lvm2-udeb, mdadm-udeb (>= 2.5.2), di-utils (>= 1.15) +Depends: rescue-check, cdebconf-udeb (>= 0.73), harddrive-detection, ext2-modules, ext3-modules, fat-modules, jfs-modules, md-modules, reiserfs-modules, xfs-modules, lvm2-udeb, mdadm-udeb (>= 2.5.2), di-utils (>= 1.15), crypto-modules, cryptsetup-udeb Description: mount requested partition and start a rescue shell Index: debian/rescue-mode.templates =================================================================== --- debian/rescue-mode.templates (revision 48544) +++ debian/rescue-mode.templates (working copy) @@ -81,3 +81,11 @@ environment. If you want to make it your root file system temporarily, run "chroot /target". If you need any other file systems (such as a separate "/usr"), you will have to mount those yourself. + +Template: rescue/passphrase +Type: password +_Description: Passphrase for ${DEVICE}: + Please enter the passphrase for the encrypted volume ${DEVICE}. + . + If you don't enter anything, the volume will not be available during + rescue operations. Index: debian/rescue-mode.postinst =================================================================== --- debian/rescue-mode.postinst (revision 48544) +++ debian/rescue-mode.postinst (working copy) 
@@ -14,6 +14,55 @@ log-output -t rescue modprobe "$1" || true } +rescan_lvm () { + log-output -t rescue pvscan || true + log-output -t rescue vgscan || true +} + +get_passphrase () { + db_set rescue/passphrase "" + db_fset rescue/passphrase seen false + db_subst rescue/passphrase DEVICE "$dev" + db_input critical rescue/passphrase + + db_go || return 1 + + db_get rescue/passphrase || RET='' + echo -n "$RET" +} + +do_cryptsetup () { + local pass_ok pass dev cryptdev + + dev="$1" + pass_ok=0 + cryptdev="${dev##*/}_crypt" + while [ $pass_ok -eq 0 ]; do + pass="$(get_passphrase)" || return 1 + if [ -z "$pass" ]; then + return 1 + fi + echo -n "$pass" | log-output -t rescue \ + cryptsetup -d - luksOpen "$dev" "$cryptdev" && pass_ok=1 + done +} + +open_encrypted_partitions () { + local found pass_ok + + found=0 + for dev in $(list-devices partition); do + if cryptsetup isLuks "$dev" 2> /dev/null; then + do_cryptsetup "$dev" && found=1 + fi + done + + if [ $found -eq 0 ]; then + return 1 + fi + try_load_module aes +} + try_load_module ext2 try_load_module ext3 try_load_module jfs @@ -39,9 +88,13 @@ # LVM support try_load_module dm-mod try_load_module lvm-mod -log-output -t rescue pvscan || true -log-output -t rescue vgscan || true +rescan_lvm +# Crypto support +open_encrypted_partitions && + # Scan for LVM partitions again as we just added encrypted volumes + rescan_lvm + db_capb backup MOUNTED=
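Review bot: The debian/control hunk adds crypto-modules for the cipher, but nothing in the patch ever loads the dm-crypt device-mapper target: the postinst only loads dm-mod (for LVM) and aes, and `cryptsetup luksOpen` cannot map a volume without dm-crypt. Unless dm-crypt is known to be on the rescue image already, the udeb that ships it (crypto-dm-modules in the kernel udeb split) should be added to Depends, together with the block-mode and IV-hash modules a default aes-cbc-essiv:sha256 volume needs (cbc, sha256), and the postinst should modprobe them.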
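Review bot: The rescue/passphrase template gives the user no feedback when a passphrase is rejected: the postinst re-displays this same template unchanged after a failed luksOpen, so someone who mistyped sees an identical prompt and cannot tell whether the previous attempt failed or the volume was opened. Either show an error template before re-prompting, or at least say in the extended description that the prompt is repeated until the passphrase is accepted or left empty.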
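Review bot: In the first rescue-mode.postinst hunk, `try_load_module aes` sits at the end of open_encrypted_partitions, i.e. after every `cryptsetup luksOpen` attempt has already run; move it (and a `try_load_module dm-crypt`) before the `for dev in $(list-devices partition)` loop so the opens do not depend on kernel module autoloading. Also, get_passphrase does `db_set rescue/passphrase ""` only at the start of each call, so the last accepted passphrase stays in the cdebconf database after do_cryptsetup returns; clear it with `db_set rescue/passphrase ""` right after the successful luksOpen. Minor: get_passphrase reads `$dev` from the caller's `local` instead of taking it as `"$1"`, `pass_ok` is declared local but unused in open_encrypted_partitions, and `dev` there is not declared local.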
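Review bot: Style, second rescue-mode.postinst hunk: splitting `open_encrypted_partitions &&` across a comment line and an indented `rescan_lvm` is legal sh but easy to misread as two separate statements when skimming. An explicit `if open_encrypted_partitions; then` block with the "Scan for LVM partitions again" comment inside it reads better and keeps the comment attached to the rescan; the pvscan/vgscan replacement with rescan_lvm above it is otherwise behaviour-preserving.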