Bug#247054: Crypto-root patch updated to initrd-tools 0.1.70
On Fri, Nov 19, 2004 at 06:28:53PM +0000, Martin Michlmayr wrote:
> if [ "`dmsetup table disk | awk ' { print $3 } '`" = "crypt" ]; then
> +       devname=$(grep -m 1 "^$dmname[[:space:]]" /etc/crypttab | sed 's/^[^[:space:]]*[[:space:]]\([^[:space:]]*\).*/\1/')
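Review bot: the added devname line has no fallback when $dmname has no /etc/crypttab entry; grep then matches nothing and devname is silently empty, so a check such as `[ -n "$devname" ] || echo "$dmname: no entry in /etc/crypttab" >&2` would make that failure visible. The name is also interpolated into the grep pattern unescaped, so a mapping name containing regex metacharacters (a `.`, say) matches more than intended; `awk -v n="$dmname" '$1 == n { print $2; exit }' /etc/crypttab` does the exact first-field match and the second-field extraction in one step, in the same awk style as the dmsetup line above.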

Yep, both look like a good improvement.

> With those two changes, I've been able to boot from an encrypted root
> on PowerPC.  Nice!

Cool. :)

> I'd like to hear from Wesley before I'll apply this in SVN, but I
> think it looks ok.  Also, I'd really like someone to give me an
> example script to mount secret keys from a USB stick.

I've attached my script. I haven't made it public b/c it has my USB stick
hard-coded. ;)

> I'll also have to see whether LVM on top of crypto works.  I think I saw
> a problem with this.

I use RAID1->LVM->crypto->reiserfs; it works fine (except for every time when
initrd-tools gets upgraded and my system becomes unbootable...).

-- 
Wesley W. Terpstra

#! /bin/bash
# mkinitrd hook: copies the USB/vfat modules, the key shares and the helper
# binaries into the initrd, then generates the keyscript that runs at boot.
modules="usb-storage sd-mod nls_cp437 ehci-hcd uhci-hcd nls_iso8859-1"

# Initrd-side key shares; each is XORed with the matching .key from the stick.
mkdir $INITRDDIR/keys
cp /boot/keys/* $INITRDDIR/keys

# Copy each module plus its dependencies (cut strips the leading "insmod ").
for mod in $modules; do
  for ko in `modprobe --set-version $VERSION --show-depends $mod | cut -b8-`; do
    install -d $INITRDDIR/${ko%/*}
    install $ko $INITRDDIR/$ko
  done
done

cp /usr/local/bin/xor   $INITRDDIR/bin
cp /usr/local/bin/delay $INITRDDIR/bin

# Unquoted EOF: $VAR is expanded now, \$VAR survives into the keyscript.
cat <<EOF >$INITRDDIR/keyscripts/usbkeys
modprobe uhci-hcd
modprobe ehci-hcd
modprobe usb-storage
modprobe sd-mod

# Silence kernel messages while polling for the stick; restored below.
read old nil < /proc/sys/kernel/printk
echo 0 > /proc/sys/kernel/printk

echo
echo
echo "Root disk is encrypted. Failure to authenticate will destroy boot key."
echo
echo -n "Waiting for thumb-print verification "
while [ ! -f /dev2/rootkey ]; do
  echo -n "."
  /bin/delay
  for d in	/devfs/scsi/host0/bus0/target0/lun0/part1 \\
		/devfs/scsi/host0/bus0/target0/lun1/disc; do
    if ! mount -n \$d /mnt -o ro -t vfat 2>/dev/null >/dev/null; then continue; fi
    # For keys/NAME.ext in the initrd, look for /mnt/keys/NAME.key on the stick
    # and XOR the two shares into the real root key.
    for i in keys/*; do
      if [ -f /mnt/\${i%.*}.key ]; then
        /bin/xor /mnt/\${i%.*}.key \$i > /dev2/rootkey
      fi
    done
    umount -n /mnt
  done
done

echo " Found"
# Escaped so the value read at boot, not an empty build-time variable, is restored.
echo \$old > /proc/sys/kernel/printk

if [ -f /dev2/rootkey ]; then
  /sbin/cryptsetup -d /dev2/rootkey -c \$cipher_mode create \$dmname \$device
fi
EOF

chmod +x $INITRDDIR/keyscripts/usbkeys
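The /usr/local/bin/xor binary the hook copies into the initrd is not shown in the mail; below is a stand-in, added here as an example and not Wesley's program, that recombines the stick share with the initrd share and refuses empty or mismatched-length inputs (the two-file command-line shape and the MAX_SHARE bound are assumptions):

```c
/* xor.c: stand-in for the /usr/local/bin/xor binary the keyscript copies into
 * the initrd. Usage (assumed, mirroring the keyscript): xor SHARE_A SHARE_B > KEY */
#include <stdio.h>
#include <string.h>

#define MAX_SHARE 4096  /* assumed upper bound on a key share, in bytes */

/* out[i] = a[i] ^ b[i]. Returns 0 on success, -1 when the shares are empty
 * or differ in length: a truncated share must never yield a shorter key,
 * since cryptsetup -d would accept whatever landed in /dev2/rootkey. */
int xor_shares(const unsigned char *a, size_t alen,
               const unsigned char *b, size_t blen, unsigned char *out)
{
    if (alen == 0 || alen != blen)
        return -1;
    for (size_t i = 0; i < alen; i++)
        out[i] = a[i] ^ b[i];
    return 0;
}

/* Read up to MAX_SHARE bytes from path into buf; returns byte count or -1. */
long read_share(const char *path, unsigned char *buf)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, MAX_SHARE, f);
    int err = ferror(f);
    fclose(f);
    return err ? -1 : (long)n;
}

int main(int argc, char **argv)
{
    unsigned char a[MAX_SHARE], b[MAX_SHARE], key[MAX_SHARE];
    if (argc != 3) {
        fprintf(stderr, "usage: %s SHARE_A SHARE_B > KEY\n", argv[0]);
        return 2;
    }
    long la = read_share(argv[1], a), lb = read_share(argv[2], b);
    if (la < 0 || lb < 0 ||
        xor_shares(a, (size_t)la, b, (size_t)lb, key) != 0) {
        fprintf(stderr, "%s: unreadable or mismatched shares\n", argv[0]);
        return 1;  /* nothing written: no partial key reaches stdout */
    }
    fwrite(key, 1, (size_t)la, stdout);
    return 0;
}
```

Because the keyscript redirects the tool's stdout straight into /dev2/rootkey, the shell creates that file before xor runs; a caller that wants the retry loop to keep polling on failure should check the exit status and remove the empty file.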
