[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#247054: Crypto-root patch updated to initrd-tools 0.1.70

On Fri, Nov 19, 2004 at 06:28:53PM +0000, Martin Michlmayr wrote:
> if [ "`dmsetup table disk | awk ' { print $3 } '`" = "crypt" ]; then
> +       devname=$(grep -m 1 "^$dmname[[:space:]]" /etc/crypttab | sed 's/^[^[:space:]]*[[:space:]]\([^[:space:]]*\).*/\1/')

Yep, both look like a good improvement.

> With those two changes, I've been able to boot from an encrypted root
> on PowerPC.  Nice!

Cool. :)

> I'd like to hear from Wesley before I'll apply this in SVN, but I
> think it looks ok.  Also, I'd really like someone to give me an
> example script to mount secret keys from a USB stick.

I've attached my script. I haven't made it public b/c it has my USB stick
hard-coded. ;)

> I'll also have to see whether LVM on top of crypto works.  I think I saw
> a problem with this.

I use RAID1->LVM->crypto->reiserfs; it works fine (except for everytime when
initrd-tools gets upgraded and my system becomes unbootable...).

Wesley W. Terpstra
#! /bin/bash
modules="usb-storage sd-mod nls_cp437 ehci-hcd uhci-hcd nls_iso8859-1"

mkdir $INITRDDIR/keys
cp /boot/keys/* $INITRDDIR/keys

for mod in $modules; do
  for ko in `modprobe --set-version $VERSION --show-depends $mod | cut -b8-`; do
    install -d $INITRDDIR/${ko%/*}
    install $ko $INITRDDIR/$ko

cp /usr/local/bin/xor   $INITRDDIR/bin
cp /usr/local/bin/delay $INITRDDIR/bin

cat <<EOF >$INITRDDIR/keyscripts/usbkeys
modprobe uhci-hcd
modprobe ehci-hcd
modprobe usb-storage
modprobe sd-mod

read old nil < /proc/sys/kernel/printk
echo 0 > /proc/sys/kernel/printk

echo "Root disk is encrypted. Failure to authenticate will destroy boot key."
echo -n "Waiting for thumb-print verification "
while [ ! -f /dev2/rootkey ]; do
  echo -n "."
  for d in	/devfs/scsi/host0/bus0/target0/lun0/part1 \\
		/devfs/scsi/host0/bus0/target0/lun1/disc; do
    if ! mount -n \$d /mnt -o ro -t vfat 2>/dev/null >/dev/null; then continue; fi
    for i in keys/*; do
      if [ -f /mnt/\${i%.*}.key ]; then
        /bin/xor /mnt/\${i%.*}.key \$i > /dev2/rootkey
    umount -n /mnt

echo " Found"
echo $old > /proc/sys/kernel/printk

if [ -f /dev2/rootkey ]; then
  /sbin/cryptsetup -d /dev2/rootkey -c \$cipher_mode create \$dmname \$device

chmod +x $INITRDDIR/keyscripts/usbkeys

Reply to: