Bug#247054: Crypto-root patch updated to initrd-tools 0.1.70
On Fri, Nov 19, 2004 at 06:28:53PM +0000, Martin Michlmayr wrote:
> if [ "`dmsetup table disk | awk ' { print $3 } '`" = "crypt" ]; then
> + devname=$(grep -m 1 "^$dmname[[:space:]]" /etc/crypttab | sed 's/^[^[:space:]]*[[:space:]]\([^[:space:]]*\).*/\1/')
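Review bot: in the added devname line, $dmname is interpolated into the grep pattern unescaped, so a mapping name containing a regex metacharacter such as "." can match a different /etc/crypttab entry, and -m 1 then silently takes whichever line matches first. An exact field comparison avoids this and replaces the sed extraction as well, for example: awk -v n="$dmname" '$1 == n { print $2; exit }' /etc/crypttab. The visible lines also do not check for an empty result, so devname should be tested before it is used as the device to unlock.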
Yep, both look like a good improvement.
> With those two changes, I've been able to boot from an encrypted root
> on PowerPC. Nice!
Cool. :)
> I'd like to hear from Wesley before I'll apply this in SVN, but I
> think it looks ok. Also, I'd really like someone to give me an
> example script to mount secret keys from a USB stick.
I've attached my script. I haven't made it public b/c it has my USB stick
hard-coded. ;)
> I'll also have to see whether LVM on top of crypto works. I think I saw
> a problem with this.
I use RAID1->LVM->crypto->reiserfs; it works fine (except for every time when
initrd-tools gets upgraded and my system becomes unbootable...).
--
Wesley W. Terpstra
#! /bin/bash
# Modules needed inside the initrd to read a VFAT USB stick.
modules="usb-storage sd-mod nls_cp437 ehci-hcd uhci-hcd nls_iso8859-1"

# Copy the on-disk halves of the keys into the initrd.
mkdir $INITRDDIR/keys
cp /boot/keys/* $INITRDDIR/keys

# Install each module and its dependencies; cut strips the leading "insmod ".
for mod in $modules; do
    for ko in `modprobe --set-version $VERSION --show-depends $mod | cut -b8-`; do
        install -d $INITRDDIR/${ko%/*}
        install $ko $INITRDDIR/$ko
    done
done

cp /usr/local/bin/xor $INITRDDIR/bin
cp /usr/local/bin/delay $INITRDDIR/bin

# Generate the keyscript. The heredoc is unquoted, so every variable that must
# be evaluated at boot time (not now) is escaped with a backslash.
cat <<EOF >$INITRDDIR/keyscripts/usbkeys
modprobe uhci-hcd
modprobe ehci-hcd
modprobe usb-storage
modprobe sd-mod

# Silence kernel console messages while waiting; restored further down.
read old nil < /proc/sys/kernel/printk
echo 0 > /proc/sys/kernel/printk

echo
echo
echo "Root disk is encrypted. Failure to authenticate will destroy boot key."
echo
echo -n "Waiting for thumb-print verification "

# Poll the USB stick until a matching .key file has been combined with the
# key half stored in the initrd.
while [ ! -f /dev2/rootkey ]; do
    echo -n "."
    /bin/delay
    for d in /devfs/scsi/host0/bus0/target0/lun0/part1 \\
             /devfs/scsi/host0/bus0/target0/lun1/disc; do
        if ! mount -n \$d /mnt -o ro -t vfat 2>/dev/null >/dev/null; then continue; fi
        for i in keys/*; do
            if [ -f /mnt/\${i%.*}.key ]; then
                /bin/xor /mnt/\${i%.*}.key \$i > /dev2/rootkey
            fi
        done
        umount -n /mnt
    done
done

echo " Found"
echo \$old > /proc/sys/kernel/printk

if [ -f /dev2/rootkey ]; then
    /sbin/cryptsetup -d /dev2/rootkey -c \$cipher_mode create \$dmname \$device
fi
EOF
chmod +x $INITRDDIR/keyscripts/usbkeys