
Bug#348147: New version of patch



I've attached an updated version of the previous patch. The changes are:

* Adds support for cryptsetup-luks (see http://luks.endorphin.org/). LUKS support is now present in the regular Debian cryptsetup package. If root points at a partition with a luks header, it will be automagically recognized. This depends on support for luks detection in fstype in klibc (patch submitted upstream).

* Adds support for changing variables in the main init script. This is done by checking for the file /dev/.initramfs/source.me after running each script and sourcing it if it exists. This is probably necessary if we ever want to support features such as ROOT=probe, as it would require changing the ROOT variable when the real root is found.

* Uses the above feature to remove the cryptroot boot option and also makes changes to other files (such as lvm script) unnecessary.

Regards,
David

--

diffstat for the previous patch:
hooks/cryptroot             |   26 +++++++++++++++
init                        |    9 +++++
scripts/local-top/cryptroot |   75 ++++++++++++++++++++++++++++++++++++++++++++
scripts/local-top/lvm       |    6 ++-
4 files changed, 115 insertions(+), 1 deletion(-)

diffstat for the new patch:
hooks/cryptroot                  |   26 ++++++++++
init                             |    5 +
scripts/functions                |    4 +
scripts/local-premount/cryptroot |   99 +++++++++++++++++++++++++++++++++++++++
4 files changed, 134 insertions(+)

Index: initramfs-tools-quilt/hooks/cryptroot
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ initramfs-tools-quilt/hooks/cryptroot	2006-02-05 00:11:39.000000000 +0100
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -x "/sbin/cryptsetup" ]; then
+	copy_exec /sbin/cryptsetup /sbin
+	if [ -x "/etc/mkinitramfs/cryptgetpw" ]; then
+		copy_exec /etc/mkinitramfs/cryptgetpw /sbin
+	fi
+fi
+
+exit 0
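Review bot: Only the cryptsetup binary and the optional cryptgetpw helper are copied here; nothing in the hook adds the device-mapper or cipher kernel modules that the boot script needs for its default `aes-cbc-essiv:sha256` mapping. If those are built as modules and not already pulled in by the configured module list, the initramfs will build cleanly and then fail when the mapping is set up at boot. Consider adding something like `manual_add_modules dm_crypt` (plus the cipher and hash modules) after the first `copy_exec` line, assuming hook-functions provides that helper in this version. A header comment should also say that /etc/mkinitramfs/cryptgetpw ends up in the unencrypted initramfs and handles the passphrase, so it should be root-owned and not writable by others.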
Index: initramfs-tools-quilt/init
===================================================================
--- initramfs-tools-quilt.orig/init	2006-01-24 11:29:32.000000000 +0100
+++ initramfs-tools-quilt/init	2006-02-05 00:12:17.000000000 +0100
@@ -34,6 +34,8 @@
 export resume=${RESUME}
 export rootmnt=/root
 export debug=
+export cryptopts=${CRYPTOPTS}
+
 for x in $(cat /proc/cmdline); do
 	case $x in
 	init=*)
@@ -65,6 +67,9 @@
 		exec >/tmp/initramfs.debug 2>&1
 		set -x
 		;;
+	cryptopts=*)
+		cryptopts=${x#cryptopts=}
+		;;
 	break=*)
 		break=${x#break=}
 		;;
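Review bot: The `cryptopts=*)` arm needs a comment giving the expected value format, since nothing in init says how the string is interpreted. Because the surrounding loop splits /proc/cmdline on whitespace, the sub-options can only be comma-separated, e.g. `# cryptopts=hash=<hash>,size=<bits>,cipher=<cipher>,node=<name>; parsed by scripts/local-premount/cryptroot`. The comment should also state that the value is passed on unvalidated and later expanded unquoted into the cryptsetup command line. The case statement begins and ends outside this hunk.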
Index: initramfs-tools-quilt/scripts/functions
===================================================================
--- initramfs-tools-quilt.orig/scripts/functions	2006-01-24 13:11:16.000000000 +0100
+++ initramfs-tools-quilt/scripts/functions	2006-02-05 00:12:56.000000000 +0100
@@ -162,6 +162,10 @@
 {
 	for cs_x in ${runlist}; do
 		${initdir}/${cs_x}
+		if [ -e /dev/.initramfs/source.me ]; then
+			. /dev/.initramfs/source.me
+			rm -f /dev/.initramfs/source.me
+		fi
 	done
 }
 
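Review bot: The new `. /dev/.initramfs/source.me` executes whatever shell the file holds inside init's own process after every script, but the hunk has no comment stating what the file may contain. Add a comment above the `if` such as `# source.me must contain only VAR="value" assignments; it runs in init's shell and is removed after use`. Because `.` is a special builtin, a malformed or half-written file may abort the shell rather than just fail (this depends on the shell used in the initramfs), so scripts should finish writing the file before they exit. The function's opening lines are outside the hunk.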
Index: initramfs-tools-quilt/scripts/local-premount/cryptroot
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ initramfs-tools-quilt/scripts/local-premount/cryptroot	2006-02-05 00:13:58.000000000 +0100
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+# Sanity checks
+if [ "$FSTYPE" != "luks" -a -z "$cryptopts" ]; then
+	# Apparently the root partition isn't encrypted
+	exit 0
+elif [ ! -x "/sbin/cryptsetup" ]; then
+	echo "$0: no cryptsetup present"
+	exit 0
+fi
+
+# There are two possible scenarios here:
+#
+# 1) The fstype of the root device has been identified as "luks"
+# 2) The fstype is not "luks" but cryptopts has been set
+#
+# The former means that we use the luks functionality of cryptsetup, the
+# latter means that we do it the old-fashioned way.
+
+# Start by parsing some options, all options are relevant to regular cryptsetup
+# but only cryptnode is relevant to luks which picks up the rest of the
+# parameters by reading the partition header
+cryptcipher=aes-cbc-essiv:sha256
+cryptsize=256
+crypthash=sha256
+cryptnode=cryptroot
+if [ -n "$cryptopts" ]; then
+	IFS=" ,"
+	for x in $cryptopts; do
+		case $x in
+		hash=*)
+			crypthash=${x#hash=}
+			;;
+		size=*)
+			cryptsize=${x#size=}
+			;;
+		cipher=*)
+			cryptcipher=${x#cipher=}
+			;;
+		node=*)
+			cryptnode=${x#node=}
+			;;
+		esac
+	done
+	unset IFS
+fi
+NEWROOT="/dev/mapper/$cryptnode"
+
+# Check which cryptosolution we want
+if [ "$FSTYPE" = "luks" ]; then
+	# 1) The fstype of the root device has been identified as "luks"
+	cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
+	cryptremove=""
+else
+	# 2) The fstype is not "luks" but cryptopts has been set
+	cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $ROOT"
+	cryptremove="/sbin/cryptsetup remove $cryptnode"
+fi
+
+# Loop until we have a satisfactory password
+while [ 1 ]; do
+	if [ -x "/sbin/cryptgetpw" ]; then
+		/sbin/cryptgetpw | $cryptcreate
+	else
+		$cryptcreate
+	fi
+
+	if [ $? -eq 0 ]; then
+		fstype < "$NEWROOT" > /dev/.initramfs/source.me
+		. /dev/.initramfs/source.me
+		if [ "$FSTYPE" != "unknown" ]; then
+			break
+		fi
+	fi
+
+	echo "$0: cryptsetup failed or fstype not recognized, bad password or options?"
+	$cryptremove
+	sleep 3
+done
+
+# init can now pick up new FSTYPE, FSSIZE and ROOT
+echo "ROOT=\"$NEWROOT\"" >> /dev/.initramfs/source.me
+
+exit 0
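Review bot: In the LUKS branch `cryptremove=""` leaves the mapping open when luksOpen succeeds but `fstype` reports `unknown`, so the next pass of the loop calls luksOpen on a node that already exists and presumably can never succeed. Set `cryptremove="/sbin/cryptsetup luksClose $cryptnode"` there so each retry starts from a clean state. The `while [ 1 ]` loop also has no attempt limit or exit path, so a wrong `cryptopts` value or a missing root device leaves the machine retrying forever; a bounded retry count followed by a non-zero exit would hand the failure back to init. The deprecated `-a` in the first sanity test can be written as `[ "$FSTYPE" != "luks" ] && [ -z "$cryptopts" ]`.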
