Bug#348147: New version of patch
I've attached an updated version of the previous patch. The changes are:
* Adds support for cryptsetup-luks (see http://luks.endorphin.org/).
LUKS support is now present in the regular Debian cryptsetup package.
If root points at a partition with a luks header, it will be
automagically recognized. This depends on support for luks detection
in fstype in klibc (patch submitted upstream).
* Adds support for changing variables in the main init script. This is
performed by checking for the file /dev/.initramfs/source.me after
running each script and sourcing it if it exists. This is probably
necessary if we ever want to support features such as ROOT=probe as it
would require changing the ROOT variable as the real root is found.
* Uses the above feature to remove the cryptroot boot option and also
makes changes to other files (such as lvm script) unnecessary.
Regards,
David
--
diffstat for the previous patch:
hooks/cryptroot | 26 +++++++++++++++
init | 9 +++++
scripts/local-top/cryptroot | 75 ++++++++++++++++++++++++++++++++++++++++++++
scripts/local-top/lvm | 6 ++-
4 files changed, 115 insertions(+), 1 deletion(-)
diffstat for the new patch:
hooks/cryptroot | 26 ++++++++++
init | 5 +
scripts/functions | 4 +
scripts/local-premount/cryptroot | 99 +++++++++++++++++++++++++++++++++++++++
4 files changed, 134 insertions(+)
Index: initramfs-tools-quilt/hooks/cryptroot
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ initramfs-tools-quilt/hooks/cryptroot 2006-02-05 00:11:39.000000000 +0100
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -x "/sbin/cryptsetup" ]; then
+ copy_exec /sbin/cryptsetup /sbin
+ if [ -x "/etc/mkinitramfs/cryptgetpw" ]; then
+ copy_exec /etc/mkinitramfs/cryptgetpw /sbin
+ fi
+fi
+
+exit 0
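Review bot: The inner `if` copies `/etc/mkinitramfs/cryptgetpw` into the image on the strength of its executable bit alone, and nothing documents where that file ends up. The initramfs has to be readable before the root device is unlocked, so anything embedded in the helper is available without the passphrase. A comment above the inner `if` would make this explicit, e.g. `# cryptgetpw is copied into the initramfs, which is readable without the passphrase: it must not embed key material`. Because the helper later runs as root in early boot and feeds the passphrase to cryptsetup, it may also be worth refusing to copy it unless it is root-owned and not group- or world-writable.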
Index: initramfs-tools-quilt/init
===================================================================
--- initramfs-tools-quilt.orig/init 2006-01-24 11:29:32.000000000 +0100
+++ initramfs-tools-quilt/init 2006-02-05 00:12:17.000000000 +0100
@@ -34,6 +34,8 @@
export resume=${RESUME}
export rootmnt=/root
export debug=
+export cryptopts=${CRYPTOPTS}
+
for x in $(cat /proc/cmdline); do
case $x in
init=*)
@@ -65,6 +67,9 @@
exec >/tmp/initramfs.debug 2>&1
set -x
;;
+ cryptopts=*)
+ cryptopts=${x#cryptopts=}
+ ;;
break=*)
break=${x#break=}
;;
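Review bot: The new `cryptopts=*)` arm has no comment describing the accepted syntax, which can only be learned from the parser in scripts/local-premount/cryptroot. Suggest adding above the arm `# cryptopts=<opt>[,<opt>...] with hash=, size=, cipher=, node=; overrides CRYPTOPTS`. The value is taken from /proc/cmdline as-is, so any validation has to happen in the script that consumes it. The enclosing `case` statement starts and ends outside this hunk.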
Index: initramfs-tools-quilt/scripts/functions
===================================================================
--- initramfs-tools-quilt.orig/scripts/functions 2006-01-24 13:11:16.000000000 +0100
+++ initramfs-tools-quilt/scripts/functions 2006-02-05 00:12:56.000000000 +0100
@@ -162,6 +162,10 @@
{
for cs_x in ${runlist}; do
${initdir}/${cs_x}
+ if [ -e /dev/.initramfs/source.me ]; then
+ . /dev/.initramfs/source.me
+ rm -f /dev/.initramfs/source.me
+ fi
done
}
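Review bot: Sourcing `/dev/.initramfs/source.me` executes its whole content in init's shell, so every boot script can run commands in the main init process and overwrite any of its variables; that contract should be written next to the check. Suggest a comment such as `# source.me may contain only VAR="value" assignments (ROOT, FSTYPE, FSSIZE); it is executed in this shell`. A syntax error in the sourced file can terminate a non-interactive POSIX shell, which here would presumably be init. In that case the `rm -f` is never reached and the file is left behind. The function body begins outside this hunk.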
Index: initramfs-tools-quilt/scripts/local-premount/cryptroot
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ initramfs-tools-quilt/scripts/local-premount/cryptroot 2006-02-05 00:13:58.000000000 +0100
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+# Sanity checks
+if [ "$FSTYPE" != "luks" -a -z "$cryptopts" ]; then
+ # Apparently the root partition isn't encrypted
+ exit 0
+elif [ ! -x "/sbin/cryptsetup" ]; then
+ echo "$0: no cryptsetup present"
+ exit 0
+fi
+
+# There are two possible scenarios here:
+#
+# 1) The fstype of the root device has been identified as "luks"
+# 2) The fstype is not "luks" but cryptopts has been set
+#
+# The former means that we use the luks functionality of cryptsetup, the
+# latter means that we do it the old-fashioned way.
+
+# Start by parsing some options, all options are relevant to regular cryptsetup
+# but only cryptnode is relevant to luks which picks up the rest of the
+# parameters by reading the partition header
+cryptcipher=aes-cbc-essiv:sha256
+cryptsize=256
+crypthash=sha256
+cryptnode=cryptroot
+if [ -n "$cryptopts" ]; then
+ IFS=" ,"
+ for x in $cryptopts; do
+ case $x in
+ hash=*)
+ crypthash=${x#hash=}
+ ;;
+ size=*)
+ cryptsize=${x#size=}
+ ;;
+ cipher=*)
+ cryptcipher=${x#cipher=}
+ ;;
+ node=*)
+ cryptnode=${x#node=}
+ ;;
+ esac
+ done
+ unset IFS
+fi
+NEWROOT="/dev/mapper/$cryptnode"
+
+# Check which cryptosolution we want
+if [ "$FSTYPE" = "luks" ]; then
+ # 1) The fstype of the root device has been identified as "luks"
+ cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
+ cryptremove=""
+else
+ # 2) The fstype is not "luks" but cryptopts has been set
+ cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $ROOT"
+ cryptremove="/sbin/cryptsetup remove $cryptnode"
+fi
+
+# Loop until we have a satisfactory password
+while [ 1 ]; do
+ if [ -x "/sbin/cryptgetpw" ]; then
+ /sbin/cryptgetpw | $cryptcreate
+ else
+ $cryptcreate
+ fi
+
+ if [ $? -eq 0 ]; then
+ fstype < "$NEWROOT" > /dev/.initramfs/source.me
+ . /dev/.initramfs/source.me
+ if [ "$FSTYPE" != "unknown" ]; then
+ break
+ fi
+ fi
+
+ echo "$0: cryptsetup failed or fstype not recognized, bad password or options?"
+ $cryptremove
+ sleep 3
+done
+
+# init can now pick up new FSTYPE, FSSIZE and ROOT
+echo "ROOT=\"$NEWROOT\"" >> /dev/.initramfs/source.me
+
+exit 0
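Review bot: In the LUKS branch `cryptremove=""` leaves the mapping in place when `luksOpen` succeeds but `fstype` reports `unknown`, so the next pass of the `while [ 1 ]` loop calls `luksOpen` on a node name that is already in use. That call would presumably fail every time, and the loop has no other exit. Setting `cryptremove="/sbin/cryptsetup luksClose $cryptnode"` in that branch tears the mapping down before retrying; after a failed open it only prints a harmless error. Separately, the `node=` value is written unescaped into `ROOT=\"$NEWROOT\"`, which init then sources. Restricting `cryptnode` to a conservative character set with a `case` pattern before building `NEWROOT` would keep shell metacharacters out of that file.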