--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: Add support for cryptoroot
- From: David Härdeman <david@2gen.com>
- Date: Sun, 15 Jan 2006 11:08:58 +0100
- Message-id: <20060115100858.GA5714@hardeman.nu>
Package: initramfs-tools
Version: 0.49
Severity: wishlist
Tags: patch
I've attached a first attempt at adding cryptroot support.
It adds two new boot options:
cryptroot: the device which the encrypted filesystem resides on
example: cryptroot=/dev/hda1
cryptopts: a comma-separated list of arguments to cryptsetup, currently
supported options are hash, size and cipher. If none are
specified, defaults (the example below) will be used.
example:
cryptopts=hash=sha256,size=256,cipher=aes-cbc-essiv:sha256
if cryptroot is present, the root argument is expected to be the node
where cryptsetup should setup the unencrypted fs, so it should be under
the /dev/mapper hierarchy. An example of a complete set of arguments
for cryptroot is:
root=/dev/mapper/cryptroot cryptroot=/dev/hda1 cryptopts=hash=sha256,size=256,cipher=aes-cbc-essiv:sha256
Admittedly, having both a root and a cryptroot command line option is
somewhat ugly, but avoiding it would require the init script to source
the files under scripts instead of executing them. The ROOT variable
could then be set to the encrypted node (/dev/hda1 in the example above)
until the cryptroot script is run which could setup the
/dev/mapper/cryptroot node and change the ROOT variable accordingly.
This would for instance have the advantage of making any changes to the
lvm script unnecessary. Alas, this is not possible without major changes...
The cryptroot hook copies cryptsetup to the initramfs (if present) and
if /etc/mkinitramfs/cryptgetpw is present on the system it is also
included.
If no cryptgetpw script is present, the cryptroot script will ask the
user to input the password via keyboard. If the script is present, it is
executed and its output piped to cryptsetup. This allows users to create
more complex password schemes (for example, I currently use a cryptgetpw
which loads the password from a USB key) by creating an appropriate
script.
Comments/suggestions are very welcome (especially a clean way of
altering the ROOT variable from the scripts/local-top/cryptroot would be
nice)...
Re,
David Härdeman
diff -Nur -x udev initramfs-tools-bak/hooks/cryptroot initramfs-tools/hooks/cryptroot
--- initramfs-tools-bak/hooks/cryptroot 1970-01-01 01:00:00.000000000 +0100
+++ initramfs-tools/hooks/cryptroot 2006-01-14 20:50:37.000000000 +0100
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ -x "/sbin/cryptsetup" ]; then
+ copy_exec /sbin/cryptsetup /sbin
+ if [ -x "/etc/mkinitramfs/cryptgetpw" ]; then
+ copy_exec /etc/mkinitramfs/cryptgetpw /sbin
+ fi
+fi
+
+exit 0
diff -Nur -x udev initramfs-tools-bak/init initramfs-tools/init
--- initramfs-tools-bak/init 2005-12-28 01:27:43.000000000 +0100
+++ initramfs-tools/init 2006-01-12 22:06:29.000000000 +0100
@@ -28,6 +28,9 @@
export resume=${RESUME}
export rootmnt=/root
export debug=
+export cryptroot=
+export cryptopts=
+
for x in $(cat /proc/cmdline); do
case $x in
init=*)
@@ -59,6 +62,12 @@
exec >/tmp/initramfs.debug 2>&1
set -x
;;
+ cryptroot=*)
+ cryptroot=${x#cryptroot=}
+ ;;
+ cryptopts=*)
+ cryptopts=${x#cryptopts=}
+ ;;
break=*)
break=${x#break=}
;;
diff -Nur -x udev initramfs-tools-bak/scripts/local-top/cryptroot initramfs-tools/scripts/local-top/cryptroot
--- initramfs-tools-bak/scripts/local-top/cryptroot 1970-01-01 01:00:00.000000000 +0100
+++ initramfs-tools/scripts/local-top/cryptroot 2006-01-15 09:27:03.000000000 +0100
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+PREREQ="md lvm evms"
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+if [ ! -x "/sbin/cryptsetup" ]; then
+ echo "$0: no cryptsetup present"
+ exit 0
+fi
+
+# If we have a cryptroot, root must be a device-mapper partition
+if [ -n "$cryptroot" ]; then
+ cryptnode=${ROOT#/dev/mapper/}
+ if [ "$cryptnode" = "$ROOT" ]; then
+ panic "$0: root must be a device-mapper partition"
+ fi
+else
+ exit 0
+fi
+
+cryptciper=aes-cbc-essiv:sha256
+cryptsize=256
+crypthash=sha256
+
+if [ -n "$cryptopts" ]; then
+ argc=0
+ while [ 1 ]; do
+ arg=$( echo "$cryptopts" | cut -d "," -f $argc )
+ [ -n "$arg" ] || break
+ argc=$(( argc + 1 ))
+
+ case "$arg" in
+ hash=*)
+ crypthash=${arg#hash=}
+ ;;
+ size=*)
+ cryptsize=${arg#size=}
+ ;;
+ cipher=*)
+ cryptcipher=${arg#cipher=}
+ ;;
+ esac
+ done
+fi
+
+while [ 1 ]; do
+ if [ -x "/sbin/cryptgetpw" ]; then
+ /sbin/cryptgetpw | /sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $cryptroot
+ else
+ /sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $cryptroot
+ fi
+
+ eval $( fstype < "$ROOT" )
+ if [ "$FSTYPE" = "unknown" ]; then
+ echo "$0: fstype not recognized, bad password?"
+ /sbin/cryptsetup remove $cryptnode
+ sleep 3
+ continue
+ fi
+ break
+done
+
+exit 0
diff -Nur -x udev initramfs-tools-bak/scripts/local-top/lvm initramfs-tools/scripts/local-top/lvm
--- initramfs-tools-bak/scripts/local-top/lvm 2006-01-14 21:21:51.000000000 +0100
+++ initramfs-tools/scripts/local-top/lvm 2006-01-14 21:21:36.000000000 +0100
@@ -15,7 +15,11 @@
;;
esac
-vg=${ROOT#/dev/mapper/}
+if [ -n "$cryptroot" ]; then
+ vg=${cryptroot#/dev/mapper/}
+else
+ vg=${ROOT#/dev/mapper/}
+fi
case ${vg} in
/dev/root)
--- End Message ---
--- Begin Message ---
Source: initramfs-tools
Source-Version: 0.60
We believe that the bug you reported is fixed in the latest version of
initramfs-tools, which is due to be installed in the Debian FTP archive:
initramfs-tools_0.60.dsc
to pool/main/i/initramfs-tools/initramfs-tools_0.60.dsc
initramfs-tools_0.60.tar.gz
to pool/main/i/initramfs-tools/initramfs-tools_0.60.tar.gz
initramfs-tools_0.60_all.deb
to pool/main/i/initramfs-tools/initramfs-tools_0.60_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 348147@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
maximilian attems <maks@sternwelten.at> (supplier of updated initramfs-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 18 Apr 2006 13:33:18 +0200
Source: initramfs-tools
Binary: initramfs-tools
Architecture: source all
Version: 0.60
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: maximilian attems <maks@sternwelten.at>
Description:
initramfs-tools - tools for generating an initramfs
Closes: 348147 358649 358917 362568 362816
Changes:
initramfs-tools (0.60) unstable; urgency=low
.
"E ho trovato l'invasor"
.
* scripts/functions: Allow boot scripts to modify exported boot parameters.
Thanks David Härdeman <david@2gen.com> for the patch. (closes: 348147)
This allows the inclusion of cryptoroot hooks to cryptsetup!
.
* init: add cryptopts parsing and export.
.
* init: Move parse_numeric down to the "mounting root" block.
.
* init, scripts/local: Allow rootflags to be passed in kernel cmdline.
Thanks Thomas Luzat <thomas.luzat@gmx.net> for the patch. (closes: #358917)
.
* init: Allow passing nfs root mount option in kernel cmdline. Thanks
Brian Brunswick <bdb@forbidden.co.uk> for the patch. (closes: #358649)
.
* update-initramfs: s/ALL/all/, fix it to actually run on update in non
verbose mode. (closes: #362568)
.
* update-initramfs: Warn in big letters about grub and lilo installs.
(closes: #362816)
.
* debian/bug: Add reportbug script with info about cmdline, fs and lsmod.
.
* initramfs-tools(8): Document the /conf/param.conf feature.
.
* mkinitramfs-kpkg(8): Spell out, why the wrapper script is needed.
Files:
0786e9cffe33196a2389d3f42a67899b 629 utils optional initramfs-tools_0.60.dsc
885180fc00f9e98da0d1c5a5f3d9236c 37338 utils optional initramfs-tools_0.60.tar.gz
5c42f6e800e87b6b7f184ad610214bfc 43460 utils optional initramfs-tools_0.60_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFERO9b6n7So0GVSSARApyGAJ9SHAGjt/wSOWtMjvmnl8NRIGR7+wCeP5BH
X5hmYN6Wbum45lb/hKhyzig=
=MRhR
-----END PGP SIGNATURE-----
--- End Message ---