blob: 055bfe9aabc511ec0927e9cc3a116f8eb4d046bf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
|
# /lib/rcscripts/addons/dm-crypt-start.sh
# For backwards compatability with baselayout < 1.13.0
dm_crypt_execute_checkfs() {
dm_crypt_execute_dmcrypt
}
dm_crypt_execute_volumes() {
dm_crypt_execute_dmcrypt
}
# Setup mappings for an individual target/swap
# Note: This relies on variables localized in the main body below.
dm_crypt_execute_dmcrypt() {
local dev ret mode
# some colors
local red='\x1b[31;01m' green='\x1b[32;01m' off='\x1b[0;0m'
if [ -n "$target" ]; then
# let user set options, otherwise leave empty
: ${options:=' '}
elif [ -n "$swap" ]; then
local foo
einfo "Checking swap is not LUKS"
cryptsetup isLuks ${source} 2>/dev/null >/dev/console </dev/console
foo="$?"
if [ "${foo}" -eq 0 ]; then
ewarn "The swap you have defined is a LUKS partition. Aborting crypt-swap setup."
return
fi
target=${swap}
# swap contents do not need to be preserved between boots, luks not required.
# suspend2 users should have initramfs's init handling their swap partition either way.
: ${options:='-c aes -h sha1 -d /dev/urandom'}
: ${pre_mount:='mkswap ${dev}'}
else
return
fi
if [ -z "$source" ] && [ ! -e "$source" ]; then
ewarn "source \"${source}\" for ${target} missing, skipping..."
return
fi
if [[ -n ${loop_file} ]] ; then
dev="/dev/mapper/${target}"
ebegin " Setting up loop device ${source}"
/sbin/losetup ${source} ${loop_file}
fi
# cryptsetup:
# luksOpen <device> <name> # <device> is $source
# create <name> <device> # <name> is $target
local arg1="create" arg2="$target" arg3="$source" luks=0
cryptsetup isLuks ${source} 2>/dev/null && { arg1="luksOpen"; arg2="$source"; arg3="$target"; luks=1; }
if /sbin/cryptsetup status ${target} | egrep -q '\<active:' ; then
einfo "dm-crypt mapping ${target} is already configured"
return
fi
splash svc_input_begin ${SVCNAME} >/dev/null 2>&1
# Handle keys
if [ -n "$key" ]; then
# Notes: sed not used to avoid case where /usr partition is encrypted.
mode=${key/*:/} && ( [ "$mode" == "$key" ] || [ -z "$mode" ] ) && mode=reg
key=${key/:*/}
case "$mode" in
gpg|reg)
# handle key on removable device
if [ -n "$remdev" ]; then
# temp directory to mount removable device
local mntrem=/mnt/remdev
local c=0 ans
for (( i = 0 ; i < 10 ; i++ ))
do
[ ! -d "$mntrem" ] && mkdir -p ${mntrem} 2>/dev/null >/dev/null
if mount -n -o ro ${remdev} ${mntrem} 2>/dev/null >/dev/null ; then
sleep 2
# keyfile exists?
if [ ! -e "${mntrem}${key}" ]; then
umount -n ${mntrem} 2>/dev/null >/dev/null
rmdir ${mntrem} 2>/dev/null >/dev/null
einfo "Cannot find ${key} on removable media."
echo -n -e " ${green}*${off} Abort?(${red}yes${off}/${green}no${off})" >/dev/console
read ${read_timeout} ans </dev/console
echo >/dev/console
[ "$ans" = "no" ] && { i=0; c=0; } || return
else
key="${mntrem}${key}"
break
fi
else
[ "$c" -eq 0 ] && einfo "Please insert removable device for ${target}"
c=1
sleep 2
# let user abort
if [ "$i" -eq 9 ]; then
rmdir ${mntrem} 2>/dev/null >/dev/null
einfo "Removable device for ${target} not present."
echo -n -e " ${green}*${off} Abort?(${red}yes${off}/${green}no${off})" >/dev/console
read ${read_timeout} ans </dev/console
echo >/dev/console
[ "$ans" = "no" ] && { i=0; c=0; } || return
fi
fi
done
else # keyfile ! on removable device
if [ ! -e "$key" ]; then
ewarn "${source} will not be decrypted ..."
einfo "Reason: keyfile ${key} does not exist."
return
fi
fi
;;
*)
ewarn "${source} will not be decrypted ..."
einfo "Reason: mode ${mode} is invalid."
return
;;
esac
else
mode=none
fi
ebegin "dm-crypt map ${target}"
einfo "cryptsetup will be called with : ${options} ${arg1} ${arg2} ${arg3}"
if [ "$mode" == "gpg" ]; then
: ${gpg_options:='-q -d'}
# gpg available ?
if type -p gpg >/dev/null ; then
for (( i = 0 ; i < 3 ; i++ ))
do
# paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected.
# save stdin stdout stderr "values"
exec 3>&0 4>&1 6>&2 # ABS says fd 5 is reserved
exec &>/dev/console </dev/console
gpg ${gpg_options} ${key} 2>/dev/null | cryptsetup ${options} ${arg1} ${arg2} ${arg3}
ret="$?"
# restore values and close file descriptors
exec 0>&3 1>&4 2>&6
exec 3>&- 4>&- 6>&-
[ "$ret" -eq 0 ] && break
done
eend "${ret}" "failure running cryptsetup"
else
ewarn "${source} will not be decrypted ..."
einfo "Reason: cannot find gpg application."
einfo "You have to install app-crypt/gnupg first."
einfo "If you have /usr on its own partition, try copying gpg to /bin ."
fi
else
if [ "$mode" == "reg" ]; then
cryptsetup ${options} -d ${key} ${arg1} ${arg2} ${arg3} >/dev/console </dev/console
ret="$?"
eend "${ret}" "failure running cryptsetup"
else
cryptsetup ${options} ${arg1} ${arg2} ${arg3} >/dev/console </dev/console
ret="$?"
eend "${ret}" "failure running cryptsetup"
fi
fi
if [ -d "$mntrem" ]; then
umount -n ${mntrem} 2>/dev/null >/dev/null
rmdir ${mntrem} 2>/dev/null >/dev/null
fi
splash svc_input_end ${SVCNAME} >/dev/null 2>&1
if [[ ${ret} != 0 ]] ; then
cryptfs_status=1
else
if [[ -n ${pre_mount} ]] ; then
dev="/dev/mapper/${target}"
ebegin " Running pre_mount commands for ${target}"
eval "${pre_mount}" > /dev/null
ewend $? || cryptfs_status=1
fi
fi
}
# Run any post_mount commands for an individual mount
#
# Note: This relies on variables localized in the main body below.
dm_crypt_execute_localmount() {
local mount_point
[ -z "$target" ] && [ -z "$post_mount" ] && return
if ! /sbin/cryptsetup status ${target} | egrep -q '\<active:' ; then
ewarn "Skipping unmapped target ${target}"
cryptfs_status=1
return
fi
mount_point=$(grep "/dev/mapper/${target}" /proc/mounts | cut -d' ' -f2)
if [[ -z ${mount_point} ]] ; then
ewarn "Failed to find mount point for ${target}, skipping"
cryptfs_status=1
fi
if [[ -n ${post_mount} ]] ; then
ebegin "Running post_mount commands for target ${target}"
eval "${post_mount}" >/dev/null
eend $? || cryptfs_status=1
fi
}
# Determine string lengths
strlen() {
if [ -z "$1" ]
then
echo "usage: strlen <variable_name>"
die
fi
eval echo "\${#${1}}"
}
# Lookup optional bootparams
parse_opt() {
case "$1" in
*\=*)
local key_name="`echo "$1" | cut -f1 -d=`"
local key_len=`strlen key_name`
local value_start=$((key_len+2))
echo "$1" | cut -c ${value_start}-
;;
esac
}
local cryptfs_status=0
local gpg_options key loop_file target targetline options pre_mount post_mount source swap remdev
CMDLINE="`cat /proc/cmdline`"
for x in ${CMDLINE}
do
case "${x}" in
key_timeout\=*)
KEY_TIMEOUT=`parse_opt "${x}"`
if [ ${KEY_TIMEOUT} -gt 0 ]; then
read_timeout="-t ${KEY_TIMEOUT}"
fi
;;
esac
done
if [[ -f /etc/conf.d/dmcrypt ]] && [[ -x /sbin/cryptsetup ]] ; then
ebegin "Setting up dm-crypt mappings"
# Fix for baselayout-1.12.10 (bug 174256)
[ -z ${SVCNAME} ] && SVCNAME="${myservice}"
while read targetline ; do
# skip comments and blank lines
[[ ${targetline}\# == \#* ]] && continue
# check for the start of a new target/swap
case ${targetline} in
target=*|swap=*)
# If we have a target queued up, then execute it
dm_crypt_execute_${SVCNAME}
# Prepare for the next target/swap by resetting variables
unset gpg_options key loop_file target options pre_mount post_mount source swap remdev
;;
gpg_options=*|remdev=*|key=*|loop_file=*|options=*|pre_mount=*|post_mount=*|source=*)
if [[ -z ${target} && -z ${swap} ]] ; then
ewarn "Ignoring setting outside target/swap section: ${targetline}"
continue
fi
;;
*)
ewarn "Skipping invalid line in /etc/conf.d/dmcrypt: ${targetline}"
;;
esac
# Queue this setting for the next call to dm_crypt_execute_${SVCNAME}
eval "${targetline}"
done < /etc/conf.d/dmcrypt
# If we have a target queued up, then execute it
dm_crypt_execute_${SVCNAME}
ewend ${cryptfs_status} "Failed to setup dm-crypt devices"
fi
# vim:ts=4
|