Package: cryptsetup-initramfs Version: 2:2.4.0-1 Severity: wishlist
Hi. I think it would be nice if askpass were only included when actually needed. That seems to be the case when no keyscript is set and the KEY field is none, because: - if a keyscript is set, either it should read the passphrase itself (if one is needed at all) or include askpass on its own (via a hook) - if KEY is not "none", a key file would be used rather than a passphrase. Does the attached patch seem reasonable (I haven't had the time to test it)? Cheers, Chris.
--- /usr/share/initramfs-tools/hooks/cryptroot 2021-08-19 03:11:11.000000000 +0200 +++ cryptroot 2021-09-16 17:37:21.670792197 +0200 
@@ -67,45 +67,51 @@
 # luck with the unchanged _CRYPTTAB_SOURCE value
 fi
- # if keyscript is set, the "key" is just an argument to the script
- if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
- crypttab_key_check || return 1
- case "$CRYPTTAB_KEY" in
- $KEYFILE_PATTERN)
- mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
- # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
- keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
- if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
- cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
- fi
- _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
- ;;
- *)
- if [ "$usage" = rootfs ]; then
- cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
- return 1
- elif [ "$usage" = resume ]; then
- cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
- fi
- if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
- [ "${keyfile#/}" != "$keyfile" ]; then
- cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
- return 1
- elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
- cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
- return 1
- fi
- if [ !
-e "$CRYPTTAB_KEY" ]; then
- cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
- else
- _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
- fi
- esac
- fi
-
+ # if a keyscript is set
 if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+ # in this case the "key field" is just an argument to the keyscript
+ copy_exec "$CRYPTTAB_OPTION_keyscript"
+ else
+ # if a key file is set
+ if [ "$CRYPTTAB_KEY" != "none" ]; then
+ crypttab_key_check || return 1
+ case "$CRYPTTAB_KEY" in
+ $KEYFILE_PATTERN)
+ mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
+ # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
+ keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
+ if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
+ cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
+ fi
+ _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
+ ;;
+ *)
+ if [ "$usage" = rootfs ]; then
+ cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
+ return 1
+ elif [ "$usage" = resume ]; then
+ cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
+ fi
+ if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
+ [ "${keyfile#/}" != "$keyfile" ]; then
+ cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
+ return 1
+ elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
+ cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
+ return 1
+ fi
+ if [ !
-e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + else + _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name + fi + esac + else + copy_exec /lib/cryptsetup/askpass + fi fi + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then # (recursively) list first the device to derive the key from (so # the boot scripts unlock it first); since _CRYPTTAB_* are local @@ -295,7 +301,6 @@ copy_exec /sbin/cryptsetup copy_exec /sbin/dmsetup -copy_exec /lib/cryptsetup/askpass # We need sed. Either via busybox or as standalone binary. if [ "$BUSYBOX" = n ] || [ ! -e "$BUSYBOXDIR/busybox" ]; then
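Review bot: With `copy_exec /lib/cryptsetup/askpass` now reached only from the innermost `else` (no keyscript and KEY is `none`), every keyscript target loses askpass unless that keyscript's own hook copies it, and as far as I recall the bundled decrypt_keyctl and decrypt_gnupg scripts prompt through askpass themselves, so an image built for them would fail at the unlock prompt at boot with nothing flagged at build time. The key-file branch has a similar gap: the hook only warns on a non-existing key file and carries on, so if the boot scripts fall back to a passphrase prompt when the key file is missing or rejected (I have not verified that path), the fallback now hits an absent binary. The conservative fix is to keep askpass for the keyscript case as well, i.e. add `copy_exec /lib/cryptsetup/askpass` next to `copy_exec "$CRYPTTAB_OPTION_keyscript"`, which still drops it for the pure key-file targets that motivated the patch, and to record the assumption in a comment such as `# askpass is only omitted for key-file targets; keyscripts may still rely on it`. The enclosing function starts before this hunk, and the unconditional copy removed in the second hunk was the only other place askpass was added.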