Date: Monday, July 28, 2014 @ 19:24:35
Author: thomas
Revision: 218253
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
cryptsetup/repos/testing-i686/
cryptsetup/repos/testing-i686/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
(from rev 218252,
cryptsetup/trunk/0001-Move-safe-table-params-wipe-into-function-which-allo.patch)
cryptsetup/repos/testing-i686/0002-Re-check-flags-after-DM-device-creations.patch
(from rev 218252,
cryptsetup/trunk/0002-Re-check-flags-after-DM-device-creations.patch)
cryptsetup/repos/testing-i686/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
(from rev 218252,
cryptsetup/trunk/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch)
cryptsetup/repos/testing-i686/PKGBUILD
(from rev 218252, cryptsetup/trunk/PKGBUILD)
cryptsetup/repos/testing-i686/encrypt_hook
(from rev 218252, cryptsetup/trunk/encrypt_hook)
cryptsetup/repos/testing-i686/encrypt_install
(from rev 218252, cryptsetup/trunk/encrypt_install)
cryptsetup/repos/testing-i686/sd-encrypt
(from rev 218252, cryptsetup/trunk/sd-encrypt)
cryptsetup/repos/testing-x86_64/
cryptsetup/repos/testing-x86_64/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
(from rev 218252,
cryptsetup/trunk/0001-Move-safe-table-params-wipe-into-function-which-allo.patch)
cryptsetup/repos/testing-x86_64/0002-Re-check-flags-after-DM-device-creations.patch
(from rev 218252,
cryptsetup/trunk/0002-Re-check-flags-after-DM-device-creations.patch)
cryptsetup/repos/testing-x86_64/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
(from rev 218252,
cryptsetup/trunk/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch)
cryptsetup/repos/testing-x86_64/PKGBUILD
(from rev 218252, cryptsetup/trunk/PKGBUILD)
cryptsetup/repos/testing-x86_64/encrypt_hook
(from rev 218252, cryptsetup/trunk/encrypt_hook)
cryptsetup/repos/testing-x86_64/encrypt_install
(from rev 218252, cryptsetup/trunk/encrypt_install)
cryptsetup/repos/testing-x86_64/sd-encrypt
(from rev 218252, cryptsetup/trunk/sd-encrypt)
--------------------------------------------------------------------------------+
testing-i686/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
| 37 ++
testing-i686/0002-Re-check-flags-after-DM-device-creations.patch
| 62 ++++
testing-i686/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
| 92 ++++++
testing-i686/PKGBUILD
| 50 +++
testing-i686/encrypt_hook
| 139 ++++++++++
testing-i686/encrypt_install
| 44 +++
testing-i686/sd-encrypt
| 42 +++
testing-x86_64/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
| 37 ++
testing-x86_64/0002-Re-check-flags-after-DM-device-creations.patch
| 62 ++++
testing-x86_64/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
| 92 ++++++
testing-x86_64/PKGBUILD
| 50 +++
testing-x86_64/encrypt_hook
| 139 ++++++++++
testing-x86_64/encrypt_install
| 44 +++
testing-x86_64/sd-encrypt
| 42 +++
14 files changed, 932 insertions(+)
Copied:
cryptsetup/repos/testing-i686/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
(from rev 218252,
cryptsetup/trunk/0001-Move-safe-table-params-wipe-into-function-which-allo.patch)
===================================================================
---
testing-i686/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
(rev 0)
+++
testing-i686/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,37 @@
+From 2250d5f71f9dd66112d5c63367169f4e6af8ad70 Mon Sep 17 00:00:00 2001
+From: Milan Broz <[email protected]>
+Date: Thu, 24 Jul 2014 11:37:24 +0200
+Subject: [PATCH 1/3] Move safe table params wipe into function which allocates
+ it.
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ lib/libdevmapper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 3ed87c0..8e5a696 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -642,8 +642,6 @@ out_no_removal:
+ if (cookie && _dm_use_udev())
+ (void)_dm_udev_wait(cookie);
+
+- if (params)
+- crypt_safe_free(params);
+ if (dmt)
+ dm_task_destroy(dmt);
+
+@@ -674,6 +672,8 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ r = _dm_create_device(name, type, dmd->data_device,
+ dmd->flags, dmd->uuid, dmd->size,
+ table_params, reload);
++
++ crypt_safe_free(table_params);
+ dm_exit_context();
+ return r;
+ }
+--
+2.0.1
+
Copied:
cryptsetup/repos/testing-i686/0002-Re-check-flags-after-DM-device-creations.patch
(from rev 218252,
cryptsetup/trunk/0002-Re-check-flags-after-DM-device-creations.patch)
===================================================================
--- testing-i686/0002-Re-check-flags-after-DM-device-creations.patch
(rev 0)
+++ testing-i686/0002-Re-check-flags-after-DM-device-creations.patch
2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,62 @@
+From 3640eaa726b7a9d761f1c67cd8620153d791688e Mon Sep 17 00:00:00 2001
+From: Milan Broz <[email protected]>
+Date: Thu, 24 Jul 2014 11:52:58 +0200
+Subject: [PATCH 2/3] Re-check flags after DM device creations.
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ lib/libdevmapper.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 8e5a696..6138a6b 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -566,6 +566,9 @@ static int _dm_create_device(const char *name, const char
*type,
+ uint32_t cookie = 0;
+ uint16_t udev_flags = 0;
+
++ if (!params)
++ return -EINVAL;
++
+ if (flags & CRYPT_ACTIVATE_PRIVATE)
+ udev_flags = CRYPT_TEMP_UDEV_FLAGS;
+
+@@ -646,6 +649,10 @@ out_no_removal:
+ dm_task_destroy(dmt);
+
+ dm_task_update_nodes();
++
++ /* If code just loaded target module, update versions */
++ _dm_check_versions();
++
+ return r;
+ }
+
+@@ -655,7 +662,7 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ int reload)
+ {
+ char *table_params = NULL;
+- int r = -EINVAL;
++ int r;
+
+ if (!type)
+ return -EINVAL;
+@@ -668,10 +675,9 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ else if (dmd->target == DM_VERITY)
+ table_params = get_dm_verity_params(dmd->u.verity.vp, dmd);
+
+- if (table_params)
+- r = _dm_create_device(name, type, dmd->data_device,
+- dmd->flags, dmd->uuid, dmd->size,
+- table_params, reload);
++ r = _dm_create_device(name, type, dmd->data_device,
++ dmd->flags, dmd->uuid, dmd->size,
++ table_params, reload);
+
+ crypt_safe_free(table_params);
+ dm_exit_context();
+--
+2.0.1
+
Copied:
cryptsetup/repos/testing-i686/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
(from rev 218252,
cryptsetup/trunk/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch)
===================================================================
---
testing-i686/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
(rev 0)
+++
testing-i686/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,92 @@
+From 59fdf2a6bb461a39e6db6b7d515873419f8a8ada Mon Sep 17 00:00:00 2001
+From: Milan Broz <[email protected]>
+Date: Thu, 24 Jul 2014 22:11:58 +0200
+Subject: [PATCH 3/3] Properly allow activation of discard even if dm_crypt
+ module is not yet loaded.
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The dm_flags() call cannot be used if dmcrypt module is not present.
+
+Better try to activate volume with dicard flags and if it is not possible,
+try to activate device without the discard flag.
+---
+ lib/libdevmapper.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 6138a6b..dcc54fd 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -306,22 +306,19 @@ static void hex_key(char *hexkey, size_t key_size, const
char *key)
+ }
+
+ /* http://code.google.com/p/cryptsetup/wiki/DMCrypt */
+-static char *get_dm_crypt_params(struct crypt_dm_active_device *dmd)
++static char *get_dm_crypt_params(struct crypt_dm_active_device *dmd, uint32_t
flags)
+ {
+ int r, max_size, null_cipher = 0;
+ char *params, *hexkey;
+- const char *features = "";
++ const char *features;
+
+ if (!dmd)
+ return NULL;
+
+- if (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) {
+- if (dm_flags() & DM_DISCARDS_SUPPORTED) {
+- features = " 1 allow_discards";
+- log_dbg("Discard/TRIM is allowed.");
+- } else
+- log_dbg("Discard/TRIM is not supported by the kernel.");
+- }
++ if (flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
++ features = " 1 allow_discards";
++ else
++ features = "";
+
+ if (!strncmp(dmd->u.crypt.cipher, "cipher_null-", 12))
+ null_cipher = 1;
+@@ -662,6 +659,7 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ int reload)
+ {
+ char *table_params = NULL;
++ uint32_t dmd_flags;
+ int r;
+
+ if (!type)
+@@ -670,14 +668,27 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+
++ dmd_flags = dmd->flags;
++
+ if (dmd->target == DM_CRYPT)
+- table_params = get_dm_crypt_params(dmd);
++ table_params = get_dm_crypt_params(dmd, dmd_flags);
+ else if (dmd->target == DM_VERITY)
+ table_params = get_dm_verity_params(dmd->u.verity.vp, dmd);
+
+- r = _dm_create_device(name, type, dmd->data_device,
+- dmd->flags, dmd->uuid, dmd->size,
+- table_params, reload);
++ r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
++ dmd->uuid, dmd->size, table_params, reload);
++
++ /* If discard not supported try to load without discard */
++ if (!reload && r && dmd->target == DM_CRYPT &&
++ (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) &&
++ !(dm_flags() & DM_DISCARDS_SUPPORTED)) {
++ log_dbg("Discard/TRIM is not supported, retrying activation.");
++ dmd_flags = dmd_flags & ~CRYPT_ACTIVATE_ALLOW_DISCARDS;
++ crypt_safe_free(table_params);
++ table_params = get_dm_crypt_params(dmd, dmd_flags);
++ r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
++ dmd->uuid, dmd->size, table_params,
reload);
++ }
+
+ crypt_safe_free(table_params);
+ dm_exit_context();
+--
+2.0.1
+
Copied: cryptsetup/repos/testing-i686/PKGBUILD (from rev 218252,
cryptsetup/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,50 @@
+# $Id$
+# Maintainer: Thomas Bächler <[email protected]>
+pkgname=cryptsetup
+pkgver=1.6.5
+pkgrel=2
+pkgdesc="Userspace setup tool for transparent encryption of block devices
using dm-crypt"
+arch=(i686 x86_64)
+license=('GPL')
+url="http://code.google.com/p/cryptsetup/";
+groups=('base')
+depends=('device-mapper' 'libgcrypt' 'popt' 'libutil-linux')
+makedepends=('util-linux')
+options=('!emptydirs')
+source=(https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/${pkgname}-${pkgver}.tar.xz
+
#https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/${pkgname}-${pkgver}.tar.sign
+ encrypt_hook
+ encrypt_install
+ sd-encrypt
+ 0001-Move-safe-table-params-wipe-into-function-which-allo.patch
+ 0002-Re-check-flags-after-DM-device-creations.patch
+ 0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch)
+sha256sums=('267973f20be43f9d685f7193aa23954b60768c74a1d330243114d4b8bc17ca9a'
+ '4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff'
+ 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae'
+ 'd442304e6a78b3513ebc53be3fe2f1276a7df470c8da701b3ece971d59979bdd'
+ '54895ebba0cf1df27da7a53b6a256b7826f9b2d4cff577f840ab457dc32b5c49'
+ 'd022e43fa96ee60e295cf6041a8b9e15225eeb03b713f32675061c4063c17ea5'
+ '16d55306a5dde637db16cb219834095432bc8579528789ee52aa975df12284d4')
+
+prepare() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ patch -p1 -i
"${srcdir}"/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
+ patch -p1 -i "${srcdir}"/0002-Re-check-flags-after-DM-device-creations.patch
+ patch -p1 -i
"${srcdir}"/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
+}
+
+build() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ ./configure --prefix=/usr --sbindir=/usr/bin --disable-static
--enable-cryptsetup-reencrypt
+ make
+}
+
+package() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ make DESTDIR="${pkgdir}" install
+ # install hook
+ install -D -m644 "${srcdir}"/encrypt_hook
"${pkgdir}"/usr/lib/initcpio/hooks/encrypt
+ install -D -m644 "${srcdir}"/encrypt_install
"${pkgdir}"/usr/lib/initcpio/install/encrypt
+ install -D -m644 "${srcdir}"/sd-encrypt
"${pkgdir}"/usr/lib/initcpio/install/sd-encrypt
+}
Copied: cryptsetup/repos/testing-i686/encrypt_hook (from rev 218252,
cryptsetup/trunk/encrypt_hook)
===================================================================
--- testing-i686/encrypt_hook (rev 0)
+++ testing-i686/encrypt_hook 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,139 @@
+#!/usr/bin/ash
+
+run_hook() {
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+ # Get keyfile if specified
+ ckeyfile="/crypto_keyfile.bin"
+ if [ -n "$cryptkey" ]; then
+ IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+ if [ "$ckdev" = "rootfs" ]; then
+ ckeyfile=$ckarg1
+ elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+ case ${ckarg1} in
+ *[!0-9]*)
+ # Use a file on the device
+ # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+ mkdir /ckey
+ mount -r -t "$ckarg1" "$resolved" /ckey
+ dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+ umount /ckey
+ ;;
+ *)
+ # Read raw data from the block device
+ # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+ dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1"
count="$ckarg2" >/dev/null 2>&1
+ ;;
+ esac
+ fi
+ [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting
to passphrase."
+ fi
+
+ if [ -n "${cryptdevice}" ]; then
+ DEPRECATED_CRYPT=0
+ IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+ else
+ DEPRECATED_CRYPT=1
+ cryptdev="${root}"
+ cryptname="root"
+ fi
+
+ warn_deprecated() {
+ echo "The syntax 'root=${root}' where '${root}' is an encrypted volume
is deprecated"
+ echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+ }
+
+ for cryptopt in ${cryptoptions//,/ }; do
+ case ${cryptopt} in
+ allow-discards)
+ cryptargs="${cryptargs} --allow-discards"
+ ;;
+ *)
+ echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+ ;;
+ esac
+ done
+
+ if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+ if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ dopassphrase=1
+ # If keyfile exists, try to use that
+ if [ -f ${ckeyfile} ]; then
+ if eval cryptsetup --key-file ${ckeyfile} open --type luks
${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+ dopassphrase=0
+ else
+ echo "Invalid keyfile. Reverting to passphrase."
+ fi
+ fi
+ # Ask for a passphrase
+ if [ ${dopassphrase} -gt 0 ]; then
+ echo ""
+ echo "A password is required to access the ${cryptname}
volume:"
+
+ #loop until we get a real password
+ while ! eval cryptsetup open --type luks ${resolved}
${cryptname} ${cryptargs} ${CSQUIET}; do
+ sleep 2;
+ done
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed,
aborting..."
+ exit 1
+ fi
+ elif [ -n "${crypto}" ]; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ msg "Non-LUKS encrypted device found..."
+ if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+ err "Verify parameter format:
crypto=hash:cipher:keysize:offset:skip"
+ err "Non-LUKS decryption not attempted..."
+ return 1
+ fi
+ exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+ IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+ [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
+ [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
+ [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+ [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
+ [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
+ if [ -f "$ckeyfile" ]; then
+ exe="$exe --key-file $ckeyfile"
+ else
+ exe="$exe --verify-passphrase"
+ echo ""
+ echo "A password is required to access the ${cryptname}
volume:"
+ fi
+ eval "$exe $CSQUIET"
+
+ if [ $? -ne 0 ]; then
+ err "Non-LUKS device decryption failed. verify format: "
+ err " crypto=hash:cipher:keysize:offset:skip"
+ exit 1
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed,
aborting..."
+ exit 1
+ fi
+ else
+ err "Failed to open encryption mapping: The device ${cryptdev} is
not a LUKS volume and the crypto= paramater was not specified."
+ fi
+ fi
+ rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/testing-i686/encrypt_install (from rev 218252,
cryptsetup/trunk/encrypt_install)
===================================================================
--- testing-i686/encrypt_install (rev 0)
+++ testing-i686/encrypt_install 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module dm-crypt
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/crypto/'
+ fi
+
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules"
"/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device. Users should specify the device
+to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
+where 'device' is the path to the raw device, and 'dmname' is the name given to
+the device after unlocking, and will be available as /dev/mapper/dmname.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the
key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/testing-i686/sd-encrypt (from rev 218252,
cryptsetup/trunk/sd-encrypt)
===================================================================
--- testing-i686/sd-encrypt (rev 0)
+++ testing-i686/sd-encrypt 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module dm-crypt
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/crypto/'
+ fi
+
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules"
"/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_systemd_unit cryptsetup.target
+ add_binary /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
+ add_binary /usr/lib/systemd/systemd-cryptsetup
+
+ add_systemd_unit systemd-ask-password-console.path
+ add_systemd_unit systemd-ask-password-console.service
+
+ [[ -f /etc/crypttab.initramfs ]] && add_file /etc/crypttab.initramfs
/etc/crypttab
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device with systemd initramfs.
+
+See the manpage of systemd-cryptsetup-generator(8) for available kernel
+command line options. Alternatively, if the file /etc/crypttab.initramfs
+exists, it will be added to the initramfs as /etc/crypttab. See the
+crypttab(5) manpage for more information on crypttab syntax.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied:
cryptsetup/repos/testing-x86_64/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
(from rev 218252,
cryptsetup/trunk/0001-Move-safe-table-params-wipe-into-function-which-allo.patch)
===================================================================
---
testing-x86_64/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
(rev 0)
+++
testing-x86_64/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,37 @@
+From 2250d5f71f9dd66112d5c63367169f4e6af8ad70 Mon Sep 17 00:00:00 2001
+From: Milan Broz <[email protected]>
+Date: Thu, 24 Jul 2014 11:37:24 +0200
+Subject: [PATCH 1/3] Move safe table params wipe into function which allocates
+ it.
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ lib/libdevmapper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 3ed87c0..8e5a696 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -642,8 +642,6 @@ out_no_removal:
+ if (cookie && _dm_use_udev())
+ (void)_dm_udev_wait(cookie);
+
+- if (params)
+- crypt_safe_free(params);
+ if (dmt)
+ dm_task_destroy(dmt);
+
+@@ -674,6 +672,8 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ r = _dm_create_device(name, type, dmd->data_device,
+ dmd->flags, dmd->uuid, dmd->size,
+ table_params, reload);
++
++ crypt_safe_free(table_params);
+ dm_exit_context();
+ return r;
+ }
+--
+2.0.1
+
Copied:
cryptsetup/repos/testing-x86_64/0002-Re-check-flags-after-DM-device-creations.patch
(from rev 218252,
cryptsetup/trunk/0002-Re-check-flags-after-DM-device-creations.patch)
===================================================================
--- testing-x86_64/0002-Re-check-flags-after-DM-device-creations.patch
(rev 0)
+++ testing-x86_64/0002-Re-check-flags-after-DM-device-creations.patch
2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,62 @@
+From 3640eaa726b7a9d761f1c67cd8620153d791688e Mon Sep 17 00:00:00 2001
+From: Milan Broz <[email protected]>
+Date: Thu, 24 Jul 2014 11:52:58 +0200
+Subject: [PATCH 2/3] Re-check flags after DM device creations.
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ lib/libdevmapper.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 8e5a696..6138a6b 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -566,6 +566,9 @@ static int _dm_create_device(const char *name, const char
*type,
+ uint32_t cookie = 0;
+ uint16_t udev_flags = 0;
+
++ if (!params)
++ return -EINVAL;
++
+ if (flags & CRYPT_ACTIVATE_PRIVATE)
+ udev_flags = CRYPT_TEMP_UDEV_FLAGS;
+
+@@ -646,6 +649,10 @@ out_no_removal:
+ dm_task_destroy(dmt);
+
+ dm_task_update_nodes();
++
++ /* If code just loaded target module, update versions */
++ _dm_check_versions();
++
+ return r;
+ }
+
+@@ -655,7 +662,7 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ int reload)
+ {
+ char *table_params = NULL;
+- int r = -EINVAL;
++ int r;
+
+ if (!type)
+ return -EINVAL;
+@@ -668,10 +675,9 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ else if (dmd->target == DM_VERITY)
+ table_params = get_dm_verity_params(dmd->u.verity.vp, dmd);
+
+- if (table_params)
+- r = _dm_create_device(name, type, dmd->data_device,
+- dmd->flags, dmd->uuid, dmd->size,
+- table_params, reload);
++ r = _dm_create_device(name, type, dmd->data_device,
++ dmd->flags, dmd->uuid, dmd->size,
++ table_params, reload);
+
+ crypt_safe_free(table_params);
+ dm_exit_context();
+--
+2.0.1
+
Copied:
cryptsetup/repos/testing-x86_64/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
(from rev 218252,
cryptsetup/trunk/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch)
===================================================================
---
testing-x86_64/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
(rev 0)
+++
testing-x86_64/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,92 @@
+From 59fdf2a6bb461a39e6db6b7d515873419f8a8ada Mon Sep 17 00:00:00 2001
+From: Milan Broz <[email protected]>
+Date: Thu, 24 Jul 2014 22:11:58 +0200
+Subject: [PATCH 3/3] Properly allow activation of discard even if dm_crypt
+ module is not yet loaded.
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The dm_flags() call cannot be used if dmcrypt module is not present.
+
+Better try to activate volume with dicard flags and if it is not possible,
+try to activate device without the discard flag.
+---
+ lib/libdevmapper.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
+index 6138a6b..dcc54fd 100644
+--- a/lib/libdevmapper.c
++++ b/lib/libdevmapper.c
+@@ -306,22 +306,19 @@ static void hex_key(char *hexkey, size_t key_size, const
char *key)
+ }
+
+ /* http://code.google.com/p/cryptsetup/wiki/DMCrypt */
+-static char *get_dm_crypt_params(struct crypt_dm_active_device *dmd)
++static char *get_dm_crypt_params(struct crypt_dm_active_device *dmd, uint32_t
flags)
+ {
+ int r, max_size, null_cipher = 0;
+ char *params, *hexkey;
+- const char *features = "";
++ const char *features;
+
+ if (!dmd)
+ return NULL;
+
+- if (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) {
+- if (dm_flags() & DM_DISCARDS_SUPPORTED) {
+- features = " 1 allow_discards";
+- log_dbg("Discard/TRIM is allowed.");
+- } else
+- log_dbg("Discard/TRIM is not supported by the kernel.");
+- }
++ if (flags & CRYPT_ACTIVATE_ALLOW_DISCARDS)
++ features = " 1 allow_discards";
++ else
++ features = "";
+
+ if (!strncmp(dmd->u.crypt.cipher, "cipher_null-", 12))
+ null_cipher = 1;
+@@ -662,6 +659,7 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ int reload)
+ {
+ char *table_params = NULL;
++ uint32_t dmd_flags;
+ int r;
+
+ if (!type)
+@@ -670,14 +668,27 @@ int dm_create_device(struct crypt_device *cd, const char
*name,
+ if (dm_init_context(cd))
+ return -ENOTSUP;
+
++ dmd_flags = dmd->flags;
++
+ if (dmd->target == DM_CRYPT)
+- table_params = get_dm_crypt_params(dmd);
++ table_params = get_dm_crypt_params(dmd, dmd_flags);
+ else if (dmd->target == DM_VERITY)
+ table_params = get_dm_verity_params(dmd->u.verity.vp, dmd);
+
+- r = _dm_create_device(name, type, dmd->data_device,
+- dmd->flags, dmd->uuid, dmd->size,
+- table_params, reload);
++ r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
++ dmd->uuid, dmd->size, table_params, reload);
++
++ /* If discard not supported try to load without discard */
++ if (!reload && r && dmd->target == DM_CRYPT &&
++ (dmd->flags & CRYPT_ACTIVATE_ALLOW_DISCARDS) &&
++ !(dm_flags() & DM_DISCARDS_SUPPORTED)) {
++ log_dbg("Discard/TRIM is not supported, retrying activation.");
++ dmd_flags = dmd_flags & ~CRYPT_ACTIVATE_ALLOW_DISCARDS;
++ crypt_safe_free(table_params);
++ table_params = get_dm_crypt_params(dmd, dmd_flags);
++ r = _dm_create_device(name, type, dmd->data_device, dmd_flags,
++ dmd->uuid, dmd->size, table_params,
reload);
++ }
+
+ crypt_safe_free(table_params);
+ dm_exit_context();
+--
+2.0.1
+
Copied: cryptsetup/repos/testing-x86_64/PKGBUILD (from rev 218252,
cryptsetup/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,50 @@
+# $Id$
+# Maintainer: Thomas Bächler <[email protected]>
+pkgname=cryptsetup
+pkgver=1.6.5
+pkgrel=2
+pkgdesc="Userspace setup tool for transparent encryption of block devices
using dm-crypt"
+arch=(i686 x86_64)
+license=('GPL')
+url="http://code.google.com/p/cryptsetup/";
+groups=('base')
+depends=('device-mapper' 'libgcrypt' 'popt' 'libutil-linux')
+makedepends=('util-linux')
+options=('!emptydirs')
+source=(https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/${pkgname}-${pkgver}.tar.xz
+
#https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/${pkgname}-${pkgver}.tar.sign
+ encrypt_hook
+ encrypt_install
+ sd-encrypt
+ 0001-Move-safe-table-params-wipe-into-function-which-allo.patch
+ 0002-Re-check-flags-after-DM-device-creations.patch
+ 0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch)
+sha256sums=('267973f20be43f9d685f7193aa23954b60768c74a1d330243114d4b8bc17ca9a'
+ '4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff'
+ 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae'
+ 'd442304e6a78b3513ebc53be3fe2f1276a7df470c8da701b3ece971d59979bdd'
+ '54895ebba0cf1df27da7a53b6a256b7826f9b2d4cff577f840ab457dc32b5c49'
+ 'd022e43fa96ee60e295cf6041a8b9e15225eeb03b713f32675061c4063c17ea5'
+ '16d55306a5dde637db16cb219834095432bc8579528789ee52aa975df12284d4')
+
+prepare() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ patch -p1 -i
"${srcdir}"/0001-Move-safe-table-params-wipe-into-function-which-allo.patch
+ patch -p1 -i "${srcdir}"/0002-Re-check-flags-after-DM-device-creations.patch
+ patch -p1 -i
"${srcdir}"/0003-Properly-allow-activation-of-discard-even-if-dm_cryp.patch
+}
+
+build() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ ./configure --prefix=/usr --sbindir=/usr/bin --disable-static
--enable-cryptsetup-reencrypt
+ make
+}
+
+package() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ make DESTDIR="${pkgdir}" install
+ # install hook
+ install -D -m644 "${srcdir}"/encrypt_hook
"${pkgdir}"/usr/lib/initcpio/hooks/encrypt
+ install -D -m644 "${srcdir}"/encrypt_install
"${pkgdir}"/usr/lib/initcpio/install/encrypt
+ install -D -m644 "${srcdir}"/sd-encrypt
"${pkgdir}"/usr/lib/initcpio/install/sd-encrypt
+}
Copied: cryptsetup/repos/testing-x86_64/encrypt_hook (from rev 218252,
cryptsetup/trunk/encrypt_hook)
===================================================================
--- testing-x86_64/encrypt_hook (rev 0)
+++ testing-x86_64/encrypt_hook 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,139 @@
+#!/usr/bin/ash
+
+run_hook() {
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+ # Get keyfile if specified
+ ckeyfile="/crypto_keyfile.bin"
+ if [ -n "$cryptkey" ]; then
+ IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+ if [ "$ckdev" = "rootfs" ]; then
+ ckeyfile=$ckarg1
+ elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+ case ${ckarg1} in
+ *[!0-9]*)
+ # Use a file on the device
+ # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+ mkdir /ckey
+ mount -r -t "$ckarg1" "$resolved" /ckey
+ dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+ umount /ckey
+ ;;
+ *)
+ # Read raw data from the block device
+ # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+ dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1"
count="$ckarg2" >/dev/null 2>&1
+ ;;
+ esac
+ fi
+ [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting
to passphrase."
+ fi
+
+ if [ -n "${cryptdevice}" ]; then
+ DEPRECATED_CRYPT=0
+ IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+ else
+ DEPRECATED_CRYPT=1
+ cryptdev="${root}"
+ cryptname="root"
+ fi
+
+ warn_deprecated() {
+ echo "The syntax 'root=${root}' where '${root}' is an encrypted volume
is deprecated"
+ echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+ }
+
+ for cryptopt in ${cryptoptions//,/ }; do
+ case ${cryptopt} in
+ allow-discards)
+ cryptargs="${cryptargs} --allow-discards"
+ ;;
+ *)
+ echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+ ;;
+ esac
+ done
+
+ if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+ if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ dopassphrase=1
+ # If keyfile exists, try to use that
+ if [ -f ${ckeyfile} ]; then
+ if eval cryptsetup --key-file ${ckeyfile} open --type luks
${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+ dopassphrase=0
+ else
+ echo "Invalid keyfile. Reverting to passphrase."
+ fi
+ fi
+ # Ask for a passphrase
+ if [ ${dopassphrase} -gt 0 ]; then
+ echo ""
+ echo "A password is required to access the ${cryptname}
volume:"
+
+ #loop until we get a real password
+ while ! eval cryptsetup open --type luks ${resolved}
${cryptname} ${cryptargs} ${CSQUIET}; do
+ sleep 2;
+ done
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed,
aborting..."
+ exit 1
+ fi
+ elif [ -n "${crypto}" ]; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ msg "Non-LUKS encrypted device found..."
+ if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+ err "Verify parameter format:
crypto=hash:cipher:keysize:offset:skip"
+ err "Non-LUKS decryption not attempted..."
+ return 1
+ fi
+ exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+ IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+ [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
+ [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
+ [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+ [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
+ [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
+ if [ -f "$ckeyfile" ]; then
+ exe="$exe --key-file $ckeyfile"
+ else
+ exe="$exe --verify-passphrase"
+ echo ""
+ echo "A password is required to access the ${cryptname}
volume:"
+ fi
+ eval "$exe $CSQUIET"
+
+ if [ $? -ne 0 ]; then
+ err "Non-LUKS device decryption failed. verify format: "
+ err " crypto=hash:cipher:keysize:offset:skip"
+ exit 1
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed,
aborting..."
+ exit 1
+ fi
+ else
+ err "Failed to open encryption mapping: The device ${cryptdev} is
not a LUKS volume and the crypto= paramater was not specified."
+ fi
+ fi
+ rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/testing-x86_64/encrypt_install (from rev 218252,
cryptsetup/trunk/encrypt_install)
===================================================================
--- testing-x86_64/encrypt_install (rev 0)
+++ testing-x86_64/encrypt_install 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module dm-crypt
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/crypto/'
+ fi
+
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules"
"/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device. Users should specify the device
+to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
+where 'device' is the path to the raw device, and 'dmname' is the name given to
+the device after unlocking, and will be available as /dev/mapper/dmname.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the
key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/testing-x86_64/sd-encrypt (from rev 218252,
cryptsetup/trunk/sd-encrypt)
===================================================================
--- testing-x86_64/sd-encrypt (rev 0)
+++ testing-x86_64/sd-encrypt 2014-07-28 17:24:35 UTC (rev 218253)
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module dm-crypt
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/crypto/'
+ fi
+
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules"
"/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_systemd_unit cryptsetup.target
+ add_binary /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
+ add_binary /usr/lib/systemd/systemd-cryptsetup
+
+ add_systemd_unit systemd-ask-password-console.path
+ add_systemd_unit systemd-ask-password-console.service
+
+ [[ -f /etc/crypttab.initramfs ]] && add_file /etc/crypttab.initramfs
/etc/crypttab
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device with systemd initramfs.
+
+See the manpage of systemd-cryptsetup-generator(8) for available kernel
+command line options. Alternatively, if the file /etc/crypttab.initramfs
+exists, it will be added to the initramfs as /etc/crypttab. See the
+crypttab(5) manpage for more information on crypttab syntax.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
