Sorry for not submitting this to Debian sooner; the cryptsetup delta in Ubuntu is rather large, including extensive changes for upstart support, so it's a challenge to pick out the bits that are currently relevant to Debian. I only caught sight of this bug report by way of Guido's blog.
I agree that this change would be good to have in Debian - I would quite
enjoy having plymouth working on my Debian systems for squeeze. However,
the patch Guido sent will only add plymouth support for decryption of the
rootfs and the swap partition, since other devices are decrypted
post-initramfs, so another patch will be needed there for the init scripts.
I think the attached diff to cryptdisks.functions, also lifted from Ubuntu,
does the job. If you have any questions, feel free to ask.
(This patch also changes the handling of random-crypted devices, by making
sure they're temp-mounted under /var/run/cryptsetup instead of under /tmp;
this is not immediately relevant to Debian, but paves the way for
udev-driven activation of crypted disks and upstart support, so I've
included it here rather than trying to disentangle the separate changes to
individual lines of code.)
The Ubuntu changelog entries corresponding to this change are as follows:
* debian/cryptdisks.functions:
- change interaction to use plymouth directly if present, and if not, to
fall back to /lib/cryptsetup/askpass as before
* debian/cryptdisk.functions: initially create the device under a temporary
name and rename it only at the end using 'dmsetup rename', to ensure that
upstart/mountall doesn't see our device before it's ready to go.
LP: #475936.
* cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
changing the permissions of the filesystem root, not directly on /tmp,
since mounting on /tmp a) is racy, b) confuses mountall something fierce.
LP: #475936.
* cryptdisks.functions, debian/initramfs/cryptroot-script: fix the
invocation of plymouth, so that we actually get proper passphrase prompts
(once bug #496765 is fixed).
* cryptdisks.functions: replace 'echo -e' bashism with 'printf'.
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
[email protected] [email protected]
=== modified file 'debian/cryptdisks.functions'
--- debian/cryptdisks.functions 2009-11-11 13:50:18 +0000
+++ debian/cryptdisks.functions 2010-01-21 14:46:41 +0000
@@ -288,7 +288,12 @@
# no keyscript, no key => password
keyscriptarg="Unlocking the disk $src ($dst)\nEnter passphrase: "
key="-"
- KEYSCRIPT="/lib/cryptsetup/askpass"
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ KEYSCRIPT="plymouth ask-for-password --prompt"
+ keyscriptarg=$(printf "$keyscriptarg")
+ else
+ KEYSCRIPT="/lib/cryptsetup/askpass"
+ fi
elif [ "$key" != "${key%/dev/*}" ]; then
# no keyscript, device key => special treatment
keyscriptarg=""
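Review bot: `keyscriptarg=$(printf "$keyscriptarg")` uses a string that already contains the expanded `$src` and `$dst` as the printf format, so a `%` in a device path or mapping name is read as a conversion specifier and the prompt is mangled or printf fails. Only the `\n` needs expanding, and `keyscriptarg=$(printf '%b' "$keyscriptarg")` does that with a fixed format. The second hunk (the `$cryptsource`/`$crypttarget` branch) carries the same line. A smaller point in the same condition: the test checks `/bin/plymouth` but the call resolves `plymouth` through PATH, so `/bin/plymouth --ping` would keep the two in agreement.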
@@ -354,7 +359,12 @@
# no keyscript, no key => password
keyscriptarg="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
key="-"
- KEYSCRIPT="/lib/cryptsetup/askpass"
+ if [ -x /bin/plymouth ] && plymouth --ping; then
+ KEYSCRIPT="plymouth ask-for-password --prompt"
+ keyscriptarg=$(printf "$keyscriptarg")
+ else
+ KEYSCRIPT="/lib/cryptsetup/askpass"
+ fi
else
# no keyscript, key => file input
keyscriptarg=""
@@ -366,16 +376,16 @@
while [ "$tried" -lt "$TRIES" ]; do
if [ -n "$KEYSCRIPT" ]; then
- "$KEYSCRIPT" "$keyscriptarg" | cryptsetup $PARAMS create "$dst" "$src"
+ $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS create "${dst}_unformatted" "$src"
else
- cryptsetup $PARAMS create "$dst" "$src"
+ cryptsetup $PARAMS create "${dst}_unformatted" "$src"
fi
- if [ -z "$CHECK" ] || "$CHECK" "/dev/mapper/$dst" $CHECKARGS; then
+ if [ -z "$CHECK" ] || "$CHECK" "/dev/mapper/${dst}_unformatted" $CHECKARGS; then
break
else
log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed - maybe the password is wrong"
- cryptsetup remove "$dst"
+ cryptsetup remove "${dst}_unformatted"
fi
tried=$(( $tried + 1 ))
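Review bot: Dropping the quotes in `$KEYSCRIPT "$keyscriptarg"` exposes every keyscript value to word splitting and pathname expansion, not only the new `plymouth ask-for-password --prompt` string. A keyscript path containing a space or a glob character worked with the old `"$KEYSCRIPT"` and now runs a different command line. KEYSCRIPT is assigned outside this hunk, so its origin is not visible here, but if it can come from crypttab this is worth keeping strict. One option is to keep `"$KEYSCRIPT" "$keyscriptarg"` quoted and give plymouth its own branch, e.g. `plymouth ask-for-password --prompt "$keyscriptarg" | cryptsetup $PARAMS create "${dst}_unformatted" "$src"`. The failed-check warning also still prints `/dev/mapper/$dst` although the node checked is `/dev/mapper/${dst}_unformatted`; the enclosing function starts and ends outside the hunk.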
@@ -412,13 +422,14 @@
do_swap () {
local swap_out
- if [ "$MAKESWAP" != "yes" ] || [ ! -b "/dev/mapper/$dst" ]; then
+ if [ "$MAKESWAP" != "yes" ] || [ ! -b "/dev/mapper/${dst}_unformatted" ]
+ then
return 0
fi
- if swap_out=$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/$dst" 2> /dev/null) || \
- /lib/cryptsetup/checks/blkid "/dev/mapper/$dst" swap > /dev/null 2>&1; then
- mkswap "/dev/mapper/$dst" > /dev/null 2>&1
+ if swap_out=$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2> /dev/null) || \
+ /lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap > /dev/null 2>&1; then
+ mkswap "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1
else
log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed. /dev/mapper/$dst contains data: $swap_out"
do_close
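Review bot: The failure branch still calls `do_close`, and nothing in this hunk shows that `do_close` removes `${dst}_unformatted` rather than `$dst`. If it only knows the final name, a swap device that failed the blkid check stays mapped and unlocked under the temporary name. do_close is defined outside the hunk, so this needs confirming there. The warning text also reports `/dev/mapper/$dst`, a node that does not exist at this point; `/dev/mapper/${dst}_unformatted` is the path an admin would need to inspect. do_swap's body continues past the hunk.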
@@ -430,17 +441,24 @@
# Prepares tmp partitions using random keys
do_tmp () {
- if [ "x$TMPFS" = "x" ] || [ ! -b "/dev/mapper/$dst" ]; then
+ if [ "x$TMPFS" = "x" ] || [ ! -b "/dev/mapper/${dst}_unformatted" ]; then
return 0
fi
- mkfs -t $TMPFS -q "/dev/mapper/$dst" > /dev/null 2>&1 || return 1
- mount -t $TMPFS "/dev/mapper/$dst" /tmp || return 1
- chmod 1777 /tmp
- umount /tmp
+ mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1 || return 1
+ mkdir -p "/var/run/cryptsetup/$dst"
+ mount -t $TMPFS "/dev/mapper/${dst}_unformatted" "/var/run/cryptsetup/$dst" || return 1
+ chmod 1777 "/var/run/cryptsetup/$dst"
+ umount "/var/run/cryptsetup/$dst"
return 0
}
+# Rename the device from its temp name to its final name, which will
+# trigger mountall
+finalize_device () {
+ dmsetup rename "${dst}_unformatted" "$dst"
+}
+
# Removes a mapping
do_close () {
local found IFS opt
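Review bot: In do_tmp the results of `mkdir -p`, `chmod 1777` and `umount` are ignored and the function returns 0 regardless. A failed umount therefore leaves the new filesystem mounted under /var/run/cryptsetup while the caller goes on to rename the device. I would write `mkdir -p "/var/run/cryptsetup/$dst" || return 1` and `umount "/var/run/cryptsetup/$dst" || return 1`, and check chmod the same way. `$TMPFS` is also unquoted in the mkfs and mount calls. finalize_device would benefit from a header line such as `# Globals: dst (read). Returns: exit status of dmsetup rename.`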
@@ -530,7 +548,8 @@
fi
# Make sure that target device doesn't exist
- if [ -b "/dev/mapper/$dst" ]; then
+ if [ -b "/dev/mapper/${dst}_unformatted" ] || [ -b "/dev/mapper/$dst" ]
+ then
device_msg "$dst" "running"
return 0
fi
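Review bot: A `${dst}_unformatted` node is reported as "running" with return 0, but under this patch that name means setup did not finish: mkswap/mkfs or the rename never happened. A mapping left over from an interrupted or failed start is then never finalized or cleaned up, while the log says the device is up. Consider handling the two cases separately: keep `device_msg "$dst" "running"` for `/dev/mapper/$dst`, and emit a `log_warning_msg` naming the stale temporary mapping for the other. The surrounding function starts and ends outside the hunk.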
@@ -552,6 +571,7 @@
else
do_swap
do_tmp
+ finalize_device
device_msg "$dst" "started"
fi
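Review bot: `finalize_device` runs unconditionally after `do_swap` and `do_tmp`, and its own exit status is not checked before `device_msg "$dst" "started"`. If do_tmp returns 1 after a failed mkfs, the device is still renamed to its final name, which per the comment on finalize_device is what triggers mountall. If the rename itself fails, the device is still logged as started. A guarded form such as `if do_tmp && finalize_device; then device_msg "$dst" "started"; else log_warning_msg "$dst: setup failed"; fi` would avoid both. What do_swap returns on its failure path is not visible in these hunks, so whether it belongs in that chain needs checking.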

