Author: glen
Date: Mon Nov 10 02:04:57 2008
New Revision: 9976
Modified:
geninitrd/trunk/geninitrd
Log:
- add cryptsetup luks support on rootfs
Modified: geninitrd/trunk/geninitrd
==============================================================================
--- geninitrd/trunk/geninitrd (original)
+++ geninitrd/trunk/geninitrd Mon Nov 10 02:04:57 2008
@@ -73,6 +73,9 @@
# VG for suspend resume dev
SUSPENDVG=""
+# DM name for cryptsetup luks
+LUKSNAME=""
+
# resume device
resume_dev=""
@@ -84,6 +87,8 @@
have_md=no
# if we should init dmraid at boot
have_dmraid=no
+# if we should init cryptsetup luks at boot
+have_luks=no
# if we should init dm-multipath at boot
have_multipath=no
# dm-multipath wwid which is used for rootfs
@@ -102,7 +107,7 @@
echo " [--with-suspend] [--without-suspend]"
echo " [--with-tuxonice] [--without-tuxonice]"
echo " [--without-dmraid] [--without-multipath]"
- echo " [--without-blkid]"
+ echo " [--without-blkid] [--without-luks]"
echo " <initrd-image> <kernel-version>"
echo ""
echo "example:"
@@ -673,6 +678,32 @@
return $rc
}
+# return true if node is cryptsetup luks encrypted
+is_luks() {
+ local node="$1"
+ if [ ! -e "$node" ]; then
+ warn "is_luks(): node $node doesn't exist!"
+ return 1
+ fi
+
+ local dev dm_name=${node#/dev/mapper/}
+ if [ "$node" = "$dm_name" ]; then
+ debug "is_luks: $node is not device mapper name"
+ return 1
+ fi
+
+ dev=$(cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print
$2}')
+ cryptsetup isLuks $dev
+ rc=$?
+
+ if [ $rc = 0 ]; then
+ debug "is_luks: $node is cryptsetup luks"
+ else
+ debug "is_luks: $node is not cryptsetup luks"
+ fi
+ return $rc
+}
+
# return dependencies MAJOR:MINOR [MAJOR:MINOR] for DM_NAME
# TODO: patch `dmsetup export`
dm_deps() {
@@ -782,6 +813,26 @@
}
# find modules for $devpath
+find_modules_luks() {
+ local devpath="$1"
+ local dev
+
+ LUKSNAME=${devpath#/dev/mapper/}
+ LUKSDEV=$(cryptsetup status $LUKSNAME 2>/dev/null | awk
'/device:/{print $2}')
+ if [ -z "$LUKSDEV" ]; then
+ die "Lost cryptsetup device meanwhile?"
+ fi
+
+ findmodule "dm-crypt"
+
+ have_luks=yes
+
+ # recurse
+ find_modules_for_devpath $LUKSDEV
+ return 0
+}
+
+# find modules for $devpath
find_modules_for_devpath() {
local devpath="$1"
if [ -z "$devpath" ]; then
@@ -796,6 +847,11 @@
esac
debug "Finding modules for device path $devpath"
+ if is_luks "$devpath"; then
+ find_modules_luks "$devpath"
+ return
+ fi
+
if is_yes "`echo "$devpath" | awk
'/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:|\/dev\/nfs)/ { print "yes"; }'`"; then
if [ ! -x /usr/bin/pcidev -a -z "$NFS_ETH_MODULES" ]; then
die "root on NFS but /usr/bin/pcidev not found. Please
install correct pci-database package and rerun $PROGRAM."
@@ -1199,6 +1255,68 @@
EOF
}
+key_is_random() {
+ [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" =
"/dev/random" ]
+}
+
+# produce cryptsetup from $name from /etc/crypttab
+luks_crypttab() {
+ local LUKSNAME="$1"
+ local LUKSDEV="$2"
+
+ # copy from /etc/rc.d/init.d/cryptsetup
+ local dst src key opt mode owner
+
+ while read dst src key opt; do
+ [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
+ [ "$dst" != "$LUKSNAME" ] && continue
+
+ if [ -n "$key" -a "x$key" != "xnone" ]; then
+ if test -e "$key" ; then
+ mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+ owner=$(LC_ALL=C ls -l $key | awk '{ print $3
}')
+ if [ "$mode" != "------" ] && ! key_is_random
"$key"; then
+ die "INSECURE MODE FOR $key"
+ fi
+ if [ "$owner" != root ]; then
+ die "INSECURE OWNER FOR $key"
+ fi
+ else
+ die "Key file for $dst not found"
+ fi
+ else
+ key=""
+ fi
+
+ if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
+ if key_is_random "$key"; then
+ die "$dst: LUKS requires non-random key,
skipping"
+ fi
+ if [ -n "$opt" ]; then
+ warn "$dst: options are invalid for LUKS
partitions, ignoring them"
+ fi
+ echo "/sbin/cryptsetup ${key:+-d $key} luksOpen '$src'
'$dst' <&1" | add_linuxrc
+ else
+ die "$dst: only LUKS encryption supported"
+ fi
+ done < /etc/crypttab
+}
+
+initrd_gen_luks() {
+ if [ ! -x /sbin/cryptsetup-initrd ]; then
+ die "/sbin/cryptsetup-initrd is missing!"
+ fi
+
+ inst_d /sbin
+ inst_exec /sbin/cryptsetup-initrd /sbin/cryptsetup
+
+ mount_dev
+ mount_sys
+ initrd_gen_devices
+
+ luks_crypttab $LUKSNAME $LUKSDEV
+}
+
initrd_gen_bootsplash() {
local target="$1"
@@ -1601,6 +1719,10 @@
USE_DMRAID=yes
fi
+if [ -x /sbin/cryptsetup ]; then
+ USE_LUKS=yes
+fi
+
if [ -x /sbin/multipath ]; then
USE_MULTIPATH=yes
fi
@@ -1704,6 +1826,9 @@
--without-blkid)
USE_BLKID=no
;;
+ --without-luks)
+ USE_LUKS=no
+ ;;
--with=*)
BASICMODULES="$BASICMODULES ${1#--with=}"
;;
@@ -2040,6 +2165,10 @@
initrd_gen_v86d
fi
+if is_yes "$have_luks"; then
+ initrd_gen_luks
+fi
+
if is_yes "$have_dmraid"; then
initrd_gen_dmraid
fi
_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
