commit ddf87c79b74022a30cec286191d31d186be184cf
Author: Jan Palus <[email protected]>
Date:   Wed Sep 28 18:42:21 2022 +0200

    luks: initial support for luks2 tokens
    
    tested with fido2 token only. to disable set USE_LUKS_TOKEN=no
    
    systemd fido2 and tpm2 tokens need dlopened libraries for respective
    functionality (systemd avoids hard dependency on external deps)

 mod-luks.sh | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
---
diff --git a/mod-luks.sh b/mod-luks.sh
index 94b6499..468489a 100644
--- a/mod-luks.sh
+++ b/mod-luks.sh
@@ -117,7 +117,7 @@ luks_crypttab() {
        local LUKSNAME="$1"
 
        # copy from /etc/rc.d/init.d/cryptsetup
-       local dst src key opt mode owner failsafe
+       local dst src key opt mode owner failsafe token libdir cryptdir
 
        while read dst src key opt; do
                [ "$dst" != "$LUKSNAME" ] && continue
@@ -153,6 +153,33 @@ luks_crypttab() {
                                keyfile=/etc/.$dst.key
                                inst $key $keyfile
                        fi
+                       for libdir in $(get_libdir /usr/LIBDIR); do
+                               if [ -d $libdir/cryptsetup ]; then
+                                       cryptdir=$libdir/cryptsetup
+                                       break
+                               fi
+                       done
+                       if ! is_no "$USE_LUKS_TOKEN" && [ -n "$cryptdir" ]; then
+                               for token in $(/sbin/cryptsetup luksDump $src | 
sed -n -e '/^Tokens:/,/^[^[:space:]]/ { /^[[:space:]]*[[:digit:]]*:/ { 
s/^[[:space:]]*[[:digit:]]*:[[:space:]]*// p } }'); do
+                                       verbose "Found cryptsetup token: $token"
+                                       case "$token" in
+                                               systemd-fido2)
+                                                       inst_d $cryptdir
+                                                       inst_exec 
$cryptdir/libcryptsetup-token-$token.so $cryptdir
+                                                       inst_exec 
$libdir/libfido2.so.1 $libdir
+                                                       ;;
+                                               systemd-tpm2)
+                                                       inst_d $cryptdir
+                                                       inst_exec 
$cryptdir/libcryptsetup-token-$token.so $cryptdir
+                                                       inst_exec 
$libdir/libtss2-esys.so.0 $libdir/libtss2-rc.so.0 $libdir/libtss2-mu.so.0 
$libdir
+                                                       ;;
+                                               *)
+                                                       inst_d $cryptdir
+                                                       inst_exec 
$cryptdir/libcryptsetup-token-$token.so $cryptdir
+                                                       ;;
+                                       esac
+                               done
+                       fi
 
                        crypttab_opt=""
                        old_IFS="$IFS"
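Review bot: The token name parsed from `cryptsetup luksDump` is on-disk header metadata, yet it is expanded unquoted into `$cryptdir/libcryptsetup-token-$token.so` and decides which shared object is copied into the initrd. A type containing `/`, whitespace or glob characters would change what the `*)` branch installs, so I would reject such names before the `case` with `case "$token" in *[!A-Za-z0-9_-]*) continue ;; esac` and quote the path expansions. The `*)` branch also assumes every token type has an external plugin, but types handled inside libcryptsetup itself (for example `luks2-keyring`) ship no `.so`; how `inst_exec` treats a missing source is not visible in this hunk, so a guard such as `[ -f "$cryptdir/libcryptsetup-token-$token.so" ] || continue` would make that case explicit. The body of `luks_crypttab` starts and ends outside this hunk.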
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/geninitrd.git/commitdiff/ddf87c79b74022a30cec286191d31d186be184cf
