Bug#465901: cryptroot remote unlocking on boot feature
Package: initramfs-tools
Version: 0.91e
Severity: wishlist
Tags: patch

This patch is part of three patches (initramfs-tools, cryptsetup, dropbear) which enable mkinitramfs to create initramfs images that provide the ability to log in and unlock a cryptroot during the boot process from remote via ssh.

Calling configure_networking from /scripts/functions might appear more than once, so just try if it hasn't been done / wasn't successful yet. Check that by testing for the existence of /tmp/net-$DEVICE.conf, which is created by ipconfig.

In mkinitramfs CONFDIR is exported, as this is necessary for hooks (see the related dropbear patch) to find the config without relying on something hardcoded that's otherwise (in mkinitramfs) dynamic.

diff -rNc initramfs-tools.orig/mkinitramfs initramfs-tools/mkinitramfs *** initramfs-tools.orig/mkinitramfs 2007-12-25 17:03:57.0 +0100 --- initramfs-tools/mkinitramfs 2008-02-14 14:01:07.0 +0100 *** *** 168,173 --- 168,174 # Export environment for hook scripts. # + export CONFDIR export MODULESDIR export version export CONFDIR diff -rNc initramfs-tools.orig/scripts/functions initramfs-tools/scripts/functions *** initramfs-tools.orig/scripts/functions 2007-12-25 17:03:57.0 +0100 --- initramfs-tools/scripts/functions 2008-02-14 13:58:53.0 +0100 *** *** 273,307 configure_networking() { ! # support ip options see linux sources Documentation/nfsroot.txt ! case ${IPOPTS} in ! none|off) ! # Do nothing ! ;; ! |on|any) ! # Bring up device ! ipconfig ${DEVICE} ! ;; ! dhcp|bootp|rarp|both) ! ipconfig -c ${IPOPTS} -d ${DEVICE} ! ;; ! *) ! ipconfig -d $IPOPTS ! # grab device entry from ip option ! NEW_DEVICE=${IPOPTS#*:*:*:*:*:*} ! if [ ${NEW_DEVICE} != ${IPOPTS} ]; then ! NEW_DEVICE=${NEW_DEVICE%:*} ! else ! # wrong parse, possibly only a partial string ! NEW_DEVICE= ! fi ! if [ -n ${NEW_DEVICE} ]; then ! DEVICE=${NEW_DEVICE} ! fi ! ;; ! esac ! # source relevant ipconfig output ! . /tmp/net-${DEVICE}.conf } --- 273,310 configure_networking() { ! if [ ! 
-e /tmp/net-${DEVICE}.conf ]; then ! # support ip options see linux sources Documentation/nfsroot.txt ! case ${IPOPTS} in ! none|off) ! # Do nothing ! ;; ! |on|any) ! # Bring up device ! ipconfig ${DEVICE} ! ;; ! dhcp|bootp|rarp|both) ! ipconfig -c ${IPOPTS} -d ${DEVICE} ! ;; ! *) ! ipconfig -d $IPOPTS ! # grab device entry from ip option ! NEW_DEVICE=${IPOPTS#*:*:*:*:*:*} ! if [ ${NEW_DEVICE} != ${IPOPTS} ]; then ! NEW_DEVICE=${NEW_DEVICE%:*} ! else ! # wrong parse, possibly only a partial string ! NEW_DEVICE= ! fi ! if [ -n ${NEW_DEVICE} ]; then ! DEVICE=${NEW_DEVICE} ! fi ! ;; ! esac ! ! # source relevant ipconfig output ! . /tmp/net-${DEVICE}.conf ! fi }
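Review bot: the mkinitramfs hunk (168,173 -> 168,174) adds `+ export CONFDIR` while the trailing context line of the very same hunk already reads `export CONFDIR`, so against the tree shown the addition is a duplicate and the hook-visibility problem described in the report would already be solved; either the patch was generated against a different mkinitramfs than the one described, or the added line should be dropped and the hunk rebased so a single export remains.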
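Review bot: in the scripts/functions hunk (273,307 -> 273,310) the new guard `if [ ! -e /tmp/net-${DEVICE}.conf ]` is evaluated before the `*)` branch rewrites DEVICE from the ip= string, so for an explicit ip=<client>:...:<device>:<autoconf> option it tests the conf file of the default device rather than the one ipconfig actually writes, and the function will re-run ipconfig on every call instead of once; compute NEW_DEVICE first and then test for the marker file (or test it again after the case statement). While in this block, `[ -n ${NEW_DEVICE} ]` should be `[ -n "${NEW_DEVICE}" ]`: with an empty NEW_DEVICE the unquoted form collapses to `[ -n ]`, which is true, so the "wrong parse" path still assigns an empty DEVICE and the function then sources `/tmp/net-.conf`.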
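The run-once guard described in the report above, as an added example that is not part of the submitted patch or of initramfs-tools itself: it keys on the /tmp/net-$DEVICE.conf file that ipconfig writes, but resolves the device named in a full ip= string before testing for the file, and quotes the empty-string test. NET_STATE_DIR and IPCONFIG are knobs assumed here so the function can be exercised outside an initramfs (their defaults match the real environment); the ip= field layout follows Documentation/nfsroot.txt as cited in the hunk.

```shell
#!/bin/sh
# Added example, not code from the submitted patch or from initramfs-tools.
# NET_STATE_DIR and IPCONFIG are assumed knobs; the defaults match the real
# initramfs, where ipconfig writes /tmp/net-$DEVICE.conf.
NET_STATE_DIR=${NET_STATE_DIR:-/tmp}
IPCONFIG=${IPCONFIG:-ipconfig}

# Print the <device> field of an
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>
# string (field layout per Documentation/nfsroot.txt).  Prints nothing for a
# bare keyword such as "dhcp" or for a string with fewer than six fields.
ip_option_device() {
    rest=${1#*:*:*:*:*:}
    [ "$rest" = "$1" ] && return 0
    printf '%s\n' "${rest%%:*}"
}

# Bring the interface up once and source ipconfig's output.  DEVICE is
# resolved from IPOPTS *before* the marker file is tested, so an explicit
# ip=...:<device>:... option is checked against the file ipconfig will
# actually write.  Returns 1 when no configuration is available.
configure_networking_once() {
    IPOPTS=$1
    DEVICE=$2
    case $IPOPTS in
        none|off)
            return 1            # nothing to bring up, nothing to source
            ;;
        ""|on|any|dhcp|bootp|rarp|both)
            ;;
        *)
            dev=$(ip_option_device "$IPOPTS")
            [ -n "$dev" ] && DEVICE=$dev    # quoted: an empty dev keeps DEVICE
            ;;
    esac
    conf="$NET_STATE_DIR/net-$DEVICE.conf"
    if [ ! -e "$conf" ]; then
        case $IPOPTS in
            ""|on|any)            "$IPCONFIG" "$DEVICE" ;;
            dhcp|bootp|rarp|both) "$IPCONFIG" -c "$IPOPTS" -d "$DEVICE" ;;
            *)                    "$IPCONFIG" -d "$IPOPTS" ;;
        esac
    fi
    [ -e "$conf" ] || return 1
    . "$conf"
}
```

Calling `configure_networking_once "$IPOPTS" "$DEVICE"` from several boot scripts runs ipconfig at most once per device and is a no-op once net-$DEVICE.conf exists; a failed ipconfig leaves no marker, so the next caller retries, which is the behaviour the report asks for.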
Bug#465901: cryptroot remote unlocking on boot feature
On Fri, Feb 15, 2008 at 03:47:40PM +0100, [EMAIL PROTECTED] wrote:
> diff -rNc initramfs-tools.orig/mkinitramfs initramfs-tools/mkinitramfs

Thanks, haven't read it yet, but *please* send it in unified format.
Unified diffs are so much easier to read:

  u .. unified
  p .. function context

aka the output of

  diff -pruN initramfs-tools.orig/ initramfs-tools

If you want to do yourself a favour, of course you can clone the git repo
and use git for it, aka (as root: apt-get install git-core gitk git-email git-gui):

  git clone git://git.debian.org/git/kernel/initramfs-tools.git
  # add a new local branch
  git checkout -b ssh
  # see the diff
  git diff
  # hack + test + commit
  git commit -a
  # get the patches in mail format
  git format-patch -M master
  # send them over
  git send-email --to [EMAIL PROTECTED] --cc [EMAIL PROTECTED] 0001-ssh-subject.patch

I must say I'm not a big fan of shipping ssh in initramfs enabled by default.
Needed fixes in networking and such are of course taken.

thanks

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#465901: cryptroot remote unlocking on boot feature
[...]
> git send-email --to [EMAIL PROTECTED] --cc [EMAIL PROTECTED] 0001-ssh-subject.patch

ok, thanks for the directions

> i must say i'm not a big fan of shipping ssh in initramfs enabled by default
> needed fixes in networking and such are of course taken.

The hook script in the dropbear patch will only add dropbear to the initramfs if it's explicitly enabled (which it isn't by default), or a cryptroot is detected (and dropbear isn't explicitly disabled).

Adding to the initramfs is certainly generally to be avoided, but not being able to bring a machine up again from remote is quite some motivation, I guess ;) Plus it turns out the increase in size and complexity is a lot less than (at least I) expected.

Chris
Bug#465901: cryptroot remote unlocking on boot feature
On Fri, 15 Feb 2008, [EMAIL PROTECTED] wrote:
> [...]
> > git send-email --to [EMAIL PROTECTED] --cc [EMAIL PROTECTED] 0001-ssh-subject.patch
>
> ok, thanks for the directions

np, cool you picked it up so nicely :)

> > i must say i'm not a big fan of shipping ssh in initramfs enabled by default
> > needed fixes in networking and such are of course taken.
>
> the hook script in the dropbear patch will only add dropbear to the initramfs if it's explicitly enabled (which it isn't by default), or a cryptroot is detected (and dropbear isn't explicitly disabled).
>
> adding to the initramfs is certainly generally to be avoided, but not being able to bring a machine up again from remote is quite some motivation, i guess ;) plus it turns out the increase in size and complexity is a lot less than (at least i) expected.
>
> Chris

ack

-- 
maks