authorHarald Hoyer <harald@redhat.com>2013-04-11 15:44:33 +0200
committerLennart Poettering <lennart@poettering.net>2013-04-18 02:45:01 +0200
commit951657bd0a5bb32b5f56cc6b91ad2ea4094bdfaf (patch)
tree6bfa3c0784b1ee49361265bfd1133e975e8a403f
parent8b95c916386eff949d5a8abadf82cda09799794f (diff)
cryptsetup-generator: add support for rd.luks.key=
Also clarify rd.luks.uuid and luks.uuid in the manual. https://bugzilla.redhat.com/show_bug.cgi?id=905683
-rw-r--r--man/kernel-command-line.xml2
-rw-r--r--man/systemd-cryptsetup-generator.xml26
-rw-r--r--src/cryptsetup/cryptsetup-generator.c22
3 files changed, 46 insertions, 4 deletions
diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml
index f249798171..6d064f6373 100644
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@@ -237,6 +237,8 @@
<term><varname>rd.luks.crypttab=</varname></term>
<term><varname>luks.uuid=</varname></term>
<term><varname>rd.luks.uuid=</varname></term>
+ <term><varname>luks.key=</varname></term>
+ <term><varname>rd.luks.key=</varname></term>
<listitem>
<para>Configures the LUKS
diff --git a/man/systemd-cryptsetup-generator.xml b/man/systemd-cryptsetup-generator.xml
index 292e967bea..7950032941 100644
--- a/man/systemd-cryptsetup-generator.xml
+++ b/man/systemd-cryptsetup-generator.xml
@@ -128,7 +128,31 @@
(initrd) while
<varname>luks.uuid=</varname> is
honored by both the main system and
- the initrd.</para></listitem>
+ the initrd.</para>
+ <para>If /etc/crypttab contains entries with
+ the same UUID, then the options for this entry
+ will be used.</para>
+ <para>If /etc/crypttab exists, only those UUID
+ specified on the kernel command line
+ will be activated in the initrd or the real root.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>luks.key=</varname></term>
+ <term><varname>rd.luks.key=</varname></term>
+
+ <listitem><para>Takes a password file as argument.</para>
+ <para>For those entries specified with
+ <varname>rd.luks.uuid=</varname> or <varname>luks.uuid=</varname>,
+ the password file will be set to the password file specified by
+ <varname>rd.luks.key=</varname> or <varname>luks.key</varname></para>
+ <para><varname>rd.luks.key=</varname>
+ is honored only by initial RAM disk
+ (initrd) while
+ <varname>luks.key=</varname> is
+ honored by both the main system and
+ the initrd.</para>
+ </listitem>
</varlistentry>
</variablelist>
</refsect1>
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index fd2080b539..fd634ae74c 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -233,7 +233,7 @@ static int create_disk(
return 0;
}
-static int parse_proc_cmdline(char ***arg_proc_cmdline_disks) {
+static int parse_proc_cmdline(char ***arg_proc_cmdline_disks, char **arg_proc_cmdline_keyfile) {
char _cleanup_free_ *line = NULL;
char *w = NULL, *state = NULL;
int r;
@@ -300,6 +300,21 @@ static int parse_proc_cmdline(char ***arg_proc_cmdline_disks) {
return log_oom();
}
+ } else if (startswith(word, "luks.key=")) {
+ *arg_proc_cmdline_keyfile = strdup(word + 9);
+ if (! arg_proc_cmdline_keyfile)
+ return log_oom();
+
+ } else if (startswith(word, "rd.luks.key=")) {
+
+ if (in_initrd()) {
+ if (*arg_proc_cmdline_keyfile)
+ free(*arg_proc_cmdline_keyfile);
+ *arg_proc_cmdline_keyfile = strdup(word + 12);
+ if (!arg_proc_cmdline_keyfile)
+ return log_oom();
+ }
+
} else if (startswith(word, "luks.") ||
(in_initrd() && startswith(word, "rd.luks."))) {
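Review bot: Both new out-of-memory checks test `arg_proc_cmdline_keyfile`, the out-parameter itself, which is never NULL here, so a failed `strdup()` goes unnoticed; they should read `if (!*arg_proc_cmdline_keyfile)`. With the check as written, an allocation failure leaves the key file NULL and, judging from the `create_disk` call changed later in this commit, the device would presumably be set up as if no key file had been given instead of the generator failing. The `luks.key=` branch also overwrites the pointer without releasing an earlier value, so a repeated option (or one that follows `rd.luks.key=`) leaks the previous string; add `free(*arg_proc_cmdline_keyfile);` before the `strdup()` there, and drop the `if (*arg_proc_cmdline_keyfile)` guard in the other branch, since `free(NULL)` is a no-op. parse_proc_cmdline begins and ends outside this hunk.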
@@ -319,6 +334,7 @@ int main(int argc, char *argv[]) {
char **i;
char _cleanup_strv_free_ **arg_proc_cmdline_disks_done = NULL;
char _cleanup_strv_free_ **arg_proc_cmdline_disks = NULL;
+ char _cleanup_free_ *arg_proc_cmdline_keyfile = NULL;
if (argc > 1 && argc != 4) {
log_error("This program takes three or no arguments.");
@@ -334,7 +350,7 @@ int main(int argc, char *argv[]) {
umask(0022);
- if (parse_proc_cmdline(&arg_proc_cmdline_disks) < 0)
+ if (parse_proc_cmdline(&arg_proc_cmdline_disks, &arg_proc_cmdline_keyfile) < 0)
return EXIT_FAILURE;
if (!arg_enabled)
@@ -425,7 +441,7 @@ int main(int argc, char *argv[]) {
if (!name || !device)
return log_oom();
- if (create_disk(name, device, NULL, "timeout=0") < 0)
+ if (create_disk(name, device, arg_proc_cmdline_keyfile, "timeout=0") < 0)
r = EXIT_FAILURE;
}
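Review bot: The key file value reaches `create_disk` here exactly as it was written on the kernel command line, with no check that it is a non-empty absolute path. A bare `luks.key=` yields an empty string rather than NULL, and a relative name is passed through unchanged; how `create_disk` writes either into the generated unit is not visible in this hunk, so that path should be confirmed. One option is to log a warning and fall back to no key file, for example `const char *keyfile = (arg_proc_cmdline_keyfile && arg_proc_cmdline_keyfile[0] == '/') ? arg_proc_cmdline_keyfile : NULL;` and pass `keyfile` to the call. The enclosing loop and the rest of `main` lie outside the hunk.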