| Age | Commit message (Collapse) | Author |
|---|
|
as password file
As special magic, don't create device dependencies for /dev/null. Of
course, there might be similar devices we might want to include, but
given that none of them really make sense to specify as password source
there's really no point in checking for anything else here.
https://bugs.freedesktop.org/show_bug.cgi?id=75816
|
|
Also stop warning about unknown kernel cmdline options in the various
tools, not just in PID 1
|
|
make sure they are started before and stopped after any LUKS setup
https://bugzilla.redhat.com/show_bug.cgi?id=1097938
|
|
Beef up the assert to protect against passing null to strlen.
Found with scan-build.
|
|
The command line key-size is in bits but the libcryptsetup API expects bytes.
Note that the modulo 8 check is in the original cryptsetup binary as well, so
it's no new limitation.
(v2: changed the point at which the /= 8 is performed, rebased, removed tabs)
|
|
Add an (optional) "Id" key in the password agent .ask files. The Id is
supposed to be a simple string in "<subsystem>:<target>" form which
is used to provide more information on what the requested passphrase
is to be used for (which e.g. allows an agent to only react to cryptsetup
requests).
(v2: rebased, fixed indentation, escape name, use strappenda)
|
|
|
|
|
|
all other tools
|
|
|
|
Already split variable assignments before invoking the callback. And
drop "rd." settings if we are not in an initrd.
|
|
|
|
In cryptsetup-generator automatic cleanup had to be replaced
with manual cleanup, and the code gets a bit longer. But existing
code had the issue that it returned negative values from main(),
which was wrong, so should be reworked anyway.
|
|
If the password is a device file, we can add Requires/After dependencies
on the device rather than requiring the user to do so.
|
|
Debian recently introduced the option key-slot to /etc/crypttab to
specify the LUKS key slot to be used for decrypting the device. On
systems where a keyfile is used and the key is not in the first slot,
this can speed up the boot process quite a bit, since cryptsetup does
not need to try all of the slots sequentially. (Unsuccessfully testing
a key slot typically takes up to about 1 second.)
This patch makes systemd aware of this option.
Debian bug that introduced the feature:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704470
|
|
Instead of individually checking for containers in each user do this
once in a new call proc_cmdline() that read the file only if we are not
in a container.
|
|
|
|
|
|
|
|
When crypttab contains noauto, cryptsetup service does not have any
explicit dependencies. If service is started later manually (directly or via
mount dependency) it will be stopped on isolate.
mount units already have IgnoreOnIsolate set by default. Set it by
default for cryptsetup units as well.
|
|
This service was merged with systemd-random-seed-save.service in
c35b956d34bbb8bb208e49e45de2c103ca11911c.
|
|
The main usecase for this is to make it possible to use cryptsetup in
the initrd without it having to include a host-specific /etc/crypttab.
Tested-by: Thomas Bächler <thomas@archlinux.org>
|
|
|
|
When running from initrd, entering a wrong passphrase usually means that
you cannot boot. Therefore, we allow trying indefinitely.
|
|
systemd-cryptsetup recognizes option 'allow-discards' in /etc/crypttab
to enable TRIM passthrough to underlying encrypted device. In Debian
this option was changed to 'discard' to avoid hyphen in option name.
(see: #648868 and `man crypttab`).
[zj: update crypttab(5) too, making "discard" the default.]
|
|
Tcrypt uses a different approach to passphrases/key files. The
passphrase and all key files are incorporated into the "password"
to open the volume. So, the idea of slots that provide a way to
open the volume with different passphrases/key files that are
independent from each other like with LUKS does not apply.
Therefore, we use the key file from /etc/crypttab as the source
for the passphrase. The actual key files that are combined with
the passphrase into a password are provided as a new option in
/etc/crypttab and can be given multiple times if more than one
key file is used by a volume.
|
|
|
|
Also use _cleanup_free_ where possible.
|
|
This semi-reverts 8973790ee6f62132b1b57de15c4edaef2c097004.
|
|
|
|
|
|
It's polite to print the name of the link that wasn't created,
and it makes little sense to print the target.
|
|
|
|
If the key file cannot be accessed, we can at least ask for the
password.
|
|
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
|
|
Also clarify rd.luks.uuid and luks.uuid in the manual.
https://bugzilla.redhat.com/show_bug.cgi?id=905683
|
|
cryptsetup itself has no timeout as default from the beginning. So the
default timeout has been "0" from the beginning.
https://bugzilla.redhat.com/show_bug.cgi?id=949702
|
|
Before, we would initialize many fields twice: first
by filling the structure with zeros, and then a second
time with the real values. We can let the compiler do
the job for us, avoiding one copy.
A downside of this patch is that text gets slightly
bigger. This is because all zero() calls are effectively
inlined:
$ size build/.libs/systemd
text data bss dec hex filename
before 897737 107300 2560 1007597 f5fed build/.libs/systemd
after 897873 107300 2560 1007733 f6075 build/.libs/systemd
… actually less than 1‰.
A few asserts that the parameter is not null had to be removed. I
don't think this changes much, because first, it is quite unlikely
for the assert to fail, and second, an immediate SEGV is almost as
good as an assert.
|
|
The password query for a crypto device currently times out after 90s,
which is too short to grab a cup of coffee when a machine boots up.
The resulting decrypted device /dev/mapper/luks-<uuid> might not
be a mountpoint (but part of a LVM PV or raid array)
and therefore the timeout cannot be controlled by the settings
in /etc/fstab. For this reason this device should not carry its own timeout.
Also the encrypted device /dev/disk/by-*/* already has a timeout and
additionally the timeout for the password query is set in /etc/crypttab.
This patch disables the timeout of the resulting decrypted devices by creating
<device-unit>.d/50-job-timeout-sec-0.conf files with "JobTimeoutSec=0".
|
|
Internally we store all time values in usec_t, however parse_usec()
actually was used mostly to parse values in seconds (unless explicit
units were specified to define a different unit). Hence, be clear about
this and name the function about what we pass into it, not what we get
out of it.
|
|
This ensures that the keyfile is available during the opening of the encrypted
device.
Also dropped the explicit ordering Before=local-fs.target, as the containers
are ordered implicitly by their content.
|
|
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=730496
https://bugs.freedesktop.org/show_bug.cgi?id=60821
|
|
If there's a GPT partition label set for a LUKS partition, then it's
nicer to show that than the model number, when asking for a passphrase.
|
|
|
|
|
|
|
|
If rd.luks.uuid or luks.uuid is specified on the kernel command, only
generate units for these UUIDs. Additionally use the information in
/etc/crypttab unless rd.luks.crypttab=0 or luks.crypttab=0 is specified.
|
|
|
|
Mukund Sivaraman pointed out that cryptsetup(5) mentions the "read-only"
option, while the code understands "readonly".
We could just fix the manpage, but for consistency in naming of
multi-word options it would be prettier to have "read-only". So let's
accept both spellings.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=903463
|
|
|
