diff options
| author | root <root@rshg054.dnsready.net> | 2012-05-26 00:02:35 +0000 |
|---|---|---|
| committer | root <root@rshg054.dnsready.net> | 2012-05-26 00:02:35 +0000 |
| commit | a5721a07196cf00c26ea1bfb651aab756d202ccb (patch) | |
| tree | b60f984dd22f98544c8d2fd9526cc24dea3dcd25 /core | |
| parent | aa30737839de3c2a4a1287442cb9859414fb4b0a (diff) | |
Sat May 26 00:02:35 UTC 2012
Diffstat (limited to 'core')
| -rw-r--r-- | core/cryptsetup/PKGBUILD | 17 | ||||
| -rw-r--r-- | core/cryptsetup/encrypt_hook | 249 | ||||
| -rw-r--r-- | core/cryptsetup/encrypt_install | 37 |
3 files changed, 153 insertions, 150 deletions
diff --git a/core/cryptsetup/PKGBUILD b/core/cryptsetup/PKGBUILD index 3e9f8bc8a..fedc9ea92 100644 --- a/core/cryptsetup/PKGBUILD +++ b/core/cryptsetup/PKGBUILD @@ -1,8 +1,8 @@ -# $Id: PKGBUILD 157320 2012-04-26 22:51:21Z eric $ +# $Id: PKGBUILD 159428 2012-05-24 08:14:23Z thomas $ # Maintainer: Thomas Bächler <thomas@archlinux.org> pkgname=cryptsetup -pkgver=1.4.1 -pkgrel=3 +pkgver=1.4.2 +pkgrel=1 pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" arch=(i686 x86_64) license=('GPL') @@ -15,13 +15,14 @@ source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc encrypt_hook encrypt_install) -sha256sums=('82b143328c2b427ef2b89fb76c701d311c95b54093c21bbf22342f7b393bddcb' - '71c6506d4b6d0b22b9b6c2a68e604959e4c072af04680ed6acc0126c97bdbc88' - '811bbea1337106ad811731c746d73ee81039bad00aef52398e3a377ad0766757' - 'ddbbdcb8eff93a3a7622ec633e90d5c0d68e3afbeaf942dc2309adab345047d4') +sha256sums=('1fe80d7b19d24b3f65d2e446decfed859e2c4d17fdf7c19289d82dc7cd60dfe7' + '4e6dbece8d1baad861479aca70d0cf30887420da9b5eab45d65d064c656893ed' + 'e4c00e2da274bf4cab3f72a0de779790a11a946d36b83144e74d3791e230b262' + 'cba1dc38ff6cc4d3740d0badfb2b151bb03d19e8e9fa497569ac2fb6f4196e0e') + build() { cd "${srcdir}"/$pkgname-${pkgver} - ./configure --prefix=/usr --disable-static --sbindir=/sbin + ./configure --prefix=/usr --disable-static make } diff --git a/core/cryptsetup/encrypt_hook b/core/cryptsetup/encrypt_hook index 956b18023..0f35782c6 100644 --- a/core/cryptsetup/encrypt_hook +++ b/core/cryptsetup/encrypt_hook @@ -1,148 +1,137 @@ -# vim: set ft=sh: -# TODO this one needs some work to work with lots of different -# encryption schemes -run_hook () -{ - /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1 - if [ -e "/sys/class/misc/device-mapper" ]; then - if [ ! -e "/dev/mapper/control" ]; then - mkdir /dev/mapper - mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |') - fi - [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" - - # Get keyfile if specified - ckeyfile="/crypto_keyfile.bin" - if [ "x${cryptkey}" != "x" ]; then - ckdev="$(echo "${cryptkey}" | cut -d: -f1)" - ckarg1="$(echo "${cryptkey}" | cut -d: -f2)" - ckarg2="$(echo "${cryptkey}" | cut -d: -f3)" - if poll_device "${ckdev}" ${rootdelay}; then - case ${ckarg1} in - *[!0-9]*) - # Use a file on the device - # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path - mkdir /ckey - mount -r -t ${ckarg1} ${ckdev} /ckey - dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1 - umount /ckey - ;; - *) - # Read raw data from the block device - # ckarg1 is numeric: ckarg1=offset, ckarg2=length - dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1 - ;; - esac - fi - [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." - fi +#!/usr/bin/ash - if [ -n "${cryptdevice}" ]; then - DEPRECATED_CRYPT=0 - cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)" - cryptname="$(echo "${cryptdevice}" | cut -d: -f2)" - cryptoptions="$(echo "${cryptdevice}" | cut -d: -f3)" - else - DEPRECATED_CRYPT=1 - cryptdev="${root}" - cryptname="root" - fi +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" - warn_deprecated() { - echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" - echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." - } - - OLDIFS="${IFS}" - IFS="," - for cryptopt in ${cryptoptions}; do - case ${cryptopt} in - allow-discards) - echo "Enabling TRIM/discard support." - cryptargs="${cryptargs} --allow-discards" + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + if poll_device "${ckdev}" ${rootdelay}; then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$ckdev" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + umount /ckey ;; *) - echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$ckdev" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 ;; esac - done - IFS="${OLDIFS}" + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi - if poll_device "${cryptdev}" ${rootdelay}; then - if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - dopassphrase=1 - # If keyfile exists, try to use that - if [ -f ${ckeyfile} ]; then - if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; then - dopassphrase=0 - else - echo "Invalid keyfile. Reverting to passphrase." - fi - fi - # Ask for a passphrase - if [ ${dopassphrase} -gt 0 ]; then - echo "" - echo "A password is required to access the ${cryptname} volume:" + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi - #loop until we get a real password - while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; do - sleep 2; - done - fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 - fi - elif [ -n "${crypto}" ]; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - msg "Non-LUKS encrypted device found..." - if [ $# -ne 5 ]; then - err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" - err "Non-LUKS decryption not attempted..." - return 1 - fi - exe="/sbin/cryptsetup create ${cryptname} ${cryptdev} ${cryptargs}" - tmp=$(echo "${crypto}" | cut -d: -f1) - [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f2) - [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f3) - [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f4) - [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\"" - tmp=$(echo "${crypto}" | cut -d: -f5) - [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\"" - if [ -f ${ckeyfile} ]; then - exe="${exe} --key-file ${ckeyfile}" + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + echo "Enabling TRIM/discard support." + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if poll_device "${cryptdev}" ${rootdelay}; then + if cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 else - exe="${exe} --verify-passphrase" - echo "" - echo "A password is required to access the ${cryptname} volume:" + echo "Invalid keyfile. Reverting to passphrase." fi - eval "${exe} ${CSQUIET}" + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" - if [ $? -ne 0 ]; then - err "Non-LUKS device decryption failed. verify format: " - err " crypto=hash:cipher:keysize:offset:skip" - exit 1 + #loop until we get a real password + while ! eval cryptsetup luksOpen ${cryptdev} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup create $cryptname $cryptdev $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + exe="$exe --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" fi else - err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." fi - rm -f ${ckeyfile} fi + rm -f ${ckeyfile} } + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/core/cryptsetup/encrypt_install b/core/cryptsetup/encrypt_install index 9ed50e863..79d2f3e4b 100644 --- a/core/cryptsetup/encrypt_install +++ b/core/cryptsetup/encrypt_install @@ -1,26 +1,39 @@ -# vim: set ft=sh: +#!/bin/bash -build() -{ +build() { if [ -z "${CRYPTO_MODULES}" ]; then - MODULES=" dm-crypt $(all_modules "/crypto/") " + MODULES=" dm-crypt $(all_modules "/crypto/")" else - MODULES=" dm-crypt ${CRYPTO_MODULES} " + MODULES=" dm-crypt $CRYPTO_MODULES" fi FILES="" SCRIPT="encrypt" - [ -f "/sbin/cryptsetup" ] && add_binary "/sbin/cryptsetup" "/sbin/cryptsetup" - [ -f "/usr/sbin/cryptsetup" ] && add_binary "/usr/sbin/cryptsetup" "/sbin/cryptsetup" - add_binary "/sbin/dmsetup" + + add_binary "cryptsetup" + add_binary "dmsetup" add_file "/usr/lib/udev/rules.d/10-dm.rules" add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" } -help () -{ -cat<<HELPEOF - This hook allows for an encrypted root device. +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. HELPEOF } + +# vim: set ft=sh ts=4 sw=4 et: |