From 6fe21269e5d54c52c168eac40225dca12a79c355 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Thu, 28 Jun 2012 01:55:40 +0200 Subject: cryptsetup: use systemd-cryptsetup rather than rolling our own WORK IN PROGRESS; COMPLETELY UNTESTED! In addition to supporting whatever systemd supports, we also support all our own ways of specifying passphrases. We have to look into how our "options" support differs from systemd's and what we want to do about that. Signed-off-by: Tom Gundersen --- functions | 73 ++++++++++++++++----------------------------------------------- 1 file changed, 18 insertions(+), 55 deletions(-) (limited to 'functions') diff --git a/functions b/functions index 000cd60..d8fdb34 100644 --- a/functions +++ b/functions @@ -382,52 +382,21 @@ activate_vgs() { } do_unlock() { - # $1 = requested name - # $2 = source device - # $3 = password - # $4 = options - stat_append "${1}.." - local open=create a=$1 b=$2 failed=0 - # Ordering of options is different if you are using LUKS vs. not. - # Use ugly swizzling to deal with it. - # isLuks only gives an exit code but no output to stdout or stderr. - if cryptsetup isLuks "$2" 2>/dev/null; then - open=luksOpen - a=$2 - b=$1 + local name=$1 device=$2 password=$3 options=$4 fi case $3 in SWAP) - local _overwriteokay=0 - if [[ -b $2 && -r $2 ]]; then - # This is DANGEROUS! If there is any known file system, - # partition table, RAID or LVM volume on the device - # we don't overwrite it. - # - # 'blkid' returns 2 if no valid signature has been found. - # Only in this case we should allow overwriting the device. - # - # This sanity check _should_ be sufficient, but it might not. - # This may cause dataloss if it is not used carefully. - blkid -p "$2" &>/dev/null - (( $? == 2 )) && _overwriteokay=1 - fi - if (( _overwriteokay == 0 )); then - false - elif cryptsetup -d /dev/urandom $4 $open "$a" "$b" >/dev/null; then - stat_append "creating swapspace.." - mkswap -f -L $1 /dev/mapper/$1 >/dev/null - fi;; + $password="/dev/urandom" + $options+=",swap" ASK) - printf "\nOpening '$1' volume:\n" - cryptsetup $4 $open "$a" "$b" < /dev/console;; + $password="none" /dev*) local ckdev=${3%%:*} local cka=${3#*:} local ckb=${cka#*:} local cka=${cka%:*} - local ckfile=/dev/ckfile - local ckdir=/dev/ckdir + local ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) + local ckdir=/run/initscripts-cryptsetup/drive case ${cka} in *[!0-9]*) # Use a file on the device @@ -442,36 +411,30 @@ do_unlock() { # cka is numeric: cka=offset, ckb=length dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;; esac - cryptsetup -d ${ckfile} $4 $open "$a" "$b" >/dev/null - dd if=/dev/urandom of=${ckfile} bs=1 count=$(stat -c %s ${ckfile}) conv=notrunc >/dev/null 2>&1 - rm ${ckfile};; + $password="${ckfile}" /*) - cryptsetup -d "$3" $4 $open "$a" "$b" >/dev/null;; *) printf "${C_FAIL}crypttab contains a literal encryption key. This will stop working in the future.${C_OTHER}\n" - echo "$3" | cryptsetup $4 $open "$a" "$b" >/dev/null;; + $password=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) + echo "$3" > $password esac - if (( $? )); then - failed=1 - stat_append "failed " - else - stat_append "ok " - fi - return $failed + /usr/lib/systemd/systemd-cryptsetup $name $device $password $options & } read_crypttab() { # $1 = function to call with the split out line from the crypttab - local line nspo failed=0 + local line nspo failed + mkdir -p /run/initscripts-cryptsetup while read line; do [[ $line && $line != '#'* ]] || continue eval nspo=("${line%#*}") - if $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"; then - crypto_unlocked=1 - else - failed=1 - fi + $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}" done < /etc/crypttab + systemd-tty-ask-password-agent --query --console + failed=$? + wait + shred /run/initsrcipts-cryptsetup/key* + rm -rf /run/initscripts-cryptsetup return $failed } -- cgit v1.2.3-54-g00ecf From b2c9096cf0be6d655550ae880da8735ef048fc10 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Fri, 29 Jun 2012 15:26:59 +0200 Subject: Revert "cryptsetup: use systemd-cryptsetup rather than rolling our own" This reverts commit 6fe21269e5d54c52c168eac40225dca12a79c355. git failure. this was not meant to be in master. nowhere near ready for that :) --- functions | 73 +++++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 18 deletions(-) (limited to 'functions') diff --git a/functions b/functions index d8fdb34..000cd60 100644 --- a/functions +++ b/functions @@ -382,21 +382,52 @@ activate_vgs() { } do_unlock() { - local name=$1 device=$2 password=$3 options=$4 + # $1 = requested name + # $2 = source device + # $3 = password + # $4 = options + stat_append "${1}.." + local open=create a=$1 b=$2 failed=0 + # Ordering of options is different if you are using LUKS vs. not. + # Use ugly swizzling to deal with it. + # isLuks only gives an exit code but no output to stdout or stderr. + if cryptsetup isLuks "$2" 2>/dev/null; then + open=luksOpen + a=$2 + b=$1 fi case $3 in SWAP) - $password="/dev/urandom" - $options+=",swap" + local _overwriteokay=0 + if [[ -b $2 && -r $2 ]]; then + # This is DANGEROUS! If there is any known file system, + # partition table, RAID or LVM volume on the device + # we don't overwrite it. + # + # 'blkid' returns 2 if no valid signature has been found. + # Only in this case we should allow overwriting the device. + # + # This sanity check _should_ be sufficient, but it might not. + # This may cause dataloss if it is not used carefully. + blkid -p "$2" &>/dev/null + (( $? == 2 )) && _overwriteokay=1 + fi + if (( _overwriteokay == 0 )); then + false + elif cryptsetup -d /dev/urandom $4 $open "$a" "$b" >/dev/null; then + stat_append "creating swapspace.." + mkswap -f -L $1 /dev/mapper/$1 >/dev/null + fi;; ASK) - $password="none" + printf "\nOpening '$1' volume:\n" + cryptsetup $4 $open "$a" "$b" < /dev/console;; /dev*) local ckdev=${3%%:*} local cka=${3#*:} local ckb=${cka#*:} local cka=${cka%:*} - local ckfile=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) - local ckdir=/run/initscripts-cryptsetup/drive + local ckfile=/dev/ckfile + local ckdir=/dev/ckdir case ${cka} in *[!0-9]*) # Use a file on the device @@ -411,30 +442,36 @@ do_unlock() { # cka is numeric: cka=offset, ckb=length dd if=${ckdev} of=${ckfile} bs=1 skip=${cka} count=${ckb} >/dev/null 2>&1;; esac - $password="${ckfile}" + cryptsetup -d ${ckfile} $4 $open "$a" "$b" >/dev/null + dd if=/dev/urandom of=${ckfile} bs=1 count=$(stat -c %s ${ckfile}) conv=notrunc >/dev/null 2>&1 + rm ${ckfile};; /*) + cryptsetup -d "$3" $4 $open "$a" "$b" >/dev/null;; *) printf "${C_FAIL}crypttab contains a literal encryption key. This will stop working in the future.${C_OTHER}\n" - $password=$(mktemp /run/initscripts-cryptsetup/key-XXXXXX) - echo "$3" > $password + echo "$3" | cryptsetup $4 $open "$a" "$b" >/dev/null;; esac - /usr/lib/systemd/systemd-cryptsetup $name $device $password $options & + if (( $? )); then + failed=1 + stat_append "failed " + else + stat_append "ok " + fi + return $failed } read_crypttab() { # $1 = function to call with the split out line from the crypttab - local line nspo failed - mkdir -p /run/initscripts-cryptsetup + local line nspo failed=0 while read line; do [[ $line && $line != '#'* ]] || continue eval nspo=("${line%#*}") - $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}" + if $1 "${nspo[0]}" "${nspo[1]}" "${nspo[2]}" "${nspo[*]:3}"; then + crypto_unlocked=1 + else + failed=1 + fi done < /etc/crypttab - systemd-tty-ask-password-agent --query --console - failed=$? - wait - shred /run/initsrcipts-cryptsetup/key* - rm -rf /run/initscripts-cryptsetup return $failed } -- cgit v1.2.3-54-g00ecf From 267d36a1c80a69342d9dda264b4b60f656ea20cf Mon Sep 17 00:00:00 2001 From: Florian Pritz Date: Fri, 29 Jun 2012 16:14:58 +0200 Subject: Remove sed from bootlog_stop() bootlogd from our sysvinit package now removes all escape codes directly so this (incomplete) sed call is no longer needed. Signed-off-by: Florian Pritz Signed-off-by: Tom Gundersen --- functions | 2 -- 1 file changed, 2 deletions(-) (limited to 'functions') diff --git a/functions b/functions index 000cd60..16f8d8f 100644 --- a/functions +++ b/functions @@ -588,8 +588,6 @@ bootlogd_stop() { touch /var/log/boot kill $(< /run/bootlogd.pid) rm -f /run/bootlogd.pid - sed -i -r -e 's/\^\[\[[0-9]?;?[0-9]?[0-9]?;?[0-9]?[0-9]?[ms]//g' \ - -e 's/\^\[(\[1?[0-9][0-9]|%)G//g' -e 's/\^\[\[0;1//g' /var/log/boot } ############################### -- cgit v1.2.3-54-g00ecf