diff options
Diffstat (limited to 'debian/initramfs/scripts')
-rw-r--r-- | debian/initramfs/scripts/local-block/cryptroot | 20 | ||||
-rw-r--r-- | debian/initramfs/scripts/local-bottom/cryptgnupg-sc | 18 | ||||
-rw-r--r-- | debian/initramfs/scripts/local-bottom/cryptopensc | 32 | ||||
-rw-r--r-- | debian/initramfs/scripts/local-top/cryptopensc | 37 | ||||
-rw-r--r-- | debian/initramfs/scripts/local-top/cryptroot | 223 |
5 files changed, 330 insertions, 0 deletions
diff --git a/debian/initramfs/scripts/local-block/cryptroot b/debian/initramfs/scripts/local-block/cryptroot new file mode 100644 index 0000000..8a9b4c0 --- /dev/null +++ b/debian/initramfs/scripts/local-block/cryptroot @@ -0,0 +1,20 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo $PREREQ +} + +case $1 in +# get pre-requisites +prereqs) + prereqs + exit 0 + ;; +esac + +if [ -x /scripts/local-top/cryptroot ]; then + exec /scripts/local-top/cryptroot +fi diff --git a/debian/initramfs/scripts/local-bottom/cryptgnupg-sc b/debian/initramfs/scripts/local-bottom/cryptgnupg-sc new file mode 100644 index 0000000..47be70b --- /dev/null +++ b/debian/initramfs/scripts/local-bottom/cryptgnupg-sc @@ -0,0 +1,18 @@ +#!/bin/sh + +PREREQ="" + +prereqs() { + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +if [ -x /usr/bin/gpgconf ] && [ -d "/cryptroot/gnupghome" ]; then + gpgconf --homedir="/cryptroot/gnupghome" --kill all +fi diff --git a/debian/initramfs/scripts/local-bottom/cryptopensc b/debian/initramfs/scripts/local-bottom/cryptopensc new file mode 100644 index 0000000..4de8f48 --- /dev/null +++ b/debian/initramfs/scripts/local-bottom/cryptopensc @@ -0,0 +1,32 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +# Hook for stopping smartcard reading software + +if [ ! -x /usr/sbin/pcscd ]; then + exit 0 +fi + +. /scripts/functions + +if PID="$(cat /run/pcscd.pid)" 2>/dev/null && + [ "$(readlink -f "/proc/$PID/exe")" = "/usr/sbin/pcscd" ]; then + log_begin_msg "Stopping pcscd" + kill -TERM "$PID" + log_end_msg +fi diff --git a/debian/initramfs/scripts/local-top/cryptopensc b/debian/initramfs/scripts/local-top/cryptopensc new file mode 100644 index 0000000..344acc6 --- /dev/null +++ b/debian/initramfs/scripts/local-top/cryptopensc @@ -0,0 +1,37 @@ +#!/bin/sh + +set -e + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in + prereqs) + prereqs + exit 0 + ;; +esac + +# Hook for starting smartcard reading software + +if [ ! -x /usr/sbin/pcscd ]; then + exit 0 +fi + +. /scripts/functions + +# Start pcscd daemon normally: +# start-stop-daemon --start --quiet \ +# --pidfile /run/pcscd.pid \ +# --exec /usr/sbin/pcscd +# Alternatively, start pcscd daemon in foreground so that it's pretty colored +# output may be seen on the console, useful for watching error messages since +# pcscd uses syslog which is not available (use --error or --critical to filter +# out debug message clutter): +# /usr/sbin/pcscd --error --foreground & +/usr/sbin/pcscd --foreground & +echo $! >/run/pcscd.pid diff --git a/debian/initramfs/scripts/local-top/cryptroot b/debian/initramfs/scripts/local-top/cryptroot new file mode 100644 index 0000000..6a831cd --- /dev/null +++ b/debian/initramfs/scripts/local-top/cryptroot @@ -0,0 +1,223 @@ +#!/bin/sh + +PREREQ="cryptroot-prepare" + +# +# Standard initramfs preamble +# +prereqs() +{ + # Make sure that cryptroot is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + + +# wait_for_source() +# Wait for encrypted $CRYPTTAB_SOURCE for up to 180s. Set +# $CRYPTTAB_SOURCE to its normalized device name when it shows up; +# return 1 if timeout. +wait_for_source() { + wait_for_udev 10 + + if crypttab_resolve_source; then + # the device is here already, no need to loop + return 0 + fi + + # The lines below has been taken from + # /usr/share/initramfs-tools/scripts/local's local_device_setup(), + # as suggested per https://launchpad.net/bugs/164044 + + # If the source device hasn't shown up yet, give it a little while + # to allow for asynchronous device discovery (e.g. USB). + + cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..." + + # Default delay is 180s, cf. initramfs-tools(8) + local slumber="${ROOTDELAY:-180}" + while [ $slumber -gt 0 ]; do + sleep 1 + + if [ -x /scripts/local-block/lvm2 ]; then + # activate any VG that might hold $CRYPTTAB_SOURCE + /scripts/local-block/lvm2 "$CRYPTTAB_SOURCE" + fi + + if crypttab_resolve_source; then + wait_for_udev 10 + return 0 + fi + + slumber=$(( $slumber - 1 )) + done + return 1 +} + +# setup_mapping() +# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, +# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. +setup_mapping() { + local dev + + # The same target can be specified multiple times + # e.g. root and resume lvs-on-lvm-on-crypto + if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + return 0 + fi + + crypttab_parse_options --export --missing-path=fail || return 1 + + if ! wait_for_source; then + # we've given up + if [ -n "$panic" ]; then + panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + else + # let the user fix matters if they can + echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + echo " Check cryptopts=source= bootarg: cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules; ls /dev" + panic "Dropping to a shell." + fi + return 1 # can't continue because environment is lost + fi + + # our `cryptroot-unlock` script searches for cryptsetup processes + # with a given CRYPTTAB_NAME it their environment + export CRYPTTAB_NAME + + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + # no keyscript: interactive unlocking, or key file + + if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then + # skip the mapping for now if the root FS is not mounted yet + sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1 + # substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise + CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" + fi + + if [ "$CRYPTTAB_KEY" != "none" ]; then + if [ ! -e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY" + return 1 + fi + # try only once if we have a key file + CRYPTTAB_OPTION_tries=1 + fi + fi + + get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device + local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv + while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + # unlock via keyfile + unlock_mapping "$CRYPTTAB_KEY" + else + # unlock interactively or via keyscript + run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping + fi + rv=$? + count=$(( $count + 1 )) + + if [ $rv -ne 0 ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?" + sleep 1 + continue + elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping" + return 1 + fi + + if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + # bad password for plain dm-crypt device? or mkfs not run yet? + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?" + wait_for_udev 10 + /sbin/cryptsetup remove -- "$CRYPTTAB_NAME" + sleep 1 + continue + fi + elif [ "$fstype" = lvm2 ]; then + if [ ! -x /sbin/lvm ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available" + return 1 + elif vg="$(lvm pvs --noheadings -o vg_name --config 'log{prefix=""}' -- "$dev")"; then + # activate the VG held by the PV we just unlocked + lvm lvchange -a y --sysinit --ignoreskippedcluster -- "$vg" + fi + fi + + cryptsetup_message "$CRYPTTAB_NAME: set up successfully" + wait_for_udev 10 + return 0 + done + + cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded" + exit 1 +} + + +####################################################################### +# Begin real processing + +mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5) + +# Do we have any kernel boot arguments? +if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then + # ensure $TABFILE exists and has a mtime greater than the boot time + # (existing $TABFILE is preserved) + touch -- "$TABFILE" +else + # let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline + tr ' ' '\n' </proc/cmdline | sed -n 's/^cryptopts=//p' | while IFS= read cryptopts; do + # skip empty values (which can be used to disable the initramfs + # scripts for a particular boot, cf. #873840) + [ -n "$cryptopts" ] || continue + unset -v target source key options + + IFS="," + for x in $cryptopts; do + case "$x" in + target=*) target="${x#target=}";; + source=*) source="${x#source=}";; + key=*) key="${x#key=}";; + *) options="${options+$options,}$x";; + esac + done + + if [ -z "${source:+x}" ]; then + cryptsetup_message "ERROR: Missing source= value in kernel parameter cryptopts=$cryptopts" + else + # preserve mangling + printf '%s %s %s %s\n' "${target:-cryptroot}" "$source" "${key:-none}" "${options-}" + fi + done >"$TABFILE" +fi + +# Do we have any settings from the $TABFILE? +if [ -s "$TABFILE" ]; then + # Create locking directory before invoking cryptsetup(8) to avoid warnings + mkdir -pm0700 /run/cryptsetup + modprobe -q dm_crypt + + crypttab_foreach_entry setup_mapping +fi + +exit 0 |