Diffstat (limited to 'misc/dracut_90reencrypt/reencrypt.sh')
-rwxr-xr-x | misc/dracut_90reencrypt/reencrypt.sh | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
new file mode 100755
index 0000000..db09e64
--- /dev/null
+++ b/misc/dracut_90reencrypt/reencrypt.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
+#
+
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
+[ -d /sys/module/loop ] || modprobe loop
+
+[ -f /tmp/reencrypted ] && exit 0
+
+. /lib/dracut-lib.sh
+
+# if device name is /dev/dm-X, convert to /dev/mapper/name
+if [ "${1##/dev/dm-}" != "$1" ]; then
+ device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+else
+ device="$1"
+fi
+
+PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
+if [ "$3" != "any" ]; then
+ PARAMS="$PARAMS -S $3"
+fi
+
+if [ -n "$4" ]; then
+ PARAMS="$PARAMS --device-size $4"
+fi
+
+reenc_readkey() {
+ keypath="${1#*:}"
+ keydev="${1%%:*}"
+
+ mntp="/tmp/reencrypted-mount-tmp"
+ mkdir "$mntp"
+ mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
+ umount "$mntp"
+ rm -r "$mntp"
+}
+
+# shellcheck disable=SC2086
+# shellcheck disable=SC2164
+reenc_run() {
+ cwd=$(pwd)
+ _prompt="LUKS password for REENCRYPTING $device"
+ cd /tmp
+ udevadm settle
+ if [ "$1" = "none" ] ; then
+ if [ "$2" != "any" ]; then
+ _prompt="$_prompt, using keyslot $2"
+ fi
+ /bin/plymouth ask-for-password \
+ --prompt "$_prompt" \
+ --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
+ else
+ info "REENCRYPT using key $1"
+ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
+ fi
+ _ret=$?
+ cd $cwd
+}
+
+info "REENCRYPT $device requested"
+# flock against other interactive activities
+# shellcheck disable=SC2086
+{ flock -s 9;
+ reenc_run $2 $3
+} 9>/.console_lock
+
+if [ $_ret -eq 0 ]; then
+ # do not ask again
+ # shellcheck disable=SC2188
+ >> /tmp/reencrypted
+ warn "Reencryption of device $device has finished successfully. Use previous"
+ warn "initramfs image (without reencrypt module) to boot the system. When"
+ warn "you leave the emergency shell, the system will reboot."
+
+ emergency_shell -n "(reboot)"
+ [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
+ [ -x /sbin/shutdown ] && /sbin/shutdown -r now
+fi
+
+# panic the kernel otherwise
+exit 1
|
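Review bot: `reenc_readkey` never checks `mkdir` or `mount`; when the mount fails it still runs `umount` and `rm -r` on the mount point and pipes an empty stream into `cryptsetup-reencrypt-verbose -d -`, and because `_ret=$?` in `reenc_run` takes the status of the last pipeline stage, the caller only ever sees the cryptsetup failure, not the key-read failure. `rm -r "$mntp"` is also the wrong cleanup for a mount point: if `umount` fails it recurses into the still-mounted key device (mounted `-r` here, so it should fail rather than delete, but `rmdir` expresses the intent and cannot recurse). I would additionally quote the call site as `reenc_run "$2" "$3"` so an empty keyfile argument cannot shift the keyslot into `$1`; the SC2086 disable above it suggests the unquoted form was deliberate, so this may be intentional. A reader that fails early and reports the failure is sketched below; the pipeline still masks its return status, so the `warn` is what makes the failure visible.

```shell
reenc_readkey() {
    keypath="${1#*:}"
    keydev="${1%%:*}"

    mntp="/tmp/reencrypted-mount-tmp"
    mkdir "$mntp" || { warn "REENCRYPT: cannot create $mntp"; return 1; }
    if ! mount -r "$keydev" "$mntp"; then
        warn "REENCRYPT: cannot mount key device $keydev"
        rmdir "$mntp"
        return 1
    fi
    cat "$mntp/$keypath"
    _rv=$?
    umount "$mntp"
    rmdir "$mntp"
    return $_rv
}
```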