#!/bin/sh
#
# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
#

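# Make sure the kernel modules the reencryption needs are loaded.
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

[ -d /sys/module/loop ] || modprobe loop

# A previous run already finished: the marker is created at the end of this
# script, so the device is never reencrypted twice.
[ -f /tmp/reencrypted ] && exit 0

# expected to provide info(), warn() and emergency_shell() used below
. /lib/dracut-lib.sh

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

# PARAMS is a whitespace-separated argument list for cryptsetup-reencrypt;
# it is deliberately expanded unquoted by the caller (plain sh has no arrays).
PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
# The keyslot is optional: an empty $3 must not append a bare "-S" with no
# value, which would make cryptsetup-reencrypt reject its command line.
if [ -n "$3" ] && [ "$3" != "any" ]; then
    PARAMS="$PARAMS -S $3"
fi

if [ -n "$4" ]; then
    PARAMS="$PARAMS --device-size $4"
fi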

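# Print the contents of a key file living on another device to stdout.
# Arguments: $1 - "<keydev>:<path>": something mount(8) accepts, and the
#                 key file's path relative to the root of that filesystem
# Outputs:   the key file's bytes on stdout; diagnostics on stderr
# Returns:   0 when the device mounted and the file was read, non-zero
#            otherwise (mount point unusable, mount failed, file unreadable)
reenc_readkey() {
    keypath="${1#*:}"
    keydev="${1%%:*}"

    mntp="/tmp/reencrypted-mount-tmp"
    _rc=1

    # A stale or foreign directory at $mntp must not be used as a mount point;
    # the original ignored mkdir's status and went on regardless.
    mkdir "$mntp" || return 1
    if mount -r "$keydev" "$mntp"; then
        cat "$mntp/$keypath"
        _rc=$?
        umount "$mntp"
    fi
    # rmdir, never rm -r: if umount failed, rm -r would delete files on the
    # still-mounted key device through the mount point. rmdir only succeeds on
    # the empty directory we created and fails harmlessly otherwise.
    rmdir "$mntp"
    return $_rc
}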

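# shellcheck disable=SC2086
# Run cryptsetup-reencrypt-verbose on $device, either prompting for the
# passphrase through plymouth or feeding it the key read by reenc_readkey.
# Globals:   device, PARAMS (read); _ret (written: exit status of the
#            reencrypt step, or 1 when /tmp cannot be entered)
# Arguments: $1 - "keydev:path" of a key file, or "none" to prompt
#            $2 - keyslot number, or "any"
# Returns:   0 on success, non-zero when changing directory failed
reenc_run() {
    cwd=$(pwd)
    _prompt="LUKS password for REENCRYPTING $device"
    # the original ignored a failed cd (SC2164); without it $_ret would be
    # left unset for the caller's status check
    cd /tmp || { _ret=1; return 1; }
    udevadm settle
    if [ "$1" = "none" ] ; then
        # an empty keyslot would otherwise produce ", using keyslot " in the prompt
        if [ -n "$2" ] && [ "$2" != "any" ]; then
            _prompt="$_prompt, using keyslot $2"
        fi
        # $PARAMS is unquoted on purpose: it is a pre-built argument list
        /bin/plymouth ask-for-password \
            --prompt "$_prompt" \
            --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
    else
        info "REENCRYPT using key $1"
        # NOTE: plain sh has no pipefail, so the status captured below is
        # cryptsetup's, not reenc_readkey's
        reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
    fi
    _ret=$?
    # quoted: a cwd containing whitespace must not be split into several args
    cd "$cwd" || return 1
}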

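info "REENCRYPT $device requested"
# flock against other interactive activities
{ flock -s 9;
    # Quoted, with the defaults implied by the usage header (no keyfile ->
    # prompt, no keyslot -> any): unquoted, an absent $2 shifted the keyslot
    # into reenc_run's first argument, where it was then treated as a key file.
    reenc_run "${2:-none}" "${3:-any}"
} 9>/.console_lock

# _ret is set by reenc_run in this shell (brace group, not a subshell);
# treat "never set" as failure
if [ "${_ret:-1}" -eq 0 ]; then
    # do not ask again: the marker makes the early exit at the top fire
    : >> /tmp/reencrypted
    warn "Reencryption of device $device has finished successfully. Use previous"
    warn "initramfs image (without reencrypt module) to boot the system. When"
    warn "you leave the emergency shell, the system will reboot."

    emergency_shell -n "(reboot)"
    [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
    [ -x /sbin/shutdown ] && /sbin/shutdown -r now
fi

# panic the kernel otherwise
exit 1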