# # This file is for inclusion with # . /lib/cryptsetup/cryptdisks-functions # and should not be executed directly. PATH="/usr/sbin:/usr/bin:/sbin:/bin" CRYPTDISKS_ENABLE="Yes" #set -x # Sanity check #1 [ -x /sbin/cryptsetup ] || exit 0 . /lib/lsb/init-functions . /lib/cryptsetup/functions if [ -r /etc/default/cryptdisks ]; then . /etc/default/cryptdisks fi MOUNT="$CRYPTDISKS_MOUNT" # do_start() # Unlock all devices in the crypttab(5) do_start() { [ -s "$TABFILE" ] || return 0 # Create locking directory before invoking cryptsetup(8) to avoid warnings mkdir -pm0700 /run/cryptsetup modprobe -qb dm-mod || true modprobe -qb dm-crypt || true dmsetup mknodes >/dev/null 2>&1 || true if [ "$INITSTATE" != "init" ]; then log_action_begin_msg "Starting $INITSTATE crypto disks" fi mount_fs crypttab_foreach_entry _do_start_callback umount_fs log_action_end_msg 0 } _do_start_callback() { setup_mapping || log_action_end_msg $? } # mount_fs() # Premounts file systems mount_fs() { local point MOUNTED="" for point in $MOUNT; do if mount "$point" >/dev/null; then MOUNTED="$MOUNTED $point" fi done } # Postunmounts file systems umount_fs() { local point for point in $MOUNTED; do umount "$point" >/dev/null done } # setup_mapping() # Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, # $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. setup_mapping() { if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then device_msg "running" return 0 fi local loud="${DEFAULT_LOUD:-}" crypttab_parse_options --export --missing-path=fail || return 1 if [ -n "${CRYPTTAB_OPTION_quiet+x}" ]; then loud="no" elif [ -n "${CRYPTTAB_OPTION_loud+x}" ]; then loud="yes" fi if [ -z "${FORCE_START-}" ]; then if [ "$INITSTATE" = "early" -a -n "${CRYPTTAB_OPTION_noearly+x}" ] || [ "$INITSTATE" != "manual" -a -n "${CRYPTTAB_OPTION_noauto+x}" ]; then device_msg "ignored" return 0 fi fi if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then if ! crypttab_key_check; then device_msg "invalid key" return 1 fi CRYPTTAB_OPTION_tries=1 fi if ! crypttab_resolve_source; then if [ "$loud" = "yes" ]; then device_msg "skipped, device $CRYPTTAB_SOURCE does not exist" fi return 1 fi device_msg "starting" local out tmpdev if [ "$CRYPTTAB_TYPE" != "luks" ] && [ "$CRYPTTAB_TYPE" != "bitlk" ]; then # fail if the device has a filesystem and the disk encryption format doesn't # verify the key digest (unlike LUKS); unless it's swap, otherwise people can't # easily convert an existing plainttext swap partition to an encrypted one if ! out="$(/lib/cryptsetup/checks/un_blkid "$CRYPTTAB_SOURCE" 2>/dev/null)" && ! /lib/cryptsetup/checks/blkid "$CRYPTTAB_SOURCE" swap >/dev/null; then log_warning_msg "$CRYPTTAB_NAME: the precheck for '$CRYPTTAB_SOURCE' failed: $out" return 1 fi fi local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype rv local target="$CRYPTTAB_NAME" CRYPTTAB_NAME="${CRYPTTAB_NAME}_unformatted" # XXX potential conflict while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then # unlock via keyfile unlock_mapping "$CRYPTTAB_KEY" else # unlock interactively or via keyscript CRYPTTAB_NAME="$target" run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping fi rv=$? count=$(( $count + 1 )) if [ $rv -ne 0 ] || ! tmpdev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then continue fi if [ -n "${CRYPTTAB_OPTION_check+x}" ] && \ ! "$CRYPTTAB_OPTION_check" "$tmpdev" $CRYPTTAB_OPTION_checkargs ; then log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed" cryptsetup remove -- "$CRYPTTAB_NAME" continue fi if [ "${CRYPTTAB_OPTION_swap+x}" ]; then if out="$(/lib/cryptsetup/checks/un_blkid "$tmpdev" 2>/dev/null)" || /lib/cryptsetup/checks/blkid "$tmpdev" swap >/dev/null 2>&1; then mkswap "$tmpdev" >/dev/null 2>&1 else log_warning_msg "$target: the check for '$CRYPTTAB_NAME' failed. $CRYPTTAB_NAME contains data: $out" cryptsetup remove -- "$CRYPTTAB_NAME" return 1 fi elif [ "${CRYPTTAB_OPTION_tmp+x}" ]; then local tmpdir="$(mktemp --tmpdir="/run/cryptsetup" --directory)" rv=0 if ! mkfs -t "$CRYPTTAB_OPTION_tmp" -q "$tmpdev" >/dev/null 2>&1 || ! mount -t "$CRYPTTAB_OPTION_tmp" "$tmpdev" "$tmpdir" || ! chmod 1777 "$tmpdir"; then rv=1 fi umount "$tmpdir" || true rmdir "$tmpdir" || true [ $rv -eq 0 ] || return $rv fi if command -v udevadm >/dev/null 2>&1; then udevadm settle fi dmsetup rename -- "$CRYPTTAB_NAME" "$target" device_msg "$target" "started" return 0 done device_msg "$target" "failed" return 1 } # Removes all mappings in crypttab, except the ones holding the root # file system or /usr do_stop() { local devno_rootfs devno_usr dmsetup mknodes log_action_begin_msg "Stopping $INITSTATE crypto disks" devno_rootfs="$(get_mnt_devno /)" || devno_rootfs="" devno_usr="$(get_mnt_devno /usr)" || devno_usr="" crypttab_foreach_entry _do_stop_callback log_action_end_msg 0 } _do_stop_callback() { local i rv=0 skip="n" # traverse the device tree for each crypttab(5) entry, that's # suboptimal but we can't use mapped device names as they might # contain any character other than NUL. shouldn't be much overhead # anyway as the device tree is likely not that long foreach_cryptdev _do_stop_skipped $devno_rootfs $devno_usr if [ "$skip" = "n" ]; then for i in 1 2 4 8 16 32; do remove_mapping "$CRYPTTAB_NAME" 3<&- && break || rv=$? if [ $rv -eq 1 ] || [ $rv -eq 2 -a $i -gt 16 ]; then log_action_end_msg $rv break fi log_action_cont_msg "$CRYPTTAB_NAME busy..." sleep $i done fi } _do_stop_skipped() { if [ "$1" = "$CRYPTTAB_NAME" ]; then skip="y" fi } # device_msg([$name], $message) # Convenience function to handle $VERBOSE device_msg() { local name message if [ $# -eq 1 ]; then name="$CRYPTTAB_NAME" message="$1" else name="$1" message="$2" fi if [ "$VERBOSE" != "no" ]; then log_action_cont_msg "$name ($message)" fi } # remove_mapping($target) # Remove mapping $target remove_mapping() { local CRYPTTAB_NAME="$1" if ! dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then device_msg "stopped" return 0 fi if [ "$(dmsetup info --noheadings -c -o subsystem -- "$CRYPTTAB_NAME")" != "CRYPT" ]; then device_msg "error" return 1 fi local opencount="$(dmsetup info -c --noheadings -o open -- "$CRYPTTAB_NAME" 2>/dev/null || true)" if [ -z "$opencount" ]; then device_msg "error" return 1 elif [ "$opencount" != "0" ]; then device_msg "busy" if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then return 1 elif [ "$INITSTATE" = "remaining" ]; then return 2 fi return 0 fi if cryptsetup remove -- "$CRYPTTAB_NAME"; then device_msg "stopping" return 0 else device_msg "error" return 1 fi } # vim: set filetype=sh :