1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
|
if [ "${0#/usr/share/initramfs-tools/hooks/}" != "$0" ] ||
[ "${0#/etc/initramfs-tools/hooks/}" != "$0" ]; then
# called from an initramfs-tools hook script
TABFILE="$DESTDIR/cryptroot/crypttab"
elif [ "${0#/scripts/}" != "$0" ]; then
# called at initramfs stage from a boot script
TABFILE="/cryptroot/crypttab"
CRYPTROOT_COUNT_FILE="/run/cryptroot.initrd.cnt"
else
TABFILE="${TABFILE-/etc/crypttab}"
fi
export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8)
# Logging helpers. Send the argument list to plymouth(1), or fold it
# and print it to the standard error.
cryptsetup_message() {
local IFS=' '
if [ "${0#/scripts/}" != "$0" ] && [ -x /bin/plymouth ] && plymouth --ping; then
plymouth message --text="cryptsetup: $*"
elif [ ${#*} -lt 70 ]; then
echo "cryptsetup: $*" >&2
else
# use busybox's fold(1) and sed(1) at initramfs stage
echo "cryptsetup: $*" | fold -s | sed '1! s/^/ /' >&2
fi
return 0
}
# crypttab_parse_options([--export], [--quiet], [--missing-path={ignore|warn|fail}])
# Parse $_CRYPTTAB_OPTIONS, a comma-separated option string from the
# crypttab(5) 4th column, and sets corresponding variables
# CRYPTTAB_OPTION_<option>=<value> (which are added to the environment
# if --export is set). If --path-exists isn't set to "ignore" (the
# default), then options taking a file name, such as header=<path>,
# need to point to an existing path, otherwise a warning is printed;
# and an error is raised if the value is set to "fail".
# For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY)
# should be set to the (unmangled) mapped device name (resp. key
# file).
# Moreover CRYPTTAB_TYPE is set the device type.
# Return 1 on parsing error, 0 otherwise (incl. if unknown options
# were encountered).
crypttab_parse_options() {
local quiet="n" export="n" missing_path="ignore"
while [ $# -gt 0 ]; do
case "$1" in
--quiet) quiet="y";;
--export) export="y";;
--missing-path=*) missing_path="${1#--missing-path=}";;
*) cryptsetup_message "WARNING: crypttab_parse_options(): unknown option $1"
esac
shift
done
local IFS=',' x OPTION VALUE
unset -v CRYPTTAB_OPTION_cipher \
CRYPTTAB_OPTION_size \
CRYPTTAB_OPTION_sector_size \
CRYPTTAB_OPTION_hash \
CRYPTTAB_OPTION_offset \
CRYPTTAB_OPTION_skip \
CRYPTTAB_OPTION_verify \
CRYPTTAB_OPTION_readonly \
CRYPTTAB_OPTION_discard \
CRYPTTAB_OPTION_plain \
CRYPTTAB_OPTION_luks \
CRYPTTAB_OPTION_tcrypt \
CRYPTTAB_OPTION_veracrypt \
CRYPTTAB_OPTION_bitlk \
CRYPTTAB_OPTION_swap \
CRYPTTAB_OPTION_tmp \
CRYPTTAB_OPTION_check \
CRYPTTAB_OPTION_checkargs \
CRYPTTAB_OPTION_tries \
CRYPTTAB_OPTION_initramfs \
CRYPTTAB_OPTION_noearly \
CRYPTTAB_OPTION_noauto \
CRYPTTAB_OPTION_loud \
CRYPTTAB_OPTION_quiet \
CRYPTTAB_OPTION_keyscript \
CRYPTTAB_OPTION_keyslot \
CRYPTTAB_OPTION_header \
CRYPTTAB_OPTION_tcrypthidden
# use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may
# contain '\054' which is decoded to ',' in the latter
for x in $_CRYPTTAB_OPTIONS; do
OPTION="${x%%=*}"
VALUE="${x#*=}"
if [ "$x" = "$OPTION" ]; then
unset -v VALUE
else
VALUE="$(printf '%b' "$VALUE")"
fi
if ! crypttab_validate_option; then
if [ "$quiet" = "n" ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: invalid value for '${x%%=*}' option, skipping"
fi
return 1
elif [ -z "${OPTION+x}" ]; then
continue
fi
if [ "$export" = "y" ]; then
export "CRYPTTAB_OPTION_$OPTION"="${VALUE-yes}"
else
eval "CRYPTTAB_OPTION_$OPTION"='${VALUE-yes}'
fi
done
IFS=" "
# use decrypt_keyctl by default if no keyscript in /etc/crypttab
if [ -z "$CRYPTTAB_OPTION_keyscript" ]; then
CRYPTTAB_OPTION_keyscript="/lib/cryptsetup/scripts/decrypt_keyctl"
fi
if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device
CRYPTTAB_TYPE="plain"
if [ "$quiet" = "n" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \
"assuming default ($CRYPTTAB_TYPE)."
fi
fi
if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices."
fi
if [ "$CRYPTTAB_TYPE" = "plain" ]; then
# the compiled-in default for these are subject to change
options='cipher size'
if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
options="$options hash" # --hash is being ignored in plain mode with keyfile specified
fi
for o in $options; do
if [ "$quiet" = "n" ] && eval [ -z "\${CRYPTTAB_OPTION_$o+x}" ]; then
cryptsetup_message "WARNING: Option '$o' missing in crypttab for plain dm-crypt" \
"mapping $CRYPTTAB_NAME. Please read /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and" \
"add the correct '$o' option to your crypttab(5)."
fi
done
fi
}
# crypttab_validate_option()
# Validate $OPTION=$VALUE (or flag $OPTION if VALUE is unset). return
# 1 on error, unsets OPTION for unknown or useless options.
crypttab_validate_option() {
# option aliases
case "$OPTION" in
read-only) OPTION="readonly";;
key-slot) OPTION="keyslot";;
tcrypt-hidden) OPTION="tcrypthidden";;
tcrypt-veracrypt) OPTION="veracrypt";;
esac
# sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name
local o="$OPTION"
case "$o" in
keyfile-offset) OPTION="keyfile_offset";;
keyfile-size) OPTION="keyfile_size";;
sector-size) OPTION="sector_size";;
esac
case "$o" in
# value must be a non-empty string
cipher|hash)
[ -n "${VALUE:+x}" ] || return 1
;;
# value must be a non-empty string, and an existing path if --missing-path is set
header)
[ -n "${VALUE:+x}" ] || return 1
if [ "$missing_path" != "ignore" ]; then
if [ ! -e "$VALUE" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: $VALUE does not exist";
[ "$missing_path" = "warn" ] || return 1
fi
fi
;;
# numeric options >0
size|keyfile-size|sector-size)
if ! printf '%s' "${VALUE-}" | grep -Exq "0*[1-9][0-9]*"; then
return 1
fi
;;
# numeric options >=0
offset|skip|tries|keyslot|keyfile-offset)
if ! printf '%s' "${VALUE-}" | grep -Exq "[0-9]+"; then
return 1
fi
;;
tmp)
if [ -z "${VALUE+x}" ]; then
VALUE="ext4" # 'tmp flag'
elif [ -z "$VALUE" ]; then
return 1
fi
;;
check)
if [ -z "${VALUE+x}" ]; then
if [ -n "${CRYPTDISKS_CHECK-}" ]; then
VALUE="$CRYPTDISKS_CHECK"
else
unset -v OPTION
return 0
fi
fi
if [ -x "/lib/cryptsetup/checks/$VALUE" ] && [ -f "/lib/cryptsetup/checks/$VALUE" ]; then
VALUE="/lib/cryptsetup/checks/$VALUE"
elif [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
return 1
fi
;;
checkargs)
[ -n "${VALUE+x}" ] || return 1 # must have a value (possibly empty)
;;
keyscript)
[ -n "${VALUE:+x}" ] || return 1 # must have a value
if [ "${VALUE#/}" = "$VALUE" ]; then
VALUE="/lib/cryptsetup/scripts/$VALUE"
fi
if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
return 1
fi
;;
# and now the flags
verify) ;;
loud) ;;
quiet) ;;
initramfs) ;;
noearly) ;;
noauto) ;;
readonly) ;;
discard) ;;
plain) ;;
luks) ;;
swap) ;;
tcrypt) ;;
veracrypt) ;;
tcrypthidden) ;;
bitlk) ;;
*)
if [ "${quiet:-n}" = "n" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: ignoring unknown option '$o'";
fi
unset -v OPTION
;;
esac
}
# crypttab_resolve_source()
# Resolve the CRYPTTAB_SOURCE variable, containing value of the second
# field of a crypttab(5)-like file.
# On error (non-existing source), CRYPTTAB_SOURCE is not changed and 1
# is returned.
crypttab_resolve_source() {
# return immediately if source is a regular file
[ ! -f "$CRYPTTAB_SOURCE" ] || return 0
# otherwise resolve the block device specification
local dev="$CRYPTTAB_SOURCE"
dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1
}
# run_keyscript($keyscriptarg, $tried_count)
# exec()'ute `$CRYPTTAB_OPTION_keyscript $keyscriptarg`.
# If $CRYPTTAB_OPTION_keyscript is unset or null and $keyscriptarg is
# "none" (meaning the passphrase is to be read interactively from the
# console), use `/lib/cryptsetup/askpass` as keyscript with a suitable
# prompt message.
# Since the shell process is replaced with the $CRYPTTAB_OPTION_keyscript
# program, run_keyscript() must be used on the left-hand side of a
# pipe, or similar.
run_keyscript() {
local keyscriptarg="$1" CRYPTTAB_TRIED="$2" keyscript;
export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_OPTIONS
export CRYPTTAB_TRIED
if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] && \
[ "$CRYPTTAB_OPTION_keyscript" != "/lib/cryptsetup/askpass" ]; then
# 'keyscript' option is present: export its argument as
# $CRYPTTAB_KEY
export CRYPTTAB_KEY="$keyscriptarg"
keyscript="$CRYPTTAB_OPTION_keyscript"
elif [ "$keyscriptarg" = none ]; then
# don't export the prompt message as CRYPTTAB_KEY
keyscript="/lib/cryptsetup/askpass"
keyscriptarg="Please unlock disk $CRYPTTAB_NAME: "
fi
exec "$keyscript" "$keyscriptarg"
}
# _get_crypt_type()
# Set CRYPTTAB_TYPE to the mapping type, depending on its
# $CRYPTTAB_OPTION_<option> values
# Return a non-zero status if the mapping couldn't be determined
_get_crypt_type() {
local s="$CRYPTTAB_SOURCE" t="" blk_t
if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then
t="luks"
elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
t="tcrypt"
elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then
t="plain"
elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then
t="bitlk"
elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
# detached headers are only supported for LUKS devices
if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then
t="luks"
fi
elif [ -f "$s" ] || s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then
if /sbin/cryptsetup isLuks -- "$s"; then
t="luks"
elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then
t="bitlk"
fi
fi
[ -n "$t" ] || return 1
CRYPTTAB_TYPE="$t"
}
# unlock_mapping([$keyfile])
# Run cryptsetup(8) with suitable options and arguments to unlock
# $CRYPTTAB_SOURCE and setup dm-crypt managed device-mapper mapping
# $CRYPTTAB_NAME.
unlock_mapping() {
local keyfile="${1:--}"
if [ "$CRYPTTAB_TYPE" = "luks" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
# ignored for LUKS and TCRYPT devices
unset -v CRYPTTAB_OPTION_cipher \
CRYPTTAB_OPTION_size \
CRYPTTAB_OPTION_hash \
CRYPTTAB_OPTION_offset \
CRYPTTAB_OPTION_skip
fi
if [ "$CRYPTTAB_TYPE" = "plain" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
unset -v CRYPTTAB_OPTION_keyfile_size
fi
if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
# ignored for TCRYPT devices
unset -v CRYPTTAB_OPTION_keyfile_offset
else
# ignored for non-TCRYPT devices
unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden
fi
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
# ignored for non-LUKS devices
unset -v CRYPTTAB_OPTION_keyslot
fi
/sbin/cryptsetup -T1 \
${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \
${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \
${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \
${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \
${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \
${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \
${CRYPTTAB_OPTION_verify:+--verify-passphrase} \
${CRYPTTAB_OPTION_readonly:+--readonly} \
${CRYPTTAB_OPTION_discard:+--allow-discards} \
${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \
${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \
${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
--type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME"
}
# resume_mapping([$keyfile])
# Run cryptsetup(8) with suitable options and arguments to resume
# $CRYPTTAB_NAME.
resume_mapping() {
local keyfile="${1:--}"
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: unable to resume non-luks device"
return 1
fi
/sbin/cryptsetup -T1 \
${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
--type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
luksResume "$CRYPTTAB_NAME"
}
# resume_device($device)
# Resume $device with endless retries. Used by cryptsetup-suspend-wrapper.
resume_device() {
local device="$1"
# check if device is really suspended
if dmsetup info -c --noheadings -o suspended -- "$device" 2>/dev/null | grep -Fxq "Active"; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: device was not suspendend"
sleep 5
return 1
fi
crypttab_find_entry "$device"
crypttab_parse_options --quiet
_get_crypt_type
# Loop endlessly until the resume command succeeded
while true; do
if [ "$CRYPTTAB_KEY" != "none" ]; then
resume_mapping "$CRYPTTAB_KEY" && break || true
else
run_keyscript "$CRYPTTAB_KEY" 1 | resume_mapping && break || true
fi
done
}
# crypttab_key_check()
# Sanity checks for keyfile $CRYPTTAB_KEY. CRYPTTAB_NAME and
# CRYPTTAB_OPTION_<option> must be set appropriately.
crypttab_key_check() {
if [ ! -f "$CRYPTTAB_KEY" ] && [ ! -b "$CRYPTTAB_KEY" ] && [ ! -c "$CRYPTTAB_KEY" ] ; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: keyfile '$CRYPTTAB_KEY' not found"
return 0
fi
if [ "$CRYPTTAB_KEY" = "/dev/random" ] || [ "$CRYPTTAB_KEY" = "/dev/urandom" ]; then
if [ -n "${CRYPTTAB_OPTION_luks+x}" ] || [ -n "${CRYPTTAB_OPTION_tcrypt+x}" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: has random data as key"
return 1
else
return 0
fi
fi
local mode="$(stat -L -c"%04a" -- "$CRYPTTAB_KEY")"
if [ $(stat -L -c"%u" -- "$CRYPTTAB_KEY") -ne 0 ] || [ "${mode%00}" = "$mode" ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: key file $CRYPTTAB_KEY has" \
"insecure ownership, see /usr/share/doc/cryptsetup/README.Debian.gz."
fi
}
# _resolve_device_spec($spec)
# Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and
# PARTLABEL=<partlabel> to a block special device. If $spec is
# already a (link to a block special device) then it is echoed as is.
# Return 1 if $spec doesn't correspond to a block special device.
_resolve_device_spec() {
local spec="$1"
case "$spec" in
UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*)
# don't use /dev/disk/by-label/... to avoid gessing udev mangling
spec="$(blkid -l -t "$spec" -o device)" || spec=
;;
esac
[ -b "$spec" ] && printf '%s\n' "$spec" || return 1
}
# dm_blkdevname($name)
# Print the mapped device name, or return 1 if the the device doesn't exist.
dm_blkdevname() {
local name="$1" dev
# /dev/mapper/$name isn't reliable due to udev mangling
if dev="$(dmsetup info -c --noheadings -o blkdevname -- "$name" 2>/dev/null)" &&
[ -n "$dev" ] && [ -b "/dev/$dev" ]; then
echo "/dev/$dev"
return 0
else
return 1
fi
}
# dm_active_crypt_devices()
# Print list of active dm-crypt devices.
dm_active_crypt_devices() {
# XXX: that's not robust wrt udev mangling of special characters such as blank or colons
dmsetup table --target crypt | sed -n 's/:.*//p'
}
# crypttab_find_entry([--quiet], $target)
# Search in the crypttab(5) for the given $target, and sets the
# variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and
# CRYPTTAB_OPTIONS accordingly. (In addition _CRYPTTAB_NAME,
# _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the
# unmangled values before decoding the escape sequence.) If there are
# duplicates then only the first match is considered.
# Return 0 if a match is found, and 1 otherwise.
crypttab_find_entry() {
local target="$1" quiet="n" IFS
if [ "$target" = "--quiet" ] && [ $# -eq 2 ]; then
quiet="y"
target="$2"
fi
if [ -f "$TABFILE" ]; then
while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do
if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
# ignore comments and empty lines
continue
fi
# unmangle names
CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
continue
elif [ "$CRYPTTAB_NAME" = "$target" ]; then
CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
return 0
fi
done <"$TABFILE"
fi
if [ "$quiet" = "n" ]; then
cryptsetup_message "WARNING: target '$target' not found in $TABFILE"
fi
return 1
}
# crypttab_foreach_entry($callback)
# Iterate through the crypttab(5) and run the given $callback for each
# entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY
# and CRYPTTAB_OPTIONS are set accordingly and available to the
# $callback. (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE,
# _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values
# before decoding the escape sequence.)
# Return 0 if a match is found, and 1 otherwise.
crypttab_foreach_entry() {
local callback="$1" IFS
local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS \
CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
[ -f "$TABFILE" ] || return
while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS <&9; do
if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
# ignore comments and empty lines
continue
fi
# unmangle names
CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
continue
fi
CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
"$callback" 9<&-
done 9<"$TABFILE"
}
# _device_uuid($device)
# Print the UUID attribute of given block special $device. Return 0
# on success, 1 on error.
_device_uuid() {
local device="$1" uuid
if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then
printf '%s\n' "$uuid"
else
return 1
fi
}
# _resolve_device({$device | $spec})
# Take a path to (or spec for) a block special device, and set DEV to
# the (symlink to block) device, and MAJ (resp. MIN) to its major-ID
# (resp. minor ID) decimal value. On error these variables are not
# changed and 1 is returned.
_resolve_device() {
local spec="$1" dev devno maj min
if dev="$(_resolve_device_spec "$spec")" &&
devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" &&
maj="${devno%:*}" && min="${devno#*:}" &&
[ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then
DEV="$dev"
MAJ="$maj"
MIN="$min"
return 0
else
cryptsetup_message "ERROR: Couldn't resolve device $spec"
fi
return 1
}
# get_mnt_devno($mountpoint)
# Print the major:minor device ID(s) holding the file system currently
# mounted currenty mounted on $mountpoint.
# Return 0 on success, 1 on error (if $mountpoint is not a mountpoint).
get_mnt_devno() {
local wantmount="$1" devnos="" uuid dev IFS
local spec mountpoint fstype _ DEV MAJ MIN
while IFS=" " read -r spec mountpoint fstype _; do
# treat lines starting with '#' as comments; /proc/mounts
# doesn't seem to contain these but per procfs(5) the format of
# that file is analogous to fstab(5)'s
if [ "${spec#\#}" = "$spec" ] && [ -n "$spec" ] &&
[ "$(printf '%b' "$mountpoint")" = "$wantmount" ]; then
# take the last mountpoint if used several times (shadowed)
unset -v devnos
spec="$(printf '%b' "$spec")"
_resolve_device "$spec" || continue # _resolve_device() already warns on error
fstype="$(printf '%b' "$fstype")"
if [ "$fstype" = "btrfs" ]; then
# btrfs can span over multiple devices
if uuid="$(_device_uuid "$DEV")"; then
for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do
devnos="${devnos:+$devnos }$(cat "$dev")"
done
else
cryptsetup_message "ERROR: $spec: Couldn't determine UUID"
fi
elif [ -n "$fstype" ]; then
devnos="$MAJ:$MIN"
fi
fi
done </proc/mounts
if [ -z "${devnos:+x}" ]; then
return 1 # not found
else
printf '%s' "$devnos"
fi
}
# foreach_cryptdev($callback, $maj:$min, [$maj:$min ..])
# Run $callback on the (unmangled) name of each dm-crypt device
# recursively holding $maj:$min (typically corresponding to an md,
# linear, or dm-crypt device). Slaves that aren't dm-crypt devices
# are ignored.
foreach_cryptdev() {
local callback="$1" devno base
shift
for devno in "$@"; do
base="/sys/dev/block/$devno"
if [ ! -d "$base" ]; then
cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno"
return 1
fi
_foreach_cryptdev "$callback" "$base"
done
}
_foreach_cryptdev() {
local callback="$1" d="$2" devno maj min name slave
[ -d "$d/slaves" ] || return 0
if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
maj="${devno%:*}" && min="${devno#*:}" &&
[ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
[ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] &&
name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
"$callback" "$name"
fi
for slave in "$d/slaves"/*; do
if [ -d "$slave" ] && slave="$(realpath -e -- "$slave")"; then
_foreach_cryptdev "$callback" "$slave"
fi
done
}
# vim: set filetype=sh :
|