summaryrefslogtreecommitdiffstats
path: root/debian/functions
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:04:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:04:29 +0000
commit409ea80402885dd937c6c37e4648d2afb7500414 (patch)
treeaf4ae653b1affe4e7190dd3854b2e2b029d71a36 /debian/functions
parentAdding upstream version 2:2.6.1. (diff)
downloadcryptsetup-409ea80402885dd937c6c37e4648d2afb7500414.tar.xz
cryptsetup-409ea80402885dd937c6c37e4648d2afb7500414.zip
Adding debian version 2:2.6.1-6.debian/2%2.6.1-6
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/functions686
1 files changed, 686 insertions, 0 deletions
diff --git a/debian/functions b/debian/functions
new file mode 100644
index 0000000..917abad
--- /dev/null
+++ b/debian/functions
@@ -0,0 +1,686 @@
+if [ "${0#/usr/share/initramfs-tools/hooks/}" != "$0" ] ||
+ [ "${0#/etc/initramfs-tools/hooks/}" != "$0" ]; then
+ # called from an initramfs-tools hook script
+ TABFILE="$DESTDIR/cryptroot/crypttab"
+elif [ "${0#/scripts/}" != "$0" ]; then
+ # called at initramfs stage from a boot script
+ TABFILE="/cryptroot/crypttab"
+ CRYPTROOT_COUNT_FILE="/run/cryptroot.initrd.cnt"
+else
+ TABFILE="${TABFILE-/etc/crypttab}"
+fi
+export DM_DEFAULT_NAME_MANGLING_MODE=hex # for dmsetup(8)
+
+# Logging helpers. Send the argument list to plymouth(1), or fold it
+# and print it to the standard error.
+cryptsetup_message() {
+ local IFS=' '
+ if [ "${0#/scripts/}" != "$0" ] && [ -x /bin/plymouth ] && plymouth --ping; then
+ plymouth message --text="cryptsetup: $*"
+ elif [ ${#*} -lt 70 ]; then
+ echo "cryptsetup: $*" >&2
+ else
+ # use busybox's fold(1) and sed(1) at initramfs stage
+ echo "cryptsetup: $*" | fold -s | sed '1! s/^/ /' >&2
+ fi
+ return 0
+}
+
+# crypttab_parse_options([--export], [--quiet], [--missing-path={ignore|warn|fail}])
+# Parse $_CRYPTTAB_OPTIONS, a comma-separated option string from the
+# crypttab(5) 4th column, and sets corresponding variables
+# CRYPTTAB_OPTION_<option>=<value> (which are added to the environment
+# if --export is set). If --path-exists isn't set to "ignore" (the
+# default), then options taking a file name, such as header=<path>,
+# need to point to an existing path, otherwise a warning is printed;
+# and an error is raised if the value is set to "fail".
+# For error and warning messages, CRYPTTAB_NAME, (resp. CRYPTTAB_KEY)
+# should be set to the (unmangled) mapped device name (resp. key
+# file).
+# Moreover CRYPTTAB_TYPE is set the device type.
+# Return 1 on parsing error, 0 otherwise (incl. if unknown options
+# were encountered).
+crypttab_parse_options() {
+ local quiet="n" export="n" missing_path="ignore"
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ --quiet) quiet="y";;
+ --export) export="y";;
+ --missing-path=*) missing_path="${1#--missing-path=}";;
+ *) cryptsetup_message "WARNING: crypttab_parse_options(): unknown option $1"
+ esac
+ shift
+ done
+
+ local IFS=',' x OPTION VALUE
+ CRYPTTAB_TYPE=""
+ unset -v CRYPTTAB_OPTION_cipher \
+ CRYPTTAB_OPTION_size \
+ CRYPTTAB_OPTION_sector_size \
+ CRYPTTAB_OPTION_hash \
+ CRYPTTAB_OPTION_offset \
+ CRYPTTAB_OPTION_skip \
+ CRYPTTAB_OPTION_verify \
+ CRYPTTAB_OPTION_readonly \
+ CRYPTTAB_OPTION_discard \
+ CRYPTTAB_OPTION_plain \
+ CRYPTTAB_OPTION_luks \
+ CRYPTTAB_OPTION_tcrypt \
+ CRYPTTAB_OPTION_veracrypt \
+ CRYPTTAB_OPTION_bitlk \
+ CRYPTTAB_OPTION_fvault2 \
+ CRYPTTAB_OPTION_swap \
+ CRYPTTAB_OPTION_tmp \
+ CRYPTTAB_OPTION_check \
+ CRYPTTAB_OPTION_checkargs \
+ CRYPTTAB_OPTION_tries \
+ CRYPTTAB_OPTION_initramfs \
+ CRYPTTAB_OPTION_noearly \
+ CRYPTTAB_OPTION_noauto \
+ CRYPTTAB_OPTION_loud \
+ CRYPTTAB_OPTION_quiet \
+ CRYPTTAB_OPTION_keyscript \
+ CRYPTTAB_OPTION_keyslot \
+ CRYPTTAB_OPTION_header \
+ CRYPTTAB_OPTION_tcrypthidden \
+ CRYPTTAB_OPTION_same_cpu_crypt \
+ CRYPTTAB_OPTION_submit_from_crypt_cpus \
+ CRYPTTAB_OPTION_no_read_workqueue \
+ CRYPTTAB_OPTION_no_write_workqueue
+ # use $_CRYPTTAB_OPTIONS not $CRYPTTAB_OPTIONS as options values may
+ # contain '\054' which is decoded to ',' in the latter
+ for x in $_CRYPTTAB_OPTIONS; do
+ OPTION="${x%%=*}"
+ VALUE="${x#*=}"
+ if [ "$x" = "$OPTION" ]; then
+ unset -v VALUE
+ else
+ VALUE="$(printf '%b' "$VALUE")"
+ fi
+ if ! crypttab_validate_option; then
+ if [ "$quiet" = "n" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: invalid value for '${x%%=*}' option, skipping"
+ fi
+ return 1
+ elif [ -z "${OPTION+x}" ]; then
+ continue
+ fi
+ if [ "$export" = "y" ]; then
+ export "CRYPTTAB_OPTION_$OPTION"="${VALUE-yes}"
+ else
+ eval "CRYPTTAB_OPTION_$OPTION"='${VALUE-yes}'
+ fi
+ done
+ IFS=" "
+
+ if ! _get_crypt_type; then # set CRYPTTAB_TYPE to the type of crypt device
+ CRYPTTAB_TYPE="plain"
+ if [ "$quiet" = "n" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: couldn't determine device type," \
+ "assuming default ($CRYPTTAB_TYPE)."
+ fi
+ fi
+
+ if [ "$quiet" = "n" ] && [ -n "${CRYPTTAB_OPTION_header+x}" ] && [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: Headers are only supported for LUKS devices."
+ fi
+ if [ "$CRYPTTAB_TYPE" = "plain" ]; then
+ # the compiled-in default for these are subject to change
+ options='cipher size'
+ if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] || [ "$CRYPTTAB_KEY" = "none" ]; then
+ options="$options hash" # --hash is being ignored in plain mode with keyfile specified
+ fi
+ for o in $options; do
+ if [ "$quiet" = "n" ] && eval [ -z "\${CRYPTTAB_OPTION_$o+x}" ]; then
+ cryptsetup_message "WARNING: Option '$o' missing in crypttab for plain dm-crypt" \
+ "mapping $CRYPTTAB_NAME. Please read /usr/share/doc/cryptsetup-initramfs/README.initramfs.gz and" \
+ "add the correct '$o' option to your crypttab(5)."
+ fi
+ done
+ fi
+}
+
+# crypttab_validate_option()
+# Validate $OPTION=$VALUE (or flag $OPTION if VALUE is unset). return
+# 1 on error, unsets OPTION for unknown or useless options.
+crypttab_validate_option() {
+ # option aliases
+ case "$OPTION" in
+ read-only) OPTION="readonly";;
+ key-slot) OPTION="keyslot";;
+ tcrypt-hidden) OPTION="tcrypthidden";;
+ tcrypt-veracrypt) OPTION="veracrypt";;
+ esac
+
+ # sanitize the option name so CRYPTTAB_OPTION_$OPTION is a valid variable name
+ local o="$OPTION"
+ case "$o" in
+ keyfile-offset) OPTION="keyfile_offset";;
+ keyfile-size) OPTION="keyfile_size";;
+ sector-size) OPTION="sector_size";;
+ same-cpu-crypt) OPTION="same_cpu_crypt";;
+ submit-from-crypt-cpus) OPTION="submit_from_crypt_cpus";;
+ no-read-workqueue) OPTION="no_read_workqueue";;
+ no-write-workqueue) OPTION="no_write_workqueue";;
+ esac
+
+ case "$o" in
+ # value must be a non-empty string
+ cipher|hash)
+ [ -n "${VALUE:+x}" ] || return 1
+ ;;
+ # value must be a non-empty string, and an existing path if --missing-path is set
+ header)
+ [ -n "${VALUE:+x}" ] || return 1
+ if [ "$missing_path" != "ignore" ]; then
+ if [ ! -e "$VALUE" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: $VALUE does not exist";
+ [ "$missing_path" = "warn" ] || return 1
+ fi
+ fi
+ ;;
+ # numeric options >0
+ size|keyfile-size|sector-size)
+ if ! printf '%s' "${VALUE-}" | grep -Exq "0*[1-9][0-9]*"; then
+ return 1
+ fi
+ ;;
+ # numeric options >=0
+ offset|skip|tries|keyslot|keyfile-offset)
+ if ! printf '%s' "${VALUE-}" | grep -Exq "[0-9]+"; then
+ return 1
+ fi
+ ;;
+ tmp)
+ if [ -z "${VALUE+x}" ]; then
+ VALUE="ext4" # 'tmp flag'
+ elif [ -z "$VALUE" ]; then
+ return 1
+ fi
+ ;;
+ check)
+ if [ -z "${VALUE+x}" ]; then
+ if [ -n "${CRYPTDISKS_CHECK-}" ]; then
+ VALUE="$CRYPTDISKS_CHECK"
+ else
+ unset -v OPTION
+ return 0
+ fi
+ fi
+ if [ "${VALUE#/}" = "$VALUE" ]; then
+ VALUE="/lib/cryptsetup/checks/$VALUE"
+ fi
+ if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
+ return 1
+ fi
+ ;;
+ checkargs)
+ [ -n "${VALUE+x}" ] || return 1 # must have a value (possibly empty)
+ ;;
+ keyscript)
+ [ -n "${VALUE:+x}" ] || return 1 # must have a value
+ if [ "${VALUE#/}" = "$VALUE" ]; then
+ VALUE="/lib/cryptsetup/scripts/$VALUE"
+ fi
+ if [ ! -x "$VALUE" ] || [ ! -f "$VALUE" ]; then
+ return 1
+ fi
+ ;;
+ # and now the flags
+ verify) ;;
+ loud) ;;
+ quiet) ;;
+ initramfs) ;;
+ noearly) ;;
+ noauto) ;;
+ readonly) ;;
+ discard) ;;
+ plain) ;;
+ luks) ;;
+ swap) ;;
+ tcrypt) ;;
+ veracrypt) ;;
+ tcrypthidden) ;;
+ bitlk) ;;
+ fvault2) ;;
+ same-cpu-crypt) ;;
+ submit-from-crypt-cpus) ;;
+ no-read-workqueue) ;;
+ no-write-workqueue) ;;
+ *)
+ if [ "${quiet:-n}" = "n" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: ignoring unknown option '$o'";
+ fi
+ unset -v OPTION
+ ;;
+ esac
+}
+
+# crypttab_resolve_source()
+# Resolve the CRYPTTAB_SOURCE variable, containing value of the second
+# field of a crypttab(5)-like file.
+# On error (non-existing source), CRYPTTAB_SOURCE is not changed and 1
+# is returned.
+crypttab_resolve_source() {
+ # return immediately if source is a regular file
+ [ ! -f "$CRYPTTAB_SOURCE" ] || return 0
+ # otherwise resolve the block device specification
+ local dev="$CRYPTTAB_SOURCE"
+ dev="$(_resolve_device_spec "$dev")" && CRYPTTAB_SOURCE="$dev" || return 1
+}
+
+# run_keyscript($tried_count)
+# exec()'ute `$CRYPTTAB_OPTION_keyscript "$CRYPTTAB_KEY"`.
+# If $CRYPTTAB_OPTION_keyscript is unset or null and $CRYPTTAB_KEY is
+# "none" (meaning the passphrase is to be read interactively from the
+# console), then use `/lib/cryptsetup/askpass` as keyscript with a
+# suitable prompt message instead.
+# Since the shell process is replaced with the $CRYPTTAB_OPTION_keyscript
+# program, run_keyscript() must be used on the left-hand side of a
+# pipe, or similar.
+run_keyscript() {
+ local keyscript keyscriptarg="$CRYPTTAB_KEY"
+ export CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_OPTIONS
+ export _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_OPTIONS
+ export CRYPTTAB_TRIED="$1"
+
+ if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ] && \
+ [ "$CRYPTTAB_OPTION_keyscript" != "/lib/cryptsetup/askpass" ]; then
+ # 'keyscript' option is present: export its argument as $CRYPTTAB_KEY
+ export CRYPTTAB_KEY _CRYPTTAB_KEY
+ keyscript="$CRYPTTAB_OPTION_keyscript"
+ elif [ "$keyscriptarg" = "none" ]; then
+ # don't export the prompt message as CRYPTTAB_KEY
+ keyscript="/lib/cryptsetup/askpass"
+ keyscriptarg="Please unlock disk $CRYPTTAB_NAME: "
+ fi
+
+ exec "$keyscript" "$keyscriptarg"
+}
+
+# _get_crypt_type()
+# Set CRYPTTAB_TYPE to the mapping type, depending on its
+# $CRYPTTAB_OPTION_<option> values
+# Return a non-zero status if the mapping couldn't be determined
+_get_crypt_type() {
+ local s="$CRYPTTAB_SOURCE" t="" blk_t
+
+ if [ "${CRYPTTAB_OPTION_luks-}" = "yes" ]; then
+ t="luks"
+ elif [ "${CRYPTTAB_OPTION_tcrypt-}" = "yes" ]; then
+ t="tcrypt"
+ elif [ "${CRYPTTAB_OPTION_plain-}" = "yes" ]; then
+ t="plain"
+ elif [ "${CRYPTTAB_OPTION_bitlk-}" = "yes" ]; then
+ t="bitlk"
+ elif [ "${CRYPTTAB_OPTION_fvault2-}" = "yes" ]; then
+ t="fvault2"
+ elif [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
+ # detached headers are only supported for LUKS devices
+ if [ -e "$CRYPTTAB_OPTION_header" ] && /sbin/cryptsetup isLuks -- "$CRYPTTAB_OPTION_header"; then
+ t="luks"
+ fi
+ elif [ -f "$s" ] || s="$(_resolve_device_spec "$CRYPTTAB_SOURCE")"; then
+ if /sbin/cryptsetup isLuks -- "$s"; then
+ t="luks"
+ elif blk_t="$(blkid -s TYPE -o value -- "$s")" && [ "$blk_t" = "BitLocker" ]; then
+ t="bitlk"
+ fi
+ fi
+
+ [ -n "$t" ] || return 1
+ CRYPTTAB_TYPE="$t"
+}
+
+# unlock_mapping([$keyfile])
+# Run cryptsetup(8) with suitable options and arguments to unlock
+# $CRYPTTAB_SOURCE and setup dm-crypt managed device-mapper mapping
+# $CRYPTTAB_NAME.
+unlock_mapping() {
+ local keyfile="${1:--}"
+
+ if [ "$CRYPTTAB_TYPE" = "luks" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
+ # ignored for LUKS and TCRYPT devices
+ unset -v CRYPTTAB_OPTION_cipher \
+ CRYPTTAB_OPTION_size \
+ CRYPTTAB_OPTION_hash \
+ CRYPTTAB_OPTION_offset \
+ CRYPTTAB_OPTION_skip
+ fi
+ if [ "$CRYPTTAB_TYPE" = "plain" ] || [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
+ unset -v CRYPTTAB_OPTION_keyfile_size
+ fi
+ if [ "$CRYPTTAB_TYPE" = "tcrypt" ]; then
+ # ignored for TCRYPT devices
+ unset -v CRYPTTAB_OPTION_keyfile_offset
+ else
+ # ignored for non-TCRYPT devices
+ unset -v CRYPTTAB_OPTION_veracrypt CRYPTTAB_OPTION_tcrypthidden
+ fi
+
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ # ignored for non-LUKS devices
+ unset -v CRYPTTAB_OPTION_keyslot
+ fi
+
+ /sbin/cryptsetup -T1 \
+ ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
+ ${CRYPTTAB_OPTION_cipher:+--cipher="$CRYPTTAB_OPTION_cipher"} \
+ ${CRYPTTAB_OPTION_size:+--key-size="$CRYPTTAB_OPTION_size"} \
+ ${CRYPTTAB_OPTION_sector_size:+--sector-size="$CRYPTTAB_OPTION_sector_size"} \
+ ${CRYPTTAB_OPTION_hash:+--hash="$CRYPTTAB_OPTION_hash"} \
+ ${CRYPTTAB_OPTION_offset:+--offset="$CRYPTTAB_OPTION_offset"} \
+ ${CRYPTTAB_OPTION_skip:+--skip="$CRYPTTAB_OPTION_skip"} \
+ ${CRYPTTAB_OPTION_verify:+--verify-passphrase} \
+ ${CRYPTTAB_OPTION_readonly:+--readonly} \
+ ${CRYPTTAB_OPTION_discard:+--allow-discards} \
+ ${CRYPTTAB_OPTION_veracrypt:+--veracrypt} \
+ ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
+ ${CRYPTTAB_OPTION_tcrypthidden:+--tcrypt-hidden} \
+ ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
+ ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
+ ${CRYPTTAB_OPTION_same_cpu_crypt:+--perf-same_cpu_crypt} \
+ ${CRYPTTAB_OPTION_submit_from_crypt_cpus:+--perf-submit_from_crypt_cpus} \
+ ${CRYPTTAB_OPTION_no_read_workqueue:+--perf-no_read_workqueue} \
+ ${CRYPTTAB_OPTION_no_write_workqueue:+--perf-no_write_workqueue} \
+ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
+ open -- "$CRYPTTAB_SOURCE" "$CRYPTTAB_NAME"
+}
+
+# resume_mapping([$keyfile])
+# Run cryptsetup(8) with suitable options and arguments to resume
+# $CRYPTTAB_NAME.
+resume_mapping() {
+ local keyfile="${1:--}"
+
+ /sbin/cryptsetup -T1 \
+ ${CRYPTTAB_OPTION_header:+--header="$CRYPTTAB_OPTION_header"} \
+ ${CRYPTTAB_OPTION_keyslot:+--key-slot="$CRYPTTAB_OPTION_keyslot"} \
+ ${CRYPTTAB_OPTION_keyfile_size:+--keyfile-size="$CRYPTTAB_OPTION_keyfile_size"} \
+ ${CRYPTTAB_OPTION_keyfile_offset:+--keyfile-offset="$CRYPTTAB_OPTION_keyfile_offset"} \
+ --type="$CRYPTTAB_TYPE" --key-file="$keyfile" \
+ luksResume "$CRYPTTAB_NAME"
+}
+
+# resume_device($device)
+# Resume $device with endless retries. Used by cryptsetup-suspend-wrapper.
+resume_device() {
+ local device="$1"
+ # check if device is really suspended
+ if [ "$(dmsetup info -c --noheadings -o suspended -- "$device" 2>/dev/null)" != "Suspended" ]; then
+ cryptsetup_message "ERROR: $device: device was not suspendend"
+ return 1
+ fi
+
+ if ! crypttab_find_entry "$device" || ! crypttab_parse_options --quiet; then
+ cryptsetup_message "ERROR: $device: not found in $TABFILE"
+ return 1
+ fi
+
+ if [ "$CRYPTTAB_TYPE" != "luks" ]; then
+ cryptsetup_message "ERROR: $CRYPTTAB_NAME: unable to resume non-LUKS device"
+ return 1
+ fi
+
+ # Loop endlessly until the resume command succeeded
+ while true; do
+ if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+ resume_mapping "$CRYPTTAB_KEY" && break || true
+ else
+ run_keyscript 1 | resume_mapping && break || true
+ fi
+ done
+}
+
+# crypttab_key_check()
+# Sanity checks for keyfile $CRYPTTAB_KEY. CRYPTTAB_NAME and
+# CRYPTTAB_OPTION_<option> must be set appropriately.
+crypttab_key_check() {
+ if [ ! -f "$CRYPTTAB_KEY" ] && [ ! -b "$CRYPTTAB_KEY" ] && [ ! -c "$CRYPTTAB_KEY" ] ; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: keyfile '$CRYPTTAB_KEY' not found"
+ return 0
+ fi
+
+ if [ "$CRYPTTAB_KEY" = "/dev/random" ] || [ "$CRYPTTAB_KEY" = "/dev/urandom" ]; then
+ if [ -n "${CRYPTTAB_OPTION_luks+x}" ] || [ -n "${CRYPTTAB_OPTION_tcrypt+x}" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: has random data as key"
+ return 1
+ else
+ return 0
+ fi
+ fi
+
+ local mode="$(stat -L -c"%04a" -- "$CRYPTTAB_KEY")"
+ if [ $(stat -L -c"%u" -- "$CRYPTTAB_KEY") -ne 0 ] || [ "${mode%00}" = "$mode" ]; then
+ cryptsetup_message "WARNING: $CRYPTTAB_NAME: key file $CRYPTTAB_KEY has" \
+ "insecure ownership, see /usr/share/doc/cryptsetup/README.Debian.gz."
+ fi
+}
+
+# _resolve_device_spec($spec)
+# Resolve LABEL=<label>, UUID=<uuid>, PARTUUID=<partuuid> and
+# PARTLABEL=<partlabel> to a block special device. If $spec is
+# already a (link to a block special device) then it is echoed as is.
+# Return 1 if $spec doesn't correspond to a block special device.
+_resolve_device_spec() {
+ local spec="$1"
+ case "$spec" in
+ UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*)
+ # don't use /dev/disk/by-label/... to avoid gessing udev mangling
+ spec="$(blkid -l -t "$spec" -o device)" || spec=
+ ;;
+ esac
+ [ -b "$spec" ] && printf '%s\n' "$spec" || return 1
+}
+
+# dm_blkdevname($name)
+# Print the mapped device name, or return 1 if the the device doesn't exist.
+dm_blkdevname() {
+ local name="$1" dev
+ # /dev/mapper/$name isn't reliable due to udev mangling
+ if dev="$(dmsetup info -c --noheadings -o blkdevname -- "$name" 2>/dev/null)" &&
+ [ -n "$dev" ] && [ -b "/dev/$dev" ]; then
+ echo "/dev/$dev"
+ return 0
+ else
+ return 1
+ fi
+}
+
+# crypttab_find_entry([--quiet], $target)
+# Search in the crypttab(5) for the given $target, and sets the
+# variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY and
+# CRYPTTAB_OPTIONS accordingly. (In addition _CRYPTTAB_NAME,
+# _CRYPTTAB_SOURCE, _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the
+# unmangled values before decoding the escape sequence.) If there are
+# duplicates then only the first match is considered.
+# Return 0 if a match is found, and 1 otherwise.
+crypttab_find_entry() {
+ local target="$1" quiet="n" IFS
+ if [ "$target" = "--quiet" ] && [ $# -eq 2 ]; then
+ quiet="y"
+ target="$2"
+ fi
+
+ if [ -f "$TABFILE" ]; then
+ while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS; do
+ if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
+ # ignore comments and empty lines
+ continue
+ fi
+
+ # unmangle names
+ CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
+ if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
+ cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
+ continue
+ elif [ "$CRYPTTAB_NAME" = "$target" ]; then
+ CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
+ CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
+ CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
+ return 0
+ fi
+ done <"$TABFILE"
+ fi
+
+ if [ "$quiet" = "n" ]; then
+ cryptsetup_message "WARNING: target '$target' not found in $TABFILE"
+ fi
+ return 1
+}
+
+# crypttab_foreach_entry($callback)
+# Iterate through the crypttab(5) and run the given $callback for each
+# entry found. Variables CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY
+# and CRYPTTAB_OPTIONS are set accordingly and available to the
+# $callback. (In addition _CRYPTTAB_NAME, _CRYPTTAB_SOURCE,
+# _CRYPTTAB_KEY and _CRYPTTAB_OPTIONS are set to the original values
+# before decoding the escape sequence.)
+# Return 0 if a match is found, and 1 otherwise.
+crypttab_foreach_entry() {
+ local callback="$1" IFS
+ local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS \
+ CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS
+
+ [ -f "$TABFILE" ] || return
+ while IFS=" " read -r _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS <&9; do
+ if [ "${_CRYPTTAB_NAME#\#}" != "$_CRYPTTAB_NAME" ] || [ -z "$_CRYPTTAB_NAME" ]; then
+ # ignore comments and empty lines
+ continue
+ fi
+
+ # unmangle names
+ CRYPTTAB_NAME="$(printf '%b' "$_CRYPTTAB_NAME")"
+
+ if [ -z "$_CRYPTTAB_SOURCE" ] || [ -z "$_CRYPTTAB_KEY" ]; then
+ cryptsetup_message "WARNING: '$CRYPTTAB_NAME' is missing some arguments, see crypttab(5)"
+ continue
+ fi
+
+ CRYPTTAB_SOURCE="$( printf '%b' "$_CRYPTTAB_SOURCE" )"
+ CRYPTTAB_KEY="$( printf '%b' "$_CRYPTTAB_KEY" )"
+ CRYPTTAB_OPTIONS="$(printf '%b' "$_CRYPTTAB_OPTIONS")"
+
+ "$callback" 9<&-
+ done 9<"$TABFILE"
+}
+
+# _device_uuid($device)
+# Print the UUID attribute of given block special $device. Return 0
+# on success, 1 on error.
+_device_uuid() {
+ local device="$1" uuid
+ if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then
+ printf '%s\n' "$uuid"
+ else
+ return 1
+ fi
+}
+
+# _resolve_device({$device | $spec})
+# Take a path to (or spec for) a block special device, and set DEV to
+# the (symlink to block) device, and MAJ (resp. MIN) to its major-ID
+# (resp. minor ID) decimal value. On error these variables are not
+# changed and 1 is returned.
+_resolve_device() {
+ local spec="$1" dev devno maj min
+ if dev="$(_resolve_device_spec "$spec")" &&
+ devno="$(stat -L -c"%t:%T" -- "$dev" 2>/dev/null)" &&
+ maj="${devno%:*}" && min="${devno#*:}" &&
+ [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
+ maj=$(( 0x$maj )) && min=$(( 0x$min )) && [ $maj -gt 0 ]; then
+ DEV="$dev"
+ MAJ="$maj"
+ MIN="$min"
+ return 0
+ else
+ cryptsetup_message "ERROR: Couldn't resolve device $spec"
+ fi
+ return 1
+}
+
+# get_mnt_devno($mountpoint)
+# Print the major:minor device ID(s) holding the file system currently
+# mounted currenty mounted on $mountpoint.
+# Return 0 on success, 1 on error (if $mountpoint is not a mountpoint).
+get_mnt_devno() {
+ local wantmount="$1" devnos="" uuid dev IFS
+ local spec mountpoint fstype _ DEV MAJ MIN
+
+ while IFS=" " read -r spec mountpoint fstype _; do
+ # treat lines starting with '#' as comments; /proc/mounts
+ # doesn't seem to contain these but per procfs(5) the format of
+ # that file is analogous to fstab(5)'s
+ if [ "${spec#\#}" = "$spec" ] && [ -n "$spec" ] &&
+ [ "$(printf '%b' "$mountpoint")" = "$wantmount" ]; then
+ # take the last mountpoint if used several times (shadowed)
+ unset -v devnos
+ spec="$(printf '%b' "$spec")"
+ _resolve_device "$spec" || continue # _resolve_device() already warns on error
+ fstype="$(printf '%b' "$fstype")"
+ if [ "$fstype" = "btrfs" ]; then
+ # btrfs can span over multiple devices
+ if uuid="$(_device_uuid "$DEV")"; then
+ for dev in "/sys/fs/$fstype/$uuid/devices"/*/dev; do
+ devnos="${devnos:+$devnos }$(cat "$dev")"
+ done
+ else
+ cryptsetup_message "ERROR: $spec: Couldn't determine UUID"
+ fi
+ elif [ -n "$fstype" ]; then
+ devnos="$MAJ:$MIN"
+ fi
+ fi
+ done </proc/mounts
+
+ if [ -z "${devnos:+x}" ]; then
+ return 1 # not found
+ else
+ printf '%s' "$devnos"
+ fi
+}
+
+# foreach_cryptdev([--reverse], $callback, $maj:$min, [$maj:$min ..])
+# Run $callback on the (unmangled) name of each dm-crypt device
+# recursively holding $maj:$min (typically corresponding to an md,
+# linear, or dm-crypt device). Slaves that aren't dm-crypt devices
+# are ignored.
+# By default each device is processed after its *slaves*. If
+# --reverse is set then each device is processed after its *holders*
+# instead.
+foreach_cryptdev() {
+ local callback="$1" reverse="n" devno base
+ shift
+ if [ "$callback" = "--reverse" ]; then
+ reverse="y"
+ callback="$1"
+ shift
+ fi
+ for devno in "$@"; do
+ base="/sys/dev/block/$devno"
+ if [ ! -d "$base" ]; then
+ cryptsetup_message "ERROR: Couldn't find sysfs directory for $devno"
+ return 1
+ fi
+ _foreach_cryptdev "$base"
+ done
+}
+_foreach_cryptdev() {
+ local d="$1" devno maj min name t d2
+ [ "$reverse" = "y" ] && t="holders" || t="slaves"
+ [ -d "$d/$t" ] || return 0
+ for d2 in "$d/$t"/*; do
+ if [ -d "$d2" ] && d2="$(realpath -e -- "$d2")"; then
+ _foreach_cryptdev "$d2"
+ fi
+ done
+ if [ -d "$d/dm" ] && devno="$(cat "$d/dev")" &&
+ maj="${devno%:*}" && min="${devno#*:}" &&
+ [ "$devno" = "$maj:$min" ] && [ -n "$maj" ] && [ -n "$min" ] &&
+ [ "$(dmsetup info -c --noheadings -o subsystem -j "$maj" -m "$min")" = "CRYPT" ] &&
+ name="$(dmsetup info -c --noheadings -o unmangled_name -j "$maj" -m "$min")"; then
+ "$callback" "$name"
+ fi
+}
+
+# vim: set filetype=sh :