summaryrefslogtreecommitdiffstats
path: root/modules.d/90crypt/cryptroot-ask.sh
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xmodules.d/90crypt/cryptroot-ask.sh207
1 files changed, 207 insertions, 0 deletions
diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh
new file mode 100755
index 0000000..b1f8df8
--- /dev/null
+++ b/modules.d/90crypt/cryptroot-ask.sh
@@ -0,0 +1,207 @@
+#!/bin/sh
+
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+NEWROOT=${NEWROOT:-"/sysroot"}
+
+# do not ask, if we already have root
+[ -f "$NEWROOT"/proc ] && exit 0
+
+. /lib/dracut-lib.sh
+
+mkdir -p -m 0700 /run/cryptsetup
+
+# if device name is /dev/dm-X, convert to /dev/mapper/name
+if [ "${1##/dev/dm-}" != "$1" ]; then
+ device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+else
+ device="$1"
+fi
+
+# default luksname - luks-UUID
+luksname=$2
+
+# is_keysource - ask for passphrase even if a rd.luks.key argument is set
+is_keysource=${3:-0}
+
+# number of tries
+numtries=${4:-10}
+
+# TODO: improve to support what cmdline does
+if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
+ while read -r name dev luksfile luksoptions || [ -n "$name" ]; do
+ # ignore blank lines and comments
+ if [ -z "$name" -o "${name#\#}" != "$name" ]; then
+ continue
+ fi
+
+ # PARTUUID used in crypttab
+ if [ "${dev%%=*}" = "PARTUUID" ]; then
+ if [ "luks-${dev##PARTUUID=}" = "$luksname" ]; then
+ luksname="$name"
+ break
+ fi
+
+ # UUID used in crypttab
+ elif [ "${dev%%=*}" = "UUID" ]; then
+ if [ "luks-${dev##UUID=}" = "$luksname" ]; then
+ luksname="$name"
+ break
+ fi
+
+ # ID used in crypttab
+ elif [ "${dev%%=*}" = "ID" ]; then
+ if [ "luks-${dev##ID=}" = "$luksname" ]; then
+ luksname="$name"
+ break
+ fi
+
+ # path used in crypttab
+ else
+ cdev=$(readlink -f "$dev")
+ mdev=$(readlink -f "$device")
+ if [ "$cdev" = "$mdev" ]; then
+ luksname="$name"
+ break
+ fi
+ fi
+ done < /etc/crypttab
+ unset name dev
+fi
+
+# check if destination already exists
+[ -b /dev/mapper/"$luksname" ] && exit 0
+
+# we already asked for this device
+asked_file=/tmp/cryptroot-asked-$luksname
+[ -f "$asked_file" ] && exit 0
+
+# load dm_crypt if it is not already loaded
+[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+
+. /lib/dracut-crypt-lib.sh
+
+#
+# Open LUKS device
+#
+
+info "luksOpen $device $luksname $luksfile $luksoptions"
+
+OLD_IFS="$IFS"
+IFS=,
+# shellcheck disable=SC2086
+set -- $luksoptions
+IFS="$OLD_IFS"
+
+while [ $# -gt 0 ]; do
+ case $1 in
+ noauto)
+ # skip this
+ exit 0
+ ;;
+ swap)
+ # skip this
+ exit 0
+ ;;
+ tmp)
+ # skip this
+ exit 0
+ ;;
+ allow-discards)
+ allowdiscards="--allow-discards"
+ ;;
+ header=*)
+ cryptsetupopts="${cryptsetupopts} --${1}"
+ ;;
+ esac
+ shift
+done
+
+# parse for allow-discards
+if strstr "$(cryptsetup --help)" "allow-discards"; then
+ if discarduuids=$(getargs "rd.luks.allow-discards"); then
+ discarduuids=$(str_replace "$discarduuids" 'luks-' '')
+ if strstr " $discarduuids " " ${luksdev##luks-}"; then
+ allowdiscards="--allow-discards"
+ fi
+ elif getargbool 0 rd.luks.allow-discards; then
+ allowdiscards="--allow-discards"
+ fi
+fi
+
+if strstr "$(cryptsetup --help)" "allow-discards"; then
+ cryptsetupopts="$cryptsetupopts $allowdiscards"
+fi
+
+unset allowdiscards
+
+# fallback to passphrase
+ask_passphrase=1
+
+if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
+ # shellcheck disable=SC2086
+ if readkey "$luksfile" / "$device" \
+ | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"; then
+ ask_passphrase=0
+ fi
+elif [ "$is_keysource" -ne 0 ]; then
+ info "Asking for passphrase because $device is a keysource."
+else
+ while [ -n "$(getarg rd.luks.key)" ]; do
+ if tmp=$(getkey /tmp/luks.keys "$device"); then
+ keydev="${tmp%%:*}"
+ keypath="${tmp#*:}"
+ else
+ if [ "$numtries" -eq 0 ]; then
+ warn "No key found for $device. Fallback to passphrase mode."
+ break
+ fi
+ sleep 1
+ info "No key found for $device. Will try $numtries time(s) more later."
+ initqueue --unique --onetime --settled \
+ --name cryptroot-ask-"$luksname" \
+ "$(command -v cryptroot-ask)" "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
+ exit 0
+ fi
+ unset tmp
+
+ info "Using '$keypath' on '$keydev'"
+ # shellcheck disable=SC2086
+ readkey "$keypath" "$keydev" "$device" \
+ | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
+ && ask_passphrase=0
+ unset keypath keydev
+ break
+ done
+fi
+
+if [ $ask_passphrase -ne 0 ]; then
+ luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
+ _timeout=$(getargs "rd.luks.timeout")
+ _timeout=${_timeout:-0}
+ ask_for_password --ply-tries 5 \
+ --ply-cmd "$luks_open -T1 $device $luksname" \
+ --ply-prompt "Password ($device)" \
+ --tty-tries 1 \
+ --tty-cmd "$luks_open -T5 -t $_timeout $device $luksname"
+ unset luks_open
+ unset _timeout
+fi
+
+if [ "$is_keysource" -ne 0 -a "${luksname##luks-}" != "$luksname" ]; then
+ luks_close="$(command -v cryptsetup) close"
+ {
+ printf -- '[ -e /dev/mapper/%s ] && ' "$luksname"
+ printf -- '%s "%s"\n' "$luks_close" "$luksname"
+ } >> "$hookdir/cleanup/31-crypt-keysource.sh"
+ unset luks_close
+fi
+
+unset device luksname luksfile
+
+# mark device as asked
+: >> "$asked_file"
+
+need_shutdown
+udevsettle
+
+exit 0