diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 08:06:26 +0000 |
commit | fd888e850cf413955483bfb993aeeea5ea611289 (patch) | |
tree | 6148fed3d1f30272c48403f4cdefa59c2b7e1513 /debian/initramfs/hooks | |
parent | Adding upstream version 2:2.6.1. (diff) | |
download | cryptsetup-debian.tar.xz cryptsetup-debian.zip |
Adding debian version 2:2.6.1-4~deb12u2.debian/2%2.6.1-4_deb12u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/initramfs/hooks')
-rw-r--r-- | debian/initramfs/hooks/cryptgnupg | 46 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptgnupg-sc | 87 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptkeyctl | 30 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptopensc | 62 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptpassdev | 38 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptroot | 406 | ||||
-rw-r--r-- | debian/initramfs/hooks/cryptroot-unlock | 40 |
7 files changed, 709 insertions, 0 deletions
diff --git a/debian/initramfs/hooks/cryptgnupg b/debian/initramfs/hooks/cryptgnupg new file mode 100644 index 0000000..dcb5248 --- /dev/null +++ b/debian/initramfs/hooks/cryptgnupg @@ -0,0 +1,46 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading gnupg software and symmetrically encrypted key into +# the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +# install askpass and GnuPG +copy_exec /lib/cryptsetup/askpass +copy_exec /usr/bin/gpg +exit $RV diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc new file mode 100644 index 0000000..9e45000 --- /dev/null +++ b/debian/initramfs/hooks/cryptgnupg-sc @@ -0,0 +1,87 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading gnupg software and encrypted key into the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +PUBRING="/etc/cryptsetup-initramfs/pubring.gpg" +if [ ! -f "$PUBRING" ]; then + cryptsetup_message "WARNING: $PUBRING: No such file" +else + [ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome" + # let gpg(1) create the keyring on the fly; we're not relying on its + # internals since it's the very same binary we're copying to the + # initramfs + /usr/bin/gpg --no-options --no-autostart --trust-model=always \ + --quiet --batch --no-tty --logger-file=/dev/null \ + --homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING" + # make sure not to clutter the initramfs with backup keyrings + find "$DESTDIR/cryptroot" -name "*~" -type f -delete +fi + +copy_exec /usr/bin/gpg +copy_exec /usr/bin/gpg-agent +copy_exec /usr/lib/gnupg/scdaemon +copy_exec /usr/bin/gpgconf +copy_exec /usr/bin/gpg-connect-agent + +if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then + if [ -x "/usr/bin/pinentry-curses" ]; then + pinentry="/usr/bin/pinentry-curses" + elif [ -x "/usr/bin/pinentry-tty" ]; then + pinentry="/usr/bin/pinentry-tty" + else + cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty" + RV=1 + fi + copy_exec "$pinentry" + ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry" +fi + +# #1028202: ncurses-base: move terminfo files from /lib/terminfo to +# /usr/share/terminfo +for d in "/usr/share/terminfo" "/lib/terminfo"; do + if [ -f "$d/l/linux" ]; then + if [ ! -f "$DESTDIR$d/l/linux" ]; then + copy_file terminfo "$d/l/linux" || RV=$? + fi + break + fi +done + +exit $RV diff --git a/debian/initramfs/hooks/cryptkeyctl b/debian/initramfs/hooks/cryptkeyctl new file mode 100644 index 0000000..5ae6ae8 --- /dev/null +++ b/debian/initramfs/hooks/cryptkeyctl @@ -0,0 +1,30 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for loading keyctl software into the initramfs + +# Check whether cryptroot hook has installed decrypt_keyctl script +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_keyctl" ]; then + exit 0 +fi + +copy_exec /lib/cryptsetup/askpass +copy_exec /bin/keyctl +exit 0 diff --git a/debian/initramfs/hooks/cryptopensc b/debian/initramfs/hooks/cryptopensc new file mode 100644 index 0000000..e0c5167 --- /dev/null +++ b/debian/initramfs/hooks/cryptopensc @@ -0,0 +1,62 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions + +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_opensc" ] || [ ! -f "$TABFILE" ]; then + exit 0 +fi + +# Hooks for loading smartcard reading software into the initramfs +copy_keys() { + crypttab_parse_options + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_opensc" ]; then + if [ -f "$CRYPTTAB_KEY" ]; then + [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$? + else + cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + RV=1 + fi + fi +} + +RV=0 +crypttab_foreach_entry copy_keys + +# Install directories needed by smartcard reading daemon, command, and +# key-script +mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp" + +# Install pcscd daemon, drivers, conf file +copy_exec /usr/sbin/pcscd + +cp -rt "$DESTDIR/usr/lib" /usr/lib/pcsc +cp -t "$DESTDIR/etc" /etc/reader.conf || true +cp -t "$DESTDIR/etc" /etc/libccid_Info.plist + +for so in $(ldconfig -p | sed -nr 's/^\s*(libusb-[0-9.-]+|libpcsclite)\.so\.[0-9]+\s.*=>\s*//p'); do + copy_exec "$so" +done + +# Install opensc commands and conf file +copy_exec /usr/bin/opensc-tool +copy_exec /usr/bin/pkcs15-crypt +cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf + +exit $RV diff --git a/debian/initramfs/hooks/cryptpassdev b/debian/initramfs/hooks/cryptpassdev new file mode 100644 index 0000000..54492f0 --- /dev/null +++ b/debian/initramfs/hooks/cryptpassdev @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e + +PREREQ="cryptroot" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# Hooks for adding filesystem modules to the initramfs when the passdev +# keyscript is used + +# Check whether the passdev script has been included +if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/passdev" ]; then + exit 0 +fi + +# The filesystem type of the removable device is probed at boot-time, so +# we add a generous list of filesystems to include. This also helps with +# recovery situation as including e.g. the vfat module might help a user +# who needs to create a new cryptkey (using a backup of a keyfile) on +# a windows-machine for example. + +# This list needs to be kept in sync with the one defined in passdev.c +manual_add_modules ext4 ext3 ext2 vfat btrfs reiserfs xfs jfs ntfs iso9660 udf +exit 0 + diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot new file mode 100644 index 0000000..c16f7c2 --- /dev/null +++ b/debian/initramfs/hooks/cryptroot @@ -0,0 +1,406 @@ +#!/bin/sh + +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +. /lib/cryptsetup/functions +TABFILE="/etc/crypttab" + + +# crypttab_find_and_print_entry($target) +# Find the crypttab(5) entry for the given (unmangled) $target and +# print it - preserving the mangling - to FD nr. 3; but only if the +# target has not already been processed during an earlier function +# call. (Processed target names are stored in +# $DESTDIR/cryptroot/targets.) +# Return 0 on success, 1 on error. +crypttab_find_and_print_entry() { + local target="$1" + local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS + if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then + printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets" + crypttab_find_entry "$target" || return 1 + crypttab_parse_options --missing-path=warn || return 1 + crypttab_print_entry + fi +} + +# crypttab_print_entry() +# Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_* +# and _CRYPTTAB_* values. +# _CRYPTTAB_SOURCE is replaced with UUID=<uuid> if possible (eg, for +# LUKS), unless the value starts with /dev/disk/by- or /dev/mapper/, +# or is already a device specification (such as LABEL= or PARTUUID=). +# If the entry uses the 'decrypt_derived' keyscript, the other +# crypttab(5) entries it depends on are (recursively) printed before +# hand. +# Various checks are performed on the key and crypttab options, but no +# parsing is done so it's the responsibility of the caller to call +# crypttab_parse_options(). +# Return 0 on success, 1 on error. +crypttab_print_entry() { + local DEV MAJ MIN uuid keyfile + if _resolve_device "$CRYPTTAB_SOURCE"; then + if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch" + elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \ + [ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \ + [ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \ + uuid="$(_device_uuid "$DEV")"; then + _CRYPTTAB_SOURCE="UUID=$uuid" + fi + # on failure _resolve_device() prints a warning and we try our + # luck with the unchanged _CRYPTTAB_SOURCE value + fi + + # if keyscript is set, the "key" is just an argument to the script + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + crypttab_key_check || return 1 + case "$CRYPTTAB_KEY" in + $KEYFILE_PATTERN) + mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles" + # $CRYPTTAB_NAME can't contain '/' (even after unmangling) + keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key" + if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then + cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY" + fi + _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name + ;; + *) + if [ "$usage" = rootfs ]; then + cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file" + return 1 + elif [ "$usage" = resume ]; then + cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file" + fi + if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" && + [ "${keyfile#/}" != "$keyfile" ]; then + cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target" + return 1 + elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then + cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS" + return 1 + fi + if [ ! -e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY" + else + _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name + fi + esac + fi + + if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then + copy_exec "$CRYPTTAB_OPTION_keyscript" + elif [ "$CRYPTTAB_KEY" = "none" ]; then + ASKPASS="y" + fi + if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then + # (recursively) list first the device to derive the key from (so + # the boot scripts unlock it first); since _CRYPTTAB_* are local + # to crypttab_find_and_print_entry() the new value won't + # override the new ones + crypttab_find_and_print_entry "$CRYPTTAB_KEY" + fi + printf '%s %s %s %s\n' \ + "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3 +} + +# get_resume_devno() +# Return the device ID(s) used for system suspend/hibernate. +get_resume_devno() { + local dev filename + + # uswsusp + for filename in /etc/uswsusp.conf /etc/suspend.conf; do + [ -e "$filename" ] || continue + dev="$(sed -nr '/^resume device\s*[:=]\s*/ {s///p;q}' "$filename")" + if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then + # trim quotes + dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")" + _print_devno "$(printf '%b' "$dev")" # unmangle + fi + done + + # regular swsusp + dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)" + _print_devno "$(printf '%b' "$dev")" # unmangle + + # initramfs-tools >=0.129 + dev="${RESUME:-auto}" + if [ "$dev" != none ]; then + if [ "$dev" = auto ]; then + # next line from /usr/share/initramfs-tools/hooks/resume + dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)" + fi + _print_devno "$(printf '%b' "$dev")" # unmangle + fi +} +_print_devno() { + local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets + if [ -n "$1" ] && _resolve_device "$1"; then + printf '%d:%d\n' "$MAJ" "$MIN" + fi +} + +# crypttab_print_initramfs_entry() +# Print a crypttab(5) entry - unless it was already processed - if it +# has the 'initramfs' option set. +crypttab_print_initramfs_entry() { + local usage= + if ! grep -Fxqz -e "$CRYPTTAB_NAME" -- "$DESTDIR/cryptroot/targets" && + crypttab_parse_options --quiet && + [ "${CRYPTTAB_OPTION_initramfs-no}" = "yes" ]; then + printf '%s\0' "$CRYPTTAB_NAME" >>"$DESTDIR/cryptroot/targets" + crypttab_print_entry + fi +} + +# generate_initrd_crypttab() +# Generate the crypttab(5) snippet that is relevant at initramfs +# stage. (Devices that aren't required at initramfs stage are +# ignored.) +generate_initrd_crypttab() { + local devnos usage IFS="$(printf '\t\n ')" + mkdir -- "$DESTDIR/cryptroot" + true >"$DESTDIR/cryptroot/targets" + + { + if devnos="$(get_mnt_devno /)"; then + usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos + else + cryptsetup_message "WARNING: Couldn't determine root device" + fi + + if devnos="$(get_resume_devno)"; then + usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos + fi + + if devnos="$(get_mnt_devno /usr)"; then + usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos + fi + + # add crypttab entries with the 'initramfs' option set + crypttab_foreach_entry crypttab_print_initramfs_entry + } 3>"$DESTDIR/cryptroot/crypttab" + rm -f "$DESTDIR/cryptroot/targets" +} + +# populate_CRYPTO_HASHES() +# Find out which crypto hashes are required for a crypttab(5) entry, +# and append them to the CRYPTO_HASHES variable. +populate_CRYPTO_HASHES() { + local hash source newline=" +" + + if crypttab_parse_options --quiet && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then + source="$CRYPTTAB_OPTION_header" + else + source="$(_resolve_device_spec "$CRYPTTAB_SOURCE")" || source="" + fi + + if [ ! -e "$source" ]; then + # missing source device or detached header, can't determine hashing function(s) + hash="@@UNKNOWN@@" + elif [ "$CRYPTTAB_TYPE" = "luks" ]; then + # using --dump-json-metadata would be more robust for LUKS2 but + # we also have to support LUKS1 hence have to parse luksDump output + hash="$(/sbin/cryptsetup luksDump -- "$source" | sed -nr 's/^\s*(AF hash|Hash|Hash spec)\s*:\s*//Ip')" + elif [ "$CRYPTTAB_TYPE" = "plain" ]; then + # --hash is being ignored when opening via key file + if [ "$CRYPTTAB_KEY" = "none" ] && [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + hash="${CRYPTTAB_OPTION_hash-ripemd160}" # default password hashing as of cryptsetup 2.5 + fi + else + hash="" # or hash="@@UNKNOWN@@"? + fi + + if [ -n "$hash" ]; then + CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES$newline}$hash" + fi +} + +# populate_CRYPTO_MODULES() +# Find out which crypto modules are required for a crypttab(5) entry, +# and append them to the CRYPTO_MODULES variable. +populate_CRYPTO_MODULES() { + local cipher iv + + # cf. dmsetup(8) and https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt + cipher="$(dmsetup table --target crypt -- "$CRYPTTAB_NAME" | cut -d' ' -f4)" + if [ -z "$cipher" ]; then + cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" + elif [ "${cipher#capi:}" = "$cipher" ]; then + # direct specification "cipher[:keycount]-chainmode-ivmode[:ivopts]" + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%%[-:]*}" # cipher + cipher="${cipher#"${cipher%%-*}-"}" # chainmode-ivmode[:ivopts]" + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%-*}" # chainmode + iv="${cipher##*-}" # ivmode[:ivopts]" + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv%%:*}" # ivmode + if [ "${iv#*:}" != "$iv" ]; then + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv#*:}" # ivopts + fi + else + # kernel crypto API format "capi:cipher_api_spec-ivmode[:ivopts]", since linux 4.12 + cipher="${cipher#capi:}" + cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" \ + "(kernel crypto API format isn't supported yet)" + fi +} + +# add_modules($glob, $moduledir, [$moduledir ..]) +# Add modules matching under the given $moduledir(s), the name of +# which matching $glob. +# Return 0 if any module was found found, 1 if not. +add_modules() { + local glob="$1" found=n + shift + for mod in $(find -H "$@" -name "$glob.ko*" -type f -printf '%f\n'); do + manual_add_modules "${mod%%.*}" + found=y + done + [ "$found" = y ] && return 0 || return 1 +} + +# add_crypto_modules($name, [$name ..]) +# Determine kernel module name and add to initramfs. +add_crypto_modules() { + local mod + for mod in "$@"; do + # We have several potential sources of modules (in order of preference): + # + # a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko + # b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko + # c) /lib/modules/$VERSION/kernel/crypto/$mod.ko + # + # and (currently ignored): + # + # d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko + add_modules "$mod-*" "$MODULESDIR"/kernel/arch/*/crypto || true + add_modules "${mod}_generic" "$MODULESDIR/kernel/crypto" \ + || add_modules "$mod" "$MODULESDIR/kernel/crypto" \ + || true + done +} + +# copy_libssl_legacy_library() +# Copy ossl-modules/legacy.so (from libssl library) to initramfs if needed. +# OpenSSL 3.0 moved support for some crypto hashes into legacy.so. +# See https://launchpad.net/bugs/1979159 +copy_libssl_legacy_library() { + local libcryptodir CRYPTO_HASHES="" + + libcryptodir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcrypto\.so\..*/ {s//\1/p;q}')" + [ -d "$libcryptodir" ] || return + + crypttab_foreach_entry populate_CRYPTO_HASHES + # See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html#Hashing-Algorithms-Message-Digests + if printf '%s\n' "$CRYPTO_HASHES" | grep -Fxq -e @@UNKNOWN@@ -e ripemd160 -e whirlpool; then + # legacy hashes are used so legacy.so needs to be copied to the initramfs + # (assume ossl-modules/legacy.so is relative to the linked libcrypto.so) + copy_exec "$libcryptodir/ossl-modules/legacy.so" || true + fi +} + +# See #1032221: newer libargon2 are built with glibc ≥2.34 hence no +# longer links libpthread. This in turns means that initramfs-tool's +# copy_exec() is no longer able to detect pthread_*() need and thus +# doesn't copy libgcc_s.so anymore. So we need to do it manually +# instead. +copy_libgcc_argon2() { + local libdir rv=0 + libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libargon2\.so\..*/ {s//\1/p;q}')" + copy_libgcc "$libdir" || rv=$? + if [ $rv -ne 0 ]; then + # merged-/usr mismatch, see #1032518 + if [ "${libdir#/usr/}" != "$libdir" ]; then + libdir="${libdir#/usr}" + else + libdir="/usr/${libdir#/}" + fi + copy_libgcc "$libdir" && rv=0 || rv=$? + fi + return $rv +} + + +####################################################################### +# Begin real processing + +unset -v ASKPASS KEYFILE_PATTERN +ASKPASS="y" +KEYFILE_PATTERN= + +# Load the hook config +if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then + . /etc/cryptsetup-initramfs/conf-hook +fi + +if [ -n "$KEYFILE_PATTERN" ]; then + case "${UMASK:-$(umask)}" in + 0[0-7]77) ;; + *) cryptsetup_message "WARNING: Permissive UMASK (${UMASK:-$(umask)})." \ + "Private key material within the initrd might be left unprotected." + ;; + esac +fi + +CRYPTO_MODULES= +if [ -r "$TABFILE" ]; then + generate_initrd_crypttab + TABFILE="$DESTDIR/cryptroot/crypttab" + crypttab_foreach_entry populate_CRYPTO_MODULES + copy_libssl_legacy_library +fi + +# add required components +manual_add_modules dm_mod +manual_add_modules dm_crypt + +copy_exec /sbin/cryptsetup +copy_exec /sbin/dmsetup +copy_libgcc_argon2 + +[ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass + +# We need sed. Either via busybox or as standalone binary. +if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then + copy_exec /bin/sed +fi + +# detect whether the host CPU has AES-NI support +if grep -Eq '^flags\s*:(.*\s)?aes(\s.*)?$' /proc/cpuinfo; then + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni" +else + # workaround for #883595/#901884 (xts depends on ecb) + CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }ecb" +fi + +# add userspace crypto module (only required for opening LUKS2 devices +# we add the module unconditionally as it's the default format) +CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher" + +if [ "$MODULES" = most ]; then + for d in "$MODULESDIR"/kernel/arch/*/crypto; do + copy_modules_dir "${d#"$MODULESDIR/"}" + done + copy_modules_dir "kernel/crypto" +else + if [ "$MODULES" != "dep" ]; then + # with large initramfs, we always add a basic subset of modules + add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts + fi + add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u) +fi +copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions diff --git a/debian/initramfs/hooks/cryptroot-unlock b/debian/initramfs/hooks/cryptroot-unlock new file mode 100644 index 0000000..06fe976 --- /dev/null +++ b/debian/initramfs/hooks/cryptroot-unlock @@ -0,0 +1,40 @@ +#!/bin/sh + +prereqs() +{ + # cryptroot-unlock needs to be run last among crypt* since other hooks might include askpass + local req script + for req in "${0%/*}"/crypt*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} + +case "$1" in + prereqs) + prereqs + exit 0 + ;; +esac + +if [ ! -f "$DESTDIR/lib/cryptsetup/askpass" ]; then + # cryptroot-unlock is useless without askpass + exit 0 +fi + +. /usr/share/initramfs-tools/hook-functions +if [ ! -f "$DESTDIR/bin/cryptroot-unlock" ] && + ! copy_file script /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock /bin/cryptroot-unlock; then + echo "ERROR: Couldn't copy /bin/cryptroot-unlock" >&2 + exit 1 +fi + +if [ -f /etc/initramfs-tools/etc/motd ]; then + copy_file text /etc/initramfs-tools/etc/motd /etc/motd +else + cat >>"$DESTDIR/etc/motd" <<- EOF + To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`. + EOF +fi |