7 files changed, 709 insertions, 0 deletions
diff --git a/debian/initramfs/hooks/cryptgnupg b/debian/initramfs/hooks/cryptgnupg
new file mode 100644
index 0000000..dcb5248
--- /dev/null
+++ b/debian/initramfs/hooks/cryptgnupg
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg" ] || [ ! -f "$TABFILE" ]; then
+    exit 0
+fi
+
+# Hooks for loading gnupg software and symmetrically encrypted key into
+# the initramfs
+copy_keys() {
+    crypttab_parse_options
+    if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg" ]; then
+        if [ -f "$CRYPTTAB_KEY" ]; then
+            [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+        else
+            cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+            RV=1
+        fi
+    fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+# install askpass and GnuPG
+copy_exec /lib/cryptsetup/askpass
+copy_exec /usr/bin/gpg
+exit $RV
diff --git a/debian/initramfs/hooks/cryptgnupg-sc b/debian/initramfs/hooks/cryptgnupg-sc
new file mode 100644
index 0000000..9e45000
--- /dev/null
+++ b/debian/initramfs/hooks/cryptgnupg-sc
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_gnupg-sc" ] || [ ! -f "$TABFILE" ]; then
+    exit 0
+fi
+
+# Hooks for loading gnupg software and encrypted key into the initramfs
+copy_keys() {
+    crypttab_parse_options
+    if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_gnupg-sc" ]; then
+        if [ -f "$CRYPTTAB_KEY" ]; then
+            [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+        else
+            cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+            RV=1
+        fi
+    fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+PUBRING="/etc/cryptsetup-initramfs/pubring.gpg"
+if [ ! -f "$PUBRING" ]; then
+    cryptsetup_message "WARNING: $PUBRING: No such file"
+else
+    [ -d "$DESTDIR/cryptroot/gnupghome" ] || mkdir -pm0700 "$DESTDIR/cryptroot/gnupghome"
+    # let gpg(1) create the keyring on the fly; we're not relying on its
+    # internals since it's the very same binary we're copying to the
+    # initramfs
+    /usr/bin/gpg --no-options --no-autostart --trust-model=always \
+        --quiet --batch --no-tty --logger-file=/dev/null \
+        --homedir="$DESTDIR/cryptroot/gnupghome" --import <"$PUBRING"
+    # make sure not to clutter the initramfs with backup keyrings
+    find "$DESTDIR/cryptroot" -name "*~" -type f -delete
+fi
+
+copy_exec /usr/bin/gpg
+copy_exec /usr/bin/gpg-agent
+copy_exec /usr/lib/gnupg/scdaemon
+copy_exec /usr/bin/gpgconf
+copy_exec /usr/bin/gpg-connect-agent
+
+if [ ! -x "$DESTDIR/usr/bin/pinentry" ]; then
+    if [ -x "/usr/bin/pinentry-curses" ]; then
+        pinentry="/usr/bin/pinentry-curses"
+    elif [ -x "/usr/bin/pinentry-tty" ]; then
+        pinentry="/usr/bin/pinentry-tty"
+    else
+        cryptsetup_message "ERROR: missing required binary pinentry-curses or pinentry-tty"
+        RV=1
+    fi
+    copy_exec "$pinentry"
+    ln -s "$pinentry" "$DESTDIR/usr/bin/pinentry"
+fi
+
+# #1028202: ncurses-base: move terminfo files from /lib/terminfo to
+# /usr/share/terminfo
+for d in "/usr/share/terminfo" "/lib/terminfo"; do
+    if [ -f "$d/l/linux" ]; then
+        if [ ! -f "$DESTDIR$d/l/linux" ]; then
+            copy_file terminfo "$d/l/linux" || RV=$?
+        fi
+        break
+    fi
+done
+
+exit $RV
diff --git a/debian/initramfs/hooks/cryptkeyctl b/debian/initramfs/hooks/cryptkeyctl
new file mode 100644
index 0000000..5ae6ae8
--- /dev/null
+++ b/debian/initramfs/hooks/cryptkeyctl
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# Hooks for loading keyctl software into the initramfs
+
+# Check whether cryptroot hook has installed decrypt_keyctl script
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_keyctl" ]; then
+    exit 0
+fi
+
+copy_exec /lib/cryptsetup/askpass
+copy_exec /bin/keyctl
+exit 0
diff --git a/debian/initramfs/hooks/cryptopensc b/debian/initramfs/hooks/cryptopensc
new file mode 100644
index 0000000..e0c5167
--- /dev/null
+++ b/debian/initramfs/hooks/cryptopensc
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+    echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_opensc" ] || [ ! -f "$TABFILE" ]; then
+    exit 0
+fi
+
+# Hooks for loading smartcard reading software into the initramfs
+copy_keys() {
+    crypttab_parse_options
+    if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_opensc" ]; then
+        if [ -f "$CRYPTTAB_KEY" ]; then
+            [ -f "$DESTDIR$CRYPTTAB_KEY" ] || copy_file keyfile "$CRYPTTAB_KEY" || RV=$?
+        else
+            cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+            RV=1
+        fi
+    fi
+}
+
+RV=0
+crypttab_foreach_entry copy_keys
+
+# Install directories needed by smartcard reading daemon, command, and
+# key-script
+mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp"
+
+# Install pcscd daemon, drivers, conf file
+copy_exec /usr/sbin/pcscd
+
+cp -rt "$DESTDIR/usr/lib" /usr/lib/pcsc
+cp -t "$DESTDIR/etc" /etc/reader.conf || true
+cp -t "$DESTDIR/etc" /etc/libccid_Info.plist
+
+for so in $(ldconfig -p | sed -nr 's/^\s*(libusb-[0-9.-]+|libpcsclite)\.so\.[0-9]+\s.*=>\s*//p'); do
+    copy_exec "$so"
+done
+
+# Install opensc commands and conf file
+copy_exec /usr/bin/opensc-tool
+copy_exec /usr/bin/pkcs15-crypt
+cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
+
+exit $RV
diff --git a/debian/initramfs/hooks/cryptpassdev b/debian/initramfs/hooks/cryptpassdev
new file mode 100644
index 0000000..54492f0
--- /dev/null
+++ b/debian/initramfs/hooks/cryptpassdev
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e
+
+PREREQ="cryptroot"
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# Hooks for adding filesystem modules to the initramfs when the passdev
+# keyscript is used
+
+# Check whether the passdev script has been included
+if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/passdev" ]; then
+	exit 0
+fi
+
+# The filesystem type of the removable device is probed at boot-time, so
+# we add a generous list of filesystems to include. This also helps with
+# recovery situation as including e.g. the vfat module might help a user
+# who needs to create a new cryptkey (using a backup of a keyfile) on
+# a windows-machine for example.
+
+# This list needs to be kept in sync with the one defined in passdev.c
+manual_add_modules ext4 ext3 ext2 vfat btrfs reiserfs xfs jfs ntfs iso9660 udf
+exit 0
+
diff --git a/debian/initramfs/hooks/cryptroot b/debian/initramfs/hooks/cryptroot
new file mode 100644
index 0000000..c16f7c2
--- /dev/null
+++ b/debian/initramfs/hooks/cryptroot
@@ -0,0 +1,406 @@
+#!/bin/sh
+
+PREREQ=""
+
+prereqs()
+{
+    echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+. /lib/cryptsetup/functions
+TABFILE="/etc/crypttab"
+
+
+# crypttab_find_and_print_entry($target)
+#   Find the crypttab(5) entry for the given (unmangled) $target and
+#   print it - preserving the mangling - to FD nr. 3; but only if the
+#   target has not already been processed during an earlier function
+#   call.  (Processed target names are stored in
+#   $DESTDIR/cryptroot/targets.)
+#   Return 0 on success, 1 on error.
+crypttab_find_and_print_entry() {
+    local target="$1"
+    local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
+    if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then
+        printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets"
+        crypttab_find_entry "$target" || return 1
+        crypttab_parse_options --missing-path=warn || return 1
+        crypttab_print_entry
+    fi
+}
+
+# crypttab_print_entry()
+#   Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_*
+#   and _CRYPTTAB_* values.
+#   _CRYPTTAB_SOURCE is replaced with UUID=<uuid> if possible (eg, for
+#   LUKS), unless the value starts with /dev/disk/by- or /dev/mapper/,
+#   or is already a device specification (such as LABEL= or PARTUUID=).
+#   If the entry uses the 'decrypt_derived' keyscript, the other
+#   crypttab(5) entries it depends on are (recursively) printed before
+#   hand.
+#   Various checks are performed on the key and crypttab options, but no
+#   parsing is done so it's the responsibility of the caller to call
+#   crypttab_parse_options().
+#   Return 0 on success, 1 on error.
+crypttab_print_entry() {
+    local DEV MAJ MIN uuid keyfile
+    if _resolve_device "$CRYPTTAB_SOURCE"; then
+        if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
+            cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
+        elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \
+                [ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \
+                [ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \
+                uuid="$(_device_uuid "$DEV")"; then
+            _CRYPTTAB_SOURCE="UUID=$uuid"
+        fi
+        # on failure _resolve_device() prints a warning and we try our
+        # luck with the unchanged _CRYPTTAB_SOURCE value
+    fi
+
+    # if keyscript is set, the "key" is just an argument to the script
+    if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
+        crypttab_key_check || return 1
+        case "$CRYPTTAB_KEY" in
+            $KEYFILE_PATTERN)
+                mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
+                # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
+                keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
+                if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
+                    cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
+                fi
+                _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
+                ;;
+            *)
+                if [ "$usage" = rootfs ]; then
+                    cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
+                    return 1
+                elif [ "$usage" = resume ]; then
+                    cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
+                fi
+                if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
+                        [ "${keyfile#/}" != "$keyfile" ]; then
+                    cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
+                    return 1
+                elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
+                    cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
+                    return 1
+                fi
+                if [ ! -e "$CRYPTTAB_KEY" ]; then
+                    cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+                else
+                    _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
+                fi
+        esac
+    fi
+
+    if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+        copy_exec "$CRYPTTAB_OPTION_keyscript"
+    elif [ "$CRYPTTAB_KEY" = "none" ]; then
+        ASKPASS="y"
+    fi
+    if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
+        # (recursively) list first the device to derive the key from (so
+        # the boot scripts unlock it first); since _CRYPTTAB_* are local
+        # to crypttab_find_and_print_entry() the new value won't
+        # override the new ones
+        crypttab_find_and_print_entry "$CRYPTTAB_KEY"
+    fi
+    printf '%s %s %s %s\n' \
+        "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3
+}
+
+# get_resume_devno()
+#   Return the device ID(s) used for system suspend/hibernate.
+get_resume_devno() {
+    local dev filename
+
+    # uswsusp
+    for filename in /etc/uswsusp.conf /etc/suspend.conf; do
+        [ -e "$filename" ] || continue
+        dev="$(sed -nr '/^resume device\s*[:=]\s*/ {s///p;q}' "$filename")"
+        if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then
+            # trim quotes
+            dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")"
+            _print_devno "$(printf '%b' "$dev")" # unmangle
+        fi
+    done
+
+    # regular swsusp
+    dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)"
+    _print_devno "$(printf '%b' "$dev")" # unmangle
+
+    # initramfs-tools >=0.129
+    dev="${RESUME:-auto}"
+    if [ "$dev" != none ]; then
+        if [ "$dev" = auto ]; then
+            # next line from /usr/share/initramfs-tools/hooks/resume
+            dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)"
+        fi
+        _print_devno "$(printf '%b' "$dev")" # unmangle
+    fi
+}
+_print_devno() {
+    local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets
+    if [ -n "$1" ] && _resolve_device "$1"; then
+        printf '%d:%d\n' "$MAJ" "$MIN"
+    fi
+}
+
+# crypttab_print_initramfs_entry()
+#   Print a crypttab(5) entry - unless it was already processed - if it
+#   has the 'initramfs' option set.
+crypttab_print_initramfs_entry() {
+    local usage=
+    if ! grep -Fxqz -e "$CRYPTTAB_NAME" -- "$DESTDIR/cryptroot/targets" &&
+            crypttab_parse_options --quiet &&
+            [ "${CRYPTTAB_OPTION_initramfs-no}" = "yes" ]; then
+        printf '%s\0' "$CRYPTTAB_NAME" >>"$DESTDIR/cryptroot/targets"
+        crypttab_print_entry
+    fi
+}
+
+# generate_initrd_crypttab()
+#   Generate the crypttab(5) snippet that is relevant at initramfs
+#   stage.  (Devices that aren't required at initramfs stage are
+#   ignored.)
+generate_initrd_crypttab() {
+    local devnos usage IFS="$(printf '\t\n ')"
+    mkdir -- "$DESTDIR/cryptroot"
+    true >"$DESTDIR/cryptroot/targets"
+
+    {
+        if devnos="$(get_mnt_devno /)"; then
+            usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
+        else
+            cryptsetup_message "WARNING: Couldn't determine root device"
+        fi
+
+        if devnos="$(get_resume_devno)"; then
+            usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
+        fi
+
+        if devnos="$(get_mnt_devno /usr)"; then
+            usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
+        fi
+
+        # add crypttab entries with the 'initramfs' option set
+        crypttab_foreach_entry crypttab_print_initramfs_entry
+    } 3>"$DESTDIR/cryptroot/crypttab"
+    rm -f "$DESTDIR/cryptroot/targets"
+}
+
+# populate_CRYPTO_HASHES()
+#   Find out which crypto hashes are required for a crypttab(5) entry,
+#   and append them to the CRYPTO_HASHES variable.
+populate_CRYPTO_HASHES() {
+    local hash source newline="
+"
+
+    if crypttab_parse_options --quiet && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
+        source="$CRYPTTAB_OPTION_header"
+    else
+        source="$(_resolve_device_spec "$CRYPTTAB_SOURCE")" || source=""
+    fi
+
+    if [ ! -e "$source" ]; then
+        # missing source device or detached header, can't determine hashing function(s)
+        hash="@@UNKNOWN@@"
+    elif [ "$CRYPTTAB_TYPE" = "luks" ]; then
+        # using --dump-json-metadata would be more robust for LUKS2 but
+        # we also have to support LUKS1 hence have to parse luksDump output
+        hash="$(/sbin/cryptsetup luksDump -- "$source" | sed -nr 's/^\s*(AF hash|Hash|Hash spec)\s*:\s*//Ip')"
+    elif [ "$CRYPTTAB_TYPE" = "plain" ]; then
+        # --hash is being ignored when opening via key file
+        if [ "$CRYPTTAB_KEY" = "none" ] && [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+            hash="${CRYPTTAB_OPTION_hash-ripemd160}" # default password hashing as of cryptsetup 2.5
+        fi
+    else
+        hash="" # or hash="@@UNKNOWN@@"?
+    fi
+
+    if [ -n "$hash" ]; then
+        CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES$newline}$hash"
+    fi
+}
+
+# populate_CRYPTO_MODULES()
+#   Find out which crypto modules are required for a crypttab(5) entry,
+#   and append them to the CRYPTO_MODULES variable.
+populate_CRYPTO_MODULES() {
+    local cipher iv
+
+    # cf. dmsetup(8) and https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
+    cipher="$(dmsetup table --target crypt -- "$CRYPTTAB_NAME" | cut -d' ' -f4)"
+    if [ -z "$cipher" ]; then
+        cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME"
+    elif [ "${cipher#capi:}" = "$cipher" ]; then
+        # direct specification "cipher[:keycount]-chainmode-ivmode[:ivopts]"
+        CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%%[-:]*}" # cipher
+        cipher="${cipher#"${cipher%%-*}-"}" # chainmode-ivmode[:ivopts]"
+        CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%-*}" # chainmode
+        iv="${cipher##*-}" # ivmode[:ivopts]"
+        CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv%%:*}" # ivmode
+        if [ "${iv#*:}" != "$iv" ]; then
+            CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv#*:}" # ivopts
+        fi
+    else
+        # kernel crypto API format "capi:cipher_api_spec-ivmode[:ivopts]", since linux 4.12
+        cipher="${cipher#capi:}"
+        cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" \
+            "(kernel crypto API format isn't supported yet)"
+    fi
+}
+
+# add_modules($glob, $moduledir, [$moduledir ..])
+#   Add modules matching under the given $moduledir(s), the name of
+#   which matching $glob.
+#   Return 0 if any module was found found, 1 if not.
+add_modules() {
+    local glob="$1" found=n
+    shift
+    for mod in $(find -H "$@" -name "$glob.ko*" -type f -printf '%f\n'); do
+        manual_add_modules "${mod%%.*}"
+        found=y
+    done
+    [ "$found" = y ] && return 0 || return 1
+}
+
+# add_crypto_modules($name, [$name ..])
+#   Determine kernel module name and add to initramfs.
+add_crypto_modules() {
+    local mod
+    for mod in "$@"; do
+        # We have several potential sources of modules (in order of preference):
+        #
+        #   a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
+        #   b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
+        #   c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
+        #
+        # and (currently ignored):
+        #
+        #   d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
+        add_modules "$mod-*" "$MODULESDIR"/kernel/arch/*/crypto || true
+        add_modules "${mod}_generic" "$MODULESDIR/kernel/crypto" \
+            || add_modules "$mod" "$MODULESDIR/kernel/crypto" \
+            || true
+    done
+}
+
+# copy_libssl_legacy_library()
+#   Copy ossl-modules/legacy.so (from libssl library) to initramfs if needed.
+#   OpenSSL 3.0 moved support for some crypto hashes into legacy.so.
+#   See https://launchpad.net/bugs/1979159
+copy_libssl_legacy_library() {
+    local libcryptodir CRYPTO_HASHES=""
+
+    libcryptodir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcrypto\.so\..*/ {s//\1/p;q}')"
+    [ -d "$libcryptodir" ] || return
+
+    crypttab_foreach_entry populate_CRYPTO_HASHES
+    # See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html#Hashing-Algorithms-Message-Digests
+    if printf '%s\n' "$CRYPTO_HASHES" | grep -Fxq -e @@UNKNOWN@@ -e ripemd160 -e whirlpool; then
+        # legacy hashes are used so legacy.so needs to be copied to the initramfs
+        # (assume ossl-modules/legacy.so is relative to the linked libcrypto.so)
+        copy_exec "$libcryptodir/ossl-modules/legacy.so" || true
+    fi
+}
+
+# See #1032221: newer libargon2 are built with glibc ≥2.34 hence no
+# longer links libpthread.  This in turns means that initramfs-tool's
+# copy_exec() is no longer able to detect pthread_*() need and thus
+# doesn't copy libgcc_s.so anymore.  So we need to do it manually
+# instead.
+copy_libgcc_argon2() {
+    local libdir rv=0
+    libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libargon2\.so\..*/ {s//\1/p;q}')"
+    copy_libgcc "$libdir" || rv=$?
+    if [ $rv -ne 0 ]; then
+        # merged-/usr mismatch, see #1032518
+        if [ "${libdir#/usr/}" != "$libdir" ]; then
+            libdir="${libdir#/usr}"
+        else
+            libdir="/usr/${libdir#/}"
+        fi
+        copy_libgcc "$libdir" && rv=0 || rv=$?
+    fi
+    return $rv
+}
+
+
+#######################################################################
+# Begin real processing
+
+unset -v ASKPASS KEYFILE_PATTERN
+ASKPASS="y"
+KEYFILE_PATTERN=
+
+# Load the hook config
+if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then
+    . /etc/cryptsetup-initramfs/conf-hook
+fi
+
+if [ -n "$KEYFILE_PATTERN" ]; then
+    case "${UMASK:-$(umask)}" in
+        0[0-7]77) ;;
+        *) cryptsetup_message "WARNING: Permissive UMASK (${UMASK:-$(umask)})." \
+                "Private key material within the initrd might be left unprotected."
+        ;;
+    esac
+fi
+
+CRYPTO_MODULES=
+if [ -r "$TABFILE" ]; then
+    generate_initrd_crypttab
+    TABFILE="$DESTDIR/cryptroot/crypttab"
+    crypttab_foreach_entry populate_CRYPTO_MODULES
+    copy_libssl_legacy_library
+fi
+
+# add required components
+manual_add_modules dm_mod
+manual_add_modules dm_crypt
+
+copy_exec /sbin/cryptsetup
+copy_exec /sbin/dmsetup
+copy_libgcc_argon2
+
+[ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass
+
+# We need sed. Either via busybox or as standalone binary.
+if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then
+    copy_exec /bin/sed
+fi
+
+# detect whether the host CPU has AES-NI support
+if grep -Eq '^flags\s*:(.*\s)?aes(\s.*)?$' /proc/cpuinfo; then
+    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
+else
+    # workaround for #883595/#901884 (xts depends on ecb)
+    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }ecb"
+fi
+
+# add userspace crypto module (only required for opening LUKS2 devices
+# we add the module unconditionally as it's the default format)
+CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"
+
+if [ "$MODULES" = most ]; then
+    for d in "$MODULESDIR"/kernel/arch/*/crypto; do
+        copy_modules_dir "${d#"$MODULESDIR/"}"
+    done
+    copy_modules_dir "kernel/crypto"
+else
+    if [ "$MODULES" != "dep" ]; then
+        # with large initramfs, we always add a basic subset of modules
+        add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
+    fi
+    add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
+fi
+copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions
diff --git a/debian/initramfs/hooks/cryptroot-unlock b/debian/initramfs/hooks/cryptroot-unlock
new file mode 100644
index 0000000..06fe976
--- /dev/null
+++ b/debian/initramfs/hooks/cryptroot-unlock
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+prereqs()
+{
+    # cryptroot-unlock needs to be run last among crypt* since other hooks might include askpass
+    local req script
+    for req in "${0%/*}"/crypt*; do
+        script="${req##*/}"
+        if [ "$script" != "${0##*/}" ]; then
+            printf '%s\n' "$script"
+        fi
+    done
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+if [ ! -f "$DESTDIR/lib/cryptsetup/askpass" ]; then
+    # cryptroot-unlock is useless without askpass
+    exit 0
+fi
+
+. /usr/share/initramfs-tools/hook-functions
+if [ ! -f "$DESTDIR/bin/cryptroot-unlock" ] &&
+        ! copy_file script /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock /bin/cryptroot-unlock; then
+    echo "ERROR: Couldn't copy /bin/cryptroot-unlock" >&2
+    exit 1
+fi
+
+if [ -f /etc/initramfs-tools/etc/motd ]; then
+    copy_file text /etc/initramfs-tools/etc/motd /etc/motd
+else
+    cat >>"$DESTDIR/etc/motd" <<- EOF
+		To unlock root partition, and maybe others like swap, run \`cryptroot-unlock\`.
+	EOF
+fi