|
| 1 | +#!/usr/bin/ash |
| 2 | + |
| 3 | +run_hook() { |
| 4 | + modprobe -a -q dm-crypt >/dev/null 2>&1 |
| 5 | + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" |
| 6 | + |
| 7 | + # Get keyfile if specified |
| 8 | + ckeyfile="/crypto_keyfile.bin" |
| 9 | + if [ -n "$cryptkey" ]; then |
| 10 | + IFS=: read ckdev ckarg1 ckarg2 <<EOF |
| 11 | +$cryptkey |
| 12 | +EOF |
| 13 | + |
| 14 | + if [ "$ckdev" = "rootfs" ]; then |
| 15 | + ckeyfile=$ckarg1 |
| 16 | + elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then |
| 17 | + case ${ckarg1} in |
| 18 | + *[!0-9]*) |
| 19 | + # Use a file on the device |
| 20 | + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path |
| 21 | + mkdir /ckey |
| 22 | + mount -r -t "$ckarg1" "$resolved" /ckey |
| 23 | + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 |
| 24 | + umount /ckey |
| 25 | + ;; |
| 26 | + *) |
| 27 | + # Read raw data from the block device |
| 28 | + # ckarg1 is numeric: ckarg1=offset, ckarg2=length |
| 29 | + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 |
| 30 | + ;; |
| 31 | + esac |
| 32 | + fi |
| 33 | + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." |
| 34 | + fi |
| 35 | + |
| 36 | + if [ -n "${cryptdevice}" ]; then |
| 37 | + DEPRECATED_CRYPT=0 |
| 38 | + IFS=: read cryptdev cryptname cryptoptions <<EOF |
| 39 | +$cryptdevice |
| 40 | +EOF |
| 41 | + else |
| 42 | + DEPRECATED_CRYPT=1 |
| 43 | + cryptdev="${root}" |
| 44 | + cryptname="root" |
| 45 | + fi |
| 46 | + |
| 47 | + warn_deprecated() { |
| 48 | + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" |
| 49 | + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." |
| 50 | + } |
| 51 | + |
| 52 | + for cryptopt in ${cryptoptions//,/ }; do |
| 53 | + case ${cryptopt} in |
| 54 | + allow-discards) |
| 55 | + cryptargs="${cryptargs} --allow-discards" |
| 56 | + ;; |
| 57 | + *) |
| 58 | + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 |
| 59 | + ;; |
| 60 | + esac |
| 61 | + done |
| 62 | + |
| 63 | + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then |
| 64 | + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then |
| 65 | + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated |
| 66 | + dopassphrase=1 |
| 67 | + # If keyfile exists, try to use that |
| 68 | + if [ -f ${ckeyfile} ]; then |
| 69 | + if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then |
| 70 | + dopassphrase=0 |
| 71 | + else |
| 72 | + echo "Invalid keyfile. Reverting to passphrase." |
| 73 | + fi |
| 74 | + fi |
| 75 | + # Ask for a passphrase |
| 76 | + if [ ${dopassphrase} -gt 0 ]; then |
| 77 | + echo "" |
| 78 | + echo "A password is required to access the ${cryptname} volume:" |
| 79 | + |
| 80 | + #loop until we get a real password |
| 81 | + while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do |
| 82 | + sleep 2; |
| 83 | + done |
| 84 | + fi |
| 85 | + if [ -e "/dev/mapper/${cryptname}" ]; then |
| 86 | + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then |
| 87 | + export root="/dev/mapper/root" |
| 88 | + fi |
| 89 | + else |
| 90 | + err "Password succeeded, but ${cryptname} creation failed, aborting..." |
| 91 | + exit 1 |
| 92 | + fi |
| 93 | + elif [ -n "${crypto}" ]; then |
| 94 | + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated |
| 95 | + msg "Non-LUKS encrypted device found..." |
| 96 | + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then |
| 97 | + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" |
| 98 | + err "Non-LUKS decryption not attempted..." |
| 99 | + return 1 |
| 100 | + fi |
| 101 | + exe="cryptsetup open --type plain $resolved $cryptname $cryptargs" |
| 102 | + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF |
| 103 | +$crypto |
| 104 | +EOF |
| 105 | + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" |
| 106 | + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" |
| 107 | + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" |
| 108 | + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" |
| 109 | + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" |
| 110 | + if [ -f "$ckeyfile" ]; then |
| 111 | + exe="$exe --key-file $ckeyfile" |
| 112 | + else |
| 113 | + exe="$exe --verify-passphrase" |
| 114 | + echo "" |
| 115 | + echo "A password is required to access the ${cryptname} volume:" |
| 116 | + fi |
| 117 | + eval "$exe $CSQUIET" |
| 118 | + |
| 119 | + if [ $? -ne 0 ]; then |
| 120 | + err "Non-LUKS device decryption failed. verify format: " |
| 121 | + err " crypto=hash:cipher:keysize:offset:skip" |
| 122 | + exit 1 |
| 123 | + fi |
| 124 | + if [ -e "/dev/mapper/${cryptname}" ]; then |
| 125 | + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then |
| 126 | + export root="/dev/mapper/root" |
| 127 | + fi |
| 128 | + else |
| 129 | + err "Password succeeded, but ${cryptname} creation failed, aborting..." |
| 130 | + exit 1 |
| 131 | + fi |
| 132 | + else |
| 133 | + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." |
| 134 | + fi |
| 135 | + fi |
| 136 | + rm -f ${ckeyfile} |
| 137 | +} |
| 138 | + |
| 139 | +# vim: set ft=sh ts=4 sw=4 et: |
0 commit comments