dracut/modules.d/90crypt/cryptroot-ask.sh

#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

PATH=/usr/sbin:/usr/bin:/sbin:/bin
NEWROOT=${NEWROOT:-"/sysroot"}

# do not ask, if we already have root
[ -f $NEWROOT/proc ] && exit 0

# check if destination already exists
[ -b /dev/mapper/$2 ] && exit 0

# we already asked for this device
[ -f /tmp/cryptroot-asked-$2 ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

. /lib/dracut-crypt-lib.sh

# default luksname - luks-UUID
luksname=$2

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
    while read name dev rest; do
        # ignore blank lines and comments
        if [ -z "$name" -o "${name#\#}" != "$name" ]; then
            continue
        fi

        # UUID used in crypttab
        if [ "${dev%%=*}" = "UUID" ]; then
            if [ "luks-${dev##UUID=}" = "$2" ]; then
                luksname="$name"
                break
            fi

        # path used in crypttab
        else
            cdev=$(readlink -f $dev)
            mdev=$(readlink -f $device)
            if [ "$cdev" = "$mdev" ]; then
                luksname="$name"
                break
            fi
        fi
    done < /etc/crypttab
    unset name dev rest
fi

#
# Open LUKS device
#

info "luksOpen $device $luksname"

if [ -n "$(getarg rd.luks.key)" ]; then
    if tmp=$(getkey /tmp/luks.keys $device); then
        keydev="${tmp%%:*}"
        keypath="${tmp#*:}"
    else
        info "No key found for $device.  Will try later."
        initqueue --unique --onetime --settled \
            --name cryptroot-ask-$luksname \
            $(command -v cryptroot-ask) "$@"
        exit 0
    fi
    unset tmp

    info "Using '$keypath' on '$keydev'"
    readkey "$keypath" "$keydev" "$device" \
        | cryptsetup -d - luksOpen "$device" "$luksname"
    unset keypath keydev
else
    luks_open="$(command -v cryptsetup) luksOpen"
    ask_for_password --ply-tries 5 \
        --ply-cmd "$luks_open -T1 $device $luksname" \
        --ply-prompt "Password ($device)" \
        --tty-tries 1 \
        --tty-cmd "$luks_open -T5 $device $luksname"
    unset luks_open
fi

unset device luksname

# mark device as asked
>> /tmp/cryptroot-asked-$2

udevsettle

exit 0
get crypt password with rules 16 years ago			`#!/bin/sh`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`# -- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; --`
			`# ex: ts=8 sw=4 sts=4 et filetype=sh`
get crypt password with rules 16 years ago
get rid of absolute PATHs 14 years ago			`PATH=/usr/sbin:/usr/bin:/sbin:/bin`
crypt/cryptroot-ask.sh: check and use NEWROOT 14 years ago			`NEWROOT=${NEWROOT:-"/sysroot"}`
get rid of absolute PATHs 14 years ago
bail out of cryptroot-ask, if we have already asked about the password 16 years ago			`# do not ask, if we already have root`
crypt/cryptroot-ask.sh: check and use NEWROOT 14 years ago			`[ -f $NEWROOT/proc ] && exit 0`
bail out of cryptroot-ask, if we have already asked about the password 16 years ago
			`# check if destination already exists`
get crypt password with rules 16 years ago			`[ -b /dev/mapper/$2 ] && exit 0`
bail out of cryptroot-ask, if we have already asked about the password 16 years ago
			`# we already asked for this device`
			`[ -f /tmp/cryptroot-asked-$2 ] && exit 0`

Have cryptroot-ask load dm_crypt if needed. 15 years ago			`# load dm_crypt if it is not already loaded`
			`[ -d /sys/module/dm_crypt ] \|\| modprobe dm_crypt`

90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> \| "LABEL=" <label> \| <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>. 14 years ago			`. /lib/dracut-crypt-lib.sh`
crypt: install /etc/crypttab and honor crypttab entries 16 years ago
cryptroot-ask.sh: fixed luks handling see https://bugzilla.redhat.com/show_bug.cgi?id=530898#c16 15 years ago			`# default luksname - luks-UUID`
crypt: install /etc/crypttab and honor crypttab entries 16 years ago			`luksname=$2`
cryptroot-ask.sh: fixed luks handling see https://bugzilla.redhat.com/show_bug.cgi?id=530898#c16 15 years ago
			`# if device name is /dev/dm-X, convert to /dev/mapper/name`
			`if [ "${1##/dev/dm-}" != "$1" ]; then`
			`device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"`
			`else`
			`device="$1"`
			`fi`

90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> \| "LABEL=" <label> \| <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>. 14 years ago			`# TODO: improve to support what cmdline does`
new parameter option names with "rd.*" namespace Renamed Options Here is a list of options, which were used in dracut prior to version 008, and their new replacement. rdbreak rd.break rd_CCW rd.ccw rdcopystate rd.copystate rd_DASD_MOD rd.dasd_mod.dasd rd_DASD rd.dasd rdinitdebug rdnetdebug rd.debug rd_NO_DM rd.dm=0 rd_DM_UUID rd.dm.uuid rdblacklist rd.driver.blacklist rdinsmodpost rd.driver.post rdloaddriver rd.driver.pre rd_NO_FSTAB rd.fstab=0 rdinfo rd.info check rd.live.check rdlivedebug rd.live.debug live_dir rd.live.dir liveimg rd.live.image overlay rd.live.overlay readonly_overlay rd.live.overlay.readonly reset_overlay rd.live.overlay.reset live_ram rd.live.ram rd_NO_CRYPTTAB rd.luks.crypttab=0 rd_LUKS_KEYDEV_UUID rd.luks.keydev.uuid rd_LUKS_KEYPATH rd.luks.keypath rd_NO_LUKS rd.luks=0 rd_LUKS_UUID rd.luks.uuid rd_LUKS_UUID rd.luks.uuid rd_NO_LVMCONF rd.lvm.conf rd_LVM_LV rd.lvm.lv rd_NO_LVM rd.lvm=0 rd_LVM_SNAPSHOT rd.lvm.snapshot rd_LVM_SNAPSIZE rd.lvm.snapsize rd_LVM_VG rd.lvm.vg rd_NO_MDADMCONF rd.md.conf=0 rd_NO_MDIMSM rd.md.imsm=0 rd_NO_MD rd.md=0 rd_MD_UUID rd.md.uuid rd_NFS_DOMAIN rd.nfs.domain rd_NO_PLYMOUTH rd.plymouth=0 rd_retry rd.retry rdshell rd.shell rd_NO_SPLASH rd.splash rdudevdebug rd.udev.debug rdudevinfo rd.udev.info rd_NO_ZFCPCONF rd.zfcp.conf=0 rd_ZFCP rd.zfcp 15 years ago			`if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then`
crypt: install /etc/crypttab and honor crypttab entries 16 years ago			`while read name dev rest; do`
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until 15 years ago			`# ignore blank lines and comments`
			`if [ -z "$name" -o "${name#\#}" != "$name" ]; then`
			`continue`
			`fi`

			`# UUID used in crypttab`
			`if [ "${dev%%=*}" = "UUID" ]; then`
			`if [ "luks-${dev##UUID=}" = "$2" ]; then`
			`luksname="$name"`
			`break`
			`fi`
removed trailing whitespaces 14 years ago
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until 15 years ago			`# path used in crypttab`
			`else`
			`cdev=$(readlink -f $dev)`
			`mdev=$(readlink -f $device)`
			`if [ "$cdev" = "$mdev" ]; then`
			`luksname="$name"`
			`break`
			`fi`
			`fi`
crypt: install /etc/crypttab and honor crypttab entries 16 years ago			`done < /etc/crypttab`
cryptroot-ask.sh: fixed luks handling see https://bugzilla.redhat.com/show_bug.cgi?id=530898#c16 15 years ago			`unset name dev rest`
crypt: install /etc/crypttab and honor crypttab entries 16 years ago			`fi`

90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until 15 years ago			`#`
			`# Open LUKS device`
			`#`

crypt: assemble 70-luks.rules dynamically 15 years ago			`info "luksOpen $device $luksname"`
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until 15 years ago
90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> \| "LABEL=" <label> \| <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>. 14 years ago			`if [ -n "$(getarg rd.luks.key)" ]; then`
			`if tmp=$(getkey /tmp/luks.keys $device); then`
crypt: change /tmp/luks.keys seperator from "\|" to ":" Do it like on the kernel command line, so we only have one forbidden character. 14 years ago			`keydev="${tmp%%:*}"`
			`keypath="${tmp#*:}"`
90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> \| "LABEL=" <label> \| <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>. 14 years ago			`else`
			`info "No key found for $device. Will try later."`
get rid of absolute PATHs 14 years ago			`initqueue --unique --onetime --settled \`
90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> \| "LABEL=" <label> \| <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>. 14 years ago			`--name cryptroot-ask-$luksname \`
get rid of absolute PATHs 14 years ago			`$(command -v cryptroot-ask) "$@"`
90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> \| "LABEL=" <label> \| <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>. 14 years ago			`exit 0`
			`fi`
			`unset tmp`

crypt: functions for ask-for-password and reading key Asking for password and reading key parts are moved to separate functions in crypt-lib.sh: ask_for_password and readkey. 14 years ago			`info "Using '$keypath' on '$keydev'"`
			`readkey "$keypath" "$keydev" "$device" \`
			`\| cryptsetup -d - luksOpen "$device" "$luksname"`
			`unset keypath keydev`
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until 15 years ago			`else`
crypt: functions for ask-for-password and reading key Asking for password and reading key parts are moved to separate functions in crypt-lib.sh: ask_for_password and readkey. 14 years ago			`luks_open="$(command -v cryptsetup) luksOpen"`
			`ask_for_password --ply-tries 5 \`
			`--ply-cmd "$luks_open -T1 $device $luksname" \`
			`--ply-prompt "Password ($device)" \`
			`--tty-tries 1 \`
			`--tty-cmd "$luks_open -T5 $device $luksname"`
			`unset luks_open`
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until 15 years ago			`fi`
get crypt password with rules 16 years ago
Merged cryptroot-ask.sh from plymouth to crypt module. First, it's duplicate code. Second, it did not allow those who had plymouth installed to use other methods, like the new usb key file. When building the initram, it would install the plymouth cryptroot-ask script, and not the crypt module one. Added these new items to crypt module's cryptroot-ask.sh: - 'unset' for used variables - udevsettle The non-plymouth cryptsetup prompt was using $1 instead of $device. Changed prompt number from 1 to 5, as this is much nicer. I believe plymouth already does infinite prompts. Also added unset for usb key. Just saw it didn't unset its vars. 15 years ago			`unset device luksname`

bail out of cryptroot-ask, if we have already asked about the password 16 years ago			`# mark device as asked`
			`>> /tmp/cryptroot-asked-$2`

Merged cryptroot-ask.sh from plymouth to crypt module. First, it's duplicate code. Second, it did not allow those who had plymouth installed to use other methods, like the new usb key file. When building the initram, it would install the plymouth cryptroot-ask script, and not the crypt module one. Added these new items to crypt module's cryptroot-ask.sh: - 'unset' for used variables - udevsettle The non-plymouth cryptsetup prompt was using $1 instead of $device. Changed prompt number from 1 to 5, as this is much nicer. I believe plymouth already does infinite prompts. Also added unset for usb key. Just saw it didn't unset its vars. 15 years ago			`udevsettle`

cryptroot-ask.sh: fix rd_LUKS_UUID handling 16 years ago			`exit 0`