kernel
/
dracut
mirror of https://git.kernel.org/pub/scm/boot/dracut/dracut.git/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5790 Commits
1 Branch
68 Tags
6.7 MiB
Tree: 9a52c3fdb0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9a52c3fdb0'
${ noResults }
dracut/modules.d/90crypt/cryptroot-ask.sh

205 lines
5.3 KiB
Raw Normal View History Unescape

get crypt password with rules
15 years ago
#!/bin/sh
get rid of absolute PATHs
13 years ago
PATH=/usr/sbin:/usr/bin:/sbin:/bin
crypt/cryptroot-ask.sh: check and use NEWROOT
13 years ago
NEWROOT=${NEWROOT:-"/sysroot"}
get rid of absolute PATHs
13 years ago
bail out of cryptroot-ask, if we have already asked about the password
15 years ago
# do not ask, if we already have root
crypt/cryptroot-ask.sh: check and use NEWROOT
13 years ago
[ -f $NEWROOT/proc ] && exit 0
bail out of cryptroot-ask, if we have already asked about the password
15 years ago
crypt: Prevent asking for password multiple times if non-default crypt name is used. If a non-default device mapper name is used for an encrypted partion is used, (i.e. not luks-$UUID) due to parsing of /etc/crypttab, then the short-circuits put in place to prevent asking the password twice do not work. This would not normally be an issue as the settled job itself should be removed after it has run and thus cannot be run again. Sadly, due to the corresponding udev rule using ACTION="add|changed", and the fact that trying to unlock the device (whether successful or not) seems to trigger a changed event, it means the settled job is recreated with each itteration thus causing the whole loop to run again. It is this situation that the short-circuit exits would normally come into play but sadly do not work when non-standard names are used. By the time the /tmp/cryptroot-asked-$2 file is written near the end of the script, the value of $2 has already been lost due to the argument parsing code's use of 'shift'. So while on systems where the default name is used are protected by checking /dev/mapper/xxxx, the /tmp/cryptroot-asked-$2 file didn't help on systems where this was not used due to this bug. So this commit shuffles things around somewhat such that: 1. The /dev/mapper/xxxx device is checked *after* resolving $2 (which contains the default name) to whatever /etc/crypttab specifies. 2. The cryptroot-asked-xxxx file also uses the translated name both for the initial check and to flag when it's written. As a separate fix, it might make sense to change the udev rule to only act on add events rather than add|change events, but I'm not sure of the ramifications of such a change and there may be cases where the add event is missed and thus the change event needs to be included.
11 years ago
. /lib/dracut-lib.sh
luks key on ext dev - wait for luks This asks for the luks passphrase if key is not found for defined time (if defined with rd.luks.tout cmd line): modules.d/90crypt/cryptroot-ask.sh | 21 ++++++++++++++++++--- modules.d/90crypt/parse-crypt.sh | 5 +++-- 2 files changed, 21 insertions(+), 5 deletions(-)
13 years ago
cryptroot-ask: no warn if /run/cryptsetup exist In either case: - encrypted device is decrypted, udev will trigger device changes again, - multiple encrypted device, cryptroot-ask will run multiple time, then report: > mkdir: cannot create directory '/run/cryptsetup': File exists Pass `-p` into mkdir to ignore that warning.
4 years ago
mkdir -p -m 0700 /run/cryptsetup
crypt: create locking directory /run/cryptsetup For LUKS2 partitions cryptsetup needs a locking directory. If it does not exist, cryptsetup will create it, but produce a warning WARNING: Locking directory /run/cryptsetup is missing! in the process that we do not want to see in the dracut output.
5 years ago
cryptroot-ask.sh: fixed luks handling see https://bugzilla.redhat.com/show_bug.cgi?id=530898#c16
15 years ago
# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
device="$1"
fi
crypt: Prevent asking for password multiple times if non-default crypt name is used. If a non-default device mapper name is used for an encrypted partion is used, (i.e. not luks-$UUID) due to parsing of /etc/crypttab, then the short-circuits put in place to prevent asking the password twice do not work. This would not normally be an issue as the settled job itself should be removed after it has run and thus cannot be run again. Sadly, due to the corresponding udev rule using ACTION="add|changed", and the fact that trying to unlock the device (whether successful or not) seems to trigger a changed event, it means the settled job is recreated with each itteration thus causing the whole loop to run again. It is this situation that the short-circuit exits would normally come into play but sadly do not work when non-standard names are used. By the time the /tmp/cryptroot-asked-$2 file is written near the end of the script, the value of $2 has already been lost due to the argument parsing code's use of 'shift'. So while on systems where the default name is used are protected by checking /dev/mapper/xxxx, the /tmp/cryptroot-asked-$2 file didn't help on systems where this was not used due to this bug. So this commit shuffles things around somewhat such that: 1. The /dev/mapper/xxxx device is checked *after* resolving $2 (which contains the default name) to whatever /etc/crypttab specifies. 2. The cryptroot-asked-xxxx file also uses the translated name both for the initial check and to flag when it's written. As a separate fix, it might make sense to change the udev rule to only act on add events rather than add|change events, but I'm not sure of the ramifications of such a change and there may be cases where the add event is missed and thus the change event needs to be included.
11 years ago
# default luksname - luks-UUID
luksname=$2
90crypt: make `rd.luks.key` usable with encrypted keydev. Introduce prefix `keysource:` for the values of `rd.luks.partuuid`, `rd.luks.serial` and `rd.luks.uuid`. If specified, ask for passphrase instead of waiting for keydevs to come online.
4 years ago
# is_keysource - ask for passphrase even if a rd.luks.key argument is set
is_keysource=${3:-0}
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
# number of tries
90crypt: make `rd.luks.key` usable with encrypted keydev. Introduce prefix `keysource:` for the values of `rd.luks.partuuid`, `rd.luks.serial` and `rd.luks.uuid`. If specified, ask for passphrase instead of waiting for keydevs to come online.
4 years ago
numtries=${4:-10}
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
90crypt: probe for keydev asynchronously; changed kernel arg New kernel argument syntax for LUKS-keydev is introduced: rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]] Unfolding <key_dev> in BNF: <key_dev> ::= "UUID=" <uuid> | "LABEL=" <label> | <kname> Where <kname> matches following regular expression: ^/dev/.* <kname> need to be a character device and not a symlink for now. For every rd.luks.key argument udev rule is created. That rule runs test to check whether matching device contains <key_path>. If it does it's applied to matching <luks_dev>.
14 years ago
# TODO: improve to support what cmdline does
deprecate old command line options
12 years ago
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
change "while read x" to cope with EOF without newline while read x || [ -n "$x" ] should do the trick
10 years ago
while read name dev luksfile luksoptions || [ -n "$name" ]; do
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
# ignore blank lines and comments
if [ -z "$name" -o "${name#\#}" != "$name" ]; then
continue
fi
Add basic LUKS detached header support A LUKS root volume with a detached header on a device without partitioning will not have a UUID and will not have an attribute ENV{ID_FS_TYPE}=="crypto_LUKS". Therefore, several areas need to be addressed: identification of the LUKS device, inclusion of entries within crypttab, and provision of the detached header file. - Added support for an option (4th column: "force") in /etc/crypttab to force the inclusion of the entry in the initramfs version (avoiding the fs type test). - Added support for an option (4th column: "header=/path/to/file") in /etc/crypttab to provide a path to a detached header file embedded within the initramfs. - Added ID and PARTUUID support to the device (2nd column) in /etc/crypttab (complementing the existing UUID functionality). - Added cmdline support to indicate LUKS device ("rd.luks.serial=") that refers to the attribute ENV{ID_SERIAL_SHORT}. Tested successfully on Void Linux (x86_64 musl) (no systemd) with a LUKS root volume accessed with a keyfile and using a detached header. Not tested on systemd, or on a LUKS root volume with a passphrase rather than a keyfile.
7 years ago
# PARTUUID used in crypttab
if [ "${dev%%=*}" = "PARTUUID" ]; then
if [ "luks-${dev##PARTUUID=}" = "$luksname" ]; then
luksname="$name"
break
fi
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
# UUID used in crypttab
Add basic LUKS detached header support A LUKS root volume with a detached header on a device without partitioning will not have a UUID and will not have an attribute ENV{ID_FS_TYPE}=="crypto_LUKS". Therefore, several areas need to be addressed: identification of the LUKS device, inclusion of entries within crypttab, and provision of the detached header file. - Added support for an option (4th column: "force") in /etc/crypttab to force the inclusion of the entry in the initramfs version (avoiding the fs type test). - Added support for an option (4th column: "header=/path/to/file") in /etc/crypttab to provide a path to a detached header file embedded within the initramfs. - Added ID and PARTUUID support to the device (2nd column) in /etc/crypttab (complementing the existing UUID functionality). - Added cmdline support to indicate LUKS device ("rd.luks.serial=") that refers to the attribute ENV{ID_SERIAL_SHORT}. Tested successfully on Void Linux (x86_64 musl) (no systemd) with a LUKS root volume accessed with a keyfile and using a detached header. Not tested on systemd, or on a LUKS root volume with a passphrase rather than a keyfile.
7 years ago
elif [ "${dev%%=*}" = "UUID" ]; then
Cryptroot-ask.sh: Use variables consistently - Always use $luksname instead of sometimes $2 - define $asked_file instead of using the same path twice
10 years ago
if [ "luks-${dev##UUID=}" = "$luksname" ]; then
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
luksname="$name"
break
fi
removed trailing whitespaces
13 years ago
Add basic LUKS detached header support A LUKS root volume with a detached header on a device without partitioning will not have a UUID and will not have an attribute ENV{ID_FS_TYPE}=="crypto_LUKS". Therefore, several areas need to be addressed: identification of the LUKS device, inclusion of entries within crypttab, and provision of the detached header file. - Added support for an option (4th column: "force") in /etc/crypttab to force the inclusion of the entry in the initramfs version (avoiding the fs type test). - Added support for an option (4th column: "header=/path/to/file") in /etc/crypttab to provide a path to a detached header file embedded within the initramfs. - Added ID and PARTUUID support to the device (2nd column) in /etc/crypttab (complementing the existing UUID functionality). - Added cmdline support to indicate LUKS device ("rd.luks.serial=") that refers to the attribute ENV{ID_SERIAL_SHORT}. Tested successfully on Void Linux (x86_64 musl) (no systemd) with a LUKS root volume accessed with a keyfile and using a detached header. Not tested on systemd, or on a LUKS root volume with a passphrase rather than a keyfile.
7 years ago
# ID used in crypttab
elif [ "${dev%%=*}" = "ID" ]; then
if [ "luks-${dev##ID=}" = "$luksname" ]; then
luksname="$name"
break
fi
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
# path used in crypttab
else
cdev=$(readlink -f $dev)
mdev=$(readlink -f $device)
if [ "$cdev" = "$mdev" ]; then
luksname="$name"
break
fi
fi
crypt: install /etc/crypttab and honor crypttab entries
15 years ago
done < /etc/crypttab
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
unset name dev
crypt: install /etc/crypttab and honor crypttab entries
15 years ago
fi
crypt: Prevent asking for password multiple times if non-default crypt name is used. If a non-default device mapper name is used for an encrypted partion is used, (i.e. not luks-$UUID) due to parsing of /etc/crypttab, then the short-circuits put in place to prevent asking the password twice do not work. This would not normally be an issue as the settled job itself should be removed after it has run and thus cannot be run again. Sadly, due to the corresponding udev rule using ACTION="add|changed", and the fact that trying to unlock the device (whether successful or not) seems to trigger a changed event, it means the settled job is recreated with each itteration thus causing the whole loop to run again. It is this situation that the short-circuit exits would normally come into play but sadly do not work when non-standard names are used. By the time the /tmp/cryptroot-asked-$2 file is written near the end of the script, the value of $2 has already been lost due to the argument parsing code's use of 'shift'. So while on systems where the default name is used are protected by checking /dev/mapper/xxxx, the /tmp/cryptroot-asked-$2 file didn't help on systems where this was not used due to this bug. So this commit shuffles things around somewhat such that: 1. The /dev/mapper/xxxx device is checked *after* resolving $2 (which contains the default name) to whatever /etc/crypttab specifies. 2. The cryptroot-asked-xxxx file also uses the translated name both for the initial check and to flag when it's written. As a separate fix, it might make sense to change the udev rule to only act on add events rather than add|change events, but I'm not sure of the ramifications of such a change and there may be cases where the add event is missed and thus the change event needs to be included.
11 years ago
# check if destination already exists
[ -b /dev/mapper/$luksname ] && exit 0
# we already asked for this device
Cryptroot-ask.sh: Remove duplicate code Remove duplicate code introduced with commit 9b5e2e8574577cd4ec1e3645255060f749490537.
10 years ago
asked_file=/tmp/cryptroot-asked-$luksname
[ -f $asked_file ] && exit 0
crypt: Prevent asking for password multiple times if non-default crypt name is used. If a non-default device mapper name is used for an encrypted partion is used, (i.e. not luks-$UUID) due to parsing of /etc/crypttab, then the short-circuits put in place to prevent asking the password twice do not work. This would not normally be an issue as the settled job itself should be removed after it has run and thus cannot be run again. Sadly, due to the corresponding udev rule using ACTION="add|changed", and the fact that trying to unlock the device (whether successful or not) seems to trigger a changed event, it means the settled job is recreated with each itteration thus causing the whole loop to run again. It is this situation that the short-circuit exits would normally come into play but sadly do not work when non-standard names are used. By the time the /tmp/cryptroot-asked-$2 file is written near the end of the script, the value of $2 has already been lost due to the argument parsing code's use of 'shift'. So while on systems where the default name is used are protected by checking /dev/mapper/xxxx, the /tmp/cryptroot-asked-$2 file didn't help on systems where this was not used due to this bug. So this commit shuffles things around somewhat such that: 1. The /dev/mapper/xxxx device is checked *after* resolving $2 (which contains the default name) to whatever /etc/crypttab specifies. 2. The cryptroot-asked-xxxx file also uses the translated name both for the initial check and to flag when it's written. As a separate fix, it might make sense to change the udev rule to only act on add events rather than add|change events, but I'm not sure of the ramifications of such a change and there may be cases where the add event is missed and thus the change event needs to be included.
11 years ago
# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
. /lib/dracut-crypt-lib.sh
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
#
# Open LUKS device
#
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
info "luksOpen $device $luksname $luksfile $luksoptions"
OLD_IFS="$IFS"
IFS=,
set -- $luksoptions
IFS="$OLD_IFS"
while [ $# -gt 0 ]; do
case $1 in
noauto)
# skip this
exit 0
;;
swap)
# skip this
exit 0
;;
tmp)
# skip this
exit 0
;;
allow-discards)
allowdiscards="--allow-discards"
Add basic LUKS detached header support A LUKS root volume with a detached header on a device without partitioning will not have a UUID and will not have an attribute ENV{ID_FS_TYPE}=="crypto_LUKS". Therefore, several areas need to be addressed: identification of the LUKS device, inclusion of entries within crypttab, and provision of the detached header file. - Added support for an option (4th column: "force") in /etc/crypttab to force the inclusion of the entry in the initramfs version (avoiding the fs type test). - Added support for an option (4th column: "header=/path/to/file") in /etc/crypttab to provide a path to a detached header file embedded within the initramfs. - Added ID and PARTUUID support to the device (2nd column) in /etc/crypttab (complementing the existing UUID functionality). - Added cmdline support to indicate LUKS device ("rd.luks.serial=") that refers to the attribute ENV{ID_SERIAL_SHORT}. Tested successfully on Void Linux (x86_64 musl) (no systemd) with a LUKS root volume accessed with a keyfile and using a detached header. Not tested on systemd, or on a LUKS root volume with a passphrase rather than a keyfile.
7 years ago
;;
header=*)
cryptsetupopts="${cryptsetupopts} --${1}"
;;
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
esac
shift
done
# parse for allow-discards
if strstr "$(cryptsetup --help)" "allow-discards"; then
if discarduuids=$(getargs "rd.luks.allow-discards"); then
crypt/crypt-run-generator.sh: fixup last commit 065fc56ab27d8ea1aace72de54a6884bb558ea97
12 years ago
discarduuids=$(str_replace "$discarduuids" 'luks-' '')
if strstr " $discarduuids " " ${luksdev##luks-}"; then
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
allowdiscards="--allow-discards"
fi
crypt/crypt-run-generator.sh: fixup last commit 065fc56ab27d8ea1aace72de54a6884bb558ea97
12 years ago
elif getargbool 0 rd.luks.allow-discards; then
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
allowdiscards="--allow-discards"
fi
fi
if strstr "$(cryptsetup --help)" "allow-discards"; then
cryptsetupopts="$cryptsetupopts $allowdiscards"
fi
unset allowdiscards
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
crypt: Prevent asking for password multiple times if non-default crypt name is used. If a non-default device mapper name is used for an encrypted partion is used, (i.e. not luks-$UUID) due to parsing of /etc/crypttab, then the short-circuits put in place to prevent asking the password twice do not work. This would not normally be an issue as the settled job itself should be removed after it has run and thus cannot be run again. Sadly, due to the corresponding udev rule using ACTION="add|changed", and the fact that trying to unlock the device (whether successful or not) seems to trigger a changed event, it means the settled job is recreated with each itteration thus causing the whole loop to run again. It is this situation that the short-circuit exits would normally come into play but sadly do not work when non-standard names are used. By the time the /tmp/cryptroot-asked-$2 file is written near the end of the script, the value of $2 has already been lost due to the argument parsing code's use of 'shift'. So while on systems where the default name is used are protected by checking /dev/mapper/xxxx, the /tmp/cryptroot-asked-$2 file didn't help on systems where this was not used due to this bug. So this commit shuffles things around somewhat such that: 1. The /dev/mapper/xxxx device is checked *after* resolving $2 (which contains the default name) to whatever /etc/crypttab specifies. 2. The cryptroot-asked-xxxx file also uses the translated name both for the initial check and to flag when it's written. As a separate fix, it might make sense to change the udev rule to only act on add events rather than add|change events, but I'm not sure of the ramifications of such a change and there may be cases where the add event is missed and thus the change event needs to be included.
11 years ago
# fallback to passphrase
ask_passphrase=1
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
cryptroot-ask: unify /etc/crypttab and rd.luks.key dracut feeds whatever it receives in password field of crypttab(5) to `cryptsetup -d`, treating them as plain-text key file. Meanwhile, dracut treats the key file from `rd.luks.key` differently, by have some special rules to decrypt those key files that has extension of `gpg` and `img`. Let's begin to treat them the same. This is a backward-incompatible change for those people that uses plain-text key-file that has extension of `gpg` and `img`. However, those setup is questionable to begin with.
4 years ago
if readkey "$luksfile" / "$device" \
| cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"; then
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
ask_passphrase=0
fi
90crypt: make `rd.luks.key` usable with encrypted keydev. Introduce prefix `keysource:` for the values of `rd.luks.partuuid`, `rd.luks.serial` and `rd.luks.uuid`. If specified, ask for passphrase instead of waiting for keydevs to come online.
4 years ago
elif [ "$is_keysource" -ne 0 ]; then
info "Asking for passphrase because $device is a keysource."
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
else
while [ -n "$(getarg rd.luks.key)" ]; do
if tmp=$(getkey /tmp/luks.keys $device); then
keydev="${tmp%%:*}"
keypath="${tmp#*:}"
luks key on ext dev - wait for luks This asks for the luks passphrase if key is not found for defined time (if defined with rd.luks.tout cmd line): modules.d/90crypt/cryptroot-ask.sh | 21 ++++++++++++++++++--- modules.d/90crypt/parse-crypt.sh | 5 +++-- 2 files changed, 21 insertions(+), 5 deletions(-)
13 years ago
else
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
if [ $numtries -eq 0 ]; then
warn "No key found for $device. Fallback to passphrase mode."
break
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
fi
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
sleep 1
info "No key found for $device. Will try $numtries time(s) more later."
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
initqueue --unique --onetime --settled \
--name cryptroot-ask-$luksname \
style: shfmt reformat reproducible with: ``` $ shfmt_version=3.0.1 $ wget "https://github.com/mvdan/sh/releases/download/v${shfmt_version}/shfmt_v${shfmt_version}_linux_amd64" -O shfmt $ chmod u+x shfmt $ ./shfmt -w . ```
3 years ago
$(command -v cryptroot-ask) "$device" "$luksname" "$is_keysource" "$(($numtries - 1))"
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
exit 0
luks key on ext dev - wait for luks This asks for the luks passphrase if key is not found for defined time (if defined with rd.luks.tout cmd line): modules.d/90crypt/cryptroot-ask.sh | 21 ++++++++++++++++++--- modules.d/90crypt/parse-crypt.sh | 5 +++-- 2 files changed, 21 insertions(+), 5 deletions(-)
13 years ago
fi
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
unset tmp
info "Using '$keypath' on '$keydev'"
readkey "$keypath" "$keydev" "$device" \
ask for a password on readkey failure continue asking for a password if readkey for cryptsetup input failed, e.g. wrong password in the password file
5 years ago
| cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
&& ask_passphrase=0
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
unset keypath keydev
break
done
fi
luks key on ext dev - wait for luks This asks for the luks passphrase if key is not found for defined time (if defined with rd.luks.tout cmd line): modules.d/90crypt/cryptroot-ask.sh | 21 ++++++++++++++++++--- modules.d/90crypt/parse-crypt.sh | 5 +++-- 2 files changed, 21 insertions(+), 5 deletions(-)
13 years ago
if [ $ask_passphrase -ne 0 ]; then
crypt: add rd.luks.allow-discards and honor options in crypttab also fixed the retry loop for rd.luks.key
12 years ago
luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
Add timeout option to crypt module
6 years ago
_timeout=$(getargs "rd.luks.timeout")
_timeout=${_timeout:-0}
crypt: functions for ask-for-password and reading key Asking for password and reading key parts are moved to separate functions in crypt-lib.sh: ask_for_password and readkey.
13 years ago
ask_for_password --ply-tries 5 \
--ply-cmd "$luks_open -T1 $device $luksname" \
--ply-prompt "Password ($device)" \
--tty-tries 1 \
Add timeout option to crypt module
6 years ago
--tty-cmd "$luks_open -T5 -t $_timeout $device $luksname"
crypt: functions for ask-for-password and reading key Asking for password and reading key parts are moved to separate functions in crypt-lib.sh: ask_for_password and readkey.
13 years ago
unset luks_open
Add timeout option to crypt module
6 years ago
unset _timeout
90crypt: keys on external devices support 99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
14 years ago
fi
get crypt password with rules
15 years ago
90crypt: make `rd.luks.key` usable with encrypted keydev. Introduce prefix `keysource:` for the values of `rd.luks.partuuid`, `rd.luks.serial` and `rd.luks.uuid`. If specified, ask for passphrase instead of waiting for keydevs to come online.
4 years ago
if [ "$is_keysource" -ne 0 -a ${luksname##luks-} != "$luksname" ]; then
luks_close="$(command -v cryptsetup) close"
{
printf -- '[ -e /dev/mapper/%s ] && ' "$luksname"
printf -- '%s "%s"\n' "$luks_close" "$luksname"
} >> "$hookdir/cleanup/31-crypt-keysource.sh"
unset luks_close
fi
cryptroot-ask.sh: use key file, if specified in crypttab and present if a key file is specified in crypttab and present in the initramfs use it to open the device. https://bugzilla.redhat.com/show_bug.cgi?id=751640
13 years ago
unset device luksname luksfile
Merged cryptroot-ask.sh from plymouth to crypt module. First, it's duplicate code. Second, it did not allow those who had plymouth installed to use other methods, like the new usb key file. When building the initram, it would install the plymouth cryptroot-ask script, and not the crypt module one. Added these new items to crypt module's cryptroot-ask.sh: - 'unset' for used variables - udevsettle The non-plymouth cryptsetup prompt was using $1 instead of $device. Changed prompt number from 1 to 5, as this is much nicer. I believe plymouth already does infinite prompts. Also added unset for usb key. Just saw it didn't unset its vars.
14 years ago
bail out of cryptroot-ask, if we have already asked about the password
15 years ago
# mark device as asked
Cryptroot-ask.sh: Use variables consistently - Always use $luksname instead of sometimes $2 - define $asked_file instead of using the same path twice
10 years ago
>> $asked_file
bail out of cryptroot-ask, if we have already asked about the password
15 years ago
shutdown on demand Do not save and restore the initramfs, but instead, just unpack the default initramfs for shutdown on shutdown.
12 years ago
need_shutdown
Merged cryptroot-ask.sh from plymouth to crypt module. First, it's duplicate code. Second, it did not allow those who had plymouth installed to use other methods, like the new usb key file. When building the initram, it would install the plymouth cryptroot-ask script, and not the crypt module one. Added these new items to crypt module's cryptroot-ask.sh: - 'unset' for used variables - udevsettle The non-plymouth cryptsetup prompt was using $1 instead of $device. Changed prompt number from 1 to 5, as this is much nicer. I believe plymouth already does infinite prompts. Also added unset for usb key. Just saw it didn't unset its vars.
14 years ago
udevsettle
cryptroot-ask.sh: fix rd_LUKS_UUID handling
15 years ago
exit 0