crypt: add rd.luks.allow-discards and honor options in crypttab
also fixed the retry loop for rd.luks.keymaster
Harald Hoyer
parent
e04d02cc3a
commit
5ad3803dac
|
|
@ -191,6 +191,16 @@ crypto LUKS
|
||||||
LUKS UUID, so you don't have to specify the full UUID.
|
LUKS UUID, so you don't have to specify the full UUID.
|
||||||
This parameter can be specified multiple times.
|
This parameter can be specified multiple times.
|
||||||
|
|
||||||
|
**rd.luks.allow-discards=**_<luks uuid>_::
|
||||||
|
Allow using of discards (TRIM) requests for LUKS partitions with the given UUID.
|
||||||
|
Any "luks-" of the LUKS UUID is removed before comparing to _<luks uuid>_.
|
||||||
|
The comparisons also matches, if _<luks uuid>_ is only the beginning of the
|
||||||
|
LUKS UUID, so you don't have to specify the full UUID.
|
||||||
|
This parameter can be specified multiple times.
|
||||||
|
|
||||||
|
**rd.luks.allow-discards::
|
||||||
|
Allow using of discards (TRIM) requests on all LUKS partitions.
|
||||||
|
|
||||||
**rd.luks.crypttab=0**::
|
**rd.luks.crypttab=0**::
|
||||||
do not check, if LUKS partition is in _/etc/crypttab_
|
do not check, if LUKS partition is in _/etc/crypttab_
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -32,9 +32,12 @@ else
|
||||||
device="$1"
|
device="$1"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# number of tries
|
||||||
|
numtries=${3:-10}
|
||||||
|
|
||||||
# TODO: improve to support what cmdline does
|
# TODO: improve to support what cmdline does
|
||||||
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
|
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
|
||||||
while read name dev luksfile rest; do
|
while read name dev luksfile luksoptions; do
|
||||||
# ignore blank lines and comments
|
# ignore blank lines and comments
|
||||||
if [ -z "$name" -o "${name#\#}" != "$name" ]; then
|
if [ -z "$name" -o "${name#\#}" != "$name" ]; then
|
||||||
continue
|
continue
|
||||||
|
|
@ -57,17 +60,59 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done < /etc/crypttab
|
done < /etc/crypttab
|
||||||
unset name dev rest
|
unset name dev
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
# Open LUKS device
|
# Open LUKS device
|
||||||
#
|
#
|
||||||
|
|
||||||
info "luksOpen $device $luksname $luksfile"
|
info "luksOpen $device $luksname $luksfile $luksoptions"
|
||||||
|
|
||||||
|
OLD_IFS="$IFS"
|
||||||
|
IFS=,
|
||||||
|
set -- $luksoptions
|
||||||
|
IFS="$OLD_IFS"
|
||||||
|
|
||||||
|
while [ $# -gt 0 ]; do
|
||||||
|
case $1 in
|
||||||
|
noauto)
|
||||||
|
# skip this
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
swap)
|
||||||
|
# skip this
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
tmp)
|
||||||
|
# skip this
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
allow-discards)
|
||||||
|
allowdiscards="--allow-discards"
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
# parse for allow-discards
|
||||||
|
if strstr "$(cryptsetup --help)" "allow-discards"; then
|
||||||
|
if discarduuids=$(getargs "rd.luks.allow-discards"); then
|
||||||
|
if strstr " $discarduuids " " ${luksdev##luks-}"; then
|
||||||
|
allowdiscards="--allow-discards"
|
||||||
|
fi
|
||||||
|
elif getargbool rd.luks.allow-discards; then
|
||||||
|
allowdiscards="--allow-discards"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if strstr "$(cryptsetup --help)" "allow-discards"; then
|
||||||
|
cryptsetupopts="$cryptsetupopts $allowdiscards"
|
||||||
|
fi
|
||||||
|
|
||||||
|
unset allowdiscards
|
||||||
|
|
||||||
if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
|
if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
|
||||||
if cryptsetup --key-file "$luksfile" luksOpen "$device" "$luksname"; then
|
if cryptsetup --key-file "$luksfile" $cryptsetupopts luksOpen "$device" "$luksname"; then
|
||||||
ask_passphrase=0
|
ask_passphrase=0
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
|
@ -76,26 +121,22 @@ else
|
||||||
keydev="${tmp%%:*}"
|
keydev="${tmp%%:*}"
|
||||||
keypath="${tmp#*:}"
|
keypath="${tmp#*:}"
|
||||||
else
|
else
|
||||||
if [ $# -eq 3 ]; then
|
if [ $numtries -eq 0 ]; then
|
||||||
if [ $3 -eq 0 ]; then
|
warn "No key found for $device. Fallback to passphrase mode."
|
||||||
info "No key found for $device. Fallback to passphrase mode."
|
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
info "No key found for $device. Will try $3 time(s) more later."
|
sleep 1
|
||||||
set -- "$1" "$2" "$(($3 - 1))"
|
info "No key found for $device. Will try $numtries time(s) more later."
|
||||||
else
|
|
||||||
info "No key found for $device. Will try later."
|
|
||||||
fi
|
|
||||||
initqueue --unique --onetime --settled \
|
initqueue --unique --onetime --settled \
|
||||||
--name cryptroot-ask-$luksname \
|
--name cryptroot-ask-$luksname \
|
||||||
$(command -v cryptroot-ask) "$@"
|
$(command -v cryptroot-ask) "$device" "$luksname" "$(($numtries-1))"
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
unset tmp
|
unset tmp
|
||||||
|
|
||||||
info "Using '$keypath' on '$keydev'"
|
info "Using '$keypath' on '$keydev'"
|
||||||
readkey "$keypath" "$keydev" "$device" \
|
readkey "$keypath" "$keydev" "$device" \
|
||||||
| cryptsetup -d - luksOpen "$device" "$luksname"
|
| cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"
|
||||||
unset keypath keydev
|
unset keypath keydev
|
||||||
ask_passphrase=0
|
ask_passphrase=0
|
||||||
break
|
break
|
||||||
|
|
@ -103,7 +144,7 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $ask_passphrase -ne 0 ]; then
|
if [ $ask_passphrase -ne 0 ]; then
|
||||||
luks_open="$(command -v cryptsetup) luksOpen"
|
luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
|
||||||
ask_for_password --ply-tries 5 \
|
ask_for_password --ply-tries 5 \
|
||||||
--ply-cmd "$luks_open -T1 $device $luksname" \
|
--ply-cmd "$luks_open -T1 $device $luksname" \
|
||||||
--ply-prompt "Password ($device)" \
|
--ply-prompt "Password ($device)" \
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue