diff --git a/modules.d/90crypt/.shchkdir b/modules.d/90crypt/.shchkdir new file mode 100644 index 00000000..e69de29b diff --git a/modules.d/90crypt/crypt-cleanup.sh b/modules.d/90crypt/crypt-cleanup.sh index ba74fedc..94fa7243 100755 --- a/modules.d/90crypt/crypt-cleanup.sh +++ b/modules.d/90crypt/crypt-cleanup.sh @@ -7,7 +7,7 @@ if ! getarg rd.luks.uuid -d rd_LUKS_UUID > /dev/null 2>&1 && getargbool 1 rd.luk while true; do local do_break="y" for i in /dev/mapper/luks-*; do - cryptsetup luksClose $i > /dev/null 2>&1 && do_break=n + cryptsetup luksClose "$i" > /dev/null 2>&1 && do_break=n done [ "$do_break" = "y" ] && break done diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index de39a93e..7a88643c 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -8,11 +8,11 @@ crypttab_contains() { local dev="$2" local l d rest if [ -f /etc/crypttab ]; then - while read l d rest || [ -n "$l" ]; do + while read -r l d rest || [ -n "$l" ]; do strstr "${l##luks-}" "${luks##luks-}" && return 0 strstr "$d" "${luks##luks-}" && return 0 if [ -n "$dev" ]; then - for _dev in $(devnames $d); do + for _dev in $(devnames "$d"); do [ "$dev" -ef "$_dev" ] && return 0 done fi @@ -21,7 +21,7 @@ crypttab_contains() { _line=$(sed -n "\,^$d .*$,{p}" /etc/block_uuid.map) [ -z "$_line" ] && continue # get second column with uuid - _uuid="$(echo $_line | sed 's,^.* \(.*$\),\1,')" + _uuid="$(echo "$_line" | sed 's,^.* \(.*$\),\1,')" strstr "$_uuid" "${luks##luks-}" && return 0 fi done < /etc/crypttab @@ -49,9 +49,6 @@ crypttab_contains() { # Turn off input echo before tty command is executed and turn on after. # It's useful when password is read from stdin. ask_for_password() { - local cmd - local prompt - local tries=3 local ply_cmd local ply_prompt local ply_tries=3 
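Review bot: When no `/dev/mapper/luks-*` device exists, the `for` loop still runs once with the literal pattern, so `cryptsetup luksClose` is invoked against a non-existent name and its failure is hidden by the redirection; adding `[ -e "$i" ] || continue` as the first line of the loop body avoids the spurious call. Quoting `$i` is correct. The `local do_break="y"` appears to sit at top level (the hunk context is an `if`, not a function), which presumably only works because cleanup hooks are sourced from inside a function; a one-line comment saying so would save the next reader a detour. The `if` block begins before this hunk.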
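Review bot: `_dev` is assigned in the `for` loop but is missing from the `local l d rest` declaration, so it leaks into the caller's scope after `crypttab_contains` returns; `local l d rest _dev _line _uuid` fixes that, and also covers `_line` and `_uuid` assigned in the next hunk of this function. The unquoted `$(devnames "$d")` is deliberate word-splitting over the helper's output and deserves a `# shellcheck disable=SC2046` comment like the ones added elsewhere in this commit. crypttab_contains begins before this hunk and the loop continues past it.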
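Review bot: The quoting fix on `$_line` leaves `$d` interpolated unescaped into the sed address `\,^$d .*$,{p}` on the line above it, so a crypttab device field containing `,` or a BRE metacharacter silently fails to match (or matches more than intended); reading block_uuid.map field by field and comparing with `[ "$_d" = "$d" ]` would avoid building a regex from data. The `echo "$_line" | sed ...` pipeline can be replaced by parameter expansion, `_uuid=${_line##* }`, which yields the same last field without two forks. The function begins before this hunk and the `while` loop continues past it.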
@@ -111,7 +108,7 @@ ask_for_password() { # Prompt for password with plymouth, if installed and running. if type plymouth > /dev/null 2>&1 && plymouth --ping 2> /dev/null; then plymouth ask-for-password \ - --prompt "$ply_prompt" --number-of-tries=$ply_tries \ + --prompt "$ply_prompt" --number-of-tries="$ply_tries" \ --command="$ply_cmd" ret=$? else @@ -121,16 +118,16 @@ ask_for_password() { fi local i=1 - while [ $i -le $tty_tries ]; do + while [ $i -le "$tty_tries" ]; do [ -n "$tty_prompt" ] \ - && printf "$tty_prompt [$i/$tty_tries]:" >&2 + && printf "%s" "$tty_prompt [$i/$tty_tries]:" >&2 eval "$tty_cmd" && ret=0 && break ret=$? i=$((i + 1)) [ -n "$tty_prompt" ] && printf '\n' >&2 done - [ "$tty_echo_off" = yes ] && stty $stty_orig + [ "$tty_echo_off" = yes ] && stty "$stty_orig" fi } 9> /.console_lock @@ -148,14 +145,14 @@ test_dev() { local dev="$2" local f="$3" local ret=1 - local mount_point=$(mkuniqdir /mnt testdev) - local path + local mount_point + mount_point=$(mkuniqdir /mnt testdev) [ -n "$dev" -a -n "$*" ] || return 1 [ -d "$mount_point" ] || die 'Mount point does not exist!' if mount -r "$dev" "$mount_point" > /dev/null 2>&1; then - test $test_op "${mount_point}/${f}" + test "$test_op" "${mount_point}/${f}" ret=$? umount "$mount_point" fi @@ -212,8 +209,7 @@ getkey() { [ -z "$keys_file" -o -z "$for_dev" ] && die 'getkey: wrong usage!' [ -f "$keys_file" ] || return 1 - local IFS=: - while read luks_dev key_dev key_path || [ -n "$luks_dev" ]; do + while IFS=: read -r luks_dev key_dev key_path _ || [ -n "$luks_dev" ]; do if match_dev "$luks_dev" "$for_dev"; then echo "${key_dev}:${key_path}" return 0 
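Review bot: Passing the prompt as a printf argument instead of as the format string is the right fix, but it is user-visible: a prompt value that relied on `%` or backslash escapes being interpreted is now printed literally, which should be stated in the commit message. Quoting `$stty_orig` is only safe if it holds the single token that `stty -g` emits; if it ever holds a human-readable settings list the restore call will now fail, so a comment at the assignment (outside this hunk) is worth adding. The `eval "$tty_cmd"` on the context line still evaluates a caller-built string, so the quoting in this hunk does not protect device or mapper names embedded in that command. ask_for_password begins before this hunk.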
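Review bot: `[ -n "$dev" -a -n "$*" ] || return 1` keeps the `-a` operator that shellcheck (SC2166) also flags; `[ -n "$dev" ] && [ -n "$*" ] || return 1` is equivalent and unambiguous. Quoting `$test_op` (presumably `$1`) also means an empty operator now reaches `test` as `""`, which changes the result compared with the old unquoted form (`test "" path` versus `test path`); if an empty operator is not a supported input, a `[ -n "$test_op" ] || return 1` guard makes that explicit. test_dev begins before this hunk.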
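Review bot: Adding the trailing `_` field to `read -r luks_dev key_dev key_path _` changes what `key_path` receives: previously it took the remainder of the line, so a key path containing `:` stayed intact, whereas now everything after the next `:` is discarded. If the luks.keys format guarantees exactly three fields this is harmless but should be said in the commit message; otherwise drop the `_` so the last variable keeps absorbing the rest. Moving `IFS=:` onto the `read` is a genuine improvement, since the old function-wide `local IFS=:` also applied inside any helper called from the loop, such as `match_dev`. getkey begins before this hunk and the loop continues past it.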
@@ -241,7 +237,8 @@ readkey() { # This creates a unique single mountpoint for *, or several for explicitly # given LUKS devices. It accomplishes unlocking multiple LUKS devices with # a single password entry. - local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')" + local mntp + mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')" if [ ! -d "$mntp" ]; then mkdir -p "$mntp" @@ -262,7 +259,7 @@ readkey() { if [ -f /lib/dracut-crypt-loop-lib.sh ]; then . /lib/dracut-crypt-loop-lib.sh loop_decrypt "$mntp" "$keypath" "$keydev" "$device" - printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > ${hookdir}/cleanup/"crypt-loop-cleanup-99-${mntp##*/}".sh + printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > "${hookdir}/cleanup/crypt-loop-cleanup-99-${mntp##*/}".sh return 0 else die "No loop file support to decrypt '$keypath' on '$keydev'." diff --git a/modules.d/90crypt/cryptroot-ask.sh b/modules.d/90crypt/cryptroot-ask.sh index 226b2e49..37a4deea 100755 --- a/modules.d/90crypt/cryptroot-ask.sh +++ b/modules.d/90crypt/cryptroot-ask.sh @@ -4,7 +4,7 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin NEWROOT=${NEWROOT:-"/sysroot"} # do not ask, if we already have root -[ -f $NEWROOT/proc ] && exit 0 +[ -f "$NEWROOT"/proc ] && exit 0 . /lib/dracut-lib.sh @@ -28,7 +28,7 @@ numtries=${4:-10} # TODO: improve to support what cmdline does if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then - while read name dev luksfile luksoptions || [ -n "$name" ]; do + while read -r name dev luksfile luksoptions || [ -n "$name" ]; do # ignore blank lines and comments if [ -z "$name" -o "${name#\#}" != "$name" ]; then continue @@ -57,8 +57,8 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t # path used in crypttab else - cdev=$(readlink -f $dev) - mdev=$(readlink -f $device) + cdev=$(readlink -f "$dev") + mdev=$(readlink -f "$device") if [ "$cdev" = "$mdev" ]; then luksname="$name" break 
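Review bot: The cleanup hook is generated by embedding `$mntp` inside double quotes in shell text, so a mount-point name containing `"`, `$` or a backquote would break or be re-interpreted when the hook runs. As far as the earlier hunk shows, `mntp` is derived from the key device and key path, which are boot configuration rather than arbitrary input, so this is acceptable, but a comment such as `# mntp is built from keydev/keypath and must stay free of shell metacharacters` records the assumption. The quoting of the redirection target is correct. readkey begins before this hunk.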
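Review bot: `[ -f "$NEWROOT"/proc ] && exit 0` tests for a regular file, but `proc` under a mounted root is a directory, so the "do not ask, if we already have root" early exit appears never to fire; if the intent is to detect a mounted root, `[ -d "$NEWROOT"/proc ] && exit 0` is needed. That is a behaviour change beyond the quoting fix, so confirm the intent with the module maintainers before changing it; at minimum a comment noting the latent mismatch would help.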
@@ -69,11 +69,11 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t fi # check if destination already exists -[ -b /dev/mapper/$luksname ] && exit 0 +[ -b /dev/mapper/"$luksname" ] && exit 0 # we already asked for this device asked_file=/tmp/cryptroot-asked-$luksname -[ -f $asked_file ] && exit 0 +[ -f "$asked_file" ] && exit 0 # load dm_crypt if it is not already loaded [ -d /sys/module/dm_crypt ] || modprobe dm_crypt @@ -88,6 +88,7 @@ info "luksOpen $device $luksname $luksfile $luksoptions" OLD_IFS="$IFS" IFS=, +# shellcheck disable=SC2086 set -- $luksoptions IFS="$OLD_IFS" 
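Review bot: The `# shellcheck disable=SC2086` before `set -- $luksoptions` silences the warning, but the split is still subject to pathname expansion: with `IFS=,` a field such as `*` or `?` is globbed against the current directory before it reaches the option loop. Wrapping the split as `set -f; set -- $luksoptions; set +f` keeps the comma-splitting while disabling globbing. The same applies to the `set -- ${luksoptions}` in install() of module-setup.sh in this commit.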
@@ -138,33 +139,33 @@ ask_passphrase=1 if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then if readkey "$luksfile" / "$device" \ - | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"; then + | cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname"; then ask_passphrase=0 fi elif [ "$is_keysource" -ne 0 ]; then info "Asking for passphrase because $device is a keysource." else while [ -n "$(getarg rd.luks.key)" ]; do - if tmp=$(getkey /tmp/luks.keys $device); then + if tmp=$(getkey /tmp/luks.keys "$device"); then keydev="${tmp%%:*}" keypath="${tmp#*:}" else - if [ $numtries -eq 0 ]; then + if [ "$numtries" -eq 0 ]; then warn "No key found for $device. Fallback to passphrase mode." break fi sleep 1 info "No key found for $device. Will try $numtries time(s) more later." initqueue --unique --onetime --settled \ - --name cryptroot-ask-$luksname \ - $(command -v cryptroot-ask) "$device" "$luksname" "$is_keysource" "$((numtries - 1))" + --name cryptroot-ask-"$luksname" \ + "$(command -v cryptroot-ask)" "$device" "$luksname" "$is_keysource" "$((numtries - 1))" exit 0 fi unset tmp info "Using '$keypath' on '$keydev'" readkey "$keypath" "$keydev" "$device" \ - | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \ + | cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname" \ && ask_passphrase=0 unset keypath keydev break @@ -184,7 +185,7 @@ if [ $ask_passphrase -ne 0 ]; then unset _timeout fi -if [ "$is_keysource" -ne 0 -a ${luksname##luks-} != "$luksname" ]; then +if [ "$is_keysource" -ne 0 -a "${luksname##luks-}" != "$luksname" ]; then luks_close="$(command -v cryptsetup) close" { printf -- '[ -e /dev/mapper/%s ] && ' "$luksname" @@ -196,7 +197,7 @@ fi unset device luksname luksfile # mark device as asked ->> $asked_file +: >> "$asked_file" need_shutdown udevsettle diff --git a/modules.d/90crypt/module-setup.sh b/modules.d/90crypt/module-setup.sh index 4ffeaf36..cc409fa8 100755 
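Review bot: Quoting `$cryptsetupopts` in the two `cryptsetup -d - "$cryptsetupopts" luksOpen` calls is a regression: as the name and the option loop above suggest, it holds zero or more space-separated cryptsetup options, so when it is empty cryptsetup now likely receives an empty-string argument in place of the action, and several options are passed as a single unknown one. Keep the expansion unquoted and mark it deliberate with `# shellcheck disable=SC2086` on the line before each call, as this commit already does for `set -- $luksoptions`. The other quoting changes in this hunk are fine.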
--- a/modules.d/90crypt/module-setup.sh +++ b/modules.d/90crypt/module-setup.sh @@ -2,9 +2,9 @@ # called by dracut check() { - local _rootdev + local fs # if cryptsetup is not installed, then we cannot support encrypted devices. - require_any_binary $systemdutildir/systemd-cryptsetup cryptsetup || return 1 + require_any_binary "$systemdutildir"/systemd-cryptsetup cryptsetup || return 1 [[ $hostonly ]] || [[ $mount_needs ]] && { for fs in "${host_fs_types[@]}"; do @@ -33,20 +33,18 @@ installkernel() { [[ $hostonly ]] || [[ $mount_needs ]] && { # dmsetup returns s.th. like # cryptvol: 0 2064384 crypt aes-xts-plain64 :64:logon:cryptsetup:.... - dmsetup table | while read name _ _ is_crypt cipher _; do - [[ $is_crypt != "crypt" ]] && continue + dmsetup table | while read -r name _ _ is_crypt cipher _; do + [[ $is_crypt == "crypt" ]] || continue # get the device name - name=/dev/$(dmsetup info -c --noheadings -o blkdevname ${name%:}) - # check if the device exists as a key in our host_fs_types + name=/dev/$(dmsetup info -c --noheadings -o blkdevname "${name%:}") + # check if the device exists as a key in our host_fs_types (even with null string) + # shellcheck disable=SC2030 # this is a shellcheck bug if [[ ${host_fs_types[$name]+_} ]]; then # split the cipher aes-xts-plain64 in pieces - _OLD_IFS=$IFS - IFS='-:' - set -- $cipher - IFS=$_OLD_IFS + IFS='-:' read -ra mods <<< "$cipher" # try to load the cipher part with "crypto-" prepended # in non-hostonly mode - hostonly= instmods $(for k in "$@"; do echo "crypto-$k"; done) + hostonly='' instmods "${mods[@]/#/crypto-}" "crypto-$cipher" fi done } @@ -60,9 +58,9 @@ cmdline() { [[ ${host_fs_types[$dev]} != "crypto_LUKS" ]] && continue UUID=$( - blkid -u crypto -o export $dev \ - | while read line || [ -n "$line" ]; do - [[ ${line#UUID} == $line ]] && continue + blkid -u crypto -o export "$dev" \ + | while read -r line || [ -n "$line" ]; do + [[ ${line#UUID} == "$line" ]] && continue printf "%s" "${line#UUID=}" break done 
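Review bot: `hostonly='' instmods "${mods[@]/#/crypto-}" "crypto-$cipher"` passes one argument the old code did not: the whole cipher string with `crypto-` prepended (for example `crypto-aes-xts-plain64`), in addition to the per-component names. If that is intended to pull in a combined-cipher module it deserves a comment; if it is a leftover it should go, since it changes which modules are requested. The `IFS='-:' read -ra mods <<< "$cipher"` rewrite is equivalent to the old `set --` split for the visible case, but the loop still runs in a pipeline subshell, so nothing assigned inside it (`name`, `mods`) survives past `done`; if that is fine, saying so in a comment is clearer than calling the SC2030 warning a shellcheck bug. installkernel begins before this hunk.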
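Review bot: `[[ ${line#UUID} == "$line" ]] && continue` skips only lines that do not begin with `UUID`, so any key starting with those letters (`UUID_SUB=`, if blkid emits it) passes the check and then has `${line#UUID=}` applied to it unchanged, producing a wrong value. A glob test on the full key, `[[ $line == UUID=* ]] || continue`, is both stricter and easier to read. Quoting the right-hand side of `==` is correct here, since the old unquoted form treated `$line` as a pattern. cmdline() begins before this hunk and the pipeline continues past it.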
@@ -76,7 +74,8 @@ cmdline() { install() { if [[ $hostonly_cmdline == "yes" ]]; then - local _cryptconf=$(cmdline) + local _cryptconf + _cryptconf=$(cmdline) [[ $_cryptconf ]] && printf "%s\n" "$_cryptconf" >> "${initdir}/etc/cmdline.d/90crypt.conf" fi @@ -91,7 +90,7 @@ install() { if [[ $hostonly ]] && [[ -f $dracutsysrootdir/etc/crypttab ]]; then # filter /etc/crypttab for the devices we need - while read _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do + while read -r _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do [[ $_mapper == \#* ]] && continue [[ $_dev ]] || continue @@ -104,12 +103,13 @@ install() { [[ $_dev == ID=* ]] \ && _dev="/dev/disk/by-id/${_dev#ID=}" - echo "$_dev $(blkid $_dev -s UUID -o value)" >> "${initdir}/etc/block_uuid.map" + echo "$_dev $(blkid "$_dev" -s UUID -o value)" >> "${initdir}/etc/block_uuid.map" # loop through the options to check for the force option luksoptions=${_luksoptions} OLD_IFS="${IFS}" IFS=, + # shellcheck disable=SC2086 set -- ${luksoptions} IFS="${OLD_IFS}" 
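Review bot: `echo "$_dev $(blkid "$_dev" -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"` writes a line with an empty second column when blkid fails or prints nothing, and that half entry is still matched by the sed lookup in crypt-lib.sh at boot. Checking the substitution first and using printf for data, `_uuid=$(blkid "$_dev" -s UUID -o value) && printf '%s %s\n' "$_dev" "$_uuid" >> "${initdir}/etc/block_uuid.map"`, avoids both problems. install() begins before this hunk and continues past it.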
@@ -147,14 +147,14 @@ install() { # the cryptsetup targets are already pulled in by 00systemd, but not # the enablement symlinks inst_multiple -o \ - $systemdutildir/system-generators/systemd-cryptsetup-generator \ - $systemdutildir/systemd-cryptsetup \ - $systemdsystemunitdir/systemd-ask-password-console.path \ - $systemdsystemunitdir/systemd-ask-password-console.service \ - $systemdsystemunitdir/cryptsetup.target \ - $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \ - $systemdsystemunitdir/remote-cryptsetup.target \ - $systemdsystemunitdir/initrd-root-device.target.wants/remote-cryptsetup.target \ + "$systemdutildir"/system-generators/systemd-cryptsetup-generator \ + "$systemdutildir"/systemd-cryptsetup \ + "$systemdsystemunitdir"/systemd-ask-password-console.path \ + "$systemdsystemunitdir"/systemd-ask-password-console.service \ + "$systemdsystemunitdir"/cryptsetup.target \ + "$systemdsystemunitdir"/sysinit.target.wants/cryptsetup.target \ + "$systemdsystemunitdir"/remote-cryptsetup.target \ + "$systemdsystemunitdir"/initrd-root-device.target.wants/remote-cryptsetup.target \ systemd-ask-password systemd-tty-ask-password-agent fi diff --git a/modules.d/90crypt/parse-crypt.sh b/modules.d/90crypt/parse-crypt.sh index 56a19835..ebd15211 100755 --- a/modules.d/90crypt/parse-crypt.sh +++ b/modules.d/90crypt/parse-crypt.sh @@ -48,7 +48,7 @@ else is_keysource=0 _uuid=$uuid uuid=${uuid#keysource:} - [ $uuid != $_uuid ] && is_keysource=1 + [ "$uuid" != "$_uuid" ] && is_keysource=1 unset _uuid uuid=${uuid##luks-} 
@@ -63,10 +63,12 @@ else printf -- 'ENV{ID_PART_ENTRY_UUID}=="*%s*", ' "$uuid" printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)" printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)" - printf -- '$env{DEVNAME} %s %s"\n' "$luksname" "$is_keysource" "$tout" + # shellcheck disable=SC2016 + printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout" } >> /etc/udev/rules.d/70-luks.rules.new else luksname=$(dev_unit_name "$luksname") + # shellcheck disable=SC1003 luksname="$(str_replace "$luksname" '\' '\\')" if ! crypttab_contains "$uuid"; then @@ -86,7 +88,7 @@ else is_keysource=0 _serialid=$serialid serialid=${serialid#keysource:} - [ $serialid != $_serialid ] && is_keysource=1 + [ "$serialid" != "$_serialid" ] && is_keysource=1 unset _serialid serialid=${serialid##luks-} @@ -101,10 +103,12 @@ else printf -- 'ENV{ID_SERIAL_SHORT}=="*%s*", ' "$serialid" printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)" printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)" - printf -- '$env{DEVNAME} %s %s"\n' "$luksname" "$is_keysource" "$tout" + # shellcheck disable=SC2016 + printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout" } >> /etc/udev/rules.d/70-luks.rules.new else luksname=$(dev_unit_name "$luksname") + # shellcheck disable=SC1003 luksname="$(str_replace "$luksname" '\' '\\')" if ! crypttab_contains "$serialid"; then @@ -124,7 +128,7 @@ else is_keysource=0 _luksid=$luksid luksid=${luksid#keysource:} - [ $luksid != $_luksid ] && is_keysource=1 + [ "$luksid" != "$_luksid" ] && is_keysource=1 unset _luksid luksid=${luksid##luks-} 
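Review bot: Adding the third `%s` to `printf -- '$env{DEVNAME} %s %s %s"\n'` is a functional fix, not just a shellcheck change: with two conversions and three arguments, printf reuses the format for the leftover `$tout`, so the generated 70-luks.rules likely got a second, malformed `$env{DEVNAME} <timeout> "` line after each rule. That deserves a sentence in the commit description; the same fix is made in the `ID_SERIAL_SHORT` hunk further down, while the `ID_FS_UUID` branch already had three conversions. The SC2016 disables are appropriate since `$env{DEVNAME}` is meant for udev, not the shell. The enclosing `else` branch begins before this hunk.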
@@ -140,10 +144,12 @@ else printf -- 'ENV{ID_FS_UUID}=="*%s*", ' "$luksid" printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)" printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)" + # shellcheck disable=SC2016 printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout" } >> /etc/udev/rules.d/70-luks.rules.new else luksname=$(dev_unit_name "$luksname") + # shellcheck disable=SC1003 luksname="$(str_replace "$luksname" '\' '\\')" if ! crypttab_contains "$luksid"; then @@ -160,11 +166,11 @@ else if [ $is_keysource -eq 0 ]; then uuid=$luksid while [ "$uuid" != "${uuid#*-}" ]; do uuid=${uuid%%-*}${uuid#*-}; done - printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' $uuid \ + printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' "$uuid" \ >> "$hookdir/initqueue/finished/90-crypt.sh" { - printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' $luksid - printf -- 'warn "crypto LUKS UUID "%s" not found"\n' $luksid + printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' "$luksid" + printf -- 'warn "crypto LUKS UUID "%s" not found"\n' "$luksid" } >> "$hookdir/emergency/90-crypt.sh" fi done @@ -173,12 +179,14 @@ else { printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)" printf -- '--unique --settled --onetime --name cryptroot-ask-%%k ' + # shellcheck disable=SC2016 printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' "$(command -v cryptroot-ask)" "$tout" } >> /etc/udev/rules.d/70-luks.rules.new else { printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)" printf -- '--unique --settled --onetime --name crypt-run-generator-%%k ' + # shellcheck disable=SC2016 printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID}"\n' "$(command -v crypt-run-generator)" } >> /etc/udev/rules.d/70-luks.rules.new fi diff --git a/modules.d/90crypt/parse-keydev.sh b/modules.d/90crypt/parse-keydev.sh index add49b2a..467d8928 100755 --- a/modules.d/90crypt/parse-keydev.sh 
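Review bot: The generated emergency-hook line `warn "crypto LUKS UUID "%s" not found"` nests double quotes, so in the written script the UUID sits outside any quoting and pattern characters in it would be glob-expanded when the hook runs; escaping the inner pair, `printf -- 'warn "crypto LUKS UUID \"%s\" not found"\n' "$luksid"`, keeps it inside the string. `$luksid` appears to come from the parsed command line, so this is a robustness rather than an exposure issue, but quoting the printf arguments is only half of the fix. `[ $is_keysource -eq 0 ]` on the first context line is still unquoted. The loop this sits in begins before the hunk.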
+++ b/modules.d/90crypt/parse-keydev.sh @@ -31,10 +31,10 @@ if getargbool 1 rd.luks -n rd_NO_LUKS \ fi { - printf -- 'RUN+="%s --unique --onetime ' $(command -v initqueue) + printf -- 'RUN+="%s --unique --onetime ' "$(command -v initqueue)" printf -- '--name probe-keydev-%%k ' printf -- '%s /dev/%%k %s %s"\n' \ - $(command -v probe-keydev) "${keypath}" "${luksdev}" + "$(command -v probe-keydev)" "${keypath}" "${luksdev}" } >&7 done unset arg keypath keydev luksdev