kernel
/
dracut
mirror of https://git.kernel.org/pub/scm/boot/dracut/dracut.git/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix(crypt): shellcheck for modules.d/90crypt

master
Harald Hoyer 4 years ago committed by Harald Hoyer
parent
e25c536c70
commit
682b297207
7 changed files with 73 additions and 67 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 0
      modules.d/90crypt/.shchkdir
  2. 2
      modules.d/90crypt/crypt-cleanup.sh
  3. 31
      modules.d/90crypt/crypt-lib.sh
  4. 29
      modules.d/90crypt/cryptroot-ask.sh
  5. 50
      modules.d/90crypt/module-setup.sh
  6. 24
      modules.d/90crypt/parse-crypt.sh
  7. 4
      modules.d/90crypt/parse-keydev.sh

0
modules.d/90crypt/.shchkdir
Unescape View File

2
modules.d/90crypt/crypt-cleanup.sh
Unescape View File

@ -7,7 +7,7 @@ if ! getarg rd.luks.uuid -d rd_LUKS_UUID > /dev/null 2>&1 && getargbool 1 rd.luk @@ -7,7 +7,7 @@ if ! getarg rd.luks.uuid -d rd_LUKS_UUID > /dev/null 2>&1 && getargbool 1 rd.luk
while true; do
local do_break="y"
for i in /dev/mapper/luks-*; do
cryptsetup luksClose $i > /dev/null 2>&1 && do_break=n
cryptsetup luksClose "$i" > /dev/null 2>&1 && do_break=n
done
[ "$do_break" = "y" ] && break
done

31
modules.d/90crypt/crypt-lib.sh
Unescape View File

@ -8,11 +8,11 @@ crypttab_contains() { @@ -8,11 +8,11 @@ crypttab_contains() {
local dev="$2"
local l d rest
if [ -f /etc/crypttab ]; then
while read l d rest || [ -n "$l" ]; do
while read -r l d rest || [ -n "$l" ]; do
strstr "${l##luks-}" "${luks##luks-}" && return 0
strstr "$d" "${luks##luks-}" && return 0
if [ -n "$dev" ]; then
for _dev in $(devnames $d); do
for _dev in $(devnames "$d"); do
[ "$dev" -ef "$_dev" ] && return 0
done
fi
@ -21,7 +21,7 @@ crypttab_contains() { @@ -21,7 +21,7 @@ crypttab_contains() {
_line=$(sed -n "\,^$d .*$,{p}" /etc/block_uuid.map)
[ -z "$_line" ] && continue
# get second column with uuid
_uuid="$(echo $_line | sed 's,^.* \(.*$\),\1,')"
_uuid="$(echo "$_line" | sed 's,^.* \(.*$\),\1,')"
strstr "$_uuid" "${luks##luks-}" && return 0
fi
done < /etc/crypttab
@ -49,9 +49,6 @@ crypttab_contains() { @@ -49,9 +49,6 @@ crypttab_contains() {
# Turn off input echo before tty command is executed and turn on after.
# It's useful when password is read from stdin.
ask_for_password() {
local cmd
local prompt
local tries=3
local ply_cmd
local ply_prompt
local ply_tries=3
@ -111,7 +108,7 @@ ask_for_password() { @@ -111,7 +108,7 @@ ask_for_password() {
# Prompt for password with plymouth, if installed and running.
if type plymouth > /dev/null 2>&1 && plymouth --ping 2> /dev/null; then
plymouth ask-for-password \
--prompt "$ply_prompt" --number-of-tries=$ply_tries \
--prompt "$ply_prompt" --number-of-tries="$ply_tries" \
--command="$ply_cmd"
ret=$?
else
@ -121,16 +118,16 @@ ask_for_password() { @@ -121,16 +118,16 @@ ask_for_password() {
fi

local i=1
while [ $i -le $tty_tries ]; do
while [ $i -le "$tty_tries" ]; do
[ -n "$tty_prompt" ] \
&& printf "$tty_prompt [$i/$tty_tries]:" >&2
&& printf "%s" "$tty_prompt [$i/$tty_tries]:" >&2
eval "$tty_cmd" && ret=0 && break
ret=$?
i=$((i + 1))
[ -n "$tty_prompt" ] && printf '\n' >&2
done

[ "$tty_echo_off" = yes ] && stty $stty_orig
[ "$tty_echo_off" = yes ] && stty "$stty_orig"
fi
} 9> /.console_lock

@ -148,14 +145,14 @@ test_dev() { @@ -148,14 +145,14 @@ test_dev() {
local dev="$2"
local f="$3"
local ret=1
local mount_point=$(mkuniqdir /mnt testdev)
local path
local mount_point

mount_point=$(mkuniqdir /mnt testdev)
[ -n "$dev" -a -n "$*" ] || return 1
[ -d "$mount_point" ] || die 'Mount point does not exist!'

if mount -r "$dev" "$mount_point" > /dev/null 2>&1; then
test $test_op "${mount_point}/${f}"
test "$test_op" "${mount_point}/${f}"
ret=$?
umount "$mount_point"
fi
@ -212,8 +209,7 @@ getkey() { @@ -212,8 +209,7 @@ getkey() {
[ -z "$keys_file" -o -z "$for_dev" ] && die 'getkey: wrong usage!'
[ -f "$keys_file" ] || return 1

local IFS=:
while read luks_dev key_dev key_path || [ -n "$luks_dev" ]; do
while IFS=: read -r luks_dev key_dev key_path _ || [ -n "$luks_dev" ]; do
if match_dev "$luks_dev" "$for_dev"; then
echo "${key_dev}:${key_path}"
return 0
@ -241,7 +237,8 @@ readkey() { @@ -241,7 +237,8 @@ readkey() {
# This creates a unique single mountpoint for *, or several for explicitly
# given LUKS devices. It accomplishes unlocking multiple LUKS devices with
# a single password entry.
local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
local mntp
mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"

if [ ! -d "$mntp" ]; then
mkdir -p "$mntp"
@ -262,7 +259,7 @@ readkey() { @@ -262,7 +259,7 @@ readkey() {
if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
. /lib/dracut-crypt-loop-lib.sh
loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > ${hookdir}/cleanup/"crypt-loop-cleanup-99-${mntp##*/}".sh
printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > "${hookdir}/cleanup/crypt-loop-cleanup-99-${mntp##*/}".sh
return 0
else
die "No loop file support to decrypt '$keypath' on '$keydev'."

29
modules.d/90crypt/cryptroot-ask.sh
Unescape View File

@ -4,7 +4,7 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin @@ -4,7 +4,7 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin
NEWROOT=${NEWROOT:-"/sysroot"}

# do not ask, if we already have root
[ -f $NEWROOT/proc ] && exit 0
[ -f "$NEWROOT"/proc ] && exit 0

. /lib/dracut-lib.sh

@ -28,7 +28,7 @@ numtries=${4:-10} @@ -28,7 +28,7 @@ numtries=${4:-10}

# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
while read name dev luksfile luksoptions || [ -n "$name" ]; do
while read -r name dev luksfile luksoptions || [ -n "$name" ]; do
# ignore blank lines and comments
if [ -z "$name" -o "${name#\#}" != "$name" ]; then
continue
@ -57,8 +57,8 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t @@ -57,8 +57,8 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t

# path used in crypttab
else
cdev=$(readlink -f $dev)
mdev=$(readlink -f $device)
cdev=$(readlink -f "$dev")
mdev=$(readlink -f "$device")
if [ "$cdev" = "$mdev" ]; then
luksname="$name"
break
@ -69,11 +69,11 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t @@ -69,11 +69,11 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t
fi

# check if destination already exists
[ -b /dev/mapper/$luksname ] && exit 0
[ -b /dev/mapper/"$luksname" ] && exit 0

# we already asked for this device
asked_file=/tmp/cryptroot-asked-$luksname
[ -f $asked_file ] && exit 0
[ -f "$asked_file" ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
@ -88,6 +88,7 @@ info "luksOpen $device $luksname $luksfile $luksoptions" @@ -88,6 +88,7 @@ info "luksOpen $device $luksname $luksfile $luksoptions"

OLD_IFS="$IFS"
IFS=,
# shellcheck disable=SC2086
set -- $luksoptions
IFS="$OLD_IFS"

@ -138,33 +139,33 @@ ask_passphrase=1 @@ -138,33 +139,33 @@ ask_passphrase=1

if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
if readkey "$luksfile" / "$device" \
| cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"; then
| cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname"; then
ask_passphrase=0
fi
elif [ "$is_keysource" -ne 0 ]; then
info "Asking for passphrase because $device is a keysource."
else
while [ -n "$(getarg rd.luks.key)" ]; do
if tmp=$(getkey /tmp/luks.keys $device); then
if tmp=$(getkey /tmp/luks.keys "$device"); then
keydev="${tmp%%:*}"
keypath="${tmp#*:}"
else
if [ $numtries -eq 0 ]; then
if [ "$numtries" -eq 0 ]; then
warn "No key found for $device. Fallback to passphrase mode."
break
fi
sleep 1
info "No key found for $device. Will try $numtries time(s) more later."
initqueue --unique --onetime --settled \
--name cryptroot-ask-$luksname \
$(command -v cryptroot-ask) "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
--name cryptroot-ask-"$luksname" \
"$(command -v cryptroot-ask)" "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
exit 0
fi
unset tmp

info "Using '$keypath' on '$keydev'"
readkey "$keypath" "$keydev" "$device" \
| cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
| cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname" \
&& ask_passphrase=0
unset keypath keydev
break
@ -184,7 +185,7 @@ if [ $ask_passphrase -ne 0 ]; then @@ -184,7 +185,7 @@ if [ $ask_passphrase -ne 0 ]; then
unset _timeout
fi

if [ "$is_keysource" -ne 0 -a ${luksname##luks-} != "$luksname" ]; then
if [ "$is_keysource" -ne 0 -a "${luksname##luks-}" != "$luksname" ]; then
luks_close="$(command -v cryptsetup) close"
{
printf -- '[ -e /dev/mapper/%s ] && ' "$luksname"
@ -196,7 +197,7 @@ fi @@ -196,7 +197,7 @@ fi
unset device luksname luksfile

# mark device as asked
>> $asked_file
: >> "$asked_file"

need_shutdown
udevsettle

50
modules.d/90crypt/module-setup.sh
Unescape View File

@ -2,9 +2,9 @@ @@ -2,9 +2,9 @@

# called by dracut
check() {
local _rootdev
local fs
# if cryptsetup is not installed, then we cannot support encrypted devices.
require_any_binary $systemdutildir/systemd-cryptsetup cryptsetup || return 1
require_any_binary "$systemdutildir"/systemd-cryptsetup cryptsetup || return 1

[[ $hostonly ]] || [[ $mount_needs ]] && {
for fs in "${host_fs_types[@]}"; do
@ -33,20 +33,18 @@ installkernel() { @@ -33,20 +33,18 @@ installkernel() {
[[ $hostonly ]] || [[ $mount_needs ]] && {
# dmsetup returns s.th. like
# cryptvol: 0 2064384 crypt aes-xts-plain64 :64:logon:cryptsetup:....
dmsetup table | while read name _ _ is_crypt cipher _; do
[[ $is_crypt != "crypt" ]] && continue
dmsetup table | while read -r name _ _ is_crypt cipher _; do
[[ $is_crypt == "crypt" ]] || continue
# get the device name
name=/dev/$(dmsetup info -c --noheadings -o blkdevname ${name%:})
# check if the device exists as a key in our host_fs_types
name=/dev/$(dmsetup info -c --noheadings -o blkdevname "${name%:}")
# check if the device exists as a key in our host_fs_types (even with null string)
# shellcheck disable=SC2030 # this is a shellcheck bug
if [[ ${host_fs_types[$name]+_} ]]; then
# split the cipher aes-xts-plain64 in pieces
_OLD_IFS=$IFS
IFS='-:'
set -- $cipher
IFS=$_OLD_IFS
IFS='-:' read -ra mods <<< "$cipher"
# try to load the cipher part with "crypto-" prepended
# in non-hostonly mode
hostonly= instmods $(for k in "$@"; do echo "crypto-$k"; done)
hostonly='' instmods "${mods[@]/#/crypto-}" "crypto-$cipher"
fi
done
}
@ -60,9 +58,9 @@ cmdline() { @@ -60,9 +58,9 @@ cmdline() {
[[ ${host_fs_types[$dev]} != "crypto_LUKS" ]] && continue

UUID=$(
blkid -u crypto -o export $dev \
| while read line || [ -n "$line" ]; do
[[ ${line#UUID} == $line ]] && continue
blkid -u crypto -o export "$dev" \
| while read -r line || [ -n "$line" ]; do
[[ ${line#UUID} == "$line" ]] && continue
printf "%s" "${line#UUID=}"
break
done
@ -76,7 +74,8 @@ cmdline() { @@ -76,7 +74,8 @@ cmdline() {
install() {

if [[ $hostonly_cmdline == "yes" ]]; then
local _cryptconf=$(cmdline)
local _cryptconf
_cryptconf=$(cmdline)
[[ $_cryptconf ]] && printf "%s\n" "$_cryptconf" >> "${initdir}/etc/cmdline.d/90crypt.conf"
fi

@ -91,7 +90,7 @@ install() { @@ -91,7 +90,7 @@ install() {

if [[ $hostonly ]] && [[ -f $dracutsysrootdir/etc/crypttab ]]; then
# filter /etc/crypttab for the devices we need
while read _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do
while read -r _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do
[[ $_mapper == \#* ]] && continue
[[ $_dev ]] || continue

@ -104,12 +103,13 @@ install() { @@ -104,12 +103,13 @@ install() {
[[ $_dev == ID=* ]] \
&& _dev="/dev/disk/by-id/${_dev#ID=}"

echo "$_dev $(blkid $_dev -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"
echo "$_dev $(blkid "$_dev" -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"

# loop through the options to check for the force option
luksoptions=${_luksoptions}
OLD_IFS="${IFS}"
IFS=,
# shellcheck disable=SC2086
set -- ${luksoptions}
IFS="${OLD_IFS}"

@ -147,14 +147,14 @@ install() { @@ -147,14 +147,14 @@ install() {
# the cryptsetup targets are already pulled in by 00systemd, but not
# the enablement symlinks
inst_multiple -o \
$systemdutildir/system-generators/systemd-cryptsetup-generator \
$systemdutildir/systemd-cryptsetup \
$systemdsystemunitdir/systemd-ask-password-console.path \
$systemdsystemunitdir/systemd-ask-password-console.service \
$systemdsystemunitdir/cryptsetup.target \
$systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
$systemdsystemunitdir/remote-cryptsetup.target \
$systemdsystemunitdir/initrd-root-device.target.wants/remote-cryptsetup.target \
"$systemdutildir"/system-generators/systemd-cryptsetup-generator \
"$systemdutildir"/systemd-cryptsetup \
"$systemdsystemunitdir"/systemd-ask-password-console.path \
"$systemdsystemunitdir"/systemd-ask-password-console.service \
"$systemdsystemunitdir"/cryptsetup.target \
"$systemdsystemunitdir"/sysinit.target.wants/cryptsetup.target \
"$systemdsystemunitdir"/remote-cryptsetup.target \
"$systemdsystemunitdir"/initrd-root-device.target.wants/remote-cryptsetup.target \
systemd-ask-password systemd-tty-ask-password-agent
fi


24
modules.d/90crypt/parse-crypt.sh
Unescape View File

@ -48,7 +48,7 @@ else @@ -48,7 +48,7 @@ else
is_keysource=0
_uuid=$uuid
uuid=${uuid#keysource:}
[ $uuid != $_uuid ] && is_keysource=1
[ "$uuid" != "$_uuid" ] && is_keysource=1
unset _uuid

uuid=${uuid##luks-}
@ -63,10 +63,12 @@ else @@ -63,10 +63,12 @@ else
printf -- 'ENV{ID_PART_ENTRY_UUID}=="*%s*", ' "$uuid"
printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)"
printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)"
printf -- '$env{DEVNAME} %s %s"\n' "$luksname" "$is_keysource" "$tout"
# shellcheck disable=SC2016
printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
luksname=$(dev_unit_name "$luksname")
# shellcheck disable=SC1003
luksname="$(str_replace "$luksname" '\' '\\')"

if ! crypttab_contains "$uuid"; then
@ -86,7 +88,7 @@ else @@ -86,7 +88,7 @@ else
is_keysource=0
_serialid=$serialid
serialid=${serialid#keysource:}
[ $serialid != $_serialid ] && is_keysource=1
[ "$serialid" != "$_serialid" ] && is_keysource=1
unset _serialid

serialid=${serialid##luks-}
@ -101,10 +103,12 @@ else @@ -101,10 +103,12 @@ else
printf -- 'ENV{ID_SERIAL_SHORT}=="*%s*", ' "$serialid"
printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)"
printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)"
printf -- '$env{DEVNAME} %s %s"\n' "$luksname" "$is_keysource" "$tout"
# shellcheck disable=SC2016
printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
luksname=$(dev_unit_name "$luksname")
# shellcheck disable=SC1003
luksname="$(str_replace "$luksname" '\' '\\')"

if ! crypttab_contains "$serialid"; then
@ -124,7 +128,7 @@ else @@ -124,7 +128,7 @@ else
is_keysource=0
_luksid=$luksid
luksid=${luksid#keysource:}
[ $luksid != $_luksid ] && is_keysource=1
[ "$luksid" != "$_luksid" ] && is_keysource=1
unset _luksid

luksid=${luksid##luks-}
@ -140,10 +144,12 @@ else @@ -140,10 +144,12 @@ else
printf -- 'ENV{ID_FS_UUID}=="*%s*", ' "$luksid"
printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)"
printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)"
# shellcheck disable=SC2016
printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
luksname=$(dev_unit_name "$luksname")
# shellcheck disable=SC1003
luksname="$(str_replace "$luksname" '\' '\\')"

if ! crypttab_contains "$luksid"; then
@ -160,11 +166,11 @@ else @@ -160,11 +166,11 @@ else
if [ $is_keysource -eq 0 ]; then
uuid=$luksid
while [ "$uuid" != "${uuid#*-}" ]; do uuid=${uuid%%-*}${uuid#*-}; done
printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' $uuid \
printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' "$uuid" \
>> "$hookdir/initqueue/finished/90-crypt.sh"
{
printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' $luksid
printf -- 'warn "crypto LUKS UUID "%s" not found"\n' $luksid
printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' "$luksid"
printf -- 'warn "crypto LUKS UUID "%s" not found"\n' "$luksid"
} >> "$hookdir/emergency/90-crypt.sh"
fi
done
@ -173,12 +179,14 @@ else @@ -173,12 +179,14 @@ else
{
printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)"
printf -- '--unique --settled --onetime --name cryptroot-ask-%%k '
# shellcheck disable=SC2016
printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' "$(command -v cryptroot-ask)" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
{
printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)"
printf -- '--unique --settled --onetime --name crypt-run-generator-%%k '
# shellcheck disable=SC2016
printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID}"\n' "$(command -v crypt-run-generator)"
} >> /etc/udev/rules.d/70-luks.rules.new
fi

4
modules.d/90crypt/parse-keydev.sh
Unescape View File

@ -31,10 +31,10 @@ if getargbool 1 rd.luks -n rd_NO_LUKS \ @@ -31,10 +31,10 @@ if getargbool 1 rd.luks -n rd_NO_LUKS \
fi

{
printf -- 'RUN+="%s --unique --onetime ' $(command -v initqueue)
printf -- 'RUN+="%s --unique --onetime ' "$(command -v initqueue)"
printf -- '--name probe-keydev-%%k '
printf -- '%s /dev/%%k %s %s"\n' \
$(command -v probe-keydev) "${keypath}" "${luksdev}"
"$(command -v probe-keydev)" "${keypath}" "${luksdev}"
} >&7
done
unset arg keypath keydev luksdev

Write Preview
Loading…
Cancel
Save