Merge pull request #211 from Calrama/embedded-keyfile

crypt: Support keyfiles embedded in the initramfs
2017-03-31 11:41:19 +02:00 · 2017-03-31 11:41:19 +02:00 · a63cc421a5
parent f0bfada399 b4cf58f038
commit a63cc421a5
2 changed files with 25 additions and 12 deletions
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@ -182,14 +182,19 @@ readkey() {
    local keydev="$2"
    local device="$3"

-    # This creates a unique single mountpoint for *, or several for explicitly
-    # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
-    # a single password entry.
-    local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
+    # No mounting needed if the keyfile resides inside the initrd
+    if [ "/" == "$keydev" ]; then
+        local mntp=/
+    else
+        # This creates a unique single mountpoint for *, or several for explicitly
+        # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
+        # a single password entry.
+        local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"

-    if [ ! -d "$mntp" ]; then
-        mkdir "$mntp"
-        mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+        if [ ! -d "$mntp" ]; then
+            mkdir "$mntp"
+            mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+        fi
    fi

    case "${keypath##*.}" in
@ -215,8 +220,11 @@ readkey() {
        *) cat "$mntp/$keypath" ;;
    esac

-    # General unmounting mechanism, modules doing custom cleanup should return earlier
-    # and install a pre-pivot cleanup hook
-    umount "$mntp"
-    rmdir "$mntp"
+    # No unmounting if the keyfile resides inside the initrd
+    if [ "/" != "$keydev" ]; then
+        # General unmounting mechanism, modules doing custom cleanup should return earlier
+        # and install a pre-pivot cleanup hook
+        umount "$mntp"
+        rmdir "$mntp"
+    fi
 }
--- a/modules.d/90crypt/parse-keydev.sh
+++ b/modules.d/90crypt/parse-keydev.sh
@ -17,7 +17,12 @@ if getargbool 1 rd.luks -n rd_NO_LUKS && \
            continue
        fi

-        if [ -n "$keydev" ]; then
+        # A keydev of '/' is treated as the initrd itself
+        if [ "/" == "$keydev" ]; then
+            [ -z "$luksdev" ] && luksdev='*'
+            echo "$luksdev:$keydev:$keypath" >> /tmp/luks.keys
+            continue
+        elif [ -n "$keydev" ]; then
            udevmatch "$keydev" >&7 || {
                warn 'keydev incorrect!'
                continue