From eb25ff7a278ad159284319660e374b5818af80e6 Mon Sep 17 00:00:00 2001 From: Jeremy Katz Date: Tue, 16 Dec 2008 14:21:08 -0500 Subject: [PATCH] Support root on LUKS (dm-crypt) Support having root on LUKS with the password prompting handled by plymouth. This requires ensuring our input is from /dev/console and also requires that we import vol_id info about all block devices rather than ignoring dm devs (which is what the persistent storage rules do by default) --- generate.sh | 7 ++++--- init | 3 +-- rules.d/63-luks.rules | 13 +++++++++++++ rules.d/64-lvm.rules | 1 + 4 files changed, 19 insertions(+), 5 deletions(-) create mode 100644 rules.d/63-luks.rules diff --git a/generate.sh b/generate.sh index a70962d1..3c3160f9 100755 --- a/generate.sh +++ b/generate.sh 
@@ -15,21 +15,22 @@ fi tmpdir=$(mktemp -d) # executables that we have to have -exe="/bin/bash /bin/mount /bin/mknod /bin/mkdir /sbin/modprobe /sbin/udevd /sbin/udevadm /sbin/nash /bin/kill /sbin/pidof /bin/sleep" +exe="/bin/bash /bin/mount /bin/mknod /bin/mkdir /sbin/modprobe /sbin/udevd /sbin/udevadm /sbin/nash /bin/kill /sbin/pidof /bin/sleep /bin/echo" lvmexe="/sbin/lvm" +cryptexe="/sbin/cryptsetup" # and some things that are nice for debugging debugexe="/bin/ls /bin/cat /bin/ln /bin/ps /bin/grep /usr/bin/less" # udev things we care about udevexe="/lib/udev/vol_id" # install base files -for binary in $exe $debugexe $udevexe $lvmexe ; do +for binary in $exe $debugexe $udevexe $lvmexe $cryptexe ; do inst $binary $tmpdir done # FIXME: would be nice if we didn't have to know which rules to grab.... mkdir -p $tmpdir/lib/udev/rules.d -for rule in /lib/udev/rules.d/40-redhat* /lib/udev/rules.d/60-persistent-storage.rules /lib/udev/rules.d/61*edd* /lib/udev/rules.d/64* /lib/udev/rules.d/80* /lib/udev/rules.d/95* rules.d/*.rules ; do +for rule in /lib/udev/rules.d/40-redhat* /lib/udev/rules.d/50* /lib/udev/rules.d/60-persistent-storage.rules /lib/udev/rules.d/61*edd* /lib/udev/rules.d/64* /lib/udev/rules.d/80* /lib/udev/rules.d/95* rules.d/*.rules ; do cp -v $rule $tmpdir/lib/udev/rules.d done diff --git a/init b/init index 615dfc3b..42fb5271 100755 --- a/init +++ b/init @@ -21,7 +21,7 @@ export TERM=linux # /dev/console comes from the built-in initramfs crud in the kernel # someday, we may need to mkdir /dev first here -exec > /dev/console 2>&1 +exec > /dev/console 2>&1 < /dev/console # mount some important things mount -t proc /proc /proc @@ -29,7 +29,6 @@ mount -t sysfs /sys /sys mount -t tmpfs -omode=0755 udev /dev # FIXME: what device nodes does plymouth really _need_ ? -mknod /dev/console c 5 1 mknod /dev/null c 1 3 mknod /dev/kmsg c 1 11 mknod /dev/ptmx c 5 2 diff --git a/rules.d/63-luks.rules b/rules.d/63-luks.rules new file mode 100644 index 00000000..4c95c5d0 
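Review bot: The new `/lib/udev/rules.d/50*` glob in the rules loop of generate.sh copies every rules file on the build host whose name starts with 50, not only the one this change depends on. Rules in that directory are run by udevd as root during early boot, so naming the intended file explicitly, as the loop already does for `60-persistent-storage.rules`, keeps unrelated or locally added rules out of the image. At a minimum, add a comment above the loop stating which 50 rules are needed and why. `$cryptexe` is also added to the install loop unconditionally, and how `inst` behaves when `/sbin/cryptsetup` is missing on the build host is not visible in this hunk.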
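Review bot: The `exec > /dev/console 2>&1 < /dev/console` line in init has no comment explaining why stdin is now attached to the console, and the existing comment above it only explains where the node comes from. I would add `# stdin must be the console too: the LUKS passphrase prompt reads from it`. The second init hunk drops `mknod /dev/console c 5 1` after the tmpfs is mounted over /dev. Descriptors opened by the `exec` stay valid, but anything that later opens `/dev/console` by path depends on something else recreating the node, which is not visible here. A short comment where the mknod used to be, saying what provides the node, would settle that.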
--- /dev/null +++ b/rules.d/63-luks.rules @@ -0,0 +1,13 @@ +# hacky rules to try to try unlocking dm-crypt devs +# +# Copyright 2008, Red Hat, Inc. +# Jeremy Katz + + +SUBSYSTEM!="block", GOTO="luks_end" +ACTION!="add|change", GOTO="luks_end" + +ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="/bin/plymouth ask-for-password --command '/sbin/cryptsetup luksOpen $env{DEVNAME} luks-$env{ID_FS_UUID}" + + +LABEL="luks_end" diff --git a/rules.d/64-lvm.rules b/rules.d/64-lvm.rules index 0031c08a..886d1b96 100644 --- a/rules.d/64-lvm.rules +++ b/rules.d/64-lvm.rules @@ -7,6 +7,7 @@ SUBSYSTEM!="block", GOTO="lvm_end" ACTION!="add|change", GOTO="lvm_end" +KERNEL!="sr*", IMPORT{program}="vol_id --export $tempnode" ENV{ID_FS_TYPE}=="LVM2_member", RUN+="/sbin/lvm vgchange -ay"
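Review bot: The `RUN+=` value in 63-luks.rules opens a single quote before `/sbin/cryptsetup` and never closes it, so the `--command` argument is unterminated. The line should end `luks-$env{ID_FS_UUID}'"`. `$env{ID_FS_UUID}` is read from the device's on-disk metadata and is substituted into a command string that plymouth then runs as root. How that string is split is not visible here, so it is worth confirming that the value cannot contain whitespace or quote characters, or matching only well-formed UUIDs before the `RUN`. The rule also fires on every `change` event, not just `add`, so an already-unlocked device would presumably prompt again unless something checks that `luks-<uuid>` exists. The header comment has a doubled "try to try".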
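Review bot: The `IMPORT{program}="vol_id --export $tempnode"` line added to 64-lvm.rules runs after 63-luks.rules has already been evaluated for the same event. The commit message says the persistent storage rules skip dm devices, so a LUKS container on top of a dm device (for example an LVM logical volume) would still have no `ID_FS_TYPE` when the `crypto_LUKS` match in 63-luks.rules is tested. If that layout is meant to work, the import belongs in a rules file that sorts before 63, or at the top of 63-luks.rules. The `KERNEL!="sr*"` exclusion also deserves a one-line comment such as `# skip optical drives: probing them is slow and they never hold a PV`, if that is the reason.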