Introduce prefix `keysource:` for the values of `rd.luks.partuuid`,
`rd.luks.serial` and `rd.luks.uuid`.
If specified, ask for passphrase instead of waiting for keydevs to come
online.
Commit bf5c53a implements support for mounting LUKS devices with
detached headers; however, it assumes that the LUKS device sits on an
unpartitioned disk.
Mirroring the `rd.luks.serial` option, this commit implements the
`rd.luks.partuuid` cmdline option, supporting headless LUKS devices on
drive partitions.
A LUKS root volume with a detached header on a device without partitioning will not have a UUID and will not have an attribute ENV{ID_FS_TYPE}=="crypto_LUKS".
Therefore, several areas need to be addressed: identification of the LUKS device, inclusion of entries within crypttab, and provision of the detached header file.
- Added support for an option (4th column: "force") in /etc/crypttab to force the inclusion of the entry in the initramfs version (avoiding the fs type test).
- Added support for an option (4th column: "header=/path/to/file") in /etc/crypttab to provide a path to a detached header file embedded within the initramfs.
- Added ID and PARTUUID support to the device (2nd column) in /etc/crypttab (complementing the existing UUID functionality).
- Added cmdline support to indicate LUKS device ("rd.luks.serial=") that refers to the attribute ENV{ID_SERIAL_SHORT}.
Tested successfully on Void Linux (x86_64 musl) (no systemd) with a LUKS root volume accessed with a keyfile and using a detached header.
Not tested on systemd, or on a LUKS root volume with a passphrase rather than a keyfile.
When systemd's crypttab generator parsed crypttab, it tells
systemd about several devices which may not appear until later
in the boot sequence, and which are not needed while dract is running.
This can particularly happen when an md array is encrypted,
and the array is newly degraded so that it doesn't appear until
dracut runs mdraid_start.sh.
This can result in systemd printing warning messages which are
inappropriate.
So tell systemd that the timeout for each of these is zero.
This is involves splitting some functionality out of wait_for_dev()
That function does two things:
- creates 'finished' hooks so that dracut will wait for the device,
and
- sets the systemd timeout for the device to zero, so systemd doesn't
wait.
We only want the second of these for most encrypted devices.
So split that out into a new function set_systemd_timeout_for_dev(),
and call it from parse-crypt.sh
Signed-off-by: NeilBrown <neilb@suse.de>
--
This version fixes the missing redirect from /etc/crypttab
NeilBrown
To eliminate a race condition that occurs when unlocking one device
depends on the result of unlocking a device before it, the crypt
module must wait for udev to settle between each unlock attempt.
Example
/etc/crypttab:
keyfile /dev/md1 none luks
sda4_crypt /dev/sda4 /dev/mapper/keyfile luks
sdb4_crypt /dev/sdb4 /dev/mapper/keyfile luks
Without this patch, sometimes /dev/sda4 fails to unlock because udev
doesn't have time to create /dev/mapper/keyfile before it's needed.
Start the systemd-cryptsetup@luks-*.service for the detected crypto_LUKS
device in the initqueue, so we block in the initqueue and wait for the
password entry.
No automatic assembly is done anymore by default. You will have to
specify exactly what devices to assemble
("rd.md.uuid=" "rd.luks.uuid" ...)
or use "rd.auto=1" or "rd.auto" on the kernel command line.
For big servers with thousands of disks we don't want to assemble
everything by default (error prone, slow).
This asks for the luks passphrase if key is not found for defined time (if defined with rd.luks.tout cmd line):
modules.d/90crypt/cryptroot-ask.sh | 21 ++++++++++++++++++---
modules.d/90crypt/parse-crypt.sh | 5 +++--
2 files changed, 21 insertions(+), 5 deletions(-)
New kernel argument syntax for LUKS-keydev is introduced:
rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]]
Unfolding <key_dev> in BNF:
<key_dev> ::= "UUID=" <uuid> | "LABEL=" <label> | <kname>
Where <kname> matches following regular expression:
^/dev/.*
<kname> need to be a character device and not a symlink for now.
For every rd.luks.key argument udev rule is created. That rule runs
test to check whether matching device contains <key_path>. If it does
it's applied to matching <luks_dev>.
LVM
rd_NO_LVM
disable LVM detection
rd_LVM_VG=<volume group name>
only activate the volume groups with the given name
crypto LUKS
rd_NO_LUKS
disable crypto LUKS detection
rd_LUKS_UUID=<luks uuid>
only activate the LUKS partitions with the given UUID
MD
rd_NO_MD
disable MD RAID detection
rd_MD_UUID=<md uuid>
only activate the raid sets with the given UUID
DMRAID
rd_NO_DM
disable DM RAID detection
rd_DM_UUID=<dmraid uuid>
only activate the raid sets with the given UUID
Harald Hoyer