Commit Graph

41 Commits (e3fb645821d20621c02cea66ecd1b6e32fd5dc6c)

Author SHA1 Message Date
B. Wilson 1b72c97cc5 crypt: Implement cmdline rd.luks.partuuid
Commit bf5c53a implements support for mounting LUKS devices with
detached headers; however, it assumes that the LUKS device sits on an
unpartitioned disk.

Mirroring the `rd.luks.serial` option, this commit implements the
`rd.luks.partuuid` cmdline option, supporting headless LUKS devices on
drive partitions.
2018-06-13 10:59:28 +02:00
Harald Hoyer 0f6d93eb9d crypt: escape backslashes for systemd unit names b/c udev/initqueue/bash
otherwise
luks\x2d25e41d19\x2d1580\x2d4e7c\x2d8875\x2d134045008f33
turns to
luksx2d25e41d19x2d1580x2d4e7cx2d8875x2d134045008f33
2018-01-11 11:42:22 +01:00
privb0x23 b7058d0ce5 Add basic LUKS detached header support
A LUKS root volume with a detached header on a device without partitioning will not have a UUID and will not have an attribute ENV{ID_FS_TYPE}=="crypto_LUKS".
Therefore, several areas need to be addressed: identification of the LUKS device, inclusion of entries within crypttab, and provision of the detached header file.
- Added support for an option (4th column: "force") in /etc/crypttab to force the inclusion of the entry in the initramfs version (avoiding the fs type test).
- Added support for an option (4th column: "header=/path/to/file") in /etc/crypttab to provide a path to a detached header file embedded within the initramfs.
- Added ID and PARTUUID support to the device (2nd column) in /etc/crypttab (complementing the existing UUID functionality).
- Added cmdline support to indicate LUKS device ("rd.luks.serial=") that refers to the attribute ENV{ID_SERIAL_SHORT}.
Tested successfully on Void Linux (x86_64 musl) (no systemd) with a LUKS root volume accessed with a keyfile and using a detached header.
Not tested on systemd, or on a LUKS root volume with a passphrase rather than a keyfile.
2017-10-03 23:37:55 +01:00
Harald Hoyer 65f78f3d74 crypt: handle rd.luks.name
systemd supports renaming of dm devices with rd.luks.name.

Honor the kernel command line parameter.
2017-08-11 13:23:10 +02:00
Harald Hoyer 5711f54312 crypt: check for crypttab before reading 2015-06-09 15:05:32 +02:00
NeilBrown 4d9d767da2 crypt/parse-crypt.sh: hide encrypted devices from systemd timeout warnings.
When systemd's crypttab generator parsed crypttab, it tells
systemd about several devices which may not appear until later
in the boot sequence, and which are not needed while dract is running.

This can particularly happen when an md array is encrypted,
and the array is newly degraded so that it doesn't appear until
dracut runs mdraid_start.sh.

This can result in systemd printing warning messages which are
inappropriate.

So tell systemd that the timeout for each of these is zero.

This is involves splitting some functionality out of wait_for_dev()

That function does two things:
 - creates 'finished' hooks so that dracut will wait for the device,
   and
 - sets the systemd timeout for the device to zero, so systemd doesn't
   wait.

We only want the second of these for most encrypted devices.
So split that out into a new function set_systemd_timeout_for_dev(),
and call it from parse-crypt.sh

Signed-off-by: NeilBrown <neilb@suse.de>

--
This version fixes the missing redirect from /etc/crypttab
NeilBrown
2015-06-02 12:03:43 +02:00
Harald Hoyer 967cc19ab1 remove all vim and emacs code format comments 2014-08-29 13:38:47 +02:00
Harald Hoyer a13bf117d5 crypt: only manually activate systemd-cryptsetup, if not in crypttab
Only additional rd.luks.UUID have to be manually activated.
2013-08-13 10:26:29 +02:00
James Lee 6e0348f33b crypt: Wait for udev to settle before unlocking disk
To eliminate a race condition that occurs when unlocking one device
depends on the result of unlocking a device before it, the crypt
module must wait for udev to settle between each unlock attempt.

Example

/etc/crypttab:

  keyfile /dev/md1 none luks
  sda4_crypt /dev/sda4 /dev/mapper/keyfile luks
  sdb4_crypt /dev/sdb4 /dev/mapper/keyfile luks

Without this patch, sometimes /dev/sda4 fails to unlock because udev
doesn't have time to create /dev/mapper/keyfile before it's needed.
2013-07-30 15:28:47 +02:00
Harald Hoyer 32bd2fbb4c use "rm --" to guard against filenames beginning with "-" 2013-06-28 10:31:18 +02:00
Harald Hoyer ab9b04f55b crypt/parse-crypt.sh: create udev rule for systemd
Start the systemd-cryptsetup@luks-*.service for the detected crypto_LUKS
device in the initqueue, so we block in the initqueue and wait for the
password entry.
2013-04-04 12:54:59 +02:00
Harald Hoyer 5ac8420abc crypt/parse-crypt.sh: don't generate luks rules in systemd mode 2013-03-06 17:29:11 +01:00
Harald Hoyer e064127729 add "rd.auto" parameter and switch off automatic assembly
No automatic assembly is done anymore by default. You will have to
specify exactly what devices to assemble
("rd.md.uuid=" "rd.luks.uuid" ...)
or use "rd.auto=1" or "rd.auto" on the kernel command line.

For big servers with thousands of disks we don't want to assemble
everything by default (error prone, slow).
2012-09-27 14:05:50 +02:00
Harald Hoyer 3d352f5228 crypt: add systemd crypt support 2012-07-30 17:08:52 +02:00
Harald Hoyer aefea76cf8 set DRACUT_SYSTEMD for systemd mode in the initramfs 2012-07-30 17:08:51 +02:00
Harald Hoyer 68e7661ca7 deprecate old command line options 2012-07-25 10:32:42 +02:00
Harald Hoyer 8d021e4b8a 90crypt/parse-crypt.sh: simplify rd.luks.uuid testing 2012-02-29 16:20:02 +01:00
Harald Hoyer 2c0b5281f5 90crypt/parse-crypt.sh: also accept the beginning of the LUKS UUID
2e0c003435 introduced a too strict test
for LUKS UUIDs
2011-08-30 14:43:57 +02:00
Przemysław Rudy 2e0c003435 luks key on ext dev - wait for luks
This really waits for the luks mapper device, so luksOpen can do it job
2011-08-22 11:27:00 +02:00
Amadeusz Żołnowski 1f735f82cc crypt: changed cmdline arg name from rd.luks.tout to rd.luks.key.tout 2011-08-22 11:19:22 +02:00
Przemysław Rudy c70f6415f8 luks key on ext dev - wait for luks
This asks for the luks passphrase if key is not found for defined time (if defined with rd.luks.tout cmd line):

 modules.d/90crypt/cryptroot-ask.sh |   21 ++++++++++++++++++---
 modules.d/90crypt/parse-crypt.sh   |    5 +++--
 2 files changed, 21 insertions(+), 5 deletions(-)
2011-08-22 11:19:22 +02:00
Harald Hoyer 3b403b32fc removed trailing whitespaces 2011-05-10 11:56:09 +02:00
Harald Hoyer 6730280c5b crypt/parse-crypt.sh: fixed rule creation
"\n" was missing
create rules file on tmp file and rename it later
2011-04-08 13:50:10 +02:00
Harald Hoyer fb59f4c967 get rid of absolute PATHs 2011-04-08 13:49:06 +02:00
Harald Hoyer ea8ca78af0 crypt/parse-crypt.sh: fix udev rule creation 2011-04-08 10:23:58 +02:00
Harald Hoyer 0b53ca70b6 Move all hooks to "$hookdir"
hookdir=/lib/dracut/hooks for now, to keep the root directory clean
2011-03-25 16:10:46 +01:00
Harald Hoyer fcbcc89bb2 crypt: fix emergency script generation
[ forward port of e45a2dba]
2011-03-07 13:37:20 +01:00
Amadeusz Żołnowski 8844cd6b6c 90crypt: probe for keydev asynchronously; changed kernel arg
New kernel argument syntax for LUKS-keydev is introduced:

  rd.luks.key=<key_path>[:<key_dev>[:<luks_dev>]]

Unfolding <key_dev> in BNF:

  <key_dev> ::= "UUID=" <uuid> | "LABEL=" <label> | <kname>

Where <kname> matches following regular expression:

  ^/dev/.*

<kname> need to be a character device and not a symlink for now.

For every rd.luks.key argument udev rule is created.  That rule runs
test to check whether matching device contains <key_path>.  If it does
it's applied to matching <luks_dev>.
2010-11-12 14:08:08 +01:00
Harald Hoyer fa7ada31d0 new parameter option names with "rd.*" namespace
Renamed Options
       Here is a list of options, which were used in dracut prior to
       version 008, and their new replacement.

       rdbreak
           rd.break

       rd_CCW
           rd.ccw

       rdcopystate
           rd.copystate

       rd_DASD_MOD
           rd.dasd_mod.dasd

       rd_DASD
           rd.dasd

       rdinitdebug rdnetdebug
           rd.debug

       rd_NO_DM
           rd.dm=0

       rd_DM_UUID
           rd.dm.uuid

       rdblacklist
           rd.driver.blacklist

       rdinsmodpost
           rd.driver.post

       rdloaddriver
           rd.driver.pre

       rd_NO_FSTAB
           rd.fstab=0

       rdinfo
           rd.info

       check
           rd.live.check

       rdlivedebug
           rd.live.debug

       live_dir
           rd.live.dir

       liveimg
           rd.live.image

       overlay
           rd.live.overlay

       readonly_overlay
           rd.live.overlay.readonly

       reset_overlay
           rd.live.overlay.reset

       live_ram
           rd.live.ram

       rd_NO_CRYPTTAB
           rd.luks.crypttab=0

       rd_LUKS_KEYDEV_UUID
           rd.luks.keydev.uuid

       rd_LUKS_KEYPATH
           rd.luks.keypath

       rd_NO_LUKS
           rd.luks=0

       rd_LUKS_UUID
           rd.luks.uuid

       rd_LUKS_UUID
           rd.luks.uuid

       rd_NO_LVMCONF
           rd.lvm.conf

       rd_LVM_LV
           rd.lvm.lv

       rd_NO_LVM
           rd.lvm=0

       rd_LVM_SNAPSHOT
           rd.lvm.snapshot

       rd_LVM_SNAPSIZE
           rd.lvm.snapsize

       rd_LVM_VG
           rd.lvm.vg

       rd_NO_MDADMCONF
           rd.md.conf=0

       rd_NO_MDIMSM
           rd.md.imsm=0

       rd_NO_MD
           rd.md=0

       rd_MD_UUID
           rd.md.uuid

       rd_NFS_DOMAIN
           rd.nfs.domain

       rd_NO_PLYMOUTH
           rd.plymouth=0

       rd_retry
           rd.retry

       rdshell
           rd.shell

       rd_NO_SPLASH
           rd.splash

       rdudevdebug
           rd.udev.debug

       rdudevinfo
           rd.udev.info

       rd_NO_ZFCPCONF
           rd.zfcp.conf=0

       rd_ZFCP
           rd.zfcp
2010-10-28 17:11:27 +02:00
Harald Hoyer cc02093d69 reformat source code
removed tabs and set indention to 4 spaces
added emacs and vi format headers
2010-09-10 15:34:36 +02:00
Harald Hoyer 8e102a2487 crypt: fix printf 2010-08-02 14:17:58 +02:00
Harald Hoyer 3f62b2637c crypt: strip "luks-" from rd_LUKS_UUID 2010-07-29 16:35:31 +02:00
Harald Hoyer e5c6cb2a8c crypt: remove emergency source of dracut-lib.sh 2010-07-23 12:26:42 +02:00
Amadeusz Żołnowski 2926b5b35d 90crypt: keys on external devices support
99base/dracut-lib.sh: new fun.: getoptcomma, foreach_uuid_until
2010-07-21 13:38:47 +02:00
Harald Hoyer e9ef52b460 crypt: wait for all rd_LUKS_UUID disks to appear
Also give a hint in emergency, if one disk is not found.
2010-07-12 16:16:39 +02:00
Harald Hoyer ecee64bffa crypt/parse-crypt.sh: fix end label for luks udev rules 2010-07-12 14:43:11 +02:00
Harald Hoyer 013986a8ad crypt: assemble 70-luks.rules dynamically 2010-07-12 14:31:21 +02:00
Philippe Seewer 2e6b98c7f6 All module scripts should have a shebang 2009-11-27 14:07:21 +01:00
Harald Hoyer 650da7bada removed initrdargs from parse-*.sh 2009-09-10 17:34:15 +02:00
Harald Hoyer 4578763326 crypt: output info, on rd_NO_LUKS handling 2009-07-17 16:00:19 +02:00
Harald Hoyer f874872fc2 add command line parameters to specify exact actions for root assembly
LVM
       rd_NO_LVM
              disable LVM detection

       rd_LVM_VG=<volume group name>
              only activate the volume groups with the given name

crypto LUKS
       rd_NO_LUKS
              disable crypto LUKS detection

       rd_LUKS_UUID=<luks uuid>
              only activate the LUKS partitions with the given UUID

MD
       rd_NO_MD
              disable MD RAID detection

       rd_MD_UUID=<md uuid>
              only activate the raid sets with the given UUID

DMRAID
       rd_NO_DM
              disable DM RAID detection

       rd_DM_UUID=<dmraid uuid>
              only activate the raid sets with the given UUID
2009-07-15 18:27:21 +02:00