diff options
author | Emil Lundberg | 2016-06-27 01:10:50 +0200 |
---|---|---|
committer | Emil Lundberg | 2016-06-27 01:43:24 +0200 |
commit | 55118fcb4da1914522959ad1e9ced719cfd3a101 (patch) | |
tree | 98e907ddf5cf1f3b55369f0a9b5fc8929e8f3b31 | |
download | aur-55118fcb4da1914522959ad1e9ced719cfd3a101.tar.gz |
Initial commit: Copy encrypt hook from cryptsetup package
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | PKGBUILD | 19 | ||||
-rw-r--r-- | encrypt_remote_luks_header.hook | 139 | ||||
-rw-r--r-- | encrypt_remote_luks_header.install | 44 |
5 files changed, 218 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..cf25b951641b --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,12 @@ +pkgbase = initcpio-encrypt-remote-luks-header + pkgdesc = Modified initcpio encrypt hook capable of using remote LUKS header + pkgver = 1.0.0 + pkgrel = 1 + arch = any + license = GPL + source = encrypt_remote_luks_header.hook + source = encrypt_remote_luks_header.install + sha256sums = 4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff + sha256sums = cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae + +pkgname = initcpio-encrypt-remote-luks-header diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000000..ce6740e87cf8 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +/src/ +/pkg/ +/*.tar.xz +/*.tar.xz.sig diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..0b3c51b896ef --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,19 @@ +# Author: Emil Lundberg <lundberg.emil@gmail.com> + +pkgname=initcpio-encrypt-remote-luks-header +pkgver=1.0.0 +pkgrel=1 +pkgdesc="Modified initcpio encrypt hook capable of using remote LUKS header" +arch=('any') +license=('GPL') +source=( + encrypt_remote_luks_header.hook + encrypt_remote_luks_header.install +) +sha256sums=('4406f8dc83f4f1b408e49d557515f721d91b358355c71fbe51f74ab27e5c84ff' + 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae') + +package() { + install -D -m 644 "${srcdir}"/encrypt_remote_luks_header.hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt_remote_luks_header + install -D -m 644 "${srcdir}"/encrypt_remote_luks_header.install "${pkgdir}"/usr/lib/initcpio/install/encrypt_remote_luks_header +} diff --git a/encrypt_remote_luks_header.hook b/encrypt_remote_luks_header.hook new file mode 100644 index 000000000000..819c4cf60fe0 --- /dev/null +++ b/encrypt_remote_luks_header.hook @@ -0,0 +1,139 @@ +#!/usr/bin/ash + +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + + if [ "$ckdev" = "rootfs" ]; then + ckeyfile=$ckarg1 + elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$resolved" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup open --type plain $resolved $cryptname $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + exe="$exe --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} +} + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/encrypt_remote_luks_header.install b/encrypt_remote_luks_header.install new file mode 100644 index 000000000000..38e5ddc57b11 --- /dev/null +++ b/encrypt_remote_luks_header.install @@ -0,0 +1,44 @@ +#!/bin/bash + +build() { + local mod + + add_module dm-crypt + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules '/crypto/' + fi + + add_binary "cryptsetup" + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + add_runscript +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: |