summarylogtreecommitdiffstats
path: root/support-detached-header.patch
blob: f3287948a97039a16219dfacc4e0389fa91577fb (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

--- encrypt	2024-07-13 15:01:49.172799574 -0400
+++ hooks-encrypt-dh	2024-07-13 15:03:51.889462155 -0400
@@ -38,6 +38,40 @@
         [ ! -f "${ckeyfile}" ] && echo "Keyfile could not be opened. Reverting to passphrase."
     fi
 
+    # Get detached header file if specified
+    cheaderfile="/crypto_header"
+    if [ -n "$cryptheader" ]; then
+        IFS=: read chdev charg1 charg2 <<EOF
+$cryptheader
+EOF
+
+        if [ "$chdev" = "rootfs" ]; then
+            cheaderfile=$charg1
+        elif resolved=$(resolve_device "${chdev}" ${rootdelay}); then
+            case ${charg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # charg1 is not numeric: charg1=filesystem, charg2=path
+                    mkdir /cheader
+                    mount -r -t "$charg1" "$resolved" /cheader
+                    dd if="/cheader/$charg2" of="$cheaderfile" >/dev/null 2>&1
+                    umount /cheader
+                    ;;
+                *)
+                    # Read raw data from the block device
+                    # charg1 is numeric: charg1=offset, charg2=length
+                    dd if="$resolved" of="$cheaderfile" bs=1 skip="$charg1" count="$charg2" >/dev/null 2>&1
+                    ;;
+            esac
+        fi
+
+        if [ -f ${cheaderfile} ]; then
+            cryptargs="${cryptargs} --header ${cheaderfile}"
+        else
+            echo "Detached header could not be opened. Ignoring."
+        fi
+    fi
+
     if [ -n "${cryptdevice}" ]; then
         DEPRECATED_CRYPT=0
         # cryptdevice can contain : which needs to be escaped.
@@ -88,7 +122,7 @@
     unset OLDIFS
 
     if resolved=$(resolve_device "${cryptdev}" "${rootdelay}"); then
-        if cryptsetup isLuks "${resolved}" >/dev/null 2>&1; then
+        if (cryptsetup isLuks ${resolved} >/dev/null 2>&1 || cryptsetup isLuks ${cheaderfile} >/dev/null 2>&1); then
             [ "${DEPRECATED_CRYPT}" -eq 1 ] && warn_deprecated
             dopassphrase=1
             # If keyfile exists, try to use that
@@ -165,7 +199,7 @@
             err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
         fi
     fi
-    rm -f "${ckeyfile}"
+    rm -f ${ckeyfile} ${cheaderfile}
 }
 
 # vim: set ft=sh ts=4 sw=4 et: