From: Matthew Monaco <matthew.monaco@0x01b.net> This should support all of the current syntax. If that sentance is false, please let me know. This might be a good time to drop support for root=... without a cryptdevice=...? We'll support root, /usr, and anything tagged with %early in crypttab --- archlinux/encrypt_hook | 100 +++++++++++++++++++++++++++++++++++++++++++++ archlinux/encrypt_install | 56 +++++++++++++++++++++++++ 2 files changed, 156 insertions(+) create mode 100644 archlinux/encrypt_hook create mode 100644 archlinux/encrypt_install diff --git a/archlinux/encrypt_hook b/archlinux/encrypt_hook new file mode 100644 index 0000000..026c731 --- /dev/null +++ b/archlinux/encrypt_hook @@ -0,0 +1,100 @@ + +encrypt_main() { + + local tmp="$1" name="" dev="" key="${2:--}" opts="" log="" tab="${3:-/etc/crypttab}" + + case "$tmp" in + *:*:*) + dev="${tmp%%:*}" + tmp="${tmp#*:}" + name="${tmp%%:*}" + opts="${tmp#*:}" + ;; + *:*) + dev="${tmp%%:*}" + name="${tmp#*:}" + ;; + *) + name="$tmp" + ;; + esac + + if [ "$quiet" ]; then + log="-q" + elif [ "$verbose" ]; then + log="-v" + fi + + [ -e "/dev/mapper/$name" ] && return + + msg "Mapping encrypted volume '$name'" + + if [ "$dev" ]; then + cryptmount $log -O "$opts" -M "$name" "$dev" "$key" + else + cryptmount -c "$tab" $log -M "$name" + fi +} + +run_hook() { + + local vol vols + + if [ -z "$cryptdevice" ]; then + printf "The syntax 'root=%s' where '%s' is an encrypted volume is deprecated" \ + "Use 'cryptdevice=%s:root root=/dev/mapper/root instead." \ + "$root" "$root" "$root" + cryptdevice="$root:root" + root="/dev/mapper/root" + fi + + encrypt_main "$cryptdevice" "$cryptkey" +} + +run_latehook() { + + if [ "$cryptusr" ]; then + encrypt_main "$cryptusr" "$cryptusrkey" "/new_root/etc/crypttab" + fi + + if vols="$(cryptmount -c "/new_root/etc/fstab" -Lq -O "%early")" && [ "$vols" ]; then + for vol in $vols; do + [ -e "/dev/mapper/$vol" ] && continue + msg "Mapping encrypted volume '$vol'" + cryptmount -c "/new_root/etc/crypttab" -qM "$vol" + done + fi + + if [ -z "$cryptusr" ]; then + cryptusr="$(encrypt_from_mp "/usr")" || return + [ -e "/dev/mapper/$cryptusr" ] && return + msg "Detected /usr as '$cryptusr'" + encrypt_main "$cryptusr" + fi +} + +encrypt_from_mp() { + + local fstab="/new_root/etc/fstab" ctab="/new_root/etc/crypttab" + local line="" mp="$1" dev="" + + [ -f "$fstab" -a -r "$fstab" ] || return 1 + [ -f "$ctab" -a -r "$ctab" ] || return 1 + [ "$mp" ] || return 1 + + if ! dev="$(findmnt -sF "$fstab" -cfno SOURCE -T "$mp")"; then + return 1 + fi + + case "$dev" in + /dev/mapper/*) + printf "%s" "$(basename "$dev")" + return + ;; + *) + return 1 + ;; + esac +} + +# vim: set ft=sh ts=4 sw=4 noet : diff --git a/archlinux/encrypt_install b/archlinux/encrypt_install new file mode 100644 index 0000000..f0faf05 --- /dev/null +++ b/archlinux/encrypt_install @@ -0,0 +1,56 @@ +build() +{ + add_module dm-crypt + if [ $CRYPTO_MODULES ]; then + add_all_modules $CRYPTO_MODULES + else + add_all_modules "/crypto/" + fi + + add_runscript + + add_binary "cryptmount" + add_binary "cryptsetup" + add_binary "dmsetup" + add_binary "findmnt" + + add_file "/etc/crypttab" + + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/lib/udev/rules.d/11-dm-initramfs.rules" +} + +help() +{ +cat <<_EOF_ + This hook will _always_ attempt to map an encrypted root device. It will also + map an encrypted /usr device and attempt to automatically detect one if not + explicitly defined. Finally, it will map all devices in /etc/crypttab that have + the "%early" tag. (The %early tag is not necessary for root and /usr). + + The root device is defined with the 'cryptdevice' and 'cryptkey' options. If + they are defined as + + cryptdevice=<device>:<name>[:opt1,opt2,...] + cryptkey=<device>[[:<fstype>]:<path>] + + then no crypttab is needed and cryptkey has the exact same format and semantics + as the key field in crypttab(5). Otherwise, root may be defined as + + cryptdevice=<name> + + where <name> is used to find the volume definition in the crypttab ***which + was copied to your initrd during mkinitcpio(8)***. The cryptkey option is + ignored. + + For /usr, similar rules apply, using the 'cryptusr' and 'cryptkey' options. If + cryptusr is not defined, this hook will attempt to discover the correct volume + by looking in fstab (your /usr definition must be for /dev/mapper/<name> for + this to work). + +_EOF_ +} + +# vim: set ft=sh noet : -- 1.7.10.2