[arch-commits] Commit in cryptsetup/repos (6 files)
Evangelos Foutras
foutrelis at archlinux.org
Sat Apr 25 14:17:30 UTC 2020
Date: Saturday, April 25, 2020 @ 14:17:29
Author: foutrelis
Revision: 381557
archrelease: copy trunk to staging-x86_64
Added:
cryptsetup/repos/staging-x86_64/
cryptsetup/repos/staging-x86_64/PKGBUILD
(from rev 381556, cryptsetup/trunk/PKGBUILD)
cryptsetup/repos/staging-x86_64/hooks-encrypt
(from rev 381556, cryptsetup/trunk/hooks-encrypt)
cryptsetup/repos/staging-x86_64/install-encrypt
(from rev 381556, cryptsetup/trunk/install-encrypt)
cryptsetup/repos/staging-x86_64/install-sd-encrypt
(from rev 381556, cryptsetup/trunk/install-sd-encrypt)
cryptsetup/repos/staging-x86_64/json-c-0.14.patch
(from rev 381556, cryptsetup/trunk/json-c-0.14.patch)
--------------------+
PKGBUILD | 52 +++++++++++++++
hooks-encrypt | 144 ++++++++++++++++++++++++++++++++++++++++++
install-encrypt | 48 ++++++++++++++
install-sd-encrypt | 49 ++++++++++++++
json-c-0.14.patch | 174 +++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 467 insertions(+)
Copied: cryptsetup/repos/staging-x86_64/PKGBUILD (from rev 381556, cryptsetup/trunk/PKGBUILD)
===================================================================
--- staging-x86_64/PKGBUILD (rev 0)
+++ staging-x86_64/PKGBUILD 2020-04-25 14:17:29 UTC (rev 381557)
@@ -0,0 +1,52 @@
+# Maintainer: Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+# Contributor: Thomas Bächler <thomas at archlinux.org>
+
+pkgname=cryptsetup
+pkgver=2.3.1
+pkgrel=2
+pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt'
+arch=(x86_64)
+license=('GPL')
+url='https://gitlab.com/cryptsetup/cryptsetup/'
+depends=('device-mapper' 'openssl' 'popt' 'libutil-linux' 'json-c' 'argon2')
+makedepends=('util-linux')
+options=('!emptydirs')
+validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyland at gmail.com>
+source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign}
+ 'hooks-encrypt'
+ 'install-encrypt'
+ 'install-sd-encrypt'
+ 'json-c-0.14.patch')
+sha256sums=('92aba4d559a2cf7043faed92e0f22c5addea36bd63f8c039ba5a8f3a159fe7d2'
+ 'SKIP'
+ '416aa179ce3c6a7a5eee0861f1f0a4fafac91b69e84a2aae82b6e5a6140e31e2'
+ 'd325dc239ecc9a5324407b0782da6df2573e8491251836d6c4e65fa61339ce57'
+ '31d816b3650a57512a5f9b52c1995fa65a161faa8b37975d07c9a1b8e1a119db'
+ 'bbf6abba86d4c76307734e95593a5ba3647e1d80d51e521f7e542c92a3d89408')
+
+prepare() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+ patch -Np1 -i ../json-c-0.14.patch
+}
+
+build() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --enable-libargon2 \
+ --disable-static
+ make
+}
+
+package() {
+ cd "${srcdir}"/$pkgname-${pkgver}
+
+ make DESTDIR="${pkgdir}" install
+
+ # install hook
+ install -D -m0644 "${srcdir}"/hooks-encrypt "${pkgdir}"/usr/lib/initcpio/hooks/encrypt
+ install -D -m0644 "${srcdir}"/install-encrypt "${pkgdir}"/usr/lib/initcpio/install/encrypt
+ install -D -m0644 "${srcdir}"/install-sd-encrypt "${pkgdir}"/usr/lib/initcpio/install/sd-encrypt
+}
Copied: cryptsetup/repos/staging-x86_64/hooks-encrypt (from rev 381556, cryptsetup/trunk/hooks-encrypt)
===================================================================
--- staging-x86_64/hooks-encrypt (rev 0)
+++ staging-x86_64/hooks-encrypt 2020-04-25 14:17:29 UTC (rev 381557)
@@ -0,0 +1,144 @@
+#!/usr/bin/ash
+
+run_hook() {
+ modprobe -a -q dm-crypt >/dev/null 2>&1
+ [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+ # Get keyfile if specified
+ ckeyfile="/crypto_keyfile.bin"
+ if [ -n "$cryptkey" ]; then
+ IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+ if [ "$ckdev" = "rootfs" ]; then
+ ckeyfile=$ckarg1
+ elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+ case ${ckarg1} in
+ *[!0-9]*)
+ # Use a file on the device
+ # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+ mkdir /ckey
+ mount -r -t "$ckarg1" "$resolved" /ckey
+ dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+ umount /ckey
+ ;;
+ *)
+ # Read raw data from the block device
+ # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+ dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+ ;;
+ esac
+ fi
+ [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+ fi
+
+ if [ -n "${cryptdevice}" ]; then
+ DEPRECATED_CRYPT=0
+ IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+ else
+ DEPRECATED_CRYPT=1
+ cryptdev="${root}"
+ cryptname="root"
+ fi
+
+ # This may happen if third party hooks do the crypt setup
+ if [ -b "/dev/mapper/${cryptname}" ]; then
+ echo "Device ${cryptname} already exists, not doing any crypt setup."
+ return 0
+ fi
+
+ warn_deprecated() {
+ echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
+ echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+ }
+
+ for cryptopt in ${cryptoptions//,/ }; do
+ case ${cryptopt} in
+ allow-discards)
+ cryptargs="${cryptargs} --allow-discards"
+ ;;
+ *)
+ echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+ ;;
+ esac
+ done
+
+ if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+ if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ dopassphrase=1
+ # If keyfile exists, try to use that
+ if [ -f ${ckeyfile} ]; then
+ if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+ dopassphrase=0
+ else
+ echo "Invalid keyfile. Reverting to passphrase."
+ fi
+ fi
+ # Ask for a passphrase
+ if [ ${dopassphrase} -gt 0 ]; then
+ echo ""
+ echo "A password is required to access the ${cryptname} volume:"
+
+ #loop until we get a real password
+ while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+ sleep 2;
+ done
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed, aborting..."
+ return 1
+ fi
+ elif [ -n "${crypto}" ]; then
+ [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+ msg "Non-LUKS encrypted device found..."
+ if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+ err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+ err "Non-LUKS decryption not attempted..."
+ return 1
+ fi
+ exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+ IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+ [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
+ [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
+ [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+ [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
+ [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
+ if [ -f "$ckeyfile" ]; then
+ exe="$exe --key-file $ckeyfile"
+ else
+ echo ""
+ echo "A password is required to access the ${cryptname} volume:"
+ fi
+ eval "$exe $CSQUIET"
+
+ if [ $? -ne 0 ]; then
+ err "Non-LUKS device decryption failed. verify format: "
+ err " crypto=hash:cipher:keysize:offset:skip"
+ return 1
+ fi
+ if [ -e "/dev/mapper/${cryptname}" ]; then
+ if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+ export root="/dev/mapper/root"
+ fi
+ else
+ err "Password succeeded, but ${cryptname} creation failed, aborting..."
+ return 1
+ fi
+ else
+ err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+ fi
+ fi
+ rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/staging-x86_64/install-encrypt (from rev 381556, cryptsetup/trunk/install-encrypt)
===================================================================
--- staging-x86_64/install-encrypt (rev 0)
+++ staging-x86_64/install-encrypt 2020-04-25 14:17:29 UTC (rev 381557)
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module "dm-crypt"
+ add_module "dm-integrity"
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules "/crypto/"
+ fi
+
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+ add_binary "/usr/lib/libgcc_s.so.1"
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device. Users should specify the device
+to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
+where 'device' is the path to the raw device, and 'dmname' is the name given to
+the device after unlocking, and will be available as /dev/mapper/dmname.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/staging-x86_64/install-sd-encrypt (from rev 381556, cryptsetup/trunk/install-sd-encrypt)
===================================================================
--- staging-x86_64/install-sd-encrypt (rev 0)
+++ staging-x86_64/install-sd-encrypt 2020-04-25 14:17:29 UTC (rev 381557)
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ add_module "dm-crypt"
+ add_module "dm-integrity"
+ if [[ $CRYPTO_MODULES ]]; then
+ for mod in $CRYPTO_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules "/crypto/"
+ fi
+
+ add_binary "dmsetup"
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+ add_systemd_unit "cryptsetup.target"
+ add_binary "/usr/lib/systemd/system-generators/systemd-cryptsetup-generator"
+ add_binary "/usr/lib/systemd/systemd-cryptsetup"
+
+ add_systemd_unit "systemd-ask-password-console.path"
+ add_systemd_unit "systemd-ask-password-console.service"
+
+ # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+ add_binary "/usr/lib/libgcc_s.so.1"
+
+ # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
+ add_binary "mkswap"
+
+ [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
+}
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device with systemd initramfs.
+
+See the manpage of systemd-cryptsetup-generator(8) for available kernel
+command line options. Alternatively, if the file /etc/crypttab.initramfs
+exists, it will be added to the initramfs as /etc/crypttab. See the
+crypttab(5) manpage for more information on crypttab syntax.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
Copied: cryptsetup/repos/staging-x86_64/json-c-0.14.patch (from rev 381556, cryptsetup/trunk/json-c-0.14.patch)
===================================================================
--- staging-x86_64/json-c-0.14.patch (rev 0)
+++ staging-x86_64/json-c-0.14.patch 2020-04-25 14:17:29 UTC (rev 381557)
@@ -0,0 +1,174 @@
+From 604abec333a0efb44fd8bc610aa0b1151dd0f612 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82 at fedoraproject.org>
+Date: Mon, 13 Apr 2020 11:48:17 +0200
+Subject: [PATCH] Add support for upcoming json-c 0.14.0.
+
+ * TRUE/FALSE are not defined anymore. 1 and 0 are used instead.
+ * json_object_get_uint64() and json_object_new_uint64() are part
+ of the upstream API now.
+---
+ lib/luks2/luks2_internal.h | 4 +++-
+ lib/luks2/luks2_json_metadata.c | 38 +++++++++++++++++----------------
+ 2 files changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
+index b9fec6b5..939101d6 100644
+--- a/lib/luks2/luks2_internal.h
++++ b/lib/luks2/luks2_internal.h
+@@ -58,9 +58,11 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
+ void hexprint_base64(struct crypt_device *cd, json_object *jobj,
+ const char *sep, const char *line_sep);
+
++#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
+ uint64_t json_object_get_uint64(json_object *jobj);
+-uint32_t json_object_get_uint32(json_object *jobj);
+ json_object *json_object_new_uint64(uint64_t value);
++#endif
++uint32_t json_object_get_uint32(json_object *jobj);
+
+ int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
+ void json_object_object_del_by_uint(json_object *jobj, unsigned key);
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 781280c2..712c2bbd 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -234,13 +234,14 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value)
+ tmp = strtoull(json_object_get_string(jobj), &endptr, 10);
+ if (*endptr || errno) {
+ *value = 0;
+- return FALSE;
++ return 0;
+ }
+
+ *value = tmp;
+- return TRUE;
++ return 1;
+ }
+
++#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
+ uint64_t json_object_get_uint64(json_object *jobj)
+ {
+ uint64_t r;
+@@ -262,6 +263,7 @@ json_object *json_object_new_uint64(uint64_t value)
+ jobj = json_object_new_string(num);
+ return jobj;
+ }
++#endif
+
+ /*
+ * Validate helpers
+@@ -273,9 +275,9 @@ static json_bool numbered(struct crypt_device *cd, const char *name, const char
+ for (i = 0; key[i]; i++)
+ if (!isdigit(key[i])) {
+ log_dbg(cd, "%s \"%s\" is not in numbered form.", name, key);
+- return FALSE;
++ return 0;
+ }
+- return TRUE;
++ return 1;
+ }
+
+ json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name,
+@@ -300,7 +302,7 @@ json_bool validate_json_uint32(json_object *jobj)
+ errno = 0;
+ tmp = json_object_get_int64(jobj);
+
+- return (errno || tmp < 0 || tmp > UINT32_MAX) ? FALSE : TRUE;
++ return (errno || tmp < 0 || tmp > UINT32_MAX) ? 0 : 1;
+ }
+
+ static json_bool validate_keyslots_array(struct crypt_device *cd,
+@@ -313,17 +315,17 @@ static json_bool validate_keyslots_array(struct crypt_device *cd,
+ jobj = json_object_array_get_idx(jarr, i);
+ if (!json_object_is_type(jobj, json_type_string)) {
+ log_dbg(cd, "Illegal value type in keyslots array at index %d.", i);
+- return FALSE;
++ return 0;
+ }
+
+ if (!json_contains(cd, jobj_keys, "", "Keyslots section",
+ json_object_get_string(jobj), json_type_object))
+- return FALSE;
++ return 0;
+
+ i++;
+ }
+
+- return TRUE;
++ return 1;
+ }
+
+ static json_bool validate_segments_array(struct crypt_device *cd,
+@@ -336,17 +338,17 @@ static json_bool validate_segments_array(struct crypt_device *cd,
+ jobj = json_object_array_get_idx(jarr, i);
+ if (!json_object_is_type(jobj, json_type_string)) {
+ log_dbg(cd, "Illegal value type in segments array at index %d.", i);
+- return FALSE;
++ return 0;
+ }
+
+ if (!json_contains(cd, jobj_segments, "", "Segments section",
+ json_object_get_string(jobj), json_type_object))
+- return FALSE;
++ return 0;
+
+ i++;
+ }
+
+- return TRUE;
++ return 1;
+ }
+
+ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_digests)
+@@ -357,10 +359,10 @@ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_
+ UNUSED(key);
+ json_object_object_get_ex(val, "segments", &jobj_segments);
+ if (LUKS2_array_jobj(jobj_segments, segment_name))
+- return TRUE;
++ return 1;
+ }
+
+- return FALSE;
++ return 0;
+ }
+
+ static json_bool validate_intervals(struct crypt_device *cd,
+@@ -372,18 +374,18 @@ static json_bool validate_intervals(struct crypt_device *cd,
+ while (i < length) {
+ if (ix[i].offset < 2 * metadata_size) {
+ log_dbg(cd, "Illegal area offset: %" PRIu64 ".", ix[i].offset);
+- return FALSE;
++ return 0;
+ }
+
+ if (!ix[i].length) {
+ log_dbg(cd, "Area length must be greater than zero.");
+- return FALSE;
++ return 0;
+ }
+
+ if ((ix[i].offset + ix[i].length) > keyslots_area_end) {
+ log_dbg(cd, "Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").",
+ ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end);
+- return FALSE;
++ return 0;
+ }
+
+ for (j = 0; j < length; j++) {
+@@ -393,14 +395,14 @@ static json_bool validate_intervals(struct crypt_device *cd,
+ log_dbg(cd, "Overlapping areas [%" PRIu64 ",%" PRIu64 "] and [%" PRIu64 ",%" PRIu64 "].",
+ ix[i].offset, ix[i].offset + ix[i].length,
+ ix[j].offset, ix[j].offset + ix[j].length);
+- return FALSE;
++ return 0;
+ }
+ }
+
+ i++;
+ }
+
+- return TRUE;
++ return 1;
+ }
+
+ static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
More information about the arch-commits
mailing list