[arch-commits] Commit in cryptsetup/repos (5 files)

Christian Hesse eworm at gemini.archlinux.org
Thu Nov 18 12:53:53 UTC 2021


    Date: Thursday, November 18, 2021 @ 12:53:52
  Author: eworm
Revision: 428580

archrelease: copy trunk to testing-x86_64

Added:
  cryptsetup/repos/testing-x86_64/
  cryptsetup/repos/testing-x86_64/PKGBUILD
    (from rev 428579, cryptsetup/trunk/PKGBUILD)
  cryptsetup/repos/testing-x86_64/hooks-encrypt
    (from rev 428579, cryptsetup/trunk/hooks-encrypt)
  cryptsetup/repos/testing-x86_64/install-encrypt
    (from rev 428579, cryptsetup/trunk/install-encrypt)
  cryptsetup/repos/testing-x86_64/install-sd-encrypt
    (from rev 428579, cryptsetup/trunk/install-sd-encrypt)

--------------------+
 PKGBUILD           |   52 +++++++++++++++++
 hooks-encrypt      |  155 +++++++++++++++++++++++++++++++++++++++++++++++++++
 install-encrypt    |   49 ++++++++++++++++
 install-sd-encrypt |   62 ++++++++++++++++++++
 4 files changed, 318 insertions(+)

Copied: cryptsetup/repos/testing-x86_64/PKGBUILD (from rev 428579, cryptsetup/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2021-11-18 12:53:52 UTC (rev 428580)
@@ -0,0 +1,52 @@
+# Maintainer:  Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
+# Contributor: Thomas Bächler <thomas at archlinux.org>
+
+pkgname=cryptsetup
+pkgver=2.4.2
+pkgrel=1
+pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt'
+arch=(x86_64)
+license=('GPL')
+url='https://gitlab.com/cryptsetup/cryptsetup/'
+depends=('device-mapper' 'libdevmapper.so' 'openssl' 'popt' 'util-linux-libs'
+         'libuuid.so' 'json-c' 'libjson-c.so' 'argon2' 'libargon2.so')
+makedepends=('util-linux')
+provides=('libcryptsetup.so')
+options=('!emptydirs')
+validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyland at gmail.com>
+source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign}
+        'hooks-encrypt'
+        'install-encrypt'
+        'install-sd-encrypt')
+sha256sums=('170cc2326a9daeeeb578579176bd10d4a60ee5c4fc5bc69018ce67dafc540b9c'
+            'SKIP'
+            '29a3f1db5b86a8e6b7c914125e2c46711d6d5985bbf4089e158e06af551c8307'
+            '817686b47e5ffd32913bcae7efe717f3377a48062b6311549d4440cfd3eadf17'
+            'b616470eebbda8edf2a8cb0cd265cada5f03f9a6096683a01974f3812ab9c0f0')
+
+build() {
+  cd "${srcdir}"/$pkgname-${pkgver}
+
+  ./configure \
+    --prefix=/usr \
+    --sbindir=/usr/bin \
+    --enable-libargon2 \
+    --disable-ssh-token \
+    --disable-static
+  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+  make
+}
+
+package() {
+  cd "${srcdir}"/$pkgname-${pkgver}
+
+  make DESTDIR="${pkgdir}" install
+
+  # install docs
+  install -D -m0644 -t "${pkgdir}"/usr/share/doc/cryptsetup/ FAQ docs/{Keyring,LUKS2-locking}.txt
+
+  # install hook
+  install -D -m0644 "${srcdir}"/hooks-encrypt "${pkgdir}"/usr/lib/initcpio/hooks/encrypt
+  install -D -m0644 "${srcdir}"/install-encrypt "${pkgdir}"/usr/lib/initcpio/install/encrypt
+  install -D -m0644 "${srcdir}"/install-sd-encrypt "${pkgdir}"/usr/lib/initcpio/install/sd-encrypt
+}

Copied: cryptsetup/repos/testing-x86_64/hooks-encrypt (from rev 428579, cryptsetup/trunk/hooks-encrypt)
===================================================================
--- testing-x86_64/hooks-encrypt	                        (rev 0)
+++ testing-x86_64/hooks-encrypt	2021-11-18 12:53:52 UTC (rev 428580)
@@ -0,0 +1,155 @@
+#!/usr/bin/ash
+
+run_hook() {
+    modprobe -a -q dm-crypt >/dev/null 2>&1
+    [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
+
+    # Get keyfile if specified
+    ckeyfile="/crypto_keyfile.bin"
+    if [ -n "$cryptkey" ]; then
+        IFS=: read ckdev ckarg1 ckarg2 <<EOF
+$cryptkey
+EOF
+
+        if [ "$ckdev" = "rootfs" ]; then
+            ckeyfile=$ckarg1
+        elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
+            case ${ckarg1} in
+                *[!0-9]*)
+                    # Use a file on the device
+                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
+                    mkdir /ckey
+                    mount -r -t "$ckarg1" "$resolved" /ckey
+                    dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
+                    umount /ckey
+                    ;;
+                *)
+                    # Read raw data from the block device
+                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length
+                    dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
+                    ;;
+            esac
+        fi
+        [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
+    fi
+
+    if [ -n "${cryptdevice}" ]; then
+        DEPRECATED_CRYPT=0
+        IFS=: read cryptdev cryptname cryptoptions <<EOF
+$cryptdevice
+EOF
+    else
+        DEPRECATED_CRYPT=1
+        cryptdev="${root}"
+        cryptname="root"
+    fi
+
+    # This may happen if third party hooks do the crypt setup
+    if [ -b "/dev/mapper/${cryptname}" ]; then
+        echo "Device ${cryptname} already exists, not doing any crypt setup."
+        return 0
+    fi
+
+    warn_deprecated() {
+        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
+        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
+    }
+
+    set -f
+    OLDIFS="$IFS"; IFS=,
+    for cryptopt in ${cryptoptions}; do
+        case ${cryptopt} in
+            allow-discards|discard)
+                cryptargs="${cryptargs} --allow-discards"
+                ;;
+            no-read-workqueue|perf-no_read_workqueue)
+                cryptargs="${cryptargs} --perf-no_read_workqueue"
+                ;;
+            no-write-workqueue|perf-no_write_workqueue)
+                cryptargs="${cryptargs} --perf-no_write_workqueue"
+                ;;
+            *)
+                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
+                ;;
+        esac
+    done
+    set +f
+    IFS="$OLDIFS"
+    unset OLDIFS
+
+    if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
+        if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            dopassphrase=1
+            # If keyfile exists, try to use that
+            if [ -f ${ckeyfile} ]; then
+                if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
+                    dopassphrase=0
+                else
+                    echo "Invalid keyfile. Reverting to passphrase."
+                fi
+            fi
+            # Ask for a passphrase
+            if [ ${dopassphrase} -gt 0 ]; then
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+
+                #loop until we get a real password
+                while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
+                    sleep 2;
+                done
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
+                fi
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                return 1
+            fi
+        elif [ -n "${crypto}" ]; then
+            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
+            msg "Non-LUKS encrypted device found..."
+            if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
+                err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
+                err "Non-LUKS decryption not attempted..."
+                return 1
+            fi
+            exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
+            IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
+$crypto
+EOF
+            [ -n "$c_hash" ]    && exe="$exe --hash '$c_hash'"
+            [ -n "$c_cipher" ]  && exe="$exe --cipher '$c_cipher'"
+            [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
+            [ -n "$c_offset" ]  && exe="$exe --offset '$c_offset'"
+            [ -n "$c_skip" ]    && exe="$exe --skip '$c_skip'"
+            if [ -f "$ckeyfile" ]; then
+                exe="$exe --key-file $ckeyfile"
+            else
+                echo ""
+                echo "A password is required to access the ${cryptname} volume:"
+            fi
+            eval "$exe $CSQUIET"
+
+            if [ $? -ne 0 ]; then
+                err "Non-LUKS device decryption failed. verify format: "
+                err "      crypto=hash:cipher:keysize:offset:skip"
+                return 1
+            fi
+            if [ -e "/dev/mapper/${cryptname}" ]; then
+                if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
+                    export root="/dev/mapper/root"
+                fi
+            else
+                err "Password succeeded, but ${cryptname} creation failed, aborting..."
+                return 1
+            fi
+        else
+            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
+        fi
+    fi
+    rm -f ${ckeyfile}
+}
+
+# vim: set ft=sh ts=4 sw=4 et:

Copied: cryptsetup/repos/testing-x86_64/install-encrypt (from rev 428579, cryptsetup/trunk/install-encrypt)
===================================================================
--- testing-x86_64/install-encrypt	                        (rev 0)
+++ testing-x86_64/install-encrypt	2021-11-18 12:53:52 UTC (rev 428580)
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+build() {
+    local mod
+
+    add_module 'dm-crypt'
+    add_module 'dm-integrity'
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules '/crypto/'
+    fi
+
+    add_binary 'cryptsetup'
+
+    map add_udev_rule \
+        '10-dm.rules' \
+        '13-dm-disk.rules' \
+        '95-dm-notify.rules' \
+        '/usr/lib/initcpio/udev/11-dm-initramfs.rules'
+
+    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+    add_binary '/usr/lib/libgcc_s.so.1'
+
+    add_runscript
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows for an encrypted root device. Users should specify the device
+to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
+where 'device' is the path to the raw device, and 'dmname' is the name given to
+the device after unlocking, and will be available as /dev/mapper/dmname.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:

Copied: cryptsetup/repos/testing-x86_64/install-sd-encrypt (from rev 428579, cryptsetup/trunk/install-sd-encrypt)
===================================================================
--- testing-x86_64/install-sd-encrypt	                        (rev 0)
+++ testing-x86_64/install-sd-encrypt	2021-11-18 12:53:52 UTC (rev 428580)
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+build() {
+    local mod
+
+    add_module 'dm-crypt'
+    add_module 'dm-integrity'
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules '/crypto/'
+    fi
+    add_checked_modules '/drivers/char/tpm/'
+
+    map add_udev_rule \
+        '10-dm.rules' \
+        '13-dm-disk.rules' \
+        '60-fido-id.rules' \
+        '95-dm-notify.rules' \
+        '/usr/lib/initcpio/udev/11-dm-initramfs.rules'
+
+    add_systemd_unit 'cryptsetup.target'
+    add_binary '/usr/lib/systemd/system-generators/systemd-cryptsetup-generator'
+    add_binary '/usr/lib/systemd/systemd-cryptsetup'
+
+    add_systemd_unit 'systemd-ask-password-console.path'
+    add_systemd_unit 'systemd-ask-password-console.service'
+
+    # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
+    add_binary '/usr/lib/libgcc_s.so.1'
+
+    # add libraries dlopen()ed by systemd-cryptsetup
+    for LIB in fido2 tss2-{{esys,rc,mu},tcti-'*'}; do
+        for FILE in $(find /usr/lib/ -maxdepth 1 -name "lib${LIB}.so*"); do
+            if [[ -L "${FILE}" ]]; then
+                add_symlink "${FILE}"
+            else
+                add_binary "${FILE}"
+            fi
+        done
+    done
+
+    # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
+    add_binary 'mkswap'
+
+    [[ -f /etc/crypttab.initramfs ]] && add_file '/etc/crypttab.initramfs' '/etc/crypttab'
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows for an encrypted root device with systemd initramfs.
+
+See the manpage of systemd-cryptsetup-generator(8) for available kernel
+command line options. Alternatively, if the file /etc/crypttab.initramfs
+exists, it will be added to the initramfs as /etc/crypttab. See the
+crypttab(5) manpage for more information on crypttab syntax.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:



More information about the arch-commits mailing list