[arch-projects] [RFC 19/23] Add Arch Linux mkinitcpio hook for encrypted volumes
Matthew Monaco
dgbaley27 at 0x01b.net
Fri May 18 12:22:13 EDT 2012
From: Matthew Monaco <matthew.monaco at 0x01b.net>
This should support all of the current syntax. If that sentance is
false, please let me know. This might be a good time to drop support for
root=... without a cryptdevice=...?
We'll support root, /usr, and anything tagged with %early in crypttab
---
archlinux/encrypt_hook | 100 +++++++++++++++++++++++++++++++++++++++++++++
archlinux/encrypt_install | 56 +++++++++++++++++++++++++
2 files changed, 156 insertions(+)
create mode 100644 archlinux/encrypt_hook
create mode 100644 archlinux/encrypt_install
diff --git a/archlinux/encrypt_hook b/archlinux/encrypt_hook
new file mode 100644
index 0000000..026c731
--- /dev/null
+++ b/archlinux/encrypt_hook
@@ -0,0 +1,100 @@
+
+encrypt_main() {
+
+ local tmp="$1" name="" dev="" key="${2:--}" opts="" log="" tab="${3:-/etc/crypttab}"
+
+ case "$tmp" in
+ *:*:*)
+ dev="${tmp%%:*}"
+ tmp="${tmp#*:}"
+ name="${tmp%%:*}"
+ opts="${tmp#*:}"
+ ;;
+ *:*)
+ dev="${tmp%%:*}"
+ name="${tmp#*:}"
+ ;;
+ *)
+ name="$tmp"
+ ;;
+ esac
+
+ if [ "$quiet" ]; then
+ log="-q"
+ elif [ "$verbose" ]; then
+ log="-v"
+ fi
+
+ [ -e "/dev/mapper/$name" ] && return
+
+ msg "Mapping encrypted volume '$name'"
+
+ if [ "$dev" ]; then
+ cryptmount $log -O "$opts" -M "$name" "$dev" "$key"
+ else
+ cryptmount -c "$tab" $log -M "$name"
+ fi
+}
+
+run_hook() {
+
+ local vol vols
+
+ if [ -z "$cryptdevice" ]; then
+ printf "The syntax 'root=%s' where '%s' is an encrypted volume is deprecated" \
+ "Use 'cryptdevice=%s:root root=/dev/mapper/root instead." \
+ "$root" "$root" "$root"
+ cryptdevice="$root:root"
+ root="/dev/mapper/root"
+ fi
+
+ encrypt_main "$cryptdevice" "$cryptkey"
+}
+
+run_latehook() {
+
+ if [ "$cryptusr" ]; then
+ encrypt_main "$cryptusr" "$cryptusrkey" "/new_root/etc/crypttab"
+ fi
+
+ if vols="$(cryptmount -c "/new_root/etc/fstab" -Lq -O "%early")" && [ "$vols" ]; then
+ for vol in $vols; do
+ [ -e "/dev/mapper/$vol" ] && continue
+ msg "Mapping encrypted volume '$vol'"
+ cryptmount -c "/new_root/etc/crypttab" -qM "$vol"
+ done
+ fi
+
+ if [ -z "$cryptusr" ]; then
+ cryptusr="$(encrypt_from_mp "/usr")" || return
+ [ -e "/dev/mapper/$cryptusr" ] && return
+ msg "Detected /usr as '$cryptusr'"
+ encrypt_main "$cryptusr"
+ fi
+}
+
+encrypt_from_mp() {
+
+ local fstab="/new_root/etc/fstab" ctab="/new_root/etc/crypttab"
+ local line="" mp="$1" dev=""
+
+ [ -f "$fstab" -a -r "$fstab" ] || return 1
+ [ -f "$ctab" -a -r "$ctab" ] || return 1
+ [ "$mp" ] || return 1
+
+ if ! dev="$(findmnt -sF "$fstab" -cfno SOURCE -T "$mp")"; then
+ return 1
+ fi
+
+ case "$dev" in
+ /dev/mapper/*)
+ printf "%s" "$(basename "$dev")"
+ return
+ ;;
+ *)
+ return 1
+ ;;
+ esac
+}
+
+# vim: set ft=sh ts=4 sw=4 noet :
diff --git a/archlinux/encrypt_install b/archlinux/encrypt_install
new file mode 100644
index 0000000..f0faf05
--- /dev/null
+++ b/archlinux/encrypt_install
@@ -0,0 +1,56 @@
+build()
+{
+ add_module dm-crypt
+ if [ $CRYPTO_MODULES ]; then
+ add_all_modules $CRYPTO_MODULES
+ else
+ add_all_modules "/crypto/"
+ fi
+
+ add_runscript
+
+ add_binary "cryptmount"
+ add_binary "cryptsetup"
+ add_binary "dmsetup"
+ add_binary "findmnt"
+
+ add_file "/etc/crypttab"
+
+ add_file "/usr/lib/udev/rules.d/10-dm.rules"
+ add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+ add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+ add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/lib/udev/rules.d/11-dm-initramfs.rules"
+}
+
+help()
+{
+cat <<_EOF_
+ This hook will _always_ attempt to map an encrypted root device. It will also
+ map an encrypted /usr device and attempt to automatically detect one if not
+ explicitly defined. Finally, it will map all devices in /etc/crypttab that have
+ the "%early" tag. (The %early tag is not necessary for root and /usr).
+
+ The root device is defined with the 'cryptdevice' and 'cryptkey' options. If
+ they are defined as
+
+ cryptdevice=<device>:<name>[:opt1,opt2,...]
+ cryptkey=<device>[[:<fstype>]:<path>]
+
+ then no crypttab is needed and cryptkey has the exact same format and semantics
+ as the key field in crypttab(5). Otherwise, root may be defined as
+
+ cryptdevice=<name>
+
+ where <name> is used to find the volume definition in the crypttab ***which
+ was copied to your initrd during mkinitcpio(8)***. The cryptkey option is
+ ignored.
+
+ For /usr, similar rules apply, using the 'cryptusr' and 'cryptkey' options. If
+ cryptusr is not defined, this hook will attempt to discover the correct volume
+ by looking in fstab (your /usr definition must be for /dev/mapper/<name> for
+ this to work).
+
+_EOF_
+}
+
+# vim: set ft=sh noet :
--
1.7.10.2
More information about the arch-projects
mailing list