commit: a0a6d6313874a7567a26c405713aaf610695285d |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Sun Feb 7 18:02:29 2021 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 7 18:02:29 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=a0a6d631 |
|
linuxrc: add kernel command-line argument to allow user to pass additional options to cryptsetup |
|
Cryptsetup supports additional options like "--perf-no_read_workqueue" or |
"--perf-no_write_workqueue". While it is recommended to use LUKS2 format |
and make these activation flags permanent, you can also make use of |
the new kernel command-line arguments "crypt_root_options" for root device |
or "crypt_swap_options" for swap device to pass additional options |
to cryptsetup. |
|
These arguments can be specified multiple times or separate multiple |
options with a comma. |
|
Bug: https://bugs.gentoo.org/755587 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
defaults/initrd.defaults | 2 ++ |
defaults/initrd.scripts | 16 +++++++--------- |
defaults/linuxrc | 13 ++++++++++++- |
defaults/unlock-luks.sh | 8 +++----- |
doc/genkernel.8.txt | 10 ++++++++++ |
5 files changed, 34 insertions(+), 15 deletions(-) |
|
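--- a/defaults/initrd.defaults
+++ b/defaults/initrd.defaults
@@ -104,9 +104,11 @@ CRYPT_ENV_FILE='/etc/CRYPT_ENV.conf'
 CRYPT_ROOT_KEYDEV_FSTYPE='auto'
 CRYPT_ROOT_KEYFILE='/tmp/root.key'
 CRYPT_ROOT_OPENED_LOCKFILE='/tmp/ROOT.opened'
+CRYPT_ROOT_OPTIONS=''
 CRYPT_SWAP_KEYDEV_FSTYPE='auto'
 CRYPT_SWAP_KEYFILE='/tmp/swap.key'
 CRYPT_SWAP_OPENED_LOCKFILE='/tmp/SWAP.opened'
+CRYPT_SWAP_OPTIONS=''
 
 ZFS_ENC_ENV_FILE='/etc/ZFS_ENC_ENV.conf'
 ZFS_ENC_OPENED_LOCKFILE='/tmp/ZFS.opened'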
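--- a/defaults/initrd.scripts
+++ b/defaults/initrd.scripts
@@ -1193,7 +1193,7 @@ write_env_file() {
 for varname in $*
 do
 eval varvalue=\$${varname}
-echo "${varname}=${varvalue}" >> "${env_file}"
+echo "${varname}='${varvalue}'" >> "${env_file}"
 done
 }
 
@@ -1774,15 +1774,13 @@ openLUKS() {
 eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"'
 eval local LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"'
 eval local LUKS_KEYDEV_FSTYPE='"${CRYPT_'${TYPE}'_KEYDEV_FSTYPE}"'
-eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"'
+eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"'
 eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"'
 local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0
 local mntkey="/mnt/key/" crypt_filter_ret=
 
 while true
 do
-local cryptsetup_options=''
-
 local gpg_cmd=""
 if [ -e "${OPENED_LOCKFILE}" ]
 then
@@ -1819,10 +1817,9 @@ openLUKS() {
 DEV_ERROR=1
 continue
 else
-if [ "x${LUKS_TRIM}" = "xyes" ]
+if [ -n "${cryptsetup_options}" ]
 then
-good_msg "Enabling TRIM support for ${LUKS_NAME} ..." ${CRYPT_SILENT}
-cryptsetup_options="${cryptsetup_options} --allow-discards"
+good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT}
 fi
 
 # Handle keys
@@ -2333,9 +2330,10 @@ start_sshd() {
 write_env_file \
 "${CRYPT_ENV_FILE}" \
 CRYPT_ROOT \
-CRYPT_ROOT_TRIM \
+CRYPT_ROOT_OPTIONS \
 CRYPT_SILENT \
-CRYPT_SWAP
+CRYPT_SWAP \
+CRYPT_SWAP_OPTIONS
 
 run touch /var/log/lastlog
 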
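Review bot: The new quoting in the write_env_file hunk, `echo "${varname}='${varvalue}'" >> "${env_file}"`, produces an env file that no longer parses as soon as a value contains a single quote, and the start_sshd hunk now routes CRYPT_ROOT_OPTIONS and CRYPT_SWAP_OPTIONS — free-form strings taken from the kernel command line — through it. Escaping the quote before writing keeps the file sourceable: `varvalue=$(printf '%s' "${varvalue}" | sed "s/'/'\\''/g")` placed on the line before the echo. The values originate from the boot command line rather than from a remote peer, so the practical consequence is a failed remote unlock rather than injection; the file is presumably sourced by unlock-luks.sh, which is not visible in this hunk. write_env_file starts before the hunk.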
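--- a/defaults/linuxrc
+++ b/defaults/linuxrc
@@ -244,10 +244,16 @@ do
 CRYPT_ROOT=${x#*=}
 USE_CRYPTSETUP=1
 ;;
+crypt_root_options=*)
+CRYPT_ROOT_OPTIONS=$(echo ${CRYPT_ROOT_OPTIONS} ${x#*=} | sed -e 's/,/ /g')
+;;
 crypt_swap=*)
 CRYPT_SWAP=${x#*=}
 USE_CRYPTSETUP=1
 ;;
+crypt_swap_options=*)
+CRYPT_SWAP_OPTIONS=$(echo ${CRYPT_SWAP_OPTIONS} ${x#*=} | sed -e 's/,/ /g')
+;;
 root_key=*)
 CRYPT_ROOT_KEY=${x#*=}
 ;;
@@ -258,7 +264,12 @@ do
 CRYPT_ROOT_KEYDEV_FSTYPE=${x#*=}
 ;;
 root_trim=*)
-CRYPT_ROOT_TRIM=${x#*=}
+tmp_enabled=${x#*=}
+if is_true "${tmp_enabled}"
+then
+CRYPT_ROOT_OPTIONS="${CRYPT_ROOT_OPTIONS} --allow-discards"
+fi
+unset tmp_enabled
 ;;
 swap_key=*)
 CRYPT_SWAP_KEY=${x#*=}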
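Review bot: The added `CRYPT_ROOT_OPTIONS=$(echo ${CRYPT_ROOT_OPTIONS} ${x#*=} | sed -e 's/,/ /g')` hands the command-line value to echo unquoted, so the shell applies pathname expansion to it before sed ever runs: a `*` or `?` in the option string is replaced by matching file names in the current directory, and a value beginning with `-n` or `-e` would be consumed as an echo flag instead of being kept. The crypt_swap_options= arm has the same shape and the same problem. Quoting the expansion and replacing echo with printf fixes both: `CRYPT_ROOT_OPTIONS="${CRYPT_ROOT_OPTIONS} $(printf '%s' "${x#*=}" | tr ',' ' ')"` and the matching line for CRYPT_SWAP_OPTIONS. Whether is_true is already defined when linuxrc reaches the root_trim= arm cannot be confirmed from this hunk; the enclosing case and loop start and end outside it.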
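--- a/defaults/unlock-luks.sh
+++ b/defaults/unlock-luks.sh
@@ -46,12 +46,11 @@ main() {
 local LUKS_NAME="${NAME}"
 eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"'
 eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEYFILE}"'
-eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"'
+eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"'
 eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"'
 
 while true
 do
-local cryptsetup_options=""
 local gpg_cmd crypt_filter_ret
 
 if [ -e "${OPENED_LOCKFILE}" ]
@@ -74,10 +73,9 @@ main() {
 # able to investigate the problem on its own.
 exit 1
 else
-if [ "x${LUKS_TRIM}" = "xyes" ]
+if [ -n "${cryptsetup_options}" ]
 then
-good_msg "Enabling TRIM support for ${LUKS_NAME} ..." "${CRYPT_SILENT}"
-cryptsetup_options="${cryptsetup_options} --allow-discards"
+good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT}
 fi
 
 # Handle keys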
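Review bot: The replacement message line in the second hunk drops the quotes the removed line had around its last argument: `good_msg "Enabling TRIM support for ${LUKS_NAME} ..." "${CRYPT_SILENT}"` becomes `good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT}`, which passes no second argument at all when CRYPT_SILENT is empty and word-splits it otherwise. That mirrors the openLUKS call style in initrd.scripts, but for this file it is a quoting regression; keeping `"${CRYPT_SILENT}"` preserves the previous calling convention unless good_msg is known to treat a missing and an empty argument alike, which is not visible here. main() starts and ends outside the hunk.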
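--- a/doc/genkernel.8.txt
+++ b/doc/genkernel.8.txt
@@ -633,9 +633,19 @@ recognized by the kernel itself.
 This specifies the device encrypted by LUKS, which contains the
 root filesystem to mount.
 
+*crypt_root_options*=<...>::
+This specifies additional options, which should get passed to
+cryptsetup when opening root volume. Can be specified multiple
+times or separate multiple options with a comma.
+
 *crypt_swap*=<...>::
 This specifies the swap device encrypted by LUKS.
 
+*crypt_swap_options*=<...>::
+This specifies additional options, which should get passed to
+cryptsetup when opening swap volume. Can be specified multiple
+times or separate multiple options with a comma.
+
 *root_key*=<...>::
 In case your root is encrypted with a key, you can use a device
 like a usb pen to store the key. This value should be the key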