| 1 |
commit: a0a6d6313874a7567a26c405713aaf610695285d |
| 2 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sun Feb 7 18:02:29 2021 +0000 |
| 4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Feb 7 18:02:29 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=a0a6d631 |
| 7 |
|
| 8 |
linuxrc: add kernel command-line argument to allow user to pass additional options to cryptsetup |
| 9 |
|
| 10 |
Cryptsetup supports additional options like "--perf-no_read_workqueue" or |
| 11 |
"--perf-no_write_workqueue". While it is recommended to use LUKS2 format |
| 12 |
and make these activiation flags permanent, you can also make use of |
| 13 |
the new kernel command-line arguments "crypt_root_options" for root device |
| 14 |
or "crypt_swap_options" for swap device to pass additional options |
| 15 |
to cryptsetup. |
| 16 |
|
| 17 |
These arguments can be specified multiple times or separate multiple |
| 18 |
options with a comma. |
| 19 |
|
| 20 |
Bug: https://bugs.gentoo.org/755587 |
| 21 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
| 22 |
|
| 23 |
defaults/initrd.defaults | 2 ++ |
| 24 |
defaults/initrd.scripts | 16 +++++++--------- |
| 25 |
defaults/linuxrc | 13 ++++++++++++- |
| 26 |
defaults/unlock-luks.sh | 8 +++----- |
| 27 |
doc/genkernel.8.txt | 10 ++++++++++ |
| 28 |
5 files changed, 34 insertions(+), 15 deletions(-) |
| 29 |
|
| 30 |
diff --git a/defaults/initrd.defaults b/defaults/initrd.defaults |
| 31 |
index cd485ca..ac3b072 100644 |
| 32 |
--- a/defaults/initrd.defaults |
| 33 |
+++ b/defaults/initrd.defaults |
| 34 |
@@ -104,9 +104,11 @@ CRYPT_ENV_FILE='/etc/CRYPT_ENV.conf' |
| 35 |
CRYPT_ROOT_KEYDEV_FSTYPE='auto' |
| 36 |
CRYPT_ROOT_KEYFILE='/tmp/root.key' |
| 37 |
CRYPT_ROOT_OPENED_LOCKFILE='/tmp/ROOT.opened' |
| 38 |
+CRYPT_ROOT_OPTIONS='' |
| 39 |
CRYPT_SWAP_KEYDEV_FSTYPE='auto' |
| 40 |
CRYPT_SWAP_KEYFILE='/tmp/swap.key' |
| 41 |
CRYPT_SWAP_OPENED_LOCKFILE='/tmp/SWAP.opened' |
| 42 |
+CRYPT_SWAP_OPTIONS='' |
| 43 |
|
| 44 |
ZFS_ENC_ENV_FILE='/etc/ZFS_ENC_ENV.conf' |
| 45 |
ZFS_ENC_OPENED_LOCKFILE='/tmp/ZFS.opened' |
| 46 |
|
| 47 |
diff --git a/defaults/initrd.scripts b/defaults/initrd.scripts |
| 48 |
index f6e84fc..5d744ee 100644 |
| 49 |
--- a/defaults/initrd.scripts |
| 50 |
+++ b/defaults/initrd.scripts |
| 51 |
@@ -1193,7 +1193,7 @@ write_env_file() { |
| 52 |
for varname in $* |
| 53 |
do |
| 54 |
eval varvalue=\$${varname} |
| 55 |
- echo "${varname}=${varvalue}" >> "${env_file}" |
| 56 |
+ echo "${varname}='${varvalue}'" >> "${env_file}" |
| 57 |
done |
| 58 |
} |
| 59 |
|
| 60 |
@@ -1774,15 +1774,13 @@ openLUKS() { |
| 61 |
eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"' |
| 62 |
eval local LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"' |
| 63 |
eval local LUKS_KEYDEV_FSTYPE='"${CRYPT_'${TYPE}'_KEYDEV_FSTYPE}"' |
| 64 |
- eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"' |
| 65 |
+ eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"' |
| 66 |
eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"' |
| 67 |
local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0 |
| 68 |
local mntkey="/mnt/key/" crypt_filter_ret= |
| 69 |
|
| 70 |
while true |
| 71 |
do |
| 72 |
- local cryptsetup_options='' |
| 73 |
- |
| 74 |
local gpg_cmd="" |
| 75 |
if [ -e "${OPENED_LOCKFILE}" ] |
| 76 |
then |
| 77 |
@@ -1819,10 +1817,9 @@ openLUKS() { |
| 78 |
DEV_ERROR=1 |
| 79 |
continue |
| 80 |
else |
| 81 |
- if [ "x${LUKS_TRIM}" = "xyes" ] |
| 82 |
+ if [ -n "${cryptsetup_options}" ] |
| 83 |
then |
| 84 |
- good_msg "Enabling TRIM support for ${LUKS_NAME} ..." ${CRYPT_SILENT} |
| 85 |
- cryptsetup_options="${cryptsetup_options} --allow-discards" |
| 86 |
+ good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT} |
| 87 |
fi |
| 88 |
|
| 89 |
# Handle keys |
| 90 |
@@ -2333,9 +2330,10 @@ start_sshd() { |
| 91 |
write_env_file \ |
| 92 |
"${CRYPT_ENV_FILE}" \ |
| 93 |
CRYPT_ROOT \ |
| 94 |
- CRYPT_ROOT_TRIM \ |
| 95 |
+ CRYPT_ROOT_OPTIONS \ |
| 96 |
CRYPT_SILENT \ |
| 97 |
- CRYPT_SWAP |
| 98 |
+ CRYPT_SWAP \ |
| 99 |
+ CRYPT_SWAP_OPTIONS |
| 100 |
|
| 101 |
run touch /var/log/lastlog |
| 102 |
|
| 103 |
|
| 104 |
diff --git a/defaults/linuxrc b/defaults/linuxrc |
| 105 |
index df0f570..e33576d 100644 |
| 106 |
--- a/defaults/linuxrc |
| 107 |
+++ b/defaults/linuxrc |
| 108 |
@@ -244,10 +244,16 @@ do |
| 109 |
CRYPT_ROOT=${x#*=} |
| 110 |
USE_CRYPTSETUP=1 |
| 111 |
;; |
| 112 |
+ crypt_root_options=*) |
| 113 |
+ CRYPT_ROOT_OPTIONS=$(echo ${CRYPT_ROOT_OPTIONS} ${x#*=} | sed -e 's/,/ /g') |
| 114 |
+ ;; |
| 115 |
crypt_swap=*) |
| 116 |
CRYPT_SWAP=${x#*=} |
| 117 |
USE_CRYPTSETUP=1 |
| 118 |
;; |
| 119 |
+ crypt_swap_options=*) |
| 120 |
+ CRYPT_SWAP_OPTIONS=$(echo ${CRYPT_SWAP_OPTIONS} ${x#*=} | sed -e 's/,/ /g') |
| 121 |
+ ;; |
| 122 |
root_key=*) |
| 123 |
CRYPT_ROOT_KEY=${x#*=} |
| 124 |
;; |
| 125 |
@@ -258,7 +264,12 @@ do |
| 126 |
CRYPT_ROOT_KEYDEV_FSTYPE=${x#*=} |
| 127 |
;; |
| 128 |
root_trim=*) |
| 129 |
- CRYPT_ROOT_TRIM=${x#*=} |
| 130 |
+ tmp_enabled=${x#*=} |
| 131 |
+ if is_true "${tmp_enabled}" |
| 132 |
+ then |
| 133 |
+ CRYPT_ROOT_OPTIONS="${CRYPT_ROOT_OPTIONS} --allow-discards" |
| 134 |
+ fi |
| 135 |
+ unset tmp_enabled |
| 136 |
;; |
| 137 |
swap_key=*) |
| 138 |
CRYPT_SWAP_KEY=${x#*=} |
| 139 |
|
| 140 |
diff --git a/defaults/unlock-luks.sh b/defaults/unlock-luks.sh |
| 141 |
index a8ae990..59e086a 100644 |
| 142 |
--- a/defaults/unlock-luks.sh |
| 143 |
+++ b/defaults/unlock-luks.sh |
| 144 |
@@ -46,12 +46,11 @@ main() { |
| 145 |
local LUKS_NAME="${NAME}" |
| 146 |
eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"' |
| 147 |
eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEYFILE}"' |
| 148 |
- eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"' |
| 149 |
+ eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"' |
| 150 |
eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"' |
| 151 |
|
| 152 |
while true |
| 153 |
do |
| 154 |
- local cryptsetup_options="" |
| 155 |
local gpg_cmd crypt_filter_ret |
| 156 |
|
| 157 |
if [ -e "${OPENED_LOCKFILE}" ] |
| 158 |
@@ -74,10 +73,9 @@ main() { |
| 159 |
# able to investigate the problem on its own. |
| 160 |
exit 1 |
| 161 |
else |
| 162 |
- if [ "x${LUKS_TRIM}" = "xyes" ] |
| 163 |
+ if [ -n "${cryptsetup_options}" ] |
| 164 |
then |
| 165 |
- good_msg "Enabling TRIM support for ${LUKS_NAME} ..." "${CRYPT_SILENT}" |
| 166 |
- cryptsetup_options="${cryptsetup_options} --allow-discards" |
| 167 |
+ good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT} |
| 168 |
fi |
| 169 |
|
| 170 |
# Handle keys |
| 171 |
|
| 172 |
diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt |
| 173 |
index 8909fc7..ddccd9f 100644 |
| 174 |
--- a/doc/genkernel.8.txt |
| 175 |
+++ b/doc/genkernel.8.txt |
| 176 |
@@ -633,9 +633,19 @@ recognized by the kernel itself. |
| 177 |
This specifies the device encrypted by LUKS, which contains the |
| 178 |
root filesystem to mount. |
| 179 |
|
| 180 |
+*crypt_root_options*=<...>:: |
| 181 |
+ This specifies additional options, which should get passed to |
| 182 |
+ cryptsetup when opening root volume. Can be specified multiple |
| 183 |
+ times or separate multiple options with a comma. |
| 184 |
+ |
| 185 |
*crypt_swap*=<...>:: |
| 186 |
This specifies the swap device encrypted by LUKS. |
| 187 |
|
| 188 |
+*crypt_swap_options*=<...>:: |
| 189 |
+ This specifies additional options, which should get passed to |
| 190 |
+ cryptsetup when opening swap volume. Can be specified multiple |
| 191 |
+ times or separate multiple options with a comma. |
| 192 |
+ |
| 193 |
*root_key*=<...>:: |
| 194 |
In case your root is encrypted with a key, you can use a device |
| 195 |
like a usb pen to store the key. This value should be the key |
Archives