
From: Mike Gilbert <floppym@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-fs/cryptsetup/, sys-fs/cryptsetup/files/
Date: Mon, 24 Jan 2022 17:05:24
Message-Id: 1643043772.afaf583892dd618378dd559159777c49bb4b1b88.floppym@gentoo
1 commit: afaf583892dd618378dd559159777c49bb4b1b88
2 Author: Martin Kjær Jørgensen <mkj <AT> gotu <DOT> dk>
3 AuthorDate: Sat Jan 22 09:46:01 2022 +0000
4 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
5 CommitDate: Mon Jan 24 17:02:52 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afaf5838
7
8 sys-fs/cryptsetup: add support for using detached LUKS headers
9
10 Closes: https://bugs.gentoo.org/831806
11 Closes: https://github.com/gentoo/gentoo/pull/23908
12 Signed-off-by: Martin Kjær Jørgensen <mkj <AT> gotu.dk>
13 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
14
15 sys-fs/cryptsetup/cryptsetup-2.4.3-r1.ebuild | 136 ++++++++++
16 sys-fs/cryptsetup/files/2.4.3-dmcrypt.confd | 120 +++++++++
17 sys-fs/cryptsetup/files/2.4.3-dmcrypt.rc | 367 +++++++++++++++++++++++++++
18 3 files changed, 623 insertions(+)
19
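--- /dev/null
+++ b/sys-fs/cryptsetup/cryptsetup-2.4.3-r1.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit linux-info tmpfiles
+
+DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
+HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md"
+SRC_URI="https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0/12" # libcryptsetup.so version
+[[ ${PV} != *_rc* ]] && \
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
+# we don't support nss since it doesn't allow cryptsetup to be built statically
+# and it's missing ripemd160 support so it can't provide full backward compatibility
+IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt ssh static static-libs test +udev urandom"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
+ static? ( !gcrypt !udev )" #496612
+
+LIB_DEPEND="
+ dev-libs/json-c:=[static-libs(+)]
+ dev-libs/popt[static-libs(+)]
+ >=sys-apps/util-linux-2.31-r1[static-libs(+)]
+ argon2? ( app-crypt/argon2:=[static-libs(+)] )
+ gcrypt? (
+ dev-libs/libgcrypt:0=[static-libs(+)]
+ dev-libs/libgpg-error[static-libs(+)]
+ )
+ nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
+ openssl? ( dev-libs/openssl:0=[static-libs(+)] )
+ pwquality? ( dev-libs/libpwquality[static-libs(+)] )
+ ssh? ( net-libs/libssh[static-libs(+)] )
+ sys-fs/lvm2[static-libs(+)]"
+# We have to always depend on ${LIB_DEPEND} rather than put behind
+# !static? () because we provide a shared library which links against
+# these other packages. #414665
+RDEPEND="static-libs? ( ${LIB_DEPEND} )
+ ${LIB_DEPEND//\[static-libs\([+-]\)\]}
+ udev? ( virtual/libudev:= )"
+# vim-core needed for xxd in tests
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ test? ( app-editors/vim-core )"
+BDEPEND="
+ virtual/pkgconfig
+"
+
+S="${WORKDIR}/${P/_/-}"
+
+pkg_setup() {
+ local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
+ local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
+ local WARNING_CRYPTO_SHA256="CONFIG_CRYPTO_SHA256:\tis not set (required for cryptsetup)\n"
+ local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
+ local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
+ check_extra_config
+}
+
+src_prepare() {
+ sed -i '/^LOOPDEV=/s:$: || exit 0:' tests/{compat,mode}-test || die
+ default
+}
+
+src_configure() {
+ if use kernel ; then
+ ewarn "Note that kernel backend is very slow for this type of operation"
+ ewarn "and is provided mainly for embedded systems wanting to avoid"
+ ewarn "userspace crypto libraries."
+ fi
+
+ local myeconfargs=(
+ --disable-internal-argon2
+ --enable-shared
+ --sbindir=/sbin
+ # for later use
+ --with-default-luks-format=LUKS2
+ --with-tmpfilesdir="${EPREFIX}/usr/lib/tmpfiles.d"
+ --with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/} ; do usev ${x} ; done)
+ $(use_enable argon2 libargon2)
+ $(use_enable nls)
+ $(use_enable pwquality)
+ $(use_enable reencrypt cryptsetup-reencrypt)
+ $(use_enable !static external-tokens)
+ $(use_enable static static-cryptsetup)
+ $(use_enable static-libs static)
+ $(use_enable udev)
+ $(use_enable !urandom dev-random)
+ $(use_enable ssh ssh-token)
+ $(usex argon2 '' '--with-luks2-pbkdf=pbkdf2')
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ if [[ ! -e /dev/mapper/control ]] ; then
+ ewarn "No /dev/mapper/control found -- skipping tests"
+ return 0
+ fi
+
+ local p
+ for p in /dev/mapper /dev/loop* ; do
+ addwrite ${p}
+ done
+
+ default
+}
+
+src_install() {
+ default
+
+ if use static ; then
+ mv "${ED}"/sbin/cryptsetup{.static,} || die
+ mv "${ED}"/sbin/veritysetup{.static,} || die
+ mv "${ED}"/sbin/integritysetup{.static,} || die
+ if use ssh ; then
+ mv "${ED}"/sbin/cryptsetup-ssh{.static,} || die
+ fi
+ if use reencrypt ; then
+ mv "${ED}"/sbin/cryptsetup-reencrypt{.static,} || die
+ fi
+ fi
+ find "${ED}" -type f -name "*.la" -delete || die
+
+ dodoc docs/v*ReleaseNotes
+
+ newconfd "${FILESDIR}"/2.4.3-dmcrypt.confd dmcrypt
+ newinitd "${FILESDIR}"/2.4.3-dmcrypt.rc dmcrypt
+}
+
+pkg_postinst() {
+ tmpfiles_process cryptsetup.conf
+}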
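Review bot: The WARNING_CRYPTO_CBC text in pkg_setup, "required for kernel 2.6.19", no longer tells the user why the option matters, while the three sibling warnings say "required for cryptsetup"; the message is presumably carried over from the older ebuild. Making it consistent, `local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for cryptsetup)\n"`, gives the same information without the stale version reference. Similarly the `# for later use` comment above `--with-default-luks-format=LUKS2` in src_configure describes an option that is already in effect and could be dropped or reworded.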
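--- /dev/null
+++ b/sys-fs/cryptsetup/files/2.4.3-dmcrypt.confd
@@ -0,0 +1,120 @@
+# /etc/conf.d/dmcrypt
+
+# For people who run dmcrypt on top of some other layer (like raid),
+# use rc_need to specify that requirement. See the runscript(8) man
+# page for more information.
+
+#--------------------
+# Instructions
+#--------------------
+
+# Note regarding the syntax of this file. This file is *almost* bash,
+# but each line is evaluated separately. Separate swaps/targets can be
+# specified. The init-script which reads this file assumes that a
+# swap= or target= line starts a new section, similar to lilo or grub
+# configuration.
+
+# Note when using gpg keys and /usr on a separate partition, you will
+# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
+# and ensure that gpg has been compiled statically.
+# See http://bugs.gentoo.org/90482 for more information.
+
+# Note that the init-script which reads this file detects whether your
+# partition is LUKS or not. No mkfs is run unless you specify a makefs
+# option.
+
+# Global options:
+#----------------
+
+# How long to wait for each timeout (in seconds).
+dmcrypt_key_timeout=1
+
+# Max number of checks to perform (see dmcrypt_key_timeout).
+#dmcrypt_max_timeout=300
+
+# Number of password retries.
+dmcrypt_retries=5
+
+# Arguments:
+#-----------
+# target=<name> == Mapping name for partition.
+# swap=<name> == Mapping name for swap partition.
+# source='<dev>' == Real device for partition.
+# Note: You can (and should) specify a tag like UUID
+# for blkid (see -t option). This is safer than using
+# the full path to the device.
+# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.
+# header='</path/to/header>' == Full path to detached LUKS header file.
+# remdev='<dev>' == Device that will be assigned to removable media.
+# gpg_options='<opts>' == Default are --quiet --decrypt
+# options='<opts>' == cryptsetup, for LUKS you can only use --readonly
+# loop_file='<file>' == Loopback file.
+# Note: If you omit $source, then a free loopback will
+# be looked up automatically.
+# pre_mount='cmds' == commands to execute before mounting partition.
+# post_mount='cmds' == commands to execute after mounting partition.
+# wait=5 == wait given amount of seconds for source or
+# detached header file appear.
+#-----------
+# Supported Modes
+# gpg == decrypt and pipe key into cryptsetup.
+# Note: new-line character must not be part of key.
+# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'
+
+#--------------------
+# dm-crypt examples
+#--------------------
+
+## swap
+# Swap partitions. These should come first so that no keys make their
+# way into unencrypted swap.
+# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
+# If no makefs is given then mkswap will be assumed
+#swap=crypt-swap
+#source='/dev/hda2'
+
+## /home with passphrase
+#target=crypt-home
+#source='/dev/hda5'
+
+## /home with regular keyfile
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+
+## /home with regular keyfile and detached header
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+#header='/full/path/to/header/file'
+
+## /home with gpg protected key
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey:gpg'
+
+## /home with regular keyfile on removable media(such as usb-stick)
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+#remdev='/dev/sda1'
+
+## /home with gpg protected key on removable media(such as usb-stick)
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey:gpg'
+#remdev='/dev/sda1'
+
+## /tmp with regular keyfile
+#target=crypt-tmp
+#source='/dev/hda6'
+#key='/full/path/to/tmpkey'
+#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
+#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
+
+## Loopback file example
+#target='crypt-loop-home'
+#source='/dev/loop0'
+#loop_file='/mnt/crypt/home'
+
+# The file must be terminated by a newline. Or leave this comment last.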
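Review bot: The new `header=` and `wait=` entries in the Arguments list are under-documented for the failure mode they introduce: the init script polls for the header file for `wait` seconds and then skips the target, so a user needs to know that the path must already be readable when dmcrypt runs (it is read before the mapping exists, so it cannot live on the device being unlocked) and that `wait` bounds both the source and the header lookup. The `wait=` sentence is also ungrammatical; I would write `# wait=5 == seconds to wait for the source device or the detached header file to appear before the target is skipped.` and add a line under `header=` such as `# Note: the header must be on a filesystem that is already mounted when this service starts.` The detached-header example uses a plain `/dev/hda5` source although the `source=` note above recommends a blkid tag; showing `source='UUID=...'` there would reinforce that advice, since a detached header is exactly the case where the data device carries no LUKS signature to identify it by.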
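--- /dev/null
+++ b/sys-fs/cryptsetup/files/2.4.3-dmcrypt.rc
@@ -0,0 +1,367 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ use modules
+ before checkfs fsck
+
+ if grep -qs ^swap= "${conf_file}" ; then
+ before swap
+ fi
+}
+
+# We support multiple dmcrypt instances based on $SVCNAME
+conf_file="/etc/conf.d/${SVCNAME}"
+
+# Get splash helpers if available.
+if [ -e /sbin/splash-functions.sh ] ; then
+ . /sbin/splash-functions.sh
+fi
+
+# Setup mappings for an individual target/swap
+# Note: This relies on variables localized in the main body below.
+dm_crypt_execute() {
+ local dev ret mode foo source_dev
+
+ if [ -z "${target}" -a -z "${swap}" ] ; then
+ return
+ fi
+
+ # Set up default values.
+ : ${dmcrypt_key_timeout:=1}
+ : ${dmcrypt_max_timeout:=300}
+ : ${dmcrypt_retries:=5}
+ : ${wait:=5}
+
+ # Handle automatic look up of the source path.
+ if [ -z "${source}" -a -n "${loop_file}" ] ; then
+ source=$(losetup --show -f "${loop_file}")
+ fi
+ case ${source} in
+ *=*)
+ i=0
+ while [ ${i} -lt ${wait} ]; do
+ if source_dev="$(blkid -l -t "${source}" -o device)"; then
+ source="${source_dev}"
+ break
+ fi
+ : $((i += 1))
+ einfo "waiting for source \"${source}\" for ${target}..."
+ sleep 1
+ done
+ ;;
+ esac
+ if [ -z "${source}" ] || [ ! -e "${source}" ] ; then
+ ewarn "source \"${source}\" for ${target} missing, skipping..."
+ return
+ fi
+
+ if [ -n "${header}" ] ; then
+ header_opt="--header=${header}"
+
+ i=0
+ while [ ! -e "${header}" ] && [ ${i} -lt ${wait} ] ; do
+ : $((i += 1))
+ einfo "Waiting for header ${header} to appear for ${target} ${i}/${dmcrypt_max_timeout} ..."
+ sleep 1
+ done
+ if [ ${i} -gt ${wait} ] || [ ${i} -eq ${wait} ] ; then
+ ewarn "Waited ${i} times for header file ${header}. Aborting ${target}."
+ return
+ fi
+ else
+ header_opt=""
+ fi
+
+ if [ -n "${target}" ] ; then
+ # let user set options, otherwise leave empty
+ : ${options:=' '}
+ elif [ -n "${swap}" ] ; then
+ if cryptsetup ${header_opt} isLuks ${source} 2>/dev/null ; then
+ ewarn "The swap you have defined is a LUKS partition. Aborting crypt-swap setup."
+ return
+ fi
+ target=${swap}
+ # swap contents do not need to be preserved between boots, luks not required.
+ # suspend2 users should have initramfs's init handling their swap partition either way.
+ : ${options:='-c aes -h sha1 -d /dev/urandom'}
+ : ${pre_mount:='mkswap ${dev}'}
+ fi
+
+ if [ -n "${loop_file}" ] ; then
+ dev="/dev/mapper/${target}"
+ ebegin " Setting up loop device ${source}"
+ losetup ${source} ${loop_file}
+ fi
+
+ # cryptsetup:
+ # open <device> <name> # <device> is $source
+ # create <name> <device> # <name> is $target
+ local arg1="create" arg2="${target}" arg3="${source}"
+ if cryptsetup ${header_opt} isLuks ${source} 2>/dev/null ; then
+ arg1="open"
+ arg2="${source}"
+ arg3="${target}"
+ fi
+
+ # Older versions reported:
+ # ${target} is active:
+ # Newer versions report:
+ # ${target} is active[ and is in use.]
+ if cryptsetup ${header_opt} status ${target} | egrep -q ' is active' ; then
+ einfo "dm-crypt mapping ${target} is already configured"
+ return
+ fi
+ splash svc_input_begin ${SVCNAME} >/dev/null 2>&1
+
+ # Handle keys
+ if [ -n "${key}" ] ; then
+ read_abort() {
+ # some colors
+ local ans savetty resettty
+ [ -z "${NORMAL}" ] && eval $(eval_ecolors)
+ einfon " $1? (${WARN}yes${NORMAL}/${GOOD}No${NORMAL}) "
+ shift
+ # This is ugly as s**t. But POSIX doesn't provide `read -t`, so
+ # we end up having to implement our own crap with stty/etc...
+ savetty=$(stty -g)
+ resettty='stty ${savetty}; trap - EXIT HUP INT TERM'
+ trap 'eval "${resettty}"' EXIT HUP INT TERM
+ stty -icanon
+ stty min 0 time "$(( $2 * 10 ))"
+ ans=$(dd count=1 bs=1 2>/dev/null) || ans=''
+ eval "${resettty}"
+ if [ -z "${ans}" ] ; then
+ printf '\r'
+ else
+ echo
+ fi
+ case ${ans} in
+ [yY]) return 0;;
+ *) return 1;;
+ esac
+ }
+
+ # Notes: sed not used to avoid case where /usr partition is encrypted.
+ mode=${key##*:} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg
+ key=${key%:*}
+ case "${mode}" in
+ gpg|reg)
+ # handle key on removable device
+ if [ -n "${remdev}" ] ; then
+ # temp directory to mount removable device
+ local mntrem="${RC_SVCDIR}/dm-crypt-remdev.$$"
+ if [ ! -d "${mntrem}" ] ; then
+ if ! mkdir -p "${mntrem}" ; then
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: Unable to create temporary mount point '${mntrem}'"
+ return
+ fi
+ fi
+ i=0
+ einfo "Please insert removable device for ${target}"
+ while [ ${i} -lt ${dmcrypt_max_timeout} ] ; do
+ foo=""
+ if mount -n -o ro "${remdev}" "${mntrem}" 2>/dev/null >/dev/null ; then
+ # keyfile exists?
+ if [ ! -e "${mntrem}${key}" ] ; then
+ umount -n "${mntrem}"
+ rmdir "${mntrem}"
+ einfo "Cannot find ${key} on removable media."
+ read_abort "Abort" ${dmcrypt_key_timeout} && return
+ else
+ key="${mntrem}${key}"
+ break
+ fi
+ else
+ [ -e "${remdev}" ] \
+ && foo="mount failed" \
+ || foo="mount source not found"
+ fi
+ : $((i += 1))
+ read_abort "Stop waiting after $i attempts (${foo})" -t 1 && return
+ done
+ else # keyfile ! on removable device
+ if [ ! -e "${key}" ] ; then
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: keyfile ${key} does not exist."
+ return
+ fi
+ fi
+ ;;
+ *)
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: mode ${mode} is invalid."
+ return
+ ;;
+ esac
+ else
+ mode=none
+ fi
+ ebegin " ${target} using: ${header_opt} ${options} ${arg1} ${arg2} ${arg3}"
+ if [ "${mode}" = "gpg" ] ; then
+ : ${gpg_options:='-q -d'}
+ # gpg available ?
+ if command -v gpg >/dev/null ; then
+ i=0
+ while [ ${i} -lt ${dmcrypt_retries} ] ; do
+ # paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected.
+ # save stdin stdout stderr "values"
+ timeout ${dmcrypt_max_timeout} gpg ${gpg_options} ${key} 2>/dev/null | \
+ cryptsetup ${header_opt} --key-file - ${options} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ # The timeout command exits 124 when it times out.
+ [ ${ret} -eq 0 -o ${ret} -eq 124 ] && break
+ : $(( i += 1 ))
+ done
+ eend ${ret} "failure running cryptsetup"
+ else
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: cannot find gpg application."
+ einfo "You have to install app-crypt/gnupg first."
+ einfo "If you have /usr on its own partition, try copying gpg to /bin ."
+ fi
+ else
+ if [ "${mode}" = "reg" ] ; then
+ cryptsetup ${header_opt} ${options} -d ${key} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ eend ${ret} "failure running cryptsetup"
+ else
+ cryptsetup ${header_opt} ${options} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ eend ${ret} "failure running cryptsetup"
+ fi
+ fi
+ if [ -d "${mntrem}" ] ; then
+ umount -n ${mntrem} 2>/dev/null >/dev/null
+ rmdir ${mntrem} 2>/dev/null >/dev/null
+ fi
+ splash svc_input_end ${SVCNAME} >/dev/null 2>&1
+
+ if [ ${ret} -ne 0 ] ; then
+ cryptfs_status=1
+ else
+ if [ -n "${pre_mount}" ] ; then
+ dev="/dev/mapper/${target}"
+ eval ebegin \"" pre_mount: ${pre_mount}"\"
+ eval "${pre_mount}" > /dev/null
+ ewend $? || cryptfs_status=1
+ fi
+ fi
+}
+
+# Lookup optional bootparams
+get_bootparam_val() {
+ # We're given something like:
+ # foo=bar=cow
+ # Return the "bar=cow" part.
+ case $1 in
+ *=*)
+ echo "${1#*=}"
+ ;;
+ esac
+}
+
+start() {
+ local print_header=true cryptfs_status=0
+ local gpg_options key loop_file target targetline options pre_mount post_mount source swap remdev
+
+ local x
+ for x in $(cat /proc/cmdline) ; do
+ case "${x}" in
+ key_timeout=*)
+ dmcrypt_key_timeout=$(get_bootparam_val "${x}")
+ ;;
+ esac
+ done
+
+ while read targetline <&3 ; do
+ case ${targetline} in
+ # skip comments and blank lines
+ ""|"#"*) continue ;;
+ # skip service-specific openrc configs #377927
+ rc_*) continue ;;
+ esac
+
+ ${print_header} && ebegin "Setting up dm-crypt mappings"
+ print_header=false
+
+ # check for the start of a new target/swap
+ case ${targetline} in
+ target=*|swap=*)
+ # If we have a target queued up, then execute it
+ dm_crypt_execute
+
+ # Prepare for the next target/swap by resetting variables
+ unset gpg_options key loop_file target options pre_mount post_mount source swap remdev wait header header_opt
+ ;;
+
+ gpg_options=*|remdev=*|key=*|loop_file=*|options=*|pre_mount=*|post_mount=*|wait=*|source=*|header=*)
+ if [ -z "${target}${swap}" ] ; then
+ ewarn "Ignoring setting outside target/swap section: ${targetline}"
+ continue
+ fi
+ ;;
+
+ dmcrypt_*=*)
+ # ignore global options
+ continue
+ ;;
+
+ *)
+ ewarn "Skipping invalid line in ${conf_file}: ${targetline}"
+ ;;
+ esac
+
+ # Queue this setting for the next call to dm_crypt_execute
+ eval "${targetline}"
+ done 3< ${conf_file}
+
+ # If we have a target queued up, then execute it
+ dm_crypt_execute
+
+ ewend ${cryptfs_status} "Failed to setup dm-crypt devices"
+}
+
+stop() {
+ local line print_header
+
+ # Break down all mappings
+ print_header=true
+ egrep "^(target|swap)=" ${conf_file} | \
+ while read line ; do
+ ${print_header} && einfo "Removing dm-crypt mappings"
+ print_header=false
+
+ target= swap=
+ eval ${line}
+
+ [ -n "${swap}" ] && target=${swap}
+ if [ -z "${target}" ] ; then
+ ewarn "invalid line in ${conf_file}: ${line}"
+ continue
+ fi
+
+ ebegin " ${target}"
+ cryptsetup ${header_opt} remove ${target}
+ eend $?
+ done
+
+ # Break down loop devices
+ print_header=true
+ grep '^source=./dev/loop' ${conf_file} | \
+ while read line ; do
+ ${print_header} && einfo "Detaching dm-crypt loop devices"
+ print_header=false
+
+ source=
+ eval ${line}
+
+ ebegin " ${source}"
+ losetup -d "${source}"
+ eend $?
+ done
+
+ return 0
+}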
656 + ebegin " ${source}"
657 + losetup -d "${source}"
658 + eend $?
659 + done
660 +
661 + return 0
662 +}