commit: afaf583892dd618378dd559159777c49bb4b1b88 |
Author: Martin Kjær Jørgensen <mkj <AT> gotu <DOT> dk> |
AuthorDate: Sat Jan 22 09:46:01 2022 +0000 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
CommitDate: Mon Jan 24 17:02:52 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afaf5838 |
|
sys-fs/cryptsetup: add support for using detached LUKS headers |
|
Closes: https://bugs.gentoo.org/831806 |
Closes: https://github.com/gentoo/gentoo/pull/23908 |
Signed-off-by: Martin Kjær Jørgensen <mkj <AT> gotu.dk> |
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> |
|
sys-fs/cryptsetup/cryptsetup-2.4.3-r1.ebuild | 136 ++++++++++ |
sys-fs/cryptsetup/files/2.4.3-dmcrypt.confd | 120 +++++++++ |
sys-fs/cryptsetup/files/2.4.3-dmcrypt.rc | 367 +++++++++++++++++++++++++++ |
3 files changed, 623 insertions(+) |
|
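--- /dev/null
+++ b/sys-fs/cryptsetup/cryptsetup-2.4.3-r1.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit linux-info tmpfiles
+
+DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
+HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md"
+SRC_URI="https://www.kernel.org/pub/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0/12" # libcryptsetup.so version
+[[ ${PV} != *_rc* ]] && \
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
+# we don't support nss since it doesn't allow cryptsetup to be built statically
+# and it's missing ripemd160 support so it can't provide full backward compatibility
+IUSE="${CRYPTO_BACKENDS} +argon2 nls pwquality reencrypt ssh static static-libs test +udev urandom"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
+ static? ( !gcrypt !udev )" #496612
+
+LIB_DEPEND="
+ dev-libs/json-c:=[static-libs(+)]
+ dev-libs/popt[static-libs(+)]
+ >=sys-apps/util-linux-2.31-r1[static-libs(+)]
+ argon2? ( app-crypt/argon2:=[static-libs(+)] )
+ gcrypt? (
+ dev-libs/libgcrypt:0=[static-libs(+)]
+ dev-libs/libgpg-error[static-libs(+)]
+ )
+ nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
+ openssl? ( dev-libs/openssl:0=[static-libs(+)] )
+ pwquality? ( dev-libs/libpwquality[static-libs(+)] )
+ ssh? ( net-libs/libssh[static-libs(+)] )
+ sys-fs/lvm2[static-libs(+)]"
+# We have to always depend on ${LIB_DEPEND} rather than put behind
+# !static? () because we provide a shared library which links against
+# these other packages. #414665
+RDEPEND="static-libs? ( ${LIB_DEPEND} )
+ ${LIB_DEPEND//\[static-libs\([+-]\)\]}
+ udev? ( virtual/libudev:= )"
+# vim-core needed for xxd in tests
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )
+ test? ( app-editors/vim-core )"
+BDEPEND="
+ virtual/pkgconfig
+"
+
+S="${WORKDIR}/${P/_/-}"
+
+pkg_setup() {
+ local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
+ local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
+ local WARNING_CRYPTO_SHA256="CONFIG_CRYPTO_SHA256:\tis not set (required for cryptsetup)\n"
+ local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
+ local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
+ check_extra_config
+}
+
+src_prepare() {
+ sed -i '/^LOOPDEV=/s:$: || exit 0:' tests/{compat,mode}-test || die
+ default
+}
+
+src_configure() {
+ if use kernel ; then
+ ewarn "Note that kernel backend is very slow for this type of operation"
+ ewarn "and is provided mainly for embedded systems wanting to avoid"
+ ewarn "userspace crypto libraries."
+ fi
+
+ local myeconfargs=(
+ --disable-internal-argon2
+ --enable-shared
+ --sbindir=/sbin
+ # for later use
+ --with-default-luks-format=LUKS2
+ --with-tmpfilesdir="${EPREFIX}/usr/lib/tmpfiles.d"
+ --with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/} ; do usev ${x} ; done)
+ $(use_enable argon2 libargon2)
+ $(use_enable nls)
+ $(use_enable pwquality)
+ $(use_enable reencrypt cryptsetup-reencrypt)
+ $(use_enable !static external-tokens)
+ $(use_enable static static-cryptsetup)
+ $(use_enable static-libs static)
+ $(use_enable udev)
+ $(use_enable !urandom dev-random)
+ $(use_enable ssh ssh-token)
+ $(usex argon2 '' '--with-luks2-pbkdf=pbkdf2')
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ if [[ ! -e /dev/mapper/control ]] ; then
+ ewarn "No /dev/mapper/control found -- skipping tests"
+ return 0
+ fi
+
+ local p
+ for p in /dev/mapper /dev/loop* ; do
+ addwrite ${p}
+ done
+
+ default
+}
+
+src_install() {
+ default
+
+ if use static ; then
+ mv "${ED}"/sbin/cryptsetup{.static,} || die
+ mv "${ED}"/sbin/veritysetup{.static,} || die
+ mv "${ED}"/sbin/integritysetup{.static,} || die
+ if use ssh ; then
+ mv "${ED}"/sbin/cryptsetup-ssh{.static,} || die
+ fi
+ if use reencrypt ; then
+ mv "${ED}"/sbin/cryptsetup-reencrypt{.static,} || die
+ fi
+ fi
+ find "${ED}" -type f -name "*.la" -delete || die
+
+ dodoc docs/v*ReleaseNotes
+
+ newconfd "${FILESDIR}"/2.4.3-dmcrypt.confd dmcrypt
+ newinitd "${FILESDIR}"/2.4.3-dmcrypt.rc dmcrypt
+}
+
+pkg_postinst() {
+ tmpfiles_process cryptsetup.conf
+}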
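--- /dev/null
+++ b/sys-fs/cryptsetup/files/2.4.3-dmcrypt.confd
@@ -0,0 +1,120 @@
+# /etc/conf.d/dmcrypt
+
+# For people who run dmcrypt on top of some other layer (like raid),
+# use rc_need to specify that requirement. See the runscript(8) man
+# page for more information.
+
+#--------------------
+# Instructions
+#--------------------
+
+# Note regarding the syntax of this file. This file is *almost* bash,
+# but each line is evaluated separately. Separate swaps/targets can be
+# specified. The init-script which reads this file assumes that a
+# swap= or target= line starts a new section, similar to lilo or grub
+# configuration.
+
+# Note when using gpg keys and /usr on a separate partition, you will
+# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
+# and ensure that gpg has been compiled statically.
+# See http://bugs.gentoo.org/90482 for more information.
+
+# Note that the init-script which reads this file detects whether your
+# partition is LUKS or not. No mkfs is run unless you specify a makefs
+# option.
+
+# Global options:
+#----------------
+
+# How long to wait for each timeout (in seconds).
+dmcrypt_key_timeout=1
+
+# Max number of checks to perform (see dmcrypt_key_timeout).
+#dmcrypt_max_timeout=300
+
+# Number of password retries.
+dmcrypt_retries=5
+
+# Arguments:
+#-----------
+# target=<name> == Mapping name for partition.
+# swap=<name> == Mapping name for swap partition.
+# source='<dev>' == Real device for partition.
+# Note: You can (and should) specify a tag like UUID
+# for blkid (see -t option). This is safer than using
+# the full path to the device.
+# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.
+# header='</path/to/header>' == Full path to detached LUKS header file.
+# remdev='<dev>' == Device that will be assigned to removable media.
+# gpg_options='<opts>' == Default are --quiet --decrypt
+# options='<opts>' == cryptsetup, for LUKS you can only use --readonly
+# loop_file='<file>' == Loopback file.
+# Note: If you omit $source, then a free loopback will
+# be looked up automatically.
+# pre_mount='cmds' == commands to execute before mounting partition.
+# post_mount='cmds' == commands to execute after mounting partition.
+# wait=5 == wait given amount of seconds for source or
+# detached header file appear.
+#-----------
+# Supported Modes
+# gpg == decrypt and pipe key into cryptsetup.
+# Note: new-line character must not be part of key.
+# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'
+
+#--------------------
+# dm-crypt examples
+#--------------------
+
+## swap
+# Swap partitions. These should come first so that no keys make their
+# way into unencrypted swap.
+# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
+# If no makefs is given then mkswap will be assumed
+#swap=crypt-swap
+#source='/dev/hda2'
+
+## /home with passphrase
+#target=crypt-home
+#source='/dev/hda5'
+
+## /home with regular keyfile
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+
+## /home with regular keyfile and detached header
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+#header='/full/path/to/header/file'
+
+## /home with gpg protected key
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey:gpg'
+
+## /home with regular keyfile on removable media(such as usb-stick)
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+#remdev='/dev/sda1'
+
+## /home with gpg protected key on removable media(such as usb-stick)
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey:gpg'
+#remdev='/dev/sda1'
+
+## /tmp with regular keyfile
+#target=crypt-tmp
+#source='/dev/hda6'
+#key='/full/path/to/tmpkey'
+#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
+#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
+
+## Loopback file example
+#target='crypt-loop-home'
+#source='/dev/loop0'
+#loop_file='/mnt/crypt/home'
+
+# The file must be terminated by a newline. Or leave this comment last.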
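Review bot: The new `wait=` description is ungrammatical and does not say what the value actually is: the init script polls once per second up to `wait` times and defaults it to 5, so the comment should read `# wait=5 == seconds to wait for source or detached header file to appear (default 5).` It would also help to state next to `header=` that `source=` must still name the data device, since the init script passes the header as an extra option while still operating on `${source}`.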
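--- /dev/null
+++ b/sys-fs/cryptsetup/files/2.4.3-dmcrypt.rc
@@ -0,0 +1,367 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ use modules
+ before checkfs fsck
+
+ if grep -qs ^swap= "${conf_file}" ; then
+ before swap
+ fi
+}
+
+# We support multiple dmcrypt instances based on $SVCNAME
+conf_file="/etc/conf.d/${SVCNAME}"
+
+# Get splash helpers if available.
+if [ -e /sbin/splash-functions.sh ] ; then
+ . /sbin/splash-functions.sh
+fi
+
+# Setup mappings for an individual target/swap
+# Note: This relies on variables localized in the main body below.
+dm_crypt_execute() {
+ local dev ret mode foo source_dev
+
+ if [ -z "${target}" -a -z "${swap}" ] ; then
+ return
+ fi
+
+ # Set up default values.
+ : ${dmcrypt_key_timeout:=1}
+ : ${dmcrypt_max_timeout:=300}
+ : ${dmcrypt_retries:=5}
+ : ${wait:=5}
+
+ # Handle automatic look up of the source path.
+ if [ -z "${source}" -a -n "${loop_file}" ] ; then
+ source=$(losetup --show -f "${loop_file}")
+ fi
+ case ${source} in
+ *=*)
+ i=0
+ while [ ${i} -lt ${wait} ]; do
+ if source_dev="$(blkid -l -t "${source}" -o device)"; then
+ source="${source_dev}"
+ break
+ fi
+ : $((i += 1))
+ einfo "waiting for source \"${source}\" for ${target}..."
+ sleep 1
+ done
+ ;;
+ esac
+ if [ -z "${source}" ] || [ ! -e "${source}" ] ; then
+ ewarn "source \"${source}\" for ${target} missing, skipping..."
+ return
+ fi
+
+ if [ -n "${header}" ] ; then
+ header_opt="--header=${header}"
+
+ i=0
+ while [ ! -e "${header}" ] && [ ${i} -lt ${wait} ] ; do
+ : $((i += 1))
+ einfo "Waiting for header ${header} to appear for ${target} ${i}/${dmcrypt_max_timeout} ..."
+ sleep 1
+ done
+ if [ ${i} -gt ${wait} ] || [ ${i} -eq ${wait} ] ; then
+ ewarn "Waited ${i} times for header file ${header}. Aborting ${target}."
+ return
+ fi
+ else
+ header_opt=""
+ fi
+
+ if [ -n "${target}" ] ; then
+ # let user set options, otherwise leave empty
+ : ${options:=' '}
+ elif [ -n "${swap}" ] ; then
+ if cryptsetup ${header_opt} isLuks ${source} 2>/dev/null ; then
+ ewarn "The swap you have defined is a LUKS partition. Aborting crypt-swap setup."
+ return
+ fi
+ target=${swap}
+ # swap contents do not need to be preserved between boots, luks not required.
+ # suspend2 users should have initramfs's init handling their swap partition either way.
+ : ${options:='-c aes -h sha1 -d /dev/urandom'}
+ : ${pre_mount:='mkswap ${dev}'}
+ fi
+
+ if [ -n "${loop_file}" ] ; then
+ dev="/dev/mapper/${target}"
+ ebegin " Setting up loop device ${source}"
+ losetup ${source} ${loop_file}
+ fi
+
+ # cryptsetup:
+ # open <device> <name> # <device> is $source
+ # create <name> <device> # <name> is $target
+ local arg1="create" arg2="${target}" arg3="${source}"
+ if cryptsetup ${header_opt} isLuks ${source} 2>/dev/null ; then
+ arg1="open"
+ arg2="${source}"
+ arg3="${target}"
+ fi
+
+ # Older versions reported:
+ # ${target} is active:
+ # Newer versions report:
+ # ${target} is active[ and is in use.]
+ if cryptsetup ${header_opt} status ${target} | egrep -q ' is active' ; then
+ einfo "dm-crypt mapping ${target} is already configured"
+ return
+ fi
+ splash svc_input_begin ${SVCNAME} >/dev/null 2>&1
+
+ # Handle keys
+ if [ -n "${key}" ] ; then
+ read_abort() {
+ # some colors
+ local ans savetty resettty
+ [ -z "${NORMAL}" ] && eval $(eval_ecolors)
+ einfon " $1? (${WARN}yes${NORMAL}/${GOOD}No${NORMAL}) "
+ shift
+ # This is ugly as s**t. But POSIX doesn't provide `read -t`, so
+ # we end up having to implement our own crap with stty/etc...
+ savetty=$(stty -g)
+ resettty='stty ${savetty}; trap - EXIT HUP INT TERM'
+ trap 'eval "${resettty}"' EXIT HUP INT TERM
+ stty -icanon
+ stty min 0 time "$(( $2 * 10 ))"
+ ans=$(dd count=1 bs=1 2>/dev/null) || ans=''
+ eval "${resettty}"
+ if [ -z "${ans}" ] ; then
+ printf '\r'
+ else
+ echo
+ fi
+ case ${ans} in
+ [yY]) return 0;;
+ *) return 1;;
+ esac
+ }
+
+ # Notes: sed not used to avoid case where /usr partition is encrypted.
+ mode=${key##*:} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg
+ key=${key%:*}
+ case "${mode}" in
+ gpg|reg)
+ # handle key on removable device
+ if [ -n "${remdev}" ] ; then
+ # temp directory to mount removable device
+ local mntrem="${RC_SVCDIR}/dm-crypt-remdev.$$"
+ if [ ! -d "${mntrem}" ] ; then
+ if ! mkdir -p "${mntrem}" ; then
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: Unable to create temporary mount point '${mntrem}'"
+ return
+ fi
+ fi
+ i=0
+ einfo "Please insert removable device for ${target}"
+ while [ ${i} -lt ${dmcrypt_max_timeout} ] ; do
+ foo=""
+ if mount -n -o ro "${remdev}" "${mntrem}" 2>/dev/null >/dev/null ; then
+ # keyfile exists?
+ if [ ! -e "${mntrem}${key}" ] ; then
+ umount -n "${mntrem}"
+ rmdir "${mntrem}"
+ einfo "Cannot find ${key} on removable media."
+ read_abort "Abort" ${dmcrypt_key_timeout} && return
+ else
+ key="${mntrem}${key}"
+ break
+ fi
+ else
+ [ -e "${remdev}" ] \
+ && foo="mount failed" \
+ || foo="mount source not found"
+ fi
+ : $((i += 1))
+ read_abort "Stop waiting after $i attempts (${foo})" -t 1 && return
+ done
+ else # keyfile ! on removable device
+ if [ ! -e "${key}" ] ; then
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: keyfile ${key} does not exist."
+ return
+ fi
+ fi
+ ;;
+ *)
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: mode ${mode} is invalid."
+ return
+ ;;
+ esac
+ else
+ mode=none
+ fi
+ ebegin " ${target} using: ${header_opt} ${options} ${arg1} ${arg2} ${arg3}"
+ if [ "${mode}" = "gpg" ] ; then
+ : ${gpg_options:='-q -d'}
+ # gpg available ?
+ if command -v gpg >/dev/null ; then
+ i=0
+ while [ ${i} -lt ${dmcrypt_retries} ] ; do
+ # paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected.
+ # save stdin stdout stderr "values"
+ timeout ${dmcrypt_max_timeout} gpg ${gpg_options} ${key} 2>/dev/null | \
+ cryptsetup ${header_opt} --key-file - ${options} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ # The timeout command exits 124 when it times out.
+ [ ${ret} -eq 0 -o ${ret} -eq 124 ] && break
+ : $(( i += 1 ))
+ done
+ eend ${ret} "failure running cryptsetup"
+ else
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: cannot find gpg application."
+ einfo "You have to install app-crypt/gnupg first."
+ einfo "If you have /usr on its own partition, try copying gpg to /bin ."
+ fi
+ else
+ if [ "${mode}" = "reg" ] ; then
+ cryptsetup ${header_opt} ${options} -d ${key} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ eend ${ret} "failure running cryptsetup"
+ else
+ cryptsetup ${header_opt} ${options} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ eend ${ret} "failure running cryptsetup"
+ fi
+ fi
+ if [ -d "${mntrem}" ] ; then
+ umount -n ${mntrem} 2>/dev/null >/dev/null
+ rmdir ${mntrem} 2>/dev/null >/dev/null
+ fi
+ splash svc_input_end ${SVCNAME} >/dev/null 2>&1
+
+ if [ ${ret} -ne 0 ] ; then
+ cryptfs_status=1
+ else
+ if [ -n "${pre_mount}" ] ; then
+ dev="/dev/mapper/${target}"
+ eval ebegin \"" pre_mount: ${pre_mount}"\"
+ eval "${pre_mount}" > /dev/null
+ ewend $? || cryptfs_status=1
+ fi
+ fi
+}
+
+# Lookup optional bootparams
+get_bootparam_val() {
+ # We're given something like:
+ # foo=bar=cow
+ # Return the "bar=cow" part.
+ case $1 in
+ *=*)
+ echo "${1#*=}"
+ ;;
+ esac
+}
+
+start() {
+ local print_header=true cryptfs_status=0
+ local gpg_options key loop_file target targetline options pre_mount post_mount source swap remdev
+
+ local x
+ for x in $(cat /proc/cmdline) ; do
+ case "${x}" in
+ key_timeout=*)
+ dmcrypt_key_timeout=$(get_bootparam_val "${x}")
+ ;;
+ esac
+ done
+
+ while read targetline <&3 ; do
+ case ${targetline} in
+ # skip comments and blank lines
+ ""|"#"*) continue ;;
+ # skip service-specific openrc configs #377927
+ rc_*) continue ;;
+ esac
+
+ ${print_header} && ebegin "Setting up dm-crypt mappings"
+ print_header=false
+
+ # check for the start of a new target/swap
+ case ${targetline} in
+ target=*|swap=*)
+ # If we have a target queued up, then execute it
+ dm_crypt_execute
+
+ # Prepare for the next target/swap by resetting variables
+ unset gpg_options key loop_file target options pre_mount post_mount source swap remdev wait header header_opt
+ ;;
+
+ gpg_options=*|remdev=*|key=*|loop_file=*|options=*|pre_mount=*|post_mount=*|wait=*|source=*|header=*)
+ if [ -z "${target}${swap}" ] ; then
+ ewarn "Ignoring setting outside target/swap section: ${targetline}"
+ continue
+ fi
+ ;;
+
+ dmcrypt_*=*)
+ # ignore global options
+ continue
+ ;;
+
+ *)
+ ewarn "Skipping invalid line in ${conf_file}: ${targetline}"
+ ;;
+ esac
+
+ # Queue this setting for the next call to dm_crypt_execute
+ eval "${targetline}"
+ done 3< ${conf_file}
+
+ # If we have a target queued up, then execute it
+ dm_crypt_execute
+
+ ewend ${cryptfs_status} "Failed to setup dm-crypt devices"
+}
+
+stop() {
+ local line print_header
+
+ # Break down all mappings
+ print_header=true
+ egrep "^(target|swap)=" ${conf_file} | \
+ while read line ; do
+ ${print_header} && einfo "Removing dm-crypt mappings"
+ print_header=false
+
+ target= swap=
+ eval ${line}
+
+ [ -n "${swap}" ] && target=${swap}
+ if [ -z "${target}" ] ; then
+ ewarn "invalid line in ${conf_file}: ${line}"
+ continue
+ fi
+
+ ebegin " ${target}"
+ cryptsetup ${header_opt} remove ${target}
+ eend $?
+ done
+
+ # Break down loop devices
+ print_header=true
+ grep '^source=./dev/loop' ${conf_file} | \
+ while read line ; do
+ ${print_header} && einfo "Detaching dm-crypt loop devices"
+ print_header=false
+
+ source=
+ eval ${line}
+
+ ebegin " ${source}"
+ losetup -d "${source}"
+ eend $?
+ done
+
+ return 0
+}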
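Review bot: The detached-header wait in dm_crypt_execute aborts even when the header appears on the last poll: the `while` exits with `i` equal to `wait` whether or not `${header}` now exists, and the following `-gt`/`-eq` test returns regardless. Check the file rather than the counter, `if [ ! -e "${header}" ] ; then`, and let the progress line report the real bound, `${i}/${wait}` instead of `${i}/${dmcrypt_max_timeout}`. In stop(), `cryptsetup ${header_opt} remove ${target}` always expands `header_opt` empty, since stop only evals `target=`/`swap=` lines and never runs dm_crypt_execute; as `remove` works on the mapping name alone, the reference is dead and should go or carry a comment saying so. `header_opt` is also absent from the `local` list at the top of dm_crypt_execute even though start() unsets it per section, so it survives in the service's global scope after the function returns.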