commit: 17664fa2cfb06baec8074fc39c0f71a039db7cd3 |
Author: William Hubbs <williamh <AT> gentoo <DOT> org> |
AuthorDate: Fri Nov 2 18:17:40 2018 +0000 |
Commit: William Hubbs <williamh <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 2 18:21:02 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17664fa2 |
|
sys-fs/cryptsetup: 2.0.5-r1 bump |
|
Closes: https://bugs.gentoo.org/601448 |
Closes: https://bugs.gentoo.org/651998 |
Package-Manager: Portage-2.3.49, Repoman-2.3.11 |
Signed-off-by: William Hubbs <williamh <AT> gentoo.org> |
|
sys-fs/cryptsetup/cryptsetup-2.0.5-r1.ebuild | 130 ++++++++++ |
sys-fs/cryptsetup/files/2.0.5-dmcrypt.confd | 115 +++++++++ |
sys-fs/cryptsetup/files/2.0.5-dmcrypt.rc | 340 +++++++++++++++++++++++++++ |
3 files changed, 585 insertions(+) |
|
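diff --git a/sys-fs/cryptsetup/cryptsetup-2.0.5-r1.ebuild b/sys-fs/cryptsetup/cryptsetup-2.0.5-r1.ebuild
new file mode 100644
index 00000000000..5f5526582fe
--- /dev/null
+++ b/sys-fs/cryptsetup/cryptsetup-2.0.5-r1.ebuild
@@ -0,0 +1,130 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_{4,5,6,7}} )
+
+inherit autotools python-single-r1 linux-info libtool eapi7-ver
+
+DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
+HOMEPAGE="https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md"
+SRC_URI="mirror://kernel/linux/utils/${PN}/v$(ver_cut 1-2)/${P/_/-}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0/12" # libcryptsetup.so version
+[[ ${PV} != *_rc* ]] && \
+KEYWORDS="~amd64 ~arm64 ~mips ~s390 ~sh ~sparc ~x86"
+CRYPTO_BACKENDS="+gcrypt kernel nettle openssl"
+# we don't support nss since it doesn't allow cryptsetup to be built statically
+# and it's missing ripemd160 support so it can't provide full backward compatibility
+IUSE="${CRYPTO_BACKENDS} +argon2 libressl nls pwquality python reencrypt static static-libs +udev urandom"
+REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
+ python? ( ${PYTHON_REQUIRED_USE} )
+ static? ( !gcrypt )" #496612
+
+LIB_DEPEND="
+ dev-libs/json-c:=[static-libs(+)]
+ dev-libs/libgpg-error[static-libs(+)]
+ dev-libs/popt[static-libs(+)]
+ >=sys-apps/util-linux-2.31-r1[static-libs(+)]
+ argon2? ( app-crypt/argon2:=[static-libs(+)] )
+ gcrypt? ( dev-libs/libgcrypt:0=[static-libs(+)] )
+ nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
+ openssl? (
+ !libressl? ( dev-libs/openssl:0=[static-libs(+)] )
+ libressl? ( dev-libs/libressl:=[static-libs(+)] )
+ )
+ pwquality? ( dev-libs/libpwquality[static-libs(+)] )
+ sys-fs/lvm2[static-libs(+)]
+ udev? ( virtual/libudev[static-libs(+)] )"
+# We have to always depend on ${LIB_DEPEND} rather than put behind
+# !static? () because we provide a shared library which links against
+# these other packages. #414665
+RDEPEND="static-libs? ( ${LIB_DEPEND} )
+ ${LIB_DEPEND//\[static-libs\(+\)\]}
+ python? ( ${PYTHON_DEPS} )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig
+ static? ( ${LIB_DEPEND} )"
+
+S="${WORKDIR}/${P/_/-}"
+
+PATCHES=( "${FILESDIR}"/${PN}-2.0.4-fix-static-pwquality-build.patch )
+
+pkg_setup() {
+ local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC ~CRYPTO_SHA256"
+ local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
+ local WARNING_CRYPTO_SHA256="CONFIG_CRYPTO_SHA256:\tis not set (required for cryptsetup)\n"
+ local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
+ local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
+ check_extra_config
+}
+
+src_prepare() {
+ sed -i '/^LOOPDEV=/s:$: || exit 0:' tests/{compat,mode}-test || die
+ default
+ eautoreconf
+}
+
+src_configure() {
+ if use kernel ; then
+ ewarn "Note that kernel backend is very slow for this type of operation"
+ ewarn "and is provided mainly for embedded systems wanting to avoid"
+ ewarn "userspace crypto libraries."
+ fi
+
+ use python && python_setup
+
+ # We disable autotool python integration so we can use eclasses
+ # for proper integration with multiple python versions.
+ local myeconfargs=(
+ --disable-internal-argon2
+ --enable-shared
+ --sbindir=/sbin
+ # for later use
+ # --with-default-luks-format=LUKS2
+ --with-tmpfilesdir="${EPREFIX%/}/usr/lib/tmpfiles.d"
+ --with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/} ; do usev ${x} ; done)
+ $(use_enable argon2 libargon2)
+ $(use_enable nls)
+ $(use_enable pwquality)
+ $(use_enable python)
+ $(use_enable reencrypt cryptsetup-reencrypt)
+ $(use_enable static static-cryptsetup)
+ $(use_enable static-libs static)
+ $(use_enable udev)
+ $(use_enable !urandom dev-random)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ if [[ ! -e /dev/mapper/control ]] ; then
+ ewarn "No /dev/mapper/control found -- skipping tests"
+ return 0
+ fi
+
+ local p
+ for p in /dev/mapper /dev/loop* ; do
+ addwrite ${p}
+ done
+
+ default
+}
+
+src_install() {
+ default
+
+ if use static ; then
+ mv "${ED%}"/sbin/cryptsetup{.static,} || die
+ mv "${ED%}"/sbin/veritysetup{.static,} || die
+ use reencrypt && { mv "${ED%}"/sbin/cryptsetup-reencrypt{.static,} || die ; }
+ fi
+ find "${ED}" -name "*.la" -delete || die
+
+ dodoc docs/v*ReleaseNotes
+
+ newconfd "${FILESDIR}"/2.0.5-dmcrypt.confd dmcrypt
+ newinitd "${FILESDIR}"/2.0.5-dmcrypt.rc dmcrypt
+}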
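diff --git a/sys-fs/cryptsetup/files/2.0.5-dmcrypt.confd b/sys-fs/cryptsetup/files/2.0.5-dmcrypt.confd
new file mode 100644
index 00000000000..977d4b3172d
--- /dev/null
+++ b/sys-fs/cryptsetup/files/2.0.5-dmcrypt.confd
@@ -0,0 +1,115 @@
+# /etc/conf.d/dmcrypt
+
+# For people who run dmcrypt on top of some other layer (like raid),
+# use rc_need to specify that requirement. See the runscript(8) man
+# page for more information.
+
+# Along the same lines, if dmcrypt needs to be running before
+# localmount or netmount, please use rc_before to specify this
+# requirement.
+
+#--------------------
+# Instructions
+#--------------------
+
+# Note regarding the syntax of this file. This file is *almost* bash,
+# but each line is evaluated separately. Separate swaps/targets can be
+# specified. The init-script which reads this file assumes that a
+# swap= or target= line starts a new section, similar to lilo or grub
+# configuration.
+
+# Note when using gpg keys and /usr on a separate partition, you will
+# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
+# and ensure that gpg has been compiled statically.
+# See http://bugs.gentoo.org/90482 for more information.
+
+# Note that the init-script which reads this file detects whether your
+# partition is LUKS or not. No mkfs is run unless you specify a makefs
+# option.
+
+# Global options:
+#----------------
+
+# How long to wait for each timeout (in seconds).
+dmcrypt_key_timeout=1
+
+# Max number of checks to perform (see dmcrypt_key_timeout).
+#dmcrypt_max_timeout=300
+
+# Number of password retries.
+dmcrypt_retries=5
+
+# Arguments:
+#-----------
+# target=<name> == Mapping name for partition.
+# swap=<name> == Mapping name for swap partition.
+# source='<dev>' == Real device for partition.
+# Note: You can (and should) specify a tag like UUID
+# for blkid (see -t option). This is safer than using
+# the full path to the device.
+# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.
+# remdev='<dev>' == Device that will be assigned to removable media.
+# gpg_options='<opts>' == Default are --quiet --decrypt
+# options='<opts>' == cryptsetup, for LUKS you can only use --readonly
+# loop_file='<file>' == Loopback file.
+# Note: If you omit $source, then a free loopback will
+# be looked up automatically.
+# pre_mount='cmds' == commands to execute before mounting partition.
+# post_mount='cmds' == commands to execute after mounting partition.
+#-----------
+# Supported Modes
+# gpg == decrypt and pipe key into cryptsetup.
+# Note: new-line character must not be part of key.
+# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'
+
+#--------------------
+# dm-crypt examples
+#--------------------
+
+## swap
+# Swap partitions. These should come first so that no keys make their
+# way into unencrypted swap.
+# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
+# If no makefs is given then mkswap will be assumed
+#swap=crypt-swap
+#source='/dev/hda2'
+
+## /home with passphrase
+#target=crypt-home
+#source='/dev/hda5'
+
+## /home with regular keyfile
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+
+## /home with gpg protected key
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey:gpg'
+
+## /home with regular keyfile on removable media(such as usb-stick)
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey'
+#remdev='/dev/sda1'
+
+## /home with gpg protected key on removable media(such as usb-stick)
+#target=crypt-home
+#source='/dev/hda5'
+#key='/full/path/to/homekey:gpg'
+#remdev='/dev/sda1'
+
+## /tmp with regular keyfile
+#target=crypt-tmp
+#source='/dev/hda6'
+#key='/full/path/to/tmpkey'
+#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
+#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
+
+## Loopback file example
+#target='crypt-loop-home'
+#source='/dev/loop0'
+#loop_file='/mnt/crypt/home'
+
+# The file must be terminated by a newline. Or leave this comment last.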
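Review bot: The documented swap default, `-c aes -h sha1 -d /dev/urandom`, names only the cipher, so the chaining mode, IV generator and key size are left to whatever cryptsetup falls back to for a bare `aes` in plain mode, which as far as I know is a CBC mode with a plain sector-number IV. The same string is the fallback assigned to `options` for swap in dm_crypt_execute in 2.0.5-dmcrypt.rc, so both places would need to change together. I would spell the mode and key size out, for example `-c aes-xts-plain64 -s 256 -d /dev/urandom`, and update this comment to match. `-h sha1` probably has no effect when the key is read from a key file, which would be worth confirming and then dropping from the documented default.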
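diff --git a/sys-fs/cryptsetup/files/2.0.5-dmcrypt.rc b/sys-fs/cryptsetup/files/2.0.5-dmcrypt.rc
new file mode 100644
index 00000000000..555d216b50d
--- /dev/null
+++ b/sys-fs/cryptsetup/files/2.0.5-dmcrypt.rc
@@ -0,0 +1,340 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ after keymaps
+ before checkfs fsck
+
+ if grep -qs ^swap= "${conf_file}" ; then
+ before swap
+ fi
+}
+
+# We support multiple dmcrypt instances based on $SVCNAME
+conf_file="/etc/conf.d/${SVCNAME}"
+
+# Get splash helpers if available.
+if [ -e /sbin/splash-functions.sh ] ; then
+ . /sbin/splash-functions.sh
+fi
+
+# Setup mappings for an individual target/swap
+# Note: This relies on variables localized in the main body below.
+dm_crypt_execute() {
+ local dev ret mode foo
+
+ if [ -z "${target}" -a -z "${swap}" ] ; then
+ return
+ fi
+
+ # Set up default values.
+ : ${dmcrypt_key_timeout:=1}
+ : ${dmcrypt_max_timeout:=300}
+ : ${dmcrypt_retries:=5}
+
+ # Handle automatic look up of the source path.
+ if [ -z "${source}" -a -n "${loop_file}" ] ; then
+ source=$(losetup --show -f "${loop_file}")
+ fi
+ case ${source} in
+ *=*)
+ source=$(blkid -l -t "${source}" -o device)
+ ;;
+ esac
+ if [ -z "${source}" ] || [ ! -e "${source}" ] ; then
+ ewarn "source \"${source}\" for ${target} missing, skipping..."
+ return
+ fi
+
+ if [ -n "${target}" ] ; then
+ # let user set options, otherwise leave empty
+ : ${options:=' '}
+ elif [ -n "${swap}" ] ; then
+ if cryptsetup isLuks ${source} 2>/dev/null ; then
+ ewarn "The swap you have defined is a LUKS partition. Aborting crypt-swap setup."
+ return
+ fi
+ target=${swap}
+ # swap contents do not need to be preserved between boots, luks not required.
+ # suspend2 users should have initramfs's init handling their swap partition either way.
+ : ${options:='-c aes -h sha1 -d /dev/urandom'}
+ : ${pre_mount:='mkswap ${dev}'}
+ fi
+
+ if [ -n "${loop_file}" ] ; then
+ dev="/dev/mapper/${target}"
+ ebegin " Setting up loop device ${source}"
+ losetup ${source} ${loop_file}
+ fi
+
+ # cryptsetup:
+ # open <device> <name> # <device> is $source
+ # create <name> <device> # <name> is $target
+ local arg1="create" arg2="${target}" arg3="${source}"
+ if cryptsetup isLuks ${source} 2>/dev/null ; then
+ arg1="open"
+ arg2="${source}"
+ arg3="${target}"
+ fi
+
+ # Older versions reported:
+ # ${target} is active:
+ # Newer versions report:
+ # ${target} is active[ and is in use.]
+ if cryptsetup status ${target} | egrep -q ' is active' ; then
+ einfo "dm-crypt mapping ${target} is already configured"
+ return
+ fi
+ splash svc_input_begin ${SVCNAME} >/dev/null 2>&1
+
+ # Handle keys
+ if [ -n "${key}" ] ; then
+ read_abort() {
+ # some colors
+ local ans savetty resettty
+ [ -z "${NORMAL}" ] && eval $(eval_ecolors)
+ einfon " $1? (${WARN}yes${NORMAL}/${GOOD}No${NORMAL}) "
+ shift
+ # This is ugly as s**t. But POSIX doesn't provide `read -t`, so
+ # we end up having to implement our own crap with stty/etc...
+ savetty=$(stty -g)
+ resettty='stty ${savetty}; trap - EXIT HUP INT TERM'
+ trap 'eval "${resettty}"' EXIT HUP INT TERM
+ stty -icanon
+ stty min 0 time "$(( $2 * 10 ))"
+ ans=$(dd count=1 bs=1 2>/dev/null) || ans=''
+ eval "${resettty}"
+ if [ -z "${ans}" ] ; then
+ printf '\r'
+ else
+ echo
+ fi
+ case ${ans} in
+ [yY]) return 0;;
+ *) return 1;;
+ esac
+ }
+
+ # Notes: sed not used to avoid case where /usr partition is encrypted.
+ mode=${key##*:} && ( [ "${mode}" = "${key}" ] || [ -z "${mode}" ] ) && mode=reg
+ key=${key%:*}
+ case "${mode}" in
+ gpg|reg)
+ # handle key on removable device
+ if [ -n "${remdev}" ] ; then
+ # temp directory to mount removable device
+ local mntrem="${RC_SVCDIR}/dm-crypt-remdev.$$"
+ if [ ! -d "${mntrem}" ] ; then
+ if ! mkdir -p "${mntrem}" ; then
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: Unable to create temporary mount point '${mntrem}'"
+ return
+ fi
+ fi
+ i=0
+ einfo "Please insert removable device for ${target}"
+ while [ ${i} -lt ${dmcrypt_max_timeout} ] ; do
+ foo=""
+ if mount -n -o ro "${remdev}" "${mntrem}" 2>/dev/null >/dev/null ; then
+ # keyfile exists?
+ if [ ! -e "${mntrem}${key}" ] ; then
+ umount -n "${mntrem}"
+ rmdir "${mntrem}"
+ einfo "Cannot find ${key} on removable media."
+ read_abort "Abort" ${dmcrypt_key_timeout} && return
+ else
+ key="${mntrem}${key}"
+ break
+ fi
+ else
+ [ -e "${remdev}" ] \
+ && foo="mount failed" \
+ || foo="mount source not found"
+ fi
+ : $((i += 1))
+ read_abort "Stop waiting after $i attempts (${foo})" -t 1 && return
+ done
+ else # keyfile ! on removable device
+ if [ ! -e "${key}" ] ; then
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: keyfile ${key} does not exist."
+ return
+ fi
+ fi
+ ;;
+ *)
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: mode ${mode} is invalid."
+ return
+ ;;
+ esac
+ else
+ mode=none
+ fi
+ ebegin " ${target} using: ${options} ${arg1} ${arg2} ${arg3}"
+ if [ "${mode}" = "gpg" ] ; then
+ : ${gpg_options:='-q -d'}
+ # gpg available ?
+ if command -v gpg >/dev/null ; then
+ i=0
+ while [ ${i} -lt ${dmcrypt_retries} ] ; do
+ # paranoid, don't store key in a variable, pipe it so it stays very little in ram unprotected.
+ # save stdin stdout stderr "values"
+ timeout ${dmcrypt_max_timeout} gpg ${gpg_options} ${key} 2>/dev/null | \
+ cryptsetup --key-file - ${options} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ # The timeout command exits 124 when it times out.
+ [ ${ret} -eq 0 -o ${ret} -eq 124 ] && break
+ : $(( i += 1 ))
+ done
+ eend ${ret} "failure running cryptsetup"
+ else
+ ewarn "${source} will not be decrypted ..."
+ einfo "Reason: cannot find gpg application."
+ einfo "You have to install app-crypt/gnupg first."
+ einfo "If you have /usr on its own partition, try copying gpg to /bin ."
+ fi
+ else
+ if [ "${mode}" = "reg" ] ; then
+ cryptsetup ${options} -d ${key} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ eend ${ret} "failure running cryptsetup"
+ else
+ cryptsetup ${options} ${arg1} ${arg2} ${arg3}
+ ret=$?
+ eend ${ret} "failure running cryptsetup"
+ fi
+ fi
+ if [ -d "${mntrem}" ] ; then
+ umount -n ${mntrem} 2>/dev/null >/dev/null
+ rmdir ${mntrem} 2>/dev/null >/dev/null
+ fi
+ splash svc_input_end ${SVCNAME} >/dev/null 2>&1
+
+ if [ ${ret} -ne 0 ] ; then
+ cryptfs_status=1
+ else
+ if [ -n "${pre_mount}" ] ; then
+ dev="/dev/mapper/${target}"
+ eval ebegin \"" pre_mount: ${pre_mount}"\"
+ eval "${pre_mount}" > /dev/null
+ ewend $? || cryptfs_status=1
+ fi
+ fi
+}
+
+# Lookup optional bootparams
+get_bootparam_val() {
+ # We're given something like:
+ # foo=bar=cow
+ # Return the "bar=cow" part.
+ case $1 in
+ *=*)
+ echo "${1#*=}"
+ ;;
+ esac
+}
+
+start() {
+ local header=true cryptfs_status=0
+ local gpg_options key loop_file target targetline options pre_mount post_mount source swap remdev
+
+ local x
+ for x in $(cat /proc/cmdline) ; do
+ case "${x}" in
+ key_timeout=*)
+ dmcrypt_key_timeout=$(get_bootparam_val "${x}")
+ ;;
+ esac
+ done
+
+ while read targetline <&3 ; do
+ case ${targetline} in
+ # skip comments and blank lines
+ ""|"#"*) continue ;;
+ # skip service-specific openrc configs #377927
+ rc_*) continue ;;
+ esac
+
+ ${header} && ebegin "Setting up dm-crypt mappings"
+ header=false
+
+ # check for the start of a new target/swap
+ case ${targetline} in
+ target=*|swap=*)
+ # If we have a target queued up, then execute it
+ dm_crypt_execute
+
+ # Prepare for the next target/swap by resetting variables
+ unset gpg_options key loop_file target options pre_mount post_mount source swap remdev
+ ;;
+
+ gpg_options=*|remdev=*|key=*|loop_file=*|options=*|pre_mount=*|post_mount=*|source=*)
+ if [ -z "${target}${swap}" ] ; then
+ ewarn "Ignoring setting outside target/swap section: ${targetline}"
+ continue
+ fi
+ ;;
+
+ dmcrypt_*=*)
+ # ignore global options
+ continue
+ ;;
+
+ *)
+ ewarn "Skipping invalid line in ${conf_file}: ${targetline}"
+ ;;
+ esac
+
+ # Queue this setting for the next call to dm_crypt_execute
+ eval "${targetline}"
+ done 3< ${conf_file}
+
+ # If we have a target queued up, then execute it
+ dm_crypt_execute
+
+ ewend ${cryptfs_status} "Failed to setup dm-crypt devices"
+}
+
+stop() {
+ local line header
+
+ # Break down all mappings
+ header=true
+ egrep "^(target|swap)=" ${conf_file} | \
+ while read line ; do
+ ${header} && einfo "Removing dm-crypt mappings"
+ header=false
+
+ target= swap=
+ eval ${line}
+
+ [ -n "${swap}" ] && target=${swap}
+ if [ -z "${target}" ] ; then
+ ewarn "invalid line in ${conf_file}: ${line}"
+ continue
+ fi
+
+ ebegin " ${target}"
+ cryptsetup remove ${target}
+ eend $?
+ done
+
+ # Break down loop devices
+ header=true
+ grep '^source=./dev/loop' ${conf_file} | \
+ while read line ; do
+ ${header} && einfo "Detaching dm-crypt loop devices"
+ header=false
+
+ source=
+ eval ${line}
+
+ ebegin " ${source}"
+ losetup -d "${source}"
+ eend $?
+ done
+
+ return 0
+}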
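Review bot: In start(), the catch-all `*)` branch prints "Skipping invalid line" but has no `continue`, so the line still reaches `eval "${targetline}"` a few lines below and is executed as root; add `continue` after that `ewarn`, as the `dmcrypt_*=*` branch does. stop() has the related problem of running `eval ${line}` unquoted on anything that matches `^(target|swap)=`, so the rest of such a line is word-split and evaluated too; `eval "${line}"` at least keeps the value intact. Because every accepted line of ${conf_file} ends up in eval, and pre_mount is evaluated again in dm_crypt_execute, the script is only as trustworthy as that file's ownership and mode. A check before the read loop that the file is root-owned and not group- or world-writable would make that assumption explicit.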