From e1a9284dfbd683fc9550a772e46f8729f021d00b Mon Sep 17 00:00:00 2001
From: Gauvain Roussel-Tarbouriech
Date: Tue, 2 May 2017 19:20:25 +0200
Subject: [PATCH 1/9] Adding initramfs keyfile support
---
 defaults/00-crypt.sh | 337 +++++++++++++++++++++++++++++++++++++++
 defaults/linuxrc | 6 +
 doc/.genkernel.8.txt.swp | Bin 0 -> 45056 bytes
 doc/genkernel.8.txt | 14 +-
 4 files changed, 356 insertions(+), 1 deletion(-)
 create mode 100755 defaults/00-crypt.sh
 create mode 100644 doc/.genkernel.8.txt.swp
diff --git a/defaults/00-crypt.sh b/defaults/00-crypt.sh
new file mode 100755
index 00000000..c8fccc2e
--- /dev/null
+++ b/defaults/00-crypt.sh
@@ -0,0 +1,337 @@
+#!/bin/sh
+
+. /etc/initrd.d/00-common.sh
+. /etc/initrd.d/00-devmgr.sh
+. /etc/initrd.d/00-splash.sh
+. /etc/initrd.d/00-fsdev.sh
+
+CRYPTSETUP_BIN="/sbin/cryptsetup"
+KEY_MNT="/mnt/key"
+
+_bootstrap_key() {
+ local ltype="${1}"
+ local keydevs=$(device_list)
+
+ eval local keyloc='"${CRYPT_'${ltype}'_KEY}"'
+
+ media_find "key" "${keyloc}" "CRYPT_${ltype}_KEYDEV" "${KEY_MNT}" ${keydevs}
+}
+
+_crypt_exec() {
+ local luks_dev="${1}"
+ local ply_cmd="${2}" # command for use when plymouth is active
+ local tty_cmd="${3}" # command for use without plymouth
+ local do_ask="${4}" # whether we need a passphrase at all
+
+ if [ "${CRYPT_SILENT}" = "1" -o "${do_ask}" = "0" ]; then
+ eval ${tty_cmd} >/dev/null 2>/dev/null
+ else
+ ask_for_password --ply-tries 5 \
+ --ply-cmd "${ply_cmd}" \
+ --ply-prompt "Encryption password (${luks_dev}): " \
+ --tty-tries 5 \
+ --tty-cmd "${tty_cmd}" || return 1
+ return 0
+ fi
+}
+
+_open_luks() {
+ local luks_name="${1}"
+
+ case ${luks_name} in
+ root)
+ local ltypes=ROOTS
+ local ltype=ROOT
+ local real_dev="${REAL_ROOT}"
+ ;;
+ swap)
+ local ltypes=SWAPS
+ local ltype=SWAP
+ local real_dev="${REAL_RESUME}"
+ ;;
+ esac
+
+ eval local luks_devices='"${CRYPT_'${ltypes}'}"'
+ eval local luks_key='"${CRYPT_'${ltype}'_KEY}"'
+ eval local luks_keydev='"${CRYPT_'${ltype}'_KEYDEV}"'
+ eval local luks_trim='"${CRYPT_'${ltype}'_TRIM}"'
+ eval local init_key='"${CRYPT_'${ltype}'_INITKEY}"'
+
+ local dev_error=0 key_error=0 keydev_error=0
+ local mntkey="${KEY_MNT}/" cryptsetup_opts=""
+
+ local exit_st=0 luks_device=
+ for luks_device in ${luks_devices}; do
+
+ good_msg "Working on device ${luks_device}..."
+
+ while true; do
+
+ local gpg_ply_cmd=""
+ local gpg_tty_cmd=""
+ local passphrase_needed="1"
+
+ # do not force the link to /dev/mapper/root
+ # but rather use the value from root=, which is
+ # in ${REAL_ROOT}
+ # Using find_real_device to convert UUID= or LABEL=
+ # strings into actual device paths, this and basename
+ # avoid to create long strings that could be truncated
+ # by cryptsetup, generating a "DM-UUID for device %s was truncated"
+ # error.
+ local luks_dev_name=$(basename $(find_real_device "${luks_device}"))
+ local luks_name_prefix=
+
+ if echo "${real_dev}" | grep -q "^/dev/mapper/"; then
+ local real_dev_bn=$(basename "${real_dev}")
+ # If we use LVM + cryptsetup, we may have collisions between
+ # the two inside /dev/mapper. So, make up a way to avoid them.
+ luks_dev_name="${luks_name}_${luks_dev_name}-${real_dev_bn}"
+ fi
+
+ # if crypt_silent=1 and some error occurs, bail out.
+ local any_error=
+ [ "${dev_error}" = "1" ] && any_error=1
+ [ "${key_error}" = "1" ] && any_error=1
+ [ "${keydev_error}" = "1" ] && any_error=1
+ if [ "${CRYPT_SILENT}" = "1" ] && [ -n "${any_error}" ]; then
+ bad_msg "Failed to setup the LUKS device"
+ exit_st=1
+ break
+ fi
+
+ if [ "${dev_error}" = "1" ]; then
+ prompt_user "luks_device" "${luks_dev_name}"
+ dev_error=0
+ continue
+ fi
+
+ if [ "${key_error}" = "1" ]; then
+ prompt_user "luks_key" "${luks_dev_name} key"
+ key_error=0
+ continue
+ fi
+
+ if [ "${keydev_error}" = "1" ]; then
+ prompt_user "luks_keydev" "${luks_dev_name} key device"
+ keydev_error=0
+ continue
+ fi
+
+ local luks_dev=$(find_real_device "${luks_device}")
+ [ -n "${luks_dev}" ] && \
+ luks_device="${luks_dev}" # otherwise hope...
+
+ eval "${CRYPTSETUP_BIN} isLuks ${luks_device}" || {
+ bad_msg "${luks_device} does not contain a LUKS header"
+ dev_error=1
+ continue;
+ }
+
+ # Handle keys
+ if [ "${luks_trim}" = "yes" ]; then
+ good_msg "Enabling TRIM support for ${luks_dev_name}."
+ cryptsetup_opts="${cryptsetup_opts} --allow-discards"
+ fi
+
+ if [ -n "${luks_key}" ]; then
+ local real_luks_keydev="${luks_keydev}"
+
+ if [ ! -e "${mntkey}${luks_key}" ]; then
+ real_luks_keydev=$(find_real_device "${luks_keydev}")
+ good_msg "Using key device ${real_luks_keydev}."
+
+ if [ ! -b "${real_luks_keydev}" ]; then
+ bad_msg "Insert device ${luks_keydev} for ${luks_dev_name}"
+ bad_msg "You have 10 seconds..."
+ local count=10
+ while [ ${count} -gt 0 ]; do
+ count=$((count-1))
+ sleep 1
+
+ real_luks_keydev=$(find_real_device "${luks_keydev}")
+ [ ! -b "${real_luks_keydev}" ] || {
+ good_msg "Device ${real_luks_keydev} detected."
+ break;
+ }
+ done
+
+ if [ ! -b "${real_luks_keydev}" ]; then
+ eval CRYPT_${ltype}_KEY=${luks_key}
+ _bootstrap_key ${ltype}
+ eval luks_keydev='"${CRYPT_'${ltype}'_KEYDEV}"'
+
+ real_luks_keydev=$(find_real_device "${luks_keydev}")
+ if [ ! -b "${real_luks_keydev}" ]; then
+ keydev_error=1
+ bad_msg "Device ${luks_keydev} not found."
+ continue
+ fi
+
+ # continue otherwise will mount keydev which is
+ # mounted by bootstrap
+ continue
+ fi
+ fi
+
+ # At this point a device was recognized, now let's see
+ # if the key is there
+ mkdir -p "${mntkey}" # ignore
+
+ mount -n -o ro "${real_luks_keydev}" \
+ "${mntkey}" || {
+ keydev_error=1
+ bad_msg "Mounting of device ${real_luks_keydev} failed."
+ continue;
+ }
+
+ good_msg "Removable device ${real_luks_keydev} mounted."
+
+ if [ ! -e "${mntkey}${luks_key}" ]; then
+ umount -n "${mntkey}"
+ key_error=1
+ keydev_error=1
+ bad_msg "{luks_key} on ${real_luks_keydev} not found."
+ continue
+ fi
+ fi
+
+ # At this point a candidate key exists
+ # (either mounted before or not)
+ good_msg "${luks_key} on device ${real_luks_keydev} found"
+ if [ "$(echo ${luks_key} | grep -o '.gpg$')" = ".gpg" ] && \
+ [ -e /usr/bin/gpg ]; then
+
+ # TODO(lxnay): WTF is this?
+ [ -e /dev/tty ] && mv /dev/tty /dev/tty.org
+ mknod /dev/tty c 5 1
+
+ cryptsetup_opts="${cryptsetup_opts} -d -"
+ # if plymouth not in use, gpg reads keyfile passphrase...
+ gpg_tty_cmd="/usr/bin/gpg --logger-file /dev/null"
+ gpg_tty_cmd="${gpg_tty_cmd} --quiet --decrypt ${mntkey}${luks_key} | "
+ # but when plymouth is in use, keyfile passphrase piped in
+ gpg_ply_cmd="/usr/bin/gpg --logger-file /dev/null"
+ gpg_ply_cmd="${gpg_ply_cmd} --quiet --passphrase-fd 0 --batch --no-tty"
+ gpg_ply_cmd="${gpg_ply_cmd} --decrypt ${mntkey}${luks_key} | "
+ else
+ cryptsetup_opts="${cryptsetup_opts} -d ${mntkey}${luks_key}"
+ passphrase_needed="0" # keyfile not itself encrypted
+ fi
+ fi
+
+ # if we have a keyfile embedded in the initramfs
+ if [ -n "${init_key}" ]; then
+ if [ ! -e "${init_key}" ]; then
+ bad_msg "{init_key} on initramfs not found."
+ key_error=1
+ continue
+ fi
+ cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
+ fi
+
+ # At this point, keyfile or not, we're ready!
+ local ply_cmd="${gpg_ply_cmd}${CRYPTSETUP_BIN}"
+ local tty_cmd="${gpg_tty_cmd}${CRYPTSETUP_BIN}"
+ ply_cmd="${ply_cmd} ${cryptsetup_opts} luksOpen ${luks_device} ${luks_dev_name}"
+ tty_cmd="${tty_cmd} ${cryptsetup_opts} luksOpen ${luks_device} ${luks_dev_name}"
+ # send to a temporary shell script, so plymouth can
+ # invoke the pipeline successfully
+ local ply_cmd_file="$(mktemp -t "ply_cmd.XXXXXX")"
+ printf '#!/bin/sh\n%s\n' "${ply_cmd}" > "${ply_cmd_file}"
+ chmod 500 "${ply_cmd_file}"
+ _crypt_exec "${luks_device}" "${ply_cmd_file}" "${tty_cmd}" "${passphrase_needed}"
+ local ret="${?}"
+ rm -f "${ply_cmd_file}"
+
+ # TODO(lxnay): WTF is this?
+ [ -e /dev/tty.org ] \
+ && rm -f /dev/tty \
+ && mv /dev/tty.org /dev/tty
+
+ if [ "${ret}" = "0" ]; then
+ good_msg "LUKS device ${luks_device} opened"
+
+ # Note 1: This is fine if the crypt device is a physical device
+ # like /dev/sdaX, however, if we have cryptsetup inside
+ # LVM, we must tweak REAL_ROOT if there is no device node.
+ # Note 2: we should not activate md arrays yet, because
+ # they could be started in degraded mode and mdadm is so stupid
+ # that it may end up creating multiple md devices with the
+ # same UUID... Let's postpone this for the end
+ ( USE_MDADM=0
+ USE_DMRAID_NORMAL=0
+ start_volumes # this creates /dev/mapper links
+ )
+ if echo "${real_dev}" | grep -q "^/dev/mapper/"; then
+ if [ ! -e "${real_dev}" ]; then
+ # WARN: while for ltype=SWAP this may not be a problem,
+ # for ltype=ROOT this may render the system unbootable
+ # because lvm can get angry to see a symlink where it's
+ # not supposed to be or we may fail to create the proper
+ # link (due to the if above), however, reordering the
+ # cmdline entries may solve this.
+ good_msg "Creating symlink ${luks_dev_name} -> ${real_dev}"
+ ln -s "${luks_dev_name}" "${real_dev}" || exit_st=1
+ fi
+ fi
+
+ break
+ fi
+
+ bad_msg "Failed to open LUKS device ${luks_device}"
+ dev_error=1
+ key_error=1
+ keydev_error=1
+
+ done
+
+ done
+
+ umount -l "${mntkey}" 2>/dev/null >/dev/null
+ rmdir "${mntkey}" 2>/dev/null >/dev/null
+
+ return ${exit_st}
+}
+
+start_luks() {
+
+ local root_or_swap=
+ if [ -n "${CRYPT_ROOTS}" ] || [ -n "${CRYPT_SWAPS}" ]; then
+ root_or_swap=1
+ fi
+
+ if [ ! -e "${CRYPTSETUP_BIN}" ] && [ -n "${root_or_swap}" ]; then
+ bad_msg "${CRYPTSETUP_BIN} not found inside the initramfs"
+ return 1
+ fi
+
+ # if key is set but key device isn't, find it
+ [ -n "${CRYPT_ROOT_KEY}" ] && [ -z "${CRYPT_ROOT_KEYDEV}" ] \
+ && _bootstrap_key "ROOT"
+
+ if [ -n "${CRYPT_ROOTS}" ]; then
+ # force REAL_ROOT= to some value if not set
+ # this is mainly for backward compatibility,
+ # because grub2 always sets a valid root=
+ # and user must have it as well.
+ [ -z "${REAL_ROOT}" ] && REAL_ROOT="/dev/mapper/root"
+ _open_luks "root"
+ fi
+
+ [ -n "${CRYPT_SWAP_KEY}" ] && [ -z "${CRYPT_SWAP_KEYDEV}" ] \
+ && _bootstrap_key "SWAP"
+
+ if [ -n "${CRYPT_SWAPS}" ]; then
+ # force REAL_RESUME= to some value if not set
+ [ -z "${REAL_RESUME}" ] && REAL_RESUME="/dev/mapper/swap"
+ _open_luks "swap"
+ fi
+
+ if [ -n "${root_or_swap}" ]; then
+ # We postponed the initialization of raid devices
+ # in order to avoid to assemble possibly degraded
+ # arrays.
+ start_volumes
+ fi
+}
diff --git a/defaults/linuxrc b/defaults/linuxrc
index 1fd61557..8bfc7d68 100755
--- a/defaults/linuxrc
+++ b/defaults/linuxrc
@@ -218,6 +218,9 @@ for x in ${CMDLINE}; do
 root_key=*)
 CRYPT_ROOT_KEY=${x#*=}
+ ;;
+ root_initkey=*)
+ CRYPT_ROOT_INITKEY=${x#*=}
 ;;
 root_keydev=*)
 CRYPT_ROOT_KEYDEV=${x#*=}
@@ -228,6 +231,9 @@ for x in ${CMDLINE}; do
 swap_key=*)
 CRYPT_SWAP_KEY=${x#*=}
+ ;;
+ swap_initkey=*)
+ CRYPT_SWAP_INITKEY=${x#*=}
 ;;
 swap_keydev=*)
 CRYPT_SWAP_KEYDEV=${x#*=}
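Review bot: The initramfs-keyfile branch (`if [ -n "${init_key}" ]` in `_open_luks`) leaves `passphrase_needed` at "1", so `_crypt_exec` still routes the unlock through `ask_for_password` even though cryptsetup is being handed `-d ${init_key}`; the plain-keyfile branch just above sets `passphrase_needed="0"` with the comment "keyfile not itself encrypted", and this branch should do the same, i.e. `cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"` followed by `passphrase_needed="0"`. The error message also drops the dollar sign: `bad_msg "{init_key} on initramfs not found."` should read `bad_msg "${init_key} on initramfs not found."` (the same slip already exists in the `{luks_key}` message). When both `root_key=` and `root_initkey=` are supplied, `-d` is appended twice to `cryptsetup_opts` and nothing here says which one wins, so the combination should be rejected with a `bad_msg` or the precedence stated in a comment. Because the embedded key sits in clear inside the initramfs image, `-e` is a weak check; `[ ! -r "${init_key}" ]` would also catch a key that was packed with an unreadable mode, and a one-line comment noting that this option only makes sense when the initramfs itself is on an encrypted /boot (the grub cryptomount case the man page mentions) would help the next maintainer.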
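Review bot: `root_initkey=*)` stores the command-line value verbatim, while the consumer in the same patch only tests it with `-e` relative to the initramfs working directory and the new man page text says the value must be absolute; a relative or empty value therefore surfaces later as a generic "not found" and a prompt loop rather than a clear message. A guard at parse time, such as `case ${CRYPT_ROOT_INITKEY} in /*) ;; *) CRYPT_ROOT_INITKEY= ;; esac` together with a `bad_msg` (or whatever warning helper linuxrc already has in scope — not visible in this hunk), would make the failure explicit. The same applies to the `swap_initkey=*)` hunk that follows. The enclosing `for x in ${CMDLINE}` loop starts and ends outside the hunk.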
diff --git a/doc/.genkernel.8.txt.swp b/doc/.genkernel.8.txt.swp new file mode 100644 index 0000000000000000000000000000000000000000..94a1372ed6f14bf4662b2f7e57779d60255c9697 GIT binary patch literal 45056 zcmeI53zS?}b*2j(Y>TJOGhh-fZE#DS?rK@);blvTTk5vdrd!=nwJ?eU^6jeI-DOqP zE$UXO)#8y1F^>=+0WvT=0y99?g76wl2qeSX3A0u*0|ZtAOu~eL1o8qB2qc6s%=hne z&aGS3E!kuZlQlC{OTVi6-gD1mpMCb(XYYN^UETZS`Nink^4=1k%SxpeedyAY-%l^T z$HK!(rSDGllD;xFJ>E*a~^W*ngHs?$G?2zH~Y+CI#lU6sIUOv8b)7;^e zihdk9KC`$uf9%Ng(#p}f>VpuBFxfrSi4q?%D47N*Y}sQD8)Y z0SffGYg5#z%G)v7FwBE)4AJ+fhd_bx6W$@eJCE&&2 zMd111Ip8KR4~~ML1Wy1D1rGra2A6<;x__zko1hJ@2iJjb+^h~fZM=0xC}f1TmpU{qriv2o4_kT z8zkU5PzINROTfk8e_~kpHn;<%U=|z(hrlFwD7Yv1Zx|9j2R;iv27Uv)9{db=82B27 zkgtM21TP0o&;U1shl3vl4+HlEU&W~MY4CjTJdlE`z+=I^!JQaIUI|_Seij@A2f$U} z&oQX{8Tb9iNEL%0?2^ zlC`+k=tlJ{iYBI}>aDCBHyRUVZqKhpi%TbttsGifTG9P1Az7=WC+A(VY%+?{PE<>i zENZ2?YfndAGIr4*Q8$gor&rUoJ08Vr-J}z(_UesVy|rF0QQX8W6RmV=;;9p%-0Q9@ zSpjhtZ6=LI#CIXHYT8<>ulG7}x1P4jmN4nW8KtkL-Hj-2ZAI0z*{(N|T9mHdmQ=gZ z8h>O|te8!f_Bz!h>UNUE@;KgW(UM|AI=$9pG}eqyCsDK0?xgLcGZw8TYiTF(C0G@r zDYC6+11$;ZCqh$bCT*-XlDIVy)tl``oeH^&d0N+&oQ@munS|CTbxa%5f!YreA&M&P zq)OlqBrOu;UqB1GrhC`)u!ihN45+c49IoBa;@R6ir6=54{XI=ZpJUh8gN*gtQd62Dq;=C^|l=1oxlCe*mXIx(^GMENSuUbvAY^~R5 z^qJCibA{d=;UV08B~ zwKK`8aXUenJ-wH-=%PV}v6Oi$HMk}D#;4E3o#{rpUWjSquW{F(gw#>66_z1SS9|O0 zDySBBV|AUnRZ=M0Pa6F=SdI>D1;MMXBr9E?IFP3ZvIFtg>{T~HQ~0x;W?6le+$eLs zekSo^Fw|5snlkrJM$LMw-i#ZC3h_iOZ6()7#;p9sKcD{bHteh+^jx=-Hk{n0#?hIi zvzli0?pD-D&LoW}U5oNyzfiF$^7JjSL^NgZ)Z-8C)QzRtxkD$893gZtT3XhaulPZK zBt#I>T?H}kXh)lRS)wA`O$snl?o@&}r*wF!z#@f`PNu!6ifGN8)Qq;63!=2G3B{%f z$<4G=OFHG!;iS`z;hu2Uq_Pv-6A=tij|qy5HaF^YP|fvo+NOW%U5#Z}pj_&=DeG~o zLwaL}w9!a6#UvqbmrLBx3|S}DYC>ss>Q*jIxld`3T8A`^!tO{H<=BavwR(1XnojTX zdrfTZuZf!_REM7M^K;y)Sq9Ct)?=pRF?ZuUPwiArUgmk8aT${H>bd!5yq*juL)(b5 zZqm+dG7WkI{Oc+-$vo(4=!+&FDJU8t%#GGh>Ex(+&PsL*q6;$oDBZpmprb2xCQS5VYvu!!$oW1d=))jP=~qk|sP?FNI)bdlt2 
zJ?rYyj!Ma-=3A*vB^!5}X^##?*QoW-O=7P<(fsVRvanjK`Wxw{svX7%fT4?QXVB*$_z#l5?-=Vjji8MaUZr#?)y3wt9AKn^m)=kxO6)K&m%p93Rf*>7gUuOw29_drJQ_Lx0ZE+z8l!K z)M0{wFC3PBhs5Qb{rbVbo32Xn|Sd@N5uVYSL7VwpWol#?Rr=a>=o+ z@pNb&BotlZD62Q?jku!;q}LW@tt-X(p-+wbMjXg_?tEG`|JSro@z*QBdJFK%3ic4s{-L!|A+YeFS6!;9k>Pj6j%oPz}N8Me-3;Wd>A|z+zw8I2s{eh6WoCxzX!Tt z1<0@e$N2AG2YwZ7fk|*NxEJ_c{PiyY&j(d-1^76A`L}_$f?o%(1}_Br!R6pGa1ZcN z{PG_GZwFi8TJS_L2L3xf`B#IR!GpoK@wzaif`crB=aOTY&)nq=Uq;Ag-*xEJ^+e)ZRali=ZC7q}Gs9kdp`ZwD^` zyUbX7CT{ewId7QF7K2>8nx%~%c7JD!tCx1o<8{I_?M!MNta&nX;&AG0wPm(*MobJ$ zTT#+nO=_}8V#<@5E;pykgwKPgbb*ApJTPm?r&8Kgyndiu+LfG*aV%qm-rPuXgJ7q( z8d-U1GwosTUQ6O`uaoSFNU5rIk~O>ynC__Unwe*1Ce;OJ;-gG4;`u8mPesyL+l|4| zJPhp^%WNlUz{GNAI+utmyPaaQbndc79j|&EQOIi4rnaQZx^k?m@swF6E&*B%li1(2 zg6=kPC#_kssk$cBuq;+_BN_b$X^IKY4A$WmNujK+c9Ldl{`f6NGPw;^YoqO{Y%^{j zP@U;YESfNd?3k);hD|vN*&VQ~d>5O8Nojb5#I>Y~DHZ#*LM~+JS7rOTX9p%#2l0uz z%QBLo)inm=b$6p2ExSHFog{5B65c;~O|Y)3CK!G@iaOY=Q$g4jFN2)Z7?^3E8Q;|& zUkyBtjcy$t8K?q%6nCkFTwX~mmn1bnjLAcWh1fE(eshjBm1Z=6I=-Ss_FvtK7J8?% za&(f`%EDioD73f0>8hVf>W>`Jdor-_FrjEVR`D25fF8VXeF}Nz)$#Ny9}fBKRkv}?*GaR2->ERpjC$tm}xcm|f$nBXdbFKY;jEM4oG zE2k6JYtG+L;2ZVxjW|5aRmH&cBi;nFbz^rE`Qi(~qtIt0m4Igkzi&yIh+E?`F;0!u zdPClBE8LH;G!)!u6bUDa~bTw`;yi295aThxS$EF@-6)l@M~2yR@BK8IBwsO5WsJBS2p zc9AH%CC)92A&N+%nC#D`n!Hw$N^XA1rHrSL<*~zv^@a8O%@5WB{Un1-+!RSTM8R3b zsF_5PR3?zZ=70%AtLujTTn?>mE|wd<-H5A+>)VB7J+5vAmr(98jMh47(_fw1SAHDS z!vl{1n&>2P$skCjvpMQo#K&O$Y*3%Ca&#DjQ-t?D=B13Nl2=Kic->l6 zsI`<*)oUW#%BI}I(~UaL)Ty<4rzz<@QP7s@B{WYI9ttc>*ItFe1uXpu70~>}B(92v zE)c}TT!XBg#xd856$_;vsAu{qce}-)x`h;U3Kc+&pm9S&$~ru6T1ZO6Toi0*mL`~7 zUWvYh@8$Fsy>zXGV3CTY=meyCvl+Wy=#O`=8ddvsvb;3Ft7$tZzUZ2rP8~QBrD45@z5@8#$)=|Z_C<@qh6e|uC3~_H21y`{M5nolblAt#? 
zi5!XIbxk*nx-d$dU*GuO<}Vk6Anvu=xNM2J>*s8Yy;fHo1R5s{M6|1ID-;NJjy#-|^BjVLgpz=#4P3XCW) zqQHm(BMOWtFrvVS0wW5HDBvjI9Ar3+niB_hZzb6?Tj`!)3~8k4>D&zN&6h01*&Bwj zK}JHinwF*Il)3Y4Cox-W*_wvI5_64nl7C0Gf49n2% z%v(&g{@+6f-4DOC*8kyrzxT4tpf16PB+;DO-p@%MiYyav1)JR2;61#k_x7x)qI z7sLX*54;z=9;||Ka6fQg@OQ)nya)UScs1ArXTUAsiQoy~$HDiA5%_2D1)zQU?+0%J z4R9J92UmbcfQ!M$E+QTRyd8v?f8{@()c1Fr%Na2hNE_33@V z-Tuhj>WoJbFI?!vc+J-BJq@xXc}t_Lru=Ti*@muS53gc!vf(#iYH~>!Bk*W5$<2Hf zv&Sn+#pi)_U11LLnH9`%X4rEnrbt0Hg>-pl-e$O_omQ*8HH9AdT%9=ZWfw9l)@N`x zFk67;SLSCH=6|}l1Ng|X6Val!?1xR2?7_wsi|gw)%=`r4Sl-&yPXbjl{LJfE(e7D> zDWg8OAM0;6bs>CKlX6YQP-j=2#I2nloiJ|kJ^f_t494^r{^l7vD_+|TfgnHa?VY%n7v)3L)?Lo z@}|)DY^XG|rfi^i+9iY~x7`*p%h3`|=^0wBubjSl4`IWVOEYAN8`f{ccF(F~eE&fA zzSCuacbB-3l?y%HsPQZ=0+Qw>&*0!{(qxNwxzNM07(?zbOPxP|*c~fzmycJgJT9*d z^IX65C2!KtS;pCRqt$xLCN?5CqTQm@^jezQX&KY2ac7Ts$XkJ3O7d2;M_#K{!g!p; zntj>cP`t+`P7AW>Ki)++B;5lO=32L1gw86x+s|a`h^Hhidvsf6)fwl5Ue%qtUPH@M!ja6+bNzY`Fv5lS;I6Z}+gx$iS^WS!vU6t9 z?xeh4md~nNtvYXur`$IF85Dd&f0Y)NZk}40d-C8R8be;#@%{3*)z2O@Cy(EsiX377 zh?eb+WV!DLcN;#{#%1e{d?$A91@Yc7bKiL}$JX&FR|=h86m+!Td>gHCIZQ}mJ3AHh zz(Fpq4$dWs7!j>ZH}iF2(3me5-i(Jwj>|x&4yYM~1O#E+52=K;oyXs&HAlV52(_?B zhawJgr_O-0+WdQ>Qji=4cD=qZO5H<{Kt8#g^_h9cr+ZmvI_p%OSJYE~sBG13c;@k> z@MHUW7pCId+AnxuE*RpG{LqYrrNcH`hVvGr=CUt2938;cf05GpjBOUlo!YL4VkVAO zN@xsWD}i0)?bI0&+U4yzi`hYcs&e_%qS&!|HJ?{}qZB+99hN4pbL_MRk&Nh>4q<6T_MEAA(w0Kh{Mj(vRW-C*do`|}reDGuKrKC-wzX1# zyYhz0iD^N61Eaxo9hGDY1BG@JnnvDJ{$v8p_c}u%Z|C_+2)spWLi^z@mC!%qpisp5 zvY&TeYIl^3P5C=0SN>cC>P`{)%4V<)Ui}LTy!nAMirfJ{;TVSAwxf%PP4p+o#5(1hOE+xCzLuaI z&p>?5?s_>XPgP;rQb2-6;R3D~ zuus6Ij4)W0sIHo19jZ2I{J9NUk1+t`@mmf1NaN@Y4B^{Dd1*s06YYI5<9?~z#GAfK@Dg>fb0ZUfyV-!@%JTc z0AB>30B-?r2EPPqpbCzGaUgra{lTAM8~76VICwF55#ZGa`5Axv`27`Z178NRAv_P9 z0X?t^9t3o@-&;WqRDtXT4*>TE|A0N<4)8AU8jye*sDhJV2|NyHZ^8S(d%+vP7SR5J z8rTDNg9m^QV+Z&U_#k)(cpdl!a1+=Ac7w~o?_md!o#1WYm%&ZoG2lvY3D6#dkAPnX zYv57ffk6Fz8QA{OfDp?ff*q?$h=?0K2fCRCdEn$}uwPZ-;vx18lcZzU8)c?rFuPN& zqBts}(wA4y?HdovjY;Wn#B(AGQQcesk)O<_?R+xTz~X4M4B*LJ9lB87VLEh21*#!= 
zy*Sc@Abc9C@$1uZI^Jo--*5?Dmvqy0L2b35p&B|sNp!nVJv{kDO_$4ciUta`gDM$@ zNUMk~Gh64Yh@C4HbW_tKl4iTRW#!MbCE1{D7yC_+oZAW>NAO@VF$pgTgzjf?Lug^P z;)*R7B^gq0d=!$`6|L-C{8;%bv9n2TD-w!X4BG|E)l-9|4(Xkxr4uX5Csv}$+{y}v zeFd%aF#8lZ&4x*bbB#FkN$N#M^Q-nwbenBcwb2QnjByV??byh??(jk8_`RrxaqL#t zvdSenCYHj{Pmqx)ZBF3QdOIAxgWBAWk+Wrs=|xI7pivvS@@28OGORXSpjc4a?P0uV<=9$!)U?@`NfpCxD!>&TL?K~YKe%U~zHITA$2A4>a zsum&QQ9WtFZ;C2}OM*!z?=YRH!%>XvF+;*cd_oXmoHtaeN-?522pGp@)^No;Px*Lf z%ozE2KWxHgNYS=y@V@pB=}0$)aMK8Mcm|v`Bv*_E=Id6{9WYVNyGTIGJvnOwoWs+4 z+16@$b|5F_^MbNv70#C@K7GzQGsbc9Curl%lwa+Oc&LXro-{`Po zk=oG{&S7(5<8IyO%v@S)p{0@&n=quNqOcB>*WmHIz(v`docOg++@N(jeb?naZWgn4 zx|wv^RcAGG#;LNC*{rhRegwxkQ+@Ni9e1lfu@>|l_Br|K(DRL-HTAS-jqRrn8s$%5 z!*px?+#!a-+&kN;!h8967xDVy%O|k9`QMC5jn#a_%+zYQy*9%bV;(+o{KO$mxW&_N zRXeP;E+l{Az=Rx8c^h}^pnBzSWj^%K0PX8pHLG9v;YHgOCQGGft$_?&bToG_oXJn$ zSP7304#9J4{l4F^?yKF-S{5CjnV;P`1G|6W!jpY#nas&UM}Fp)FZ}fE;`s}&HMKV> ze?E6+`h(RF7M*wtVcoNtPQ5nOYr7GCsBgLwpZK+YuC%yC-h{WaXeAjnYjLgVb`Uc_ zhWU`m(ea5m%D8fIc4l_bsBKT4hm~*kmK+7}uVvGg^cFXMpK8p^{495p^bS`$Z>Vwg zv69&A;TpAL4_cOFj1_6;F0=$W5uLbk%e+vOmnREPUL24q{xS<-Eh259W)j9#hS5~e zH<(@YcrG3l3-6yd8~aXTN zi8q}@%WkPH7RE>jF5#Zfca!8(xm6^jnzB^V-3OeGVK0)ax;Cl#O!MV2Z9AjoOW-xS zk7GXjj<5WQ9V#G~>6o*3jfFurK;-an-pWC#tLG8C9O&(hW<%aq+M=^%gU8kHO7T_o zEoDbBf>N%i4TdwnaxKd!(Km&OXKVwN%h1;UY(X#mTm8rSKfE9BuUPMY4(MD!o&WbP z&;yDISObp*j{%o~&#>NqC3ppR7MKSY0i6TzH>~;p71~><% z!DlbRo&n^qFM}yC3A7e}B=`<%?azXDf}aOV;Gy6Tp!+MqD}eO@P31EcX>A9qy3$&IK82omD%Us+FC_NK3z^~y@Nby!g=`F#kh-@MUv0P8;xjx zFFwVY(&tX0LvViQ4eU#X;k7TMQLZJ*B-ihTGpfbx>pUIp&saKS%^R}bDmE>R9O6p! 
z;4$i5aR(Et&MO<7Zkk1vgsGzw!L6D7x?#P^wpeDIrk<%JcpY&Zw4&vD+X7qmXW`Nf zZFec;e|V$AY;lCd9K@Tp>e2qqw6S*0)#<()Tw_AQIjP5UwRH{@-H$c!bkZG4uu^YA z$|eJ1zXn$`hKPen+*ZWW%!!qwOUJd4p+QHCVqxdmI>t$}Pu4rA^_)|!Lx7QJ8)*lX zpq^zM>EI1|Y=*T%(PPuYpgx;eb>Ctrf?npGGB)4%`GlQ_eixhV9FoEdq4INp$%qN6 zYGE2qaLV6R@_SER{l+)C-F9}}^fZaHa-U4oJ}MNod9#1b99 zurCNvFWbQZv+s$bU(m102 z{!tOJbh8XPEwiLjd)5GmH#0X_cV*tvYc>)hvg%j_*qr8QAVuC~^%L;1_PMSmH#E%L z?GlKWXf^YhN@e3^BjSj6Sk_JFRJko(ki z99vt)nY?z8G$C!;k47J>6)eu9n58FM;5uT7N#`_lm&k528OOqb@rIQs9X zjEFs7kHfu5M`OQSU9bP7_dOgqVod$meS42$^GIs^Sni~H*F|=fx(6+&)jdEX9kHOu zn0q2}>GAox)NH#A$)mA6{TRG}YXjAx#1RlWCd3p;-!exKpWlL(Iyem3K-*{#f8_VY z`FeVaF`{_k1(rLbkxY1N*v@745~)0e^U}lqWz;^1(;C`mTsl6tymVaFq=+NrHO4(} zdBYro*d4PHXSVGTyPC7Gd8+{i26yA z^I{quMNx0Dme=Xidi4plER3!7p5h|W_KcN~9h;k*MbUxGnNC`T^M}qh8{<;h?WAr~ zru^DGny9zEAu))#d@nesriXV9gyTlS5i&cq)a<5a`ZRecKbV9 zhl*|7dI%wV()OdPJW0~rb2@3+6{>BU;QJ47NKANngp1g*MO**AY}_zd!{y_uc)-r| zfhvl8p!;JY6wA@01)6`6)HSJ}ed^uV)Qd>}Ocf;yL*SV83{MqA}v&_V1og&ez z9Q@EEKe~tw`60|W_7aFQVpO)ZJ@@4MS`Ik&sjbbv5k7$n$4z8TxfB1A;8W^7M6PiJj5O7ij&PDgNWeW2Q|3|R+#)8GjS70=DAUHthx zbezd?Gwnm|erB?}`>Gm0#6BxBWdRvtN@=36^n_pi+xhr(vOkb$dlwhd`ydgYS+E~i z4(j=QeW=WaXw&a$PqU%^cULEFap|5K#$@H@%8AM{YF>u26~=GG#~ZQjI%g92w}8md zZR7t;o%YWhBA^OBJaGbRlkZ%FB`oRWO>ETT%~dY@iT>dOj`l7r)R&!$PsT5Wt3DPG zQ0hNVrNfB%HGO?E|{2w{b#FsQM=A?D`L&#_)GSVk%rA%1#fIE-G zA_>PZgLl$Ne`hQ=(%4x%C~fX-5s=+Rl8FYkj#aT!G8+QLk zEO~ZIEq6!#U?cN$ty3iwj3>uGDGL_Ko${MGabsoQU1b&b3b_QYiZjC&_(Bs4_SaLb zw7$A#;kW*Ry-cV-+sOa_cGl@%1zP{JjJA*b{~0(5=*bR>;B&Yn?N>! 
z4e(^}5b!DN0PhBO0Qvu)3vLG;um{`^+!yFjgU{2jKLNi7ZU;Tk1vL=f^Y=u4e-k@_ z-s$&l@CL96w1*%9j{@31@JZ|hp8&rNGH@-B{Xnq*7Xifr+zCDk6c5k_2f+bw4frN@ zgpY!c0L1}37u*gqa14YvfGha@r`Q(W2;Kl*3Sw|8(4K)=a2a?2_})eAtpM);iU)Wt zcp*3pzKxyXTi`R`!{Dvp<>1*M0eT1EUhrU`kLQ%IorS{!`~2eXF?Dw|0qt}zJa^uQ zw%w5TXxl~9R790Rr+tK-FS@(l-kvy*4jxRaS)d+sWXYgg*+gEY@2Q$#;BVx?-lsk=si&!%}vohN#&=Z3fnMr$Wnh9vy-$5o$_@4!e z@5GR!m+~AikOUBoCcYPDNfXie_4hLT9y|cMi47Y zDx0Em>v-Z`zUBI+ zLQsGim89sH2_`hc?GhQ|PZpS*VYq*hcfc&n9gL=0qE}w4TmuN_A-M*v7I7nNX9U#o<{E4;NPi9XVIb`oMxJY?!f>)!{rj zHA$o)o;W$cT5`6(E61trj)=Cxl=2MgAQ1EIdqow2CEC7e{<}v1Jr3p9smWp9RzH~% z?UfK|qEZic(o+gcgjg(Kno2gPyV`KmU~$eB>V86fCo=F7Hu+m74xqZa7lzX5aIXy& z;#pl7qF5{SDFfU4NOK)R+F$P@Tudj;c!Q+!&89I6MSP^Txt$<>MM&A>i!;mPxLwTn zlO>)8EQ;N;YOy6@OO-Y;2_IuxZ%}gs)O^!ar!uoL zr{xV38DZ0JLR8Vr}ND#p=^~OG8PCF)q-TOrBU;REj*_w;Zq=`E*eU8JnxwdyVrP zt!{Gu=FA@=wH;qXV zb^UIMpf32<5Ij1I>+6>=(|G=QF{~Ini3n zRHdO=OsfDnNE|ig-RZ39Fi06;^1@ULZ{XXhEMJ(_@tE0G;02_QZ4TDU39Yi;i0RHW zME1K=rSWRQD{?@XwG2fs80NyTae*{Q+wYn~boK*ZMk z;9Bmdzj|-D6}Tfr_QO7F8CFSlW9v0-`94zwJRDo&#OJMTEAVA)qQe@IFZ$shdXL>NQ=t|BCwZmYWCY9yL{x#n!RCa zQSqA{7uTYB+>a3n4bJI?ghK?BFTa-hc#~nH2f`QYJ$e=1E1Bw?QsUJSRR({g=>z%X z?vK`G)TnUHrLy=Vms!o{XO%nQfh5%?F6GU*a!!8hE4P=G*-63$F)t;>bG8p3wj;qk z)5DW?AZ^MSl5KVpq3P;K^i%H1T(VW-T@@KlnK3jr?F@9CCg9Xbj(~;^IthA*!_gx? z1JCaC7}tizyX5(HJG(No)>bM69_d|&+Ffx}ehf2(o-SJ5c^U6!9rZD()nj?1ruEnK z%JKQd@sctMW&~Xsu!v)GBKU2}*^Sj+KLJwIl5BlWVKM)I3E%VIYwgGS|BS5w@x!yW z|4Z%r^5F9GcVSOV7r?E&~0Yy95@?*hL7UI02^FZgTL z_Eo*>-xU|UjQEf?+1EMfc5~K z04rb?TnWa&!@#Fm6a4GmM>-!IZp9jwYPX{yL2Cxr2 z2K+5+`>zAV9sE9c33xGhCb$h;3I6CJ>@VQG;NOE^1bQFA)4&{19KvP5`q=mH|Ic3| z`-T)VDVZbt21Llh(p;))SW7T(jqDpE`vx;?uuY8Y8{v4Ok$q!i-_Xliyj8+%2qBU` q*S1IYjgft0WZxLsH-ZgtWZ(GV+cyfv4U7@kShkrq+~tCq;(q}I<:: In case your root is encrypted with a key, you can use a device - like a usb pen to store the key. This value should be the key + like a usb pen to store the key. This value should be the key path relative to the mount point. 
+ If you need to use a keyfile embedded in the initramfs itself(for + example, when using grub cryptomount feature) please refer to + root_initkey=. + +*root_initkey*=<...>:: + In case your root is encrypted with a key embedded in the initramfs. + This value should be absolute using initramfs organisation. + This is useful when grub cryptomount is used to avoid typing the + same password twice, making the initramfs unlock itself. *root_keydev*=<...>:: If necessary provide the name of the device that carries the @@ -453,6 +462,9 @@ which the ramdisk scripts would recognize. *swap_key*=<...>:: Same as root_key for swap. +*swap_initkey*=<...>:: + Same as root_init_key for swap. + *swap_keydev*=<...>:: Same as root_keydev for swap. From d0eac45c61bfbedee9c74412a25a630c5377809f Mon Sep 17 00:00:00 2001 From: Gauvain Roussel-Tarbouriech Date: Tue, 2 May 2017 19:21:05 +0200 Subject: [PATCH 2/9] Adding documentation(and removing vim swap file) --- doc/.genkernel.8.txt.swp | Bin 45056 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 doc/.genkernel.8.txt.swp 
diff --git a/doc/.genkernel.8.txt.swp b/doc/.genkernel.8.txt.swp deleted file mode 100644 index 94a1372ed6f14bf4662b2f7e57779d60255c9697..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 45056 zcmeI53zS?}b*2j(Y>TJOGhh-fZE#DS?rK@);blvTTk5vdrd!=nwJ?eU^6jeI-DOqP zE$UXO)#8y1F^>=+0WvT=0y99?g76wl2qeSX3A0u*0|ZtAOu~eL1o8qB2qc6s%=hne z&aGS3E!kuZlQlC{OTVi6-gD1mpMCb(XYYN^UETZS`Nink^4=1k%SxpeedyAY-%l^T z$HK!(rSDGllD;xFJ>E*a~^W*ngHs?$G?2zH~Y+CI#lU6sIUOv8b)7;^e zihdk9KC`$uf9%Ng(#p}f>VpuBFxfrSi4q?%D47N*Y}sQD8)Y z0SffGYg5#z%G)v7FwBE)4AJ+fhd_bx6W$@eJCE&&2 zMd111Ip8KR4~~ML1Wy1D1rGra2A6<;x__zko1hJ@2iJjb+^h~fZM=0xC}f1TmpU{qriv2o4_kT z8zkU5PzINROTfk8e_~kpHn;<%U=|z(hrlFwD7Yv1Zx|9j2R;iv27Uv)9{db=82B27 zkgtM21TP0o&;U1shl3vl4+HlEU&W~MY4CjTJdlE`z+=I^!JQaIUI|_Seij@A2f$U} z&oQX{8Tb9iNEL%0?2^ zlC`+k=tlJ{iYBI}>aDCBHyRUVZqKhpi%TbttsGifTG9P1Az7=WC+A(VY%+?{PE<>i zENZ2?YfndAGIr4*Q8$gor&rUoJ08Vr-J}z(_UesVy|rF0QQX8W6RmV=;;9p%-0Q9@ zSpjhtZ6=LI#CIXHYT8<>ulG7}x1P4jmN4nW8KtkL-Hj-2ZAI0z*{(N|T9mHdmQ=gZ z8h>O|te8!f_Bz!h>UNUE@;KgW(UM|AI=$9pG}eqyCsDK0?xgLcGZw8TYiTF(C0G@r zDYC6+11$;ZCqh$bCT*-XlDIVy)tl``oeH^&d0N+&oQ@munS|CTbxa%5f!YreA&M&P zq)OlqBrOu;UqB1GrhC`)u!ihN45+c49IoBa;@R6ir6=54{XI=ZpJUh8gN*gtQd62Dq;=C^|l=1oxlCe*mXIx(^GMENSuUbvAY^~R5 z^qJCibA{d=;UV08B~ zwKK`8aXUenJ-wH-=%PV}v6Oi$HMk}D#;4E3o#{rpUWjSquW{F(gw#>66_z1SS9|O0 zDySBBV|AUnRZ=M0Pa6F=SdI>D1;MMXBr9E?IFP3ZvIFtg>{T~HQ~0x;W?6le+$eLs zekSo^Fw|5snlkrJM$LMw-i#ZC3h_iOZ6()7#;p9sKcD{bHteh+^jx=-Hk{n0#?hIi zvzli0?pD-D&LoW}U5oNyzfiF$^7JjSL^NgZ)Z-8C)QzRtxkD$893gZtT3XhaulPZK zBt#I>T?H}kXh)lRS)wA`O$snl?o@&}r*wF!z#@f`PNu!6ifGN8)Qq;63!=2G3B{%f z$<4G=OFHG!;iS`z;hu2Uq_Pv-6A=tij|qy5HaF^YP|fvo+NOW%U5#Z}pj_&=DeG~o zLwaL}w9!a6#UvqbmrLBx3|S}DYC>ss>Q*jIxld`3T8A`^!tO{H<=BavwR(1XnojTX zdrfTZuZf!_REM7M^K;y)Sq9Ct)?=pRF?ZuUPwiArUgmk8aT${H>bd!5yq*juL)(b5 zZqm+dG7WkI{Oc+-$vo(4=!+&FDJU8t%#GGh>Ex(+&PsL*q6;$oDBZpmprb2xCQS5VYvu!!$oW1d=))jP=~qk|sP?FNI)bdlt2 
zJ?rYyj!Ma-=3A*vB^!5}X^##?*QoW-O=7P<(fsVRvanjK`Wxw{svX7%fT4?QXVB*$_z#l5?-=Vjji8MaUZr#?)y3wt9AKn^m)=kxO6)K&m%p93Rf*>7gUuOw29_drJQ_Lx0ZE+z8l!K z)M0{wFC3PBhs5Qb{rbVbo32Xn|Sd@N5uVYSL7VwpWol#?Rr=a>=o+ z@pNb&BotlZD62Q?jku!;q}LW@tt-X(p-+wbMjXg_?tEG`|JSro@z*QBdJFK%3ic4s{-L!|A+YeFS6!;9k>Pj6j%oPz}N8Me-3;Wd>A|z+zw8I2s{eh6WoCxzX!Tt z1<0@e$N2AG2YwZ7fk|*NxEJ_c{PiyY&j(d-1^76A`L}_$f?o%(1}_Br!R6pGa1ZcN z{PG_GZwFi8TJS_L2L3xf`B#IR!GpoK@wzaif`crB=aOTY&)nq=Uq;Ag-*xEJ^+e)ZRali=ZC7q}Gs9kdp`ZwD^` zyUbX7CT{ewId7QF7K2>8nx%~%c7JD!tCx1o<8{I_?M!MNta&nX;&AG0wPm(*MobJ$ zTT#+nO=_}8V#<@5E;pykgwKPgbb*ApJTPm?r&8Kgyndiu+LfG*aV%qm-rPuXgJ7q( z8d-U1GwosTUQ6O`uaoSFNU5rIk~O>ynC__Unwe*1Ce;OJ;-gG4;`u8mPesyL+l|4| zJPhp^%WNlUz{GNAI+utmyPaaQbndc79j|&EQOIi4rnaQZx^k?m@swF6E&*B%li1(2 zg6=kPC#_kssk$cBuq;+_BN_b$X^IKY4A$WmNujK+c9Ldl{`f6NGPw;^YoqO{Y%^{j zP@U;YESfNd?3k);hD|vN*&VQ~d>5O8Nojb5#I>Y~DHZ#*LM~+JS7rOTX9p%#2l0uz z%QBLo)inm=b$6p2ExSHFog{5B65c;~O|Y)3CK!G@iaOY=Q$g4jFN2)Z7?^3E8Q;|& zUkyBtjcy$t8K?q%6nCkFTwX~mmn1bnjLAcWh1fE(eshjBm1Z=6I=-Ss_FvtK7J8?% za&(f`%EDioD73f0>8hVf>W>`Jdor-_FrjEVR`D25fF8VXeF}Nz)$#Ny9}fBKRkv}?*GaR2->ERpjC$tm}xcm|f$nBXdbFKY;jEM4oG zE2k6JYtG+L;2ZVxjW|5aRmH&cBi;nFbz^rE`Qi(~qtIt0m4Igkzi&yIh+E?`F;0!u zdPClBE8LH;G!)!u6bUDa~bTw`;yi295aThxS$EF@-6)l@M~2yR@BK8IBwsO5WsJBS2p zc9AH%CC)92A&N+%nC#D`n!Hw$N^XA1rHrSL<*~zv^@a8O%@5WB{Un1-+!RSTM8R3b zsF_5PR3?zZ=70%AtLujTTn?>mE|wd<-H5A+>)VB7J+5vAmr(98jMh47(_fw1SAHDS z!vl{1n&>2P$skCjvpMQo#K&O$Y*3%Ca&#DjQ-t?D=B13Nl2=Kic->l6 zsI`<*)oUW#%BI}I(~UaL)Ty<4rzz<@QP7s@B{WYI9ttc>*ItFe1uXpu70~>}B(92v zE)c}TT!XBg#xd856$_;vsAu{qce}-)x`h;U3Kc+&pm9S&$~ru6T1ZO6Toi0*mL`~7 zUWvYh@8$Fsy>zXGV3CTY=meyCvl+Wy=#O`=8ddvsvb;3Ft7$tZzUZ2rP8~QBrD45@z5@8#$)=|Z_C<@qh6e|uC3~_H21y`{M5nolblAt#? 
zi5!XIbxk*nx-d$dU*GuO<}Vk6Anvu=xNM2J>*s8Yy;fHo1R5s{M6|1ID-;NJjy#-|^BjVLgpz=#4P3XCW) zqQHm(BMOWtFrvVS0wW5HDBvjI9Ar3+niB_hZzb6?Tj`!)3~8k4>D&zN&6h01*&Bwj zK}JHinwF*Il)3Y4Cox-W*_wvI5_64nl7C0Gf49n2% z%v(&g{@+6f-4DOC*8kyrzxT4tpf16PB+;DO-p@%MiYyav1)JR2;61#k_x7x)qI z7sLX*54;z=9;||Ka6fQg@OQ)nya)UScs1ArXTUAsiQoy~$HDiA5%_2D1)zQU?+0%J z4R9J92UmbcfQ!M$E+QTRyd8v?f8{@()c1Fr%Na2hNE_33@V z-Tuhj>WoJbFI?!vc+J-BJq@xXc}t_Lru=Ti*@muS53gc!vf(#iYH~>!Bk*W5$<2Hf zv&Sn+#pi)_U11LLnH9`%X4rEnrbt0Hg>-pl-e$O_omQ*8HH9AdT%9=ZWfw9l)@N`x zFk67;SLSCH=6|}l1Ng|X6Val!?1xR2?7_wsi|gw)%=`r4Sl-&yPXbjl{LJfE(e7D> zDWg8OAM0;6bs>CKlX6YQP-j=2#I2nloiJ|kJ^f_t494^r{^l7vD_+|TfgnHa?VY%n7v)3L)?Lo z@}|)DY^XG|rfi^i+9iY~x7`*p%h3`|=^0wBubjSl4`IWVOEYAN8`f{ccF(F~eE&fA zzSCuacbB-3l?y%HsPQZ=0+Qw>&*0!{(qxNwxzNM07(?zbOPxP|*c~fzmycJgJT9*d z^IX65C2!KtS;pCRqt$xLCN?5CqTQm@^jezQX&KY2ac7Ts$XkJ3O7d2;M_#K{!g!p; zntj>cP`t+`P7AW>Ki)++B;5lO=32L1gw86x+s|a`h^Hhidvsf6)fwl5Ue%qtUPH@M!ja6+bNzY`Fv5lS;I6Z}+gx$iS^WS!vU6t9 z?xeh4md~nNtvYXur`$IF85Dd&f0Y)NZk}40d-C8R8be;#@%{3*)z2O@Cy(EsiX377 zh?eb+WV!DLcN;#{#%1e{d?$A91@Yc7bKiL}$JX&FR|=h86m+!Td>gHCIZQ}mJ3AHh zz(Fpq4$dWs7!j>ZH}iF2(3me5-i(Jwj>|x&4yYM~1O#E+52=K;oyXs&HAlV52(_?B zhawJgr_O-0+WdQ>Qji=4cD=qZO5H<{Kt8#g^_h9cr+ZmvI_p%OSJYE~sBG13c;@k> z@MHUW7pCId+AnxuE*RpG{LqYrrNcH`hVvGr=CUt2938;cf05GpjBOUlo!YL4VkVAO zN@xsWD}i0)?bI0&+U4yzi`hYcs&e_%qS&!|HJ?{}qZB+99hN4pbL_MRk&Nh>4q<6T_MEAA(w0Kh{Mj(vRW-C*do`|}reDGuKrKC-wzX1# zyYhz0iD^N61Eaxo9hGDY1BG@JnnvDJ{$v8p_c}u%Z|C_+2)spWLi^z@mC!%qpisp5 zvY&TeYIl^3P5C=0SN>cC>P`{)%4V<)Ui}LTy!nAMirfJ{;TVSAwxf%PP4p+o#5(1hOE+xCzLuaI z&p>?5?s_>XPgP;rQb2-6;R3D~ zuus6Ij4)W0sIHo19jZ2I{J9NUk1+t`@mmf1NaN@Y4B^{Dd1*s06YYI5<9?~z#GAfK@Dg>fb0ZUfyV-!@%JTc z0AB>30B-?r2EPPqpbCzGaUgra{lTAM8~76VICwF55#ZGa`5Axv`27`Z178NRAv_P9 z0X?t^9t3o@-&;WqRDtXT4*>TE|A0N<4)8AU8jye*sDhJV2|NyHZ^8S(d%+vP7SR5J z8rTDNg9m^QV+Z&U_#k)(cpdl!a1+=Ac7w~o?_md!o#1WYm%&ZoG2lvY3D6#dkAPnX zYv57ffk6Fz8QA{OfDp?ff*q?$h=?0K2fCRCdEn$}uwPZ-;vx18lcZzU8)c?rFuPN& zqBts}(wA4y?HdovjY;Wn#B(AGQQcesk)O<_?R+xTz~X4M4B*LJ9lB87VLEh21*#!= 
zy*Sc@Abc9C@$1uZI^Jo--*5?Dmvqy0L2b35p&B|sNp!nVJv{kDO_$4ciUta`gDM$@ zNUMk~Gh64Yh@C4HbW_tKl4iTRW#!MbCE1{D7yC_+oZAW>NAO@VF$pgTgzjf?Lug^P z;)*R7B^gq0d=!$`6|L-C{8;%bv9n2TD-w!X4BG|E)l-9|4(Xkxr4uX5Csv}$+{y}v zeFd%aF#8lZ&4x*bbB#FkN$N#M^Q-nwbenBcwb2QnjByV??byh??(jk8_`RrxaqL#t zvdSenCYHj{Pmqx)ZBF3QdOIAxgWBAWk+Wrs=|xI7pivvS@@28OGORXSpjc4a?P0uV<=9$!)U?@`NfpCxD!>&TL?K~YKe%U~zHITA$2A4>a zsum&QQ9WtFZ;C2}OM*!z?=YRH!%>XvF+;*cd_oXmoHtaeN-?522pGp@)^No;Px*Lf z%ozE2KWxHgNYS=y@V@pB=}0$)aMK8Mcm|v`Bv*_E=Id6{9WYVNyGTIGJvnOwoWs+4 z+16@$b|5F_^MbNv70#C@K7GzQGsbc9Curl%lwa+Oc&LXro-{`Po zk=oG{&S7(5<8IyO%v@S)p{0@&n=quNqOcB>*WmHIz(v`docOg++@N(jeb?naZWgn4 zx|wv^RcAGG#;LNC*{rhRegwxkQ+@Ni9e1lfu@>|l_Br|K(DRL-HTAS-jqRrn8s$%5 z!*px?+#!a-+&kN;!h8967xDVy%O|k9`QMC5jn#a_%+zYQy*9%bV;(+o{KO$mxW&_N zRXeP;E+l{Az=Rx8c^h}^pnBzSWj^%K0PX8pHLG9v;YHgOCQGGft$_?&bToG_oXJn$ zSP7304#9J4{l4F^?yKF-S{5CjnV;P`1G|6W!jpY#nas&UM}Fp)FZ}fE;`s}&HMKV> ze?E6+`h(RF7M*wtVcoNtPQ5nOYr7GCsBgLwpZK+YuC%yC-h{WaXeAjnYjLgVb`Uc_ zhWU`m(ea5m%D8fIc4l_bsBKT4hm~*kmK+7}uVvGg^cFXMpK8p^{495p^bS`$Z>Vwg zv69&A;TpAL4_cOFj1_6;F0=$W5uLbk%e+vOmnREPUL24q{xS<-Eh259W)j9#hS5~e zH<(@YcrG3l3-6yd8~aXTN zi8q}@%WkPH7RE>jF5#Zfca!8(xm6^jnzB^V-3OeGVK0)ax;Cl#O!MV2Z9AjoOW-xS zk7GXjj<5WQ9V#G~>6o*3jfFurK;-an-pWC#tLG8C9O&(hW<%aq+M=^%gU8kHO7T_o zEoDbBf>N%i4TdwnaxKd!(Km&OXKVwN%h1;UY(X#mTm8rSKfE9BuUPMY4(MD!o&WbP z&;yDISObp*j{%o~&#>NqC3ppR7MKSY0i6TzH>~;p71~><% z!DlbRo&n^qFM}yC3A7e}B=`<%?azXDf}aOV;Gy6Tp!+MqD}eO@P31EcX>A9qy3$&IK82omD%Us+FC_NK3z^~y@Nby!g=`F#kh-@MUv0P8;xjx zFFwVY(&tX0LvViQ4eU#X;k7TMQLZJ*B-ihTGpfbx>pUIp&saKS%^R}bDmE>R9O6p! 
z;4$i5aR(Et&MO<7Zkk1vgsGzw!L6D7x?#P^wpeDIrk<%JcpY&Zw4&vD+X7qmXW`Nf zZFec;e|V$AY;lCd9K@Tp>e2qqw6S*0)#<()Tw_AQIjP5UwRH{@-H$c!bkZG4uu^YA z$|eJ1zXn$`hKPen+*ZWW%!!qwOUJd4p+QHCVqxdmI>t$}Pu4rA^_)|!Lx7QJ8)*lX zpq^zM>EI1|Y=*T%(PPuYpgx;eb>Ctrf?npGGB)4%`GlQ_eixhV9FoEdq4INp$%qN6 zYGE2qaLV6R@_SER{l+)C-F9}}^fZaHa-U4oJ}MNod9#1b99 zurCNvFWbQZv+s$bU(m102 z{!tOJbh8XPEwiLjd)5GmH#0X_cV*tvYc>)hvg%j_*qr8QAVuC~^%L;1_PMSmH#E%L z?GlKWXf^YhN@e3^BjSj6Sk_JFRJko(ki z99vt)nY?z8G$C!;k47J>6)eu9n58FM;5uT7N#`_lm&k528OOqb@rIQs9X zjEFs7kHfu5M`OQSU9bP7_dOgqVod$meS42$^GIs^Sni~H*F|=fx(6+&)jdEX9kHOu zn0q2}>GAox)NH#A$)mA6{TRG}YXjAx#1RlWCd3p;-!exKpWlL(Iyem3K-*{#f8_VY z`FeVaF`{_k1(rLbkxY1N*v@745~)0e^U}lqWz;^1(;C`mTsl6tymVaFq=+NrHO4(} zdBYro*d4PHXSVGTyPC7Gd8+{i26yA z^I{quMNx0Dme=Xidi4plER3!7p5h|W_KcN~9h;k*MbUxGnNC`T^M}qh8{<;h?WAr~ zru^DGny9zEAu))#d@nesriXV9gyTlS5i&cq)a<5a`ZRecKbV9 zhl*|7dI%wV()OdPJW0~rb2@3+6{>BU;QJ47NKANngp1g*MO**AY}_zd!{y_uc)-r| zfhvl8p!;JY6wA@01)6`6)HSJ}ed^uV)Qd>}Ocf;yL*SV83{MqA}v&_V1og&ez z9Q@EEKe~tw`60|W_7aFQVpO)ZJ@@4MS`Ik&sjbbv5k7$n$4z8TxfB1A;8W^7M6PiJj5O7ij&PDgNWeW2Q|3|R+#)8GjS70=DAUHthx zbezd?Gwnm|erB?}`>Gm0#6BxBWdRvtN@=36^n_pi+xhr(vOkb$dlwhd`ydgYS+E~i z4(j=QeW=WaXw&a$PqU%^cULEFap|5K#$@H@%8AM{YF>u26~=GG#~ZQjI%g92w}8md zZR7t;o%YWhBA^OBJaGbRlkZ%FB`oRWO>ETT%~dY@iT>dOj`l7r)R&!$PsT5Wt3DPG zQ0hNVrNfB%HGO?E|{2w{b#FsQM=A?D`L&#_)GSVk%rA%1#fIE-G zA_>PZgLl$Ne`hQ=(%4x%C~fX-5s=+Rl8FYkj#aT!G8+QLk zEO~ZIEq6!#U?cN$ty3iwj3>uGDGL_Ko${MGabsoQU1b&b3b_QYiZjC&_(Bs4_SaLb zw7$A#;kW*Ry-cV-+sOa_cGl@%1zP{JjJA*b{~0(5=*bR>;B&Yn?N>! 
z4e(^}5b!DN0PhBO0Qvu)3vLG;um{`^+!yFjgU{2jKLNi7ZU;Tk1vL=f^Y=u4e-k@_ z-s$&l@CL96w1*%9j{@31@JZ|hp8&rNGH@-B{Xnq*7Xifr+zCDk6c5k_2f+bw4frN@ zgpY!c0L1}37u*gqa14YvfGha@r`Q(W2;Kl*3Sw|8(4K)=a2a?2_})eAtpM);iU)Wt zcp*3pzKxyXTi`R`!{Dvp<>1*M0eT1EUhrU`kLQ%IorS{!`~2eXF?Dw|0qt}zJa^uQ zw%w5TXxl~9R790Rr+tK-FS@(l-kvy*4jxRaS)d+sWXYgg*+gEY@2Q$#;BVx?-lsk=si&!%}vohN#&=Z3fnMr$Wnh9vy-$5o$_@4!e z@5GR!m+~AikOUBoCcYPDNfXie_4hLT9y|cMi47Y zDx0Em>v-Z`zUBI+ zLQsGim89sH2_`hc?GhQ|PZpS*VYq*hcfc&n9gL=0qE}w4TmuN_A-M*v7I7nNX9U#o<{E4;NPi9XVIb`oMxJY?!f>)!{rj zHA$o)o;W$cT5`6(E61trj)=Cxl=2MgAQ1EIdqow2CEC7e{<}v1Jr3p9smWp9RzH~% z?UfK|qEZic(o+gcgjg(Kno2gPyV`KmU~$eB>V86fCo=F7Hu+m74xqZa7lzX5aIXy& z;#pl7qF5{SDFfU4NOK)R+F$P@Tudj;c!Q+!&89I6MSP^Txt$<>MM&A>i!;mPxLwTn zlO>)8EQ;N;YOy6@OO-Y;2_IuxZ%}gs)O^!ar!uoL zr{xV38DZ0JLR8Vr}ND#p=^~OG8PCF)q-TOrBU;REj*_w;Zq=`E*eU8JnxwdyVrP zt!{Gu=FA@=wH;qXV zb^UIMpf32<5Ij1I>+6>=(|G=QF{~Ini3n zRHdO=OsfDnNE|ig-RZ39Fi06;^1@ULZ{XXhEMJ(_@tE0G;02_QZ4TDU39Yi;i0RHW zME1K=rSWRQD{?@XwG2fs80NyTae*{Q+wYn~boK*ZMk z;9Bmdzj|-D6}Tfr_QO7F8CFSlW9v0-`94zwJRDo&#OJMTEAVA)qQe@IFZ$shdXL>NQ=t|BCwZmYWCY9yL{x#n!RCa zQSqA{7uTYB+>a3n4bJI?ghK?BFTa-hc#~nH2f`QYJ$e=1E1Bw?QsUJSRR({g=>z%X z?vK`G)TnUHrLy=Vms!o{XO%nQfh5%?F6GU*a!!8hE4P=G*-63$F)t;>bG8p3wj;qk z)5DW?AZ^MSl5KVpq3P;K^i%H1T(VW-T@@KlnK3jr?F@9CCg9Xbj(~;^IthA*!_gx? 
z1JCaC7}tizyX5(HJG(No)>bM69_d|&+Ffx}ehf2(o-SJ5c^U6!9rZD()nj?1ruEnK z%JKQd@sctMW&~Xsu!v)GBKU2}*^Sj+KLJwIl5BlWVKM)I3E%VIYwgGS|BS5w@x!yW z|4Z%r^5F9GcVSOV7r?E&~0Yy95@?*hL7UI02^FZgTL z_Eo*>-xU|UjQEf?+1EMfc5~K z04rb?TnWa&!@#Fm6a4GmM>-!IZp9jwYPX{yL2Cxr2 z2K+5+`>zAV9sE9c33xGhCb$h;3I6CJ>@VQG;NOE^1bQFA)4&{19KvP5`q=mH|Ic3| z`-T)VDVZbt21Llh(p;))SW7T(jqDpE`vx;?uuY8Y8{v4Ok$q!i-_Xliyj8+%2qBU` q*S1IYjgft0WZxLsH-ZgtWZ(GV+cyfv4U7@kShkrq+~tCq;(q}I< Date: Tue, 2 May 2017 19:24:52 +0200 Subject: [PATCH 3/9] My git skills are amazing --- defaults/00-crypt.sh | 337 ---------------------------------- defaults/initrd.d/00-crypt.sh | 11 ++ 2 files changed, 11 insertions(+), 337 deletions(-) delete mode 100755 defaults/00-crypt.sh diff --git a/defaults/00-crypt.sh b/defaults/00-crypt.sh deleted file mode 100755 index c8fccc2e..00000000 --- a/defaults/00-crypt.sh +++ /dev/null 
@@ -1,337 +0,0 @@ -#!/bin/sh - -. /etc/initrd.d/00-common.sh -. /etc/initrd.d/00-devmgr.sh -. /etc/initrd.d/00-splash.sh -. /etc/initrd.d/00-fsdev.sh - -CRYPTSETUP_BIN="/sbin/cryptsetup" -KEY_MNT="/mnt/key" - -_bootstrap_key() { - local ltype="${1}" - local keydevs=$(device_list) - - eval local keyloc='"${CRYPT_'${ltype}'_KEY}"' - - media_find "key" "${keyloc}" "CRYPT_${ltype}_KEYDEV" "${KEY_MNT}" ${keydevs} -} - -_crypt_exec() { - local luks_dev="${1}" - local ply_cmd="${2}" # command for use when plymouth is active - local tty_cmd="${3}" # command for use without plymouth - local do_ask="${4}" # whether we need a passphrase at all - - if [ "${CRYPT_SILENT}" = "1" -o "${do_ask}" = "0" ]; then - eval ${tty_cmd} >/dev/null 2>/dev/null - else - ask_for_password --ply-tries 5 \ - --ply-cmd "${ply_cmd}" \ - --ply-prompt "Encryption password (${luks_dev}): " \ - --tty-tries 5 \ - --tty-cmd "${tty_cmd}" || return 1 - return 0 - fi -} - -_open_luks() { - local luks_name="${1}" - - case ${luks_name} in - root) - local ltypes=ROOTS - local ltype=ROOT - local real_dev="${REAL_ROOT}" - ;; - swap) - local ltypes=SWAPS - local ltype=SWAP - local real_dev="${REAL_RESUME}" - ;; - esac - - eval local luks_devices='"${CRYPT_'${ltypes}'}"' - eval local luks_key='"${CRYPT_'${ltype}'_KEY}"' - eval local luks_keydev='"${CRYPT_'${ltype}'_KEYDEV}"' - eval local luks_trim='"${CRYPT_'${ltype}'_TRIM}"' - eval local init_key='"${CRYPT_'${ltype}'_INITKEY}"' - - local dev_error=0 key_error=0 keydev_error=0 - local mntkey="${KEY_MNT}/" cryptsetup_opts="" - - local exit_st=0 luks_device= - for luks_device in ${luks_devices}; do - - good_msg "Working on device ${luks_device}..." 
- - while true; do - - local gpg_ply_cmd="" - local gpg_tty_cmd="" - local passphrase_needed="1" - - # do not force the link to /dev/mapper/root - # but rather use the value from root=, which is - # in ${REAL_ROOT} - # Using find_real_device to convert UUID= or LABEL= - # strings into actual device paths, this and basename - # avoid to create long strings that could be truncated - # by cryptsetup, generating a "DM-UUID for device %s was truncated" - # error. - local luks_dev_name=$(basename $(find_real_device "${luks_device}")) - local luks_name_prefix= - - if echo "${real_dev}" | grep -q "^/dev/mapper/"; then - local real_dev_bn=$(basename "${real_dev}") - # If we use LVM + cryptsetup, we may have collisions between - # the two inside /dev/mapper. So, make up a way to avoid them. - luks_dev_name="${luks_name}_${luks_dev_name}-${real_dev_bn}" - fi - - # if crypt_silent=1 and some error occurs, bail out. - local any_error= - [ "${dev_error}" = "1" ] && any_error=1 - [ "${key_error}" = "1" ] && any_error=1 - [ "${keydev_error}" = "1" ] && any_error=1 - if [ "${CRYPT_SILENT}" = "1" ] && [ -n "${any_error}" ]; then - bad_msg "Failed to setup the LUKS device" - exit_st=1 - break - fi - - if [ "${dev_error}" = "1" ]; then - prompt_user "luks_device" "${luks_dev_name}" - dev_error=0 - continue - fi - - if [ "${key_error}" = "1" ]; then - prompt_user "luks_key" "${luks_dev_name} key" - key_error=0 - continue - fi - - if [ "${keydev_error}" = "1" ]; then - prompt_user "luks_keydev" "${luks_dev_name} key device" - keydev_error=0 - continue - fi - - local luks_dev=$(find_real_device "${luks_device}") - [ -n "${luks_dev}" ] && \ - luks_device="${luks_dev}" # otherwise hope... - - eval "${CRYPTSETUP_BIN} isLuks ${luks_device}" || { - bad_msg "${luks_device} does not contain a LUKS header" - dev_error=1 - continue; - } - - # Handle keys - if [ "${luks_trim}" = "yes" ]; then - good_msg "Enabling TRIM support for ${luks_dev_name}." 
- cryptsetup_opts="${cryptsetup_opts} --allow-discards" - fi - - if [ -n "${luks_key}" ]; then - local real_luks_keydev="${luks_keydev}" - - if [ ! -e "${mntkey}${luks_key}" ]; then - real_luks_keydev=$(find_real_device "${luks_keydev}") - good_msg "Using key device ${real_luks_keydev}." - - if [ ! -b "${real_luks_keydev}" ]; then - bad_msg "Insert device ${luks_keydev} for ${luks_dev_name}" - bad_msg "You have 10 seconds..." - local count=10 - while [ ${count} -gt 0 ]; do - count=$((count-1)) - sleep 1 - - real_luks_keydev=$(find_real_device "${luks_keydev}") - [ ! -b "${real_luks_keydev}" ] || { - good_msg "Device ${real_luks_keydev} detected." - break; - } - done - - if [ ! -b "${real_luks_keydev}" ]; then - eval CRYPT_${ltype}_KEY=${luks_key} - _bootstrap_key ${ltype} - eval luks_keydev='"${CRYPT_'${ltype}'_KEYDEV}"' - - real_luks_keydev=$(find_real_device "${luks_keydev}") - if [ ! -b "${real_luks_keydev}" ]; then - keydev_error=1 - bad_msg "Device ${luks_keydev} not found." - continue - fi - - # continue otherwise will mount keydev which is - # mounted by bootstrap - continue - fi - fi - - # At this point a device was recognized, now let's see - # if the key is there - mkdir -p "${mntkey}" # ignore - - mount -n -o ro "${real_luks_keydev}" \ - "${mntkey}" || { - keydev_error=1 - bad_msg "Mounting of device ${real_luks_keydev} failed." - continue; - } - - good_msg "Removable device ${real_luks_keydev} mounted." - - if [ ! -e "${mntkey}${luks_key}" ]; then - umount -n "${mntkey}" - key_error=1 - keydev_error=1 - bad_msg "{luks_key} on ${real_luks_keydev} not found." - continue - fi - fi - - # At this point a candidate key exists - # (either mounted before or not) - good_msg "${luks_key} on device ${real_luks_keydev} found" - if [ "$(echo ${luks_key} | grep -o '.gpg$')" = ".gpg" ] && \ - [ -e /usr/bin/gpg ]; then - - # TODO(lxnay): WTF is this? 
- [ -e /dev/tty ] && mv /dev/tty /dev/tty.org - mknod /dev/tty c 5 1 - - cryptsetup_opts="${cryptsetup_opts} -d -" - # if plymouth not in use, gpg reads keyfile passphrase... - gpg_tty_cmd="/usr/bin/gpg --logger-file /dev/null" - gpg_tty_cmd="${gpg_tty_cmd} --quiet --decrypt ${mntkey}${luks_key} | " - # but when plymouth is in use, keyfile passphrase piped in - gpg_ply_cmd="/usr/bin/gpg --logger-file /dev/null" - gpg_ply_cmd="${gpg_ply_cmd} --quiet --passphrase-fd 0 --batch --no-tty" - gpg_ply_cmd="${gpg_ply_cmd} --decrypt ${mntkey}${luks_key} | " - else - cryptsetup_opts="${cryptsetup_opts} -d ${mntkey}${luks_key}" - passphrase_needed="0" # keyfile not itself encrypted - fi - fi - - # if we have a keyfile embedded in the initramfs - if [ -n "${init_key}" ]; then - if [ ! -e "${init_key}" ]; then - bad_msg "{init_key} on initramfs not found." - key_error=1 - continue - fi - cryptsetup_opts="${cryptsetup_opts} -d ${init_key}" - fi - - # At this point, keyfile or not, we're ready! - local ply_cmd="${gpg_ply_cmd}${CRYPTSETUP_BIN}" - local tty_cmd="${gpg_tty_cmd}${CRYPTSETUP_BIN}" - ply_cmd="${ply_cmd} ${cryptsetup_opts} luksOpen ${luks_device} ${luks_dev_name}" - tty_cmd="${tty_cmd} ${cryptsetup_opts} luksOpen ${luks_device} ${luks_dev_name}" - # send to a temporary shell script, so plymouth can - # invoke the pipeline successfully - local ply_cmd_file="$(mktemp -t "ply_cmd.XXXXXX")" - printf '#!/bin/sh\n%s\n' "${ply_cmd}" > "${ply_cmd_file}" - chmod 500 "${ply_cmd_file}" - _crypt_exec "${luks_device}" "${ply_cmd_file}" "${tty_cmd}" "${passphrase_needed}" - local ret="${?}" - rm -f "${ply_cmd_file}" - - # TODO(lxnay): WTF is this? - [ -e /dev/tty.org ] \ - && rm -f /dev/tty \ - && mv /dev/tty.org /dev/tty - - if [ "${ret}" = "0" ]; then - good_msg "LUKS device ${luks_device} opened" - - # Note 1: This is fine if the crypt device is a physical device - # like /dev/sdaX, however, if we have cryptsetup inside - # LVM, we must tweak REAL_ROOT if there is no device node. 
- # Note 2: we should not activate md arrays yet, because - # they could be started in degraded mode and mdadm is so stupid - # that it may end up creating multiple md devices with the - # same UUID... Let's postpone this for the end - ( USE_MDADM=0 - USE_DMRAID_NORMAL=0 - start_volumes # this creates /dev/mapper links - ) - if echo "${real_dev}" | grep -q "^/dev/mapper/"; then - if [ ! -e "${real_dev}" ]; then - # WARN: while for ltype=SWAP this may not be a problem, - # for ltype=ROOT this may render the system unbootable - # because lvm can get angry to see a symlink where it's - # not supposed to be or we may fail to create the proper - # link (due to the if above), however, reordering the - # cmdline entries may solve this. - good_msg "Creating symlink ${luks_dev_name} -> ${real_dev}" - ln -s "${luks_dev_name}" "${real_dev}" || exit_st=1 - fi - fi - - break - fi - - bad_msg "Failed to open LUKS device ${luks_device}" - dev_error=1 - key_error=1 - keydev_error=1 - - done - - done - - umount -l "${mntkey}" 2>/dev/null >/dev/null - rmdir "${mntkey}" 2>/dev/null >/dev/null - - return ${exit_st} -} - -start_luks() { - - local root_or_swap= - if [ -n "${CRYPT_ROOTS}" ] || [ -n "${CRYPT_SWAPS}" ]; then - root_or_swap=1 - fi - - if [ ! -e "${CRYPTSETUP_BIN}" ] && [ -n "${root_or_swap}" ]; then - bad_msg "${CRYPTSETUP_BIN} not found inside the initramfs" - return 1 - fi - - # if key is set but key device isn't, find it - [ -n "${CRYPT_ROOT_KEY}" ] && [ -z "${CRYPT_ROOT_KEYDEV}" ] \ - && _bootstrap_key "ROOT" - - if [ -n "${CRYPT_ROOTS}" ]; then - # force REAL_ROOT= to some value if not set - # this is mainly for backward compatibility, - # because grub2 always sets a valid root= - # and user must have it as well. 
- [ -z "${REAL_ROOT}" ] && REAL_ROOT="/dev/mapper/root" - _open_luks "root" - fi - - [ -n "${CRYPT_SWAP_KEY}" ] && [ -z "${CRYPT_SWAP_KEYDEV}" ] \ - && _bootstrap_key "SWAP" - - if [ -n "${CRYPT_SWAPS}" ]; then - # force REAL_RESUME= to some value if not set - [ -z "${REAL_RESUME}" ] && REAL_RESUME="/dev/mapper/swap" - _open_luks "swap" - fi - - if [ -n "${root_or_swap}" ]; then - # We postponed the initialization of raid devices - # in order to avoid to assemble possibly degraded - # arrays. - start_volumes - fi -} diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh index 0e7c863b..c8fccc2e 100755 --- a/defaults/initrd.d/00-crypt.sh +++ b/defaults/initrd.d/00-crypt.sh @@ -55,6 +55,7 @@ _open_luks() { eval local luks_key='"${CRYPT_'${ltype}'_KEY}"' eval local luks_keydev='"${CRYPT_'${ltype}'_KEYDEV}"' eval local luks_trim='"${CRYPT_'${ltype}'_TRIM}"' + eval local init_key='"${CRYPT_'${ltype}'_INITKEY}"' local dev_error=0 key_error=0 keydev_error=0 local mntkey="${KEY_MNT}/" cryptsetup_opts="" @@ -219,6 +220,16 @@ _open_luks() { fi fi + # if we have a keyfile embedded in the initramfs + if [ -n "${init_key}" ]; then + if [ ! -e "${init_key}" ]; then + bad_msg "{init_key} on initramfs not found." + key_error=1 + continue + fi + cryptsetup_opts="${cryptsetup_opts} -d ${init_key}" + fi + # At this point, keyfile or not, we're ready! local ply_cmd="${gpg_ply_cmd}${CRYPTSETUP_BIN}" local tty_cmd="${gpg_tty_cmd}${CRYPTSETUP_BIN}" From 0d8ce91b6dee97187792e07f1e224b5d258c1570 Mon Sep 17 00:00:00 2001 From: Gauvain Roussel-Tarbouriech Date: Tue, 2 May 2017 20:17:48 +0200 Subject: [PATCH 4/9] Fixing indentation --- defaults/initrd.d/00-crypt.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh index c8fccc2e..c23da262 100755 --- a/defaults/initrd.d/00-crypt.sh +++ b/defaults/initrd.d/00-crypt.sh 
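Review bot: The new init_key block appends `-d ${init_key}` to cryptsetup_opts without checking whether the removable-media key handled just above it already added `-d ${mntkey}${luks_key}` or, for a .gpg key, `-d -` with a gpg pipeline in front of cryptsetup, so when both root_key= and root_initkey= are given cryptsetup receives two `-d` options and which one wins is left to its option parser rather than decided by this script. The presence test is `-e`, which is satisfied by a directory or an unreadable file, and the path is spliced unquoted into a string that is later passed through eval, so a keyfile path containing whitespace cannot be used. I would reject the combination and require a readable regular file, as below. _open_luks begins and ends outside this hunk, and later patches in the series re-indent and extend the same block (initkey_error, passphrase_needed), so the check belongs wherever that final version lands.

```shell
# if we have a keyfile embedded in the initramfs
if [ -n "${init_key}" ]; then
	if [ -n "${luks_key}" ]; then
		bad_msg "Both a key device and an initramfs key were given for ${luks_dev_name}"
		key_error=1
		continue
	fi
	if [ ! -f "${init_key}" ] || [ ! -r "${init_key}" ]; then
		bad_msg "${init_key} on initramfs not found or not readable."
		key_error=1
		continue
	fi
	cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
fi
# … unchanged: ply_cmd/tty_cmd assembly …
```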
@@ -221,14 +221,14 @@ _open_luks() {
 fi
 
 # if we have a keyfile embedded in the initramfs
- if [ -n "${init_key}" ]; then
- if [ ! -e "${init_key}" ]; then
- bad_msg "{init_key} on initramfs not found."
- key_error=1
- continue
- fi
- cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
- fi
+ if [ -n "${init_key}" ]; then
+ if [ ! -e "${init_key}" ]; then
+ bad_msg "{init_key} on initramfs not found."
+ key_error=1
+ continue
+ fi
+ cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
+ fi
 
 # At this point, keyfile or not, we're ready!
 local ply_cmd="${gpg_ply_cmd}${CRYPTSETUP_BIN}"
From 627ea00f632730c330e8751d3d32a5956e0f9932 Mon Sep 17 00:00:00 2001
From: Gauvain Roussel-Tarbouriech
Date: Tue, 2 May 2017 21:09:50 +0200
Subject: [PATCH 5/9] Indentation v2
---
defaults/initrd.d/00-crypt.sh | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh
index c23da262..700d9c77 100755
--- a/defaults/initrd.d/00-crypt.sh
+++ b/defaults/initrd.d/00-crypt.sh
@@ -220,12 +220,12 @@ _open_luks() {
 fi
 fi
 
- # if we have a keyfile embedded in the initramfs
+ # if we have a keyfile embedded in the initramfs
 if [ -n "${init_key}" ]; then
- if [ ! -e "${init_key}" ]; then
- bad_msg "{init_key} on initramfs not found."
- key_error=1
- continue
+ if [ ! -e "${init_key}" ]; then
+ bad_msg "{init_key} on initramfs not found."
+ key_error=1
+ continue
 fi
 cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
 fi
From bcff5d3fcff36850fa94ec0371e5786295885592 Mon Sep 17 00:00:00 2001
From: Gauvain Roussel-Tarbouriech
Date: Wed, 3 May 2017 13:28:54 +0200
Subject: [PATCH 6/9] Adding its own prompt error
---
defaults/initrd.d/00-crypt.sh | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh
index 700d9c77..459b9837 100755
--- a/defaults/initrd.d/00-crypt.sh
+++ b/defaults/initrd.d/00-crypt.sh
@@ -57,7 +57,7 @@ _open_luks() {
 eval local luks_trim='"${CRYPT_'${ltype}'_TRIM}"'
 eval local init_key='"${CRYPT_'${ltype}'_INITKEY}"'
 
- local dev_error=0 key_error=0 keydev_error=0
+ local dev_error=0 key_error=0 initkey_error=0 keydev_error=0
 local mntkey="${KEY_MNT}/" cryptsetup_opts=""
 
 local exit_st=0 luks_device=
@@ -94,6 +94,7 @@ _open_luks() {
 [ "${dev_error}" = "1" ] && any_error=1
 [ "${key_error}" = "1" ] && any_error=1
 [ "${keydev_error}" = "1" ] && any_error=1
+ [ "${initkey_error}" = "1" ] && any_error=1
 if [ "${CRYPT_SILENT}" = "1" ] && [ -n "${any_error}" ]; then
 bad_msg "Failed to setup the LUKS device"
 exit_st=1
@@ -111,6 +112,12 @@ _open_luks() {
 key_error=0
 continue
 fi
+ if [ "${initkey_error}" = "1" ]; then
+ prompt_user "init_key" "${luks_dev_name} key"
+ initkey_error=0
+ continue
+ fi
+
 
 if [ "${keydev_error}" = "1" ]; then
 prompt_user "luks_keydev" "${luks_dev_name} key device"
@@ -223,9 +230,9 @@ _open_luks() {
 # if we have a keyfile embedded in the initramfs
 if [ -n "${init_key}" ]; then
 if [ ! -e "${init_key}" ]; then
- bad_msg "{init_key} on initramfs not found."
- key_error=1
- continue
+ bad_msg "{init_key} (${init_key}) on initramfs not found."
+ initkey_error=1
+ continue
 fi
 cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
 fi
From f88790824c3a4bb9d6ec58fb6b4e565ab8d726c8 Mon Sep 17 00:00:00 2001
From: Gauvain Roussel-Tarbouriech
Date: Wed, 3 May 2017 13:56:16 +0200
Subject: [PATCH 7/9] Do not ask for a password. Embedding a keyfile in the initramfs encrypted is useless, better use a password directly
---
defaults/initrd.d/00-crypt.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh
index 459b9837..287f06e0 100755
--- a/defaults/initrd.d/00-crypt.sh
+++ b/defaults/initrd.d/00-crypt.sh
@@ -235,6 +235,7 @@ _open_luks() {
 continue
 fi
 cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
+ passphrase_needed="0"
 fi
 
 # At this point, keyfile or not, we're ready!
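Review bot: `passphrase_needed="0"` routes the open through the silent branch of _crypt_exec, which evals the command with stdout and stderr discarded, so when the embedded key does not match the LUKS header the user gets only the generic "Failed to open LUKS device" and nothing from cryptsetup. The failure branch further down in _open_luks (outside this hunk) sets key_error and keydev_error but leaves init_key set, so each retry iteration reaches this block again with the same `-d ${init_key}`; as far as I can see there is no path back to a passphrase prompt for a device whose initramfs key is wrong or stale, which turns a stale key into an unbootable system instead of one extra prompt. I would clear the key on failure so the next iteration prompts normally, e.g. in that failure branch: `if [ -n "${init_key}" ]; then bad_msg "Initramfs key ${init_key} did not unlock ${luks_device}, falling back to passphrase"; init_key=""; fi`. Whether `prompt_user "init_key"` (added in PATCH 6) can replace the value at all depends on prompt_user, which is not part of this series.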
From 077b989714ed322934a7959dfa85d0c7f0c13216 Mon Sep 17 00:00:00 2001
From: Gauvain Roussel-Tarbouriech
Date: Wed, 3 May 2017 13:59:33 +0200
Subject: [PATCH 8/9] Do not show init_var as prompt_user already do
---
defaults/initrd.d/00-crypt.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh
index 287f06e0..5ef8adec 100755
--- a/defaults/initrd.d/00-crypt.sh
+++ b/defaults/initrd.d/00-crypt.sh
@@ -230,7 +230,7 @@ _open_luks() {
 # if we have a keyfile embedded in the initramfs
 if [ -n "${init_key}" ]; then
 if [ ! -e "${init_key}" ]; then
- bad_msg "{init_key} (${init_key}) on initramfs not found."
+ bad_msg "{init_key} on initramfs not found."
 initkey_error=1
 continue
 fi
From 37c0753edf36065d689d4422897540b8307a01be Mon Sep 17 00:00:00 2001
From: Gauvain Roussel-Tarbouriech
Date: Wed, 3 May 2017 13:59:33 +0200
Subject: [PATCH 9/9] Do not show init_var as prompt_user already do
---
defaults/initrd.d/00-crypt.sh | 2 +-
doc/genkernel.8.txt | 16 +++++------
gen_initramfs.sh | 54 +++++++++++++++++++++++++++++------
genkernel.conf | 5 ++++
4 files changed, 59 insertions(+), 18 deletions(-)
diff --git a/defaults/initrd.d/00-crypt.sh b/defaults/initrd.d/00-crypt.sh
index 287f06e0..5ef8adec 100755
--- a/defaults/initrd.d/00-crypt.sh
+++ b/defaults/initrd.d/00-crypt.sh
@@ -230,7 +230,7 @@ _open_luks() {
 # if we have a keyfile embedded in the initramfs
 if [ -n "${init_key}" ]; then
 if [ ! -e "${init_key}" ]; then
- bad_msg "{init_key} (${init_key}) on initramfs not found."
+ bad_msg "{init_key} on initramfs not found."
 initkey_error=1
 continue
 fi
diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt
index c4917b33..ec747627 100644
--- a/doc/genkernel.8.txt
+++ b/doc/genkernel.8.txt
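Review bot: The message kept by this hunk, `bad_msg "{init_key} on initramfs not found."`, is missing the `$`, so it prints the literal text {init_key}, and the `(${init_key})` this commit removes was the only part that showed which path was looked up. Unless prompt_user, which is not in this series, prints the failing path itself, the fix is one character: `bad_msg "${init_key} on initramfs not found."`. The identical hunk, with the same index line 287f06e0..5ef8adec, appears in PATCH 8/9 and again here in PATCH 9/9, which suggests PATCH 9 was generated on top of an already-applied PATCH 8; squashing the two would avoid a patch that fails to apply. _open_luks begins and ends outside the hunk.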
@@ -439,15 +439,15 @@ which the ramdisk scripts would recognize. In case your root is encrypted with a key, you can use a device like a usb pen to store the key. This value should be the key path relative to the mount point. - If you need to use a keyfile embedded in the initramfs itself(for - example, when using grub cryptomount feature) please refer to - root_initkey=. + If you need to use a keyfile embedded in the initramfs itself(for + example, when using grub cryptomount feature) please refer to + root_initkey=. *root_initkey*=<...>:: - In case your root is encrypted with a key embedded in the initramfs. - This value should be absolute using initramfs organisation. - This is useful when grub cryptomount is used to avoid typing the - same password twice, making the initramfs unlock itself. + In case your root is encrypted with a key embedded in the initramfs. + This value should be absolute using initramfs organisation. + This is useful when grub cryptomount is used to avoid typing the + same password twice, making the initramfs unlock itself. *root_keydev*=<...>:: If necessary provide the name of the device that carries the @@ -463,7 +463,7 @@ which the ramdisk scripts would recognize. Same as root_key for swap. *swap_initkey*=<...>:: - Same as root_init_key for swap. + Same as root_init_key for swap. *swap_keydev*=<...>:: Same as root_keydev for swap. diff --git a/gen_initramfs.sh b/gen_initramfs.sh index 38d07348..5f75d444 100755 --- a/gen_initramfs.sh +++ b/gen_initramfs.sh @@ -119,9 +119,9 @@ append_base_layout() { # the coreutils hostid program doesn't show it in the right form. local hostid if file -L "${TEMP}/initramfs-base-temp/bin/sh" | grep -q 'MSB executable'; then - hostid="$(hostid)" + hostid="$(hostid)" else - hostid="$(hostid | sed -E 's/(..)(..)(..)(..)/\4\3\2\1/')" + hostid="$(hostid | sed -E 's/(..)(..)(..)(..)/\4\3\2\1/')" fi printf "$(echo "${hostid}" | sed 's/\([0-9A-F]\{2\}\)/\\x\1/gI')" > ${TEMP}/initramfs-base-temp/etc/hostid 
@@ -139,7 +139,7 @@ append_busybox() { rm -rf "${TEMP}/initramfs-busybox-temp" > /dev/null fi - mkdir -p "${TEMP}/initramfs-busybox-temp/bin/" + mkdir -p "${TEMP}/initramfs-busybox-temp/bin/" tar -xjf "${BUSYBOX_BINCACHE}" -C "${TEMP}/initramfs-busybox-temp/bin" busybox || gen_die 'Could not extract busybox bincache!' chmod +x "${TEMP}/initramfs-busybox-temp/bin/busybox" @@ -308,8 +308,8 @@ append_lvm(){ copy_binaries "${TEMP}/initramfs-lvm-temp" \ /sbin/lvm /sbin/dmsetup /sbin/thin_check \ /sbin/thin_restore /sbin/thin_dump \ - /sbin/cache_check /sbin/cache_restore \ - /sbin/cache_dump /sbin/cache_repair + /sbin/cache_check /sbin/cache_restore \ + /sbin/cache_dump /sbin/cache_repair if [ -f /etc/lvm/lvm.conf ] then @@ -380,11 +380,11 @@ append_zfs(){ # Copy binaries # Include libgcc_s.so.1 to workaround zfsonlinux/zfs#4749 if type gcc-config 2>&1 1>/dev/null; then - copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \ - "/usr/lib/gcc/$(s=$(gcc-config -c); echo ${s%-*}/${s##*-})/libgcc_s.so.1" + copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \ + "/usr/lib/gcc/$(s=$(gcc-config -c); echo ${s%-*}/${s##*-})/libgcc_s.so.1" else - copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \ - /usr/lib/gcc/*/*/libgcc_s.so.1 + copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \ + /usr/lib/gcc/*/*/libgcc_s.so.1 fi cd "${TEMP}/initramfs-zfs-temp/" 
@@ -993,6 +993,42 @@ append_auxilary() {
 rm -r "${TEMP}/initramfs-aux-temp/"
 }
 
+append_files(){
+ if [ -d "${TEMP}/initramfs-files-temp" ]
+ then
+ rm -r "${TEMP}/initramfs-files-temp/"
+ fi
+ cd ${TEMP}
+ mkdir -p "${TEMP}/initramfs-files-temp/"
+
+ print_info 1 "Including files specified in config"
+
+ if [ -n "${FILES}" ]
+ then
+ print_info 1 " >> Appending specified files to cpio data..."
+
+ for file in ${FILES}
+ do
+ if [ -f "$file" ]
+ then
+ cp --parents "$file" "${TEMP}/initramfs-files-temp/"
+ print_info 1 " >> $file appended to initramfs"
+ else
+ print_warning 2 "$file not found on file system."
+ fi
+ done
+ else
+ print_info 1 " >> No files specified for append to cpio data..."
+ fi
+
+ cd "${TEMP}/initramfs-files-temp/"
+ log_future_cpio_content
+ find . -print | cpio ${CPIO_ARGS} --append -F "${CPIO}" \
+ || gen_die "compressing files cpio"
+ cd "${TEMP}"
+ rm -rf "${TEMP}/initramfs-files-temp" > /dev/null
+}
+
 append_data() {
 local name=$1 var=$2
 local func="append_${name}"
diff --git a/genkernel.conf b/genkernel.conf
index 4eb5cff2..d9edfe7e 100644
--- a/genkernel.conf
+++ b/genkernel.conf
@@ -294,6 +294,11 @@ DEFAULT_KERNEL_SOURCE="/usr/src/linux"
 # Create a self-contained env in the initramfs
 #NETBOOT="1"
 
+# This setting includes any additional files a given user may
+# wish into the CPIO image. Files are added as-is and are not
+# parsed in any way.
+# Multiple files should be separated by whitespace.
+#FILES=""
 
 # =========MISC BOOT CONFIGURATION============
 #
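Review bot: A path listed in FILES that does not exist is reported only with `print_warning 2` and the build continues, so a mistyped root_initkey= keyfile is discovered at boot, when the initramfs cannot unlock root, rather than when the image is built. For the key-embedding use case this series adds that is a hard failure, and I cannot tell from here whether a level-2 warning is even shown at the default verbosity. `cd ${TEMP}` is also unquoted while every other use of TEMP in the function is quoted. I would make the missing file fatal and quote the cd: `gen_die "${file} listed in FILES not found on file system."` in the else branch, and `cd "${TEMP}"`; if a warning is deliberately preferred for generic extra files, it should at least be level 1.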
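Review bot: The comment on the new FILES option says the files are added as-is but not that they are stored unencrypted inside the initramfs image, which is exactly how the root_initkey= keyfile from this same series is meant to get into the image; such a keyfile is protected only as well as the image file in /boot and the medium it lives on. The doc hunk in this commit describes the feature as making the initramfs unlock itself without that caveat either, so the config comment is the natural place for it. I would add, after the last sentence of the comment: `# NOTE: files are stored unencrypted in the initramfs image; only put a LUKS keyfile here if the initramfs itself lives on an encrypted volume (e.g. grub cryptomount) and the image is not readable by unprivileged users.`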