Adding an initial keyfile support embedded in initramfs

defaults/initrd.d/00-crypt.sh

@@ -55,8 +55,9 @@ _open_luks() {
     eval local luks_key='"${CRYPT_'${ltype}'_KEY}"'
     eval local luks_keydev='"${CRYPT_'${ltype}'_KEYDEV}"'
     eval local luks_trim='"${CRYPT_'${ltype}'_TRIM}"'
+    eval local init_key='"${CRYPT_'${ltype}'_INITKEY}"'
 
-    local dev_error=0 key_error=0 keydev_error=0
+    local dev_error=0 key_error=0 initkey_error=0 keydev_error=0
     local mntkey="${KEY_MNT}/" cryptsetup_opts=""
 
     local exit_st=0 luks_device=
@@ -93,6 +94,7 @@ _open_luks() {
             [ "${dev_error}" = "1" ] && any_error=1
             [ "${key_error}" = "1" ] && any_error=1
             [ "${keydev_error}" = "1" ] && any_error=1
+            [ "${initkey_error}" = "1" ] && any_error=1
             if [ "${CRYPT_SILENT}" = "1" ] && [ -n "${any_error}" ]; then
                 bad_msg "Failed to setup the LUKS device"
                 exit_st=1
@@ -110,6 +112,12 @@ _open_luks() {
                 key_error=0
                 continue
             fi
+            if [ "${initkey_error}" = "1" ]; then
+                prompt_user "init_key" "${luks_dev_name} key"
+                initkey_error=0
+                continue
+            fi
+
 
             if [ "${keydev_error}" = "1" ]; then
                 prompt_user "luks_keydev" "${luks_dev_name} key device"
@@ -219,6 +227,17 @@ _open_luks() {
                 fi
             fi
 
+            # if we have a keyfile embedded in the initramfs
+            if [ -n "${init_key}" ]; then
+                if [ ! -e "${init_key}" ]; then
+                   bad_msg "{init_key} on initramfs not found."
+                   initkey_error=1
+                   continue
+                fi
+                cryptsetup_opts="${cryptsetup_opts} -d ${init_key}"
+                passphrase_needed="0"
+            fi
+
             # At this point, keyfile or not, we're ready!
             local ply_cmd="${gpg_ply_cmd}${CRYPTSETUP_BIN}"
             local tty_cmd="${gpg_tty_cmd}${CRYPTSETUP_BIN}"

defaults/linuxrc

@@ -218,6 +218,9 @@ for x in ${CMDLINE}; do
 
         root_key=*)
             CRYPT_ROOT_KEY=${x#*=}
+        ;;
+		root_initkey=*)
+            CRYPT_ROOT_INITKEY=${x#*=}
         ;;
         root_keydev=*)
             CRYPT_ROOT_KEYDEV=${x#*=}
@@ -228,6 +231,9 @@ for x in ${CMDLINE}; do
 
         swap_key=*)
             CRYPT_SWAP_KEY=${x#*=}
+        ;;
+		swap_initkey=*)
+            CRYPT_SWAP_INITKEY=${x#*=}
         ;;
         swap_keydev=*)
             CRYPT_SWAP_KEYDEV=${x#*=}

doc/genkernel.8.txt

@@ -437,8 +437,17 @@ which the ramdisk scripts would recognize.
 
 *root_key*=<...>::
     In case your root is encrypted with a key, you can use a device
-    like a  usb pen to store the key.  This value should be the key
+    like a  usb pen to store the key. This value should be the key
     path relative to the mount point.
+    If you need to use a keyfile embedded in the initramfs itself(for
+    example, when using grub cryptomount feature) please refer to
+    root_initkey=.
+
+*root_initkey*=<...>::
+    In case your root is encrypted with a key embedded in the initramfs.
+    This value should be absolute using initramfs organisation.
+    This is useful when grub cryptomount is used to avoid typing the
+    same password twice, making the initramfs unlock itself.
 
 *root_keydev*=<...>::
     If necessary provide the name of the device that carries the
@@ -453,6 +462,9 @@ which the ramdisk scripts would recognize.
 *swap_key*=<...>::
     Same as root_key for swap.
 
+*swap_initkey*=<...>::
+    Same as root_init_key for swap.
+
 *swap_keydev*=<...>::
     Same as root_keydev for swap.
 

gen_initramfs.sh

@@ -119,9 +119,9 @@ append_base_layout() {
     # the coreutils hostid program doesn't show it in the right form.
     local hostid
     if file -L "${TEMP}/initramfs-base-temp/bin/sh" | grep -q 'MSB executable'; then
-	    hostid="$(hostid)"
+        hostid="$(hostid)"
     else
-	    hostid="$(hostid | sed -E 's/(..)(..)(..)(..)/\4\3\2\1/')"
+        hostid="$(hostid | sed -E 's/(..)(..)(..)(..)/\4\3\2\1/')"
     fi
     printf "$(echo "${hostid}" | sed 's/\([0-9A-F]\{2\}\)/\\x\1/gI')" > ${TEMP}/initramfs-base-temp/etc/hostid
 
@@ -139,7 +139,7 @@ append_busybox() {
         rm -rf "${TEMP}/initramfs-busybox-temp" > /dev/null
     fi
 
-    mkdir -p "${TEMP}/initramfs-busybox-temp/bin/" 
+    mkdir -p "${TEMP}/initramfs-busybox-temp/bin/"
     tar -xjf "${BUSYBOX_BINCACHE}" -C "${TEMP}/initramfs-busybox-temp/bin" busybox ||
         gen_die 'Could not extract busybox bincache!'
     chmod +x "${TEMP}/initramfs-busybox-temp/bin/busybox"
@@ -308,8 +308,8 @@ append_lvm(){
     copy_binaries "${TEMP}/initramfs-lvm-temp" \
         /sbin/lvm /sbin/dmsetup /sbin/thin_check \
         /sbin/thin_restore /sbin/thin_dump \
-	/sbin/cache_check /sbin/cache_restore \
-	/sbin/cache_dump /sbin/cache_repair
+    /sbin/cache_check /sbin/cache_restore \
+    /sbin/cache_dump /sbin/cache_repair
 
     if [ -f /etc/lvm/lvm.conf ]
     then
@@ -380,11 +380,11 @@ append_zfs(){
     # Copy binaries
     # Include libgcc_s.so.1 to workaround zfsonlinux/zfs#4749
     if type gcc-config 2>&1 1>/dev/null; then
-	    copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \
-		    "/usr/lib/gcc/$(s=$(gcc-config -c); echo ${s%-*}/${s##*-})/libgcc_s.so.1"
+        copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \
+            "/usr/lib/gcc/$(s=$(gcc-config -c); echo ${s%-*}/${s##*-})/libgcc_s.so.1"
     else
-	    copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \
-		    /usr/lib/gcc/*/*/libgcc_s.so.1
+        copy_binaries "${TEMP}/initramfs-zfs-temp" /sbin/{mount.zfs,zdb,zfs,zpool} \
+            /usr/lib/gcc/*/*/libgcc_s.so.1
     fi
 
     cd "${TEMP}/initramfs-zfs-temp/"
@@ -993,6 +993,42 @@ append_auxilary() {
     rm -r "${TEMP}/initramfs-aux-temp/"
 }
 
+append_files(){
+    if [ -d "${TEMP}/initramfs-files-temp" ]
+    then
+        rm -r "${TEMP}/initramfs-files-temp/"
+    fi
+    cd ${TEMP}
+    mkdir -p "${TEMP}/initramfs-files-temp/"
+
+    print_info 1 "Including files specified in config"
+
+    if [ -n "${FILES}" ]
+    then
+        print_info 1 "        >> Appending specified files to cpio data..."
+
+        for file in ${FILES}
+        do
+        if [ -f "$file" ]
+        then
+        cp --parents "$file" "${TEMP}/initramfs-files-temp/"
+        print_info 1 "            >> $file appended to initramfs"
+        else
+        print_warning 2 "$file not found on file system."
+        fi
+        done
+    else
+        print_info 1 "        >> No files specified for append to cpio data..."
+    fi
+
+    cd "${TEMP}/initramfs-files-temp/"
+    log_future_cpio_content
+    find . -print | cpio ${CPIO_ARGS} --append -F "${CPIO}" \
+            || gen_die "compressing files cpio"
+    cd "${TEMP}"
+    rm -rf "${TEMP}/initramfs-files-temp" > /dev/null
+}
+
 append_data() {
     local name=$1 var=$2
     local func="append_${name}"

genkernel.conf

@@ -294,6 +294,11 @@ DEFAULT_KERNEL_SOURCE="/usr/src/linux"
 # Create a self-contained env in the initramfs
 #NETBOOT="1"
 
+# This setting includes any additional files a given user may
+# wish into the CPIO image. Files are added as-is and are not
+# parsed in any way.
+# Multiple files should be separated by whitespace.
+#FILES=""
 
 # =========MISC BOOT CONFIGURATION============
 #