* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
@ 2011-08-30 13:36 Leho Kraav
[not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 14 ++++++++++
2 files changed, 54 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..8170694
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,14 @@
+check() {
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
--
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread[parent not found: <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>]
* [PATCH 2/4] 90crypt: recognize .img as loop key container [not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-30 13:36 ` Leho Kraav 2011-08-30 13:36 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav 2011-08-30 13:36 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav 2 siblings, 0 replies; 7+ messages in thread From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA --- modules.d/90crypt/crypt-lib.sh | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index 69f14d0..75b74a8 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -214,6 +214,14 @@ readkey() { die "No GPG support to decrypt '$keypath' on '$keydev'." fi ;; + img) + if [ -f /lib/dracut-crypt-loop-lib.sh ]; then + . /lib/dracut-crypt-loop-lib.sh + loop_decrypt "$mntp" "$keypath" "$keydev" "$device" + else + die "No loop file support to decrypt '$keypath' on '$keydev'." + fi + ;; *) cat "$mntp/$keypath" ;; esac -- 1.7.6 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting [not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2011-08-30 13:36 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav @ 2011-08-30 13:36 ` Leho Kraav 2011-08-30 13:36 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav 2 siblings, 0 replies; 7+ messages in thread From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA Combining $keydev and $keypath should result in a unique, re-usable keydev mountpoint. mkuniqdir doesn't seem to have any an advantage here and lacks reusability. Is there ever a use case where these are true: * there are more than one rd.luks.key=$keypath:$keydev * one is actually different from the other --- modules.d/90crypt/crypt-lib.sh | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index 75b74a8..b04512f 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -202,8 +202,15 @@ readkey() { local keydev="$2" local device="$3" - local mntp=$(mkuniqdir /mnt keydev) - mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' + # This creates a unique single mountpoint for *, or several for explicitly + # given LUKS devices. It accomplishes unlocking multiple LUKS devices with + # a single password entry. + local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')" + + if [ ! -d "$mntp" ]; then + mkdir "$mntp" + mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' + fi case "${keypath##*.}" in gpg) @@ -225,6 +232,8 @@ readkey() { *) cat "$mntp/$keypath" ;; esac + # General unmounting mechanism, modules doing custom cleanup should return earlier + # and install a pre-pivot cleanup hook umount "$mntp" rmdir "$mntp" } -- 1.7.6 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2011-08-30 13:36 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav 2011-08-30 13:36 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav @ 2011-08-30 13:36 ` Leho Kraav [not found] ` <1314711391-7149-4-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2 siblings, 1 reply; 7+ messages in thread From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA --- modules.d/90crypt/crypt-lib.sh | 3 +++ modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++ 2 files changed, 8 insertions(+), 0 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index b04512f..3095774 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -225,6 +225,9 @@ readkey() { if [ -f /lib/dracut-crypt-loop-lib.sh ]; then . /lib/dracut-crypt-loop-lib.sh loop_decrypt "$mntp" "$keypath" "$keydev" "$device" + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \ + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp" + return 0 else die "No loop file support to decrypt '$keypath' on '$keydev'." fi diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh index 63a553c..6774e7d 100644 --- a/modules.d/91crypt-loop/crypt-loop-lib.sh +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh @@ -32,6 +32,11 @@ loop_decrypt() { --tty-echo-off [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" + + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \ + $(command -v cryptsetup) "luksClose $key" + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \ + $(command -v losetup) "-d $loopdev" else info "Existing keyfile found, re-using it for $device" fi -- 1.7.6 ^ permalink raw reply related [flat|nested] 7+ messages in thread
[parent not found: <1314711391-7149-4-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>]
* Re: [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314711391-7149-4-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-31 8:51 ` Amadeusz Żołnowski 2011-08-31 9:29 ` Amadeusz Żołnowski 0 siblings, 1 reply; 7+ messages in thread From: Amadeusz Żołnowski @ 2011-08-31 8:51 UTC (permalink / raw) To: initramfs [-- Attachment #1: Type: text/plain, Size: 2002 bytes --] Excerpts from Leho Kraav's message of 2011-08-30 15:36:31 +0200: > --- > modules.d/90crypt/crypt-lib.sh | 3 +++ > modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++ > 2 files changed, 8 insertions(+), 0 deletions(-) > > diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh > index b04512f..3095774 100755 > --- a/modules.d/90crypt/crypt-lib.sh > +++ b/modules.d/90crypt/crypt-lib.sh > @@ -225,6 +225,9 @@ readkey() { > if [ -f /lib/dracut-crypt-loop-lib.sh ]; then > . /lib/dracut-crypt-loop-lib.sh > loop_decrypt "$mntp" "$keypath" "$keydev" "$device" > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \ > + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp" > + return 0 > else > die "No loop file support to decrypt '$keypath' on '$keydev'." > fi > diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh > index 63a553c..6774e7d 100644 > --- a/modules.d/91crypt-loop/crypt-loop-lib.sh > +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh > @@ -32,6 +32,11 @@ loop_decrypt() { > --tty-echo-off > > [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" > + > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \ > + $(command -v cryptsetup) "luksClose $key" > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \ > + $(command -v losetup) "-d $loopdev" > else > info "Existing keyfile found, re-using it for $device" > fi Always a bit better to use built-ins: basename "$x" == echo "${x#**/}" -- Amadeusz Żołnowski PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 490 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy 2011-08-31 8:51 ` Amadeusz Żołnowski @ 2011-08-31 9:29 ` Amadeusz Żołnowski 0 siblings, 0 replies; 7+ messages in thread From: Amadeusz Żołnowski @ 2011-08-31 9:29 UTC (permalink / raw) To: initramfs [-- Attachment #1: Type: text/plain, Size: 2194 bytes --] Excerpts from Amadeusz Żołnowski's message of 2011-08-31 10:51:37 +0200: > Excerpts from Leho Kraav's message of 2011-08-30 15:36:31 +0200: > > --- > > modules.d/90crypt/crypt-lib.sh | 3 +++ > > modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++ > > 2 files changed, 8 insertions(+), 0 deletions(-) > > > > diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh > > index b04512f..3095774 100755 > > --- a/modules.d/90crypt/crypt-lib.sh > > +++ b/modules.d/90crypt/crypt-lib.sh > > @@ -225,6 +225,9 @@ readkey() { > > if [ -f /lib/dracut-crypt-loop-lib.sh ]; then > > . /lib/dracut-crypt-loop-lib.sh > > loop_decrypt "$mntp" "$keypath" "$keydev" "$device" > > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \ > > + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp" > > + return 0 > > else > > die "No loop file support to decrypt '$keypath' on '$keydev'." > > fi > > diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh > > index 63a553c..6774e7d 100644 > > --- a/modules.d/91crypt-loop/crypt-loop-lib.sh > > +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh > > @@ -32,6 +32,11 @@ loop_decrypt() { > > --tty-echo-off > > > > [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" > > + > > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \ > > + $(command -v cryptsetup) "luksClose $key" > > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \ > > + $(command -v losetup) "-d $loopdev" > > else > > info "Existing keyfile found, re-using it for $device" > > fi > > Always a bit better to use built-ins: > > basename "$x" == echo "${x#**/}" Ups. echo ${x##*/}, of course :-) -- Amadeusz Żołnowski PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 490 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
@ 2011-08-22 12:39 Leho Kraav
[not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 15 +++++++++++
2 files changed, 55 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..2616b9b
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,15 @@
+check() {
+ [ -n $hostonly ] || return 1
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
--
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread[parent not found: <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>]
* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-22 12:39 ` Leho Kraav 0 siblings, 0 replies; 7+ messages in thread From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav --- modules.d/90crypt/crypt-lib.sh | 3 +++ modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++ 2 files changed, 8 insertions(+), 0 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index b04512f..3095774 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -225,6 +225,9 @@ readkey() { if [ -f /lib/dracut-crypt-loop-lib.sh ]; then . /lib/dracut-crypt-loop-lib.sh loop_decrypt "$mntp" "$keypath" "$keydev" "$device" + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \ + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp" + return 0 else die "No loop file support to decrypt '$keypath' on '$keydev'." fi diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh index 63a553c..6774e7d 100644 --- a/modules.d/91crypt-loop/crypt-loop-lib.sh +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh @@ -32,6 +32,11 @@ loop_decrypt() { --tty-echo-off [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" + + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \ + $(command -v cryptsetup) "luksClose $key" + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \ + $(command -v losetup) "-d $loopdev" else info "Existing keyfile found, re-using it for $device" fi -- 1.7.6 ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-08-31 9:29 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-08-30 13:36 [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container Leho Kraav
[not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>
2011-08-30 13:36 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav
2011-08-30 13:36 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav
2011-08-30 13:36 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav
[not found] ` <1314711391-7149-4-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>
2011-08-31 8:51 ` Amadeusz Żołnowski
2011-08-31 9:29 ` Amadeusz Żołnowski
-- strict thread matches above, loose matches on Subject: below --
2011-08-22 12:39 [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container Leho Kraav
[not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org>
2011-08-22 12:39 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.