* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy
From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav
---
modules.d/90crypt/crypt-lib.sh | 3 +++
modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index b04512f..3095774 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -225,6 +225,9 @@ readkey() {
if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
. /lib/dracut-crypt-loop-lib.sh
loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
+ $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
+ return 0
else
die "No loop file support to decrypt '$keypath' on '$keydev'."
fi
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
index 63a553c..6774e7d 100644
--- a/modules.d/91crypt-loop/crypt-loop-lib.sh
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -32,6 +32,11 @@ loop_decrypt() {
--tty-echo-off
[ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
+ $(command -v cryptsetup) "luksClose $key"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
+ $(command -v losetup) "-d $loopdev"
else
info "Existing keyfile found, re-using it for $device"
fi
--
1.7.6
* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 14 ++++++++++
2 files changed, 54 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
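Review bot: the result of `local loopdev=$(losetup -f "${mntp}/${keypath}" --show)` is never checked, so if attaching the loop device fails `$loopdev` is empty and `cryptsetup -d - luksOpen  <name>` is attempted against nothing before `[ -b $key ]` finally dies; add `[ -n "$loopdev" ] || die "..."` after the losetup (and note that `local var=$(cmd)` masks cmd's exit status). `$key`, `$mntp` and `$loopdev` are unquoted throughout, including `cat $key`; quote them, since 3/4 later derives `$mntp` from the user-supplied `$keydev`/`$keypath`. The header comment "Decrypts symmetrically encrypted key to standard output" does not describe what the function does: it attaches a loop device, opens it as a LUKS volume and streams the whole mapped device as the key, and the comment should say that.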
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..8170694
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,14 @@
+check() {
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
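Review bot: `return 255` in `check()` means the module is only pulled in when another module depends on it or it is requested explicitly, and nothing in this series makes 90crypt depend on crypt-loop; the `img)` arm added to crypt-lib.sh only tests for `/lib/dracut-crypt-loop-lib.sh` at boot and dies otherwise. Either document that users must add the module (e.g. `add_dracutmodules+=" crypt-loop "`) or have 90crypt pull it in when a `.img` key is configured.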
--
1.7.6
* [PATCH 2/4] 90crypt: recognize .img as loop key container
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/90crypt/crypt-lib.sh | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 69f14d0..75b74a8 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -214,6 +214,14 @@ readkey() {
die "No GPG support to decrypt '$keypath' on '$keydev'."
fi
;;
+ img)
+ if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
+ . /lib/dracut-crypt-loop-lib.sh
+ loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+ else
+ die "No loop file support to decrypt '$keypath' on '$keydev'."
+ fi
+ ;;
*) cat "$mntp/$keypath" ;;
esac
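Review bot: after `loop_decrypt "$mntp" "$keypath" "$keydev" "$device"` returns, `readkey` falls through to the `umount "$mntp"` that follows the `esac` (visible in the 3/4 hunk), but the loop device set up by `loop_decrypt` still has `${mntp}/${keypath}` open and the LUKS mapping is still active, so the unmount fails with the filesystem busy and both the mapping and the loop device stay around for the rest of the initramfs; this arm needs to tear them down (luksClose, losetup -d) or defer the unmount, as 4/4 later does. Also, with this arm a `.img` key file that is not a LUKS container now prompts for a passphrase instead of being read by the `*)` default; worth a sentence in the module documentation.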
--
1.7.6
* [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
Combining $keydev and $keypath should result in a unique, re-usable keydev
mountpoint. mkuniqdir doesn't seem to have any advantage here and lacks
reusability. Is there ever a use case where these are true:
* there are more than one rd.luks.key=$keypath:$keydev
* one is actually different from the other
---
modules.d/90crypt/crypt-lib.sh | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 75b74a8..b04512f 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -202,8 +202,15 @@ readkey() {
local keydev="$2"
local device="$3"
- local mntp=$(mkuniqdir /mnt keydev)
- mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+ # This creates a unique single mountpoint for *, or several for explicitly
+ # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
+ # a single password entry.
+ local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
+
+ if [ ! -d "$mntp" ]; then
+ mkdir "$mntp"
+ mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+ fi
case "${keypath##*.}" in
gpg)
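Review bot: `if [ ! -d "$mntp" ]` treats the existence of the directory as proof that `$keydev` is mounted there; a stale directory (mkdir succeeded but mount failed and died, or an earlier rmdir failed) makes the next call skip the mount and read `$mntp/$keypath` from an empty directory. Test the mount itself, e.g. with dracut-lib's `ismounted "$mntp" || { mkdir -p "$mntp" || die '...'; mount -r "$keydev" "$mntp" || die '...'; }`, and check mkdir's result. The path built by `str_replace "keydev-$keydev-$keypath" '/' '-'` is deterministic, which is the point, but it is derived from command-line values, so keep `$mntp` quoted in every later use (the `img)` arm and 4/4 pass it on unquoted).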
@@ -225,6 +232,8 @@ readkey() {
*) cat "$mntp/$keypath" ;;
esac
+ # General unmounting mechanism, modules doing custom cleanup should return earlier
+ # and install a pre-pivot cleanup hook
umount "$mntp"
rmdir "$mntp"
}
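Review bot: `umount "$mntp"` and `rmdir "$mntp"` run unconditionally and their status is ignored, so a failed unmount (for instance busy because a loop device still backs onto the key file) silently leaves the read-only key device mounted inside the initramfs; at least `warn` on failure. Also, because readkey always unmounts at the end, the reusable mountpoint from the commit message only survives when a module returns early, exactly as the new comment says, so the `[ ! -d "$mntp" ]` branch above is effectively only for that case; stating that in the comment would save the next reader the question.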
--
1.7.6
* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/90crypt/crypt-lib.sh | 3 +++
modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index b04512f..3095774 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -225,6 +225,9 @@ readkey() {
if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
. /lib/dracut-crypt-loop-lib.sh
loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
+ $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
+ return 0
else
die "No loop file support to decrypt '$keypath' on '$keydev'."
fi
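Review bot: `$(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"` works only because initqueue writes its arguments unquoted into the job script, where the embedded `;` becomes a command separator; any whitespace in `$mntp` (built from `$keydev`/`$keypath` in 3/4) splits the command, and `return 0` skips readkey's own cleanup without checking that the job was actually queued. The job also goes into the `finished` queue, while the comment added in 3/4 says an early-returning module should "install a pre-pivot cleanup hook"; the code and the comment should agree. One job script holding luksClose, losetup -d, umount and rmdir in that order would be clearer than three `--unique` jobs whose ordering rests on the `-10-`/`-20-`/`-99-` name sort.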
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
index 63a553c..6774e7d 100644
--- a/modules.d/91crypt-loop/crypt-loop-lib.sh
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -32,6 +32,11 @@ loop_decrypt() {
--tty-echo-off
[ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
+ $(command -v cryptsetup) "luksClose $key"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
+ $(command -v losetup) "-d $loopdev"
else
info "Existing keyfile found, re-using it for $device"
fi
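Review bot: `$(command -v cryptsetup) "luksClose $key"` and `$(command -v losetup) "-d $loopdev"` pass the whole argument list as one word, again depending on initqueue re-splitting it unquoted, and `$(basename $key)` and `$(basename $loopdev)` are unquoted. Queueing only on the branch that created the mapping is right, since the `else` branch reuses an existing one, but the teardown order matters: the mapping must be closed before `losetup -d`, and the loop device detached before the umount queued in crypt-lib.sh, which the `-10-`/`-20-` versus `-99-` names achieve only through the glob order in which job files run; a comment stating that dependency, or a single combined job, would make it robust. The blank `+` line at the top of the hunk is stray whitespace.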
--
1.7.6
* Re: [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy
From: Amadeusz Żołnowski @ 2011-08-31 8:51 UTC (permalink / raw)
To: initramfs
Excerpts from Leho Kraav's message of 2011-08-30 15:36:31 +0200:
> ---
> modules.d/90crypt/crypt-lib.sh | 3 +++
> modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
> 2 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
> index b04512f..3095774 100755
> --- a/modules.d/90crypt/crypt-lib.sh
> +++ b/modules.d/90crypt/crypt-lib.sh
> @@ -225,6 +225,9 @@ readkey() {
> if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
> . /lib/dracut-crypt-loop-lib.sh
> loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
> + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
> + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
> + return 0
> else
> die "No loop file support to decrypt '$keypath' on '$keydev'."
> fi
> diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
> index 63a553c..6774e7d 100644
> --- a/modules.d/91crypt-loop/crypt-loop-lib.sh
> +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
> @@ -32,6 +32,11 @@ loop_decrypt() {
> --tty-echo-off
>
> [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
> +
> + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
> + $(command -v cryptsetup) "luksClose $key"
> + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
> + $(command -v losetup) "-d $loopdev"
> else
> info "Existing keyfile found, re-using it for $device"
> fi
Always a bit better to use built-ins:
basename "$x" == echo "${x#**/}"
--
Amadeusz Żołnowski
PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5
* Re: [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy
From: Amadeusz Żołnowski @ 2011-08-31 9:29 UTC (permalink / raw)
To: initramfs
Excerpts from Amadeusz Żołnowski's message of 2011-08-31 10:51:37 +0200:
> Excerpts from Leho Kraav's message of 2011-08-30 15:36:31 +0200:
> > ---
> > modules.d/90crypt/crypt-lib.sh | 3 +++
> > modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
> > 2 files changed, 8 insertions(+), 0 deletions(-)
> >
> > diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
> > index b04512f..3095774 100755
> > --- a/modules.d/90crypt/crypt-lib.sh
> > +++ b/modules.d/90crypt/crypt-lib.sh
> > @@ -225,6 +225,9 @@ readkey() {
> > if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
> > . /lib/dracut-crypt-loop-lib.sh
> > loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
> > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
> > + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
> > + return 0
> > else
> > die "No loop file support to decrypt '$keypath' on '$keydev'."
> > fi
> > diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
> > index 63a553c..6774e7d 100644
> > --- a/modules.d/91crypt-loop/crypt-loop-lib.sh
> > +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
> > @@ -32,6 +32,11 @@ loop_decrypt() {
> > --tty-echo-off
> >
> > [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
> > +
> > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
> > + $(command -v cryptsetup) "luksClose $key"
> > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
> > + $(command -v losetup) "-d $loopdev"
> > else
> > info "Existing keyfile found, re-using it for $device"
> > fi
>
> Always a bit better to use built-ins:
>
> basename "$x" == echo "${x#**/}"
Oops. echo ${x##*/}, of course :-)
--
Amadeusz Żołnowski
PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5