* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
@ 2011-08-30 13:36 Leho Kraav
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 14 ++++++++++
2 files changed, 54 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
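Review bot: `local loopdev=$(losetup -f "${mntp}/${keypath}" --show)` hides losetup's exit status, so when the container cannot be attached `$loopdev` is empty, the user is still prompted, `cryptsetup -d - luksOpen  <name>` runs with its device argument missing, and the failure only surfaces as the unrelated "keyfile block device was still not found" message. Split declaration and assignment and check both: `local loopdev` / `loopdev=$(losetup -f "${mntp}/${keypath}" --show) || die "Cannot attach $keypath as a loop device"` / `[ -n "$loopdev" ] || die "losetup returned no device for $keypath"`. `$key` in the two `[ -b $key ]` tests and in `cat $key`, and `$mntp` in `basename $mntp`, are unquoted although they come from the mount-point path readkey passes in; quote them. The container is only read here, so `losetup -r` and `cryptsetup --readonly` would keep the file on the key device from being opened for writing. The earlier posting of this file lower on the page (same blob 63a553c) has identical lines.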
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..8170694
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,14 @@
+check() {
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
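Review bot: `check()` returns 255 unconditionally, which, if I read dracut's module contract correctly, makes the module optional: it is only installed when listed explicitly or required by another module, while 90crypt's `img)` arm merely sources /lib/dracut-crypt-loop-lib.sh if it happens to exist and declares no dependency on crypt-loop. A user who configures a `.img` key container therefore gets the "No loop file support" die at boot unless the module was added by hand, and nothing in this file says so. A header comment such as `# Optional module: enable with add_dracutmodules+=" crypt-loop " (90crypt uses it only when present)` would close that gap; returning 0 from check() when such a container is configured would be better still, but nothing on the page shows how that could be detected at build time.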
--
1.7.6
* [PATCH 2/4] 90crypt: recognize .img as loop key container [not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-30 13:36 ` Leho Kraav 2011-08-30 13:36 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav 2011-08-30 13:36 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav 2 siblings, 0 replies; 7+ messages in thread
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/90crypt/crypt-lib.sh | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 69f14d0..75b74a8 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -214,6 +214,14 @@ readkey() {
 die "No GPG support to decrypt '$keypath' on '$keydev'."
 fi
 ;;
+ img)
+ if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
+ . /lib/dracut-crypt-loop-lib.sh
+ loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+ else
+ die "No loop file support to decrypt '$keypath' on '$keydev'."
+ fi
+ ;;
 *) cat "$mntp/$keypath" ;;
 esac
 
-- 
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
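Review bot: After `loop_decrypt` returns in the new `img)` arm, the loop device it attached still backs a file under `$mntp`, so the `umount "$mntp"` that follows the `esac` (outside this hunk) cannot succeed for this key type and, being unchecked, silently leaves the mount, the loop device and the opened key mapping in place. Either release them in this arm before falling through, or return early and queue the cleanup, which is the route the last patch of this series takes. As a point of style the arm repeats the `gpg)` arm with three strings changed; a small helper, e.g. `try_key_lib /lib/dracut-crypt-loop-lib.sh loop_decrypt "loop file"`, would keep the two in step. readkey starts and ends outside the hunk.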
* [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting [not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2011-08-30 13:36 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav @ 2011-08-30 13:36 ` Leho Kraav 2011-08-30 13:36 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav 2 siblings, 0 replies; 7+ messages in thread
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
Combining $keydev and $keypath should result in a unique, re-usable keydev mountpoint. mkuniqdir doesn't seem to have any an advantage here and lacks reusability. Is there ever a use case where these are true: * there are more than one rd.luks.key=$keypath:$keydev * one is actually different from the other
---
modules.d/90crypt/crypt-lib.sh | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 75b74a8..b04512f 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -202,8 +202,15 @@ readkey() {
 local keydev="$2"
 local device="$3"
 
- local mntp=$(mkuniqdir /mnt keydev)
- mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+ # This creates a unique single mountpoint for *, or several for explicitly
+ # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
+ # a single password entry.
+ local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
+
+ if [ ! -d "$mntp" ]; then
+ mkdir "$mntp"
+ mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+ fi
 
 case "${keypath##*.}" in
 gpg)
@@ -225,6 +232,8 @@ readkey() {
 *) cat "$mntp/$keypath" ;;
 esac
 
+ # General unmounting mechanism, modules doing custom cleanup should return earlier
+ # and install a pre-pivot cleanup hook
 umount "$mntp"
 rmdir "$mntp"
 }
-- 
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
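Review bot: `mkdir "$mntp"` in the new `if [ ! -d "$mntp" ]` block is unchecked, and the block takes an existing directory as proof that the key device is already mounted there; a directory left behind by an earlier call whose `umount`/`rmdir` at the end of readkey failed (both are unchecked as well) makes the next call skip the mount and read `$mntp/$keypath` from an empty directory. Check the mkdir, `mkdir "$mntp" || die "Cannot create $mntp"`, and base the reuse decision on whether `$mntp` is currently a mount point (a lookup in /proc/mounts would do) rather than on `-d`. The comment above the assignment states the intent well; it could also record that str_replace maps every '/' to '-', which is what keeps the result a single path component under /mnt. readkey's body continues outside the hunk on both sides.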
* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314711391-7149-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2011-08-30 13:36 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav 2011-08-30 13:36 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav @ 2011-08-30 13:36 ` Leho Kraav [not found] ` <1314711391-7149-4-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2 siblings, 1 reply; 7+ messages in thread
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/90crypt/crypt-lib.sh | 3 +++
modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index b04512f..3095774 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -225,6 +225,9 @@ readkey() {
 if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
 . /lib/dracut-crypt-loop-lib.sh
 loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
+ $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
+ return 0
 else
 die "No loop file support to decrypt '$keypath' on '$keydev'."
 fi
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
index 63a553c..6774e7d 100644
--- a/modules.d/91crypt-loop/crypt-loop-lib.sh
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
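Review bot: The umount/rmdir cleanup hands initqueue `"$mntp; "` as one word followed by a second command, so the pair only works because initqueue re-parses its arguments as shell text; the `;` separator, the unquoted `$(basename $mntp)` in `--name` and the path itself all go through that re-parse, and a mount point containing a space or other shell-special character, which readkey builds from the rd.luks.key value, would break or alter the queued command. The second hunk already registers one command per job; do the same here, `initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename "$mntp")" $(command -v umount) "$mntp"`, plus a separate job for rmdir whose name sorts after it, assuming job names determine order as the 10/20/99 numbering suggests. The same construction appears in the earlier posting of this patch near the bottom of the page and in the two quoted copies in the replies.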
@@ -32,6 +32,11 @@ loop_decrypt() {
 --tty-echo-off
 
 [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
+ $(command -v cryptsetup) "luksClose $key"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
+ $(command -v losetup) "-d $loopdev"
 else
 info "Existing keyfile found, re-using it for $device"
 fi
-- 
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
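Review bot: Both cleanup jobs are queued only after `[ -b $key ] || die ...` has passed, so if die does not return, a failed luksOpen leaves the loop device that losetup attached a few lines above (outside the hunk) bound to the key container with nothing queued to detach it. Register the `losetup -d` job directly after the losetup call succeeds and the `luksClose` job directly after the `-b` check, so each resource has its release queued as soon as it exists. `$(basename $key)` and `$(basename $loopdev)` in the `--name` arguments are unquoted, matching the rest of the function, and should be quoted with it. The earlier posting of this patch further down the page carries the same two hunks.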
* Re: [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314711391-7149-4-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-31 8:51 ` Amadeusz Żołnowski 2011-08-31 9:29 ` Amadeusz Żołnowski 0 siblings, 1 reply; 7+ messages in thread
From: Amadeusz Żołnowski @ 2011-08-31 8:51 UTC (permalink / raw)
To: initramfs [-- Attachment #1: Type: text/plain, Size: 2002 bytes --]
Excerpts from Leho Kraav's message of 2011-08-30 15:36:31 +0200:
> ---
> modules.d/90crypt/crypt-lib.sh | 3 +++
> modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
> 2 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
> index b04512f..3095774 100755
> --- a/modules.d/90crypt/crypt-lib.sh
> +++ b/modules.d/90crypt/crypt-lib.sh
> @@ -225,6 +225,9 @@ readkey() {
> if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
> . /lib/dracut-crypt-loop-lib.sh
> loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
> + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
> + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
> + return 0
> else
> die "No loop file support to decrypt '$keypath' on '$keydev'."
> fi
> diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
> index 63a553c..6774e7d 100644
> --- a/modules.d/91crypt-loop/crypt-loop-lib.sh
> +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
> @@ -32,6 +32,11 @@ loop_decrypt() {
> --tty-echo-off
>
> [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
> +
> + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
> + $(command -v cryptsetup) "luksClose $key"
> + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
> + $(command -v losetup) "-d $loopdev"
> else
> info "Existing keyfile found, re-using it for $device"
> fi
Always a bit better to use built-ins: basename "$x" == echo "${x#**/}"
-- 
Amadeusz Żołnowski PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy 2011-08-31 8:51 ` Amadeusz Żołnowski @ 2011-08-31 9:29 ` Amadeusz Żołnowski 0 siblings, 0 replies; 7+ messages in thread
From: Amadeusz Żołnowski @ 2011-08-31 9:29 UTC (permalink / raw)
To: initramfs [-- Attachment #1: Type: text/plain, Size: 2194 bytes --]
Excerpts from Amadeusz Żołnowski's message of 2011-08-31 10:51:37 +0200:
> Excerpts from Leho Kraav's message of 2011-08-30 15:36:31 +0200:
> > ---
> > modules.d/90crypt/crypt-lib.sh | 3 +++
> > modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
> > 2 files changed, 8 insertions(+), 0 deletions(-)
> >
> > diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
> > index b04512f..3095774 100755
> > --- a/modules.d/90crypt/crypt-lib.sh
> > +++ b/modules.d/90crypt/crypt-lib.sh
> > @@ -225,6 +225,9 @@ readkey() {
> > if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
> > . /lib/dracut-crypt-loop-lib.sh
> > loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
> > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
> > + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
> > + return 0
> > else
> > die "No loop file support to decrypt '$keypath' on '$keydev'."
> > fi
> > diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
> > index 63a553c..6774e7d 100644
> > --- a/modules.d/91crypt-loop/crypt-loop-lib.sh
> > +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
> > @@ -32,6 +32,11 @@ loop_decrypt() {
> > --tty-echo-off
> >
> > [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
> > +
> > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
> > + $(command -v cryptsetup) "luksClose $key"
> > + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
> > + $(command -v losetup) "-d $loopdev"
> > else
> > info "Existing keyfile found, re-using it for $device"
> > fi
>
> Always a bit better to use built-ins:
>
> basename "$x" == echo "${x#**/}"
Ups. echo ${x##*/}, of course :-)
-- 
Amadeusz Żołnowski PGP key fpr: C700 CEDE 0C18 212E 49DA 4653 F013 4531 E1DB FAB5 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
@ 2011-08-22 12:39 Leho Kraav
From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 15 +++++++++++
2 files changed, 55 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..2616b9b
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,15 @@
+check() {
+ [ -n $hostonly ] || return 1
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
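Review bot: `[ -n $hostonly ] || return 1` never returns 1: when `$hostonly` is unset or empty the expansion disappears and `[ -n ]` is the one-argument form of test, which checks that the literal string `-n` is non-empty and is therefore always true, so the guard does not restrict anything. Quote the expansion, `[ -n "$hostonly" ] || return 1`, if the intent is to limit the module to host-only images. The later posting of this file at the top of the page drops the line instead.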
--
1.7.6
* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-22 12:39 ` Leho Kraav 0 siblings, 0 replies; 7+ messages in thread
From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav
---
modules.d/90crypt/crypt-lib.sh | 3 +++
modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index b04512f..3095774 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -225,6 +225,9 @@ readkey() {
 if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
 . /lib/dracut-crypt-loop-lib.sh
 loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
+ $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
+ return 0
 else
 die "No loop file support to decrypt '$keypath' on '$keydev'."
 fi
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
index 63a553c..6774e7d 100644
--- a/modules.d/91crypt-loop/crypt-loop-lib.sh
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -32,6 +32,11 @@ loop_decrypt() {
 --tty-echo-off
 
 [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
+ $(command -v cryptsetup) "luksClose $key"
+ initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
+ $(command -v losetup) "-d $loopdev"
 else
 info "Existing keyfile found, re-using it for $device"
 fi
-- 
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread