* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
@ 2011-08-22 12:39 Leho Kraav
From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 15 +++++++++++
2 files changed, 55 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
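Review bot: `local loopdev=$(losetup -f "${mntp}/${keypath}" --show)` masks losetup's exit status, so when attaching the loop device fails `loopdev` is empty and the prompt goes on to run `cryptsetup -d - luksOpen  <name>` with the loop device missing from the argument list. Split the declaration so the failure is caught: `local loopdev` then `loopdev=$(losetup -f "${mntp}/${keypath}" --show) || die "Cannot set up loop device for $keypath"`. On the later `die` path the loop device attached a few lines above is left behind; detaching it with `losetup -d "$loopdev"` before dying keeps the failure state clean. The `$key` and `$mntp` expansions in `[ -b $key ]`, `basename $mntp` and `cat $key` should also be double-quoted, since the mapper name is derived from a path the function does not control.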
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..2616b9b
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,15 @@
+check() {
+ [ -n $hostonly ] || return 1
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
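Review bot: `return 255` in `check()` carries no comment, and the value only makes sense to a reader who already knows dracut's check() convention. Add a line above it such as `# 255: not installed by default; pulled in only when requested or when another module depends on it` (that is how I read dracut's convention for this return value; worth confirming against the module documentation in this tree).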
--
1.7.6
* [PATCH 2/4] 90crypt: recognize .img as loop key container [not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> @ 2011-08-22 12:39 ` Leho Kraav 2011-08-22 12:39 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav ` (2 subsequent siblings) 3 siblings, 0 replies; 6+ messages in thread From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav --- modules.d/90crypt/crypt-lib.sh | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index 69f14d0..75b74a8 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -214,6 +214,14 @@ readkey() { die "No GPG support to decrypt '$keypath' on '$keydev'." fi ;; + img) + if [ -f /lib/dracut-crypt-loop-lib.sh ]; then + . /lib/dracut-crypt-loop-lib.sh + loop_decrypt "$mntp" "$keypath" "$keydev" "$device" + else + die "No loop file support to decrypt '$keypath' on '$keydev'." + fi + ;; *) cat "$mntp/$keypath" ;; esac -- 1.7.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
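Review bot: After `loop_decrypt` returns in the new `img)` arm, the loop device it attached is still backed by a file under `$mntp`, and `readkey` goes on to `umount "$mntp"` unconditionally after the `esac` (outside this hunk), so that unmount fails with a busy mount and the key device stays mounted. Either tear down the mapper and loop devices inside this arm once the key has been read, or defer the unmount until they are detached. A one-line comment on the arm, `# .img: LUKS-encrypted loop container that holds the actual key`, would also help, since the file suffix is the only thing that selects this path.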
* [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting [not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2011-08-22 12:39 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav @ 2011-08-22 12:39 ` Leho Kraav 2011-08-22 12:39 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav 2011-08-22 12:59 ` [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container Harald Hoyer 3 siblings, 0 replies; 6+ messages in thread From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav Combining $keydev and $keypath should result in a unique, re-usable keydev mountpoint. mkuniqdir doesn't seem to have any an advantage here and lacks reusability. Is there ever a use case where these are true: * there are more than one rd.luks.key=$keypath:$keydev * one is actually different from the other --- modules.d/90crypt/crypt-lib.sh | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index 75b74a8..b04512f 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -202,8 +202,15 @@ readkey() { local keydev="$2" local device="$3" - local mntp=$(mkuniqdir /mnt keydev) - mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' + # This creates a unique single mountpoint for *, or several for explicitly + # given LUKS devices. It accomplishes unlocking multiple LUKS devices with + # a single password entry. + local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')" + + if [ ! -d "$mntp" ]; then + mkdir "$mntp" + mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' + fi case "${keypath##*.}" in gpg) 
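Review bot: `[ ! -d "$mntp" ]` treats the existence of the directory as proof that `$keydev` is mounted there, but a directory created by the preceding `mkdir` whose `mount` then failed, or one left over from an earlier call, makes the next call skip the mount and read the key from an empty directory. Test the mount itself rather than the directory, e.g. `if ! ismounted "$mntp"; then mkdir -p "$mntp" || die "Cannot create $mntp"; mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'; fi`, using dracut-lib's `ismounted` if it is available in this tree. The string handed to `str_replace` comes straight from the kernel command line and only `/` is mapped out of it, so every later use of `$mntp` has to stay double-quoted.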
@@ -225,6 +232,8 @@ readkey() { *) cat "$mntp/$keypath" ;; esac + # General unmounting mechanism, modules doing custom cleanup should return earlier + # and install a pre-pivot cleanup hook umount "$mntp" rmdir "$mntp" } -- 1.7.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy [not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> 2011-08-22 12:39 ` [PATCH 2/4] 90crypt: recognize .img as loop key container Leho Kraav 2011-08-22 12:39 ` [PATCH 3/4] 90crypt: enhance crypt-lib keydev mounting Leho Kraav @ 2011-08-22 12:39 ` Leho Kraav 2011-08-22 12:59 ` [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container Harald Hoyer 3 siblings, 0 replies; 6+ messages in thread From: Leho Kraav @ 2011-08-22 12:39 UTC (permalink / raw) To: initramfs-u79uwXL29TY76Z2rM5mHXA; +Cc: Leho Kraav --- modules.d/90crypt/crypt-lib.sh | 3 +++ modules.d/91crypt-loop/crypt-loop-lib.sh | 5 +++++ 2 files changed, 8 insertions(+), 0 deletions(-) diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index b04512f..3095774 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -225,6 +225,9 @@ readkey() { if [ -f /lib/dracut-crypt-loop-lib.sh ]; then . /lib/dracut-crypt-loop-lib.sh loop_decrypt "$mntp" "$keypath" "$keydev" "$device" + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \ + $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp" + return 0 else die "No loop file support to decrypt '$keypath' on '$keydev'." fi diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh index 63a553c..6774e7d 100644 --- a/modules.d/91crypt-loop/crypt-loop-lib.sh +++ b/modules.d/91crypt-loop/crypt-loop-lib.sh 
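Review bot: The cleanup job hands `initqueue` a command line that is re-parsed as shell when it runs (the embedded `"$mntp; "` depends on exactly that), so `$mntp` ends up in the job text unquoted, and a mount point containing whitespace or shell metacharacters, which `str_replace` only strips `/` from, is split or reinterpreted at cleanup time. Quote the path inside the job text, e.g. `$(command -v umount) "'$mntp'; " $(command -v rmdir) "'$mntp'"`, and write the job name as `"crypt-loop-cleanup-99-$(basename "$mntp")"`. The same applies to `$key` and `$loopdev` in the two jobs added to crypt-loop-lib.sh in this patch.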
@@ -32,6 +32,11 @@ loop_decrypt() { --tty-echo-off [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" + + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \ + $(command -v cryptsetup) "luksClose $key" + initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \ + $(command -v losetup) "-d $loopdev" else info "Existing keyfile found, re-using it for $device" fi -- 1.7.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container [not found] ` <1314016750-9655-1-git-send-email-leho-BFEd76tUscAAvxtiuMwx3w@public.gmane.org> ` (2 preceding siblings ...) 2011-08-22 12:39 ` [PATCH 4/4] 91crypt-loop: use initqueue for cleanup strategy Leho Kraav @ 2011-08-22 12:59 ` Harald Hoyer 3 siblings, 0 replies; 6+ messages in thread From: Harald Hoyer @ 2011-08-22 12:59 UTC (permalink / raw) To: Leho Kraav; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA On 22.08.2011 14:39, Leho Kraav wrote: > +++ b/modules.d/91crypt-loop/module-setup.sh > @@ -0,0 +1,15 @@ > +check() { > + [ -n $hostonly ] || return 1 any reason, why it's only valid for hostonly setups? you might also want to use bash syntax in module-setup.sh reading: [[ $hostonly ]] || return 1 ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/4] 91crypt-loop: open root device with a key inside encrypted loop container
@ 2011-08-30 13:36 Leho Kraav
0 siblings, 0 replies; 6+ messages in thread
From: Leho Kraav @ 2011-08-30 13:36 UTC (permalink / raw)
To: initramfs-u79uwXL29TY76Z2rM5mHXA
---
modules.d/91crypt-loop/crypt-loop-lib.sh | 40 ++++++++++++++++++++++++++++++
modules.d/91crypt-loop/module-setup.sh | 14 ++++++++++
2 files changed, 54 insertions(+), 0 deletions(-)
create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
create mode 100644 modules.d/91crypt-loop/module-setup.sh
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+ local mntp="$1"
+ local keypath="$2"
+ local keydev="$3"
+ local device="$4"
+
+ local key="/dev/mapper/$(basename $mntp)"
+
+ if [ ! -b $key ]; then
+ info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+ local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+ local opts="-d - luksOpen $loopdev $(basename $key)"
+
+ ask_for_password \
+ --cmd "cryptsetup $opts" \
+ --prompt "Password ($keypath on $keydev for $device)" \
+ --tty-echo-off
+
+ [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!"
+ else
+ info "Existing keyfile found, re-using it for $device"
+ fi
+
+ cat $key
+}
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..8170694
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,14 @@
+check() {
+ type -P losetup >/dev/null || return 1
+
+ return 255
+}
+
+depends() {
+ echo crypt
+}
+
+install() {
+ dracut_install losetup
+ inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
--
1.7.6
^ permalink raw reply related [flat|nested] 6+ messages in thread