SVN: geninitrd/trunk: ChangeLog Makefile geninitrd mod-luks.sh

glen glen at pld-linux.org
Thu Nov 13 00:41:48 CET 2008


Author: glen
Date: Thu Nov 13 00:41:47 2008
New Revision: 9986

Added:
   geninitrd/trunk/mod-luks.sh
Modified:
   geninitrd/trunk/ChangeLog
   geninitrd/trunk/Makefile
   geninitrd/trunk/geninitrd
Log:
- put cryptsetup luks related files into separate file

Modified: geninitrd/trunk/ChangeLog
==============================================================================
--- geninitrd/trunk/ChangeLog	(original)
+++ geninitrd/trunk/ChangeLog	Thu Nov 13 00:41:47 2008
@@ -1,3 +1,22 @@
+2008-11-12 23:07 +0000 [r9984]  Elan Ruusamäe <glen/at/pld-linux.org>
+
+	* geninitrd: - cleanup: do not need LUKSNAME to pass around
+
+2008-11-12 21:24 +0000 [r9983]  Elan Ruusamäe <glen/at/pld-linux.org>
+
+	* geninitrd: - luks: add keyfile sypport - luks: process lukstab by
+	  device name not LUKSNAME as these might not match - luks: load
+	  aes and cbc modules
+
+2008-11-12 20:55 +0000 [r9982]  Elan Ruusamäe <glen/at/pld-linux.org>
+
+	* geninitrd: - move ramfs rootdev finding and mounting to
+	  initrd_gen_initramfs_switchroot function
+
+2008-11-10 10:26 +0000 [r9981]  Paweł Sikora <pluto/at/pld-linux.org>
+
+	* geninitrd: - do not touch linux-vdso gate.
+
 2008-11-10 02:36 +0000 [r9979]  Elan Ruusamäe <glen/at/pld-linux.org>
 
 	* geninitrd: - use /bin/cryptsetup on initrd

Modified: geninitrd/trunk/Makefile
==============================================================================
--- geninitrd/trunk/Makefile	(original)
+++ geninitrd/trunk/Makefile	Thu Nov 13 00:41:47 2008
@@ -1,6 +1,6 @@
 # when making release, make sure you do it as RELEASE document describes
 VERSION		:= 9000.16
-FILES		:= Makefile geninitrd.sysconfig geninitrd functions geninitrd.8 geninitrd.8.xml ChangeLog
+FILES		:= Makefile geninitrd.sysconfig geninitrd functions mod-luks.sh geninitrd.8 geninitrd.8.xml ChangeLog
 prefix		:= /usr
 mandir		:= $(prefix)/share/man
 sbindir		:= /sbin
@@ -14,6 +14,7 @@
 	install geninitrd $(DESTDIR)$(sbindir)/geninitrd
 	install -m644 geninitrd.8 $(DESTDIR)$(mandir)/man8/geninitrd.8
 	install -m644 functions $(DESTDIR)$(sysconfdir)/functions
+	install -m644 mod-luks.sh $(DESTDIR)$(sysconfdir)
 	install -m644 geninitrd.sysconfig $(DESTDIR)$(sysconfigdir)/geninitrd
 
 geninitrd.8: geninitrd.8.xml
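Review bot: The added install line names only a directory as its destination, whereas every neighbouring line spells out the target file, so a typo in `$(sysconfdir)` or a future rename of the module silently lands in a different place than the other files; for consistency write `install -m644 mod-luks.sh $(DESTDIR)$(sysconfdir)/mod-luks.sh`. The install recipe continues outside the hunk.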

Modified: geninitrd/trunk/geninitrd
==============================================================================
--- geninitrd/trunk/geninitrd	(original)
+++ geninitrd/trunk/geninitrd	Thu Nov 13 00:41:47 2008
@@ -73,9 +73,6 @@
 # VG for suspend resume dev
 SUSPENDVG=""
 
-# device to use for name for cryptsetup luks
-LUKSDEV=""
-
 # resume device
 resume_dev=""
 
@@ -87,8 +84,6 @@
 have_md=no
 # if we should init dmraid at boot
 have_dmraid=no
-# if we should init cryptsetup luks at boot
-have_luks=no
 # if we should init dm-multipath at boot
 have_multipath=no
 # dm-multipath wwid which is used for rootfs
@@ -688,31 +683,6 @@
 	return $rc
 }
 
-# return true if node is cryptsetup luks encrypted
-is_luks() {
-	local node="$1"
-	if [ ! -e "$node" ]; then
-		warn "is_luks(): node $node doesn't exist!"
-		return 1
-	fi
-
-	local dev dm_name=${node#/dev/mapper/}
-	if [ "$node" = "$dm_name" ]; then
-		debug "is_luks: $node is not device mapper name"
-		return 1
-	fi
-
-	dev=$(cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
-	cryptsetup isLuks $dev
-	rc=$?
-
-	if [ $rc = 0 ]; then
-		debug "is_luks: $node is cryptsetup luks"
-	else
-		debug "is_luks: $node is not cryptsetup luks"
-	fi
-	return $rc
-}
 
 # return dependencies MAJOR:MINOR [MAJOR:MINOR] for DM_NAME
 # TODO: patch `dmsetup export`
@@ -823,30 +793,6 @@
 }
 
 # find modules for $devpath
-find_modules_luks() {
-	local devpath="$1"
-	local dev
-
-	local name=${devpath#/dev/mapper/}
-	LUKSDEV=$(cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
-	if [ -z "$LUKSDEV" ]; then
-		die "Lost cryptsetup device meanwhile?"
-	fi
-
-	findmodule "dm-crypt"
-
-	# TODO: autodetect
-	findmodule "aes"
-	findmodule "cbc"
-
-	have_luks=yes
-
-	# recurse
-	find_modules_for_devpath $LUKSDEV
-	return 0
-}
-
-# find modules for $devpath
 find_modules_for_devpath() {
 	local devpath="$1"
 	if [ -z "$devpath" ]; then
@@ -1269,79 +1215,6 @@
 	EOF
 }
 
-key_is_random() {
-	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
-}
-
-# produce cryptsetup from $name from /etc/crypttab
-luks_crypttab() {
-	local LUKSDEV="$1"
-
-	# copy from /etc/rc.d/init.d/cryptsetup
-	local dst src key opt mode owner
-
-	while read dst src key opt; do
-		[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
-		[ "$src" != "$LUKSDEV" ] && continue
-
-		if [ -n "$key" -a "x$key" != "xnone" ]; then
-			if test -e "$key" ; then
-				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
-				owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
-				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
-					die "INSECURE MODE FOR $key"
-				fi
-				if [ "$owner" != root ]; then
-					die "INSECURE OWNER FOR $key"
-				fi
-			else
-				die "Key file for $dst not found"
-			fi
-		else
-			key=""
-		fi
-
-		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
-			if key_is_random "$key"; then
-				die "$dst: LUKS requires non-random key, skipping"
-			fi
-			if [ -n "$opt" ]; then
-				warn "$dst: options are invalid for LUKS partitions, ignoring them"
-			fi
-			if [ "$key" ]; then
-				keyfile=/etc/.$dst.key
-				inst $key $keyfile
-			fi
-
-			debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
-			add_linuxrc <<-EOF
-			cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
-
-			debugshell
-			EOF
-		else
-			die "$dst: only LUKS encryption supported"
-		fi
-	done < /etc/crypttab
-}
-
-initrd_gen_luks() {
-	if [ ! -x /sbin/cryptsetup-initrd ]; then
-		die "/sbin/cryptsetup-initrd is missing!"
-	fi
-
-	inst_d /bin
-	inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup
-
-	mount_dev
-	mount_sys
-	initrd_gen_devices
-	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?
-
-	debug "luks: process /etc/crypttab $LUKSDEV"
-	luks_crypttab $LUKSDEV
-}
-
 initrd_gen_bootsplash() {
 	local target="$1"
 
@@ -1822,9 +1695,8 @@
 	USE_DMRAID=yes
 fi
 
-if [ -x /sbin/cryptsetup ]; then
-	USE_LUKS=yes
-fi
+# cryptsetup luks addon
+. /etc/geninitrd/mod-luks.sh
 
 if [ -x /sbin/multipath ]; then
 	USE_MULTIPATH=yes

Added: geninitrd/trunk/mod-luks.sh
==============================================================================
--- (empty file)
+++ geninitrd/trunk/mod-luks.sh	Thu Nov 13 00:41:47 2008
@@ -0,0 +1,147 @@
+#!/bin/sh
+#
+# geninitrd mod: cryptsetup luks
+
+# true if root device is crypted with cryptsetup luks
+# and we should init cryptsetup luks at boot
+have_luks=no
+
+if [ -x /sbin/cryptsetup ]; then
+	USE_LUKS=yes
+else
+	USE_LUKS=no
+fi
+
+# device to use for name for cryptsetup luks
+LUKSDEV=""
+
+# return true if node is cryptsetup luks encrypted
+# @param	string $node device node to be examined
+# @access	public
+is_luks() {
+	local node="$1"
+	if [ ! -e "$node" ]; then
+		warn "is_luks(): node $node doesn't exist!"
+		return 1
+	fi
+
+	local dev dm_name=${node#/dev/mapper/}
+	if [ "$node" = "$dm_name" ]; then
+		debug "is_luks: $node is not device mapper name"
+		return 1
+	fi
+
+	dev=$(cryptsetup status $dm_name 2>/dev/null | awk '/device:/{print $2}')
+	cryptsetup isLuks $dev
+	rc=$?
+
+	if [ $rc = 0 ]; then
+		debug "is_luks: $node is cryptsetup luks"
+	else
+		debug "is_luks: $node is not cryptsetup luks"
+	fi
+	return $rc
+}
+
+# find modules for $devpath
+# @param	$devpath	device to be examined
+# @access	public
+find_modules_luks() {
+	local devpath="$1"
+	local dev
+
+	local name=${devpath#/dev/mapper/}
+	LUKSDEV=$(cryptsetup status $name 2>/dev/null | awk '/device:/{print $2}')
+	if [ -z "$LUKSDEV" ]; then
+		die "Lost cryptsetup device meanwhile?"
+	fi
+
+	findmodule "dm-crypt"
+
+	# TODO: autodetect
+	findmodule "aes"
+	findmodule "cbc"
+
+	have_luks=yes
+
+	# recurse
+	find_modules_for_devpath $LUKSDEV
+}
+
+
+# generate initrd fragment for cryptsetup luks init
+# @access	public
+initrd_gen_luks() {
+	if [ ! -x /sbin/cryptsetup-initrd ]; then
+		die "/sbin/cryptsetup-initrd is missing!"
+	fi
+
+	inst_d /bin
+	inst_exec /sbin/cryptsetup-initrd /bin/cryptsetup
+
+	mount_dev
+	mount_sys
+	initrd_gen_devices
+	# TODO: 'udevadm settle' is called by lukssetup, is udev optional?
+
+	debug "luks: process /etc/crypttab $LUKSDEV"
+	luks_crypttab $LUKSDEV
+}
+
+
+# PRIVATE METHODS
+key_is_random() {
+	[ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" -o "$1" = "/dev/random" ]
+}
+
+# produce cryptsetup from $name from /etc/crypttab
+luks_crypttab() {
+	local LUKSDEV="$1"
+
+	# copy from /etc/rc.d/init.d/cryptsetup
+	local dst src key opt mode owner
+
+	while read dst src key opt; do
+		[ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
+		[ "$src" != "$LUKSDEV" ] && continue
+
+		if [ -n "$key" -a "x$key" != "xnone" ]; then
+			if test -e "$key" ; then
+				mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+				owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
+				if [ "$mode" != "------" ] && ! key_is_random "$key"; then
+					die "INSECURE MODE FOR $key"
+				fi
+				if [ "$owner" != root ]; then
+					die "INSECURE OWNER FOR $key"
+				fi
+			else
+				die "Key file for $dst not found"
+			fi
+		else
+			key=""
+		fi
+
+		if /sbin/cryptsetup isLuks "$src" 2>/dev/null; then
+			if key_is_random "$key"; then
+				die "$dst: LUKS requires non-random key, skipping"
+			fi
+			if [ -n "$opt" ]; then
+				warn "$dst: options are invalid for LUKS partitions, ignoring them"
+			fi
+			if [ "$key" ]; then
+				keyfile=/etc/.$dst.key
+				inst $key $keyfile
+			fi
+
+			debug "+ cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst'"
+			add_linuxrc <<-EOF
+			cryptsetup ${keyfile:+-d $keyfile} luksOpen '$src' '$dst' <&1
+
+			debugshell
+			EOF
+		else
+			die "$dst: only LUKS encryption supported"
+		fi
+	done < /etc/crypttab
+}
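Review bot: In luks_crypttab, `keyfile` is neither in the `local` list nor reset per iteration, so it leaks out of the function and, when more than one crypttab entry matches `$LUKSDEV`, an entry without a key inherits the previous entry's `-d $keyfile`; declare it with `local dst src key opt mode owner keyfile` and clear it with `keyfile=` at the top of the loop body. The owner check reads `ls -l $key` unquoted while the mode check quotes it, and `read dst src key opt` lacks `-r`, so a key path containing whitespace or a backslash is mis-parsed before the mode/owner checks run. Since `inst $key $keyfile` copies the key into the initrd image, the strict mode/owner check on the source file only holds if the generated image is written with equally restrictive permissions — this file does not show how the image is created, so that assumption should be stated in the `initrd_gen_luks` header comment.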

