[projects/geninitrd] luks: initial support for luks2 tokens

atler atler at pld-linux.org
Wed Sep 28 18:47:38 CEST 2022


commit ddf87c79b74022a30cec286191d31d186be184cf
Author: Jan Palus <atler at pld-linux.org>
Date:   Wed Sep 28 18:42:21 2022 +0200

    luks: initial support for luks2 tokens
    
    tested with a fido2 token only. to disable, set USE_LUKS_TOKEN=no
    
    systemd fido2 and tpm2 tokens need dlopened libraries for respective
    functionality (systemd avoids hard dependency on external deps)

 mod-luks.sh | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
---
diff --git a/mod-luks.sh b/mod-luks.sh
index 94b6499..468489a 100644
--- a/mod-luks.sh
+++ b/mod-luks.sh
@@ -117,7 +117,7 @@ luks_crypttab() {
 	local LUKSNAME="$1"
 
 	# copy from /etc/rc.d/init.d/cryptsetup
-	local dst src key opt mode owner failsafe
+	local dst src key opt mode owner failsafe token libdir cryptdir
 
 	while read dst src key opt; do
 		[ "$dst" != "$LUKSNAME" ] && continue
@@ -153,6 +153,33 @@ luks_crypttab() {
 				keyfile=/etc/.$dst.key
 				inst $key $keyfile
 			fi
+			for libdir in $(get_libdir /usr/LIBDIR); do
+				if [ -d $libdir/cryptsetup ]; then
+					cryptdir=$libdir/cryptsetup
+					break
+				fi
+			done
+			if ! is_no "$USE_LUKS_TOKEN" && [ -n "$cryptdir" ]; then
+				for token in $(/sbin/cryptsetup luksDump $src | sed -n -e '/^Tokens:/,/^[^[:space:]]/ { /^[[:space:]]*[[:digit:]]*:/ { s/^[[:space:]]*[[:digit:]]*:[[:space:]]*// p } }'); do
+					verbose "Found cryptsetup token: $token"
+					case "$token" in
+						systemd-fido2)
+							inst_d $cryptdir
+							inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+							inst_exec $libdir/libfido2.so.1 $libdir
+							;;
+						systemd-tpm2)
+							inst_d $cryptdir
+							inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+							inst_exec $libdir/libtss2-esys.so.0 $libdir/libtss2-rc.so.0 $libdir/libtss2-mu.so.0 $libdir
+							;;
+						*)
+							inst_d $cryptdir
+							inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
+							;;
+					esac
+				done
+			fi
 
 			crypttab_opt=""
 			old_IFS="$IFS"
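Review bot: The token type strings scraped from `cryptsetup luksDump` on the `for token in $(...)` line go unvalidated into the plugin path `$cryptdir/libcryptsetup-token-$token.so`, and the `*)` arm hands that path to `inst_exec` for every unknown type whether or not such a plugin file exists (how `inst_exec` reacts to a missing file is not visible here). The three `case` arms also repeat the same `inst_d`/`inst_exec` pair, so the common part can be hoisted ahead of the `case`, together with a character filter on the name and an existence check, as in the excerpt below. Whether `inst_exec` also pulls in the transitive dependencies of `libfido2.so.1` and the `libtss2-*` libraries cannot be told from this hunk; if it only copies the named files, the fido2/tpm2 arms may still leave the initrd short of libraries. `luks_crypttab` starts and ends outside this hunk.
```shell
				# … unchanged: for token in $(/sbin/cryptsetup luksDump $src | sed …); do …
					verbose "Found cryptsetup token: $token"
					case "$token" in
						""|*[!A-Za-z0-9_-]*)
							verbose "Ignoring unexpected cryptsetup token type: $token"
							continue
							;;
					esac
					if [ ! -f "$cryptdir/libcryptsetup-token-$token.so" ]; then
						verbose "No plugin for cryptsetup token type $token, skipping"
						continue
					fi
					inst_d $cryptdir
					inst_exec $cryptdir/libcryptsetup-token-$token.so $cryptdir
					case "$token" in
						systemd-fido2)
							inst_exec $libdir/libfido2.so.1 $libdir
							;;
						systemd-tpm2)
							inst_exec $libdir/libtss2-esys.so.0 $libdir/libtss2-rc.so.0 $libdir/libtss2-mu.so.0 $libdir
							;;
					esac
				done
```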
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/geninitrd.git/commitdiff/ddf87c79b74022a30cec286191d31d186be184cf


