mkinitcpio `encrypt` hooks (runtime hook plus its install script) extended to accept a gpg-encrypted LUKS keyfile; background discussion: https://bbs.archlinux.org/viewtopic.php?pid=943338#p943338
#!/usr/bin/ash | |
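# mkinitcpio runtime hook: open the encrypted root device (LUKS, or plain
# dm-crypt via crypto=) using, in order of preference, a gpg-encrypted keyfile,
# a plain keyfile, or an interactive passphrase.
#
# Kernel command-line parameters consumed (they arrive as shell variables):
#   cryptkey=<dev>:<fstype>:<path>    keyfile read from a filesystem on <dev>;
#                                      a ".gpg" extension selects gpg decryption
#   cryptkey=<dev>:<offset>:<length>  raw bytes read from <dev> (numeric 2nd field)
#   cryptdevice=<dev>:<name>          encrypted device and the dm mapping name
#   root=<dev>                        deprecated form: <dev> is the encrypted volume
#   crypto=hash:cipher:keysize:offset:skip   plain (non-LUKS) dm-crypt parameters
#   quiet=y                           drop cryptsetup's stdout
#   rootdelay                         forwarded to poll_device
# poll_device, msg and err are provided by the initramfs init, not this file.
#
# Security notes:
#   * The keyfile is staged as /crypto_keyfile (or .gpg) on the initramfs root
#     and removed on every exit path of this hook, including the error exits.
#     The initramfs root is normally a RAM-backed rootfs, so the key should not
#     touch persistent storage — NOTE(review): confirm for your setup.
#   * The crypto= fields are passed to cryptsetup verbatim as arguments; the
#     original built a command string and eval'ed it.
#   * gpg's diagnostics are discarded (2>/dev/null), and the gpg path retries
#     until the mapping appears with no fallback to a passphrase (unchanged).
run_hook() {
    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
    # Without device-mapper there is nothing this hook can do.
    [ -e "/sys/class/misc/device-mapper" ] || return 0

    if [ ! -e "/dev/mapper/control" ]; then
        # /sys/.../dev holds "major:minor"; split it into the two mknod arguments.
        IFS=: read -r dm_major dm_minor < /sys/class/misc/device-mapper/dev
        /bin/mknod "/dev/mapper/control" c "${dm_major}" "${dm_minor}"
    fi

    # Run cryptsetup, dropping its stdout when quiet=y. This replaces the
    # original trick of eval'ing a ">/dev/null" string, which the gpg branch
    # (which did not use eval) handed to cryptsetup as a literal argument.
    run_cryptsetup() {
        if [ "${quiet}" = "y" ]; then
            /sbin/cryptsetup "$@" >/dev/null
        else
            /sbin/cryptsetup "$@"
        fi
    }

    # Print the number of colon-separated fields in $1 (empty fields count).
    count_fields() {
        local rest="$1" n=1
        while [ "${rest#*:}" != "${rest}" ]; do
            rest="${rest#*:}"
            n=$((n + 1))
        done
        echo "${n}"
    }

    # Remove the staged key from the initramfs root; called on every exit path.
    wipe_keyfile() {
        rm -f "${ckeyfile}"
    }

    # Get keyfile if specified
    ckeyfile="/crypto_keyfile"
    usegpg="n"
    if [ -n "${cryptkey}" ]; then
        ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
        ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
        ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
        if poll_device "${ckdev}" ${rootdelay}; then
            case "${ckarg1}" in
                *[!0-9]*)
                    # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path.
                    # "##*." keeps only the last extension, so /keys/root.key.gpg
                    # (or a dot in a directory name) is still detected as gpg;
                    # the original "#*." stopped at the first dot.
                    if [ "${ckarg2##*.}" = "gpg" ]; then
                        ckeyfile="${ckeyfile}.gpg"
                        usegpg="y"
                    fi
                    mkdir -p /ckey
                    # Only copy and unmount when the mount actually succeeded.
                    if mount -r -t "${ckarg1}" "${ckdev}" /ckey; then
                        dd if="/ckey/${ckarg2}" of="${ckeyfile}" >/dev/null 2>&1
                        umount /ckey
                    fi
                    ;;
                *)
                    # ckarg1 is numeric: ckarg1=offset, ckarg2=length; read raw
                    # bytes straight from the block device.
                    dd if="${ckdev}" of="${ckeyfile}" bs=1 skip="${ckarg1}" count="${ckarg2}" >/dev/null 2>&1
                    ;;
            esac
        fi
        [ -f "${ckeyfile}" ] || echo "Keyfile could not be opened. Reverting to passphrase."
    fi

    if [ -n "${cryptdevice}" ]; then
        DEPRECATED_CRYPT=0
        cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
        cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
    else
        # Legacy syntax: root= names the encrypted volume itself.
        DEPRECATED_CRYPT=1
        cryptdev="${root}"
        cryptname="root"
    fi

    warn_deprecated() {
        echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
        echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
    }

    # After a successful open: point root= at the mapping for the legacy syntax,
    # or abort (wiping the key) if the mapping never appeared.
    finish_mapping() {
        if [ -e "/dev/mapper/${cryptname}" ]; then
            if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                export root="/dev/mapper/root"
            fi
        else
            err "Password succeeded, but ${cryptname} creation failed, aborting..."
            wipe_keyfile
            exit 1
        fi
    }

    if poll_device "${cryptdev}" ${rootdelay}; then
        if /sbin/cryptsetup isLuks "${cryptdev}" >/dev/null 2>&1; then
            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
            dopassphrase=1
            # If keyfile exists, try to use that
            if [ -f "${ckeyfile}" ]; then
                if [ "${usegpg}" = "y" ]; then
                    # gpg tty fixup: make /dev/tty refer to the console for the
                    # duration of the gpg prompt, restoring it afterwards.
                    if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
                    cp -a /dev/console /dev/tty
                    # Retries until the mapping exists; a wrong gpg passphrase
                    # simply prompts again. There is no fallback to a LUKS
                    # passphrase on this path.
                    while [ ! -e "/dev/mapper/${cryptname}" ]; do
                        sleep 2
                        /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null \
                            | run_cryptsetup --key-file=- luksOpen "${cryptdev}" "${cryptname}"
                        dopassphrase=0
                    done
                    rm /dev/tty
                    if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
                else
                    if run_cryptsetup --key-file "${ckeyfile}" luksOpen "${cryptdev}" "${cryptname}"; then
                        dopassphrase=0
                    else
                        echo "Invalid keyfile. Reverting to passphrase."
                    fi
                fi
            fi
            # Ask for a passphrase
            if [ ${dopassphrase} -gt 0 ]; then
                echo ""
                echo "A password is required to access the ${cryptname} volume:"
                # loop until we get a real password
                while ! run_cryptsetup luksOpen "${cryptdev}" "${cryptname}"; do
                    sleep 2
                done
            fi
            finish_mapping
        elif [ -n "${crypto}" ]; then
            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
            msg "Non-LUKS encrypted device found..."
            # The original tested "$#" — this hook's own argument count, which is
            # never 5 — so the non-LUKS path always bailed out. Count the fields
            # of crypto= instead (empty fields are allowed and skipped below).
            if [ "$(count_fields "${crypto}")" -ne 5 ]; then
                err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                err "Non-LUKS decryption not attempted..."
                wipe_keyfile
                return 1
            fi
            # Build the cryptsetup argument list in the positional parameters
            # (ash has no arrays) instead of a string for eval, so each field
            # is passed exactly as given. Only run_hook's own $@ is clobbered.
            set -- create "${cryptname}" "${cryptdev}"
            tmp="$(echo "${crypto}" | cut -d: -f1)"
            [ -n "${tmp}" ] && set -- "$@" --hash "${tmp}"
            tmp="$(echo "${crypto}" | cut -d: -f2)"
            [ -n "${tmp}" ] && set -- "$@" --cipher "${tmp}"
            tmp="$(echo "${crypto}" | cut -d: -f3)"
            [ -n "${tmp}" ] && set -- "$@" --key-size "${tmp}"
            tmp="$(echo "${crypto}" | cut -d: -f4)"
            [ -n "${tmp}" ] && set -- "$@" --offset "${tmp}"
            tmp="$(echo "${crypto}" | cut -d: -f5)"
            [ -n "${tmp}" ] && set -- "$@" --skip "${tmp}"
            if [ -f "${ckeyfile}" ]; then
                set -- "$@" --key-file "${ckeyfile}"
            else
                set -- "$@" --verify-passphrase
                echo ""
                echo "A password is required to access the ${cryptname} volume:"
            fi
            if ! run_cryptsetup "$@"; then
                err "Non-LUKS device decryption failed. verify format: "
                err " crypto=hash:cipher:keysize:offset:skip"
                wipe_keyfile
                exit 1
            fi
            finish_mapping
        else
            err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
        fi
    fi
    wipe_keyfile
}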
#!/bin/bash | |
# mkinitcpio install hook: assemble everything the runtime hook needs inside
# the image — dm-crypt plus the crypto modules, cryptsetup/dmsetup, gpg, and
# the device-mapper udev rules — then register the runtime script.
# NOTE(review): only the gpg binary is copied; whatever gpg needs at runtime
# to read the keyfile (its home directory / keyring, and on newer versions an
# agent and pinentry) is not handled here — verify on the target system.
build() {
    local mod

    add_module dm-crypt
    # An explicit CRYPTO_MODULES list from mkinitcpio.conf wins; with none set,
    # every module under /crypto/ is included.
    if [[ -z $CRYPTO_MODULES ]]; then
        add_all_modules '/crypto/'
    else
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    fi

    add_dir "/dev/mapper"

    add_binary "cryptsetup"
    add_binary "dmsetup"
    add_binary "/usr/bin/gpg"

    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

    add_runscript
}
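# Help text shown by `mkinitcpio -H` for this hook.
# The original text told users to add /usr/bin/gpg to BINARIES, but build()
# in this same file already copies it with add_binary, so that step is
# redundant; the text now says so instead.
help () {
    cat <<HELPEOF
This hook allows for an encrypted root device with support for gpg encrypted key files.
To use gpg, the key file must have the extension .gpg and gpg must be installed.
This hook's build step copies /usr/bin/gpg into the image itself, so it does not
need to be listed in the BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
}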