Package: cryptsetup
Version: 2:1.1.3-4squeeze2
Severity: wishlist
Tags: patch

Hi,

I have a system where the root device is *not* encrypted, but another device *is* encrypted and mounted during boot. This device is unlocked during the "early" phase of cryptsetup, but at this point there is no SSH daemon running to allow remote unlocking without the console. If the device was the root device, or a resume device, then it would be unlocked during the initramfs stage, which allows an SSH daemon such as dropbear to be used to remotely unlock the device.

The attached patch adds a new option "initramfs" which allows arbitrary devices to be unlocked during the initramfs stage.

The patch applies cleanly to stable, testing, and unstable.

Cheers,

Hugh

-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=0a7d3b19-2450-4f9d-95ec-9d61f1e07f2b ro console=tty0 console=ttyS0,115200 debug

-- /etc/crypttab
# <target name> <source device>         <key file>      <options>
swap            /dev/vda5               /dev/urandom    swap
vdb_crypt       /dev/vdb                none            luks,initramfs

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/vda1 during installation
UUID=0a7d3b19-2450-4f9d-95ec-9d61f1e07f2b /               ext4    errors=remount-ro 0       1
# swap was on /dev/vda5 during installation
#UUID=7fa4b1ae-f150-44e4-8a9b-39d23689baf0 none            swap    sw              0       0
/dev/mapper/swap none            swap    sw              0       0
# /dev/mapper/vdb_crypt
UUID=22e77b9e-9e69-41b1-a4d8-14be9a8a325a /mnt            ext4    errors=remount-ro 0       2

-- lsmod
Module                  Size  Used by
loop                   11799  0
sha256_generic          8692  4
aes_x86_64              7340  4
aes_generic            25714  1 aes_x86_64
cbc                     2539  2
snd_pcm                60487  0
snd_timer              15598  1 snd_pcm
snd                    46526  2 snd_pcm,snd_timer
soundcore               4598  1 snd
joydev                  8459  0
psmouse                49985  0
snd_page_alloc          6249  1 snd_pcm
evdev                   7352  2
serio_raw               3752  0
pcspkr                  1699  0
i2c_piix4               8328  0
i2c_core               15819  1 i2c_piix4
virtio_balloon          2961  0
button                  4650  0
processor              29935  0
ext4                  288382  2
mbcache                 5050  1 ext4
jbd2                   67111  1 ext4
crc16                   1319  1 ext4
usbhid                 33292  0
hid                    63257  1 usbhid
dm_crypt               10664  2
dm_mod                 53946  5 dm_crypt
ata_generic             3239  0
virtio_net             10573  0
uhci_hcd               18521  0
ata_piix               21124  0
virtio_blk              4209  4
ehci_hcd               32097  0
libata                133776  2 ata_generic,ata_piix
floppy                 49087  0
thermal                11674  0
thermal_sys            11942  2 processor,thermal
scsi_mod              126725  1 libata
usbcore               123271  4 usbhid,uhci_hcd,ehci_hcd
nls_base                6377  1 usbcore
virtio_pci              5511  0
virtio_ring             3258  1 virtio_pci
virtio                  3309  4 virtio_balloon,virtio_net,virtio_blk,virtio_pci

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cryptsetup depends on:
ii  dmsetup                2:1.02.48-5   The Linux Kernel Device Mapper use
ii  libc6                  2.11.3-4      Embedded GNU C Library: Shared lib
ii  libdevmapper1.02.1     2:1.02.48-5   The Linux Kernel Device Mapper use
ii  libpopt0               1.16-1        lib for parsing cmdline parameters
ii  libuuid1               2.17.2-9      Universally Unique ID library

cryptsetup recommends no packages.

Versions of packages cryptsetup suggests:
ii  busybox                1:1.17.1-8    Tiny utilities for small and embed
pn  dosfstools             <none>        (no description available)
ii  initramfs-tools [linux-initra 0.98.8 tools for generating an initramfs
ii  udev                   164-3         /dev/ and hotplug management daemo

-- no debconf information
>From d13ff91c8b360360c8654d7805e0fb4f701e1959 Mon Sep 17 00:00:00 2001 From: Hugh Davenport <h...@davenport.net.nz> Date: Wed, 2 Jan 2013 14:18:36 +1300 Subject: [PATCH] crypttab: Add support for initramfs option The option "initramfs" allows a user to specify that a particular crypttab entry should be processed during the initramfs stage of booting, regardless of whether it is the root or resume device. The cryptroot-hook file is modified to search the crypttab file for entries with this option, and these are added to the conf file. The manpage documentation has been updated to reflect this new option. --- debian/doc/crypttab.xml | 11 ++++++++ debian/initramfs/cryptroot-hook | 55 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml index bd31377..015f89b 100644 --- a/debian/doc/crypttab.xml +++ b/debian/doc/crypttab.xml @@ -235,6 +235,17 @@ </varlistentry> <varlistentry> + <term><emphasis>initramfs</emphasis></term> + <listitem> + <simpara>The initramfs hook processes the root device, any resume devices + and any devices with the initramfs option set. These devices are processed + within the initramfs stage of boot, which allows the use of remote unlocking + using dropbear for example. + </simpara> + </listitem> + </varlistentry> + + <varlistentry> <term><emphasis>noearly</emphasis></term> <listitem> <simpara>The cryptsetup init scripts are invoked twice during the boot diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook index cffefe2..3823392 100644 --- a/debian/initramfs/cryptroot-hook +++ b/debian/initramfs/cryptroot-hook 
@@ -124,6 +124,58 @@ get_resume_devices() { return 0 } +get_initramfs_devices() { + local device target source key options candidates devices + + if [ ! -r /etc/crypttab ]; then + return 1 + fi + + candidates="$(grep -s '^[^#]' /etc/crypttab | \ + while read target source key options; do + if echo $options | grep -q "\binitramfs\b"; then + echo " /dev/mapper/$target" + fi + done;)" + + devices="" + count=0 + for device in $candidates; do + # Detect devices required by decrypt_derived + derived="$(grep "^${device#/dev/mapper/}\b.*decrypt_derived" /etc/crypttab 2>/dev/null | awk '{print $3}')" + if [ -n "$derived" ]; then + if grep -q "^$derived" /etc/crypttab; then + candidates="$candidates /dev/mapper/$derived" + else + echo "cryptsetup: WARNING: decrypt_derived device $derived not found in crypttab" >&2 + fi + fi + + device=$(canonical_device "$device") || return 0 + + # Weed out duplicates + dupe=0 + for opt in $devices; do + if [ "$device" = "$opt" ]; then + dupe=1 + fi + done + if [ $dupe -eq 1 ]; then + continue + fi + + # This device seems ok + devices="$devices $device" + count=$(( $count + 1 )) + done + + if [ $count -gt 0 ]; then + echo $devices + fi + + return 0 +} + node_is_in_crypttab() { local node node="$1" @@ -492,10 +544,11 @@ if [ -r /etc/crypttab ]; then echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2 fi resumedevs=$(get_resume_devices) + initramfsdevs=$(get_initramfs_devices) fi # Load the config opts and modules for each device -for dev in $rootdev $resumedevs; do +for dev in $rootdev $resumedevs $initramfsdevs; do if ! modules=$(add_device "$dev"); then echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2 continue -- 1.7.10.4
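Review bot: the new crypttab.xml entry describes when the device is processed but not what that requires of the entry: the option only moves the target into the initramfs device list, so its key file or keyscript has to be reachable from inside the initramfs (the root filesystem is not mounted yet at that point). The report's own example uses `none`, i.e. an interactive passphrase, which is the case dropbear-based remote unlocking serves; a sentence saying that an entry whose key lives on the root filesystem cannot be unlocked at this stage would save users from a boot that stalls on a missing key.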
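Review bot: in get_initramfs_devices the line `candidates="$candidates /dev/mapper/$derived"` inside `for device in $candidates` has no effect on the loop, because the word list is expanded once when the `for` starts, so a decrypt_derived key source that is not itself marked `initramfs` never gets added to `$devices`; collect derived devices in a separate variable and iterate until no new device appears so that chains are followed. In the same function, `device=$(canonical_device "$device") || return 0` returns success with an empty list as soon as one device fails to canonicalize, silently dropping every device collected before it; a warning to stderr plus `continue` keeps the rest. The test `echo $options | grep -q "\binitramfs\b"` also matches `initramfs` as a path component inside a `keyscript=` option; matching the comma-separated token, e.g. `case ",$options," in *,initramfs,*)`, avoids that. Finally, `derived`, `count`, `dupe` and `opt` are missing from the `local` list, so they leak into the caller's scope.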
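Review bot: `initramfsdevs` is consumed here, but nothing else in the patch knows about the `initramfs` token (the diffstat touches only crypttab.xml and cryptroot-hook, and add_device is unchanged), so the token travels unmodified into whatever parses these entries' options; please confirm that add_device and the boot-time scripts ignore an unrecognized option rather than warning or failing, or strip it before the entry reaches them. Since the entry stays in /etc/crypttab without `noauto` (the report's example is `luks,initramfs`), the early init scripts will also see the same target again after the initramfs has set it up; the manpage hunk should state that the already-active mapping is skipped at that point, as for root and resume entries.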
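The selection the report describes, choosing which crypttab targets the initramfs must set up, as an added example in POSIX sh that is neither the reporter's patch nor code from the cryptsetup package. It goes slightly beyond the report: the `initramfs` option is matched as a whole comma-separated token (so the word inside a `keyscript=` path does not count), and `keyscript=decrypt_derived` dependencies are followed transitively with a worklist, deduplicated, with a missing key source reported rather than aborting the run. The crypttab content and every target name and path in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this bug report; not the reporter's patch and not code
# from the cryptsetup package. It selects the crypttab targets that belong in
# the initramfs the way the "initramfs" option describes: match the option as
# a whole comma-separated token, then pull in every device those targets need
# through keyscript=decrypt_derived until nothing new appears. All target
# names and paths below are constructed for the demonstration.

# Constructed sample crypttab (fields: <target> <source> <key file> <options>).
# misc_crypt carries "initramfs" only inside a path, so it must NOT be chosen;
# data_crypt -> inter_crypt -> base_crypt is a dependency chain; logs_crypt
# depends on a target that is already selected; orphan_crypt names a key
# source that does not exist.
CRYPTTAB_SAMPLE='# constructed sample, not a real system
swap         /dev/vda5  /dev/urandom  swap
root_crypt   /dev/vda2  none          luks
vdb_crypt    /dev/vdb   none          luks,initramfs
data_crypt   /dev/vdc   inter_crypt   luks,keyscript=decrypt_derived,initramfs
logs_crypt   /dev/vdh   vdb_crypt     luks,keyscript=decrypt_derived,initramfs
inter_crypt  /dev/vdd   base_crypt    luks,keyscript=decrypt_derived
base_crypt   /dev/vde   none          luks
misc_crypt   /dev/vdf   none          luks,keyscript=/usr/share/initramfs/unlock.sh
orphan_crypt /dev/vdg   ghost_crypt   luks,keyscript=decrypt_derived,initramfs'

# has_option OPTIONS TOKEN: succeed only if TOKEN is one whole element of the
# comma-separated OPTIONS field. Wrapping both sides in commas is what keeps
# "initramfs" inside a keyscript path from matching.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# crypttab_entry CRYPTTAB TARGET: print the first non-comment line whose first
# field is TARGET; print nothing if there is none.
crypttab_entry() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 !~ /^#/ && $1 == t { print; exit }'
}

# in_list LIST NAME: succeed if NAME is one of the space-separated LIST
# (crypttab target names cannot contain whitespace, so this is safe).
in_list() {
    for item in $1; do
        [ "$item" = "$2" ] && return 0
    done
    return 1
}

# initramfs_targets CRYPTTAB TOKEN: print, space-separated and in discovery
# order, the targets that carry TOKEN plus every target they derive their key
# from, transitively. A worklist is used instead of appending to the list a
# "for" loop is already iterating, so chains of any length are followed; each
# target is emitted once; a missing key source is reported on stderr and the
# dependent target is still kept.
initramfs_targets() {
    crypttab=$1
    token=$2
    queue=$(printf '%s\n' "$crypttab" | grep -v '^[[:space:]]*#' |
        while read -r target source key options; do
            if [ -n "$target" ] && has_option "$options" "$token"; then
                printf '%s ' "$target"
            fi
        done)
    selected=""
    while [ -n "$queue" ]; do
        set -- $queue                 # pop the first queued target
        next=$1
        shift
        queue=$*
        if in_list "$selected" "$next"; then
            continue                  # already handled: duplicate dependency
        fi
        selected="$selected $next"
        set -- $(crypttab_entry "$crypttab" "$next")
        if [ $# -ge 4 ] && has_option "$4" keyscript=decrypt_derived; then
            if [ -n "$(crypttab_entry "$crypttab" "$3")" ]; then
                queue="$queue $3"     # key source must be set up first
            else
                echo "cryptsetup: WARNING: $next derives its key from $3, which is not in crypttab" >&2
            fi
        fi
    done
    printf '%s\n' "${selected# }"
}

# Demo on the constructed sample; on a real system you would pass
# "$(cat /etc/crypttab)" instead.
initramfs_targets "$CRYPTTAB_SAMPLE" initramfs
```

The order of the output is discovery order (the marked targets first, then their key sources), which is fine for building a device list; the hook still has to canonicalize each name and load the matching modules as it does for root and resume devices.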