tags 348147 moreinfo
thanks
hello david,
thanks a lot for your cryptowork.
based on it i nicely boot cryptoroot,
with this some rough edges, but works out with passphrase.
On Sun, 05 Feb 2006, David Härdeman wrote:
> I've attached an updated version of the previous patch. The changes are:
>
> * Adds support for cryptsetup-luks (see http://luks.endorphin.org/).
> LUKS support is now present in the regular Debian cryptsetup package.
> If root points at a partition with a luks header, it will be
> automagically recognized. This depends on support for luks detection
> in fstype in klibc (patch submitted upstream).
luks is great, i'm really happy how easy the cryptoroot setup is.
> * Adds support for changing variables in the main init script, this is
> performed by checking for the file /dev/.initramfs/source.me after
> running each script and sourcing it if it does. This is probably
> necessary if we ever want to support features such as ROOT=probe as it
> would require changing the ROOT variable as the real root is found.
nacked, this hack is ugly.
the form you envisaged to do it is really nonobvious.
the trouble is that you change the ROOT variable to NEWROOT from a
subscript. need to think of a better way to do this.
> * Uses the above feature to remove the cryptroot boot option and also
> makes changes to other files (such as lvm script) unnecessary.
hmm..
ahh ok that refers to the previous version of the patch.
> Index: initramfs-tools-quilt/hooks/cryptroot
> ===================================================================
> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
> +++ initramfs-tools-quilt/hooks/cryptroot 2006-02-05 00:11:39.000000000
> +0100
> @@ -0,0 +1,26 @@
> +#!/bin/sh
> +
> +PREREQ=""
> +
> +prereqs()
> +{
> + echo "$PREREQ"
> +}
> +
> +case $1 in
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +. /usr/share/initramfs-tools/hook-functions
> +
> +if [ -x "/sbin/cryptsetup" ]; then
> + copy_exec /sbin/cryptsetup /sbin
> + if [ -x "/etc/mkinitramfs/cryptgetpw" ]; then
> + copy_exec /etc/mkinitramfs/cryptgetpw /sbin
> + fi
> +fi
> +
> +exit 0
nice but missing essential crypto modules, see attached hook file.
also i'm real curious about that cryptgetpw, what's in there?
mounting usb stick for reading the key?
hmm that looks very much in the initrd-tools spirit where you
putted an script to get executed later.
> Index: initramfs-tools-quilt/init
> ===================================================================
> --- initramfs-tools-quilt.orig/init 2006-01-24 11:29:32.000000000 +0100
> +++ initramfs-tools-quilt/init 2006-02-05 00:12:17.000000000 +0100
> @@ -34,6 +34,8 @@
> export resume=${RESUME}
> export rootmnt=/root
> export debug=
> +export cryptopts=${CRYPTOPTS}
> +
> for x in $(cat /proc/cmdline); do
> case $x in
> init=*)
> @@ -65,6 +67,9 @@
> exec >/tmp/initramfs.debug 2>&1
> set -x
> ;;
> + cryptopts=*)
> + cryptopts=${x#cryptopts=}
> + ;;
> break=*)
> break=${x#break=}
> ;;
ok looks sane.
> Index: initramfs-tools-quilt/scripts/functions
> ===================================================================
> --- initramfs-tools-quilt.orig/scripts/functions 2006-01-24
> 13:11:16.000000000 +0100
> +++ initramfs-tools-quilt/scripts/functions 2006-02-05 00:12:56.000000000
> +0100
> @@ -162,6 +162,10 @@
> {
> for cs_x in ${runlist}; do
> ${initdir}/${cs_x}
> + if [ -e /dev/.initramfs/source.me ]; then
> + . /dev/.initramfs/source.me
> + rm -f /dev/.initramfs/source.me
> + fi
> done
> }
nack this is really strange, i had to triple look when that would be run.
> Index: initramfs-tools-quilt/scripts/local-premount/cryptroot
> ===================================================================
> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
> +++ initramfs-tools-quilt/scripts/local-premount/cryptroot 2006-02-05
> 00:13:58.000000000 +0100
that's too late the hook needs to be put in local-top.
> @@ -0,0 +1,99 @@
> +#!/bin/sh
> +
> +PREREQ=""
> +
> +prereqs()
> +{
> + echo "$PREREQ"
> +}
> +
> +case $1 in
> +# get pre-requisites
> +prereqs)
> + prereqs
> + exit 0
> + ;;
> +esac
> +
> +# Sanity checks
> +if [ "$FSTYPE" != "luks" -a -z "$cryptopts" ]; then
$FSTYPE is not exported so the check fails at this stage,
also this seems to only work if luks and cryptopts are set,
which seems not to match the code below.
> + # Apparently the root partition isn't encrypted
> + exit 0
> +elif [ ! -x "/sbin/cryptsetup" ]; then
> + echo "$0: no cryptsetup present"
> + exit 0
> +fi
> +
> +# There are two possible scenarios here:
> +#
> +# 1) The fstype of the root device has been identified as "luks"
> +# 2) The fstype is not "luks" but cryptopts has been set
> +#
> +# The former means that we use the luks functionality of cryptsetup, the
> +# latter means that we do it the old-fashioned way.
> +
> +# Start by parsing some options, all options are relevant to regular
> cryptsetup
> +# but only cryptnode is relevant to luks which picks up the rest of the
> +# parameters by reading the partition header
> +cryptcipher=aes-cbc-essiv:sha256
> +cryptsize=256
> +crypthash=sha256
> +cryptnode=cryptroot
> +if [ -n "$cryptopts" ]; then
> + IFS=" ,"
> + for x in $cryptopts; do
> + case $x in
> + hash=*)
> + crypthash=${x#hash=}
> + ;;
> + size=*)
> + cryptsize=${x#size=}
> + ;;
> + cipher=*)
> + cryptcipher=${x#cipher=}
> + ;;
> + node=*)
> + cryptnode=${x#node=}
> + ;;
> + esac
> + done
> + unset IFS
> +fi
> +NEWROOT="/dev/mapper/$cryptnode"
> +
> +# Check which cryptosolution we want
> +if [ "$FSTYPE" = "luks" ]; then
we need to run fstype to know that.
> + # 1) The fstype of the root device has been identified as "luks"
> + cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
> + cryptremove=""
> +else
> + # 2) The fstype is not "luks" but cryptopts has been set
> + cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h
> $crypthash create $cryptnode $ROOT"
> + cryptremove="/sbin/cryptsetup remove $cryptnode"
> +fi
> +
> +# Loop until we have a satisfactory password
> +while [ 1 ]; do
> + if [ -x "/sbin/cryptgetpw" ]; then
> + /sbin/cryptgetpw | $cryptcreate
> + else
> + $cryptcreate
> + fi
> +
> + if [ $? -eq 0 ]; then
> + fstype < "$NEWROOT" > /dev/.initramfs/source.me
> + . /dev/.initramfs/source.me
> + if [ "$FSTYPE" != "unknown" ]; then
> + break
> + fi
> + fi
> +
> + echo "$0: cryptsetup failed or fstype not recognized, bad password or
> options?"
> + $cryptremove
> + sleep 3
> +done
hmm the loop broke out with me having typed in a bad password,
need to recheck that.
> +
> +# init can now pick up new FSTYPE, FSSIZE and ROOT
> +echo "ROOT=\"$NEWROOT\"" >> /dev/.initramfs/source.me
> +
> +exit 0
need to properly read the initrd-tools report about cryptoroot to know
what people wants and i guess we can get that working till that weekend.
i need to check the initrd-tools boot args too as cat /proc/cmdline
root=/dev/sda2 ro cryptopts=node=sda2
looks somehow ugly.
anyway thanks a lot for initial work.
--
maks
ps my quick trick to make the attached hook and the attached bootscript
working was this hack (which doesn't work of course with lvm and md):
--- initramfs-tools-a/scripts/local 2006-03-26 21:46:26.000000000 +0200
+++ initramfs-tools-b/scripts/local 2006-03-28 01:48:37.000000000 +0200
@@ -7,6 +7,8 @@
run_scripts /scripts/local-top
[ "$quiet" != "y" ] && log_end_msg
+ [ -e /conf/cryptoroot ] && . /conf/cryptoroot
+
# If the root device hasn't shown up yet, give it a little while
# to deal with removable devices
if [ ! -e "${ROOT}" ]; then
#!/bin/sh
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
if [ ! -x "/sbin/cryptsetup" ]; then
exit 0
fi
copy_exec /sbin/cryptsetup /sbin
for x in dm_mod dm_crypt aes sha256; do
manual_add_modules ${x}
done
exit 0
#!/bin/sh
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
prereqs
exit 0
;;
esac
# Sanity checks
if [ -z "$cryptopts" ]; then
# Apparently the root partition isn't encrypted
exit 0
elif [ ! -x "/sbin/cryptsetup" ]; then
echo "$0: no cryptsetup present"
exit 0
fi
# There are two possible scenarios here:
#
# 1) The fstype of the root device has been identified as "luks"
# 2) The fstype is not "luks" but cryptopts has been set
#
# The former means that we use the luks functionality of cryptsetup, the
# latter means that we do it the old-fashioned way.
# Start by parsing some options, all options are relevant to regular cryptsetup
# but only cryptnode is relevant to luks which picks up the rest of the
# parameters by reading the partition header
cryptcipher=aes-cbc-essiv:sha256
cryptsize=256
crypthash=sha256
cryptnode=cryptroot
if [ -n "$cryptopts" ]; then
IFS=" ,"
for x in $cryptopts; do
case $x in
hash=*)
crypthash=${x#hash=}
;;
size=*)
cryptsize=${x#size=}
;;
cipher=*)
cryptcipher=${x#cipher=}
;;
node=*)
cryptnode=${x#node=}
;;
esac
done
unset IFS
fi
NEWROOT="/dev/mapper/$cryptnode"
modprobe -q dm-mod
# Check which cryptosolution we want
fstype < "$ROOT"
if [ "$FSTYPE" = "luks" ]; then
cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
cryptremove=""
else
cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h
$crypthash create $cryptnode $ROOT"
cryptremove="/sbin/cryptsetup remove $cryptnode"
fi
# Loop until we have a satisfactory password
while [ 1 ]; do
# FIXME: we want other input devices too
$cryptcreate
if [ $? -eq 0 ]; then
fstype < "$NEWROOT"
if [ "$FSTYPE" != "unknown" ]; then
break
fi
fi
echo "$0: cryptsetup failed or fstype not recognized, bad password or
options?"
$cryptremove
sleep 3
done
echo "ROOT=\"$NEWROOT\"" > /conf/cryptoroot
exit 0
