Here is version 3 of the patch:

 - Some documentation (NEWS.Debian and README.Debian)

   still TODO: full example on how to set up an encrypted root system

 - Minor code cleanup (unused function removed)

Again, cumulative and incremental patch attached.

-- 
Lionel
diff -u loop-aes-utils-2.12r/debian/initramfs-tools-script 
loop-aes-utils-2.12r/debian/initramfs-tools-script
--- loop-aes-utils-2.12r/debian/initramfs-tools-script
+++ loop-aes-utils-2.12r/debian/initramfs-tools-script
@@ -19,18 +19,6 @@
 #
 # Helper functions
 #
-get_root_device() {
-    [ -r /etc/fstab ] || return
-
-    grep '^[^#]' /etc/fstab | ( \
-       while read dev mount type options dump pass; do
-           if [ "$mount" = "/" ]; then
-               echo "rootdev=\"${dev}\" rootoptions=\"${options}\""
-               return
-           fi
-       done )
-}
-
 decode_cipher() {
     local cipher
 
only in patch2:
unchanged:
--- loop-aes-utils-2.12r/debian/README
+++ loop-aes-utils-2.12r/debian/README
@@ -26 +26,38 @@
- -- Max Vozeler <[EMAIL PROTECTED]>
+Encrypted root fs
+-----------------
+
+  This package integrates with initramfs-tools so that an initramfs
+  created with initramfs-tools will be able to handle a root fs on an
+  encrypted (or not) loop device.
+
+  This support is automatically enabled at initramfs creation time
+  when your root device in /etc/fstab has a "loop=/dev/loopN"
+  option. You can also force it on by setting the environmental
+  variable INITRAMFS_LOOPAES to "1", "yes" or "on"; you can force it
+  off by setting INITRAMFS_LOOPAES to "0", "no" or
+  "off". INITRAMFS_LOOPAES can be set in the shell calling mkinitramfs
+  or in /etc/initramfs-tools/initramfs.conf .
+
+  When support is forced on, support for all ciphers is included; when
+  automatically enabled, only the necessary cipher module is included
+  in the initramfs.
+
+  The entry for the root fs in /etc/fstab should look like:
+  /dev/hda5    /       ext3    
loop=/dev/loop5,encryption=AES,gpgkey=/root/keys/loopaes.gpg    0       0
+  not
+  /dev/loop5   /       ext3    defaults        0       0
+
+  If the options include a "gpghome=" and/or a "gpgkey=", these will
+  be copied into the initramfs, to /keys/rootkeyfile.gpg and /.gnupg,
+  respectively; if you supply a "gpghome=" option, it is recommended
+  that it point towards a specially prepared minimal directory rather
+  than your usual "~/.gnupg/".
+
+  You can override the loop and crypto related options of /etc/fstab
+  at boot time by setting the kernel command-line "loopaesopts="
+  option from your boot leader. The syntax is the same as in the
+  options column of /etc/fstab. Any file path will be interpreted in
+  the initramfs, obviously. For example:
+  "loopaesopts=loop=/dev/loop5,encryption=AES,gpgkey=/keys/rootkeyfile.gpg"
+
+ -- Max Vozeler <[EMAIL PROTECTED]> and Lionel Elie Mamane <[EMAIL PROTECTED]>
only in patch2:
unchanged:
--- loop-aes-utils-2.12r.orig/debian/NEWS.Debian
+++ loop-aes-utils-2.12r/debian/NEWS.Debian
@@ -0,0 +1,12 @@
+loop-aes-utils (2.12r-12) unstable; urgency=low
+
+  * This version includes support for root on loop-aes encrypted
+    device when using an initramfs-tools generated initramfs.
+
+    If you had a working loop-aes encrypted root and you are using
+    initramfs-tools, this support may interfere and cause initramfs-tools
+    to produce an initramfs that will not boot your system. See
+    /usr/share/doc/loop-aes-utils/README.Debian.gz for details.
+
+ -- Lionel Elie Mamane <[EMAIL PROTECTED]>  Sun,  6 Aug 2006 15:20:24 +0200
+
diff -u loop-aes-utils-2.12r/debian/changelog 
loop-aes-utils-2.12r/debian/changelog
--- loop-aes-utils-2.12r/debian/changelog
+++ loop-aes-utils-2.12r/debian/changelog
@@ -1,3 +1,10 @@
+loop-aes-utils (2.12r-11.0) unstable; urgency=low
+
+  * Integrate with initramfs-tools for root fs on loop/loopaes device
+    (version 2 of integration).
+
+ -- Lionel Elie Mamane <[EMAIL PROTECTED]>  Tue, 25 Jul 2006 19:07:49 +0200
+
 loop-aes-utils (2.12r-11) unstable; urgency=low
 
   * Sync with util-linux 2.12r-10
diff -u loop-aes-utils-2.12r/debian/rules loop-aes-utils-2.12r/debian/rules
--- loop-aes-utils-2.12r/debian/rules
+++ loop-aes-utils-2.12r/debian/rules
@@ -64,7 +64,9 @@
        install -m 755 mount/losetup $(DIR_UDEB)/sbin/losetup-aes
        install -m 755 mount/swapon $(DIR_UDEB)/sbin/swapon-aes
        install -m 755 debian/loop-aes-keygen $(DIR_UDEB)/bin
-
+       # initramsfs-tools integration
+       install -m 755 debian/initramfs-tools-script 
$(DIR)/usr/share/initramfs-tools/scripts/local-top/loopaes
+       install -m 755 debian/initramfs-tools-hook 
$(DIR)/usr/share/initramfs-tools/hooks/loopaes
 
 binary-indep: build install
 
diff -u loop-aes-utils-2.12r/debian/README loop-aes-utils-2.12r/debian/README
--- loop-aes-utils-2.12r/debian/README
+++ loop-aes-utils-2.12r/debian/README
@@ -26 +26,38 @@
- -- Max Vozeler <[EMAIL PROTECTED]>
+Encrypted root fs
+-----------------
+
+  This package integrates with initramfs-tools so that an initramfs
+  created with initramfs-tools will be able to handle a root fs on an
+  encrypted (or not) loop device.
+
+  This support is automatically enabled at initramfs creation time
+  when your root device in /etc/fstab has a "loop=/dev/loopN"
+  option. You can also force it on by setting the environmental
+  variable INITRAMFS_LOOPAES to "1", "yes" or "on"; you can force it
+  off by setting INITRAMFS_LOOPAES to "0", "no" or
+  "off". INITRAMFS_LOOPAES can be set in the shell calling mkinitramfs
+  or in /etc/initramfs-tools/initramfs.conf .
+
+  When support is forced on, support for all ciphers is included; when
+  automatically enabled, only the necessary cipher module is included
+  in the initramfs.
+
+  The entry for the root fs in /etc/fstab should look like:
+  /dev/hda5    /       ext3    
loop=/dev/loop5,encryption=AES,gpgkey=/root/keys/loopaes.gpg    0       0
+  not
+  /dev/loop5   /       ext3    defaults        0       0
+
+  If the options include a "gpghome=" and/or a "gpgkey=", these will
+  be copied into the initramfs, to /keys/rootkeyfile.gpg and /.gnupg,
+  respectively; if you supply a "gpghome=" option, it is recommended
+  that it point towards a specially prepared minimal directory rather
+  than your usual "~/.gnupg/".
+
+  You can override the loop and crypto related options of /etc/fstab
+  at boot time by setting the kernel command-line "loopaesopts="
+  option from your boot leader. The syntax is the same as in the
+  options column of /etc/fstab. Any file path will be interpreted in
+  the initramfs, obviously. For example:
+  "loopaesopts=loop=/dev/loop5,encryption=AES,gpgkey=/keys/rootkeyfile.gpg"
+
+ -- Max Vozeler <[EMAIL PROTECTED]> and Lionel Elie Mamane <[EMAIL PROTECTED]>
diff -u loop-aes-utils-2.12r/debian/loop-aes-utils.dirs 
loop-aes-utils-2.12r/debian/loop-aes-utils.dirs
--- loop-aes-utils-2.12r/debian/loop-aes-utils.dirs
+++ loop-aes-utils-2.12r/debian/loop-aes-utils.dirs
@@ -7,0 +8,2 @@
+/usr/share/initramfs-tools/scripts/local-top
+/usr/share/initramfs-tools/hooks
only in patch2:
unchanged:
--- loop-aes-utils-2.12r.orig/debian/initramfs-tools-hook
+++ loop-aes-utils-2.12r/debian/initramfs-tools-hook
@@ -0,0 +1,170 @@
+#!/bin/sh
+
+set -e
+
+PREREQ=""
+
+prereqs()
+{
+       echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+#Check whether loop-aes support is forced on or off
+case "${INITRAMFS_LOOPAES}" in
+    0|no|off)
+       exit 0
+       ;;
+    1|yes|on)
+       FORCE_LOOPAES=1
+       ;;
+    auto|)
+       ;;
+    *)
+       echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value 
${INITRAMFS_LOOPAES}" 1>&2
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+exit_unless_forced() {
+    if [ -z "${FORCE_LOOPAES}" ]; then
+       exit $1
+    fi
+}
+
+get_root_device() {
+    [ -r /etc/fstab ] || return
+
+    grep '^[^#]' /etc/fstab | ( \
+       while read dev mount type options dump pass; do
+           if [ "$mount" = "/" ]; then
+               echo "rootdev=\"${dev}\" rootoptions=\"${options}\""
+               return
+           fi
+       done )
+}
+
+decode_cipher() {
+    local cipher
+
+    case "$1" in
+       twofish*)
+           echo twofish
+           ;;
+       blowfish*)
+           echo blowfish
+           ;;
+       serpent*)
+           echo serpent
+           ;;
+       mars*|rc6*|tripleDES)
+           echo "WARNING| (loop-aes) Don't know how to handle encryption type 
$1" 1>&2
+           ;;
+       NONE|XOR|AES*)
+           ;;
+       *)
+           echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
+           ;;
+    esac
+}
+
+iterate_cipher_module() {
+    local cipher
+    local IFS=":"
+    for cipher in $2; do
+       $1 "loop_${cipher}"
+    done
+}
+
+get_root_opts() {
+    local opt cipher
+    local IFS=", "
+    for opt in $rootoptions; do
+       case "$opt" in
+           encryption=*)
+               cipher="$(decode_cipher \"${opt#encryption=}\")"
+               if [ -n "$cipher" ]; then
+                   
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
+               fi
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           offset=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           sizelimit=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           pseed=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           phash=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           loinit=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           itercountk=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           gpgkey=*)
+               rootgpgkey=${opt#gpgkey=}
+               ;;
+           gpghome=*)
+               rootgpghome=${opt#gpghome=}
+               ;;
+           loop=*)
+               rootloop=${opt#loop=}
+               ;;
+           *)
+               # Presumably a non-supported or filesystem option
+               ;;
+       esac
+    done
+}
+
+# Find out which device root is on
+eval $(get_root_device)
+[ -z "${rootdev}" ] && exit_unless_forced 0
+# We now have set: rootdev rootoptions
+
+get_root_opts
+[ -z "${rootloop}" ] && exit_unless_forced 0
+loopaes_opts="${loopaes_opts},loop=${rootloop}"
+
+# Prepare the initramfs
+if [ -n "${rootgpgkey}" ]; then
+    mkdir ${DESTDIR}/keys/
+    cp "${rootgpgkey}" ${DESTDIR}/keys/rootkeyfile.gpg
+    copy_exec /usr/bin/gpg /bin/
+    loopaes_opts="${loopaes_opts},gpgkey=/keys/rootkeyfile.gpg"
+fi
+
+if [ -n "${rootgpghome}" ]; then
+    cp -R "${rootgpghome}" ${DESTDIR}/.gnupg
+else
+    mkdir ${DESTDIR}/.gnupg/
+fi
+loopaes_opts="${loopaes_opts},gpghome=/.gnupg"
+
+echo "LOOPAESOPTS=\"$loopaes_opts\"" > ${DESTDIR}/conf/conf.d/loopaes
+copy_exec /sbin/losetup /sbin/
+# Allow the correct keymap to be loaded if possible
+if [ -e /bin/loadkeys -a -r /etc/console/boottime.kmap.gz ]; then
+       copy_exec /bin/loadkeys /bin/
+       cp /etc/console/boottime.kmap.gz $DESTDIR/etc/
+fi
+manual_add_modules loop
+if [ -z "${FORCE_LOOPAES}" ]; then
+    iterate_cipher_module "manual_add_modules" "$rootencryption"
+else
+    iterate_cipher_module "manual_add_modules" "serpent:blowfish:twofish"
+fi
+
+# Done
+exit 0
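Review bot: In get_root_opts, `cipher="$(decode_cipher \"${opt#encryption=}\")"` passes the value with literal double-quote characters, because inside `$(...)` the `\"` is an escaped quote rather than a quoting character. decode_cipher then receives something like `"twofish128"` (constructed example) including the quotes, so none of the `twofish*`, `blowfish*` or `serpent*` patterns match and it falls through to the "Unknown encryption type" warning. In automatic mode `rootencryption` therefore stays empty and no `loop_<cipher>` module is added to the initramfs, which would presumably leave a root encrypted with one of those ciphers unable to boot. Use `cipher="$(decode_cipher "${opt#encryption=}")"`; the same line appears in get_options in debian/initramfs-tools-script and needs the same change.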
only in patch2:
unchanged:
--- loop-aes-utils-2.12r.orig/debian/initramfs-tools-script
+++ loop-aes-utils-2.12r/debian/initramfs-tools-script
@@ -0,0 +1,161 @@
+#!/bin/sh
+
+#
+# Standard initramfs preamble
+#
+prereqs()
+{
+    echo ""
+}
+
+case $1 in
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+
+#
+# Helper functions
+#
+decode_cipher() {
+    local cipher
+
+    case "$1" in
+       twofish*)
+           echo twofish
+           ;;
+       blowfish*)
+           echo blowfish
+           ;;
+       serpent*)
+           echo serpent
+           ;;
+       mars*|rc6*|tripleDES)
+           echo "WARNING| (loop-aes) Don't know how to handle encryption type 
$1" 1>&2
+           ;;
+       NONE|XOR|AES*)
+           ;;
+       *)
+           echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
+           ;;
+    esac
+}
+
+iterate_cipher_module() {
+    local cipher
+    local IFS=":"
+    for cipher in $2; do
+       $1 "loop_${cipher}"
+    done
+}
+
+get_options()
+{
+       # Do we have any settings from the /conf/conf.d/cryptroot file?
+       [ -r /conf/conf.d/loopaes ] && . /conf/conf.d/loopaes
+       loopaes_opts="${LOOPAESOPTS}"
+
+       # Does the kernel boot command line override them?
+       for x in $(cat /proc/cmdline); do
+               case $x in
+               loopaesopts=*)
+                       loopaes_opts=${x#loopaesopts=}
+                       ;;
+               esac
+       done
+
+       # Sanity check
+       if [ -z "${loopaes_opts}" ]; then
+               # Apparently the root partition isn't encrypted
+               echo "No root-on-loop configured, skipping"
+               exit 0
+       fi
+
+    local opt cipher
+    local IFS=", "
+    for opt in $loopaes_opts; do
+       case $opt in
+           encryption=*)
+               cipher="$(decode_cipher \"${opt#encryption=}\")"
+               if [ -n "$cipher" ]; then
+                   
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
+               fi
+               losetup_opts="${losetup_opts} -e ${opt#encryption=}"
+               ;;
+           offset=*)
+               losetup_opts="${losetup_opts} -o ${opt#offset=}"
+               ;;
+           sizelimit=*)
+               losetup_opts="${losetup_opts} -s ${opt#sizelimit=}"
+               ;;
+           pseed=*)
+               losetup_opts="${losetup_opts} -S ${opt#pseed=}"
+               ;;
+           phash=*)
+               losetup_opts="${losetup_opts} -H ${opt#phash=}"
+               ;;
+           loinit=*)
+               losetup_opts="${losetup_opts} -I ${opt#loinit=}"
+               ;;
+           itercountk=*)
+               losetup_opts="${losetup_opts} -C ${opt#itercountk=}"
+               ;;
+           gpgkey=*)
+               losetup_opts="${losetup_opts} -K ${opt#gpgkey=}"
+               ;;
+           gpghome=*)
+               rootgpghome=${opt#gpghome=}
+               ;;
+           loop=*)
+               rootloop=${opt#loop=}
+               ;;
+           *)
+               # Presumably a non-supported or filesystem option
+               ;;
+       esac
+    done
+}
+
+load_keymap()
+{
+       if [ -x /bin/loadkeys -a -r /etc/boottime.kmap.gz ]; then
+               loadkeys -q /etc/boottime.kmap.gz
+       fi
+}
+
+#
+# Begin real processing
+#
+
+# define crypto variables
+get_options
+
+if [ -z "${rootgpghome}" ]; then
+    rootgpghome=/.gnupg
+fi
+losetup_opts="${losetup_opts} -G ${rootgpghome}"
+
+if [ -z "${rootloop}" ]; then
+    echo "root on loop enabled, but not loop device given"
+    exit 1
+fi
+
+modprobe -q loop
+iterate_cipher_module "modprobe -q" "$rootencryption"
+while ! [ -b "${rootloop}" ]; do
+      sleep 1
+done
+
+# If possible, load the keymap so that the user can input non-en characters
+load_keymap
+
+# Use /sbin/losetup to make sure that we get the loopaes modified one,
+# not the busybox one.
+/sbin/losetup ${losetup_opts} "${rootloop}" "$ROOT"
+
+# init can now pick up new FSTYPE, FSSIZE and ROOT
+echo "ROOT=\"${rootloop}\"" >> /conf/param.conf
+exit 0
+
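Review bot: The exit status of `/sbin/losetup ${losetup_opts} "${rootloop}" "$ROOT"` near the end of the script is never checked, and the script does not use `set -e`. If losetup fails (for example because key decryption fails), the script still appends `ROOT=` to /conf/param.conf and exits 0, so the failure presumably surfaces later as an unrelated mount error. Append `|| exit 1` to that call, or wrap it in a bounded retry. The preceding `while ! [ -b "${rootloop}" ]` loop likewise waits forever when the `loop=` value (from the config file or a `loopaesopts=` override) names a device that never appears; a retry counter with a timeout and an error message would make that case diagnosable. The comment in get_options also refers to /conf/conf.d/cryptroot while the code reads /conf/conf.d/loopaes.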
only in patch2:
unchanged:
--- loop-aes-utils-2.12r.orig/debian/NEWS.Debian
+++ loop-aes-utils-2.12r/debian/NEWS.Debian
@@ -0,0 +1,12 @@
+loop-aes-utils (2.12r-12) unstable; urgency=low
+
+  * This version includes support for root on loop-aes encrypted
+    device when using an initramfs-tools generated initramfs.
+
+    If you had a working loop-aes encrypted root and you are using
+    initramfs-tools, this support may interfere and cause initramfs-tools
+    to produce an initramfs that will not boot your system. See
+    /usr/share/doc/loop-aes-utils/README.Debian.gz for details.
+
+ -- Lionel Elie Mamane <[EMAIL PROTECTED]>  Sun,  6 Aug 2006 15:20:24 +0200
+
