Ben Hutchings wrote:
> (...)
> ...which is a linear mapping, not encrypted.
>
> However, that in turn depends on 253:9, which is sda8_crypt.
>
> So it looks like this script needs to keep following dependencies until
> it finds a non-mapped device or encrypted mapping, rather than just
> looking at the first level as it does now.
>
Ok, so I've taken a stab at debugging this thing and got it to work; see
the attached patches; some of them also contain changes which I needed
to be able to run the script with set -eu. I think it would make sense
to apply these, too, so I'm attaching them as well. I'm not squashing
together the patches 1 and 5, and patches 6 and 8, since I think it may
show the difficulties more clearly.
You can get the same patches also from the git repository at:
http://christianjaeger.ch/dyn/pubgit/gitweb?p=cryptroot-debugging.git;a=summary
This git repository also contains my whole debugging history in the
"debugging" branch, in case you're interested in more details. (It also
contains a patch for usage under set -eu to the hook-functions file from
the initramfs-tools.)
Christian.
From 030d49bbacadc03ef604478be7d0582bd2703cf7 Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 23:04:43 +0100
Subject: [PATCH] Fix: recurse for non crypt nodes
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index cc0bd24..51ca537 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -142,7 +142,8 @@ get_lvm_deps() {
continue
fi
if [ "$(dmsetup table $depnode 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then
- continue
+ get_lvm_deps $depnode # no quoting here as above there isn't either, and it contains appended whitespace
+ # continue or not?
fi
echo "$depnode"
done
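Review bot: in the non-crypt branch, the code after the recursive get_lvm_deps $depnode call falls through to echo "$depnode", so the intermediate non-crypt mapping is printed together with whatever the recursion found, and the "# continue or not?" comment leaves that open. Keep the continue after the recursive call and drop the question comment. The unquoted $depnode, here and in dmsetup table $depnode, is subject to word splitting and globbing; stripping the appended whitespace once and quoting both uses would be safer than relying on splitting to remove it.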
--
1.6.0.5
From 9890015baef3b353f143f4fddde7510eed89540d Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 23:07:07 +0100
Subject: [PATCH] Fix: quote parameters to get_device_opts
Or, when using set -eu, get_device_opts would stop with
$2: unbound variable
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 51ca537..815b133 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -348,7 +348,7 @@ add_device() {
fi
# Get crypttab root options
- if ! get_device_opts $node $opts; then
+ if ! get_device_opts "$node" "$opts"; then
continue
fi
echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot"
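Review bot: with "$opts" quoted on the get_device_opts line, an $opts that expands to nothing now reaches the function as an empty second argument instead of no argument, so get_device_opts has to treat an empty $2 as "no extra options"; the hunk does not show that handling, please confirm it. The quoting itself is right. The commit message could also state that the unbound-variable failure only shows up when $opts expands to nothing.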
--
1.6.0.5
From 6c6213edc0bde1bedcc4b364b7befcb156a220e4 Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 23:11:06 +0100
Subject: [PATCH] Fix: initialize HASH_FOUND and LUKS_FOUND to ""
Instead of unset'ing them, which would make things fail with set -eu.
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 815b133..9e25d09 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -200,8 +200,8 @@ get_device_opts() {
# We have all the basic options, let's go trough them
OPTIONS="target=$target,source=$source,key=$key"
local IFS=", "
- unset HASH_FOUND
- unset LUKS_FOUND
+ HASH_FOUND=""
+ LUKS_FOUND=""
for opt in $rootopts; do
case $opt in
cipher=*)
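Review bot: HASH_FOUND="" and LUKS_FOUND="" change the two flags from unset to set-but-empty, so any later check that depends on whether they are set rather than on whether they are empty would now behave differently; those checks are outside this hunk, please confirm they all use -z or -n on the quoted value. Since IFS is already declared local two lines above, consider declaring both flags local as well if nothing outside get_device_opts reads them.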
--
1.6.0.5
From e13108d4be405bfd6fba91ddd0832e446a8e6dde Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 23:15:38 +0100
Subject: [PATCH] Fix?: mkdir -p "$DESTDIR/conf/conf.d"
Note that this seems only to be needed because I'm testing with the
cryptroot script alone, possibly in real usage this directory already
exists?
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 9e25d09..096c5bb 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -351,6 +351,7 @@ add_device() {
if ! get_device_opts "$node" "$opts"; then
continue
fi
+ mkdir -p "$DESTDIR/conf/conf.d"
echo "$OPTIONS" >> "$DESTDIR/conf/conf.d/cryptroot"
# If we have a keyscript, make sure it is included
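Review bot: the added mkdir -p "$DESTDIR/conf/conf.d" sits inside the loop body (the continue two lines above shows it), so it runs once per node; create the directory once before the loop instead. The commit message itself asks whether the directory already exists in real usage, so settle that before merging: if initramfs-tools creates it, this line is only needed for the stand-alone test setup and should stay out of the hook.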
--
1.6.0.5
From 1f881a48e173968cbd83892808b7992bd4d765ab Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 23:24:40 +0100
Subject: [PATCH] Need to still 'continue' (meaning, stop looping) after recursion (?)
I'm not sure why, but otherwise, we get this:
++ for node in '$nodes'
++ '[' 2 -eq 2 ']'
++ '[' -z '' ']'
++ opts=lvm=main-root
++ get_device_opts main-root-real lvm=main-root
++ local target source link extraopts rootopts opt
++ target=main-root-real
++ extraopts=lvm=main-root
++ KEYSCRIPT=
++ OPTIONS=
++ '[' -z main-root-real ']'
+++ grep '^main-root-real' /etc/crypttab
+++ head -1
+++ sed 's/[[:space:]]\+/ /g'
++ opt=
+++ echo
+++ cut -d ' ' -f2
++ source=
+++ echo
+++ cut -d ' ' -f3
++ key=
+++ echo
+++ cut -d ' ' -f4-
++ rootopts=
++ '[' -z '' ']'
++ echo 'cryptsetup: WARNING: invalid line in /etc/crypttab - '
cryptsetup: WARNING: invalid line in /etc/crypttab -
++ return 1
++ continue
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 096c5bb..f8b197e 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -143,7 +143,7 @@ get_lvm_deps() {
fi
if [ "$(dmsetup table $depnode 2> /dev/null | cut -d' ' -f3)" != "crypt" ]; then
get_lvm_deps $depnode # no quoting here as above there isn't either, and it contains appended whitespace
- # continue or not?
+ continue
fi
echo "$depnode"
done
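Review bot: the reason for the restored continue is missing from the commit message, and the subject's "stop looping" is inaccurate, since continue only skips to the next $depnode. Without it the non-crypt branch falls through to echo "$depnode", which is consistent with the trace in the message, where main-root-real is handed to get_device_opts and not found in /etc/crypttab. Please state that in the message, and squash this into the earlier recursion patch before merging so that no intermediate commit emits non-crypt nodes.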
--
1.6.0.5
From 8dabdde5608fb43430a3d0ec6a2d402f81f5bbd7 Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 23:55:54 +0100
Subject: [PATCH] Fix attempt: search in kernel/drivers/ too
But as long as mod is 'dm_mod' and the kernel (2.6.27.7 in my case)
provides dm-mod, it still won't be found.
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index f8b197e..3243ebd 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -413,6 +413,15 @@ add_crypto_modules() {
found="yes"
done
+ if [ -z "$found" ]; then
+ for file in $(find "$MODULESDIR/kernel/drivers/" -name "$mod-*.ko"); do
+ altmod="${file##*/}"
+ altmod="${altmod%.ko}"
+ manual_add_modules "$altmod"
+ found="yes"
+ done
+ fi
+
for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko"); do
altmod="${file##*/}"
altmod="${altmod%.ko}"
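Review bot: the -name "$mod-*.ko" pattern in the new kernel/drivers/ loop only matches files that have a "-suffix" after the module name, so a module whose file is exactly $mod.ko is never found, and every driver that merely shares the prefix is added. The for file in $(find ...) form also word-splits the find output and passes any glob characters in $mod through to find. Match the exact name first, write ${mod} with braces as the _generic loop below does, and document why the whole drivers tree needs to be searched.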
--
1.6.0.5
From a26bef986721585b9affd5ffe73d8940fe4e0808 Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Thu, 11 Dec 2008 00:02:11 +0100
Subject: [PATCH] Fix attempt: tr _ - in the module name and try again
But it still doesn't work (yet)
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 3243ebd..1e30b50 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -440,7 +440,12 @@ add_crypto_modules() {
fi
if [ -z "$found" ]; then
- return 1
+ if echo "$mod"|grep -q _; then
+ add_crypto_modules "$(echo "$mod"|tr _ -)"
+ return $?
+ else
+ return 1
+ fi
fi
return 0
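Review bot: under set -e, which this series is meant to support, a failing recursive add_crypto_modules call on the line before return $? can abort the script before the return is reached, unless every caller tests the function's status. Writing the call as add_crypto_modules "$(echo "$mod"|tr _ -)" || return 1 and letting the success case fall through to the existing return 0 avoids that. The echo "$mod"|grep -q _ test can be a case "$mod" in *_*) pattern, which needs no extra processes. The recursion does terminate, since the translated name contains no underscore, but a short comment saying so would help.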
--
1.6.0.5
From 3688373eeea018c7b0d240b705c874793b6136cb Mon Sep 17 00:00:00 2001
Message-Id: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
From: Christian Jaeger <[EMAIL PROTECTED]>
Date: Thu, 11 Dec 2008 00:05:24 +0100
Subject: [PATCH] Fix fix: search these without -* appendix.
Still, I don't know whether this is the proper solution. But at least
it works for me.
Signed-off-by: Christian Jaeger <[EMAIL PROTECTED]>
---
debian/initramfs/cryptroot-hook | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 1e30b50..263edf4 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -414,7 +414,7 @@ add_crypto_modules() {
done
if [ -z "$found" ]; then
- for file in $(find "$MODULESDIR/kernel/drivers/" -name "$mod-*.ko"); do
+ for file in $(find "$MODULESDIR/kernel/drivers/" -name "${mod}.ko"); do
altmod="${file##*/}"
altmod="${altmod%.ko}"
manual_add_modules "$altmod"
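Review bot: with the exact -name "${mod}.ko" match, altmod in the loop body is always equal to $mod, so the two altmod lines are redundant and the loop reduces to "if find reports a hit, manual_add_modules "$mod"". For the dm_mod case from the earlier commit message this lookup only succeeds on the retry with the underscore translated to a hyphen, and that dependency on the previous patch should be stated in the message. Squash this with the patch that introduced the loop so the "$mod-*.ko" form never lands.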
--
1.6.0.5
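
The dependency walk Ben Hutchings describes at the top of this message, as an added example that is not part of the original mail or of the cryptsetup package: non-crypt mappings are followed down until a crypt target or a non-mapped device is reached. The DM_TABLE data and the dm_field and crypt_deps names are constructed for illustration, and no real dmsetup is called.

```shell
#!/bin/sh
# Constructed device-mapper layout: name:target type:dependencies.
# Names that do not appear in column 1 (sda8, sdb1, sdb2) are plain devices.
DM_TABLE='main-root:linear:main-root-real
main-root-real:linear:sda8_crypt
main-data:linear:sda8_crypt sdb2_crypt
sda8_crypt:crypt:sda8
sdb2_crypt:crypt:sdb2
plain-lv:linear:sdb1'

# Hypothetical helper standing in for "dmsetup table" / "dmsetup deps":
# dm_field NAME FIELDNO prints that field, or nothing if NAME is not mapped.
dm_field() {
    printf '%s\n' "$DM_TABLE" |
        awk -F: -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# Print every crypt mapping NODE depends on, at any depth.
crypt_deps() {
    node=$1
    kind=$(dm_field "$node" 2)
    case $kind in
        '')    return 0 ;;                          # non-mapped device: stop
        crypt) printf '%s\n' "$node"; return 0 ;;   # encrypted mapping: report, stop
    esac
    # Non-crypt mapping: do not report it, descend into its dependencies.
    for dep in $(dm_field "$node" 3); do
        # The subshell keeps this level's variables intact during recursion.
        ( crypt_deps "$dep" )
    done
}

crypt_deps main-root   # prints sda8_crypt
```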