From 8ac539106bded08446e309b9c20c44ce7f0f654e Mon Sep 17 00:00:00 2001 From: Andrew Gaffney Date: Sun, 23 Dec 2007 22:44:50 +0000 Subject: [PATCH] apply LUKS key patch from bug 162962 from Nelson Batalha git-svn-id: svn+ssh://svn.gentoo.org/var/svnroot/genkernel/trunk@573 67a159dc-881f-0410-a524-ba9dfbe2cb84 --- ChangeLog | 5 + generic/initrd.scripts | 427 ++++++++++++++++++++++++++--------------- generic/linuxrc | 102 +++++----- genkernel.8 | 20 ++ 4 files changed, 353 insertions(+), 201 deletions(-) diff --git a/ChangeLog b/ChangeLog index 82cbe81..1315bf1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,11 @@ # Copyright 2006-2007 Gentoo Foundation; Distributed under the GPL v2 # $Header: $ + 23 Dec 2007; Andrew Gaffney generic/initrd.scripts, + generic/linuxrc, genkernel.8: + apply LUKS key patch from bug 162962 from Nelson Batalha + + 14 Dec 2007; Andrew Gaffney generic/linuxrc: fix text bolding on serial console for bug 202266 thanks to Michael Hordijk diff --git a/generic/initrd.scripts b/generic/initrd.scripts index 1e3bf99..e6649b8 100644 --- a/generic/initrd.scripts +++ b/generic/initrd.scripts @@ -37,9 +37,9 @@ modules_load() { modules_scan() { local MODS - [ -d /etc/modules/${1} ] || touch /etc/modules/${1} + [ -d "/etc/modules/${1}" ] || touch /etc/modules/${1} - [ -f /etc/modules/${1} ] && MODS=`cat /etc/modules/${1}` + [ -f "/etc/modules/${1}" ] && MODS=`cat /etc/modules/${1}` for x in ${MODS} do MLOAD=`echo ${MLIST} | sed -e "s/.*${x}.*/${x}/"` @@ -63,82 +63,96 @@ modules_scan() { done } -findcdmount() { +uppercase(){ + # needs tr on busybox + echo $1 | tr 'a-z' 'A-Z' +} + + +findmediamount() { + # $1 = mount dir name / media name + # $2 = recognition file + # $3 = variable to have the device path + # $4 = directory before /mnt, like NEW_ROOT + # args remaining are possible devices + + local media=$1 recon=$2 vrbl=$3 + local mntdir="${4}/mnt/${media}" + shift 4 + + good_msg "Looking for the ${media}" ${CRYPT_SILENT} + if [ "$#" -gt "0" ] then + + [ ! -d "${mntdir}" ] && mkdir -p ${mntdir} 2>/dev/null >/dev/null + for x in $* do # Check for a block device to mount if [ -b "${x}" ] then - good_msg "Attempting to mount media:- ${x}" - if [ -z "${CDROOT_DEV}" ] - then - mount -r -t auto ${x} ${NEW_ROOT}/mnt/cdrom \ - > /dev/null 2>&1 + good_msg "Attempting to mount media:- ${x}" ${CRYPT_SILENT} + + if [ -n "${CDROOT_DEV}" -a \( ${media}="cdrom" \) ]; then + mount -r -t auto ${x} ${NEW_ROOT}/mnt/cdrom >/dev/null 2>&1 else - mount -r -t iso9660 ${x} ${NEW_ROOT}/mnt/cdrom \ - > /dev/null 2>&1 - fi + mount -r -t auto ${x} ${mntdir} >/dev/null 2>&1 + fi if [ "$?" = '0' ] then - # Check for a LiveCD - if [ -f ${NEW_ROOT}/mnt/cdrom/${SUBDIR}/livecd ] + # Check for the media + if [ -f "${mntdir}/${recon}" ] then - REAL_ROOT="${x}" + #set REAL_ROOT, CRYPT_ROOT_KEYDEV or whatever ${vrbl} is + eval ${vrbl}'='"${x}" + good_msg "Media found on ${x}" ${CRYPT_SILENT} break else - umount ${NEW_ROOT}/mnt/cdrom + umount ${mntdir} fi fi fi done - if [ "${REAL_ROOT}" != '' ] - then - good_msg "Media found on ${x}" - fi fi + + eval local result='$'${vrbl} + + [ -n "${result}" ] || bad_msg "Media not found" ${CRYPT_SILENT} } -findkeymount() { - if [ "$#" -gt "0" ] - then - for x in $* - do - # Check for a block device to mount - if [ -b "${x}" ] - then - if [ ${crypt_silent} = '' ] - then - good_msg "Attempting to mount key media:- ${x}" - fi +devicelist(){ + # Locate the cdrom device with our media on it. + # CDROM DEVICES + local DEVICES="/dev/cdroms/* /dev/ide/cd/* /dev/sr*" + # USB Keychain/Storage + DEVICES="$DEVICES /dev/sd*" + # IDE devices + DEVICES="$DEVICES /dev/hd*" + # USB using the USB Block Driver + DEVICES="$DEVICES /dev/ubd* /dev/ubd/*" + # iSeries devices + DEVICES="$DEVICES /dev/iseries/vcd*" + echo ${DEVICES} +} - mount -r -t auto ${x} ${NEW_ROOT}/mnt/keydev \ - > /dev/null 2>&1 - if [ "$?" = '0' ] - then - # Check for the key - if [ -e ${NEW_ROOT}/mnt/keydev/${LUKS_ROOT_KEY} ] - then - LUKS_ROOT_KEYDEV="${x}" - umount ${NEW_ROOT}/mnt/keydev - break - else - umount ${NEW_ROOT}/mnt/keydev - fi - fi - fi - done - if [ "${LUKS_ROOT_KEYDEV}" != '' ] - then - if [ ${crypt_silent} = '' ] - then - good_msg "Key media found on ${x}" - fi - fi - fi +bootstrapCD() { + + local DEVICES=`devicelist` + # The device was specified on the command line. Shold we even be doing a + # scan at this point? I think not. + [ -n "${CDROOT_DEV}" ] && DEVICES="$DEVICES ${CDROOT_DEV}" + + findmediamount "cdrom" "${SUBDIR}/livecd" "REAL_ROOT" "${NEW_ROOT}" ${DEVICES} } +bootstrapKey() { + # $1 = ROOT/SWAP + local KEYDEVS=`devicelist` + eval local keyloc='"${CRYPT_'${1}'_KEY}"' + + findmediamount "key" "${keyloc}" "CRYPT_${1}_KEYDEV" "" ${KEYDEVS} +} cache_cd_contents() { # Check loop file exists and cache to ramdisk if DO_cache is enabled @@ -328,24 +342,74 @@ test_success() { fi } -good_msg() { + +# msg functions arguments +# $1 string +# $2 hide flag + +good_msg() { msg_string=$1 msg_string="${msg_string:-...}" - echo -e "${GOOD}>>${NORMAL}${BOLD} ${msg_string} ${NORMAL}" + [ "$2" != 1 ] && echo -e "${GOOD}>>${NORMAL}${BOLD} ${msg_string} ${NORMAL}" } bad_msg() { msg_string=$1 msg_string="${msg_string:-...}" - splash 'verbose' > /dev/null & - echo -e "${BAD}!!${NORMAL}${BOLD} ${msg_string} ${NORMAL}" + if [ "$2" != 1 ] + then + splash 'verbose' > /dev/null & + echo -e "${BAD}!!${NORMAL}${BOLD} ${msg_string} ${NORMAL}" + fi } warn_msg() { msg_string=$1 msg_string="${msg_string:-...}" - echo -e "${WARN}**${NORMAL}${BOLD} ${msg_string} ${NORMAL}" -} + [ "$2" != 1 ] && echo -e "${WARN}**${NORMAL}${BOLD} ${msg_string} ${NORMAL}" +} + +crypt_filter() { + if [ ${CRYPT_SILENT} -eq 1 ] + then + eval $1 >/dev/null 2>/dev/null + else + eval $1 + fi +} + +whereis(){ + # $1 = variable whose value is the path (examples: "REAL_ROOT", "LUKS_KEYDEV") + # $2 = label + # $3 = optional explanations for failure + + eval local oldvalue='$'${1} + + [ \( $# != 2 \) -a \( $# != 3 \) ] && \ + bad_msg "Bad invocation of function whereis, please file a bug \ + report with this message" && exit 1 + [ -n "${3}" ] && local explnt=" or : ${3}" || local explnt="." + + bad_msg "Could not find the ${2} in ${oldvalue}${explnt}" + echo ' Please specify another value or: press Enter for the same, type "shell" for a shell, or "q" to skip...' + echo -n "${2}(${oldvalue}) :: " + read ${1} + case `eval echo '$'${1}` in + 'q') + eval ${1}'='${oldvalue} + warn_msg "Skipping step, this will likely cause a boot failure." + break + ;; + 'shell') + eval ${1}'='${oldvalue} + echo "To leave and try again just press +D" + run_shell + ;; + '') + eval ${1}'='${oldvalue} + ;; + esac +} bind_mount_dev() { # bind-mount /dev/ so that loop devices can be found @@ -354,14 +418,14 @@ bind_mount_dev() { start_dev_mgr() { # Check udev is available... - if [ "${KV_2_6_OR_GREATER}" -a ! "${USE_UDEV_NORMAL}" -eq '0' ] + if [ "${KV_2_6_OR_GREATER}" -a "${USE_UDEV_NORMAL}" != '0' ] then USE_UDEV_NORMAL=1 else USE_UDEV_NORMAL=0 fi - if [ "${USE_UDEV_NORMAL}" -eq '1' ] + if [ "${USE_UDEV_NORMAL}" = '1' ] then cd /sys [ "${DO_slowusb}" ] && sleep 10 @@ -378,42 +442,6 @@ start_dev_mgr() { fi } -bootstrapCD() { - # Locate the cdrom device with our media on it. - # CDROM DEVICES - DEVICES="/dev/cdroms/* /dev/ide/cd/* /dev/sr*" - # USB Keychain/Storage - DEVICES="$DEVICES /dev/sd*" - # IDE devices - DEVICES="$DEVICES /dev/hd*" - # USB using the USB Block Driver - DEVICES="$DEVICES /dev/ubd* /dev/ubd/*" - # iSeries devices - DEVICES="$DEVICES /dev/iseries/vcd*" - # The device was specified on the command line. Shold we even be doing a - # scan at this point? I think not. - [ -n "${CDROOT_DEV}" ] && DEVICES="$DEVICES ${CDROOT_DEV}" - - findcdmount $DEVICES -} - -bootstrapKey() { - # Locate the device with our key on it. - # USB Keychain/Storage - KEYDEVS="/dev/sd*" - # CDROM DEVICES - KEYDEVS="${KEYDEVS} /dev/cdroms/* /dev/ide/cd/* /dev/sr*" - # IDE devices - KEYDEVS="${KEYDEVS} /dev/hd*" - # USB using the USB Block Driver - KEYDEVS="${KEYDEVS} /dev/ubd* /dev/ubd/*" - # iSeries devices - KEYDEVS="${KEYDEVs} /dev/iseries/vcd*" - - findkeymount ${KEYDEVS} -} - - cmdline_hwopts() { # Scan CMDLINE for any "doscsi" or "noscsi"-type arguments @@ -510,7 +538,7 @@ setup_keymap() { chooseKeymap - [ "${DEVBIND}" -eq '1' ] && umount /dev + [ "${DEVBIND}" = '1' ] && umount /dev if [ -e /etc/sysconfig/keyboard -a "${CDROOT}" -eq '1' ] then @@ -611,7 +639,7 @@ startVolumes() { /sbin/mdadm --assemble fi - if [ "${USE_DMRAID_NORMAL}" -eq '1' ] + if [ "${USE_DMRAID_NORMAL}" = '1' ] then if [ -e '/sbin/dmraid' ] then @@ -625,7 +653,7 @@ startVolumes() { fi fi - if [ "${USE_LVM_NORMAL}" -eq '1' ] + if [ "${USE_LVM_NORMAL}" = '1' ] then if [ -e '/bin/vgscan' -a -e '/bin/vgchange' ] then @@ -641,7 +669,7 @@ startVolumes() { /bin/vgchange -ay --ignorelockingfailure 2>/dev/null # Disable EVMS since lvm is activated and they dont work together. - if [ "${USE_EVMS_NORMAL}" -eq '1' ] + if [ "${USE_EVMS_NORMAL}" = '1' ] then bad_msg "Disabling EVMS Support because LVM started" bad_msg "Do not add dolvm to the cmdline if this is not what you want" @@ -653,7 +681,7 @@ startVolumes() { fi fi - if [ "${USE_EVMS_NORMAL}" -eq '1' ] + if [ "${USE_EVMS_NORMAL}" = '1' ] then if [ -e '/sbin/evms_activate' ] then @@ -664,60 +692,142 @@ startVolumes() { } # Open a LUKS device -# $1 LUKS device -# $2 LUKS name +# It is either the root or a swap, other devices are supported in the scripts provided with sys-fs/cryptsetup-luks +# $1 - root/swap openLUKS() { - LUKS_DEVICE="$1" - LUKS_NAME="$2" - if [ -e /sbin/cryptsetup ] - then - while [ 1 ] - do - if [ "${LUKS_DEVICE}" = '' ] - then - # LUKS device could not be opened. Prompt user for device. - bad_msg "The LUKS ${LUKS_NAME} block device is not detected." - echo " Please specify a ${LUKS_NAME} LUKS device to open, "q" to skip, or "shell" for a shell..." - echo -n "LUKS ${LUKS_NAME}() :: " - read LUKS_DEVICE - continue - elif [ "${LUKS_DEVICE}" = 'shell' ] + # please use 'tr' and this line, or remove it + # eval local TYPE=`uppercase $1` + + case $1 in + root) + local TYPE=ROOT + ;; + swap) + local TYPE=SWAP + ;; + esac + + eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"' LUKS_NAME="$1" LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"' LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"' + local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0 + local mntkey="/mnt/key/" cryptsetup_options='' + + [ ! -e /sbin/cryptsetup ] && bad_msg "The initrd does not support LUKS" && exit 1 + while [ 1 ] + do + # if crypt_silent=1 and some error occurs, enter shell quietly + if [ \( ${CRYPT_SILENT} -eq 1 \) -a \( \( \( ${DEV_ERROR} -eq 1 \) -o \( ${KEY_ERROR} -eq 1 \) \) -o \( ${KEYDEV_ERROR} -eq 1 \) \) ] + then + run_shell + elif [ ${DEV_ERROR} -eq 1 ] + then + whereis "LUKS_DEVICE" "${LUKS_NAME}" + DEV_ERROR=0 + elif [ ${KEY_ERROR} -eq 1 ] + then + whereis "LUKS_KEY" "${LUKS_NAME} key" + KEY_ERROR=0 + elif [ ${KEYDEV_ERROR} -eq 1 ] + then + whereis "LUKS_KEYDEV" "${LUKS_NAME} key device" + KEYDEV_ERROR=0 + else + setup_md_device ${LUKS_DEVICE} + cryptsetup isLuks ${LUKS_DEVICE} + if [ ! "$?" -eq '0' ] then - run_shell - - LUKS_DEVICE='' + bad_msg "The LUKS device ${LUKS_DEVICE} does not contain a LUKS header" ${CRYPT_SILENT} + DEV_ERROR=1 continue - elif [ "${LUKS_DEVICE}" = 'q' ] - then - break else - setup_md_device ${LUKS_DEVICE} - if cryptsetup isLuks ${LUKS_DEVICE} + # Handle keys + if [ -n "${LUKS_KEY}" ] then - good_msg "Opening LUKS device ${LUKS_DEVICE}" - - cryptsetup luksOpen ${LUKS_DEVICE} ${LUKS_NAME} - if [ ! "$?" -eq '0' ] + if [ ! -e "${mntkey}${LUKS_KEY}" ] then - bad_msg "Failed open LUKS device ${LUKS_DEVICE}" - else - break + if [ -b "${LUKS_KEYDEV}" ] + then good_msg "Using key device ${LUKS_KEYDEV}." ${CRYPT_SILENT} + else + good_msg "Please insert removable device ${LUKS_KEYDEV} for ${LUKS_NAME}" ${CRYPT_SILENT} + # abort after 10 secs + local count=10 + while [ ${count} -gt 0 ] + do + count=$((count-1)) + sleep 1 + if [ -b "${LUKS_KEYDEV}" ] + then + good_msg "Removable device ${LUKS_KEYDEV} detected." ${CRYPT_SILENT} + break + fi + done + if [ ! -b "${LUKS_KEYDEV}" ] + then + eval CRYPT_${TYPE}_KEY=${LUKS_KEY} + bootstrapKey ${TYPE} + eval LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"' + if [ ! -b "${LUKS_KEYDEV}" ]; then + KEYDEV_ERROR=1 + bad_msg "Removable device ${LUKS_KEYDEV} not found." ${CRYPT_SILENT} + continue + fi + # continue otherwise will mount keydev which is mounted by bootstrap + continue + fi + fi + # At this point a device was recognized, now let's see if the key is there + [ ! -d "$mntkey" ] && mkdir -p ${mntkey} 2>/dev/null >/dev/null + + mount -n -o ro ${LUKS_KEYDEV} ${mntkey} >/dev/null 2>/dev/null + if [ "$?" != '0' ] + then + KEYDEV_ERROR=1 + bad_msg "Mounting of device ${LUKS_KEYDEV} failed." ${CRYPT_SILENT} + continue + else + good_msg "Removable device ${LUKS_KEYDEV} mounted." ${CRYPT_SILENT} + sleep 2 + # keyfile exists? + if [ ! -e "${mntkey}${LUKS_KEY}" ]; then + umount -n ${mntkey} 2>/dev/null >/dev/null + KEY_ERROR=1 + KEYDEV_ERROR=1 + bad_msg "Key {LUKS_KEY} on device ${LUKS_KEYDEV} not found." ${CRYPT_SILENT} + continue + fi + fi fi + # At this point a candidate key exists (either mounted before or not) + good_msg "${LUKS_KEY} on device ${LUKS_KEYDEV} found" ${CRYPT_SILENT} + cryptsetup_options="-d ${mntkey}${LUKS_KEY}" + fi + # At this point, keyfile or not, we're ready! + crypt_filter "cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}" + if [ $? -eq 0 ] + then + good_msg "LUKS device ${LUKS_DEVICE} opened" ${CRYPT_SILENT} + break else - bad_msg "The LUKS device ${LUKS_DEVICE} does not contain a LUKS header" + bad_msg "Failed to open LUKS device ${LUKS_DEVICE}" ${CRYPT_SILENT} + DEV_ERROR=1 + KEY_ERROR=1 + KEYDEV_ERROR=1 fi fi - LUKS_DEVICE='' - done - else - bad_msg "The initrd does not support LUKS" - fi + fi + done + umount ${mntkey} 2>/dev/null >/dev/null + rmdir -p ${mntkey} 2>/dev/null >/dev/null } startLUKS() { - if [ -n "${LUKS_ROOT}" ] - then - openLUKS "${LUKS_ROOT}" "root" + + # if key is set but key device isn't, find it + + [ -n "${CRYPT_ROOT_KEY}" ] && [ -z "${CRYPT_ROOT_KEYDEV}" ] \ + && sleep 6 && bootstrapKey "ROOT" + + if [ -n "${CRYPT_ROOT}" ]; then + openLUKS "root" if [ -n "${REAL_ROOT}" ] then # Rescan volumes @@ -726,10 +836,18 @@ startLUKS() { REAL_ROOT="/dev/mapper/root" fi fi - if [ -n "${LUKS_SWAP}" ] - then - openLUKS "${LUKS_SWAP}" "swap" - break + + # same for swap, but no need to sleep if root was unencrypted + [ -n "${CRYPT_SWAP_KEY}" ] && [ -z "${CRYPT_SWAP_KEYDEV}" ] \ + && { [ -z "${CRYPT_ROOT}" ] && sleep 6; bootstrapKey "SWAP"; } + + if [ -n "${CRYPT_SWAP}" ]; then + openLUKS "swap" + if [ -z "${REAL_RESUME}" ] + then + # Resume from swap as default + REAL_RESUME="/dev/mapper/swap" + fi fi } @@ -756,7 +874,7 @@ verbose_kmsg() { cdupdate() { - if [ "${CDROOT}" -eq '1' ] + if [ "${CDROOT}" = '1' ] then if [ -x /${NEW_ROOT}/mnt/cdrom/cdupdate.sh ] then @@ -802,7 +920,7 @@ rundebugshell() { } setup_unionfs() { - if [ "${USE_UNIONFS_NORMAL}" -eq '1' ] + if [ "${USE_UNIONFS_NORMAL}" = '1' ] then # Directory used for rw changes in union mount filesystem UNION=/union @@ -857,6 +975,13 @@ setup_unionfs() { fi } +swsusp_resume() { + ### determine swap resume partition + local device=$(ls -l "${REAL_RESUME}" | sed 's/\ */ /g' | cut -d \ -f 6-7 | sed 's/,\ */:/') + [ -f /sys/power/resume ] && echo "${device}" > /sys/power/resume + return 0 +} + tuxonice_resume() { [ -d /proc/suspend2 -o -d /sys/power/suspend2 -o -d /sys/power/tuxonice ] || return diff --git a/generic/linuxrc b/generic/linuxrc index c53976d..7cccb57 100644 --- a/generic/linuxrc +++ b/generic/linuxrc @@ -44,6 +44,7 @@ CMDLINE="`cat /proc/cmdline`" REAL_ROOT='' FAKE_ROOT='' REAL_ROOTFLAGS='' +CRYPT_SILENT=0 for x in ${CMDLINE} do case "${x}" in @@ -174,13 +175,31 @@ do NFSROOT=`parse_opt "${x}"` ;; crypt_root\=*) - LUKS_ROOT=`parse_opt "${x}"` + CRYPT_ROOT=`parse_opt "${x}"` ;; crypt_swap\=*) - LUKS_SWAP=`parse_opt "${x}"` + CRYPT_SWAP=`parse_opt "${x}"` ;; - crypt_silent\=*) - LUKS_SILENT=`parse_opt "${x}"` + root_key\=*) + CRYPT_ROOT_KEY=`parse_opt "${x}"` + ;; + root_keydev\=*) + CRYPT_ROOT_KEYDEV=`parse_opt "${x}"` + ;; + swap_key\=*) + CRYPT_SWAP_KEY=`parse_opt "${x}"` + ;; + swap_keydev\=*) + CRYPT_SWAP_KEYDEV=`parse_opt "${x}"` + ;; + real_resume\=*) + REAL_RESUME=`parse_opt "${x}"` + ;; + noresume) + NORESUME=1 + ;; + crypt_silent) + CRYPT_SILENT=1 ;; real_rootflags\=*) REAL_ROOTFLAGS=`parse_opt "${x}"` @@ -203,7 +222,7 @@ if [ -d '/lib/modules' ] then good_msg 'Loading modules' # Load appropriate kernel modules - if [ "${NODETECT}" -ne '1' ] + if [ "${NODETECT}" != '1' ] then for modules in $MY_HWOPTS do @@ -237,7 +256,7 @@ setup_md_device startVolumes # Initialize LUKS root device except for livecd's -if [ "${CDROOT}" -ne '1' ] +if [ "${CDROOT}" != 1 ] then startLUKS fi @@ -246,7 +265,7 @@ fi mkdir -p ${NEW_ROOT} setup_unionfs -if [ "${USE_UNIONFS_NORMAL}" -eq '1' ] +if [ "${USE_UNIONFS_NORMAL}" = '1' ] then CHROOT=${UNION} else @@ -256,17 +275,23 @@ fi # Run debug shell if requested rundebugshell -tuxonice_resume +if [ "${NORESUME}" != '1' ] +then + swsusp_resume +# suspend_resume +# suspend2_resume + tuxonice_resume +fi -if [ "${CDROOT}" -eq '1' ] +if [ "${CDROOT}" = '1' ] then - if [ ! "${USE_UNIONFS_NORMAL}" -eq '1' ] + if [ ! "${USE_UNIONFS_NORMAL}" = '1' ] then good_msg "Making tmpfs for ${NEW_ROOT}" mount -t tmpfs tmpfs ${NEW_ROOT} fi - for i in dev mnt mnt/cdrom mnt/livecd mnt/keydev tmp tmp/.initrd mnt/gentoo sys + for i in dev mnt mnt/cdrom mnt/livecd mnt/key tmp tmp/.initrd mnt/gentoo sys do mkdir -p ${NEW_ROOT}/$i chmod 755 ${NEW_ROOT}/$i @@ -357,31 +382,17 @@ do good_msg "Detected real_root=${ROOT_DEV}" REAL_ROOT="${ROOT_DEV}" else - bad_msg "Could not find root block device: ${REAL_ROOT}" - echo ' Please specify a device to boot, or "shell" for a shell...' - echo -n 'boot() :: ' - read REAL_ROOT + whereis "REAL_ROOT" "root block device" got_good_root=0 continue fi ;; esac - if [ "${REAL_ROOT}" = 'shell' ] - then - run_shell - - REAL_ROOT='' - got_good_root=0 - continue - - elif [ "${REAL_ROOT}" = '' ] + if [ "${REAL_ROOT}" = '' ] then # No REAL_ROOT determined/specified. Prompt user for root block device. - bad_msg "The root block device is unspecified or not detected." - echo ' Please specify a device to boot, or "shell" for a shell...' - echo -n 'boot() :: ' - read REAL_ROOT + whereis "REAL_ROOT" "root block device" got_good_root=0 # Check for a block device or /dev/nfs @@ -397,7 +408,7 @@ do done - if [ "${CDROOT}" -eq '1' -a "${got_good_root}" = '1' -a "${REAL_ROOT}" != "/dev/nfs" ] + if [ "${CDROOT}" = 1 -a "${got_good_root}" = '1' -a "${REAL_ROOT}" != "/dev/nfs" ] then # CD already mounted; no further checks necessary break @@ -441,7 +452,7 @@ done #verbose_kmsg -# If cdroot is set determine the looptype to boot +# If cd root is set determine the looptype to boot if [ "${CDROOT}" = '1' ] then good_msg 'Determining looptype ...' @@ -495,28 +506,19 @@ then fi cache_cd_contents - # If encrypted, find key and mount, otherwise mount as usual - if [ "${LUKS_ROOT}" != '' ] + if [ -n "${CRYPT_ROOT}" ] then - if [ "${LUKS_SILENT}" = '' ] - then - good_msg 'You booted an encrypted livecd' - fi - - LUKS_ROOT_KEY=$(head -n 1 ${NEW_ROOT}/mnt/cdrom/livecd) + good_msg 'You booted an encrypted livecd' ${CRYPT_SILENT} - if [ "${LUKS_ROOT_KEY}" ] - then - bootstrapKey - fi + CRYPT_ROOT_KEY=$(head -n 1 ${NEW_ROOT}/mnt/cdrom/livecd) losetup /dev/loop0 ${NEW_ROOT}/mnt/cdrom/${LOOPEXT}${LOOP} test_success 'Preparing loop filesystem' - LUKS_ROOT='/dev/loop0' + CRYPT_ROOT='/dev/loop0' startLUKS @@ -601,7 +603,7 @@ then # End cdrom looptype determination and mounting if necessary # - if [ "${USE_UNIONFS_NORMAL}" -eq '1' ] + if [ "${USE_UNIONFS_NORMAL}" = '1' ] then union_insert_dir ${UNION} ${NEW_ROOT}/${FS_LOCATION} @@ -627,7 +629,7 @@ then fi - if [ ! "${USE_UNIONFS_NORMAL}" -eq '1' ] + if [ "${USE_UNIONFS_NORMAL}" != '1' ] then good_msg "Copying read-write image contents to tmpfs" # Copy over stuff that should be writable @@ -695,7 +697,7 @@ then sleep 10 fi else - if [ "${USE_UNIONFS_NORMAL}" -eq '1' ] + if [ "${USE_UNIONFS_NORMAL}" = '1' ] then union_insert_dir ${UNION} ${NEW_ROOT} mkdir -p ${UNION}/tmp/.initrd @@ -717,7 +719,7 @@ verbose_kmsg # init scripts will be able to unmount it properly at next reboot # # Eventually, all "unions over /" mounts should go in that /.unions/ -if [ "${USE_UNIONFS_NORMAL}" -eq '1' ] +if [ "${USE_UNIONFS_NORMAL}" = '1' ] then mkdir -p /${CHROOT}/.unions/memory 2>/dev/null mount -o move /memory /${CHROOT}/.unions/memory || echo '*: Failed to move unionfs /memory into the system root!' @@ -737,12 +739,12 @@ then fi echo -ne "${BOLD}.${NORMAL}" - if /tmp/.initrd/bin/[ "${USE_DEVFS_NORMAL}" -eq '1' -a "${CDROOT}" -eq '0' ] + if /tmp/.initrd/bin/[ "${USE_DEVFS_NORMAL}" = '1' -a "${CDROOT}" = 0 ] then umount /tmp/.initrd/proc || echo '*: Failed to unmount the initrd /proc!' mount -n --move /tmp/.initrd/dev dev || echo '*: Failed to move over the /dev tree!' rm -rf /tmp/.initrd/dev || echo '*: Failed to remove the initrd /dev!' - elif /tmp/.initrd/bin/[ "${USE_UDEV_NORMAL}" -eq '1' ] + elif /tmp/.initrd/bin/[ "${USE_UDEV_NORMAL}" = '1' ] then /tmp/.initrd/bin/[ -e /tmp/.initrd/dev/fd ] && rm /tmp/.initrd/dev/fd /tmp/.initrd/bin/[ -e /tmp/.initrd/dev/stdin ] && rm /tmp/.initrd/dev/stdin @@ -752,7 +754,7 @@ then umount /tmp/.initrd/dev || echo '*: Failed to unmount the initrd /dev!' umount /tmp/.initrd/proc || echo '*: Failed to unmount the initrd /proc!' umount /tmp/.initrd/sys || echo '*: Failed to unmount the initrd /sys!' - elif /tmp/.initrd/bin/[ "${CDROOT}" -eq '1' ] + elif /tmp/.initrd/bin/[ "${CDROOT}" -eq 1 ] then umount /tmp/.initrd/proc || echo "*: Failed to unmount the initrd /proc!" umount /dev 2>/dev/null diff --git a/genkernel.8 b/genkernel.8 index 4acc807..6daec21 100644 --- a/genkernel.8 +++ b/genkernel.8 @@ -259,6 +259,26 @@ Specifies the device node of the root filesystem to mount. This specifies the device encrypted by Luks, which contains the root filesystem to mount. .TP +\fBcrypt_swap=\fR<...> +This specifies the swap device encrypted by Luks. +.TP +\fBroot_key=\fR<...> +In case your root is encrypted with a key, you can use a device like a usb pen to store the key. +This value should be the key path relative to the mount point. +.TP +\fBroot_keydev=\fR<...> +If necessary provide the name of the device that carries the root_key. +If unset while using root_key, it will automatically look for the device in every boot. +.TP +\fBswap_key=\fR<...> +Same as root_key for swap. +.TP +\fBswap_keydev=\fR<...> +Same as root_keydev for swap. +.TP +\fBcrypt_silent\fR +Set this to silent all the output related to the cryptographic software, and in case your encrypted device isn't open with the key, it opens a shell in the initrd quietly. +.TP \fBdodmraid=\fR<...> Passes arguments to dmraid on bootup. .TP