Cryptroot-ask.sh: Use variables consistently
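#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# Unlock one LUKS device. A key file named in a matching /etc/crypttab entry
# is tried first; without a usable key file, a key located through
# rd.luks.key is tried; an interactive passphrase prompt is the fallback.
#
# Arguments:
#   $1 - block device to open; a /dev/dm-X name is translated to its
#        /dev/mapper/<name> form
#   $2 - mapping name to create (default form: luks-UUID); replaced by the
#        /etc/crypttab name when an entry matches
#   $3 - remaining retries while waiting for a key (default 10)
#
# Every exit visible in this script is "exit 0", including the "nothing to
# do" paths and the path that queues a retry.

PATH=/usr/sbin:/usr/bin:/sbin:/bin
NEWROOT=${NEWROOT:-"/sysroot"}

# do not ask, if we already have root
# NOTE(review): -f only matches a regular file; confirm that is what
# $NEWROOT/proc is expected to be at this point.
[ -f "$NEWROOT/proc" ] && exit 0

. /lib/dracut-lib.sh

# default luksname - luks-UUID
luksname=$2

# check if destination already exists
[ -b "/dev/mapper/$luksname" ] && exit 0

# we already asked for this device
# The marker path is fixed here, from the name passed in $2, because luksname
# can be rewritten from /etc/crypttab below and is unset before the marker is
# written at the end of the script.
asked_file="/tmp/cryptroot-asked-$luksname"
[ -f "$asked_file" ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

. /lib/dracut-crypt-lib.sh

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

# number of tries
numtries=${3:-10}

# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
    # After a "break", luksfile and luksoptions keep the fields of the matching
    # entry and are used further down.
    while read name dev luksfile luksoptions; do
        # ignore blank lines and comments
        if [ -z "$name" ] || [ "${name#\#}" != "$name" ]; then
            continue
        fi

        # UUID used in crypttab
        if [ "${dev%%=*}" = "UUID" ]; then
            if [ "luks-${dev##UUID=}" = "$luksname" ]; then
                luksname="$name"
                break
            fi

        # path used in crypttab
        else
            cdev=$(readlink -f "$dev")
            mdev=$(readlink -f "$device")
            if [ "$cdev" = "$mdev" ]; then
                luksname="$name"
                break
            fi
        fi
    done < /etc/crypttab
    unset name dev
fi

# check if destination already exists
# (repeated because luksname may now be the crypttab name)
[ -b "/dev/mapper/$luksname" ] && exit 0

# we already asked for this device
[ -f "/tmp/cryptroot-asked-$luksname" ] && exit 0

#
# Open LUKS device
#

info "luksOpen $device $luksname $luksfile $luksoptions"

OLD_IFS="$IFS"
IFS=,
# Deliberately unquoted: split the comma-separated crypttab options into the
# positional parameters. This replaces $1..$3, which were captured above.
set -- $luksoptions
IFS="$OLD_IFS"

while [ $# -gt 0 ]; do
    case $1 in
        noauto | swap | tmp)
            # skip this
            exit 0
            ;;
        allow-discards)
            allowdiscards="--allow-discards"
            ;;
    esac
    shift
done

# parse for allow-discards
if strstr "$(cryptsetup --help)" "allow-discards"; then
    if discarduuids=$(getargs "rd.luks.allow-discards"); then
        discarduuids=$(str_replace "$discarduuids" 'luks-' '')
        # NOTE(review): luksdev is not assigned anywhere in this script. If it
        # is empty here the needle is a single space, which presumably matches
        # any list, so a per-UUID rd.luks.allow-discards would turn discards on
        # for every device rather than only the listed ones. Confirm which
        # variable is intended before relying on the per-UUID form.
        if strstr " $discarduuids " " ${luksdev##luks-}"; then
            allowdiscards="--allow-discards"
        fi
    elif getargbool 0 rd.luks.allow-discards; then
        allowdiscards="--allow-discards"
    fi
fi

if strstr "$(cryptsetup --help)" "allow-discards"; then
    cryptsetupopts="$cryptsetupopts $allowdiscards"
fi

unset allowdiscards

# fallback to passphrase
ask_passphrase=1

if [ -n "$luksfile" ] && [ "$luksfile" != "none" ] && [ -e "$luksfile" ]; then
    # cryptsetupopts stays unquoted so that it splits into separate options
    if cryptsetup --key-file "$luksfile" $cryptsetupopts luksOpen "$device" "$luksname"; then
        ask_passphrase=0
    fi
else
    while [ -n "$(getarg rd.luks.key)" ]; do
        if tmp=$(getkey /tmp/luks.keys "$device"); then
            keydev="${tmp%%:*}"
            keypath="${tmp#*:}"
        else
            if [ "$numtries" -eq 0 ]; then
                warn "No key found for $device. Fallback to passphrase mode."
                break
            fi
            sleep 1
            info "No key found for $device. Will try $numtries time(s) more later."
            # Re-queue this script with one try less, then stop this run.
            initqueue --unique --onetime --settled \
                --name "cryptroot-ask-$luksname" \
                "$(command -v cryptroot-ask)" "$device" "$luksname" "$((numtries - 1))"
            exit 0
        fi
        unset tmp

        info "Using '$keypath' on '$keydev'"
        # NOTE(review): the exit status of this pipeline is not checked, so a
        # key that fails to open the device still disables the passphrase
        # prompt and the device is still marked as asked.
        readkey "$keypath" "$keydev" "$device" \
            | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"
        unset keypath keydev
        ask_passphrase=0
        break
    done
fi

if [ "$ask_passphrase" -ne 0 ]; then
    luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
    # NOTE(review): device and luksname are pasted into command strings here.
    # How ask_for_password runs them is not visible in this file; if the
    # strings are re-parsed by a shell, names containing whitespace or shell
    # metacharacters would not stay single arguments. Confirm against
    # dracut-crypt-lib.sh.
    ask_for_password --ply-tries 5 \
        --ply-cmd "$luks_open -T1 $device $luksname" \
        --ply-prompt "Password ($device)" \
        --tty-tries 1 \
        --tty-cmd "$luks_open -T5 $device $luksname"
    unset luks_open
fi

unset device luksname luksfile

# mark device as asked
: >> "$asked_file"

need_shutdown
udevsettle

exit 0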