Testing initramfs-tools integration

Sat Dec 2 18:20:49 CET 2006

Hi all,

On Sat, Dec 02, 2006 at 04:30:44PM +0100, Max Vozeler wrote:
> I think we could do something to help prevent getting systems into
> such a state: README could mention that one should backup the key files
> (and keys, if the keyfile is encrypted asymmetrically) somewhere outside
> the encrypted root partition so that the system can still be repaired in
> case the initramfs gets lost, overwritten or some other thing happens to
> it. And/or we could check if the currently booted system has its root
> partition on loop-AES and output a strong warning in case the initramfs
> being generated cannot be used to boot it.

I have prepared a patch that shows a warning in case we detect root
on loop but are not going to include loop-AES support, and in case the
support is enabled but we couldn't figure out the correct options. This
turned out to be tricky to integrate with the FORCE_LOOPAES feature, so
it is dropped in the patch. Would you mind if we remove it? I can try 
to find a way to integrate it back if you prefer.

cheers,
Max
-------------- next part --------------
Index: debian/initramfs-tools-hook
===================================================================

--- debian/initramfs-tools-hook	(Revision 1334)
+++ debian/initramfs-tools-hook	(Arbeitskopie)
@@ -16,33 +16,8 @@
 	;;
 esac
 
-#Check whether loop-aes support is forced on or off
-case "${INITRAMFS_LOOPAES}" in
-    0|n|no|off)
-	exit 0
-	;;
-    1|y|yes|on)
-	FORCE_LOOPAES=1
-	;;
-    auto)
-	;;
-    *)
-	if [ -n "${INITRAMFS_LOOPAES}" ]; then
-	    echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value: '${INITRAMFS_LOOPAES}'" 1>&2
-	fi
-    	# Default not doing anything
-	exit 0
-	;;
-esac
-
 . /usr/share/initramfs-tools/hook-functions
 
-exit_unless_forced() {
-    if [ -z "${FORCE_LOOPAES}" ]; then
-	exit $1
-    fi
-}
-
 get_root_device() {
     [ -r /etc/fstab ] || return
 
@@ -133,15 +108,61 @@
     done
 }
 
-# Find out which device root is on
+# Find out which device root is on (sets rootdev and rootoptions)
 eval $(get_root_device)
-[ -z "${rootdev}" ] && exit_unless_forced 0
-# We now have set: rootdev rootoptions
+if [ -z "${rootdev}" ]; then
+    echo "WARNING: (loop-aes) Could not determine root device. Skipping." >&2
+    exit 0
+fi
 
 get_root_opts
-[ -z "${rootloop}" ] && exit_unless_forced 0
 loopaes_opts="${loopaes_opts},loop=${rootloop}"
 
+encrypted=no
+if [ "${rootloop}" ]; then
+    encrypted=yes
+fi
+
+enabled=no
+case "${INITRAMFS_LOOPAES}" in
+    0|n|no|off|'')
+	enabled=no
+	;;
+    1|y|yes|on)
+	enabled=yes
+	;;
+    auto)
+	if [ "$encrypted" = yes ]; then
+	    enabled=yes
+	fi
+	;;
+    *)
+	enabled=no
+	echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value: '${INITRAMFS_LOOPAES}'" 1>&2
+	;;
+esac
+
+if [ "$enabled" = no ]; then
+    if [ "$encrypted" = yes ]; then
+	cat >&2 <<END_WARN
+WARNING: Your root partition appears to be encrypted with loop-AES, but
+the initramfs support for loop-AES is disabled. The resulting initramfs
+will most likely NOT be able to boot your system (!!!). Please make sure
+that you have a good initramfs before the next reboot.
+END_WARN
+    fi
+    exit 0
+fi
+
+if [ "$encrypted" = no ]; then
+    cat >&2 <<END_WARN
+WARNING: (loop-aes) Support for loop-AES is enabled but this script was 
+unable to determine the loop-AES settings from /etc/fstab. It will skip
+setup of loop-AES support and let initramfs-tools continue.
+END_WARN
+    exit 0
+fi
+
 # Prepare the initramfs
 if [ -n "${rootgpgkey}" ]; then
     mkdir ${DESTDIR}/keys/
