[Pkg-cryptsetup-devel] Bug#358452: Please provide add initramfs-tools cryptroot functionality

David Härdeman david at 2gen.com
Wed Mar 22 19:48:32 UTC 2006


Package: cryptsetup
Version: 2:1.0.2+1.0.3-rc3-1
Severity: wishlist

Hi,

in order to support encrypted root partitions from an initramfs, it would 
be good if the cryptsetup package could be adapted to install the two 
files attached in this mail (my debian packaging skills are not up to 
par here, so I'll leave that as an exercise to the reader):

croot3-hooks-cryptroot: in /etc/mkinitramfs/hooks/cryptroot
croot3-scripts-local-premount-cryptroot: in /etc/mkinitramfs/scripts/local-premount/cryptroot

The cryptroot works in two different ways depending on whether the root 
partition is a luks partition or not.


o With LUKS
-----------
The kernel only needs to be booted with root=/dev/path/to/luks-partition


o Without LUKS
--------------
The kernel should be booted with root=/dev/path/to/partition and 
cryptopts=OPTIONS.

OPTIONS can be cipher, size, hash and cryptnode. The first three should 
be self-explanatory, while cryptnode is the name of the cryptnode to 
set up (i.e. /dev/mapper/something).


o Additionally
--------------
The cryptnode option is also honoured with a luks partition.

An example of cryptopts would be:
cryptopts=cipher=aes-cbc-essiv:sha256,size=256,hash=plain

These options can also be set by creating 
/etc/mkinitramfs/conf.d/cryptroot with the CRYPTOPTS variable (it will 
be sourced by the relevant scripts, so something like 
CRYPTOPTS="cipher=aes-cbc-essiv:sha256,size=256,hash=plain").

Oh, and if the user wants some more esoteric way of getting the key, a 
script can be placed in /etc/mkinitramfs/cryptgetpw which outputs the 
key on stdout (which allows e.g. usb-key based keys with a suitable 
script).

This functionality depends on bug 348147 being fixed first.


Regards,
David
-------------- next part --------------
#!/bin/sh

PREREQ=""

prereqs()
{
	echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup /sbin
copy_exec /sbin/dmsetup /sbin
[ -x "/etc/mkinitramfs/cryptgetpw" ] && copy_exec /etc/mkinitramfs/cryptgetpw /sbin

exit 0
-------------- next part --------------
#!/bin/sh

PREREQ=""

prereqs()
{
	echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
	prereqs
	exit 0
	;;
esac

# Do we have any settings from the conf.d/cryptroot file
# (read from /conf/conf.d/cryptroot inside the initramfs)?
[ -r /conf/conf.d/cryptroot ] && . /conf/conf.d/cryptroot
cryptopts="${CRYPTOPTS}"

# Does the kernel boot command line override them?
for x in $(cat /proc/cmdline); do
	case $x in
	cryptopts=*)
		cryptopts=${x#cryptopts=}
		;;
	esac
done

# Sanity checks
if [ "$FSTYPE" != "luks" ] && [ -z "$cryptopts" ]; then
	# Apparently the root partition isn't encrypted
	echo "No cryptoroot configured or detected"
	exit 0
fi

# There are two possible scenarios here:
#
# 1) The fstype of the root device has been identified as "luks"
# 2) The fstype is not "luks" but cryptopts has been set
#
# The former means that we use the luks functionality of cryptsetup, the
# latter means that we do it the old-fashioned way.

# Start by parsing some options, all options are relevant to regular cryptsetup
# but only cryptnode is relevant to luks which picks up the rest of the 
# parameters by reading the partition header
cryptcipher=aes-cbc-essiv:sha256
cryptsize=256
crypthash=sha256
cryptnode=cryptroot
if [ -n "$cryptopts" ]; then
	IFS=" ,"
	for x in $cryptopts; do
		case $x in
		hash=*)
			crypthash=${x#hash=}
			;;
		size=*)
			cryptsize=${x#size=}
			;;
		cipher=*)
			cryptcipher=${x#cipher=}
			;;
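		# Accept "cryptnode=" (the documented option name) as well as "node="
		cryptnode=*)
			cryptnode=${x#cryptnode=}
			;;
		node=*)
			cryptnode=${x#node=}
			;;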
		esac
	done
	unset IFS
fi
NEWROOT="/dev/mapper/$cryptnode"

# Check which cryptosolution we want
if [ "$FSTYPE" = "luks" ]; then
	# 1) The fstype of the root device has been identified as "luks"
	cryptcreate="/sbin/cryptsetup luksOpen $ROOT $cryptnode"
	cryptremove=""
else
	# 2) The fstype is not "luks" but cryptopts has been set
	cryptcreate="/sbin/cryptsetup -c $cryptcipher -s $cryptsize -h $crypthash create $cryptnode $ROOT"
	cryptremove="/sbin/cryptsetup remove $cryptnode"
fi

# Loop until we have a satisfactory password
while true; do
	if [ -x "/sbin/cryptgetpw" ]; then
		/sbin/cryptgetpw | $cryptcreate
	else
		$cryptcreate
	fi

	if [ $? -eq 0 ]; then
		fstype < "$NEWROOT" > /dev/.initramfs/source.me
		. /dev/.initramfs/source.me
		if [ "$FSTYPE" != "unknown" ]; then
			break
		fi
	fi

	echo "$0: cryptsetup failed or fstype not recognized, bad password or options?"
	$cryptremove
	sleep 3
done

# init can now pick up new FSTYPE, FSSIZE and ROOT
echo "ROOT=\"$NEWROOT\"" >> /dev/.initramfs/source.me

exit 0
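
Added example (not part of the original mail or its attachments): the premount script expands the parsed cryptopts values unquoted into the cryptsetup command line and into /dev/mapper/$cryptnode, so this sketch resolves the options in the same order (conf.d default, then kernel command line) and rejects any value outside a conservative character set. The function names, the character set and the sample command line are assumptions made for illustration; both node= and cryptnode= are accepted.

```shell
#!/bin/sh
# Added example: validate cryptopts before they reach cryptsetup.
# The kernel command line is passed in as a string so this runs anywhere.

# Allow only characters needed by cipher specs, sizes, hash names and
# device-mapper node names (an assumed, deliberately narrow set).
valid_token() {
	case $1 in
	''|*[!A-Za-z0-9:_-]*) return 1 ;;
	esac
	return 0
}

# parse_cryptopts CMDLINE CONF_DEFAULT
# Sets cryptcipher, cryptsize, crypthash, cryptnode.
# Returns 1 on bad input; the caller must not use the values in that case.
parse_cryptopts() {
	cryptcipher=aes-cbc-essiv:sha256 cryptsize=256
	crypthash=sha256 cryptnode=cryptroot
	opts=$2 rc=0 old_ifs=$IFS
	set -f		# no glob expansion while word-splitting
	for word in $1; do
		case $word in
		cryptopts=*) opts=${word#cryptopts=} ;;	# cmdline overrides conf
		esac
	done
	IFS=" ,"
	for kv in $opts; do
		val=${kv#*=}
		valid_token "$val" || { rc=1; break; }
		case $kv in
		cipher=*) cryptcipher=$val ;;
		hash=*) crypthash=$val ;;
		node=*|cryptnode=*) cryptnode=$val ;;
		size=*)
			case $val in
			*[!0-9]*) rc=1; break ;;	# key size must be numeric
			esac
			cryptsize=$val ;;
		*) rc=1; break ;;			# unknown option name
		esac
	done
	IFS=$old_ifs
	set +f
	return $rc
}

# Constructed sample command line, using the cryptopts string from the mail.
parse_cryptopts "root=/dev/sda2 ro cryptopts=cipher=aes-cbc-essiv:sha256,size=256,hash=plain" "" &&
	echo "cipher=$cryptcipher size=$cryptsize hash=$crypthash node=$cryptnode"
```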

