1 # vim: set ft=sh:
2 # TODO this one needs some work to work with lots of different
3 #       encryption schemes
4 run_hook ()
6     /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
7     if [ -e "/sys/class/misc/device-mapper" ]; then
8         if [ ! -e "/dev/mapper/control" ]; then
9             mkdir /dev/mapper
10             mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
11         fi
12         [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
14         # Get keyfile if specified
15         ckeyfile="/crypto_keyfile.bin"
16         if [ "x${cryptkey}" != "x" ]; then
17             ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
18             ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
19             ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
20             if poll_device "${ckdev}" ${rootdelay}; then
21                 case ${ckarg1} in
22                     *[!0-9]*)
23                         # Use a file on the device
24                         # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
25                         mkdir /ckey
26                         mount -r -t ${ckarg1} ${ckdev} /ckey
27                         dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
28                         umount /ckey
29                         ;;
30                     *)
31                         # Read raw data from the block device
32                         # ckarg1 is numeric: ckarg1=offset, ckarg2=length
33                         dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
34                         ;;
35                 esac
36             fi
37             [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
38         fi
40         if [ -n "${cryptdevice}" ]; then
41             DEPRECATED_CRYPT=0
42             cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
43             cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
44         else
45             DEPRECATED_CRYPT=1
46             cryptdev="${root}"
47             cryptname="root"
48         fi
# Prints the deprecation notice for the legacy "root=<encrypted device>"
# form of invocation.
# Globals:   root (read) - the device path the user passed on the kernel
#            command line
# Arguments: none
# Outputs:   two lines on stdout describing the replacement cryptdevice= syntax
# Returns:   exit status of the last echo
warn_deprecated() {
    echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"; \
    echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
}
55         if  poll_device "${cryptdev}" ${rootdelay}; then
56             if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
57                 [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
58                 dopassphrase=1
59                 # If keyfile exists, try to use that
60                 if [ -f ${ckeyfile} ]; then
61                     if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
62                         dopassphrase=0
63                     else
64                         echo "Invalid keyfile. Reverting to passphrase."
65                     fi
66                 fi
67                 # Ask for a passphrase
68                 if [ ${dopassphrase} -gt 0 ]; then
69                     echo ""
70                     echo "A password is required to access the ${cryptname} volume:"
72                     #loop until we get a real password
73                     while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
74                         sleep 2;
75                     done
76                 fi
77                 if [ -e "/dev/mapper/${cryptname}" ]; then
78                     if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
79                         export root="/dev/mapper/root"
80                     fi
81                 else
82                     err "Password succeeded, but ${cryptname} creation failed, aborting..."
83                     exit 1
84                 fi
85             elif [ -n "${crypto}" ]; then
86                 [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
87                 msg "Non-LUKS encrypted device found..."
88                 if [ $# -ne 5 ]; then
89                     err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
90                     err "Non-LUKS decryption not attempted..."
91                     return 1
92                 fi
93                 exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
94                 tmp=$(echo "${crypto}" | cut -d: -f1)
95                 [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
96                 tmp=$(echo "${crypto}" | cut -d: -f2)
97                 [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
98                 tmp=$(echo "${crypto}" | cut -d: -f3)
99                 [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
100                 tmp=$(echo "${crypto}" | cut -d: -f4)
101                 [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
102                 tmp=$(echo "${crypto}" | cut -d: -f5)
103                 [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
104                 if [ -f ${ckeyfile} ]; then
105                     exe="${exe} --key-file ${ckeyfile}"
106                 else
107                     exe="${exe} --verify-passphrase"
108                     echo ""
109                     echo "A password is required to access the ${cryptname} volume:"
110                 fi
111                 eval "${exe} ${CSQUIET}"
113                 if [ $? -ne 0 ]; then
114                     err "Non-LUKS device decryption failed. verify format: "
115                     err "      crypto=hash:cipher:keysize:offset:skip"
116                     exit 1
117                 fi
118                 if [ -e "/dev/mapper/${cryptname}" ]; then
119                     if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
120                         export root="/dev/mapper/root"
121                     fi
122                 else
123                     err "Password succeeded, but ${cryptname} creation failed, aborting..."
124                     exit 1
125                 fi
126             else
127                 err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
128             fi
129         fi
130         rm -f ${ckeyfile}
131     fi