
Untitled

a guest
Mar 2nd, 2014
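#!/bin/sh

# NOTE(review): PREREQ is assigned here but prereqs() below never prints it;
# the ordering comes from the directory listing instead.
PREREQ="cryptroot-prepare"

#
# Standard initramfs preamble
#
# Print the name of every other script that sits in the same directory as
# this one, one per line, so that cryptroot is run last in local-top.
prereqs()
{
  local req script

  # Make sure that cryptroot is run last in local-top
  for req in "$(dirname "$0")"/*; do
    # An empty directory leaves the glob unexpanded; do not print "*".
    [ -e "$req" ] || continue
    script=${req##*/}
    # Quoted so that a file name with spaces or glob characters cannot break
    # the test or be expanded a second time.
    if [ "$script" != cryptroot ]; then
      printf '%s\n' "$script"
    fi
  done
}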
# Called with "prereqs" as first argument: print the prerequisite list and
# stop before doing any real work.
if [ "$1" = prereqs ]; then
  prereqs
  exit 0
fi

# source for log_*_msg() functions, see LP: #272301
. /scripts/functions
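#
# Helper functions
#

# Show a status message: through plymouth when /bin/plymouth is executable
# and "plymouth --ping" succeeds, otherwise on stderr.
# Arguments: the message text
# Returns:   always 0
message()
{
  if [ -x /bin/plymouth ] && plymouth --ping; then
    # "$*" keeps the whole text inside the --text= argument; "$@" would turn
    # every argument after the first into a separate plymouth argument.
    plymouth message --text="$*"
  else
    # printf rather than echo: callers interpolate values that come from the
    # boot options, and echo may treat a leading -n or backslash sequences
    # as instructions instead of text.
    printf '%s\n' "$*" >&2
  fi
  return 0
}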
# Wait for udev to be ready, see https://launchpad.net/bugs/85640
# Uses udevadm when it is available and falls back to udevsettle; both are
# called with --timeout=30. The exit status of the tool is ignored.
# Returns: always 0
udev_settle()
{
  if command -v udevadm >/dev/null 2>&1; then
    udevadm settle --timeout=30
    return 0
  fi

  if command -v udevsettle >/dev/null 2>&1; then
    udevsettle --timeout=30
  fi
  return 0
}
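# Parse one cryptopts string into the crypt* shell variables and export the
# CRYPTTAB_* environment (CRYPTTAB_NAME, CRYPTTAB_SOURCE, CRYPTTAB_KEY,
# CRYPTTAB_OPTIONS and one CRYPTTAB_OPTION_<name> per option).
# Arguments: $1 - options separated by spaces or commas, each either
#                 "name=value" or a bare flag word
# Returns:   0 on success; 1 when $1 is empty or no source= was given
parse_options()
{
  local cryptopts x PARAM VALUE
  cryptopts="$1"

  if [ -z "$cryptopts" ]; then
    return 1
  fi

  # Defaults
  # The cipher, size and hash defaults are only used by setup_mapping for
  # non-LUKS ("create") mappings. NOTE(review): they are legacy choices, but
  # such a mapping presumably has to be opened with the parameters it was
  # created with, so they are left unchanged here.
  cryptcipher=aes-cbc-essiv:sha256
  cryptsize=256
  crypthash=ripemd160
  crypttarget=cryptroot
  cryptsource=""
  cryptlvm=""
  cryptkeyscript=""
  cryptkey="" # This is only used as an argument to an eventual keyscript
  crypttries=3
  cryptrootdev=""
  cryptdiscard=""
  CRYPTTAB_OPTIONS=""

  local IFS=" ,"
  for x in $cryptopts; do
    case $x in
    hash=*)
      crypthash=${x#hash=}
      ;;
    size=*)
      cryptsize=${x#size=}
      ;;
    cipher=*)
      cryptcipher=${x#cipher=}
      ;;
    target=*)
      crypttarget=${x#target=}
      export CRYPTTAB_NAME="$crypttarget"
      ;;
    source=*)
      cryptsource=${x#source=}
      # Quoted: an empty "source=" must not turn the test into a syntax error.
      if [ "${cryptsource#UUID=}" != "$cryptsource" ]; then
        cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
      elif [ "${cryptsource#LABEL=}" != "$cryptsource" ]; then
        cryptsource="/dev/disk/by-label/${cryptsource#LABEL=}"
      fi
      export CRYPTTAB_SOURCE="$cryptsource"
      ;;
    lvm=*)
      cryptlvm=${x#lvm=}
      ;;
    keyscript=*)
      cryptkeyscript=${x#keyscript=}
      ;;
    key=*)
      if [ "${x#key=}" != "none" ]; then
        cryptkey=${x#key=}
      fi
      export CRYPTTAB_KEY="$cryptkey"
      ;;
    tries=*)
      crypttries="${x#tries=}"
      # Only a plain non-negative integer is usable in the numeric tests of
      # setup_mapping; anything else (empty, "1.5", "abc") falls back to 3.
      case "$crypttries" in
      ''|*[!0-9]*)
        crypttries=3
        ;;
      esac
      ;;
    rootdev)
      cryptrootdev="yes"
      ;;
    discard)
      cryptdiscard="yes"
      ;;
    esac

    # Cut at the FIRST '=' so that "source=UUID=..." yields the name "source"
    # and the value "UUID=...".
    PARAM="${x%%=*}"
    if [ "$PARAM" = "$x" ]; then
      VALUE="yes"
    else
      VALUE="${x#*=}"
    fi

    # The option string comes from the kernel command line or the conf file.
    # Accept only names that can be part of a variable name, and export
    # without eval so that quotes, '$' or backquotes in the value stay data
    # and are never run as shell code.
    case $PARAM in
    ''|*[!A-Za-z0-9_]*)
      continue
      ;;
    esac
    CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
    export "CRYPTTAB_OPTION_$PARAM=$VALUE"
  done
  export CRYPTTAB_OPTIONS

  if [ -z "$cryptsource" ]; then
    message "cryptsetup: source parameter missing"
    return 1
  fi
  return 0
}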
# Scan for LVM volume groups and activate them.
# Returns: 1 when /sbin/lvm is not executable, otherwise the exit status of
#          "lvm vgchange -a y --sysinit"
activate_vg()
{
  # Sanity checks
  [ -x /sbin/lvm ] || {
    message "cryptsetup: lvm is not available"
    return 1
  }

  # Detect and activate available volume groups; the status of the last
  # command becomes the function's return value.
  /sbin/lvm vgscan
  /sbin/lvm vgchange -a y --sysinit
}
# Load the kernel modules used by EVMS and run evms_activate.
# Returns: 1 when /sbin/evms_activate is not executable, otherwise the exit
#          status of /sbin/evms_activate
activate_evms()
{
  local dev module

  # Sanity checks
  [ -x /sbin/evms_activate ] || {
    message "cryptsetup: evms_activate is not available"
    return 1
  }

  # Load modules used by evms; modprobe -q stays silent when one is missing
  for module in \
    dm-mod linear raid0 raid1 raid10 raid5 raid6
  do
    modprobe -q "$module"
  done

  # Activate it; its exit status is the function's return value
  /sbin/evms_activate
}
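# Set up the dm-crypt mapping described by one cryptopts string: wait for the
# source device, ask for the key (plymouth, askpass or the configured
# keyscript) and retry until the mapped device shows a recognisable type or
# the allowed number of tries is used up.
# Globals:   reads ROOTDELAY and cmdline_root, and the crypt* variables set by
#            parse_options; writes slumber and FSTYPE
# Arguments: $1 - option string handed to parse_options
# Returns:   0 when $1 is empty, when the target already exists, or when the
#            mapping was set up; 1 on any failure, including running out of
#            tries
setup_mapping()
{
  local opts count cryptcreate cryptremove NEWROOT unlocked
  opts="$1"

  if [ -z "$opts" ]; then
    return 0
  fi

  parse_options "$opts" || return 1

  if [ -n "$cryptkeyscript" ] && ! type "$cryptkeyscript" >/dev/null; then
    message "cryptsetup: error - script \"$cryptkeyscript\" missing"
    return 1
  fi

  # The same target can be specified multiple times
  # e.g. root and resume lvs-on-lvm-on-crypto
  if [ -e "/dev/mapper/$crypttarget" ]; then
    return 0
  fi

  modprobe -q dm_crypt

  # Make sure the cryptsource device is available
  if [ ! -e "$cryptsource" ]; then
    activate_vg
    activate_evms
  fi

  # If the encrypted source device hasn't shown up yet, give it a
  # little while to deal with removable devices

  # the following lines below have been taken from
  # /usr/share/initramfs-tools/scripts/local, as suggested per
  # https://launchpad.net/bugs/164044
  if [ ! -e "$cryptsource" ]; then
    log_begin_msg "Waiting for encrypted source device..."

    # Default delay is 180s
    if [ -z "${ROOTDELAY}" ]; then
      slumber=180
    else
      slumber=${ROOTDELAY}
    fi

    # The loop below polls every 0.1s, hence ten steps per second of delay
    slumber=$(( ${slumber} * 10 ))
    while [ ! -e "$cryptsource" ]; do
      /bin/sleep 0.1
      slumber=$(( ${slumber} - 1 ))
      [ "${slumber}" -gt 0 ] || break
    done

    if [ "${slumber}" -gt 0 ]; then
      log_end_msg 0
    else
      log_end_msg 1 || true
    fi
  fi
  udev_settle

  # We've given up, but we'll let the user fix matters if they can
  # NOTE(review): panic comes from /scripts/functions (not shown here). Going
  # by its message it opens a shell on the console before any passphrase has
  # been checked, so console and boot loader access have to be restricted by
  # other means.
  while [ ! -e "${cryptsource}" ]; do
    echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
    echo " or missing modules, devices: cat /proc/modules; ls /dev"
    panic -r "ALERT! ${cryptsource} does not exist. Dropping to a shell!"
  done

  # Prepare commands
  # These are flat strings that get word-split when they are run, so a source
  # or target name containing whitespace or glob characters is not supported.
  cryptcreate="/sbin/cryptsetup -T 1"
  if [ "$cryptdiscard" = "yes" ]; then
    cryptcreate="$cryptcreate --allow-discards"
  fi
  if /sbin/cryptsetup isLuks "$cryptsource" >/dev/null 2>&1; then
    cryptcreate="$cryptcreate luksOpen $cryptsource $crypttarget"
  else
    cryptcreate="$cryptcreate -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
  fi
  cryptremove="/sbin/cryptsetup remove $crypttarget"
  NEWROOT="/dev/mapper/$crypttarget"

  # Try to get a satisfactory password $crypttries times
  # (a value of 0 or less means: keep asking)
  count=0
  unlocked=no
  while [ "$crypttries" -le 0 ] || [ "$count" -lt "$crypttries" ]; do
    count=$(( $count + 1 ))

    # Pause before every retry
    if [ "$count" -gt 1 ]; then
      /bin/sleep 3
    fi

    if [ -z "$cryptkeyscript" ]; then
      if [ -x /bin/plymouth ] && plymouth --ping; then
        cryptkeyscript="plymouth ask-for-password --prompt"
        # The device names go in as printf arguments, not as part of the
        # format string, so a '%' or backslash in them is printed literally.
        cryptkey=$(printf 'Unlocking the disk %s (%s)\nEnter passphrase: ' \
          "$cryptsource" "$crypttarget")
      else
        cryptkeyscript="/lib/cryptsetup/askpass"
        cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
      fi
    fi


    if [ ! -e "$NEWROOT" ]; then
      # The key is piped to cryptsetup's stdin (--key-file=-), so it does not
      # appear on any command line.
      if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
        $cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
        message "cryptsetup: cryptsetup failed, bad password or options?"
        continue
      fi
    fi

    if [ ! -e "$NEWROOT" ]; then
      message "cryptsetup: unknown error setting up device mapping"
      return 1
    fi

    #FSTYPE=''
    #eval $(fstype < "$NEWROOT")
    FSTYPE="$(blkid -s TYPE -o value "$NEWROOT")"

    # See if we need to setup lvm on the crypto device
    #if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
    if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then
      if [ -z "$cryptlvm" ]; then
        message "cryptsetup: lvm fs found but no lvm configured"
        return 1
      elif ! activate_vg; then
        # disable error message, LP: #151532
        #message "cryptsetup: failed to setup lvm device"
        return 1
      fi

      NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
      if [ "$cryptrootdev" = "yes" ]; then
        # required for lilo to find the root device
        echo "ROOT=$NEWROOT" >>/conf/param.conf
      fi
      # NOTE(review): eval runs whatever the fstype helper prints as shell
      # code, and that output is derived from the contents of $NEWROOT. The
      # blkid call used above for the same purpose needs no eval; consider
      # using it here as well.
      eval $(fstype < "$NEWROOT")
    fi

    #if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
    if [ -z "$FSTYPE" ]; then
      message "cryptsetup: unknown fstype, bad password or options?"
      udev_settle
      $cryptremove
      continue
    fi

    message "cryptsetup: $crypttarget set up successfully"
    unlocked=yes
    break
  done

  # Leaving the loop without success means the tries are used up. The former
  # test "count > crypttries" could never be true, because the loop stops as
  # soon as count equals crypttries, so the failure was reported as success.
  if [ "$unlocked" != yes ]; then
    message "cryptsetup: maximum number of tries exceeded for $crypttarget"
    return 1
  fi

  udev_settle
  return 0
}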
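#
# Begin real processing
#

# Do we have any kernel boot arguments?
# /proc/cmdline holds whatever the boot loader passed to the kernel, so the
# values parsed from it are only as trustworthy as the boot loader
# configuration.
cmdline_cryptopts=''
unset cmdline_root
for opt in $(cat /proc/cmdline); do
  case $opt in
  cryptopts=*)
    opt="${opt#cryptopts=}"
    if [ -n "$opt" ]; then
      # Space-separated list of every cryptopts= value seen so far
      cmdline_cryptopts="${cmdline_cryptopts:+$cmdline_cryptopts }$opt"
    fi
    ;;
  root=*)
    opt="${opt#root=}"
    case $opt in
    /*) # Absolute path given. Not lilo major/minor number.
      cmdline_root=$opt
      ;;
    *) # lilo major/minor number (See #398957). Ignore
      ;;
    esac
    ;;
  esac
done

if [ -n "$cmdline_cryptopts" ]; then
  # Call setup_mapping separately for each possible cryptopts= setting
  # The return status is not checked: the script exits 0 whether or not the
  # mapping could be set up.
  for cryptopt in $cmdline_cryptopts; do
    setup_mapping "$cryptopt"
  done
  exit 0
fi

# Do we have any settings from the /conf/conf.d/cryptroot file?
if [ -r /conf/conf.d/cryptroot ]; then
  # The file is read on fd 3, which is closed again for setup_mapping;
  # presumably this keeps stdin free for the passphrase prompt.
  # read -r keeps backslashes literal, and the "|| [ -n ... ]" part picks up
  # a last line that has no trailing newline.
  while read -r mapping <&3 || [ -n "$mapping" ]; do
    setup_mapping "$mapping" 3<&-
  done 3< /conf/conf.d/cryptroot
fi

exit 0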