#ctrl+c trap
#
# SIGINT handler installed by startLUKS(): announces the interrupt on stdout,
# records it in the global `result` and returns 1 so the interrupted caller
# can notice that the unlock sequence was cut short.
ctrl_c() {
  printf '%s\n' "** CTRL-C Pressed --"
  result="1"
  return 1
}
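#Find the filesystem that the partition uses. Handy in mounting and determining if the
#partition is a swap device.
#
# find_fstype DEVICE
#   Prints (without a trailing newline) the TYPE="..." value that blkid reports
#   for DEVICE, or nothing when blkid prints nothing or reports no TYPE= field.
#   Only the ` TYPE="` token (with its leading space) is matched: the old
#   `*TYPE="` pattern also matched SEC_TYPE= (ext3) and PTTYPE= (whole disks
#   with a partition table) and could hand `mount -t` a bogus type such as "dos".
find_fstype() {
  local blk_out fs_type
  # split declaration and assignment so blkid's exit status is not hidden;
  # blkid exits non-zero when it has nothing to report, which means "no type"
  blk_out=$(blkid "$1") || blk_out=""
  case "$blk_out" in
    *' TYPE="'*)
      fs_type=${blk_out##* TYPE=\"}
      fs_type=${fs_type%%\"*}
      ;;
    *)
      fs_type=""
      ;;
  esac
  printf '%s' "$fs_type"
}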
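#getCryptKey() searches for the specified block device and finds the LUKS key.
#If the device does not exist it waits for 10s before returning an error code
#Also it cleans up if there was any mounting when searching for the key (file key)
#
# getCryptKey MAP KEY_DEV_SPEC KEY_FILE|clean [KEY_TYPE]
#   $1 mapping name; the key device is mounted on /mnt/${1}_key
#   $2 key device spec, resolved through find_real_device (defined elsewhere)
#   $3 key file name on the key device, or the literal "clean" to unmount and
#      remove the mountpoint left behind by an earlier FILE lookup
#   $4 "FILE": mount the device read-only and look for $3 on it;
#      anything else: only wait for the device node (BLK keys are read by the
#      caller straight from the disk)
# Polls once a second, up to 10 tries, while the device node is missing
# (removable key media is often still being enumerated at this point).
# Prints "0" on stdout when the key/device was found and "1" otherwise; all
# progress messages go to stderr so the caller can capture the status with
# $(...). The exit status is always 0; the "clean" form prints nothing.
getCryptKey() {
  local map_name=$1
  local key_spec=$2
  local key_name=$3
  local key_type=$4
  local mnt="/mnt/${map_name}_key"
  local key_dev fs_type counter mount_rc
  key_dev=$(find_real_device "$key_spec")

  if [ "$key_name" = "clean" ]; then
    # unmount by mountpoint, not by device node: still works if the node
    # was renumbered or can no longer be resolved
    if [ -d "$mnt" ]; then
      umount "$mnt" || echo "Could not unmount $mnt" >&2
      rmdir "$mnt" || echo "Could not remove $mnt" >&2
    fi
  else
    counter=0
    echo "Searching for key in $key_dev" >&2
    # quoted test: an unresolved (empty) device used to skip the wait entirely
    while [ ! -b "$key_dev" ] && [ "$counter" -lt 10 ]; do
      counter=$((counter + 1))
      echo "Waiting 10s for $key_dev : Try $counter" >&2
      key_dev=$(find_real_device "$key_spec")
      if [ -b "$key_dev" ]; then
        echo "$key_dev connected" >&2
      fi
      sleep 1
    done

    if [ ! -b "$key_dev" ]; then
      echo "Key device: $key_dev is not present" >&2
      echo "1"
    elif [ "$key_type" != "FILE" ]; then
      echo "Found key device $key_dev" >&2
      echo "0"
    else
      if [ ! -d "$mnt" ]; then
        mkdir "$mnt" || echo "Could not create $mnt" >&2
      fi
      fs_type=$(find_fstype "$key_dev")
      # the key medium is removable and therefore attacker-reachable: mount
      # it read-only and never honour device nodes, setuid bits or
      # executables that happen to be on it
      mount_rc=0
      if [ -n "$fs_type" ]; then
        mount -r -o nodev,nosuid,noexec -t "$fs_type" "$key_dev" "$mnt" || mount_rc=$?
      else
        # blkid reported no TYPE=: let mount autodetect instead of passing an
        # empty -t argument (which used to swallow the device path)
        mount -r -o nodev,nosuid,noexec "$key_dev" "$mnt" || mount_rc=$?
      fi
      if [ "$mount_rc" -ne 0 ]; then
        echo "Could not mount key device $key_dev on $mnt" >&2
        echo "1"
      elif [ -f "$mnt/$key_name" ]; then
        echo "Found key in $key_dev" >&2
        echo "0"
      else
        echo "$key_name does not exist in $key_dev" >&2
        echo "1"
      fi
    fi
  fi
}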
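#openLUKS() Unlocks a volume based on the boot args. If the volume is a swap device
#it gets mounted.
#
# luks_report_opened OPEN_RC LUKS_DEV LUKS_MAP
#   Post-unlock step shared by every key type: when cryptsetup exited 0 and
#   /dev/mapper/LUKS_MAP exists, logs success to stderr, activates the mapping
#   as swap if blkid reports TYPE="swap", and prints "0"; otherwise prints "1".
luks_report_opened() {
  local open_rc=$1
  local luks_dev=$2
  local luks_map=$3
  if [ "$open_rc" = "0" ] && [ -b "/dev/mapper/$luks_map" ]; then
    echo "LUKS Volume $luks_dev is now unlocked" >&2
    if [ "$(find_fstype "/dev/mapper/$luks_map")" = "swap" ]; then
      swapon "/dev/mapper/$luks_map" || echo "swapon /dev/mapper/$luks_map failed" >&2
    fi
    echo "0"
  else
    echo "1"
  fi
}

# luks_byte_range_ok START-SIZE
#   Succeeds only for two non-empty decimal numbers separated by one dash, so
#   the values can be handed to dd's skip=/count= without surprises.
luks_byte_range_ok() {
  case "$1" in
    *-*) ;;
    *) return 1 ;;
  esac
  case "${1%%-*}" in
    ''|*[!0-9]*) return 1 ;;
  esac
  case "${1#*-}" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# openLUKS LUKS_DEV LUKS_MAP LUKS_OPTS KEY_DEV KEY_TYPE KEY
#   $1 luks_dev : device spec of the LUKS container, resolved via find_real_device
#   $2 luks_map : name of the /dev/mapper entry to create
#   $3 luks_opts: comma-separated extra cryptsetup arguments, or "null" for none;
#                 they come from the kernel command line and are passed through as-is
#   $4 key_dev  : device spec holding the key (BLK and FILE only)
#   $5 key_type : PASS or "null" -> interactive passphrase
#                 BLK  -> raw bytes read from the key disk
#                 FILE -> a file on a filesystem on key_dev
#   $6 key      : BLK: "START-SIZE", byte offset and length on the key disk
#                 FILE: key file name on the mounted key device
# Prints "0" on stdout when /dev/mapper/$2 exists afterwards, "1" otherwise;
# all progress goes to stderr. Sets the global `result`.
openLUKS() {
  local luks_dev luks_opts key_start key_size key_dev open_rc
  result=""
  luks_dev=$(find_real_device "$1")
  # options come from the documented $3 (the old code read the global
  # luks_opts, which only worked because startLUKS happened to set it);
  # "null" or empty means none, commas become separate arguments
  case "$3" in
    ""|null) luks_opts="" ;;
    *) luks_opts=$(printf '%s' "$3" | tr ',' ' ') ;;
  esac
  case "$5" in
    PASS|null)
      echo "Trying to unlock $luks_dev" >&2
      open_rc=0
      # shellcheck disable=SC2086 -- $luks_opts is deliberately word-split
      cryptsetup luksOpen $luks_opts "$luks_dev" "$2" || open_rc=$?
      luks_report_opened "$open_rc" "$luks_dev" "$2"
      ;;
    BLK)
      result=$(getCryptKey "$2" "$4" "$6" "$5")
      # START-SIZE is the documented $6 (the old code read the global key_loc)
      key_start=${6%%-*}
      key_size=${6#*-}
      if [ "$result" != "0" ]; then
        echo "1"
      elif ! luks_byte_range_ok "$6"; then
        echo "Invalid key location '$6' for $luks_dev (expected START-SIZE in bytes)" >&2
        echo "1"
      else
        key_dev=$(find_real_device "$4")
        # strip the partition number so dd reads from the whole disk
        # (/dev/sdb1 -> /dev/sdb). NOTE(review): this mangles names such as
        # /dev/nvme0n1p1 or /dev/mmcblk0p1 (-> /dev/nvme, /dev/mmcblk); confirm
        # the intended device naming before relying on BLK keys there.
        key_dev=${key_dev%%[0-9]*}
        echo "Trying to unlock $luks_dev" >&2
        open_rc=0
        # the key bytes travel through the pipe, never on a command line or in a file
        # shellcheck disable=SC2086
        dd if="$key_dev" bs=1 skip="$key_start" count="$key_size" \
          | cryptsetup luksOpen $luks_opts "$luks_dev" "$2" --key-file=- || open_rc=$?
        result="$open_rc"
        luks_report_opened "$open_rc" "$luks_dev" "$2"
      fi
      ;;
    FILE)
      result=$(getCryptKey "$2" "$4" "$6" "$5")
      if [ "$result" = "0" ]; then
        echo "Trying to unlock $luks_dev" >&2
        open_rc=0
        # shellcheck disable=SC2086
        cryptsetup -d "/mnt/${2}_key/$6" open --type luks $luks_opts "$luks_dev" "$2" || open_rc=$?
        luks_report_opened "$open_rc" "$luks_dev" "$2"
      else
        echo "1"
      fi
      # always drop the key mount, whether or not the unlock worked
      getCryptKey "$2" "$4" "clean"
      ;;
    *)
      echo "Unknown Key Type" >&2
      # report failure on stdout like every other branch, so the caller's
      # "$result" comparison does not see an empty string
      echo "1"
      ;;
  esac
}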
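#startLUKS() reads the boot line, stores the arguments in arrays, parses them
#and uses openLUKS() to unlock the LUKS volumes. If a volume fails it is included
#in the error array.
#
# Kernel command line arguments understood:
#   real_root=<dev>
#   crypt_dev=<dev>:<map>[:<opt1,opt2,...>]      (one per LUKS container)
#   crypt_key=<map>:<key_dev>:<PASS|BLK|FILE>:<start-size|filename>
# The command line is trusted input: whoever can edit it already controls the
# boot, so fields are only checked for shape, not for intent.
# Globals written: REAL_ROOT, root_arg, dev_error (" dev:map" per failure),
# crypt_devs, crypt_keys, unlocked, result, and luks_dev/luks_map/luks_opts/
# key_map/key_dev/key_type/key_loc (left global as before in case other
# initramfs code reads them). Calls startVolumes (defined elsewhere) when a
# real_root was given, otherwise defaults REAL_ROOT to /dev/mapper/root.
startLUKS() {
  local boot_args boot_arg arg_val map_name map_opts dev key i try_pass real_dev
  boot_args="$(cat /proc/cmdline)"
  root_arg=""
  dev_error=""
  crypt_devs=""
  crypt_keys=""
  unlocked="false"
  trap ctrl_c INT

  # intentional word splitting: one kernel argument per word
  for boot_arg in $boot_args; do
    arg_val=${boot_arg#*=}
    case "${boot_arg%%=*}" in
      real_root)
        REAL_ROOT=$arg_val
        ;;
      crypt_dev)
        # keep the device spec as given (not a resolved path) so a device
        # that has not appeared yet still has a meaningful name in messages
        # and is re-resolved when actually used; empty fields become "null"
        map_name=$(printf '%s\n' "$arg_val" | awk -F':' '{print $2}')
        map_opts=$(printf '%s\n' "$arg_val" | awk -F':' '{print $3}')
        crypt_devs="$crypt_devs ${arg_val%%:*}|${map_name:-null}|${map_opts:-null} "
        ;;
      crypt_key)
        # stored as map|key_dev|key_type|key_loc, one awk pass instead of four
        crypt_keys="$crypt_keys $(printf '%s\n' "$arg_val" | awk -F':' '{print $1 "|" $2 "|" $3 "|" $4}') "
        ;;
    esac
  done

  # intentional word splitting on the space-separated entries built above
  for dev in $crypt_devs; do
    luks_dev=$(printf '%s\n' "$dev" | awk -F'|' '{print $1}')
    luks_map=$(printf '%s\n' "$dev" | awk -F'|' '{print $2}')
    luks_opts=$(printf '%s\n' "$dev" | awk -F'|' '{print $3}')
    key_map="null"
    key_dev="null"
    key_type="null"
    key_loc="null"
    for key in $crypt_keys; do
      if [ "${key%%|*}" = "$luks_map" ]; then
        key_map=$luks_map
        key_dev=$(printf '%s\n' "$key" | awk -F'|' '{print $2}')
        key_type=$(printf '%s\n' "$key" | awk -F'|' '{print $3}')
        key_loc=$(printf '%s\n' "$key" | awk -F'|' '{print $4}')
        break
      fi
    done
    real_dev=$(find_real_device "$luks_dev")
    # quoted tests: an unresolvable device used to pass the -b check and then
    # shift openLUKS's positional arguments by one
    if [ ! -b "$real_dev" ]; then
      echo "LUKS device $luks_dev does not exist"
      dev_error="$dev_error $luks_dev:$luks_map"
    elif [ "$luks_map" = "null" ]; then
      echo "LUKS Map cannot be empty!"
      dev_error="$dev_error $luks_dev:$luks_map"
    else
      result=$(openLUKS "$luks_dev" "$luks_map" "$luks_opts" "$key_dev" "$key_type" "$key_loc")
      if [ "$result" = "0" ]; then
        unlocked="true"
      else
        # dev:map is what the retry loop below splits on; the old code stored
        # only the device, so the retry ran cryptsetup without a mapping name
        dev_error="$dev_error $luks_dev:$luks_map"
      fi
    fi
  done

  if [ -z "$dev_error" ]; then
    echo "All LUKS devices were succesfully unlocked"
  else
    for i in $dev_error; do
      luks_dev=${i%%:*}
      luks_map=${i#*:}
      echo "Failed to unlock: $luks_dev"
      if [ -z "$luks_map" ] || [ "$luks_map" = "null" ]; then
        echo "Cannot retry $luks_dev: no mapping name was given"
        continue
      fi
      printf '%s' "Retry with Password? [y/n]: "
      # EOF on the console counts as "no"
      read -r try_pass || try_pass=""
      case "$try_pass" in
        y|Y)
          real_dev=$(find_real_device "$luks_dev")
          if cryptsetup luksOpen "$real_dev" "$luks_map" && [ -b "/dev/mapper/$luks_map" ]; then
            echo "LUKS Volume $luks_dev is now unlocked"
            if [ "$(find_fstype "/dev/mapper/$luks_map")" = "swap" ]; then
              swapon "/dev/mapper/$luks_map" || echo "swapon /dev/mapper/$luks_map failed"
            fi
            unlocked="true"
          fi
          ;;
        *)
          echo "Unlocking $luks_dev aborted"
          ;;
      esac
    done
  fi

  if [ -n "${REAL_ROOT:-}" ]; then
    startVolumes
  else
    REAL_ROOT="/dev/mapper/root"
  fi
}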