diff options
Diffstat (limited to 'abs/core-testing/cryptsetup')
-rw-r--r-- | abs/core-testing/cryptsetup/PKGBUILD | 39 | ||||
-rw-r--r-- | abs/core-testing/cryptsetup/cryptsetup-1.0.5-run_udevsettle.patch | 29 | ||||
-rw-r--r-- | abs/core-testing/cryptsetup/encrypt_hook | 122 | ||||
-rw-r--r-- | abs/core-testing/cryptsetup/encrypt_install | 22 | ||||
-rw-r--r-- | abs/core-testing/cryptsetup/luksOpen-status.patch | 13 |
5 files changed, 225 insertions, 0 deletions
diff --git a/abs/core-testing/cryptsetup/PKGBUILD b/abs/core-testing/cryptsetup/PKGBUILD new file mode 100644 index 0000000..ff5f83f --- /dev/null +++ b/abs/core-testing/cryptsetup/PKGBUILD @@ -0,0 +1,39 @@ +# $Id: PKGBUILD 356 2008-04-18 22:56:27Z aaron $ +# Maintainer: Judd Vinet <jvinet@zeroflux.org> +pkgname=cryptsetup +pkgver=1.0.6 +pkgrel=10 +pkgdesc="Userspace setup tool for transparent encryption of block devices using the Linux 2.6 cryptoapi" +arch=(i686 x86_64) +license=('GPL') +url="http://luks.endorphin.org/dm-crypt" +groups=('base') +depends=('device-mapper' 'libgcrypt' 'popt' 'e2fsprogs') +options=('!libtool' '!emptydirs') +source=(http://luks.endorphin.org/source/cryptsetup-$pkgver.tar.bz2 + encrypt_hook + encrypt_install + luksOpen-status.patch) +md5sums=('00d452eb7a76e39f5749545d48934a10' + '40fee2419cd444cfb283c311f9555d2d' + '24b76e9cb938bc3c8dcff396cbab28c7' + 'd4be8d2059d5427c057be4de4e948887') + +build() { + cd $startdir/src/$pkgname-$pkgver + # suppress "Command successful" message on luksOpen + patch -p1 -i $startdir/src/luksOpen-status.patch + ./configure --prefix=/usr --disable-static + make || return 1 + make DESTDIR=$startdir/pkg install + # include a static cryptsetup binary for initrd setups + make clean + cd $startdir/src/$pkgname-$pkgver + ./configure --prefix=/usr --enable-static + make || return 1 + # include a static cryptsetup binary for initrd setups + install -D -m755 src/cryptsetup $startdir/pkg/sbin/cryptsetup.static || return 1 + # install hook + install -D -m644 $startdir/src/encrypt_hook $startdir/pkg/lib/initcpio/hooks/encrypt + install -D -m644 $startdir/src/encrypt_install $startdir/pkg/lib/initcpio/install/encrypt +} diff --git a/abs/core-testing/cryptsetup/cryptsetup-1.0.5-run_udevsettle.patch b/abs/core-testing/cryptsetup/cryptsetup-1.0.5-run_udevsettle.patch new file mode 100644 index 0000000..28f85e6 --- /dev/null +++ b/abs/core-testing/cryptsetup/cryptsetup-1.0.5-run_udevsettle.patch @@ -0,0 +1,29 @@ +Index: cryptsetup-1.0.5/lib/libdevmapper.c +=================================================================== +--- cryptsetup-1.0.5.orig/lib/libdevmapper.c ++++ cryptsetup-1.0.5/lib/libdevmapper.c +@@ -18,6 +18,13 @@ + + #define CRYPT_TARGET "crypt" + ++#define UDEVSETTLE "/sbin/udevsettle" ++ ++static void run_udevsettle(void) ++{ ++ system(UDEVSETTLE); ++} ++ + static void set_dm_error(int level, const char *file, int line, + const char *f, ...) + { +@@ -184,6 +191,9 @@ static int dm_create_device(int reload, + if (dmi.read_only) + options->flags |= CRYPT_FLAG_READONLY; + ++ /* run udevsettle to avoid problems with busy dm devices */ ++ run_udevsettle(); ++ + r = 0; + + out: + diff --git a/abs/core-testing/cryptsetup/encrypt_hook b/abs/core-testing/cryptsetup/encrypt_hook new file mode 100644 index 0000000..248f1f2 --- /dev/null +++ b/abs/core-testing/cryptsetup/encrypt_hook @@ -0,0 +1,122 @@ +# vim: set ft=sh: +# TODO this one needs some work to work with lots of different +# encryption schemes +run_hook () +{ + /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1 + if [ -e "/sys/class/misc/device-mapper" ]; then + if [ ! -c "/dev/mapper/control" ]; then + read dev_t < /sys/class/misc/device-mapper/dev + /bin/mknod "/dev/mapper/control" c $(/bin/replace "${dev_t}" ':') + fi + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ "x${cryptkey}" != "x" ]; then + set -- $(/bin/replace "${cryptkey}" ':'); ckdev=$1; ckarg1=$2; ckarg2=$3 + try=10 + echo "Waiting for ${ckdev} ..." + while [ ! -b ${ckdev} -a ${try} -gt 0 ]; do + sleep 1 + try=$((${try}-1)) + done + if [ -b ${ckdev} ]; then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t ${ckarg1} ${ckdev} /ckey + dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + set -- $(/bin/replace "${cryptdevice}" ':'); cryptdev="$1"; cryptname="$2"; + else + cryptdev="${root}" + cryptname="root" + fi + + if /bin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval /bin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval /bin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ "${cryptname}" = "root" ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ "x${crypto}" != "x" ]; then + do_oldcrypto () + { + if [ $# -ne 5 ]; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="/bin/cryptsetup create ${cryptname} ${cryptdev}" + [ "x$(eval echo ${1})" != "x" ] && exe="${exe} --hash \"$(eval echo ${1})\"" + [ "x$(eval echo ${2})" != "x" ] && exe="${exe} --cipher \"$(eval echo ${2})\"" + [ "x$(eval echo ${3})" != "x" ] && exe="${exe} --key-size \"$(eval echo ${3})\"" + [ "x$(eval echo ${4})" != "x" ] && exe="${exe} --offset \"$(eval echo ${4})\"" + [ "x$(eval echo ${5})" != "x" ] && exe="${exe} --skip \"$(eval echo ${5})\"" + if [ -f ${ckeyfile} ]; then + exe="${exe} --key-file ${ckeyfile}" + else + exe="${exe} --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "${exe} ${CSQUIET}" + } + + msg "Non-LUKS encrypted device found..." + do_oldcrypto $(/bin/replace -q "${crypto}" ':') + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ "${cryptname}" = "root" ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + fi + nuke ${ckeyfile} + fi +} diff --git a/abs/core-testing/cryptsetup/encrypt_install b/abs/core-testing/cryptsetup/encrypt_install new file mode 100644 index 0000000..28cfa3f --- /dev/null +++ b/abs/core-testing/cryptsetup/encrypt_install @@ -0,0 +1,22 @@ +# vim: set ft=sh: + +install () +{ + if [ -z "${CRYPTO_MODULES}" ]; then + MODULES=" dm-crypt $(all_modules "/crypto/") " + else + MODULES=" dm-crypt ${CRYPTO_MODULES} " + fi + BINARIES="" + add_dir "/dev/mapper" + add_file "/sbin/cryptsetup.static" "/bin/cryptsetup" + FILES="" + SCRIPT="encrypt" +} + +help () +{ +cat<<HELPEOF + This hook allows for an encrypted root device. +HELPEOF +} diff --git a/abs/core-testing/cryptsetup/luksOpen-status.patch b/abs/core-testing/cryptsetup/luksOpen-status.patch new file mode 100644 index 0000000..d2e4004 --- /dev/null +++ b/abs/core-testing/cryptsetup/luksOpen-status.patch @@ -0,0 +1,13 @@ +diff -Nur cryptsetup-luks-1.0.4.orig/src/cryptsetup.c cryptsetup-luks-1.0.4/src/cryptsetup.c +--- cryptsetup-luks-1.0.4.orig/src/cryptsetup.c 2006-10-04 15:47:00.000000000 +0200 ++++ cryptsetup-luks-1.0.4/src/cryptsetup.c 2006-12-16 15:54:12.000000000 +0100 +@@ -249,7 +249,8 @@ + if (opt_readonly) + options.flags |= CRYPT_FLAG_READONLY; + r = crypt_luksOpen(&options); +- show_status(-r); ++ if(r) ++ show_status(-r); + return r; + } + |