summaryrefslogtreecommitdiffstats
path: root/abs/core/cryptsetup/encrypt_hook
blob: 248f1f217b7c2165fd1b5755bf01e0c21c7849fd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# vim: set ft=sh:
# TODO this one needs some work to work with lots of different
#       encryption schemes
run_hook ()
{
    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        if [ ! -c "/dev/mapper/control" ]; then
            read dev_t < /sys/class/misc/device-mapper/dev
            /bin/mknod "/dev/mapper/control" c $(/bin/replace "${dev_t}" ':')
        fi
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

        # Get keyfile if specified
        ckeyfile="/crypto_keyfile.bin"
        if [ "x${cryptkey}" != "x" ]; then
            set -- $(/bin/replace "${cryptkey}" ':'); ckdev=$1; ckarg1=$2; ckarg2=$3
            try=10
            echo "Waiting for ${ckdev} ..."
            while [ ! -b ${ckdev} -a ${try} -gt 0 ]; do
                sleep 1
                try=$((${try}-1))
            done
            if [ -b ${ckdev} ]; then
                case ${ckarg1} in
                    *[!0-9]*)
                        # Use a file on the device
                        # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                        mkdir /ckey
                        mount -r -t ${ckarg1} ${ckdev} /ckey
                        dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
                        umount /ckey
                        ;;
                    *)
                        # Read raw data from the block device
                        # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                        dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
                        ;;
                esac
            fi
            [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
        fi

        if [ -n "${cryptdevice}" ]; then
            set -- $(/bin/replace "${cryptdevice}" ':'); cryptdev="$1"; cryptname="$2";
        else
            cryptdev="${root}"
            cryptname="root"
        fi

        if /bin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
            dopassphrase=1
            # If keyfile exists, try to use that
            if [ -f ${ckeyfile} ]; then
                if eval /bin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                    dopassphrase=0
                else
                    echo "Invalid keyfile. Reverting to passphrase."
                fi
            fi
            # Ask for a passphrase
            if [ ${dopassphrase} -gt 0 ]; then
                echo ""
                echo "A password is required to access the ${cryptname} volume:"

                #loop until we get a real password
                while ! eval /bin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                    sleep 2;
                done
            fi
            if [ -e "/dev/mapper/${cryptname}" ]; then
                if [ "${cryptname}" = "root" ]; then
                    export root="/dev/mapper/root"
                fi
            else
                err "Password succeeded, but ${cryptname} creation failed, aborting..."
                exit 1
            fi
        elif [ "x${crypto}" != "x" ]; then
            do_oldcrypto ()
            {
                if [ $# -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi
                exe="/bin/cryptsetup create ${cryptname} ${cryptdev}"
                [ "x$(eval echo ${1})" != "x" ] && exe="${exe} --hash \"$(eval echo ${1})\""
                [ "x$(eval echo ${2})" != "x" ] && exe="${exe} --cipher \"$(eval echo ${2})\""
                [ "x$(eval echo ${3})" != "x" ] && exe="${exe} --key-size \"$(eval echo ${3})\""
                [ "x$(eval echo ${4})" != "x" ] && exe="${exe} --offset \"$(eval echo ${4})\""
                [ "x$(eval echo ${5})" != "x" ] && exe="${exe} --skip \"$(eval echo ${5})\""
                if [ -f ${ckeyfile} ]; then
                    exe="${exe} --key-file ${ckeyfile}"
                else
                    exe="${exe} --verify-passphrase"
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                fi
                eval "${exe} ${CSQUIET}"
            }

            msg "Non-LUKS encrypted device found..."
            do_oldcrypto $(/bin/replace -q "${crypto}" ':')

            if [ $? -ne 0 ]; then
                err "Non-LUKS device decryption failed. verify format: "
                err "      crypto=hash:cipher:keysize:offset:skip"
                exit 1
            fi
            if [ -e "/dev/mapper/${cryptname}" ]; then
                if [ "${cryptname}" = "root" ]; then
                    export root="/dev/mapper/root"
                fi
            else
                err "Password succeeded, but ${cryptname} creation failed, aborting..."
                exit 1
            fi
        fi
        nuke ${ckeyfile}
    fi
}