[Pkg-loop-aes-commits] r1411 - in /trunk/loop-aes-utils: ./ debian/README debian/changelog debian/initramfs-tools-hook debian/initramfs-tools-script debian/loop-aes-utils.dirs debian/rules
xam at users.alioth.debian.org
Sat Aug 11 14:21:14 UTC 2007
Author: xam
Date: Sat Aug 11 14:21:13 2007
New Revision: 1411
URL: http://svn.debian.org/wsvn/pkg-loop-aes/?sc=1&rev=1411
Log:
* Include initramfs-tools integration for encrypted root, thanks to
Lionel Elie Mamane <lionel at debian.org> (Closes: #378488)
Modified:
trunk/loop-aes-utils/ (props changed)
trunk/loop-aes-utils/debian/README
trunk/loop-aes-utils/debian/changelog
trunk/loop-aes-utils/debian/initramfs-tools-hook
trunk/loop-aes-utils/debian/initramfs-tools-script
trunk/loop-aes-utils/debian/loop-aes-utils.dirs
trunk/loop-aes-utils/debian/rules
Propchange: trunk/loop-aes-utils/
------------------------------------------------------------------------------
--- svk:merge (original)
+++ svk:merge Sat Aug 11 14:21:13 2007
@@ -1,1 +1,9 @@
-02a4734a-7125-4a10-a2dd-ccf7f6155d04:/local/pkg-loop-aes/trunk/loop-aes-utils:9896
+02a4734a-7125-4a10-a2dd-ccf7f6155d04:/local/pkg-loop-aes/trunk/loop-aes-utils:9899
+53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/branches/2.12-alternative:120
+53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/branches/2.12-dpatch:196
+53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/trunk/current:338
+53348a03-e5de-0310-b097-96e6f85ea926:/import/loop-aes-utils/vendor/2.12:90
+53348a03-e5de-0310-b097-96e6f85ea926:/loop-aes-utils/oldtrunk/current:388
+53348a03-e5de-0310-b097-96e6f85ea926:/loop-aes-utils/trunk:1210
+53348a03-e5de-0310-b097-96e6f85ea926:/loop-aes-utils/trunk/current:345
+53348a03-e5de-0310-b097-96e6f85ea926:/tags/loop-aes-utils/2.12r-14:1299
Modified: trunk/loop-aes-utils/debian/README
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/README?rev=1411&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/README (original)
+++ trunk/loop-aes-utils/debian/README Sat Aug 11 14:21:13 2007
@@ -23,4 +23,77 @@
entry in /etc/fstab and do not have options "noauto" or "sw".
It otherwise works like the normal file system check.
- -- Max Vozeler <xam at debian.org>
+Encrypted root fs
+-----------------
+
+ This package integrates with initramfs-tools so that an initramfs
+ created with initramfs-tools will be able to handle a root fs on an
+ encrypted (or not) loop device. This needs initramfs-tools version
+ 0.81 or later.
+
+ This support is not automatically enabled by default.
+
+ You can activate the support by setting INITRAMFS_LOOPAES in
+ /etc/initramfs-tools/initramfs.conf or in the shell calling
+ mkinitramfs to "auto" or "yes". The recommended setting is "auto".
+ It checks at initramfs creation time if your root device in
+ /etc/fstab has a "loop=/dev/loopN" option. You can also forcibly
+ activate the support with "yes" or force it off with "no". An
+ example of a reason to force it off would be because you have custom
+ scripts to handle a specific situation in your initramfs
+ (e.g. reading the keys from a removable media, from the network,
+ ...).
+
+ Wether you set INITRAMFS_LOOPAES in the shell before running
+ mkinitramfs or in /etc/initramfs-tools/initramfs.conf, don't forget
+ to export it. For example:
+
+ INITRAMFS_LOOPAES=auto
+ export INITRAMFS_LOOPAES
+
+ When support is forced on, support for all ciphers is included; when
+ automatically enabled, only the necessary cipher module is included
+ in the initramfs.
+
+ The entry for the root fs in /etc/fstab should look like:
+ /dev/hda5 / ext3 loop=/dev/loop5,encryption=AES,gpgkey=/root/keys/loopaes.gpg 0 0
+ not
+ /dev/loop5 / ext3 defaults 0 0
+
+ If the options include a "gpghome=" and/or a "gpgkey=", these will
+ be copied into the initramfs, to /keys/rootkeyfile.gpg and /.gnupg,
+ respectively; if you supply a "gpghome=" option, it is recommended
+ that it point towards a specially prepared minimal directory rather
+ than your usual "~/.gnupg/".
+
+ You can override the loop and crypto related options of /etc/fstab
+ at boot time by setting the kernel command-line "loopaesopts="
+ option from your boot leader. The syntax is the same as in the
+ options column of /etc/fstab. Any file path will be interpreted in
+ the initramfs, obviously. For example:
+ "loopaesopts=loop=/dev/loop5,encryption=AES,gpgkey=/keys/rootkeyfile.gpg"
+
+ To minimise risks of losing access to your computer in case of
+ root-on-loopaes, it is recommended to keep your (password-protected)
+ keys to your root partition elsewhere than in the said partition. In
+ this manner, you can still access your partition even if the keys
+ don't get copied into the initramfs for a reason or another
+ (configuration error, bug in our code, ...). /boot/keys is a good
+ choice. It also doesn't reduce security as keys will be in the
+ initramfs in /boot during normal operations anyway. Combine this
+ with INITRAMFS_LOOPAES=yes to always have the necessary modules and
+ loop-aes utilities available in the initramfs shell and/or being
+ able to use the loopaesopts kernel command-line option.
+
+ When doing the boot manually from the initramfs shell, remember you
+ don't have the loop-aes-utils version of mount; you need to use
+ losetup and then "mount /dev/loopN /root".
+
+ The integration sets the umask for the initramfs to 600 if it thinks
+ it is necessary (if it copies cryptographic keys in the initramfs);
+ you can override this by creating a file
+ /etc/initramfs-tools/conf.d/loopaes that sets the UMASK shell
+ variable (or not); mere existence of this file (even if it is empty)
+ disables the loopaes automatic determination.
+
+ -- Max Vozeler <xam at debian.org> and Lionel Elie Mamane <lmamane at debian.org>
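Review bot: the umask paragraph near the end of the hunk gives the value as "600", which reads as a file mode rather than a umask; a umask of 600 clears the owner's read and write bits and leaves the group/other bits alone, the opposite of what is wanted for an initramfs that carries a copied GPG key. State the resulting mode instead (the initramfs should end up 0600, which in initramfs-tools terms is UMASK=0077) and check that the value the hook actually writes matches, because the "doesn't reduce security" argument for keeping keys in /boot/keys only holds while both the key files and the initramfs are readable by root alone. Smaller points in the same hunk: the gpghome/gpgkey sentence has the destinations the wrong way round (gpgkey is the one copied to /keys/rootkeyfile.gpg and gpghome to /.gnupg, which is also what the hook writes as gpghome=/.gnupg); "Wether" should be "Whether" and "boot leader" should be "boot loader".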
Modified: trunk/loop-aes-utils/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/changelog?rev=1411&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/changelog (original)
+++ trunk/loop-aes-utils/debian/changelog Sat Aug 11 14:21:13 2007
@@ -5,8 +5,10 @@
- patches/20loop-AES: Update
- patches/40pagesize: Drop, included upstream
* Remove shlib override for libblkid
-
- -- Max Vozeler <xam at debian.org> Sun, 22 Apr 2007 18:23:51 +0200
+ * Include initramfs-tools integration for encrypted root, thanks to
+ Lionel Elie Mamane <lionel at debian.org> (Closes: #378488)
+
+ -- Max Vozeler <xam at debian.org> Sun, 22 Apr 2007 19:56:09 +0200
loop-aes-utils (2.12r-16) unstable; urgency=low
Modified: trunk/loop-aes-utils/debian/initramfs-tools-hook
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/initramfs-tools-hook?rev=1411&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/initramfs-tools-hook (original)
+++ trunk/loop-aes-utils/debian/initramfs-tools-hook Sat Aug 11 14:21:13 2007
@@ -16,34 +16,14 @@
;;
esac
-#Check whether loop-aes support is forced on or off
-case "${INITRAMFS_LOOPAES}" in
- 0|no|off)
- exit 0
- ;;
- 1|yes|on)
- FORCE_LOOPAES=1
- ;;
- auto|)
- ;;
- *)
- echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value ${INITRAMFS_LOOPAES}" 1>&2
-esac
-
. /usr/share/initramfs-tools/hook-functions
-
-exit_unless_forced() {
- if [ -z "${FORCE_LOOPAES}" ]; then
- exit $1
- fi
-}
get_root_device() {
[ -r /etc/fstab ] || return
grep '^[^#]' /etc/fstab | ( \
while read dev mount type options dump pass; do
- if [ "$mount" = "/" ]; then
+ if [ "${mount}" = "/" ]; then
echo "rootdev=\"${dev}\" rootoptions=\"${options}\""
return
fi
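Review bot: get_root_device emits shell source (the echo of rootdev="..." rootoptions="...") that the caller hands to eval, so a double quote, backtick or $ in the device or options field of /etc/fstab would either break the eval or be expanded by it. Because /etc/fstab is root-owned this is a robustness problem rather than a privilege one, but it is cheap to avoid by having the function set the two variables directly; the only reason it cannot is the ( ... ) subshell around the while loop, which goes away if the loop reads /etc/fstab through a redirection and skips comment lines inside the loop instead of piping through grep. Dropping exit_unless_forced is fine only if every former caller is covered by the new enabled/forced logic later in the file: the "[ -z "${rootdev}" ]" caller gets an explicit exit, but the "[ -z "${rootloop}" ]" caller is no longer an exit at all, so the code that follows it has to cope with an empty rootloop.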
@@ -53,6 +33,9 @@
decode_cipher() {
local cipher
+ # When changing this, don't forget to update the list of all known
+ # cipher modules in the iterate_cipher_module call near the end
+ # of this file. Also update the copy in initramfs-tools-script
case "$1" in
twofish*)
echo twofish
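Review bot: the new comment asks maintainers to keep the cipher list in sync by hand in three places (decode_cipher here, its copy in initramfs-tools-script, and the hard-coded module list in the iterate_cipher_module call at the end of this file), and three hand-maintained copies will drift. Consider keeping the list in one shell fragment that the hook copies into the initramfs and both the hook and the boot script source, or at least derive the forced-on module list from the same case statement that does the decoding so that adding a cipher is a one-line change.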
@@ -83,12 +66,14 @@
}
get_root_opts() {
+ # If you change this, keep the version in initramfs-tools-script
+ # in sync.
local opt cipher
local IFS=", "
for opt in $rootoptions; do
case "$opt" in
encryption=*)
- cipher="$(decode_cipher \"${opt#encryption=}\")"
+ cipher="$(decode_cipher "${opt#encryption=}")"
if [ -n "$cipher" ]; then
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
fi
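Review bot: the change from \"${opt#encryption=}\" to "${opt#encryption=}" inside the $( ... ) is a real bug fix, not a cosmetic one: within command substitution the backslash-escaped quotes were passed to decode_cipher as literal " characters, so encryption=AES arrived as "AES" including the quotes, matched none of the case patterns, and left rootencryption empty, which in turn kept the cipher module out of the initramfs. That deserves its own line in debian/changelog and the commit log rather than being folded into the generic "include initramfs-tools integration" entry, so anyone who had used the script from the tree knows why their earlier initramfs lacked the module.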
@@ -128,14 +113,77 @@
done
}
-# Find out which device root is on
+# Find out which device root is on (sets rootdev and rootoptions)
eval $(get_root_device)
-[ -z "${rootdev}" ] && exit_unless_forced 0
-# We now have set: rootdev rootoptions
+if [ -z "${rootdev}" ]; then
+ echo "WARNING: (loop-aes) Could not determine root device. Skipping." >&2
+ exit 0
+fi
get_root_opts
-[ -z "${rootloop}" ] && exit_unless_forced 0
loopaes_opts="${loopaes_opts},loop=${rootloop}"
+
+encrypted=no
+if [ -n "${rootloop}" ]; then
+ encrypted=yes
+fi
+
+enabled=no
+forced=no
+case "${INITRAMFS_LOOPAES}" in
+ 0|n|no|off|'')
+ ;;
+ 1|y|yes|on)
+ enabled=yes
+ forced=yes
+ ;;
+ auto)
+ enabled="${encrypted}"
+ ;;
+ *)
+ echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value: '${INITRAMFS_LOOPAES}'" 1>&2
+ ;;
+esac
+
+if [ "$enabled" = no ]; then
+ if [ "$encrypted" = yes ]; then
+ cat >&2 <<END_WARN
+WARNING: Your root partition appears to be encrypted with loop-AES, but
+the initramfs support for loop-AES is disabled. The resulting initramfs
+will most likely NOT be able to boot your system (!!!). Please make sure
+that you have a good initramfs before the next reboot.
+END_WARN
+ fi
+ exit 0
+fi
+
+case "${rootdev}" in
+ /dev/loop*)
+ cat >&2 <<END_WARN
+WARNING:(loop-aes) According to /etc/fstab, your root device is on a
+loop device. Probably you use the wrong syntax for this script in
+/etc/fstab. See /usr/share/doc/loop-aes-utils/README . The initramfs
+being created will NOT be able to mount your loop-AES encrypted root
+automatically.
+END_WARN
+ ;;
+ *)
+ if [ "$encrypted" = no ]; then
+ cat >&2 <<END_WARN
+WARNING: (loop-aes) Support for loop-AES is forced on but this script was
+unable to determine the loop-AES settings from /etc/fstab. Assuming
+you want the possibility of using loopaesopts kernel command-line
+option (and/or have losetup available in the initramfs shell), but
+don't want a loop-AES-encrypted root to be mounted automatically by
+default.
+
+Note that you need to ensure that the keys for the encrypted root fs
+you want to load through the loopaesopts kernel command-line option
+are reachable from the initramfs.
+END_WARN
+ fi
+ ;;
+esac
# Prepare the initramfs
if [ -n "${rootgpgkey}" ]; then
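Review bot: loopaes_opts="${loopaes_opts},loop=${rootloop}" at the top of the hunk runs before the enabled/forced decision and regardless of whether rootloop is set, so in the forced-on case with no loop= entry in /etc/fstab (the branch that prints the "Support for loop-AES is forced on but ..." warning) the conf file ends up containing loop= with an empty value. The boot script's sanity check only tests whether loopaes_opts as a whole is empty, so this string no longer makes it skip, which contradicts the warning's promise that an encrypted root will not be mounted automatically by default. Guard the append with [ -n "${rootloop}" ], or build loopaes_opts only after the case statement has decided that support is enabled. Two smaller points: encrypted=yes is set whenever a loop= option exists, even with no encryption= option, so the variable name and the "appears to be encrypted" warning overstate what was detected (the README itself says "encrypted (or not) loop device"); and the '' alternative in the 0|n|no|off|'') pattern turns an unset INITRAMFS_LOOPAES into "off" where the removed case statement treated it as "auto", which matches the README text but is a behaviour change worth a changelog line.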
@@ -152,6 +200,12 @@
fi
loopaes_opts="${loopaes_opts},gpghome=/.gnupg"
+# mkinitramfs has installed a symlink to
+# /etc/initramfs-tools/conf.d/loopaes or
+# /usr/share/initramfs-tools/conf.d/loopaes; that is not desirable
+# for us as what we want there at boot time and at initramfs creation
+# time is not the same!
+rm -f ${DESTDIR}/conf/conf.d/loopaes
echo "LOOPAESOPTS=\"$loopaes_opts\"" > ${DESTDIR}/conf/conf.d/loopaes
copy_exec /sbin/losetup /sbin/
# Allow the correct keymap to be loaded if possible
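Review bot: the rm -f is the right fix for the problem the comment describes, since without it the > redirection on the next line would write through the symlink mkinitramfs placed at ${DESTDIR}/conf/conf.d/loopaes and clobber /etc/initramfs-tools/conf.d/loopaes or /usr/share/initramfs-tools/conf.d/loopaes on the running system. Both lines use ${DESTDIR} unquoted, though, and if the variable is empty (hook run by hand outside mkinitramfs) they remove and then create /conf/conf.d/loopaes on the host. Quote it and refuse to continue when it is unset, e.g. [ -n "${DESTDIR}" ] || exit 1 near the top of the hook, so neither the rm nor the redirection can land outside the staging tree.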
@@ -160,7 +214,7 @@
cp /etc/console/boottime.kmap.gz $DESTDIR/etc/
fi
manual_add_modules loop
-if [ -z "${FORCE_LOOPAES}" ]; then
+if [ "${forced}" = no ]; then
iterate_cipher_module "manual_add_modules" "$rootencryption"
else
iterate_cipher_module "manual_add_modules" "serpent:blowfish:twofish"
Modified: trunk/loop-aes-utils/debian/initramfs-tools-script
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/initramfs-tools-script?rev=1411&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/initramfs-tools-script (original)
+++ trunk/loop-aes-utils/debian/initramfs-tools-script Sat Aug 11 14:21:13 2007
@@ -22,6 +22,10 @@
decode_cipher() {
local cipher
+ # When changing this, don't forget to update the copy in
+ # initramfs-tools-hook, as well as the list of all known cipher
+ # modules in the iterate_cipher_module call near the end of
+ # initramfs-tools-hook.
case "$1" in
twofish*)
echo twofish
@@ -43,42 +47,44 @@
esac
}
-iterate_cipher_module() {
+modprobe_cipher_modules() {
local cipher
local IFS=":"
- for cipher in $2; do
- $1 "loop_${cipher}"
+ for cipher in $1; do
+ modprobe -q "loop_${cipher}"
done
}
get_options()
{
- # Do we have any settings from the /conf/conf.d/cryptroot file?
- [ -r /conf/conf.d/loopaes ] && . /conf/conf.d/loopaes
- loopaes_opts="${LOOPAESOPTS}"
+ # Do we have any settings from the /conf/conf.d/loopaes file?
+ [ -r /conf/conf.d/loopaes ] && . /conf/conf.d/loopaes
+ loopaes_opts="${LOOPAESOPTS}"
- # Does the kernel boot command line override them?
- for x in $(cat /proc/cmdline); do
- case $x in
- loopaesopts=*)
- loopaes_opts=${x#loopaesopts=}
- ;;
- esac
- done
+ # Does the kernel boot command line override them?
+ for x in $(cat /proc/cmdline); do
+ case $x in
+ loopaesopts=*)
+ loopaes_opts=${x#loopaesopts=}
+ ;;
+ esac
+ done
- # Sanity check
- if [ -z "${loopaes_opts}" ]; then
- # Apparently the root partition isn't encrypted
- echo "No root-on-loop configured, skipping"
- exit 0
- fi
+ # Sanity check
+ if [ -z "${loopaes_opts}" ]; then
+ # Apparently the root partition isn't encrypted
+ echo "No root-on-loop configured, skipping"
+ exit 0
+ fi
+ # If you change this, keep the version in initramfs-tools-script
+ # in sync.
local opt cipher
local IFS=", "
for opt in $loopaes_opts; do
case $opt in
encryption=*)
- cipher="$(decode_cipher \"${opt#encryption=}\")"
+ cipher="$(decode_cipher "${opt#encryption=}")"
if [ -n "$cipher" ]; then
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
fi
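Review bot: the comment added above "local opt cipher" says to keep the version in initramfs-tools-script in sync, but this file is initramfs-tools-script; the comment was copied from the hook and should name initramfs-tools-hook. Separately, most of this hunk is a re-indentation of get_options with no functional change, which buries the two real changes (the iterate_cipher_module to modprobe_cipher_modules rename, and the \" quoting fix in the decode_cipher call that previously passed literal quote characters and so never matched a cipher); whitespace-only changes are easier to review as a commit of their own.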
@@ -143,7 +149,7 @@
fi
modprobe -q loop
-iterate_cipher_module "modprobe -q" "$rootencryption"
+modprobe_cipher_modules "$rootencryption"
while ! [ -b "${rootloop}" ]; do
sleep 1
done
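Review bot: while ! [ -b "${rootloop}" ]; do sleep 1; done has neither an upper bound nor a check that rootloop is non-empty: [ -b "" ] is always false, so if the loop= option is missing or empty in LOOPAESOPTS or in the loopaesopts kernel parameter the boot hangs here forever with no message. Test [ -n "${rootloop}" ] before the loop and treat an empty value as "no root-on-loop configured" (or as an explicit error), and give the wait a bounded retry count that ends in a diagnostic and a drop to the initramfs shell via the panic helper from the initramfs-tools functions library, which is the manual recovery path the README already describes.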
Modified: trunk/loop-aes-utils/debian/loop-aes-utils.dirs
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/loop-aes-utils.dirs?rev=1411&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/loop-aes-utils.dirs (original)
+++ trunk/loop-aes-utils/debian/loop-aes-utils.dirs Sat Aug 11 14:21:13 2007
@@ -5,3 +5,6 @@
/usr/share/man/man5
/usr/share/man/man8
/usr/share/lintian/overrides
+/usr/share/initramfs-tools/scripts/local-top
+/usr/share/initramfs-tools/hooks
+/usr/share/initramfs-tools/conf.d
Modified: trunk/loop-aes-utils/debian/rules
URL: http://svn.debian.org/wsvn/pkg-loop-aes/trunk/loop-aes-utils/debian/rules?rev=1411&op=diff
==============================================================================
--- trunk/loop-aes-utils/debian/rules (original)
+++ trunk/loop-aes-utils/debian/rules Sat Aug 11 14:21:13 2007
@@ -65,8 +65,9 @@
install -m 755 mount/swapon $(DIR_UDEB)/sbin/swapon-aes
install -m 755 debian/loop-aes-keygen $(DIR_UDEB)/bin
# initramsfs-tools integration
- #install -m 755 debian/initramfs-tools-script $(DIR)/usr/share/initramfs-tools/scripts/local-top/loopaes
- #install -m 755 debian/initramfs-tools-hook $(DIR)/usr/share/initramfs-tools/hooks/loopaes
+ install -m 755 debian/initramfs-tools-script $(DIR)/usr/share/initramfs-tools/scripts/local-top/loopaes
+ install -m 755 debian/initramfs-tools-hook $(DIR)/usr/share/initramfs-tools/hooks/loopaes
+ install -m 644 debian/initramfs-tools-conf $(DIR)/usr/share/initramfs-tools/conf.d/loopaes
binary-indep: build install
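Review bot: the new "install -m 644 debian/initramfs-tools-conf ..." line references a file that appears nowhere in this revision: the commit lists only debian/README, changelog, initramfs-tools-hook, initramfs-tools-script, loop-aes-utils.dirs and rules as modified and has no Added: section. Unless debian/initramfs-tools-conf already exists in trunk, the package build fails at this install step; if it was meant to be added in this commit it is missing. The hook also relies on this file being present, since it removes the symlink mkinitramfs makes to /usr/share/initramfs-tools/conf.d/loopaes. Also, the comment above the block reads "initramsfs-tools" (typo for initramfs-tools).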