Testing initramfs-tools integration
Max Vozeler
max at nusquama.org
Sat Dec 2 18:20:49 CET 2006
Hi all,
On Sat, Dec 02, 2006 at 04:30:44PM +0100, Max Vozeler wrote:
> I think we could do something to help prevent getting systems into
> such a state: README could mention that one should backup the key files
> (and keys, if the keyfile is encrypted asymmetrically) somewhere outside
> the encrypted root partition so that the system can still be repaired in
> case the initramfs gets lost, overwritten or some other thing happens to
> it. And/or we could check if the currently booted system has its root
> partition on loop-AES and output a strong warning in case the initramfs
> being generated cannot be used to boot it.
I have prepared a patch that shows a warning in case we detect root
on loop but are not going to include loop-AES support, and in case the
support is enabled but we couldn't figure out the correct options. This
turned out to be tricky to integrate with the FORCE_LOOPAES feature, so
it is dropped in the patch. Would you mind if we remove it? I can try
to find a way to integrate it back if you prefer.
cheers,
Max
-------------- next part --------------
Index: debian/initramfs-tools-hook
===================================================================
--- debian/initramfs-tools-hook (Revision 1334)
+++ debian/initramfs-tools-hook (Arbeitskopie)
@@ -16,33 +16,8 @@
;;
esac
-#Check whether loop-aes support is forced on or off
-case "${INITRAMFS_LOOPAES}" in
- 0|n|no|off)
- exit 0
- ;;
- 1|y|yes|on)
- FORCE_LOOPAES=1
- ;;
- auto)
- ;;
- *)
- if [ -n "${INITRAMFS_LOOPAES}" ]; then
- echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value: '${INITRAMFS_LOOPAES}'" 1>&2
- fi
- # Default not doing anything
- exit 0
- ;;
-esac
-
. /usr/share/initramfs-tools/hook-functions
-exit_unless_forced() {
- if [ -z "${FORCE_LOOPAES}" ]; then
- exit $1
- fi
-}
-
get_root_device() {
[ -r /etc/fstab ] || return
@@ -133,15 +108,61 @@
done
}
-# Find out which device root is on
+# Find out which device root is on (sets rootdev and rootoptions)
eval $(get_root_device)
-[ -z "${rootdev}" ] && exit_unless_forced 0
-# We now have set: rootdev rootoptions
+if [ -z "${rootdev}" ]; then
+ echo "WARNING: (loop-aes) Could not determine root device. Skipping." >&2
+ exit 0
+fi
get_root_opts
-[ -z "${rootloop}" ] && exit_unless_forced 0
loopaes_opts="${loopaes_opts},loop=${rootloop}"
+encrypted=no
+if [ "${rootloop}" ]; then
+ encrypted=yes
+fi
+
+enabled=no
+case "${INITRAMFS_LOOPAES}" in
+ 0|n|no|off|'')
+ enabled=no
+ ;;
+ 1|y|yes|on)
+ enabled=yes
+ ;;
+ auto)
+ if [ "$encrypted" = yes ]; then
+ enabled=yes
+ fi
+ ;;
+ *)
+ enabled=no
+ echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value: '${INITRAMFS_LOOPAES}'" 1>&2
+ ;;
+esac
+
+if [ "$enabled" = no ]; then
+ if [ "$encrypted" = yes ]; then
+ cat >&2 <<END_WARN
+WARNING: Your root partition appears to be encrypted with loop-AES, but
+the initramfs support for loop-AES is disabled. The resulting initramfs
+will most likely NOT be able to boot your system (!!!). Please make sure
+that you have a good initramfs before the next reboot.
+END_WARN
+ fi
+ exit 0
+fi
+
+if [ "$encrypted" = no ]; then
+ cat >&2 <<END_WARN
+WARNING: (loop-aes) Support for loop-AES is enabled but this script was
+unable to determine the loop-AES settings from /etc/fstab. It will skip
+setup of loop-AES support and let initramfs-tools continue.
+END_WARN
+ exit 0
+fi
+
# Prepare the initramfs
if [ -n "${rootgpgkey}" ]; then
mkdir ${DESTDIR}/keys/
More information about the Pkg-loop-aes-maint
mailing list