[thirdparty/systemd.git] / src / cryptsetup / cryptsetup-generator.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <stdio_ext.h>

#include "alloc-util.h"
#include "dropin.h"
#include "fd-util.h"
#include "fileio.h"
#include "fstab-util.h"
#include "generator.h"
#include "hashmap.h"
#include "log.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "proc-cmdline.h"
#include "specifier.h"
#include "string-util.h"
#include "strv.h"
#include "unit-name.h"
#include "util.h"

typedef struct crypto_device {
        char *uuid;
        char *keyfile;
        char *name;
        char *options;
        bool create;
} crypto_device;

static const char *arg_dest = "/tmp";
static bool arg_enabled = true;
static bool arg_read_crypttab = true;
static bool arg_whitelist = false;
static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;

static int create_disk(
                const char *name,
                const char *device,
                const char *password,
                const char *options) {

        _cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
                *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        const char *dmname;
        bool noauto, nofail, tmp, swap, netdev;
        int r;

        assert(name);
        assert(device);

        noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
        nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
        tmp = fstab_test_option(options, "tmp\0");
        swap = fstab_test_option(options, "swap\0");
        netdev = fstab_test_option(options, "_netdev\0");

        if (tmp && swap) {
                log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
                return -EINVAL;
        }

        name_escaped = specifier_escape(name);
        if (!name_escaped)
                return log_oom();

        e = unit_name_escape(name);
        if (!e)
                return log_oom();

        u = fstab_node_to_udev_node(device);
        if (!u)
                return log_oom();

        r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        u_escaped = specifier_escape(u);
        if (!u_escaped)
                return log_oom();

        r = unit_name_from_path(u, ".device", &d);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        if (password) {
                password_escaped = specifier_escape(password);
                if (!password_escaped)
                        return log_oom();
        }

        r = generator_open_unit_file(arg_dest, NULL, n, &f);
        if (r < 0)
                return r;

        fprintf(f,
                "[Unit]\n"
                "Description=Cryptography Setup for %%I\n"
                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
                "SourcePath=/etc/crypttab\n"
                "DefaultDependencies=no\n"
                "Conflicts=umount.target\n"
                "IgnoreOnIsolate=true\n"
                "After=%s\n",
                netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");

        if (!nofail)
                fprintf(f,
                        "Before=%s\n",
                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");

        if (password) {
                if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
                        fputs("After=systemd-random-seed.service\n", f);
                else if (!STR_IN_SET(password, "-", "none")) {
                        _cleanup_free_ char *uu;

                        uu = fstab_node_to_udev_node(password);
                        if (!uu)
                                return log_oom();

                        if (!path_equal(uu, "/dev/null")) {

                                if (path_startswith(uu, "/dev/")) {
                                        _cleanup_free_ char *dd = NULL;

                                        r = unit_name_from_path(uu, ".device", &dd);
                                        if (r < 0)
                                                return log_error_errno(r, "Failed to generate unit name: %m");

                                        fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
                                } else
                                        fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
                        }
                }
        }

        if (path_startswith(u, "/dev/")) {
                fprintf(f,
                        "BindsTo=%s\n"
                        "After=%s\n"
                        "Before=umount.target\n",
                        d, d);

                if (swap)
                        fputs("Before=dev-mapper-%i.swap\n",
                              f);
        } else
                fprintf(f,
                        "RequiresMountsFor=%s\n",
                        u_escaped);

        r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
        if (r < 0)
                return r;

        if (filtered) {
                filtered_escaped = specifier_escape(filtered);
                if (!filtered_escaped)
                        return log_oom();
        }

        fprintf(f,
                "\n[Service]\n"
                "Type=oneshot\n"
                "RemainAfterExit=yes\n"
                "TimeoutSec=0\n" /* the binary handles timeouts anyway */
                "KeyringMode=shared\n" /* make sure we can share cached keys among instances */
                "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
                "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
                name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
                name_escaped);

        if (tmp)
                fprintf(f,
                        "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
                        name_escaped);

        if (swap)
                fprintf(f,
                        "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
                        name_escaped);

        r = fflush_and_check(f);
        if (r < 0)
                return log_error_errno(r, "Failed to write unit file %s: %m", n);

        if (!noauto) {
                r = generator_add_symlink(arg_dest, d, "wants", n);
                if (r < 0)
                        return r;

                r = generator_add_symlink(arg_dest,
                                          netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
                                          nofail ? "wants" : "requires", n);
                if (r < 0)
                        return r;
        }

        dmname = strjoina("dev-mapper-", e, ".device");
        r = generator_add_symlink(arg_dest, dmname, "requires", n);
        if (r < 0)
                return r;

        if (!noauto && !nofail) {
                r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
                                  "# Automatically generated by systemd-cryptsetup-generator \n\n"
                                  "[Unit]\nJobTimeoutSec=0");
                if (r < 0)
                        return log_error_errno(r, "Failed to write device drop-in: %m");
        }

        return 0;
}

static void crypt_device_free(crypto_device *d) {
        free(d->uuid);
        free(d->keyfile);
        free(d->name);
        free(d->options);
        free(d);
}

static crypto_device *get_crypto_device(const char *uuid) {
        int r;
        crypto_device *d;

        assert(uuid);

        d = hashmap_get(arg_disks, uuid);
        if (!d) {
                d = new0(struct crypto_device, 1);
                if (!d)
                        return NULL;

                d->create = false;
                d->keyfile = d->options = d->name = NULL;

                d->uuid = strdup(uuid);
                if (!d->uuid)
                        return mfree(d);

                r = hashmap_put(arg_disks, d->uuid, d);
                if (r < 0) {
                        free(d->uuid);
                        return mfree(d);
                }
        }

        return d;
}

static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
        _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
        crypto_device *d;
        int r;

        if (streq(key, "luks")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
                else
                        arg_enabled = r;

        } else if (streq(key, "luks.crypttab")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
                else
                        arg_read_crypttab = r;

        } else if (streq(key, "luks.uuid")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
                if (!d)
                        return log_oom();

                d->create = arg_whitelist = true;

        } else if (streq(key, "luks.options")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        free_and_replace(d->options, uuid_value);
                } else if (free_and_strdup(&arg_default_options, value) < 0)
                        return log_oom();

        } else if (streq(key, "luks.key")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        free_and_replace(d->keyfile, uuid_value);
                } else if (free_and_strdup(&arg_default_keyfile, value) < 0)
                        return log_oom();

        } else if (streq(key, "luks.name")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        d->create = arg_whitelist = true;

                        free_and_replace(d->name, uuid_value);
                } else
                        log_warning("Failed to parse luks name switch %s. Ignoring.", value);
        }

        return 0;
}

static int add_crypttab_devices(void) {
        struct stat st;
        unsigned crypttab_line = 0;
        _cleanup_fclose_ FILE *f = NULL;

        if (!arg_read_crypttab)
                return 0;

        f = fopen("/etc/crypttab", "re");
        if (!f) {
                if (errno != ENOENT)
                        log_error_errno(errno, "Failed to open /etc/crypttab: %m");
                return 0;
        }

        (void) __fsetlocking(f, FSETLOCKING_BYCALLER);

        if (fstat(fileno(f), &st) < 0) {
                log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
                return 0;
        }

        for (;;) {
                int r, k;
                char line[LINE_MAX], *l, *uuid;
                crypto_device *d = NULL;
                _cleanup_free_ char *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;

                if (!fgets(line, sizeof(line), f))
                        break;

                crypttab_line++;

                l = strstrip(line);
                if (IN_SET(*l, 0, '#'))
                        continue;

                k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
                if (k < 2 || k > 4) {
                        log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
                        continue;
                }

                uuid = startswith(device, "UUID=");
                if (!uuid)
                        uuid = path_startswith(device, "/dev/disk/by-uuid/");
                if (!uuid)
                        uuid = startswith(name, "luks-");
                if (uuid)
                        d = hashmap_get(arg_disks, uuid);

                if (arg_whitelist && !d) {
                        log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
                        continue;
                }

                r = create_disk(name, device, keyfile, (d && d->options) ? d->options : options);
                if (r < 0)
                        return r;

                if (d)
                        d->create = false;
        }

        return 0;
}

static int add_proc_cmdline_devices(void) {
        int r;
        Iterator i;
        crypto_device *d;

        HASHMAP_FOREACH(d, arg_disks, i) {
                const char *options;
                _cleanup_free_ char *device = NULL;

                if (!d->create)
                        continue;

                if (!d->name) {
                        d->name = strappend("luks-", d->uuid);
                        if (!d->name)
                                return log_oom();
                }

                device = strappend("UUID=", d->uuid);
                if (!device)
                        return log_oom();

                if (d->options)
                        options = d->options;
                else if (arg_default_options)
                        options = arg_default_options;
                else
                        options = "timeout=0";

                r = create_disk(d->name, device, d->keyfile ?: arg_default_keyfile, options);
                if (r < 0)
                        return r;
        }

        return 0;
}

int main(int argc, char *argv[]) {
        int r;

        if (argc > 1 && argc != 4) {
                log_error("This program takes three or no arguments.");
                return EXIT_FAILURE;
        }

        if (argc > 1)
                arg_dest = argv[1];

        log_set_prohibit_ipc(true);
        log_set_target(LOG_TARGET_AUTO);
        log_parse_environment();
        log_open();

        umask(0022);

        arg_disks = hashmap_new(&string_hash_ops);
        if (!arg_disks) {
                r = log_oom();
                goto finish;
        }

        r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
        if (r < 0) {
                log_warning_errno(r, "Failed to parse kernel command line: %m");
                goto finish;
        }

        if (!arg_enabled) {
                r = 0;
                goto finish;
        }

        r = add_crypttab_devices();
        if (r < 0)
                goto finish;

        r = add_proc_cmdline_devices();
        if (r < 0)
                goto finish;

        r = 0;

finish:
        hashmap_free_with_destructor(arg_disks, crypt_device_free);
        free(arg_default_options);
        free(arg_default_keyfile);

        return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
e23a0ce8	2
e23a0ce8	3	#include <errno.h>
0d536673	4	#include <stdio_ext.h>
e23a0ce8	5
b5efdb8a	6	#include "alloc-util.h"
0fa9e53d	7	#include "dropin.h"
3ffd4af2	8	#include "fd-util.h"
0d39fa9c	9	#include "fileio.h"
07630cea	10	#include "fstab-util.h"
0fa9e53d JJ	11	#include "generator.h"
0fa9e53d JJ	12	#include "hashmap.h"
e23a0ce8	13	#include "log.h"
49e942b2	14	#include "mkdir.h"
6bedfcbb	15	#include "parse-util.h"
bde29068	16	#include "path-util.h"
4e731273	17	#include "proc-cmdline.h"
98bad05e	18	#include "specifier.h"
07630cea	19	#include "string-util.h"
0fa9e53d JJ	20	#include "strv.h"
	21	#include "unit-name.h"
	22	#include "util.h"
	23
	24	typedef struct crypto_device {
	25	char *uuid;
6cd5b12a	26	char *keyfile;
baade8cc	27	char *name;
0fa9e53d JJ	28	char *options;
	29	bool create;
	30	} crypto_device;
e23a0ce8	31
66a78c2b LP	32	static const char *arg_dest = "/tmp";
	33	static bool arg_enabled = true;
	34	static bool arg_read_crypttab = true;
0fa9e53d JJ	35	static bool arg_whitelist = false;
	36	static Hashmap *arg_disks = NULL;
	37	static char *arg_default_options = NULL;
	38	static char *arg_default_keyfile = NULL;
141a79f4	39
e23a0ce8 LP	40	static int create_disk(
	41	const char *name,
	42	const char *device,
	43	const char *password,
	44	const char *options) {
	45
fb883e75	46	_cleanup_free_ char n = NULL, d = NULL, u = NULL, e = NULL,
98bad05e	47	filtered = NULL, u_escaped = NULL, password_escaped = NULL, filtered_escaped = NULL, *name_escaped = NULL;
7fd1b19b	48	_cleanup_fclose_ FILE *f = NULL;
b559616f	49	const char *dmname;
b001ad61	50	bool noauto, nofail, tmp, swap, netdev;
744198e9	51	int r;
e23a0ce8 LP	52
	53	assert(name);
	54	assert(device);
	55
b9f111b9 ZJS	56	noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
b9f111b9 ZJS	57	nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
a6dba978 ZJS	58	tmp = fstab_test_option(options, "tmp\0");
a6dba978 ZJS	59	swap = fstab_test_option(options, "swap\0");
b001ad61	60	netdev = fstab_test_option(options, "_netdev\0");
8c11d3c1 TG	61
	62	if (tmp && swap) {
	63	log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
	64	return -EINVAL;
	65	}
155da457	66
98bad05e LP	67	name_escaped = specifier_escape(name);
	68	if (!name_escaped)
	69	return log_oom();
	70
744198e9 LP	71	e = unit_name_escape(name);
	72	if (!e)
	73	return log_oom();
	74
f7f21d33	75	u = fstab_node_to_udev_node(device);
24a988e9 HH	76	if (!u)
24a988e9 HH	77	return log_oom();
e23a0ce8	78
fb883e75 ZJS	79	r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
	80	if (r < 0)
	81	return log_error_errno(r, "Failed to generate unit name: %m");
	82
98bad05e LP	83	u_escaped = specifier_escape(u);
	84	if (!u_escaped)
	85	return log_oom();
	86
7410616c LP	87	r = unit_name_from_path(u, ".device", &d);
	88	if (r < 0)
	89	return log_error_errno(r, "Failed to generate unit name: %m");
e23a0ce8	90
d31eb24f LP	91	if (password) {
	92	password_escaped = specifier_escape(password);
	93	if (!password_escaped)
	94	return log_oom();
	95	}
98bad05e	96
fb883e75 ZJS	97	r = generator_open_unit_file(arg_dest, NULL, n, &f);
	98	if (r < 0)
	99	return r;
0d536673	100
b001ad61	101	fprintf(f,
b001ad61 ZJS	102	"[Unit]\n"
	103	"Description=Cryptography Setup for %%I\n"
	104	"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
	105	"SourcePath=/etc/crypttab\n"
	106	"DefaultDependencies=no\n"
	107	"Conflicts=umount.target\n"
	108	"IgnoreOnIsolate=true\n"
	109	"After=%s\n",
a0dd2097	110	netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
e23a0ce8	111
155da457 LP	112	if (!nofail)
155da457 LP	113	fprintf(f,
b001ad61 ZJS	114	"Before=%s\n",
b001ad61 ZJS	115	netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
155da457	116
ceca9501	117	if (password) {
744198e9	118	if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
0d536673	119	fputs("After=systemd-random-seed.service\n", f);
b559616f	120	else if (!STR_IN_SET(password, "-", "none")) {
744198e9 LP	121	_cleanup_free_ char *uu;
	122
	123	uu = fstab_node_to_udev_node(password);
	124	if (!uu)
66a5dbdf DR	125	return log_oom();
66a5dbdf DR	126
bde29068	127	if (!path_equal(uu, "/dev/null")) {
744198e9	128
048dd629	129	if (path_startswith(uu, "/dev/")) {
7410616c	130	_cleanup_free_ char *dd = NULL;
66a5dbdf	131
7410616c LP	132	r = unit_name_from_path(uu, ".device", &dd);
	133	if (r < 0)
	134	return log_error_errno(r, "Failed to generate unit name: %m");
bde29068 LP	135
	136	fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
	137	} else
98bad05e	138	fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
bde29068	139	}
66a5dbdf	140	}
ceca9501	141	}
e23a0ce8	142
048dd629	143	if (path_startswith(u, "/dev/")) {
9ece938a TW	144	fprintf(f,
	145	"BindsTo=%s\n"
	146	"After=%s\n"
	147	"Before=umount.target\n",
	148	d, d);
a6f8786a MFO	149
a6f8786a MFO	150	if (swap)
0d536673 LP	151	fputs("Before=dev-mapper-%i.swap\n",
0d536673 LP	152	f);
a6f8786a	153	} else
9ece938a TW	154	fprintf(f,
9ece938a TW	155	"RequiresMountsFor=%s\n",
98bad05e LP	156	u_escaped);
98bad05e LP	157
8eea8687 ZJS	158	r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
	159	if (r < 0)
	160	return r;
	161
d31eb24f LP	162	if (filtered) {
	163	filtered_escaped = specifier_escape(filtered);
	164	if (!filtered_escaped)
	165	return log_oom();
	166	}
98bad05e	167
e23a0ce8 LP	168	fprintf(f,
	169	"\n[Service]\n"
	170	"Type=oneshot\n"
	171	"RemainAfterExit=yes\n"
90724929	172	"TimeoutSec=0\n" /* the binary handles timeouts anyway */
0b1f68ac	173	"KeyringMode=shared\n" /* make sure we can share cached keys among instances */
260ab287	174	"ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
7f4e0805	175	"ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
98bad05e LP	176	name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
98bad05e LP	177	name_escaped);
e23a0ce8	178
8c11d3c1	179	if (tmp)
e23a0ce8	180	fprintf(f,
50109038	181	"ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
98bad05e	182	name_escaped);
e23a0ce8	183
8c11d3c1	184	if (swap)
e23a0ce8	185	fprintf(f,
50109038	186	"ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
98bad05e	187	name_escaped);
e23a0ce8	188
4652c56c ZJS	189	r = fflush_and_check(f);
4652c56c ZJS	190	if (r < 0)
fb883e75	191	return log_error_errno(r, "Failed to write unit file %s: %m", n);
e23a0ce8	192
155da457	193	if (!noauto) {
b559616f ZJS	194	r = generator_add_symlink(arg_dest, d, "wants", n);
	195	if (r < 0)
	196	return r;
e23a0ce8	197
b001ad61 ZJS	198	r = generator_add_symlink(arg_dest,
b001ad61 ZJS	199	netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
b559616f ZJS	200	nofail ? "wants" : "requires", n);
	201	if (r < 0)
	202	return r;
f7f21d33	203	}
74715b82	204
b559616f ZJS	205	dmname = strjoina("dev-mapper-", e, ".device");
	206	r = generator_add_symlink(arg_dest, dmname, "requires", n);
	207	if (r < 0)
	208	return r;
74715b82	209
68395007	210	if (!noauto && !nofail) {
a6fb0dc1	211	r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
8eea8687 ZJS	212	"# Automatically generated by systemd-cryptsetup-generator \n\n"
8eea8687 ZJS	213	"[Unit]\nJobTimeoutSec=0");
23bbb0de MS	214	if (r < 0)
23bbb0de MS	215	return log_error_errno(r, "Failed to write device drop-in: %m");
68395007 HH	216	}
68395007 HH	217
24a988e9	218	return 0;
e23a0ce8 LP	219	}
e23a0ce8 LP	220
6dd1c368 ZJS	221	static void crypt_device_free(crypto_device *d) {
	222	free(d->uuid);
	223	free(d->keyfile);
	224	free(d->name);
	225	free(d->options);
	226	free(d);
0fa9e53d JJ	227	}
	228
	229	static crypto_device get_crypto_device(const char uuid) {
	230	int r;
	231	crypto_device *d;
	232
	233	assert(uuid);
	234
	235	d = hashmap_get(arg_disks, uuid);
	236	if (!d) {
	237	d = new0(struct crypto_device, 1);
	238	if (!d)
	239	return NULL;
	240
	241	d->create = false;
baade8cc	242	d->keyfile = d->options = d->name = NULL;
0fa9e53d JJ	243
0fa9e53d JJ	244	d->uuid = strdup(uuid);
6b430fdb ZJS	245	if (!d->uuid)
6b430fdb ZJS	246	return mfree(d);
0fa9e53d JJ	247
	248	r = hashmap_put(arg_disks, d->uuid, d);
	249	if (r < 0) {
	250	free(d->uuid);
6b430fdb	251	return mfree(d);
0fa9e53d JJ	252	}
	253	}
	254
	255	return d;
	256	}
	257
96287a49	258	static int parse_proc_cmdline_item(const char key, const char value, void *data) {
0fa9e53d	259	_cleanup_free_ char uuid = NULL, uuid_value = NULL;
1d84ad94 LP	260	crypto_device *d;
1d84ad94 LP	261	int r;
66a78c2b	262
1d84ad94	263	if (streq(key, "luks")) {
059cb385	264
1d84ad94	265	r = value ? parse_boolean(value) : 1;
141a79f4	266	if (r < 0)
1d84ad94	267	log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
141a79f4 ZJS	268	else
141a79f4 ZJS	269	arg_enabled = r;
66a78c2b	270
1d84ad94	271	} else if (streq(key, "luks.crypttab")) {
66a78c2b	272
1d84ad94	273	r = value ? parse_boolean(value) : 1;
141a79f4	274	if (r < 0)
1d84ad94	275	log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
141a79f4 ZJS	276	else
141a79f4 ZJS	277	arg_read_crypttab = r;
66a78c2b	278
1d84ad94 LP	279	} else if (streq(key, "luks.uuid")) {
	280
	281	if (proc_cmdline_value_missing(key, value))
	282	return 0;
66a78c2b	283
0fa9e53d JJ	284	d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
0fa9e53d JJ	285	if (!d)
141a79f4	286	return log_oom();
66a78c2b	287
0fa9e53d JJ	288	d->create = arg_whitelist = true;
0fa9e53d JJ	289
1d84ad94 LP	290	} else if (streq(key, "luks.options")) {
	291
	292	if (proc_cmdline_value_missing(key, value))
	293	return 0;
66a78c2b	294
0fa9e53d JJ	295	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	296	if (r == 2) {
	297	d = get_crypto_device(uuid);
	298	if (!d)
	299	return log_oom();
	300
1d84ad94	301	free_and_replace(d->options, uuid_value);
0fa9e53d	302	} else if (free_and_strdup(&arg_default_options, value) < 0)
141a79f4	303	return log_oom();
66a78c2b	304
1d84ad94 LP	305	} else if (streq(key, "luks.key")) {
	306
	307	if (proc_cmdline_value_missing(key, value))
	308	return 0;
66a78c2b	309
6cd5b12a JJ	310	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	311	if (r == 2) {
	312	d = get_crypto_device(uuid);
	313	if (!d)
	314	return log_oom();
	315
1d84ad94	316	free_and_replace(d->keyfile, uuid_value);
c802a730	317	} else if (free_and_strdup(&arg_default_keyfile, value) < 0)
141a79f4	318	return log_oom();
7ab064a6	319
1d84ad94 LP	320	} else if (streq(key, "luks.name")) {
	321
	322	if (proc_cmdline_value_missing(key, value))
	323	return 0;
baade8cc JJ	324
	325	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	326	if (r == 2) {
	327	d = get_crypto_device(uuid);
	328	if (!d)
	329	return log_oom();
	330
	331	d->create = arg_whitelist = true;
	332
f9ecfd3b	333	free_and_replace(d->name, uuid_value);
baade8cc JJ	334	} else
baade8cc JJ	335	log_warning("Failed to parse luks name switch %s. Ignoring.", value);
85013844	336	}
66a78c2b	337
24a988e9	338	return 0;
66a78c2b LP	339	}
66a78c2b LP	340
0fa9e53d JJ	341	static int add_crypttab_devices(void) {
	342	struct stat st;
	343	unsigned crypttab_line = 0;
7fd1b19b	344	_cleanup_fclose_ FILE *f = NULL;
e23a0ce8	345
0fa9e53d JJ	346	if (!arg_read_crypttab)
	347	return 0;
	348
	349	f = fopen("/etc/crypttab", "re");
	350	if (!f) {
	351	if (errno != ENOENT)
	352	log_error_errno(errno, "Failed to open /etc/crypttab: %m");
	353	return 0;
e23a0ce8 LP	354	}
e23a0ce8 LP	355
0d536673 LP	356	(void) __fsetlocking(f, FSETLOCKING_BYCALLER);
0d536673 LP	357
0fa9e53d JJ	358	if (fstat(fileno(f), &st) < 0) {
	359	log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
	360	return 0;
	361	}
e23a0ce8	362
0fa9e53d JJ	363	for (;;) {
	364	int r, k;
	365	char line[LINE_MAX], l, uuid;
	366	crypto_device *d = NULL;
	367	_cleanup_free_ char name = NULL, device = NULL, keyfile = NULL, options = NULL;
4c12626c	368
0fa9e53d JJ	369	if (!fgets(line, sizeof(line), f))
0fa9e53d JJ	370	break;
66a78c2b	371
0fa9e53d	372	crypttab_line++;
141a79f4	373
0fa9e53d	374	l = strstrip(line);
4c701096	375	if (IN_SET(*l, 0, '#'))
0fa9e53d	376	continue;
66a78c2b	377
0fa9e53d JJ	378	k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
	379	if (k < 2 \|\| k > 4) {
	380	log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
	381	continue;
	382	}
66a78c2b	383
0fa9e53d JJ	384	uuid = startswith(device, "UUID=");
	385	if (!uuid)
	386	uuid = path_startswith(device, "/dev/disk/by-uuid/");
	387	if (!uuid)
	388	uuid = startswith(name, "luks-");
	389	if (uuid)
	390	d = hashmap_get(arg_disks, uuid);
8973790e	391
0fa9e53d JJ	392	if (arg_whitelist && !d) {
	393	log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
	394	continue;
8973790e LP	395	}
8973790e LP	396
0fa9e53d JJ	397	r = create_disk(name, device, keyfile, (d && d->options) ? d->options : options);
	398	if (r < 0)
	399	return r;
8973790e	400
0fa9e53d JJ	401	if (d)
	402	d->create = false;
	403	}
8973790e	404
0fa9e53d JJ	405	return 0;
0fa9e53d JJ	406	}
66a78c2b	407
0fa9e53d JJ	408	static int add_proc_cmdline_devices(void) {
	409	int r;
	410	Iterator i;
	411	crypto_device *d;
66a78c2b	412
0fa9e53d JJ	413	HASHMAP_FOREACH(d, arg_disks, i) {
0fa9e53d JJ	414	const char *options;
baade8cc	415	_cleanup_free_ char *device = NULL;
66a78c2b	416
0fa9e53d JJ	417	if (!d->create)
0fa9e53d JJ	418	continue;
e23a0ce8	419
baade8cc JJ	420	if (!d->name) {
	421	d->name = strappend("luks-", d->uuid);
	422	if (!d->name)
	423	return log_oom();
	424	}
e23a0ce8	425
0fa9e53d JJ	426	device = strappend("UUID=", d->uuid);
	427	if (!device)
	428	return log_oom();
7ab064a6	429
0fa9e53d JJ	430	if (d->options)
	431	options = d->options;
	432	else if (arg_default_options)
	433	options = arg_default_options;
	434	else
	435	options = "timeout=0";
141a79f4	436
baade8cc	437	r = create_disk(d->name, device, d->keyfile ?: arg_default_keyfile, options);
0fa9e53d JJ	438	if (r < 0)
0fa9e53d JJ	439	return r;
e23a0ce8 LP	440	}
e23a0ce8 LP	441
0fa9e53d JJ	442	return 0;
0fa9e53d JJ	443	}
e23a0ce8	444
0fa9e53d	445	int main(int argc, char *argv[]) {
5f4bfe56	446	int r;
e23a0ce8	447
0fa9e53d JJ	448	if (argc > 1 && argc != 4) {
	449	log_error("This program takes three or no arguments.");
	450	return EXIT_FAILURE;
	451	}
e23a0ce8	452
0fa9e53d JJ	453	if (argc > 1)
0fa9e53d JJ	454	arg_dest = argv[1];
e23a0ce8	455
6c347d50 LP	456	log_set_prohibit_ipc(true);
6c347d50 LP	457	log_set_target(LOG_TARGET_AUTO);
0fa9e53d JJ	458	log_parse_environment();
0fa9e53d JJ	459	log_open();
e2cb60fa	460
0fa9e53d	461	umask(0022);
e23a0ce8	462
0fa9e53d	463	arg_disks = hashmap_new(&string_hash_ops);
5f4bfe56 LP	464	if (!arg_disks) {
	465	r = log_oom();
	466	goto finish;
	467	}
7ab064a6	468
1d84ad94	469	r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
0fa9e53d	470	if (r < 0) {
5f4bfe56 LP	471	log_warning_errno(r, "Failed to parse kernel command line: %m");
5f4bfe56 LP	472	goto finish;
0fa9e53d	473	}
7ab064a6	474
0fa9e53d	475	if (!arg_enabled) {
5f4bfe56 LP	476	r = 0;
5f4bfe56 LP	477	goto finish;
e23a0ce8 LP	478	}
e23a0ce8 LP	479
5f4bfe56 LP	480	r = add_crypttab_devices();
	481	if (r < 0)
	482	goto finish;
0fa9e53d	483
5f4bfe56 LP	484	r = add_proc_cmdline_devices();
	485	if (r < 0)
	486	goto finish;
0fa9e53d	487
5f4bfe56	488	r = 0;
141a79f4	489
5f4bfe56	490	finish:
6dd1c368	491	hashmap_free_with_destructor(arg_disks, crypt_device_free);
0fa9e53d JJ	492	free(arg_default_options);
0fa9e53d JJ	493	free(arg_default_keyfile);
141a79f4	494
5f4bfe56	495	return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
e23a0ce8	496	}