[thirdparty/dracut.git] / modules.d / 90crypt / cryptroot-ask.sh

#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

PATH=/usr/sbin:/usr/bin:/sbin:/bin
NEWROOT=${NEWROOT:-"/sysroot"}

# do not ask, if we already have root
[ -f $NEWROOT/proc ] && exit 0

# check if destination already exists
[ -b /dev/mapper/$2 ] && exit 0

# we already asked for this device
[ -f /tmp/cryptroot-asked-$2 ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

. /lib/dracut-crypt-lib.sh

# default luksname - luks-UUID
luksname=$2

# fallback to passphrase
ask_passphrase=1

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
    while read name dev rest; do
        # ignore blank lines and comments
        if [ -z "$name" -o "${name#\#}" != "$name" ]; then
            continue
        fi

        # UUID used in crypttab
        if [ "${dev%%=*}" = "UUID" ]; then
            if [ "luks-${dev##UUID=}" = "$2" ]; then
                luksname="$name"
                break
            fi

        # path used in crypttab
        else
            cdev=$(readlink -f $dev)
            mdev=$(readlink -f $device)
            if [ "$cdev" = "$mdev" ]; then
                luksname="$name"
                break
            fi
        fi
    done < /etc/crypttab
    unset name dev rest
fi

#
# Open LUKS device
#

info "luksOpen $device $luksname"

while [ -n "$(getarg rd.luks.key)" ]; do
    if tmp=$(getkey /tmp/luks.keys $device); then
        keydev="${tmp%%:*}"
        keypath="${tmp#*:}"
    else
        if [ $# -eq 3 ]; then
            if [ $3 -eq 0 ]; then
                info "No key found for $device.  Fallback to passphrase mode."
                break
            fi
            info "No key found for $device.  Will try $3 time(s) more later."
            set -- "$1" "$2" "$(($3 - 1))"
        else
            info "No key found for $device.  Will try later."
        fi
        initqueue --unique --onetime --settled \
            --name cryptroot-ask-$luksname \
            $(command -v cryptroot-ask) "$@"
        exit 0
    fi
    unset tmp

    info "Using '$keypath' on '$keydev'"
    readkey "$keypath" "$keydev" "$device" \
        | cryptsetup -d - luksOpen "$device" "$luksname"
    unset keypath keydev
    ask_passphrase=0
    break
done    
if [ $ask_passphrase -ne 0 ]; then
    luks_open="$(command -v cryptsetup) luksOpen"
    ask_for_password --ply-tries 5 \
        --ply-cmd "$luks_open -T1 $device $luksname" \
        --ply-prompt "Password ($device)" \
        --tty-tries 1 \
        --tty-cmd "$luks_open -T5 $device $luksname"
    unset luks_open
fi

unset device luksname

# mark device as asked
>> /tmp/cryptroot-asked-$2

udevsettle

exit 0
Commit	Line	Data
ab83e0a6	1	#!/bin/sh
cc02093d HH	2	# -- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; --
cc02093d HH	3	# ex: ts=8 sw=4 sts=4 et filetype=sh
ab83e0a6	4
fb59f4c9	5	PATH=/usr/sbin:/usr/bin:/sbin:/bin
8234b92d	6	NEWROOT=${NEWROOT:-"/sysroot"}
fb59f4c9	7
5966b1b1	8	# do not ask, if we already have root
8234b92d	9	[ -f $NEWROOT/proc ] && exit 0
5966b1b1 HH	10
5966b1b1 HH	11	# check if destination already exists
ab83e0a6	12	[ -b /dev/mapper/$2 ] && exit 0
5966b1b1 HH	13
	14	# we already asked for this device
	15	[ -f /tmp/cryptroot-asked-$2 ] && exit 0
	16
2974f382 VL	17	# load dm_crypt if it is not already loaded
	18	[ -d /sys/module/dm_crypt ] \|\| modprobe dm_crypt
	19
8844cd6b	20	. /lib/dracut-crypt-lib.sh
349bac42	21
bb2200ff	22	# default luksname - luks-UUID
349bac42	23	luksname=$2
bb2200ff	24
c70f6415 PR	25	# fallback to passphrase
	26	ask_passphrase=1
	27
bb2200ff HH	28	# if device name is /dev/dm-X, convert to /dev/mapper/name
	29	if [ "${1##/dev/dm-}" != "$1" ]; then
	30	device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
	31	else
	32	device="$1"
	33	fi
	34
8844cd6b	35	# TODO: improve to support what cmdline does
fa7ada31	36	if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
349bac42	37	while read name dev rest; do
2926b5b3 AŻ	38	# ignore blank lines and comments
	39	if [ -z "$name" -o "${name#\#}" != "$name" ]; then
	40	continue
	41	fi
	42
	43	# UUID used in crypttab
	44	if [ "${dev%%=*}" = "UUID" ]; then
	45	if [ "luks-${dev##UUID=}" = "$2" ]; then
	46	luksname="$name"
	47	break
	48	fi
3b403b32	49
2926b5b3 AŻ	50	# path used in crypttab
	51	else
	52	cdev=$(readlink -f $dev)
	53	mdev=$(readlink -f $device)
	54	if [ "$cdev" = "$mdev" ]; then
	55	luksname="$name"
	56	break
	57	fi
	58	fi
349bac42	59	done < /etc/crypttab
bb2200ff	60	unset name dev rest
349bac42 HH	61	fi
349bac42 HH	62
2926b5b3 AŻ	63	#
	64	# Open LUKS device
	65	#
	66
013986a8	67	info "luksOpen $device $luksname"
2926b5b3	68
c70f6415	69	while [ -n "$(getarg rd.luks.key)" ]; do
8844cd6b	70	if tmp=$(getkey /tmp/luks.keys $device); then
91f4d45f HH	71	keydev="${tmp%%:*}"
91f4d45f HH	72	keypath="${tmp#*:}"
8844cd6b	73	else
c70f6415 PR	74	if [ $# -eq 3 ]; then
	75	if [ $3 -eq 0 ]; then
	76	info "No key found for $device. Fallback to passphrase mode."
	77	break
	78	fi
	79	info "No key found for $device. Will try $3 time(s) more later."
	80	set -- "$1" "$2" "$(($3 - 1))"
	81	else
	82	info "No key found for $device. Will try later."
	83	fi
fb59f4c9	84	initqueue --unique --onetime --settled \
8844cd6b	85	--name cryptroot-ask-$luksname \
fb59f4c9	86	$(command -v cryptroot-ask) "$@"
8844cd6b AŻ	87	exit 0
	88	fi
	89	unset tmp
	90
3909d7ed AŻ	91	info "Using '$keypath' on '$keydev'"
	92	readkey "$keypath" "$keydev" "$device" \
	93	\| cryptsetup -d - luksOpen "$device" "$luksname"
	94	unset keypath keydev
c70f6415 PR	95	ask_passphrase=0
	96	break
	97	done
	98	if [ $ask_passphrase -ne 0 ]; then
3909d7ed AŻ	99	luks_open="$(command -v cryptsetup) luksOpen"
	100	ask_for_password --ply-tries 5 \
	101	--ply-cmd "$luks_open -T1 $device $luksname" \
	102	--ply-prompt "Password ($device)" \
	103	--tty-tries 1 \
	104	--tty-cmd "$luks_open -T5 $device $luksname"
	105	unset luks_open
2926b5b3	106	fi
ab83e0a6	107
7254c24a MS	108	unset device luksname
7254c24a MS	109
5966b1b1 HH	110	# mark device as asked
	111	>> /tmp/cryptroot-asked-$2
	112
7254c24a MS	113	udevsettle
7254c24a MS	114
ed2de829	115	exit 0