[thirdparty/systemd.git] / src / cryptsetup / cryptsetup-generator.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <stdio_ext.h>

#include "alloc-util.h"
#include "def.h"
#include "dropin.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
#include "fstab-util.h"
#include "generator.h"
#include "hashmap.h"
#include "id128-util.h"
#include "log.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "proc-cmdline.h"
#include "specifier.h"
#include "string-util.h"
#include "strv.h"
#include "unit-name.h"
#include "util.h"

typedef struct crypto_device {
        char *uuid;
        char *keyfile;
        char *keydev;
        char *name;
        char *options;
        bool create;
} crypto_device;

static const char *arg_dest = "/tmp";
static bool arg_enabled = true;
static bool arg_read_crypttab = true;
static bool arg_whitelist = false;
static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;

static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
        _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(name);
        assert(keydev);
        assert(unit);
        assert(mount);

        r = mkdir_parents("/run/systemd/cryptsetup", 0755);
        if (r < 0)
                return r;

        r = mkdir("/run/systemd/cryptsetup", 0700);
        if (r < 0 && errno != EEXIST)
                return -errno;

        name_escaped = cescape(name);
        if (!name_escaped)
                return -ENOMEM;

        where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
        if (!where)
                return -ENOMEM;

        r = mkdir(where, 0700);
        if (r < 0 && errno != EEXIST)
                return -errno;

        r = unit_name_from_path(where, ".mount", &u);
        if (r < 0)
                return r;

        r = generator_open_unit_file(arg_dest, NULL, u, &f);
        if (r < 0)
                return r;

        what = fstab_node_to_udev_node(keydev);
        if (!what)
                return -ENOMEM;

        fprintf(f,
                "[Unit]\n"
                "DefaultDependencies=no\n\n"
                "[Mount]\n"
                "What=%s\n"
                "Where=%s\n"
                "Options=ro\n", what, where);

        r = fflush_and_check(f);
        if (r < 0)
                return r;

        *unit = TAKE_PTR(u);
        *mount = TAKE_PTR(where);

        return 0;
}

static int create_disk(
                const char *name,
                const char *device,
                const char *keydev,
                const char *password,
                const char *options) {

        _cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
                *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *keydev_mount = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        const char *dmname;
        bool noauto, nofail, tmp, swap, netdev;
        int r;

        assert(name);
        assert(device);

        noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
        nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
        tmp = fstab_test_option(options, "tmp\0");
        swap = fstab_test_option(options, "swap\0");
        netdev = fstab_test_option(options, "_netdev\0");

        if (tmp && swap) {
                log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
                return -EINVAL;
        }

        name_escaped = specifier_escape(name);
        if (!name_escaped)
                return log_oom();

        e = unit_name_escape(name);
        if (!e)
                return log_oom();

        u = fstab_node_to_udev_node(device);
        if (!u)
                return log_oom();

        r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        u_escaped = specifier_escape(u);
        if (!u_escaped)
                return log_oom();

        r = unit_name_from_path(u, ".device", &d);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        if (password) {
                password_escaped = specifier_escape(password);
                if (!password_escaped)
                        return log_oom();
        }

        if (keydev && !password) {
                log_error("Key device is specified, but path to the password file is missing.");
                return -EINVAL;
        }

        r = generator_open_unit_file(arg_dest, NULL, n, &f);
        if (r < 0)
                return r;

        fprintf(f,
                "[Unit]\n"
                "Description=Cryptography Setup for %%I\n"
                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
                "SourcePath=/etc/crypttab\n"
                "DefaultDependencies=no\n"
                "Conflicts=umount.target\n"
                "IgnoreOnIsolate=true\n"
                "After=%s\n",
                netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");

        if (keydev) {
                _cleanup_free_ char *unit = NULL, *p = NULL;

                r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
                if (r < 0)
                        return log_error_errno(r, "Failed to generate keydev mount unit: %m");

                p = prefix_root(keydev_mount, password_escaped);
                if (!p)
                        return log_oom();

                free_and_replace(password_escaped, p);
        }

        if (!nofail)
                fprintf(f,
                        "Before=%s\n",
                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");

        if (password) {
                if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
                        fputs("After=systemd-random-seed.service\n", f);
                else if (!STR_IN_SET(password, "-", "none")) {
                        _cleanup_free_ char *uu;

                        uu = fstab_node_to_udev_node(password);
                        if (!uu)
                                return log_oom();

                        if (!path_equal(uu, "/dev/null")) {

                                if (path_startswith(uu, "/dev/")) {
                                        _cleanup_free_ char *dd = NULL;

                                        r = unit_name_from_path(uu, ".device", &dd);
                                        if (r < 0)
                                                return log_error_errno(r, "Failed to generate unit name: %m");

                                        fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
                                } else
                                        fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
                        }
                }
        }

        if (path_startswith(u, "/dev/")) {
                fprintf(f,
                        "BindsTo=%s\n"
                        "After=%s\n"
                        "Before=umount.target\n",
                        d, d);

                if (swap)
                        fputs("Before=dev-mapper-%i.swap\n",
                              f);
        } else
                /* For loopback devices, add systemd-tmpfiles-setup-dev.service
                   dependency to ensure that loopback support is available in
                   the kernel (/dev/loop-control needs to exist) */
                fprintf(f,
                        "RequiresMountsFor=%s\n"
                        "Requires=systemd-tmpfiles-setup-dev.service\n"
                        "After=systemd-tmpfiles-setup-dev.service\n",
                        u_escaped);

        r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
        if (r < 0)
                return r;

        if (filtered) {
                filtered_escaped = specifier_escape(filtered);
                if (!filtered_escaped)
                        return log_oom();
        }

        fprintf(f,
                "\n[Service]\n"
                "Type=oneshot\n"
                "RemainAfterExit=yes\n"
                "TimeoutSec=0\n" /* the binary handles timeouts anyway */
                "KeyringMode=shared\n" /* make sure we can share cached keys among instances */
                "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
                "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
                name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
                name_escaped);

        if (tmp)
                fprintf(f,
                        "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
                        name_escaped);

        if (swap)
                fprintf(f,
                        "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
                        name_escaped);

        if (keydev)
                fprintf(f,
                        "ExecStartPost=" UMOUNT_PATH " %s\n\n",
                        keydev_mount);

        r = fflush_and_check(f);
        if (r < 0)
                return log_error_errno(r, "Failed to write unit file %s: %m", n);

        if (!noauto) {
                r = generator_add_symlink(arg_dest, d, "wants", n);
                if (r < 0)
                        return r;

                r = generator_add_symlink(arg_dest,
                                          netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
                                          nofail ? "wants" : "requires", n);
                if (r < 0)
                        return r;
        }

        dmname = strjoina("dev-mapper-", e, ".device");
        r = generator_add_symlink(arg_dest, dmname, "requires", n);
        if (r < 0)
                return r;

        if (!noauto && !nofail) {
                r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
                                  "# Automatically generated by systemd-cryptsetup-generator \n\n"
                                  "[Unit]\nJobTimeoutSec=0");
                if (r < 0)
                        return log_error_errno(r, "Failed to write device drop-in: %m");
        }

        return 0;
}

static void crypt_device_free(crypto_device *d) {
        free(d->uuid);
        free(d->keyfile);
        free(d->keydev);
        free(d->name);
        free(d->options);
        free(d);
}

static crypto_device *get_crypto_device(const char *uuid) {
        int r;
        crypto_device *d;

        assert(uuid);

        d = hashmap_get(arg_disks, uuid);
        if (!d) {
                d = new0(struct crypto_device, 1);
                if (!d)
                        return NULL;

                d->create = false;
                d->keyfile = d->options = d->name = NULL;

                d->uuid = strdup(uuid);
                if (!d->uuid)
                        return mfree(d);

                r = hashmap_put(arg_disks, d->uuid, d);
                if (r < 0) {
                        free(d->uuid);
                        return mfree(d);
                }
        }

        return d;
}

static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
        _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
        crypto_device *d;
        int r;

        if (streq(key, "luks")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
                else
                        arg_enabled = r;

        } else if (streq(key, "luks.crypttab")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
                else
                        arg_read_crypttab = r;

        } else if (streq(key, "luks.uuid")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
                if (!d)
                        return log_oom();

                d->create = arg_whitelist = true;

        } else if (streq(key, "luks.options")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        free_and_replace(d->options, uuid_value);
                } else if (free_and_strdup(&arg_default_options, value) < 0)
                        return log_oom();

        } else if (streq(key, "luks.key")) {
                size_t n;
                _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
                char *c;
                const char *keyspec;

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                n = strspn(value, LETTERS DIGITS "-");
                if (value[n] != '=') {
                        if (free_and_strdup(&arg_default_keyfile, value) < 0)
                                 return log_oom();
                        return 0;
                }

                uuid = strndup(value, n);
                if (!uuid)
                        return log_oom();

                if (!id128_is_valid(uuid)) {
                        log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
                        return 0;
                }

                d = get_crypto_device(uuid);
                if (!d)
                        return log_oom();

                keyspec = value + n + 1;
                c = strrchr(keyspec, ':');
                if (c) {
                         *c = '\0';
                        keyfile = strdup(keyspec);
                        keydev = strdup(c + 1);

                        if (!keyfile || !keydev)
                                return log_oom();
                } else {
                        /* No keydev specified */
                        keyfile = strdup(keyspec);
                        if (!keyfile)
                                return log_oom();
                }

                free_and_replace(d->keyfile, keyfile);
                free_and_replace(d->keydev, keydev);
        } else if (streq(key, "luks.name")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        d->create = arg_whitelist = true;

                        free_and_replace(d->name, uuid_value);
                } else
                        log_warning("Failed to parse luks name switch %s. Ignoring.", value);
        }

        return 0;
}

static int add_crypttab_devices(void) {
        _cleanup_fclose_ FILE *f = NULL;
        unsigned crypttab_line = 0;
        struct stat st;
        int r;

        if (!arg_read_crypttab)
                return 0;

        f = fopen("/etc/crypttab", "re");
        if (!f) {
                if (errno != ENOENT)
                        log_error_errno(errno, "Failed to open /etc/crypttab: %m");
                return 0;
        }

        (void) __fsetlocking(f, FSETLOCKING_BYCALLER);

        if (fstat(fileno(f), &st) < 0) {
                log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
                return 0;
        }

        for (;;) {
                _cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
                crypto_device *d = NULL;
                char *l, *uuid;
                int k;

                r = read_line(f, LONG_LINE_MAX, &line);
                if (r < 0)
                        return log_error_errno(r, "Failed to read /etc/crypttab: %m");
                if (r == 0)
                        break;

                crypttab_line++;

                l = strstrip(line);
                if (IN_SET(l[0], 0, '#'))
                        continue;

                k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
                if (k < 2 || k > 4) {
                        log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
                        continue;
                }

                uuid = startswith(device, "UUID=");
                if (!uuid)
                        uuid = path_startswith(device, "/dev/disk/by-uuid/");
                if (!uuid)
                        uuid = startswith(name, "luks-");
                if (uuid)
                        d = hashmap_get(arg_disks, uuid);

                if (arg_whitelist && !d) {
                        log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
                        continue;
                }

                r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
                if (r < 0)
                        return r;

                if (d)
                        d->create = false;
        }

        return 0;
}

static int add_proc_cmdline_devices(void) {
        int r;
        Iterator i;
        crypto_device *d;

        HASHMAP_FOREACH(d, arg_disks, i) {
                const char *options;
                _cleanup_free_ char *device = NULL;

                if (!d->create)
                        continue;

                if (!d->name) {
                        d->name = strappend("luks-", d->uuid);
                        if (!d->name)
                                return log_oom();
                }

                device = strappend("UUID=", d->uuid);
                if (!device)
                        return log_oom();

                if (d->options)
                        options = d->options;
                else if (arg_default_options)
                        options = arg_default_options;
                else
                        options = "timeout=0";

                r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
                if (r < 0)
                        return r;
        }

        return 0;
}

int main(int argc, char *argv[]) {
        int r;

        if (argc > 1 && argc != 4) {
                log_error("This program takes three or no arguments.");
                return EXIT_FAILURE;
        }

        if (argc > 1)
                arg_dest = argv[1];

        log_set_prohibit_ipc(true);
        log_set_target(LOG_TARGET_AUTO);
        log_parse_environment();
        log_open();

        umask(0022);

        arg_disks = hashmap_new(&string_hash_ops);
        if (!arg_disks) {
                r = log_oom();
                goto finish;
        }

        r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
        if (r < 0) {
                log_warning_errno(r, "Failed to parse kernel command line: %m");
                goto finish;
        }

        if (!arg_enabled) {
                r = 0;
                goto finish;
        }

        r = add_crypttab_devices();
        if (r < 0)
                goto finish;

        r = add_proc_cmdline_devices();
        if (r < 0)
                goto finish;

        r = 0;

finish:
        hashmap_free_with_destructor(arg_disks, crypt_device_free);
        free(arg_default_options);
        free(arg_default_keyfile);

        return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
e23a0ce8	2
e23a0ce8	3	#include <errno.h>
0d536673	4	#include <stdio_ext.h>
e23a0ce8	5
b5efdb8a	6	#include "alloc-util.h"
b42674a1	7	#include "def.h"
0fa9e53d	8	#include "dropin.h"
7949dfa7	9	#include "escape.h"
3ffd4af2	10	#include "fd-util.h"
0d39fa9c	11	#include "fileio.h"
07630cea	12	#include "fstab-util.h"
0fa9e53d JJ	13	#include "generator.h"
0fa9e53d JJ	14	#include "hashmap.h"
7949dfa7	15	#include "id128-util.h"
e23a0ce8	16	#include "log.h"
49e942b2	17	#include "mkdir.h"
6bedfcbb	18	#include "parse-util.h"
bde29068	19	#include "path-util.h"
4e731273	20	#include "proc-cmdline.h"
98bad05e	21	#include "specifier.h"
07630cea	22	#include "string-util.h"
0fa9e53d JJ	23	#include "strv.h"
	24	#include "unit-name.h"
	25	#include "util.h"
	26
	27	typedef struct crypto_device {
	28	char *uuid;
6cd5b12a	29	char *keyfile;
70f5f48e	30	char *keydev;
baade8cc	31	char *name;
0fa9e53d JJ	32	char *options;
	33	bool create;
	34	} crypto_device;
e23a0ce8	35
66a78c2b LP	36	static const char *arg_dest = "/tmp";
	37	static bool arg_enabled = true;
	38	static bool arg_read_crypttab = true;
0fa9e53d JJ	39	static bool arg_whitelist = false;
	40	static Hashmap *arg_disks = NULL;
	41	static char *arg_default_options = NULL;
	42	static char *arg_default_keyfile = NULL;
141a79f4	43
70f5f48e	44	static int generate_keydev_mount(const char name, const char keydev, char unit, char mount) {
7949dfa7	45	_cleanup_free_ char u = NULL, what = NULL, where = NULL, name_escaped = NULL;
70f5f48e MS	46	_cleanup_fclose_ FILE *f = NULL;
	47	int r;
	48
	49	assert(name);
	50	assert(keydev);
	51	assert(unit);
	52	assert(mount);
	53
	54	r = mkdir_parents("/run/systemd/cryptsetup", 0755);
	55	if (r < 0)
	56	return r;
	57
	58	r = mkdir("/run/systemd/cryptsetup", 0700);
579875bc MS	59	if (r < 0 && errno != EEXIST)
579875bc MS	60	return -errno;
70f5f48e	61
7949dfa7 MS	62	name_escaped = cescape(name);
	63	if (!name_escaped)
	64	return -ENOMEM;
	65
	66	where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
70f5f48e MS	67	if (!where)
	68	return -ENOMEM;
	69
	70	r = mkdir(where, 0700);
579875bc MS	71	if (r < 0 && errno != EEXIST)
579875bc MS	72	return -errno;
70f5f48e MS	73
	74	r = unit_name_from_path(where, ".mount", &u);
	75	if (r < 0)
	76	return r;
	77
	78	r = generator_open_unit_file(arg_dest, NULL, u, &f);
	79	if (r < 0)
	80	return r;
	81
	82	what = fstab_node_to_udev_node(keydev);
	83	if (!what)
	84	return -ENOMEM;
	85
	86	fprintf(f,
	87	"[Unit]\n"
	88	"DefaultDependencies=no\n\n"
	89	"[Mount]\n"
	90	"What=%s\n"
	91	"Where=%s\n"
	92	"Options=ro\n", what, where);
	93
	94	r = fflush_and_check(f);
	95	if (r < 0)
	96	return r;
	97
	98	*unit = TAKE_PTR(u);
	99	*mount = TAKE_PTR(where);
	100
	101	return 0;
	102	}
	103
e23a0ce8 LP	104	static int create_disk(
	105	const char *name,
	106	const char *device,
70f5f48e	107	const char *keydev,
e23a0ce8 LP	108	const char *password,
	109	const char *options) {
	110
fb883e75	111	_cleanup_free_ char n = NULL, d = NULL, u = NULL, e = NULL,
70f5f48e	112	filtered = NULL, u_escaped = NULL, password_escaped = NULL, filtered_escaped = NULL, name_escaped = NULL, keydev_mount = NULL;
7fd1b19b	113	_cleanup_fclose_ FILE *f = NULL;
b559616f	114	const char *dmname;
b001ad61	115	bool noauto, nofail, tmp, swap, netdev;
744198e9	116	int r;
e23a0ce8 LP	117
	118	assert(name);
	119	assert(device);
	120
b9f111b9 ZJS	121	noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
b9f111b9 ZJS	122	nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
a6dba978 ZJS	123	tmp = fstab_test_option(options, "tmp\0");
a6dba978 ZJS	124	swap = fstab_test_option(options, "swap\0");
b001ad61	125	netdev = fstab_test_option(options, "_netdev\0");
8c11d3c1 TG	126
	127	if (tmp && swap) {
	128	log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
	129	return -EINVAL;
	130	}
155da457	131
98bad05e LP	132	name_escaped = specifier_escape(name);
	133	if (!name_escaped)
	134	return log_oom();
	135
744198e9 LP	136	e = unit_name_escape(name);
	137	if (!e)
	138	return log_oom();
	139
f7f21d33	140	u = fstab_node_to_udev_node(device);
24a988e9 HH	141	if (!u)
24a988e9 HH	142	return log_oom();
e23a0ce8	143
fb883e75 ZJS	144	r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
	145	if (r < 0)
	146	return log_error_errno(r, "Failed to generate unit name: %m");
	147
98bad05e LP	148	u_escaped = specifier_escape(u);
	149	if (!u_escaped)
	150	return log_oom();
	151
7410616c LP	152	r = unit_name_from_path(u, ".device", &d);
	153	if (r < 0)
	154	return log_error_errno(r, "Failed to generate unit name: %m");
e23a0ce8	155
d31eb24f LP	156	if (password) {
	157	password_escaped = specifier_escape(password);
	158	if (!password_escaped)
	159	return log_oom();
	160	}
98bad05e	161
2abe6466 LP	162	if (keydev && !password) {
	163	log_error("Key device is specified, but path to the password file is missing.");
	164	return -EINVAL;
	165	}
70f5f48e	166
fb883e75 ZJS	167	r = generator_open_unit_file(arg_dest, NULL, n, &f);
	168	if (r < 0)
	169	return r;
0d536673	170
b001ad61	171	fprintf(f,
b001ad61 ZJS	172	"[Unit]\n"
	173	"Description=Cryptography Setup for %%I\n"
	174	"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
	175	"SourcePath=/etc/crypttab\n"
	176	"DefaultDependencies=no\n"
	177	"Conflicts=umount.target\n"
	178	"IgnoreOnIsolate=true\n"
	179	"After=%s\n",
a0dd2097	180	netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
e23a0ce8	181
70f5f48e MS	182	if (keydev) {
	183	_cleanup_free_ char unit = NULL, p = NULL;
	184
	185	r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
	186	if (r < 0)
	187	return log_error_errno(r, "Failed to generate keydev mount unit: %m");
	188
	189	p = prefix_root(keydev_mount, password_escaped);
	190	if (!p)
	191	return log_oom();
	192
	193	free_and_replace(password_escaped, p);
	194	}
	195
155da457 LP	196	if (!nofail)
155da457 LP	197	fprintf(f,
b001ad61 ZJS	198	"Before=%s\n",
b001ad61 ZJS	199	netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
155da457	200
ceca9501	201	if (password) {
e3ca6580	202	if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
0d536673	203	fputs("After=systemd-random-seed.service\n", f);
b559616f	204	else if (!STR_IN_SET(password, "-", "none")) {
744198e9 LP	205	_cleanup_free_ char *uu;
	206
	207	uu = fstab_node_to_udev_node(password);
	208	if (!uu)
66a5dbdf DR	209	return log_oom();
66a5dbdf DR	210
bde29068	211	if (!path_equal(uu, "/dev/null")) {
744198e9	212
048dd629	213	if (path_startswith(uu, "/dev/")) {
7410616c	214	_cleanup_free_ char *dd = NULL;
66a5dbdf	215
7410616c LP	216	r = unit_name_from_path(uu, ".device", &dd);
	217	if (r < 0)
	218	return log_error_errno(r, "Failed to generate unit name: %m");
bde29068 LP	219
	220	fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
	221	} else
98bad05e	222	fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
bde29068	223	}
66a5dbdf	224	}
ceca9501	225	}
e23a0ce8	226
048dd629	227	if (path_startswith(u, "/dev/")) {
9ece938a TW	228	fprintf(f,
	229	"BindsTo=%s\n"
	230	"After=%s\n"
	231	"Before=umount.target\n",
	232	d, d);
a6f8786a MFO	233
a6f8786a MFO	234	if (swap)
0d536673 LP	235	fputs("Before=dev-mapper-%i.swap\n",
0d536673 LP	236	f);
a6f8786a	237	} else
b90cbe66 LHS	238	/* For loopback devices, add systemd-tmpfiles-setup-dev.service
	239	dependency to ensure that loopback support is available in
	240	the kernel (/dev/loop-control needs to exist) */
9ece938a	241	fprintf(f,
b90cbe66 LHS	242	"RequiresMountsFor=%s\n"
	243	"Requires=systemd-tmpfiles-setup-dev.service\n"
	244	"After=systemd-tmpfiles-setup-dev.service\n",
98bad05e LP	245	u_escaped);
98bad05e LP	246
8eea8687 ZJS	247	r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
	248	if (r < 0)
	249	return r;
	250
d31eb24f LP	251	if (filtered) {
	252	filtered_escaped = specifier_escape(filtered);
	253	if (!filtered_escaped)
	254	return log_oom();
	255	}
98bad05e	256
e23a0ce8 LP	257	fprintf(f,
	258	"\n[Service]\n"
	259	"Type=oneshot\n"
	260	"RemainAfterExit=yes\n"
90724929	261	"TimeoutSec=0\n" /* the binary handles timeouts anyway */
0b1f68ac	262	"KeyringMode=shared\n" /* make sure we can share cached keys among instances */
260ab287	263	"ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
7f4e0805	264	"ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
98bad05e LP	265	name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
98bad05e LP	266	name_escaped);
e23a0ce8	267
8c11d3c1	268	if (tmp)
e23a0ce8	269	fprintf(f,
50109038	270	"ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
98bad05e	271	name_escaped);
e23a0ce8	272
8c11d3c1	273	if (swap)
e23a0ce8	274	fprintf(f,
50109038	275	"ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
98bad05e	276	name_escaped);
e23a0ce8	277
70f5f48e MS	278	if (keydev)
	279	fprintf(f,
	280	"ExecStartPost=" UMOUNT_PATH " %s\n\n",
	281	keydev_mount);
	282
4652c56c ZJS	283	r = fflush_and_check(f);
4652c56c ZJS	284	if (r < 0)
fb883e75	285	return log_error_errno(r, "Failed to write unit file %s: %m", n);
e23a0ce8	286
155da457	287	if (!noauto) {
b559616f ZJS	288	r = generator_add_symlink(arg_dest, d, "wants", n);
	289	if (r < 0)
	290	return r;
e23a0ce8	291
b001ad61 ZJS	292	r = generator_add_symlink(arg_dest,
b001ad61 ZJS	293	netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
b559616f ZJS	294	nofail ? "wants" : "requires", n);
	295	if (r < 0)
	296	return r;
f7f21d33	297	}
74715b82	298
b559616f ZJS	299	dmname = strjoina("dev-mapper-", e, ".device");
	300	r = generator_add_symlink(arg_dest, dmname, "requires", n);
	301	if (r < 0)
	302	return r;
74715b82	303
68395007	304	if (!noauto && !nofail) {
a6fb0dc1	305	r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
8eea8687 ZJS	306	"# Automatically generated by systemd-cryptsetup-generator \n\n"
8eea8687 ZJS	307	"[Unit]\nJobTimeoutSec=0");
23bbb0de MS	308	if (r < 0)
23bbb0de MS	309	return log_error_errno(r, "Failed to write device drop-in: %m");
68395007 HH	310	}
68395007 HH	311
24a988e9	312	return 0;
e23a0ce8 LP	313	}
e23a0ce8 LP	314
6dd1c368 ZJS	315	static void crypt_device_free(crypto_device *d) {
	316	free(d->uuid);
	317	free(d->keyfile);
70f5f48e	318	free(d->keydev);
6dd1c368 ZJS	319	free(d->name);
	320	free(d->options);
	321	free(d);
0fa9e53d JJ	322	}
	323
	324	static crypto_device get_crypto_device(const char uuid) {
	325	int r;
	326	crypto_device *d;
	327
	328	assert(uuid);
	329
	330	d = hashmap_get(arg_disks, uuid);
	331	if (!d) {
	332	d = new0(struct crypto_device, 1);
	333	if (!d)
	334	return NULL;
	335
	336	d->create = false;
baade8cc	337	d->keyfile = d->options = d->name = NULL;
0fa9e53d JJ	338
0fa9e53d JJ	339	d->uuid = strdup(uuid);
6b430fdb ZJS	340	if (!d->uuid)
6b430fdb ZJS	341	return mfree(d);
0fa9e53d JJ	342
	343	r = hashmap_put(arg_disks, d->uuid, d);
	344	if (r < 0) {
	345	free(d->uuid);
6b430fdb	346	return mfree(d);
0fa9e53d JJ	347	}
	348	}
	349
	350	return d;
	351	}
	352
96287a49	353	static int parse_proc_cmdline_item(const char key, const char value, void *data) {
0fa9e53d	354	_cleanup_free_ char uuid = NULL, uuid_value = NULL;
1d84ad94 LP	355	crypto_device *d;
1d84ad94 LP	356	int r;
66a78c2b	357
1d84ad94	358	if (streq(key, "luks")) {
059cb385	359
1d84ad94	360	r = value ? parse_boolean(value) : 1;
141a79f4	361	if (r < 0)
1d84ad94	362	log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
141a79f4 ZJS	363	else
141a79f4 ZJS	364	arg_enabled = r;
66a78c2b	365
1d84ad94	366	} else if (streq(key, "luks.crypttab")) {
66a78c2b	367
1d84ad94	368	r = value ? parse_boolean(value) : 1;
141a79f4	369	if (r < 0)
1d84ad94	370	log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
141a79f4 ZJS	371	else
141a79f4 ZJS	372	arg_read_crypttab = r;
66a78c2b	373
1d84ad94 LP	374	} else if (streq(key, "luks.uuid")) {
	375
	376	if (proc_cmdline_value_missing(key, value))
	377	return 0;
66a78c2b	378
0fa9e53d JJ	379	d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
0fa9e53d JJ	380	if (!d)
141a79f4	381	return log_oom();
66a78c2b	382
0fa9e53d JJ	383	d->create = arg_whitelist = true;
0fa9e53d JJ	384
1d84ad94 LP	385	} else if (streq(key, "luks.options")) {
	386
	387	if (proc_cmdline_value_missing(key, value))
	388	return 0;
66a78c2b	389
0fa9e53d JJ	390	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	391	if (r == 2) {
	392	d = get_crypto_device(uuid);
	393	if (!d)
	394	return log_oom();
	395
1d84ad94	396	free_and_replace(d->options, uuid_value);
0fa9e53d	397	} else if (free_and_strdup(&arg_default_options, value) < 0)
141a79f4	398	return log_oom();
66a78c2b	399
1d84ad94	400	} else if (streq(key, "luks.key")) {
7949dfa7 MS	401	size_t n;
	402	_cleanup_free_ char keyfile = NULL, keydev = NULL;
	403	char *c;
	404	const char *keyspec;
1d84ad94 LP	405
	406	if (proc_cmdline_value_missing(key, value))
	407	return 0;
66a78c2b	408
7949dfa7 MS	409	n = strspn(value, LETTERS DIGITS "-");
	410	if (value[n] != '=') {
	411	if (free_and_strdup(&arg_default_keyfile, value) < 0)
	412	return log_oom();
	413	return 0;
	414	}
70f5f48e	415
7949dfa7 MS	416	uuid = strndup(value, n);
	417	if (!uuid)
	418	return log_oom();
6cd5b12a	419
7949dfa7 MS	420	if (!id128_is_valid(uuid)) {
	421	log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
	422	return 0;
	423	}
	424
	425	d = get_crypto_device(uuid);
	426	if (!d)
	427	return log_oom();
70f5f48e	428
7949dfa7 MS	429	keyspec = value + n + 1;
	430	c = strrchr(keyspec, ':');
	431	if (c) {
	432	*c = '\0';
	433	keyfile = strdup(keyspec);
	434	keydev = strdup(c + 1);
70f5f48e MS	435
	436	if (!keyfile \|\| !keydev)
	437	return log_oom();
7949dfa7 MS	438	} else {
	439	/* No keydev specified */
	440	keyfile = strdup(keyspec);
	441	if (!keyfile)
	442	return log_oom();
	443	}
70f5f48e	444
7949dfa7 MS	445	free_and_replace(d->keyfile, keyfile);
7949dfa7 MS	446	free_and_replace(d->keydev, keydev);
1d84ad94 LP	447	} else if (streq(key, "luks.name")) {
	448
	449	if (proc_cmdline_value_missing(key, value))
	450	return 0;
baade8cc JJ	451
	452	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	453	if (r == 2) {
	454	d = get_crypto_device(uuid);
	455	if (!d)
	456	return log_oom();
	457
	458	d->create = arg_whitelist = true;
	459
f9ecfd3b	460	free_and_replace(d->name, uuid_value);
baade8cc JJ	461	} else
baade8cc JJ	462	log_warning("Failed to parse luks name switch %s. Ignoring.", value);
85013844	463	}
66a78c2b	464
24a988e9	465	return 0;
66a78c2b LP	466	}
66a78c2b LP	467
0fa9e53d	468	static int add_crypttab_devices(void) {
7fd1b19b	469	_cleanup_fclose_ FILE *f = NULL;
b42674a1 LP	470	unsigned crypttab_line = 0;
	471	struct stat st;
	472	int r;
e23a0ce8	473
0fa9e53d JJ	474	if (!arg_read_crypttab)
	475	return 0;
	476
	477	f = fopen("/etc/crypttab", "re");
	478	if (!f) {
	479	if (errno != ENOENT)
	480	log_error_errno(errno, "Failed to open /etc/crypttab: %m");
	481	return 0;
e23a0ce8 LP	482	}
e23a0ce8 LP	483
0d536673 LP	484	(void) __fsetlocking(f, FSETLOCKING_BYCALLER);
0d536673 LP	485
0fa9e53d JJ	486	if (fstat(fileno(f), &st) < 0) {
	487	log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
	488	return 0;
	489	}
e23a0ce8	490
0fa9e53d	491	for (;;) {
b42674a1	492	_cleanup_free_ char line = NULL, name = NULL, device = NULL, keyfile = NULL, *options = NULL;
0fa9e53d	493	crypto_device *d = NULL;
b42674a1 LP	494	char l, uuid;
b42674a1 LP	495	int k;
4c12626c	496
b42674a1 LP	497	r = read_line(f, LONG_LINE_MAX, &line);
	498	if (r < 0)
	499	return log_error_errno(r, "Failed to read /etc/crypttab: %m");
	500	if (r == 0)
0fa9e53d	501	break;
66a78c2b	502
0fa9e53d	503	crypttab_line++;
141a79f4	504
0fa9e53d	505	l = strstrip(line);
b42674a1	506	if (IN_SET(l[0], 0, '#'))
0fa9e53d	507	continue;
66a78c2b	508
0fa9e53d JJ	509	k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
	510	if (k < 2 \|\| k > 4) {
	511	log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
	512	continue;
	513	}
66a78c2b	514
0fa9e53d JJ	515	uuid = startswith(device, "UUID=");
	516	if (!uuid)
	517	uuid = path_startswith(device, "/dev/disk/by-uuid/");
	518	if (!uuid)
	519	uuid = startswith(name, "luks-");
	520	if (uuid)
	521	d = hashmap_get(arg_disks, uuid);
8973790e	522
0fa9e53d JJ	523	if (arg_whitelist && !d) {
	524	log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
	525	continue;
8973790e LP	526	}
8973790e LP	527
70f5f48e	528	r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
0fa9e53d JJ	529	if (r < 0)
0fa9e53d JJ	530	return r;
8973790e	531
0fa9e53d JJ	532	if (d)
	533	d->create = false;
	534	}
8973790e	535
0fa9e53d JJ	536	return 0;
0fa9e53d JJ	537	}
66a78c2b	538
0fa9e53d JJ	539	static int add_proc_cmdline_devices(void) {
	540	int r;
	541	Iterator i;
	542	crypto_device *d;
66a78c2b	543
0fa9e53d JJ	544	HASHMAP_FOREACH(d, arg_disks, i) {
0fa9e53d JJ	545	const char *options;
baade8cc	546	_cleanup_free_ char *device = NULL;
66a78c2b	547
0fa9e53d JJ	548	if (!d->create)
0fa9e53d JJ	549	continue;
e23a0ce8	550
baade8cc JJ	551	if (!d->name) {
	552	d->name = strappend("luks-", d->uuid);
	553	if (!d->name)
	554	return log_oom();
	555	}
e23a0ce8	556
0fa9e53d JJ	557	device = strappend("UUID=", d->uuid);
	558	if (!device)
	559	return log_oom();
7ab064a6	560
0fa9e53d JJ	561	if (d->options)
	562	options = d->options;
	563	else if (arg_default_options)
	564	options = arg_default_options;
	565	else
	566	options = "timeout=0";
141a79f4	567
70f5f48e	568	r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
0fa9e53d JJ	569	if (r < 0)
0fa9e53d JJ	570	return r;
e23a0ce8 LP	571	}
e23a0ce8 LP	572
0fa9e53d JJ	573	return 0;
0fa9e53d JJ	574	}
e23a0ce8	575
0fa9e53d	576	int main(int argc, char *argv[]) {
5f4bfe56	577	int r;
e23a0ce8	578
0fa9e53d JJ	579	if (argc > 1 && argc != 4) {
	580	log_error("This program takes three or no arguments.");
	581	return EXIT_FAILURE;
	582	}
e23a0ce8	583
0fa9e53d JJ	584	if (argc > 1)
0fa9e53d JJ	585	arg_dest = argv[1];
e23a0ce8	586
6c347d50 LP	587	log_set_prohibit_ipc(true);
6c347d50 LP	588	log_set_target(LOG_TARGET_AUTO);
0fa9e53d JJ	589	log_parse_environment();
0fa9e53d JJ	590	log_open();
e2cb60fa	591
0fa9e53d	592	umask(0022);
e23a0ce8	593
0fa9e53d	594	arg_disks = hashmap_new(&string_hash_ops);
5f4bfe56 LP	595	if (!arg_disks) {
	596	r = log_oom();
	597	goto finish;
	598	}
7ab064a6	599
1d84ad94	600	r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
0fa9e53d	601	if (r < 0) {
5f4bfe56 LP	602	log_warning_errno(r, "Failed to parse kernel command line: %m");
5f4bfe56 LP	603	goto finish;
0fa9e53d	604	}
7ab064a6	605
0fa9e53d	606	if (!arg_enabled) {
5f4bfe56 LP	607	r = 0;
5f4bfe56 LP	608	goto finish;
e23a0ce8 LP	609	}
e23a0ce8 LP	610
5f4bfe56 LP	611	r = add_crypttab_devices();
	612	if (r < 0)
	613	goto finish;
0fa9e53d	614
5f4bfe56 LP	615	r = add_proc_cmdline_devices();
	616	if (r < 0)
	617	goto finish;
0fa9e53d	618
5f4bfe56	619	r = 0;
141a79f4	620
5f4bfe56	621	finish:
6dd1c368	622	hashmap_free_with_destructor(arg_disks, crypt_device_free);
0fa9e53d JJ	623	free(arg_default_options);
0fa9e53d JJ	624	free(arg_default_keyfile);
141a79f4	625
5f4bfe56	626	return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
e23a0ce8	627	}