]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/cryptsetup/cryptsetup-generator.c
projects / thirdparty / systemd.git / blob
? search:


0ae8ab35aaf46c75eecdddf1b902f1e077f80e20
[thirdparty/systemd.git] / src / cryptsetup / cryptsetup-generator.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <errno.h>
4 #include <fcntl.h>
5 #include <sys/stat.h>
6 #include <sys/types.h>
7
8 #include "alloc-util.h"
9 #include "dropin.h"
10 #include "escape.h"
11 #include "fd-util.h"
12 #include "fileio.h"
13 #include "fstab-util.h"
14 #include "generator.h"
15 #include "hashmap.h"
16 #include "id128-util.h"
17 #include "log.h"
18 #include "mkdir.h"
19 #include "parse-util.h"
20 #include "path-util.h"
21 #include "proc-cmdline.h"
22 #include "specifier.h"
23 #include "string-util.h"
24 #include "strv.h"
25 #include "unit-name.h"
26 #include "util.h"
27
28 typedef struct crypto_device {
29 char *uuid;
30 char *keyfile;
31 char *keydev;
32 char *headerdev;
33 char *datadev;
34 char *name;
35 char *options;
36 bool create;
37 } crypto_device;
38
39 static const char *arg_dest = NULL;
40 static bool arg_enabled = true;
41 static bool arg_read_crypttab = true;
42 static const char *arg_crypttab = NULL;
43 static const char *arg_runtime_directory = NULL;
44 static bool arg_allow_list = false;
45 static Hashmap *arg_disks = NULL;
46 static char *arg_default_options = NULL;
47 static char *arg_default_keyfile = NULL;
48
49 STATIC_DESTRUCTOR_REGISTER(arg_disks, hashmap_freep);
50 STATIC_DESTRUCTOR_REGISTER(arg_default_options, freep);
51 STATIC_DESTRUCTOR_REGISTER(arg_default_keyfile, freep);
52
53 static int split_locationspec(const char *locationspec, char **ret_file, char **ret_device) {
54 _cleanup_free_ char *file = NULL, *device = NULL;
55 const char *c;
56
57 assert(ret_file);
58 assert(ret_device);
59
60 if (!locationspec) {
61 *ret_file = *ret_device = NULL;
62 return 0;
63 }
64
65 c = strrchr(locationspec, ':');
66 if (c) {
67 /* The device part has to be either an absolute path to device node (/dev/something,
68 * /dev/foo/something, or even possibly /dev/foo/something:part), or a fstab device
69 * specification starting with LABEL= or similar. The file part has the same syntax.
70 *
71 * Let's try to guess if the second part looks like a device specification, or just part of a
72 * filename with a colon. fstab_node_to_udev_node() will convert the fstab device syntax to
73 * an absolute path. If we didn't get an absolute path, assume that it is just part of the
74 * first file argument. */
75
76 device = fstab_node_to_udev_node(c + 1);
77 if (!device)
78 return log_oom();
79
80 if (path_is_absolute(device))
81 file = strndup(locationspec, c-locationspec);
82 else {
83 log_debug("Location specification argument contains a colon, but \"%s\" doesn't look like a device specification.\n"
84 "Assuming that \"%s\" is a single device specification.",
85 c + 1, locationspec);
86 device = mfree(device);
87 c = NULL;
88 }
89 }
90
91 if (!c)
92 /* No device specified */
93 file = strdup(locationspec);
94
95 if (!file)
96 return log_oom();
97
98 *ret_file = TAKE_PTR(file);
99 *ret_device = TAKE_PTR(device);
100
101 return 0;
102 }
103
104 static int generate_device_mount(
105 const char *name,
106 const char *device,
107 const char *type_prefix, /* "keydev" or "headerdev" */
108 const char *device_timeout,
109 bool canfail,
110 bool readonly,
111 char **unit,
112 char **mount) {
113
114 _cleanup_free_ char *u = NULL, *where = NULL, *name_escaped = NULL, *device_unit = NULL;
115 _cleanup_fclose_ FILE *f = NULL;
116 int r;
117 usec_t timeout_us;
118
119 assert(name);
120 assert(device);
121 assert(unit);
122 assert(mount);
123
124 r = mkdir_parents(arg_runtime_directory, 0755);
125 if (r < 0)
126 return r;
127
128 r = mkdir(arg_runtime_directory, 0700);
129 if (r < 0 && errno != EEXIST)
130 return -errno;
131
132 name_escaped = cescape(name);
133 if (!name_escaped)
134 return -ENOMEM;
135
136 where = strjoin(arg_runtime_directory, "/", type_prefix, "-", name_escaped);
137 if (!where)
138 return -ENOMEM;
139
140 r = mkdir(where, 0700);
141 if (r < 0 && errno != EEXIST)
142 return -errno;
143
144 r = unit_name_from_path(where, ".mount", &u);
145 if (r < 0)
146 return r;
147
148 r = generator_open_unit_file(arg_dest, NULL, u, &f);
149 if (r < 0)
150 return r;
151
152 fprintf(f,
153 "[Unit]\n"
154 "DefaultDependencies=no\n\n"
155 "[Mount]\n"
156 "What=%s\n"
157 "Where=%s\n"
158 "Options=%s%s\n", device, where, readonly ? "ro" : "rw", canfail ? ",nofail" : "");
159
160 if (device_timeout) {
161 r = parse_sec_fix_0(device_timeout, &timeout_us);
162 if (r >= 0) {
163 r = unit_name_from_path(device, ".device", &device_unit);
164 if (r < 0)
165 return log_error_errno(r, "Failed to generate unit name: %m");
166
167 r = write_drop_in_format(arg_dest, device_unit, 90, "device-timeout",
168 "# Automatically generated by systemd-cryptsetup-generator \n\n"
169 "[Unit]\nJobRunningTimeoutSec=%s", device_timeout);
170 if (r < 0)
171 return log_error_errno(r, "Failed to write device drop-in: %m");
172
173 } else
174 log_warning_errno(r, "Failed to parse %s, ignoring: %m", device_timeout);
175
176 }
177
178 r = fflush_and_check(f);
179 if (r < 0)
180 return r;
181
182 *unit = TAKE_PTR(u);
183 *mount = TAKE_PTR(where);
184
185 return 0;
186 }
187
188 static int generate_device_umount(const char *name,
189 const char *device_mount,
190 const char *type_prefix, /* "keydev" or "headerdev" */
191 char **ret_umount_unit) {
192 _cleanup_fclose_ FILE *f = NULL;
193 _cleanup_free_ char *u = NULL, *name_escaped = NULL, *mount = NULL;
194 int r;
195
196 assert(name);
197 assert(ret_umount_unit);
198
199 name_escaped = cescape(name);
200 if (!name_escaped)
201 return -ENOMEM;
202
203 u = strjoin(type_prefix, "-", name_escaped, "-umount.service");
204 if (!u)
205 return -ENOMEM;
206
207 r = unit_name_from_path(device_mount, ".mount", &mount);
208 if (r < 0)
209 return r;
210
211 r = generator_open_unit_file(arg_dest, NULL, u, &f);
212 if (r < 0)
213 return r;
214
215 fprintf(f,
216 "[Unit]\n"
217 "DefaultDependencies=no\n"
218 "After=%s\n\n"
219 "[Service]\n"
220 "ExecStart=-" UMOUNT_PATH " %s\n\n", mount, device_mount);
221
222 r = fflush_and_check(f);
223 if (r < 0)
224 return r;
225
226 *ret_umount_unit = TAKE_PTR(u);
227 return 0;
228 }
229
230 static int print_dependencies(FILE *f, const char* device_path) {
231 int r;
232
233 if (STR_IN_SET(device_path, "-", "none"))
234 /* None, nothing to do */
235 return 0;
236
237 if (PATH_IN_SET(device_path,
238 "/dev/urandom",
239 "/dev/random",
240 "/dev/hw_random",
241 "/dev/hwrng")) {
242 /* RNG device, add random dep */
243 fputs("After=systemd-random-seed.service\n", f);
244 return 0;
245 }
246
247 _cleanup_free_ char *udev_node = fstab_node_to_udev_node(device_path);
248 if (!udev_node)
249 return log_oom();
250
251 if (path_equal(udev_node, "/dev/null"))
252 return 0;
253
254 if (path_startswith(udev_node, "/dev/")) {
255 /* We are dealing with a block device, add dependency for corresponding unit */
256 _cleanup_free_ char *unit = NULL;
257
258 r = unit_name_from_path(udev_node, ".device", &unit);
259 if (r < 0)
260 return log_error_errno(r, "Failed to generate unit name: %m");
261
262 fprintf(f,
263 "After=%1$s\n"
264 "Requires=%1$s\n", unit);
265 } else {
266 /* Regular file, add mount dependency */
267 _cleanup_free_ char *escaped_path = specifier_escape(device_path);
268 if (!escaped_path)
269 return log_oom();
270
271 fprintf(f, "RequiresMountsFor=%s\n", escaped_path);
272 }
273
274 return 0;
275 }
276
277 static int create_disk(
278 const char *name,
279 const char *device,
280 const char *password,
281 const char *keydev,
282 const char *headerdev,
283 const char *options,
284 const char *source) {
285
286 _cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
287 *keydev_mount = NULL, *keyfile_timeout_value = NULL,
288 *filtered = NULL, *u_escaped = NULL, *name_escaped = NULL, *header_path = NULL, *password_buffer = NULL,
289 *tmp_fstype = NULL, *filtered_header = NULL, *headerdev_mount = NULL;
290 _cleanup_fclose_ FILE *f = NULL;
291 const char *dmname;
292 bool noauto, nofail, swap, netdev, attach_in_initrd;
293 int r, detached_header, keyfile_can_timeout, tmp;
294
295 assert(name);
296 assert(device);
297
298 noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
299 nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
300 swap = fstab_test_option(options, "swap\0");
301 netdev = fstab_test_option(options, "_netdev\0");
302 attach_in_initrd = fstab_test_option(options, "x-initrd.attach\0");
303
304 keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL);
305 if (keyfile_can_timeout < 0)
306 return log_error_errno(keyfile_can_timeout, "Failed to parse keyfile-timeout= option value: %m");
307
308 detached_header = fstab_filter_options(
309 options,
310 "header\0",
311 NULL,
312 &header_path,
313 headerdev ? &filtered_header : NULL);
314 if (detached_header < 0)
315 return log_error_errno(detached_header, "Failed to parse header= option value: %m");
316
317 tmp = fstab_filter_options(options, "tmp\0", NULL, &tmp_fstype, NULL);
318 if (tmp < 0)
319 return log_error_errno(tmp, "Failed to parse tmp= option value: %m");
320
321 if (tmp && swap)
322 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
323 "Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.",
324 name);
325
326 name_escaped = specifier_escape(name);
327 if (!name_escaped)
328 return log_oom();
329
330 e = unit_name_escape(name);
331 if (!e)
332 return log_oom();
333
334 u = fstab_node_to_udev_node(device);
335 if (!u)
336 return log_oom();
337
338 r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
339 if (r < 0)
340 return log_error_errno(r, "Failed to generate unit name: %m");
341
342 u_escaped = specifier_escape(u);
343 if (!u_escaped)
344 return log_oom();
345
346 r = unit_name_from_path(u, ".device", &d);
347 if (r < 0)
348 return log_error_errno(r, "Failed to generate unit name: %m");
349
350 if (keydev && !password)
351 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
352 "Key device is specified, but path to the password file is missing.");
353
354 r = generator_open_unit_file(arg_dest, NULL, n, &f);
355 if (r < 0)
356 return r;
357
358 r = generator_write_cryptsetup_unit_section(f, source);
359 if (r < 0)
360 return r;
361
362 if (netdev)
363 fprintf(f, "After=remote-fs-pre.target\n");
364
365 /* If initrd takes care of attaching the disk then it should also detach it during shutdown. */
366 if (!attach_in_initrd)
367 fprintf(f, "Conflicts=umount.target\n");
368
369 if (keydev) {
370 _cleanup_free_ char *unit = NULL, *umount_unit = NULL;
371
372 r = generate_device_mount(
373 name,
374 keydev,
375 "keydev",
376 keyfile_timeout_value,
377 /* canfail = */ keyfile_can_timeout > 0,
378 /* readonly= */ true,
379 &unit,
380 &keydev_mount);
381 if (r < 0)
382 return log_error_errno(r, "Failed to generate keydev mount unit: %m");
383
384 r = generate_device_umount(name, keydev_mount, "keydev", &umount_unit);
385 if (r < 0)
386 return log_error_errno(r, "Failed to generate keydev umount unit: %m");
387
388 password_buffer = path_join(keydev_mount, password);
389 if (!password_buffer)
390 return log_oom();
391
392 password = password_buffer;
393
394 fprintf(f, "After=%s\n", unit);
395 if (keyfile_can_timeout > 0)
396 fprintf(f, "Wants=%s\n", unit);
397 else
398 fprintf(f, "Requires=%s\n", unit);
399
400 if (umount_unit)
401 fprintf(f,
402 "Wants=%s\n"
403 "Before=%s\n",
404 umount_unit,
405 umount_unit
406 );
407 }
408
409 if (headerdev) {
410 _cleanup_free_ char *unit = NULL, *umount_unit = NULL, *p = NULL;
411
412 r = generate_device_mount(
413 name,
414 headerdev,
415 "headerdev",
416 NULL,
417 /* canfail= */ false, /* header is always necessary */
418 /* readonly= */ false, /* LUKS2 recovery requires rw header access */
419 &unit,
420 &headerdev_mount);
421 if (r < 0)
422 return log_error_errno(r, "Failed to generate header device mount unit: %m");
423
424 r = generate_device_umount(name, headerdev_mount, "headerdev", &umount_unit);
425 if (r < 0)
426 return log_error_errno(r, "Failed to generate header device umount unit: %m");
427
428 p = path_join(headerdev_mount, header_path);
429 if (!p)
430 return log_oom();
431
432 free_and_replace(header_path, p);
433
434 if (isempty(filtered_header))
435 p = strjoin("header=", header_path);
436 else
437 p = strjoin(filtered_header, ",header=", header_path);
438
439 if (!p)
440 return log_oom();
441
442 free_and_replace(filtered_header, p);
443 options = filtered_header;
444
445 fprintf(f, "After=%s\n"
446 "Requires=%s\n", unit, unit);
447
448 if (umount_unit)
449 fprintf(f,
450 "Wants=%s\n"
451 "Before=%s\n",
452 umount_unit,
453 umount_unit
454 );
455 }
456
457 if (!nofail)
458 fprintf(f,
459 "Before=%s\n",
460 netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
461
462 if (password && !keydev) {
463 r = print_dependencies(f, password);
464 if (r < 0)
465 return r;
466 }
467
468 /* Check if a header option was specified */
469 if (detached_header > 0 && !headerdev) {
470 r = print_dependencies(f, header_path);
471 if (r < 0)
472 return r;
473 }
474
475 if (path_startswith(u, "/dev/"))
476 fprintf(f,
477 "BindsTo=%s\n"
478 "After=%s\n"
479 "Before=umount.target\n",
480 d, d);
481 else
482 /* For loopback devices, add systemd-tmpfiles-setup-dev.service
483 dependency to ensure that loopback support is available in
484 the kernel (/dev/loop-control needs to exist) */
485 fprintf(f,
486 "RequiresMountsFor=%s\n"
487 "Requires=systemd-tmpfiles-setup-dev.service\n"
488 "After=systemd-tmpfiles-setup-dev.service\n",
489 u_escaped);
490
491 r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
492 if (r < 0)
493 log_warning_errno(r, "Failed to write device timeout drop-in: %m");
494
495 r = generator_write_cryptsetup_service_section(f, name, u, password, filtered);
496 if (r < 0)
497 return r;
498
499 if (tmp) {
500 _cleanup_free_ char *tmp_fstype_escaped = NULL;
501
502 if (tmp_fstype) {
503 tmp_fstype_escaped = specifier_escape(tmp_fstype);
504 if (!tmp_fstype_escaped)
505 return log_oom();
506 }
507
508 fprintf(f,
509 "ExecStartPost=" ROOTLIBEXECDIR "/systemd-makefs '%s' '/dev/mapper/%s'\n",
510 tmp_fstype_escaped ?: "ext4", name_escaped);
511 }
512
513 if (swap)
514 fprintf(f,
515 "ExecStartPost=" ROOTLIBEXECDIR "/systemd-makefs swap '/dev/mapper/%s'\n",
516 name_escaped);
517
518 r = fflush_and_check(f);
519 if (r < 0)
520 return log_error_errno(r, "Failed to write unit file %s: %m", n);
521
522 if (!noauto) {
523 r = generator_add_symlink(arg_dest,
524 netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
525 nofail ? "wants" : "requires", n);
526 if (r < 0)
527 return r;
528 }
529
530 dmname = strjoina("dev-mapper-", e, ".device");
531 r = generator_add_symlink(arg_dest, dmname, "requires", n);
532 if (r < 0)
533 return r;
534
535 if (!noauto && !nofail) {
536 r = write_drop_in(arg_dest, dmname, 40, "device-timeout",
537 "# Automatically generated by systemd-cryptsetup-generator\n\n"
538 "[Unit]\nJobTimeoutSec=0");
539 if (r < 0)
540 log_warning_errno(r, "Failed to write device timeout drop-in: %m");
541 }
542
543 return 0;
544 }
545
546 static crypto_device* crypt_device_free(crypto_device *d) {
547 if (!d)
548 return NULL;
549
550 free(d->uuid);
551 free(d->keyfile);
552 free(d->keydev);
553 free(d->name);
554 free(d->options);
555 return mfree(d);
556 }
557
558 static crypto_device *get_crypto_device(const char *uuid) {
559 int r;
560 crypto_device *d;
561
562 assert(uuid);
563
564 d = hashmap_get(arg_disks, uuid);
565 if (!d) {
566 d = new0(struct crypto_device, 1);
567 if (!d)
568 return NULL;
569
570 d->uuid = strdup(uuid);
571 if (!d->uuid)
572 return mfree(d);
573
574 r = hashmap_put(arg_disks, d->uuid, d);
575 if (r < 0) {
576 free(d->uuid);
577 return mfree(d);
578 }
579 }
580
581 return d;
582 }
583
584 static bool warn_uuid_invalid(const char *uuid, const char *key) {
585 assert(key);
586
587 if (!id128_is_valid(uuid)) {
588 log_warning("Failed to parse %s= kernel command line switch. UUID is invalid, ignoring.", key);
589 return true;
590 }
591
592 return false;
593 }
594
595 static int filter_header_device(const char *options,
596 char **ret_headerdev,
597 char **ret_filtered_headerdev_options) {
598 int r;
599 _cleanup_free_ char *headerfile = NULL, *headerdev = NULL, *headerspec = NULL,
600 *filtered_headerdev = NULL, *filtered_headerspec = NULL;
601
602 assert(ret_headerdev);
603 assert(ret_filtered_headerdev_options);
604
605 r = fstab_filter_options(options, "header\0", NULL, &headerspec, &filtered_headerspec);
606 if (r < 0)
607 return log_error_errno(r, "Failed to parse header= option value: %m");
608
609 if (r > 0) {
610 r = split_locationspec(headerspec, &headerfile, &headerdev);
611 if (r < 0)
612 return r;
613
614 if (isempty(filtered_headerspec))
615 filtered_headerdev = strjoin("header=", headerfile);
616 else
617 filtered_headerdev = strjoin(filtered_headerspec, ",header=", headerfile);
618
619 if (!filtered_headerdev)
620 return log_oom();
621 } else
622 filtered_headerdev = TAKE_PTR(filtered_headerspec);
623
624 *ret_filtered_headerdev_options = TAKE_PTR(filtered_headerdev);
625 *ret_headerdev = TAKE_PTR(headerdev);
626
627 return 0;
628 }
629
630 static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
631 _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
632 crypto_device *d;
633 int r;
634
635 if (streq(key, "luks")) {
636
637 r = value ? parse_boolean(value) : 1;
638 if (r < 0)
639 log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
640 else
641 arg_enabled = r;
642
643 } else if (streq(key, "luks.crypttab")) {
644
645 r = value ? parse_boolean(value) : 1;
646 if (r < 0)
647 log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
648 else
649 arg_read_crypttab = r;
650
651 } else if (streq(key, "luks.uuid")) {
652
653 if (proc_cmdline_value_missing(key, value))
654 return 0;
655
656 d = get_crypto_device(startswith(value, "luks-") ?: value);
657 if (!d)
658 return log_oom();
659
660 d->create = arg_allow_list = true;
661
662 } else if (streq(key, "luks.options")) {
663 _cleanup_free_ char *headerdev = NULL, *filtered_headerdev_options = NULL;
664
665 if (proc_cmdline_value_missing(key, value))
666 return 0;
667
668 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
669 if (r != 2)
670 return free_and_strdup(&arg_default_options, value) < 0 ? log_oom() : 0;
671
672 if (warn_uuid_invalid(uuid, key))
673 return 0;
674
675 d = get_crypto_device(uuid);
676 if (!d)
677 return log_oom();
678
679 r = filter_header_device(uuid_value, &headerdev, &filtered_headerdev_options);
680 if (r < 0)
681 return r;
682
683 free_and_replace(d->options, filtered_headerdev_options);
684 free_and_replace(d->headerdev, headerdev);
685 } else if (streq(key, "luks.key")) {
686 size_t n;
687 _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
688 const char *keyspec;
689
690 if (proc_cmdline_value_missing(key, value))
691 return 0;
692
693 n = strspn(value, ALPHANUMERICAL "-");
694 if (value[n] != '=') {
695 if (free_and_strdup(&arg_default_keyfile, value) < 0)
696 return log_oom();
697 return 0;
698 }
699
700 uuid = strndup(value, n);
701 if (!uuid)
702 return log_oom();
703
704 if (warn_uuid_invalid(uuid, key))
705 return 0;
706
707 d = get_crypto_device(uuid);
708 if (!d)
709 return log_oom();
710
711 keyspec = value + n + 1;
712 r = split_locationspec(keyspec, &keyfile, &keydev);
713 if (r < 0)
714 return r;
715
716 free_and_replace(d->keyfile, keyfile);
717 free_and_replace(d->keydev, keydev);
718 } else if (streq(key, "luks.data")) {
719 size_t n;
720 _cleanup_free_ char *datadev = NULL;
721
722 if (proc_cmdline_value_missing(key, value))
723 return 0;
724
725 n = strspn(value, ALPHANUMERICAL "-");
726 if (value[n] != '=') {
727 log_warning("Failed to parse luks.data= kernel command line switch. UUID is invalid, ignoring.");
728 return 0;
729 }
730
731 uuid = strndup(value, n);
732 if (!uuid)
733 return log_oom();
734
735 if (warn_uuid_invalid(uuid, key))
736 return 0;
737
738 d = get_crypto_device(uuid);
739 if (!d)
740 return log_oom();
741
742 datadev = fstab_node_to_udev_node(value + n + 1);
743 if (!datadev)
744 return log_oom();
745
746 free_and_replace(d->datadev, datadev);
747 } else if (streq(key, "luks.name")) {
748
749 if (proc_cmdline_value_missing(key, value))
750 return 0;
751
752 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
753 if (r == 2) {
754 d = get_crypto_device(uuid);
755 if (!d)
756 return log_oom();
757
758 d->create = arg_allow_list = true;
759
760 free_and_replace(d->name, uuid_value);
761 } else
762 log_warning("Failed to parse luks name switch %s. Ignoring.", value);
763 }
764
765 return 0;
766 }
767
768 static int add_crypttab_devices(void) {
769 _cleanup_fclose_ FILE *f = NULL;
770 unsigned crypttab_line = 0;
771 int r;
772
773 if (!arg_read_crypttab)
774 return 0;
775
776 r = fopen_unlocked(arg_crypttab, "re", &f);
777 if (r < 0) {
778 if (errno != ENOENT)
779 log_error_errno(errno, "Failed to open %s: %m", arg_crypttab);
780 return 0;
781 }
782
783 for (;;) {
784 _cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyspec = NULL, *options = NULL,
785 *keyfile = NULL, *keydev = NULL, *headerdev = NULL, *filtered_header = NULL;
786 crypto_device *d = NULL;
787 char *l, *uuid;
788 int k;
789
790 r = read_line(f, LONG_LINE_MAX, &line);
791 if (r < 0)
792 return log_error_errno(r, "Failed to read %s: %m", arg_crypttab);
793 if (r == 0)
794 break;
795
796 crypttab_line++;
797
798 l = strstrip(line);
799 if (IN_SET(l[0], 0, '#'))
800 continue;
801
802 k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyspec, &options);
803 if (k < 2 || k > 4) {
804 log_error("Failed to parse %s:%u, ignoring.", arg_crypttab, crypttab_line);
805 continue;
806 }
807
808 uuid = startswith(device, "UUID=");
809 if (!uuid)
810 uuid = path_startswith(device, "/dev/disk/by-uuid/");
811 if (!uuid)
812 uuid = startswith(name, "luks-");
813 if (uuid)
814 d = hashmap_get(arg_disks, uuid);
815
816 if (arg_allow_list && !d) {
817 log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
818 continue;
819 }
820
821 r = split_locationspec(keyspec, &keyfile, &keydev);
822 if (r < 0)
823 return r;
824
825 if (options && (!d || !d->options)) {
826 r = filter_header_device(options, &headerdev, &filtered_header);
827 if (r < 0)
828 return r;
829 free_and_replace(options, filtered_header);
830 }
831
832 r = create_disk(name,
833 device,
834 keyfile,
835 keydev,
836 (d && d->options) ? d->headerdev : headerdev,
837 (d && d->options) ? d->options : options,
838 arg_crypttab);
839 if (r < 0)
840 return r;
841
842 if (d)
843 d->create = false;
844 }
845
846 return 0;
847 }
848
849 static int add_proc_cmdline_devices(void) {
850 int r;
851 crypto_device *d;
852
853 HASHMAP_FOREACH(d, arg_disks) {
854 _cleanup_free_ char *device = NULL;
855
856 if (!d->create)
857 continue;
858
859 if (!d->name) {
860 d->name = strjoin("luks-", d->uuid);
861 if (!d->name)
862 return log_oom();
863 }
864
865 device = strjoin("UUID=", d->uuid);
866 if (!device)
867 return log_oom();
868
869 r = create_disk(d->name,
870 d->datadev ?: device,
871 d->keyfile ?: arg_default_keyfile,
872 d->keydev,
873 d->headerdev,
874 d->options ?: arg_default_options,
875 "/proc/cmdline");
876 if (r < 0)
877 return r;
878 }
879
880 return 0;
881 }
882
883 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(crypt_device_hash_ops, char, string_hash_func, string_compare_func,
884 crypto_device, crypt_device_free);
885
886 static int run(const char *dest, const char *dest_early, const char *dest_late) {
887 int r;
888
889 assert_se(arg_dest = dest);
890
891 arg_crypttab = getenv("SYSTEMD_CRYPTTAB") ?: "/etc/crypttab";
892 arg_runtime_directory = getenv("RUNTIME_DIRECTORY") ?: "/run/systemd/cryptsetup";
893
894 arg_disks = hashmap_new(&crypt_device_hash_ops);
895 if (!arg_disks)
896 return log_oom();
897
898 r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
899 if (r < 0)
900 return log_warning_errno(r, "Failed to parse kernel command line: %m");
901
902 if (!arg_enabled)
903 return 0;
904
905 r = add_crypttab_devices();
906 if (r < 0)
907 return r;
908
909 r = add_proc_cmdline_devices();
910 if (r < 0)
911 return r;
912
913 return 0;
914 }
915
916 DEFINE_MAIN_GENERATOR_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.