[thirdparty/dracut.git] / modules.d / 90crypt / cryptroot-ask.sh

#!/bin/sh

PATH=/usr/sbin:/usr/bin:/sbin:/bin
NEWROOT=${NEWROOT:-"/sysroot"}

# do not ask, if we already have root
[ -f $NEWROOT/proc ] && exit 0

. /lib/dracut-lib.sh

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

# default luksname - luks-UUID
luksname=$2

# number of tries
numtries=${3:-10}

# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
    while read name dev luksfile luksoptions || [ -n "$name" ]; do
        # ignore blank lines and comments
        if [ -z "$name" -o "${name#\#}" != "$name" ]; then
            continue
        fi

        # PARTUUID used in crypttab
        if [ "${dev%%=*}" = "PARTUUID" ]; then
            if [ "luks-${dev##PARTUUID=}" = "$luksname" ]; then
                luksname="$name"
                break
            fi

        # UUID used in crypttab
        elif [ "${dev%%=*}" = "UUID" ]; then
            if [ "luks-${dev##UUID=}" = "$luksname" ]; then
                luksname="$name"
                break
            fi

        # ID used in crypttab
        elif [ "${dev%%=*}" = "ID" ]; then
            if [ "luks-${dev##ID=}" = "$luksname" ]; then
                luksname="$name"
                break
            fi

        # path used in crypttab
        else
            cdev=$(readlink -f $dev)
            mdev=$(readlink -f $device)
            if [ "$cdev" = "$mdev" ]; then
                luksname="$name"
                break
            fi
        fi
    done < /etc/crypttab
    unset name dev
fi

# check if destination already exists
[ -b /dev/mapper/$luksname ] && exit 0

# we already asked for this device
asked_file=/tmp/cryptroot-asked-$luksname
[ -f $asked_file ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

. /lib/dracut-crypt-lib.sh

#
# Open LUKS device
#

info "luksOpen $device $luksname $luksfile $luksoptions"

OLD_IFS="$IFS"
IFS=,
set -- $luksoptions
IFS="$OLD_IFS"

while [ $# -gt 0 ]; do
    case $1 in
        noauto)
            # skip this
            exit 0
            ;;
        swap)
            # skip this
            exit 0
            ;;
        tmp)
            # skip this
            exit 0
            ;;
        allow-discards)
            allowdiscards="--allow-discards"
            ;;
        header=*)
            cryptsetupopts="${cryptsetupopts} --${1}"
            ;;
    esac
    shift
done

# parse for allow-discards
if strstr "$(cryptsetup --help)" "allow-discards"; then
    if discarduuids=$(getargs "rd.luks.allow-discards"); then
        discarduuids=$(str_replace "$discarduuids" 'luks-' '')
        if strstr " $discarduuids " " ${luksdev##luks-}"; then
            allowdiscards="--allow-discards"
        fi
    elif getargbool 0 rd.luks.allow-discards; then
        allowdiscards="--allow-discards"
    fi
fi

if strstr "$(cryptsetup --help)" "allow-discards"; then
    cryptsetupopts="$cryptsetupopts $allowdiscards"
fi

unset allowdiscards

# fallback to passphrase
ask_passphrase=1

if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
    if cryptsetup --key-file "$luksfile" $cryptsetupopts luksOpen "$device" "$luksname"; then
        ask_passphrase=0
    fi
else
    while [ -n "$(getarg rd.luks.key)" ]; do
        if tmp=$(getkey /tmp/luks.keys $device); then
            keydev="${tmp%%:*}"
            keypath="${tmp#*:}"
        else
            if [ $numtries -eq 0 ]; then
                warn "No key found for $device.  Fallback to passphrase mode."
                break
            fi
            sleep 1
            info "No key found for $device.  Will try $numtries time(s) more later."
            initqueue --unique --onetime --settled \
                --name cryptroot-ask-$luksname \
                $(command -v cryptroot-ask) "$device" "$luksname" "$(($numtries-1))"
            exit 0
        fi
        unset tmp

        info "Using '$keypath' on '$keydev'"
        readkey "$keypath" "$keydev" "$device" \
            | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
            && ask_passphrase=0
        unset keypath keydev
        break
    done
fi

if [ $ask_passphrase -ne 0 ]; then
    luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
    _timeout=$(getargs "rd.luks.timeout")
    _timeout=${_timeout:-0}
    ask_for_password --ply-tries 5 \
        --ply-cmd "$luks_open -T1 $device $luksname" \
        --ply-prompt "Password ($device)" \
        --tty-tries 1 \
        --tty-cmd "$luks_open -T5 -t $_timeout $device $luksname"
    unset luks_open
    unset _timeout
fi

unset device luksname luksfile

# mark device as asked
>> $asked_file

need_shutdown
udevsettle

exit 0
Commit	Line	Data
ab83e0a6 HH	1	#!/bin/sh
ab83e0a6 HH	2
fb59f4c9	3	PATH=/usr/sbin:/usr/bin:/sbin:/bin
8234b92d	4	NEWROOT=${NEWROOT:-"/sysroot"}
fb59f4c9	5
5966b1b1	6	# do not ask, if we already have root
8234b92d	7	[ -f $NEWROOT/proc ] && exit 0
5966b1b1	8
e3469d76	9	. /lib/dracut-lib.sh
c70f6415	10
bb2200ff HH	11	# if device name is /dev/dm-X, convert to /dev/mapper/name
	12	if [ "${1##/dev/dm-}" != "$1" ]; then
	13	device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
	14	else
	15	device="$1"
	16	fi
	17
e3469d76 CG	18	# default luksname - luks-UUID
	19	luksname=$2
	20
5ad3803d HH	21	# number of tries
	22	numtries=${3:-10}
	23
8844cd6b	24	# TODO: improve to support what cmdline does
68e7661c	25	if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
6d58fa27	26	while read name dev luksfile luksoptions \|\| [ -n "$name" ]; do
2926b5b3 AŻ	27	# ignore blank lines and comments
	28	if [ -z "$name" -o "${name#\#}" != "$name" ]; then
	29	continue
	30	fi
	31
b7058d0c	32	# PARTUUID used in crypttab
	33	if [ "${dev%%=*}" = "PARTUUID" ]; then
	34	if [ "luks-${dev##PARTUUID=}" = "$luksname" ]; then
	35	luksname="$name"
	36	break
	37	fi
	38
2926b5b3	39	# UUID used in crypttab
b7058d0c	40	elif [ "${dev%%=*}" = "UUID" ]; then
9b5e2e85	41	if [ "luks-${dev##UUID=}" = "$luksname" ]; then
2926b5b3 AŻ	42	luksname="$name"
	43	break
	44	fi
3b403b32	45
b7058d0c	46	# ID used in crypttab
	47	elif [ "${dev%%=*}" = "ID" ]; then
	48	if [ "luks-${dev##ID=}" = "$luksname" ]; then
	49	luksname="$name"
	50	break
	51	fi
	52
2926b5b3 AŻ	53	# path used in crypttab
	54	else
	55	cdev=$(readlink -f $dev)
	56	mdev=$(readlink -f $device)
	57	if [ "$cdev" = "$mdev" ]; then
	58	luksname="$name"
	59	break
	60	fi
	61	fi
349bac42	62	done < /etc/crypttab
5ad3803d	63	unset name dev
349bac42 HH	64	fi
349bac42 HH	65
e3469d76 CG	66	# check if destination already exists
	67	[ -b /dev/mapper/$luksname ] && exit 0
	68
	69	# we already asked for this device
9835859f TM	70	asked_file=/tmp/cryptroot-asked-$luksname
9835859f TM	71	[ -f $asked_file ] && exit 0
e3469d76 CG	72
	73	# load dm_crypt if it is not already loaded
	74	[ -d /sys/module/dm_crypt ] \|\| modprobe dm_crypt
	75
	76	. /lib/dracut-crypt-lib.sh
	77
2926b5b3 AŻ	78	#
	79	# Open LUKS device
	80	#
	81
5ad3803d HH	82	info "luksOpen $device $luksname $luksfile $luksoptions"
	83
	84	OLD_IFS="$IFS"
	85	IFS=,
	86	set -- $luksoptions
	87	IFS="$OLD_IFS"
	88
	89	while [ $# -gt 0 ]; do
	90	case $1 in
	91	noauto)
	92	# skip this
	93	exit 0
	94	;;
	95	swap)
	96	# skip this
	97	exit 0
	98	;;
	99	tmp)
	100	# skip this
	101	exit 0
	102	;;
	103	allow-discards)
	104	allowdiscards="--allow-discards"
b7058d0c	105	;;
	106	header=*)
	107	cryptsetupopts="${cryptsetupopts} --${1}"
	108	;;
5ad3803d HH	109	esac
	110	shift
	111	done
	112
	113	# parse for allow-discards
	114	if strstr "$(cryptsetup --help)" "allow-discards"; then
	115	if discarduuids=$(getargs "rd.luks.allow-discards"); then
329bbd79 HH	116	discarduuids=$(str_replace "$discarduuids" 'luks-' '')
329bbd79 HH	117	if strstr " $discarduuids " " ${luksdev##luks-}"; then
5ad3803d HH	118	allowdiscards="--allow-discards"
5ad3803d HH	119	fi
329bbd79	120	elif getargbool 0 rd.luks.allow-discards; then
5ad3803d HH	121	allowdiscards="--allow-discards"
	122	fi
	123	fi
	124
	125	if strstr "$(cryptsetup --help)" "allow-discards"; then
	126	cryptsetupopts="$cryptsetupopts $allowdiscards"
	127	fi
	128
	129	unset allowdiscards
2926b5b3	130
e3469d76 CG	131	# fallback to passphrase
	132	ask_passphrase=1
	133
4e05cb40	134	if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
5ad3803d	135	if cryptsetup --key-file "$luksfile" $cryptsetupopts luksOpen "$device" "$luksname"; then
4e05cb40 HH	136	ask_passphrase=0
	137	fi
	138	else
	139	while [ -n "$(getarg rd.luks.key)" ]; do
	140	if tmp=$(getkey /tmp/luks.keys $device); then
	141	keydev="${tmp%%:*}"
	142	keypath="${tmp#*:}"
c70f6415	143	else
5ad3803d HH	144	if [ $numtries -eq 0 ]; then
	145	warn "No key found for $device. Fallback to passphrase mode."
	146	break
4e05cb40	147	fi
5ad3803d HH	148	sleep 1
5ad3803d HH	149	info "No key found for $device. Will try $numtries time(s) more later."
4e05cb40 HH	150	initqueue --unique --onetime --settled \
4e05cb40 HH	151	--name cryptroot-ask-$luksname \
5ad3803d	152	$(command -v cryptroot-ask) "$device" "$luksname" "$(($numtries-1))"
4e05cb40	153	exit 0
c70f6415	154	fi
4e05cb40 HH	155	unset tmp
	156
	157	info "Using '$keypath' on '$keydev'"
	158	readkey "$keypath" "$keydev" "$device" \
705eb4ee MR	159	\| cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
705eb4ee MR	160	&& ask_passphrase=0
4e05cb40	161	unset keypath keydev
4e05cb40 HH	162	break
	163	done
	164	fi
	165
c70f6415	166	if [ $ask_passphrase -ne 0 ]; then
5ad3803d	167	luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
c1688560 NP	168	_timeout=$(getargs "rd.luks.timeout")
c1688560 NP	169	_timeout=${_timeout:-0}
3909d7ed AŻ	170	ask_for_password --ply-tries 5 \
	171	--ply-cmd "$luks_open -T1 $device $luksname" \
	172	--ply-prompt "Password ($device)" \
	173	--tty-tries 1 \
c1688560	174	--tty-cmd "$luks_open -T5 -t $_timeout $device $luksname"
3909d7ed	175	unset luks_open
c1688560	176	unset _timeout
2926b5b3	177	fi
ab83e0a6	178
4e05cb40	179	unset device luksname luksfile
7254c24a	180
5966b1b1	181	# mark device as asked
9b5e2e85	182	>> $asked_file
5966b1b1	183
fb67e4aa	184	need_shutdown
7254c24a MS	185	udevsettle
7254c24a MS	186
ed2de829	187	exit 0