[thirdparty/systemd.git] / src / cryptsetup / cryptsetup-generator.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <stdio_ext.h>

#include "alloc-util.h"
#include "dropin.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
#include "fstab-util.h"
#include "generator.h"
#include "hashmap.h"
#include "id128-util.h"
#include "log.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "proc-cmdline.h"
#include "specifier.h"
#include "string-util.h"
#include "strv.h"
#include "unit-name.h"
#include "util.h"

typedef struct crypto_device {
        char *uuid;
        char *keyfile;
        char *keydev;
        char *name;
        char *options;
        bool create;
} crypto_device;

static const char *arg_dest = "/tmp";
static bool arg_enabled = true;
static bool arg_read_crypttab = true;
static bool arg_whitelist = false;
static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;

static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
        _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(name);
        assert(keydev);
        assert(unit);
        assert(mount);

        r = mkdir_parents("/run/systemd/cryptsetup", 0755);
        if (r < 0)
                return r;

        r = mkdir("/run/systemd/cryptsetup", 0700);
        if (r < 0 && errno != EEXIST)
                return -errno;

        name_escaped = cescape(name);
        if (!name_escaped)
                return -ENOMEM;

        where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
        if (!where)
                return -ENOMEM;

        r = mkdir(where, 0700);
        if (r < 0 && errno != EEXIST)
                return -errno;

        r = unit_name_from_path(where, ".mount", &u);
        if (r < 0)
                return r;

        r = generator_open_unit_file(arg_dest, NULL, u, &f);
        if (r < 0)
                return r;

        what = fstab_node_to_udev_node(keydev);
        if (!what)
                return -ENOMEM;

        fprintf(f,
                "[Unit]\n"
                "DefaultDependencies=no\n\n"
                "[Mount]\n"
                "What=%s\n"
                "Where=%s\n"
                "Options=ro\n", what, where);

        r = fflush_and_check(f);
        if (r < 0)
                return r;

        *unit = TAKE_PTR(u);
        *mount = TAKE_PTR(where);

        return 0;
}

static int create_disk(
                const char *name,
                const char *device,
                const char *keydev,
                const char *password,
                const char *options) {

        _cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
                *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *keydev_mount = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        const char *dmname;
        bool noauto, nofail, tmp, swap, netdev;
        int r;

        assert(name);
        assert(device);

        noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
        nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
        tmp = fstab_test_option(options, "tmp\0");
        swap = fstab_test_option(options, "swap\0");
        netdev = fstab_test_option(options, "_netdev\0");

        if (tmp && swap)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.",
                                       name);

        name_escaped = specifier_escape(name);
        if (!name_escaped)
                return log_oom();

        e = unit_name_escape(name);
        if (!e)
                return log_oom();

        u = fstab_node_to_udev_node(device);
        if (!u)
                return log_oom();

        r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        u_escaped = specifier_escape(u);
        if (!u_escaped)
                return log_oom();

        r = unit_name_from_path(u, ".device", &d);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        if (password) {
                password_escaped = specifier_escape(password);
                if (!password_escaped)
                        return log_oom();
        }

        if (keydev && !password)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Key device is specified, but path to the password file is missing.");

        r = generator_open_unit_file(arg_dest, NULL, n, &f);
        if (r < 0)
                return r;

        fprintf(f,
                "[Unit]\n"
                "Description=Cryptography Setup for %%I\n"
                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
                "SourcePath=/etc/crypttab\n"
                "DefaultDependencies=no\n"
                "Conflicts=umount.target\n"
                "IgnoreOnIsolate=true\n"
                "After=%s\n",
                netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");

        if (keydev) {
                _cleanup_free_ char *unit = NULL, *p = NULL;

                r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
                if (r < 0)
                        return log_error_errno(r, "Failed to generate keydev mount unit: %m");

                p = prefix_root(keydev_mount, password_escaped);
                if (!p)
                        return log_oom();

                free_and_replace(password_escaped, p);
        }

        if (!nofail)
                fprintf(f,
                        "Before=%s\n",
                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");

        if (password) {
                if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
                        fputs("After=systemd-random-seed.service\n", f);
                else if (!STR_IN_SET(password, "-", "none")) {
                        _cleanup_free_ char *uu;

                        uu = fstab_node_to_udev_node(password);
                        if (!uu)
                                return log_oom();

                        if (!path_equal(uu, "/dev/null")) {

                                if (path_startswith(uu, "/dev/")) {
                                        _cleanup_free_ char *dd = NULL;

                                        r = unit_name_from_path(uu, ".device", &dd);
                                        if (r < 0)
                                                return log_error_errno(r, "Failed to generate unit name: %m");

                                        fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
                                } else
                                        fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
                        }
                }
        }

        if (path_startswith(u, "/dev/")) {
                fprintf(f,
                        "BindsTo=%s\n"
                        "After=%s\n"
                        "Before=umount.target\n",
                        d, d);

                if (swap)
                        fputs("Before=dev-mapper-%i.swap\n",
                              f);
        } else
                /* For loopback devices, add systemd-tmpfiles-setup-dev.service
                   dependency to ensure that loopback support is available in
                   the kernel (/dev/loop-control needs to exist) */
                fprintf(f,
                        "RequiresMountsFor=%s\n"
                        "Requires=systemd-tmpfiles-setup-dev.service\n"
                        "After=systemd-tmpfiles-setup-dev.service\n",
                        u_escaped);

        r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
        if (r < 0)
                return r;

        if (filtered) {
                filtered_escaped = specifier_escape(filtered);
                if (!filtered_escaped)
                        return log_oom();
        }

        fprintf(f,
                "\n[Service]\n"
                "Type=oneshot\n"
                "RemainAfterExit=yes\n"
                "TimeoutSec=0\n" /* the binary handles timeouts anyway */
                "KeyringMode=shared\n" /* make sure we can share cached keys among instances */
                "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
                "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
                name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
                name_escaped);

        if (tmp)
                fprintf(f,
                        "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
                        name_escaped);

        if (swap)
                fprintf(f,
                        "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
                        name_escaped);

        if (keydev)
                fprintf(f,
                        "ExecStartPost=" UMOUNT_PATH " %s\n\n",
                        keydev_mount);

        r = fflush_and_check(f);
        if (r < 0)
                return log_error_errno(r, "Failed to write unit file %s: %m", n);

        if (!noauto) {
                r = generator_add_symlink(arg_dest, d, "wants", n);
                if (r < 0)
                        return r;

                r = generator_add_symlink(arg_dest,
                                          netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
                                          nofail ? "wants" : "requires", n);
                if (r < 0)
                        return r;
        }

        dmname = strjoina("dev-mapper-", e, ".device");
        r = generator_add_symlink(arg_dest, dmname, "requires", n);
        if (r < 0)
                return r;

        if (!noauto && !nofail) {
                r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
                                  "# Automatically generated by systemd-cryptsetup-generator \n\n"
                                  "[Unit]\nJobTimeoutSec=0");
                if (r < 0)
                        return log_error_errno(r, "Failed to write device drop-in: %m");
        }

        return 0;
}

static void crypt_device_free(crypto_device *d) {
        free(d->uuid);
        free(d->keyfile);
        free(d->keydev);
        free(d->name);
        free(d->options);
        free(d);
}

static crypto_device *get_crypto_device(const char *uuid) {
        int r;
        crypto_device *d;

        assert(uuid);

        d = hashmap_get(arg_disks, uuid);
        if (!d) {
                d = new0(struct crypto_device, 1);
                if (!d)
                        return NULL;

                d->create = false;
                d->keyfile = d->options = d->name = NULL;

                d->uuid = strdup(uuid);
                if (!d->uuid)
                        return mfree(d);

                r = hashmap_put(arg_disks, d->uuid, d);
                if (r < 0) {
                        free(d->uuid);
                        return mfree(d);
                }
        }

        return d;
}

static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
        _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
        crypto_device *d;
        int r;

        if (streq(key, "luks")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
                else
                        arg_enabled = r;

        } else if (streq(key, "luks.crypttab")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
                else
                        arg_read_crypttab = r;

        } else if (streq(key, "luks.uuid")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
                if (!d)
                        return log_oom();

                d->create = arg_whitelist = true;

        } else if (streq(key, "luks.options")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        free_and_replace(d->options, uuid_value);
                } else if (free_and_strdup(&arg_default_options, value) < 0)
                        return log_oom();

        } else if (streq(key, "luks.key")) {
                size_t n;
                _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
                char *c;
                const char *keyspec;

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                n = strspn(value, LETTERS DIGITS "-");
                if (value[n] != '=') {
                        if (free_and_strdup(&arg_default_keyfile, value) < 0)
                                 return log_oom();
                        return 0;
                }

                uuid = strndup(value, n);
                if (!uuid)
                        return log_oom();

                if (!id128_is_valid(uuid)) {
                        log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
                        return 0;
                }

                d = get_crypto_device(uuid);
                if (!d)
                        return log_oom();

                keyspec = value + n + 1;
                c = strrchr(keyspec, ':');
                if (c) {
                         *c = '\0';
                        keyfile = strdup(keyspec);
                        keydev = strdup(c + 1);

                        if (!keyfile || !keydev)
                                return log_oom();
                } else {
                        /* No keydev specified */
                        keyfile = strdup(keyspec);
                        if (!keyfile)
                                return log_oom();
                }

                free_and_replace(d->keyfile, keyfile);
                free_and_replace(d->keydev, keydev);
        } else if (streq(key, "luks.name")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        d->create = arg_whitelist = true;

                        free_and_replace(d->name, uuid_value);
                } else
                        log_warning("Failed to parse luks name switch %s. Ignoring.", value);
        }

        return 0;
}

static int add_crypttab_devices(void) {
        _cleanup_fclose_ FILE *f = NULL;
        unsigned crypttab_line = 0;
        struct stat st;
        int r;

        if (!arg_read_crypttab)
                return 0;

        f = fopen("/etc/crypttab", "re");
        if (!f) {
                if (errno != ENOENT)
                        log_error_errno(errno, "Failed to open /etc/crypttab: %m");
                return 0;
        }

        (void) __fsetlocking(f, FSETLOCKING_BYCALLER);

        if (fstat(fileno(f), &st) < 0) {
                log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
                return 0;
        }

        for (;;) {
                _cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
                crypto_device *d = NULL;
                char *l, *uuid;
                int k;

                r = read_line(f, LONG_LINE_MAX, &line);
                if (r < 0)
                        return log_error_errno(r, "Failed to read /etc/crypttab: %m");
                if (r == 0)
                        break;

                crypttab_line++;

                l = strstrip(line);
                if (IN_SET(l[0], 0, '#'))
                        continue;

                k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
                if (k < 2 || k > 4) {
                        log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
                        continue;
                }

                uuid = STARTSWITH_SET(device, "UUID=", "luks-");
                if (!uuid)
                        uuid = path_startswith(device, "/dev/disk/by-uuid/");
                if (uuid)
                        d = hashmap_get(arg_disks, uuid);

                if (arg_whitelist && !d) {
                        log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
                        continue;
                }

                r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
                if (r < 0)
                        return r;

                if (d)
                        d->create = false;
        }

        return 0;
}

static int add_proc_cmdline_devices(void) {
        int r;
        Iterator i;
        crypto_device *d;

        HASHMAP_FOREACH(d, arg_disks, i) {
                const char *options;
                _cleanup_free_ char *device = NULL;

                if (!d->create)
                        continue;

                if (!d->name) {
                        d->name = strappend("luks-", d->uuid);
                        if (!d->name)
                                return log_oom();
                }

                device = strappend("UUID=", d->uuid);
                if (!device)
                        return log_oom();

                if (d->options)
                        options = d->options;
                else if (arg_default_options)
                        options = arg_default_options;
                else
                        options = "timeout=0";

                r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
                if (r < 0)
                        return r;
        }

        return 0;
}

int main(int argc, char *argv[]) {
        int r;

        if (argc > 1 && argc != 4) {
                log_error("This program takes three or no arguments.");
                return EXIT_FAILURE;
        }

        if (argc > 1)
                arg_dest = argv[1];

        log_setup_generator();

        arg_disks = hashmap_new(&string_hash_ops);
        if (!arg_disks) {
                r = log_oom();
                goto finish;
        }

        r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
        if (r < 0) {
                log_warning_errno(r, "Failed to parse kernel command line: %m");
                goto finish;
        }

        if (!arg_enabled) {
                r = 0;
                goto finish;
        }

        r = add_crypttab_devices();
        if (r < 0)
                goto finish;

        r = add_proc_cmdline_devices();
        if (r < 0)
                goto finish;

        r = 0;

finish:
        hashmap_free_with_destructor(arg_disks, crypt_device_free);
        free(arg_default_options);
        free(arg_default_keyfile);

        return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
e23a0ce8	2
e23a0ce8	3	#include <errno.h>
0d536673	4	#include <stdio_ext.h>
e23a0ce8	5
b5efdb8a	6	#include "alloc-util.h"
0fa9e53d	7	#include "dropin.h"
7949dfa7	8	#include "escape.h"
3ffd4af2	9	#include "fd-util.h"
0d39fa9c	10	#include "fileio.h"
07630cea	11	#include "fstab-util.h"
0fa9e53d JJ	12	#include "generator.h"
0fa9e53d JJ	13	#include "hashmap.h"
7949dfa7	14	#include "id128-util.h"
e23a0ce8	15	#include "log.h"
49e942b2	16	#include "mkdir.h"
6bedfcbb	17	#include "parse-util.h"
bde29068	18	#include "path-util.h"
4e731273	19	#include "proc-cmdline.h"
98bad05e	20	#include "specifier.h"
07630cea	21	#include "string-util.h"
0fa9e53d JJ	22	#include "strv.h"
	23	#include "unit-name.h"
	24	#include "util.h"
	25
	26	typedef struct crypto_device {
	27	char *uuid;
6cd5b12a	28	char *keyfile;
70f5f48e	29	char *keydev;
baade8cc	30	char *name;
0fa9e53d JJ	31	char *options;
	32	bool create;
	33	} crypto_device;
e23a0ce8	34
66a78c2b LP	35	static const char *arg_dest = "/tmp";
	36	static bool arg_enabled = true;
	37	static bool arg_read_crypttab = true;
0fa9e53d JJ	38	static bool arg_whitelist = false;
	39	static Hashmap *arg_disks = NULL;
	40	static char *arg_default_options = NULL;
	41	static char *arg_default_keyfile = NULL;
141a79f4	42
70f5f48e	43	static int generate_keydev_mount(const char name, const char keydev, char unit, char mount) {
7949dfa7	44	_cleanup_free_ char u = NULL, what = NULL, where = NULL, name_escaped = NULL;
70f5f48e MS	45	_cleanup_fclose_ FILE *f = NULL;
	46	int r;
	47
	48	assert(name);
	49	assert(keydev);
	50	assert(unit);
	51	assert(mount);
	52
	53	r = mkdir_parents("/run/systemd/cryptsetup", 0755);
	54	if (r < 0)
	55	return r;
	56
	57	r = mkdir("/run/systemd/cryptsetup", 0700);
579875bc MS	58	if (r < 0 && errno != EEXIST)
579875bc MS	59	return -errno;
70f5f48e	60
7949dfa7 MS	61	name_escaped = cescape(name);
	62	if (!name_escaped)
	63	return -ENOMEM;
	64
	65	where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
70f5f48e MS	66	if (!where)
	67	return -ENOMEM;
	68
	69	r = mkdir(where, 0700);
579875bc MS	70	if (r < 0 && errno != EEXIST)
579875bc MS	71	return -errno;
70f5f48e MS	72
	73	r = unit_name_from_path(where, ".mount", &u);
	74	if (r < 0)
	75	return r;
	76
	77	r = generator_open_unit_file(arg_dest, NULL, u, &f);
	78	if (r < 0)
	79	return r;
	80
	81	what = fstab_node_to_udev_node(keydev);
	82	if (!what)
	83	return -ENOMEM;
	84
	85	fprintf(f,
	86	"[Unit]\n"
	87	"DefaultDependencies=no\n\n"
	88	"[Mount]\n"
	89	"What=%s\n"
	90	"Where=%s\n"
	91	"Options=ro\n", what, where);
	92
	93	r = fflush_and_check(f);
	94	if (r < 0)
	95	return r;
	96
	97	*unit = TAKE_PTR(u);
	98	*mount = TAKE_PTR(where);
	99
	100	return 0;
	101	}
	102
e23a0ce8 LP	103	static int create_disk(
	104	const char *name,
	105	const char *device,
70f5f48e	106	const char *keydev,
e23a0ce8 LP	107	const char *password,
	108	const char *options) {
	109
fb883e75	110	_cleanup_free_ char n = NULL, d = NULL, u = NULL, e = NULL,
70f5f48e	111	filtered = NULL, u_escaped = NULL, password_escaped = NULL, filtered_escaped = NULL, name_escaped = NULL, keydev_mount = NULL;
7fd1b19b	112	_cleanup_fclose_ FILE *f = NULL;
b559616f	113	const char *dmname;
b001ad61	114	bool noauto, nofail, tmp, swap, netdev;
744198e9	115	int r;
e23a0ce8 LP	116
	117	assert(name);
	118	assert(device);
	119
b9f111b9 ZJS	120	noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
b9f111b9 ZJS	121	nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
a6dba978 ZJS	122	tmp = fstab_test_option(options, "tmp\0");
a6dba978 ZJS	123	swap = fstab_test_option(options, "swap\0");
b001ad61	124	netdev = fstab_test_option(options, "_netdev\0");
8c11d3c1	125
baaa35ad ZJS	126	if (tmp && swap)
	127	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	128	"Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.",
	129	name);
155da457	130
98bad05e LP	131	name_escaped = specifier_escape(name);
	132	if (!name_escaped)
	133	return log_oom();
	134
744198e9 LP	135	e = unit_name_escape(name);
	136	if (!e)
	137	return log_oom();
	138
f7f21d33	139	u = fstab_node_to_udev_node(device);
24a988e9 HH	140	if (!u)
24a988e9 HH	141	return log_oom();
e23a0ce8	142
fb883e75 ZJS	143	r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
	144	if (r < 0)
	145	return log_error_errno(r, "Failed to generate unit name: %m");
	146
98bad05e LP	147	u_escaped = specifier_escape(u);
	148	if (!u_escaped)
	149	return log_oom();
	150
7410616c LP	151	r = unit_name_from_path(u, ".device", &d);
	152	if (r < 0)
	153	return log_error_errno(r, "Failed to generate unit name: %m");
e23a0ce8	154
d31eb24f LP	155	if (password) {
	156	password_escaped = specifier_escape(password);
	157	if (!password_escaped)
	158	return log_oom();
	159	}
98bad05e	160
baaa35ad ZJS	161	if (keydev && !password)
	162	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	163	"Key device is specified, but path to the password file is missing.");
70f5f48e	164
fb883e75 ZJS	165	r = generator_open_unit_file(arg_dest, NULL, n, &f);
	166	if (r < 0)
	167	return r;
0d536673	168
b001ad61	169	fprintf(f,
b001ad61 ZJS	170	"[Unit]\n"
	171	"Description=Cryptography Setup for %%I\n"
	172	"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
	173	"SourcePath=/etc/crypttab\n"
	174	"DefaultDependencies=no\n"
	175	"Conflicts=umount.target\n"
	176	"IgnoreOnIsolate=true\n"
	177	"After=%s\n",
a0dd2097	178	netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
e23a0ce8	179
70f5f48e MS	180	if (keydev) {
	181	_cleanup_free_ char unit = NULL, p = NULL;
	182
	183	r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
	184	if (r < 0)
	185	return log_error_errno(r, "Failed to generate keydev mount unit: %m");
	186
	187	p = prefix_root(keydev_mount, password_escaped);
	188	if (!p)
	189	return log_oom();
	190
	191	free_and_replace(password_escaped, p);
	192	}
	193
155da457 LP	194	if (!nofail)
155da457 LP	195	fprintf(f,
b001ad61 ZJS	196	"Before=%s\n",
b001ad61 ZJS	197	netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
155da457	198
ceca9501	199	if (password) {
e3ca6580	200	if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
0d536673	201	fputs("After=systemd-random-seed.service\n", f);
b559616f	202	else if (!STR_IN_SET(password, "-", "none")) {
744198e9 LP	203	_cleanup_free_ char *uu;
	204
	205	uu = fstab_node_to_udev_node(password);
	206	if (!uu)
66a5dbdf DR	207	return log_oom();
66a5dbdf DR	208
bde29068	209	if (!path_equal(uu, "/dev/null")) {
744198e9	210
048dd629	211	if (path_startswith(uu, "/dev/")) {
7410616c	212	_cleanup_free_ char *dd = NULL;
66a5dbdf	213
7410616c LP	214	r = unit_name_from_path(uu, ".device", &dd);
	215	if (r < 0)
	216	return log_error_errno(r, "Failed to generate unit name: %m");
bde29068 LP	217
	218	fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
	219	} else
98bad05e	220	fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
bde29068	221	}
66a5dbdf	222	}
ceca9501	223	}
e23a0ce8	224
048dd629	225	if (path_startswith(u, "/dev/")) {
9ece938a TW	226	fprintf(f,
	227	"BindsTo=%s\n"
	228	"After=%s\n"
	229	"Before=umount.target\n",
	230	d, d);
a6f8786a MFO	231
a6f8786a MFO	232	if (swap)
0d536673 LP	233	fputs("Before=dev-mapper-%i.swap\n",
0d536673 LP	234	f);
a6f8786a	235	} else
b90cbe66 LHS	236	/* For loopback devices, add systemd-tmpfiles-setup-dev.service
	237	dependency to ensure that loopback support is available in
	238	the kernel (/dev/loop-control needs to exist) */
9ece938a	239	fprintf(f,
b90cbe66 LHS	240	"RequiresMountsFor=%s\n"
	241	"Requires=systemd-tmpfiles-setup-dev.service\n"
	242	"After=systemd-tmpfiles-setup-dev.service\n",
98bad05e LP	243	u_escaped);
98bad05e LP	244
8eea8687 ZJS	245	r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
	246	if (r < 0)
	247	return r;
	248
d31eb24f LP	249	if (filtered) {
	250	filtered_escaped = specifier_escape(filtered);
	251	if (!filtered_escaped)
	252	return log_oom();
	253	}
98bad05e	254
e23a0ce8 LP	255	fprintf(f,
	256	"\n[Service]\n"
	257	"Type=oneshot\n"
	258	"RemainAfterExit=yes\n"
90724929	259	"TimeoutSec=0\n" /* the binary handles timeouts anyway */
0b1f68ac	260	"KeyringMode=shared\n" /* make sure we can share cached keys among instances */
260ab287	261	"ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
7f4e0805	262	"ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
98bad05e LP	263	name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
98bad05e LP	264	name_escaped);
e23a0ce8	265
8c11d3c1	266	if (tmp)
e23a0ce8	267	fprintf(f,
50109038	268	"ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
98bad05e	269	name_escaped);
e23a0ce8	270
8c11d3c1	271	if (swap)
e23a0ce8	272	fprintf(f,
50109038	273	"ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
98bad05e	274	name_escaped);
e23a0ce8	275
70f5f48e MS	276	if (keydev)
	277	fprintf(f,
	278	"ExecStartPost=" UMOUNT_PATH " %s\n\n",
	279	keydev_mount);
	280
4652c56c ZJS	281	r = fflush_and_check(f);
4652c56c ZJS	282	if (r < 0)
fb883e75	283	return log_error_errno(r, "Failed to write unit file %s: %m", n);
e23a0ce8	284
155da457	285	if (!noauto) {
b559616f ZJS	286	r = generator_add_symlink(arg_dest, d, "wants", n);
	287	if (r < 0)
	288	return r;
e23a0ce8	289
b001ad61 ZJS	290	r = generator_add_symlink(arg_dest,
b001ad61 ZJS	291	netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
b559616f ZJS	292	nofail ? "wants" : "requires", n);
	293	if (r < 0)
	294	return r;
f7f21d33	295	}
74715b82	296
b559616f ZJS	297	dmname = strjoina("dev-mapper-", e, ".device");
	298	r = generator_add_symlink(arg_dest, dmname, "requires", n);
	299	if (r < 0)
	300	return r;
74715b82	301
68395007	302	if (!noauto && !nofail) {
a6fb0dc1	303	r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
8eea8687 ZJS	304	"# Automatically generated by systemd-cryptsetup-generator \n\n"
8eea8687 ZJS	305	"[Unit]\nJobTimeoutSec=0");
23bbb0de MS	306	if (r < 0)
23bbb0de MS	307	return log_error_errno(r, "Failed to write device drop-in: %m");
68395007 HH	308	}
68395007 HH	309
24a988e9	310	return 0;
e23a0ce8 LP	311	}
e23a0ce8 LP	312
6dd1c368 ZJS	313	static void crypt_device_free(crypto_device *d) {
	314	free(d->uuid);
	315	free(d->keyfile);
70f5f48e	316	free(d->keydev);
6dd1c368 ZJS	317	free(d->name);
	318	free(d->options);
	319	free(d);
0fa9e53d JJ	320	}
	321
	322	static crypto_device get_crypto_device(const char uuid) {
	323	int r;
	324	crypto_device *d;
	325
	326	assert(uuid);
	327
	328	d = hashmap_get(arg_disks, uuid);
	329	if (!d) {
	330	d = new0(struct crypto_device, 1);
	331	if (!d)
	332	return NULL;
	333
	334	d->create = false;
baade8cc	335	d->keyfile = d->options = d->name = NULL;
0fa9e53d JJ	336
0fa9e53d JJ	337	d->uuid = strdup(uuid);
6b430fdb ZJS	338	if (!d->uuid)
6b430fdb ZJS	339	return mfree(d);
0fa9e53d JJ	340
	341	r = hashmap_put(arg_disks, d->uuid, d);
	342	if (r < 0) {
	343	free(d->uuid);
6b430fdb	344	return mfree(d);
0fa9e53d JJ	345	}
	346	}
	347
	348	return d;
	349	}
	350
96287a49	351	static int parse_proc_cmdline_item(const char key, const char value, void *data) {
0fa9e53d	352	_cleanup_free_ char uuid = NULL, uuid_value = NULL;
1d84ad94 LP	353	crypto_device *d;
1d84ad94 LP	354	int r;
66a78c2b	355
1d84ad94	356	if (streq(key, "luks")) {
059cb385	357
1d84ad94	358	r = value ? parse_boolean(value) : 1;
141a79f4	359	if (r < 0)
1d84ad94	360	log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
141a79f4 ZJS	361	else
141a79f4 ZJS	362	arg_enabled = r;
66a78c2b	363
1d84ad94	364	} else if (streq(key, "luks.crypttab")) {
66a78c2b	365
1d84ad94	366	r = value ? parse_boolean(value) : 1;
141a79f4	367	if (r < 0)
1d84ad94	368	log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
141a79f4 ZJS	369	else
141a79f4 ZJS	370	arg_read_crypttab = r;
66a78c2b	371
1d84ad94 LP	372	} else if (streq(key, "luks.uuid")) {
	373
	374	if (proc_cmdline_value_missing(key, value))
	375	return 0;
66a78c2b	376
0fa9e53d JJ	377	d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
0fa9e53d JJ	378	if (!d)
141a79f4	379	return log_oom();
66a78c2b	380
0fa9e53d JJ	381	d->create = arg_whitelist = true;
0fa9e53d JJ	382
1d84ad94 LP	383	} else if (streq(key, "luks.options")) {
	384
	385	if (proc_cmdline_value_missing(key, value))
	386	return 0;
66a78c2b	387
0fa9e53d JJ	388	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	389	if (r == 2) {
	390	d = get_crypto_device(uuid);
	391	if (!d)
	392	return log_oom();
	393
1d84ad94	394	free_and_replace(d->options, uuid_value);
0fa9e53d	395	} else if (free_and_strdup(&arg_default_options, value) < 0)
141a79f4	396	return log_oom();
66a78c2b	397
1d84ad94	398	} else if (streq(key, "luks.key")) {
7949dfa7 MS	399	size_t n;
	400	_cleanup_free_ char keyfile = NULL, keydev = NULL;
	401	char *c;
	402	const char *keyspec;
1d84ad94 LP	403
	404	if (proc_cmdline_value_missing(key, value))
	405	return 0;
66a78c2b	406
7949dfa7 MS	407	n = strspn(value, LETTERS DIGITS "-");
	408	if (value[n] != '=') {
	409	if (free_and_strdup(&arg_default_keyfile, value) < 0)
	410	return log_oom();
	411	return 0;
	412	}
70f5f48e	413
7949dfa7 MS	414	uuid = strndup(value, n);
	415	if (!uuid)
	416	return log_oom();
6cd5b12a	417
7949dfa7 MS	418	if (!id128_is_valid(uuid)) {
	419	log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
	420	return 0;
	421	}
	422
	423	d = get_crypto_device(uuid);
	424	if (!d)
	425	return log_oom();
70f5f48e	426
7949dfa7 MS	427	keyspec = value + n + 1;
	428	c = strrchr(keyspec, ':');
	429	if (c) {
	430	*c = '\0';
	431	keyfile = strdup(keyspec);
	432	keydev = strdup(c + 1);
70f5f48e MS	433
	434	if (!keyfile \|\| !keydev)
	435	return log_oom();
7949dfa7 MS	436	} else {
	437	/* No keydev specified */
	438	keyfile = strdup(keyspec);
	439	if (!keyfile)
	440	return log_oom();
	441	}
70f5f48e	442
7949dfa7 MS	443	free_and_replace(d->keyfile, keyfile);
7949dfa7 MS	444	free_and_replace(d->keydev, keydev);
1d84ad94 LP	445	} else if (streq(key, "luks.name")) {
	446
	447	if (proc_cmdline_value_missing(key, value))
	448	return 0;
baade8cc JJ	449
	450	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	451	if (r == 2) {
	452	d = get_crypto_device(uuid);
	453	if (!d)
	454	return log_oom();
	455
	456	d->create = arg_whitelist = true;
	457
f9ecfd3b	458	free_and_replace(d->name, uuid_value);
baade8cc JJ	459	} else
baade8cc JJ	460	log_warning("Failed to parse luks name switch %s. Ignoring.", value);
85013844	461	}
66a78c2b	462
24a988e9	463	return 0;
66a78c2b LP	464	}
66a78c2b LP	465
0fa9e53d	466	static int add_crypttab_devices(void) {
7fd1b19b	467	_cleanup_fclose_ FILE *f = NULL;
b42674a1 LP	468	unsigned crypttab_line = 0;
	469	struct stat st;
	470	int r;
e23a0ce8	471
0fa9e53d JJ	472	if (!arg_read_crypttab)
	473	return 0;
	474
	475	f = fopen("/etc/crypttab", "re");
	476	if (!f) {
	477	if (errno != ENOENT)
	478	log_error_errno(errno, "Failed to open /etc/crypttab: %m");
	479	return 0;
e23a0ce8 LP	480	}
e23a0ce8 LP	481
0d536673 LP	482	(void) __fsetlocking(f, FSETLOCKING_BYCALLER);
0d536673 LP	483
0fa9e53d JJ	484	if (fstat(fileno(f), &st) < 0) {
	485	log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
	486	return 0;
	487	}
e23a0ce8	488
0fa9e53d	489	for (;;) {
b42674a1	490	_cleanup_free_ char line = NULL, name = NULL, device = NULL, keyfile = NULL, *options = NULL;
0fa9e53d	491	crypto_device *d = NULL;
b42674a1 LP	492	char l, uuid;
b42674a1 LP	493	int k;
4c12626c	494
b42674a1 LP	495	r = read_line(f, LONG_LINE_MAX, &line);
	496	if (r < 0)
	497	return log_error_errno(r, "Failed to read /etc/crypttab: %m");
	498	if (r == 0)
0fa9e53d	499	break;
66a78c2b	500
0fa9e53d	501	crypttab_line++;
141a79f4	502
0fa9e53d	503	l = strstrip(line);
b42674a1	504	if (IN_SET(l[0], 0, '#'))
0fa9e53d	505	continue;
66a78c2b	506
0fa9e53d JJ	507	k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
	508	if (k < 2 \|\| k > 4) {
	509	log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
	510	continue;
	511	}
66a78c2b	512
49fe5c09	513	uuid = STARTSWITH_SET(device, "UUID=", "luks-");
0fa9e53d JJ	514	if (!uuid)
0fa9e53d JJ	515	uuid = path_startswith(device, "/dev/disk/by-uuid/");
0fa9e53d JJ	516	if (uuid)
0fa9e53d JJ	517	d = hashmap_get(arg_disks, uuid);
8973790e	518
0fa9e53d JJ	519	if (arg_whitelist && !d) {
	520	log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
	521	continue;
8973790e LP	522	}
8973790e LP	523
70f5f48e	524	r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
0fa9e53d JJ	525	if (r < 0)
0fa9e53d JJ	526	return r;
8973790e	527
0fa9e53d JJ	528	if (d)
	529	d->create = false;
	530	}
8973790e	531
0fa9e53d JJ	532	return 0;
0fa9e53d JJ	533	}
66a78c2b	534
0fa9e53d JJ	535	static int add_proc_cmdline_devices(void) {
	536	int r;
	537	Iterator i;
	538	crypto_device *d;
66a78c2b	539
0fa9e53d JJ	540	HASHMAP_FOREACH(d, arg_disks, i) {
0fa9e53d JJ	541	const char *options;
baade8cc	542	_cleanup_free_ char *device = NULL;
66a78c2b	543
0fa9e53d JJ	544	if (!d->create)
0fa9e53d JJ	545	continue;
e23a0ce8	546
baade8cc JJ	547	if (!d->name) {
	548	d->name = strappend("luks-", d->uuid);
	549	if (!d->name)
	550	return log_oom();
	551	}
e23a0ce8	552
0fa9e53d JJ	553	device = strappend("UUID=", d->uuid);
	554	if (!device)
	555	return log_oom();
7ab064a6	556
0fa9e53d JJ	557	if (d->options)
	558	options = d->options;
	559	else if (arg_default_options)
	560	options = arg_default_options;
	561	else
	562	options = "timeout=0";
141a79f4	563
70f5f48e	564	r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
0fa9e53d JJ	565	if (r < 0)
0fa9e53d JJ	566	return r;
e23a0ce8 LP	567	}
e23a0ce8 LP	568
0fa9e53d JJ	569	return 0;
0fa9e53d JJ	570	}
e23a0ce8	571
0fa9e53d	572	int main(int argc, char *argv[]) {
5f4bfe56	573	int r;
e23a0ce8	574
0fa9e53d JJ	575	if (argc > 1 && argc != 4) {
	576	log_error("This program takes three or no arguments.");
	577	return EXIT_FAILURE;
	578	}
e23a0ce8	579
0fa9e53d JJ	580	if (argc > 1)
0fa9e53d JJ	581	arg_dest = argv[1];
e23a0ce8	582
afe44c8f	583	log_setup_generator();
e2cb60fa	584
0fa9e53d	585	arg_disks = hashmap_new(&string_hash_ops);
5f4bfe56 LP	586	if (!arg_disks) {
	587	r = log_oom();
	588	goto finish;
	589	}
7ab064a6	590
1d84ad94	591	r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
0fa9e53d	592	if (r < 0) {
5f4bfe56 LP	593	log_warning_errno(r, "Failed to parse kernel command line: %m");
5f4bfe56 LP	594	goto finish;
0fa9e53d	595	}
7ab064a6	596
0fa9e53d	597	if (!arg_enabled) {
5f4bfe56 LP	598	r = 0;
5f4bfe56 LP	599	goto finish;
e23a0ce8 LP	600	}
e23a0ce8 LP	601
5f4bfe56 LP	602	r = add_crypttab_devices();
	603	if (r < 0)
	604	goto finish;
0fa9e53d	605
5f4bfe56 LP	606	r = add_proc_cmdline_devices();
	607	if (r < 0)
	608	goto finish;
0fa9e53d	609
5f4bfe56	610	r = 0;
141a79f4	611
5f4bfe56	612	finish:
6dd1c368	613	hashmap_free_with_destructor(arg_disks, crypt_device_free);
0fa9e53d JJ	614	free(arg_default_options);
0fa9e53d JJ	615	free(arg_default_keyfile);
141a79f4	616
5f4bfe56	617	return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
e23a0ce8	618	}