From: Moritz Maxeiner Date: Thu, 30 Mar 2017 00:05:52 +0000 (+0200) Subject: crypt: Support keyfiles embedded in the initrd X-Git-Tag: 045~2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1fc68b989d024e58dde1ec3f9264784173b5b685;p=thirdparty%2Fdracut.git crypt: Support keyfiles embedded in the initrd For rd.luks.key=keypath:keydev:luksdev, keydev being '/' will assume the initrd contains the keyfile. --- diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh index 2e13da2e3..cb8197e7b 100755 --- a/modules.d/90crypt/crypt-lib.sh +++ b/modules.d/90crypt/crypt-lib.sh @@ -182,14 +182,19 @@ readkey() { local keydev="$2" local device="$3" - # This creates a unique single mountpoint for *, or several for explicitly - # given LUKS devices. It accomplishes unlocking multiple LUKS devices with - # a single password entry. - local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')" - - if [ ! -d "$mntp" ]; then - mkdir "$mntp" - mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' + # No mounting needed if the keyfile resides inside the initrd + if [ "/" == "$keydev" ]; then + local mntp=/ + else + # This creates a unique single mountpoint for *, or several for explicitly + # given LUKS devices. It accomplishes unlocking multiple LUKS devices with + # a single password entry. + local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')" + + if [ ! -d "$mntp" ]; then + mkdir "$mntp" + mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!' + fi fi case "${keypath##*.}" in 
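Review bot: `[ "/" == "$keydev" ]` relies on the non-POSIX `==` operator inside `[ ]`; if crypt-lib.sh is ever executed by a strict sh such as dash the test errors out, whereas `[ "/" = "$keydev" ]` behaves the same in every shell, and the same applies to the `==` test added in parse-keydev.sh. The keydev='/' branch would also benefit from a comment making the trust boundary explicit, because the keyfile is then only as confidential as the initrd image itself (typically kept unencrypted under /boot): `# Keyfile is read from the initrd root: it is protected only as well as the initrd image is`. readkey() continues past the end of this hunk.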
@@ -215,8 +220,11 @@ readkey() { *) cat "$mntp/$keypath" ;; esac - # General unmounting mechanism, modules doing custom cleanup should return earlier - # and install a pre-pivot cleanup hook - umount "$mntp" - rmdir "$mntp" + # No unmounting if the keyfile resides inside the initrd + if [ "/" != "$keydev" ]; then + # General unmounting mechanism, modules doing custom cleanup should return earlier + # and install a pre-pivot cleanup hook + umount "$mntp" + rmdir "$mntp" + fi } diff --git a/modules.d/90crypt/parse-keydev.sh b/modules.d/90crypt/parse-keydev.sh index 4f2d9a5e7..c2ea34d2e 100755 --- a/modules.d/90crypt/parse-keydev.sh +++ b/modules.d/90crypt/parse-keydev.sh @@ -17,7 +17,12 @@ if getargbool 1 rd.luks -n rd_NO_LUKS && \ continue fi - if [ -n "$keydev" ]; then + # A keydev of '/' is treated as the initrd itself + if [ "/" == "$keydev" ]; then + [ -z "$luksdev" ] && luksdev='*' + echo "$luksdev:$keydev:$keypath" >> /tmp/luks.keys + continue + elif [ -n "$keydev" ]; then udevmatch "$keydev" >&7 || { warn 'keydev incorrect!' continue
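Review bot: The new initrd branch appends `$luksdev:$keydev:$keypath` to /tmp/luks.keys without checking that the keyfile actually exists in the initrd, so a mistyped rd.luks.key path is only noticed later when readkey's `cat` fails, whereas the `-n "$keydev"` branch validates its input with udevmatch and warns immediately. Mirroring that style, `[ -f "/$keypath" ] || { warn 'keyfile not found in initrd!'; continue; }` placed before the `echo` would surface the error at parse time. Whether keypath is expected to carry a leading slash is not visible here, so the exact path expression should be confirmed against readkey's `$mntp/$keypath` usage. The enclosing loop and the `if getargbool` test begin before this hunk.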