while true; do
local do_break="y"
for i in /dev/mapper/luks-*; do
- cryptsetup luksClose $i > /dev/null 2>&1 && do_break=n
+ cryptsetup luksClose "$i" > /dev/null 2>&1 && do_break=n
done
[ "$do_break" = "y" ] && break
done
local dev="$2"
local l d rest
if [ -f /etc/crypttab ]; then
- while read l d rest || [ -n "$l" ]; do
+ while read -r l d rest || [ -n "$l" ]; do
strstr "${l##luks-}" "${luks##luks-}" && return 0
strstr "$d" "${luks##luks-}" && return 0
if [ -n "$dev" ]; then
- for _dev in $(devnames $d); do
+ for _dev in $(devnames "$d"); do
[ "$dev" -ef "$_dev" ] && return 0
done
fi
_line=$(sed -n "\,^$d .*$,{p}" /etc/block_uuid.map)
[ -z "$_line" ] && continue
# get second column with uuid
- _uuid="$(echo $_line | sed 's,^.* \(.*$\),\1,')"
+ _uuid="$(echo "$_line" | sed 's,^.* \(.*$\),\1,')"
strstr "$_uuid" "${luks##luks-}" && return 0
fi
done < /etc/crypttab
# Turn off input echo before tty command is executed and turn on after.
# It's useful when password is read from stdin.
ask_for_password() {
- local cmd
- local prompt
- local tries=3
local ply_cmd
local ply_prompt
local ply_tries=3
# Prompt for password with plymouth, if installed and running.
if type plymouth > /dev/null 2>&1 && plymouth --ping 2> /dev/null; then
plymouth ask-for-password \
- --prompt "$ply_prompt" --number-of-tries=$ply_tries \
+ --prompt "$ply_prompt" --number-of-tries="$ply_tries" \
--command="$ply_cmd"
ret=$?
else
fi
local i=1
- while [ $i -le $tty_tries ]; do
+ while [ $i -le "$tty_tries" ]; do
[ -n "$tty_prompt" ] \
- && printf "$tty_prompt [$i/$tty_tries]:" >&2
+ && printf "%s" "$tty_prompt [$i/$tty_tries]:" >&2
eval "$tty_cmd" && ret=0 && break
ret=$?
i=$((i + 1))
[ -n "$tty_prompt" ] && printf '\n' >&2
done
- [ "$tty_echo_off" = yes ] && stty $stty_orig
+ [ "$tty_echo_off" = yes ] && stty "$stty_orig"
fi
} 9> /.console_lock
local dev="$2"
local f="$3"
local ret=1
- local mount_point=$(mkuniqdir /mnt testdev)
- local path
+ local mount_point
+ mount_point=$(mkuniqdir /mnt testdev)
[ -n "$dev" -a -n "$*" ] || return 1
[ -d "$mount_point" ] || die 'Mount point does not exist!'
if mount -r "$dev" "$mount_point" > /dev/null 2>&1; then
- test $test_op "${mount_point}/${f}"
+ test "$test_op" "${mount_point}/${f}"
ret=$?
umount "$mount_point"
fi
[ -z "$keys_file" -o -z "$for_dev" ] && die 'getkey: wrong usage!'
[ -f "$keys_file" ] || return 1
- local IFS=:
- while read luks_dev key_dev key_path || [ -n "$luks_dev" ]; do
+ while IFS=: read -r luks_dev key_dev key_path _ || [ -n "$luks_dev" ]; do
if match_dev "$luks_dev" "$for_dev"; then
echo "${key_dev}:${key_path}"
return 0
# This creates a unique single mountpoint for *, or several for explicitly
# given LUKS devices. It accomplishes unlocking multiple LUKS devices with
# a single password entry.
- local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
+ local mntp
+ mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
if [ ! -d "$mntp" ]; then
mkdir -p "$mntp"
if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
. /lib/dracut-crypt-loop-lib.sh
loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
- printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > ${hookdir}/cleanup/"crypt-loop-cleanup-99-${mntp##*/}".sh
+ printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > "${hookdir}/cleanup/crypt-loop-cleanup-99-${mntp##*/}".sh
return 0
else
die "No loop file support to decrypt '$keypath' on '$keydev'."
NEWROOT=${NEWROOT:-"/sysroot"}
# do not ask, if we already have root
-[ -f $NEWROOT/proc ] && exit 0
+[ -f "$NEWROOT"/proc ] && exit 0
. /lib/dracut-lib.sh
# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
- while read name dev luksfile luksoptions || [ -n "$name" ]; do
+ while read -r name dev luksfile luksoptions || [ -n "$name" ]; do
# ignore blank lines and comments
if [ -z "$name" -o "${name#\#}" != "$name" ]; then
continue
# path used in crypttab
else
- cdev=$(readlink -f $dev)
- mdev=$(readlink -f $device)
+ cdev=$(readlink -f "$dev")
+ mdev=$(readlink -f "$device")
if [ "$cdev" = "$mdev" ]; then
luksname="$name"
break
fi
# check if destination already exists
-[ -b /dev/mapper/$luksname ] && exit 0
+[ -b /dev/mapper/"$luksname" ] && exit 0
# we already asked for this device
asked_file=/tmp/cryptroot-asked-$luksname
-[ -f $asked_file ] && exit 0
+[ -f "$asked_file" ] && exit 0
# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
OLD_IFS="$IFS"
IFS=,
+# shellcheck disable=SC2086
set -- $luksoptions
IFS="$OLD_IFS"
if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
if readkey "$luksfile" / "$device" \
- | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"; then
+ | cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname"; then
ask_passphrase=0
fi
elif [ "$is_keysource" -ne 0 ]; then
info "Asking for passphrase because $device is a keysource."
else
while [ -n "$(getarg rd.luks.key)" ]; do
- if tmp=$(getkey /tmp/luks.keys $device); then
+ if tmp=$(getkey /tmp/luks.keys "$device"); then
keydev="${tmp%%:*}"
keypath="${tmp#*:}"
else
- if [ $numtries -eq 0 ]; then
+ if [ "$numtries" -eq 0 ]; then
warn "No key found for $device. Fallback to passphrase mode."
break
fi
sleep 1
info "No key found for $device. Will try $numtries time(s) more later."
initqueue --unique --onetime --settled \
- --name cryptroot-ask-$luksname \
- $(command -v cryptroot-ask) "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
+ --name cryptroot-ask-"$luksname" \
+ "$(command -v cryptroot-ask)" "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
exit 0
fi
unset tmp
info "Using '$keypath' on '$keydev'"
readkey "$keypath" "$keydev" "$device" \
- | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
+ | cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname" \
&& ask_passphrase=0
unset keypath keydev
break
unset _timeout
fi
-if [ "$is_keysource" -ne 0 -a ${luksname##luks-} != "$luksname" ]; then
+if [ "$is_keysource" -ne 0 -a "${luksname##luks-}" != "$luksname" ]; then
luks_close="$(command -v cryptsetup) close"
{
printf -- '[ -e /dev/mapper/%s ] && ' "$luksname"
unset device luksname luksfile
# mark device as asked
->> $asked_file
+: >> "$asked_file"
need_shutdown
udevsettle
# called by dracut
check() {
- local _rootdev
+ local fs
# if cryptsetup is not installed, then we cannot support encrypted devices.
- require_any_binary $systemdutildir/systemd-cryptsetup cryptsetup || return 1
+ require_any_binary "$systemdutildir"/systemd-cryptsetup cryptsetup || return 1
[[ $hostonly ]] || [[ $mount_needs ]] && {
for fs in "${host_fs_types[@]}"; do
[[ $hostonly ]] || [[ $mount_needs ]] && {
# dmsetup returns s.th. like
# cryptvol: 0 2064384 crypt aes-xts-plain64 :64:logon:cryptsetup:....
- dmsetup table | while read name _ _ is_crypt cipher _; do
- [[ $is_crypt != "crypt" ]] && continue
+ dmsetup table | while read -r name _ _ is_crypt cipher _; do
+ [[ $is_crypt == "crypt" ]] || continue
# get the device name
- name=/dev/$(dmsetup info -c --noheadings -o blkdevname ${name%:})
- # check if the device exists as a key in our host_fs_types
+ name=/dev/$(dmsetup info -c --noheadings -o blkdevname "${name%:}")
+ # check if the device exists as a key in our host_fs_types (even with null string)
+ # shellcheck disable=SC2030 # this is a shellcheck bug
if [[ ${host_fs_types[$name]+_} ]]; then
# split the cipher aes-xts-plain64 in pieces
- _OLD_IFS=$IFS
- IFS='-:'
- set -- $cipher
- IFS=$_OLD_IFS
+ IFS='-:' read -ra mods <<< "$cipher"
# try to load the cipher part with "crypto-" prepended
# in non-hostonly mode
- hostonly= instmods $(for k in "$@"; do echo "crypto-$k"; done)
+ hostonly='' instmods "${mods[@]/#/crypto-}" "crypto-$cipher"
fi
done
}
[[ ${host_fs_types[$dev]} != "crypto_LUKS" ]] && continue
UUID=$(
- blkid -u crypto -o export $dev \
- | while read line || [ -n "$line" ]; do
- [[ ${line#UUID} == $line ]] && continue
+ blkid -u crypto -o export "$dev" \
+ | while read -r line || [ -n "$line" ]; do
+ [[ ${line#UUID} == "$line" ]] && continue
printf "%s" "${line#UUID=}"
break
done
install() {
if [[ $hostonly_cmdline == "yes" ]]; then
- local _cryptconf=$(cmdline)
+ local _cryptconf
+ _cryptconf=$(cmdline)
[[ $_cryptconf ]] && printf "%s\n" "$_cryptconf" >> "${initdir}/etc/cmdline.d/90crypt.conf"
fi
if [[ $hostonly ]] && [[ -f $dracutsysrootdir/etc/crypttab ]]; then
# filter /etc/crypttab for the devices we need
- while read _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do
+ while read -r _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do
[[ $_mapper == \#* ]] && continue
[[ $_dev ]] || continue
[[ $_dev == ID=* ]] \
&& _dev="/dev/disk/by-id/${_dev#ID=}"
- echo "$_dev $(blkid $_dev -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"
+ echo "$_dev $(blkid "$_dev" -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"
# loop through the options to check for the force option
luksoptions=${_luksoptions}
OLD_IFS="${IFS}"
IFS=,
+ # shellcheck disable=SC2086
set -- ${luksoptions}
IFS="${OLD_IFS}"
# the cryptsetup targets are already pulled in by 00systemd, but not
# the enablement symlinks
inst_multiple -o \
- $systemdutildir/system-generators/systemd-cryptsetup-generator \
- $systemdutildir/systemd-cryptsetup \
- $systemdsystemunitdir/systemd-ask-password-console.path \
- $systemdsystemunitdir/systemd-ask-password-console.service \
- $systemdsystemunitdir/cryptsetup.target \
- $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
- $systemdsystemunitdir/remote-cryptsetup.target \
- $systemdsystemunitdir/initrd-root-device.target.wants/remote-cryptsetup.target \
+ "$systemdutildir"/system-generators/systemd-cryptsetup-generator \
+ "$systemdutildir"/systemd-cryptsetup \
+ "$systemdsystemunitdir"/systemd-ask-password-console.path \
+ "$systemdsystemunitdir"/systemd-ask-password-console.service \
+ "$systemdsystemunitdir"/cryptsetup.target \
+ "$systemdsystemunitdir"/sysinit.target.wants/cryptsetup.target \
+ "$systemdsystemunitdir"/remote-cryptsetup.target \
+ "$systemdsystemunitdir"/initrd-root-device.target.wants/remote-cryptsetup.target \
systemd-ask-password systemd-tty-ask-password-agent
fi
is_keysource=0
_uuid=$uuid
uuid=${uuid#keysource:}
- [ $uuid != $_uuid ] && is_keysource=1
+ [ "$uuid" != "$_uuid" ] && is_keysource=1
unset _uuid
uuid=${uuid##luks-}
printf -- 'ENV{ID_PART_ENTRY_UUID}=="*%s*", ' "$uuid"
printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)"
printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)"
- printf -- '$env{DEVNAME} %s %s"\n' "$luksname" "$is_keysource" "$tout"
+ # shellcheck disable=SC2016
+ printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
luksname=$(dev_unit_name "$luksname")
+ # shellcheck disable=SC1003
luksname="$(str_replace "$luksname" '\' '\\')"
if ! crypttab_contains "$uuid"; then
is_keysource=0
_serialid=$serialid
serialid=${serialid#keysource:}
- [ $serialid != $_serialid ] && is_keysource=1
+ [ "$serialid" != "$_serialid" ] && is_keysource=1
unset _serialid
serialid=${serialid##luks-}
printf -- 'ENV{ID_SERIAL_SHORT}=="*%s*", ' "$serialid"
printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)"
printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)"
- printf -- '$env{DEVNAME} %s %s"\n' "$luksname" "$is_keysource" "$tout"
+ # shellcheck disable=SC2016
+ printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
luksname=$(dev_unit_name "$luksname")
+ # shellcheck disable=SC1003
luksname="$(str_replace "$luksname" '\' '\\')"
if ! crypttab_contains "$serialid"; then
is_keysource=0
_luksid=$luksid
luksid=${luksid#keysource:}
- [ $luksid != $_luksid ] && is_keysource=1
+ [ "$luksid" != "$_luksid" ] && is_keysource=1
unset _luksid
luksid=${luksid##luks-}
printf -- 'ENV{ID_FS_UUID}=="*%s*", ' "$luksid"
printf -- 'RUN+="%s --settled --unique --onetime ' "$(command -v initqueue)"
printf -- '--name cryptroot-ask-%%k %s ' "$(command -v cryptroot-ask)"
+ # shellcheck disable=SC2016
printf -- '$env{DEVNAME} %s %s %s"\n' "$luksname" "$is_keysource" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
luksname=$(dev_unit_name "$luksname")
+ # shellcheck disable=SC1003
luksname="$(str_replace "$luksname" '\' '\\')"
if ! crypttab_contains "$luksid"; then
if [ $is_keysource -eq 0 ]; then
uuid=$luksid
while [ "$uuid" != "${uuid#*-}" ]; do uuid=${uuid%%-*}${uuid#*-}; done
- printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' $uuid \
+ printf -- '[ -e /dev/disk/by-id/dm-uuid-CRYPT-LUKS?-*%s*-* ] || exit 1\n' "$uuid" \
>> "$hookdir/initqueue/finished/90-crypt.sh"
{
- printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' $luksid
- printf -- 'warn "crypto LUKS UUID "%s" not found"\n' $luksid
+ printf -- '[ -e /dev/disk/by-uuid/*%s* ] || ' "$luksid"
+ printf -- 'warn "crypto LUKS UUID "%s" not found"\n' "$luksid"
} >> "$hookdir/emergency/90-crypt.sh"
fi
done
{
printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)"
printf -- '--unique --settled --onetime --name cryptroot-ask-%%k '
+ # shellcheck disable=SC2016
printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID} %s"\n' "$(command -v cryptroot-ask)" "$tout"
} >> /etc/udev/rules.d/70-luks.rules.new
else
{
printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)"
printf -- '--unique --settled --onetime --name crypt-run-generator-%%k '
+ # shellcheck disable=SC2016
printf -- '%s $env{DEVNAME} luks-$env{ID_FS_UUID}"\n' "$(command -v crypt-run-generator)"
} >> /etc/udev/rules.d/70-luks.rules.new
fi
fi
{
- printf -- 'RUN+="%s --unique --onetime ' $(command -v initqueue)
+ printf -- 'RUN+="%s --unique --onetime ' "$(command -v initqueue)"
printf -- '--name probe-keydev-%%k '
printf -- '%s /dev/%%k %s %s"\n' \
- $(command -v probe-keydev) "${keypath}" "${luksdev}"
+ "$(command -v probe-keydev)" "${keypath}" "${luksdev}"
} >&7
done
unset arg keypath keydev luksdev
projects / thirdparty / dracut.git / commitdiff
