2 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
3 # ex: ts=8 sw=4 sts=4 et filetype=sh
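# Early-exit guards and setup that run before any unlock attempt.
# Arguments used here:
#   $2 - device-mapper name of the target mapping; it is compared against
#        /dev/mapper/<name> and the per-device marker file under /tmp.

# Pin PATH to the system directories so modprobe and the other tools this
# script runs are not resolved through an inherited PATH.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
NEWROOT=${NEWROOT:-"/sysroot"}

# do not ask, if we already have root
# NOTE(review): -f is true only for a regular file; if "$NEWROOT/proc" is a
# directory once root is mounted, this guard never fires. Confirm that -d or
# -e was not intended.
[ -f "$NEWROOT/proc" ] && exit 0

# check if destination already exists
# Expansions are quoted so a name containing whitespace or glob characters
# is tested as one path instead of being split into several words by `[`.
[ -b "/dev/mapper/$2" ] && exit 0

# we already asked for this device
[ -f "/tmp/cryptroot-asked-$2" ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

# Presumably provides the key and passphrase helpers called later in the
# script; confirm against the library itself.
. /lib/dracut-crypt-lib.sh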
# Main unlock logic: resolve the device name, look it up in /etc/crypttab,
# then try a key file, a key from rd.luks.key, and finally a passphrase.
# The embedded line numbers skip values, so statements between the numbered
# lines (closing fi/done, else branches, defaults) are not visible here.
22 # default luksname - luks-UUID
25 # fallback to passphrase
28 # if device name is /dev/dm-X, convert to /dev/mapper/name
# The prefix-strip comparison is true only when $1 starts with /dev/dm-;
# dmsetup is then asked for the mapping's name.
29 if [ "${1##/dev/dm-}" != "$1" ]; then
30 device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
38 # TODO: improve to support what cmdline does
# crypttab is consulted only when the file exists and getargbool accepts
# rd.luks.crypttab (called with default 1, presumably "enabled unless turned
# off" - confirm against getargbool).
39 if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
# NOTE(review): read is used without -r, so backslashes in crypttab fields
# are interpreted rather than kept literally.
40 while read name dev luksfile luksoptions; do
41 # ignore blank lines and comments
42 if [ -z "$name" -o "${name#\#}" != "$name" ]; then
46 # UUID used in crypttab
47 if [ "${dev%%=*}" = "UUID" ]; then
# Match when "luks-<UUID from crypttab>" equals the mapping name in $2.
48 if [ "luks-${dev##UUID=}" = "$2" ]; then
53 # path used in crypttab
# Both paths are canonicalised before comparison so that symlinked device
# names compare equal.
# NOTE(review): $dev and $device are unquoted here; a value containing
# whitespace would be split into several readlink arguments.
55 cdev=$(readlink -f $dev)
56 mdev=$(readlink -f $device)
57 if [ "$cdev" = "$mdev" ]; then
# Logs the device, mapping name, key-file path and options. Only the path of
# the key file is logged on this line, not its contents.
70 info "luksOpen $device $luksname $luksfile $luksoptions"
# Walks the positional parameters; the code that sets them and the loop body
# up to line 92 are not visible in this excerpt.
77 while [ $# -gt 0 ]; do
# The condition guarding this assignment is outside the excerpt.
92 allowdiscards="--allow-discards"
97 # parse for allow-discards
# Feature detection: the option is considered only if the help text of the
# installed cryptsetup mentions allow-discards.
# Security caveat: cryptsetup's documentation warns that passing discards
# (TRIM) through dm-crypt can reveal which blocks of the ciphertext device
# are unused, so this is opt-in per device or via the boolean below.
98 if strstr "$(cryptsetup --help)" "allow-discards"; then
# Per-device form: rd.luks.allow-discards carries a list of ids; the "luks-"
# prefix is stripped and this device's id is searched for in the list.
99 if discarduuids=$(getargs "rd.luks.allow-discards"); then
100 discarduuids=$(str_replace "$discarduuids" 'luks-' '')
101 if strstr " $discarduuids " " ${luksdev##luks-}"; then
102 allowdiscards="--allow-discards"
# Boolean form: rd.luks.allow-discards without a list (default 0).
104 elif getargbool 0 rd.luks.allow-discards; then
105 allowdiscards="--allow-discards"
# $allowdiscards is appended only when cryptsetup supports the option.
109 if strstr "$(cryptsetup --help)" "allow-discards"; then
110 cryptsetupopts="$cryptsetupopts $allowdiscards"
# Key-file path taken from crypttab: used only when the field is set, is not
# the literal "none", and the file exists.
# $cryptsetupopts is left unquoted so it splits into separate options.
115 if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
116 if cryptsetup --key-file "$luksfile" $cryptsetupopts luksOpen "$device" "$luksname"; then
# Key supplied through rd.luks.key: getkey looks the device up in
# /tmp/luks.keys (format not visible here).
# NOTE(review): $device is unquoted in the getkey call.
120 while [ -n "$(getarg rd.luks.key)" ]; do
121 if tmp=$(getkey /tmp/luks.keys $device); then
# When the retry budget is exhausted the script warns and, per the message,
# falls back to passphrase mode.
125 if [ $numtries -eq 0 ]; then
126 warn "No key found for $device. Fallback to passphrase mode."
130 info "No key found for $device. Will try $numtries time(s) more later."
# Re-queues this script for the same device with the retry count reduced by
# one; --unique/--onetime are initqueue flags (semantics not visible here).
131 initqueue --unique --onetime --settled \
132 --name cryptroot-ask-$luksname \
133 $(command -v cryptroot-ask) "$device" "$luksname" "$(($numtries-1))"
138 info "Using '$keypath' on '$keydev'"
# The key is piped to cryptsetup and read from stdin ("-d -"), so the key
# material does not appear in any command line.
139 readkey "$keypath" "$keydev" "$device" \
140 | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"
# Interactive passphrase prompt.
147 if [ $ask_passphrase -ne 0 ]; then
# NOTE(review): the luksOpen command is built as a single string with $device
# and $luksname interpolated unquoted. How ask_for_password runs that string
# is not visible here; if it is evaluated by a shell, names containing
# whitespace or shell metacharacters would not stay single arguments.
# Confirm that both values are constrained before they reach this point.
148 luks_open="$(command -v cryptsetup) $cryptsetupopts luksOpen"
# -T is cryptsetup's tries option: one attempt per invocation for the
# --ply-cmd variant, five for the --tty-cmd variant.
149 ask_for_password --ply-tries 5 \
150 --ply-cmd "$luks_open -T1 $device $luksname" \
151 --ply-prompt "Password ($device)" \
153 --tty-cmd "$luks_open -T5 $device $luksname"
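# Drop the per-device working variables. They hold the device path, the
# mapping name and the key-file path, not key material.
unset device luksname luksfile

# mark device as asked
# Creates an empty marker file, or leaves an existing one untouched. The
# guard near the top of the script exits early when this file is present, so
# the same device is not prompted for twice.
# The path is quoted so that $2 is always used as a single file name.
# NOTE(review): the marker has a predictable name under /tmp and >> follows
# symlinks; this is only safe if /tmp is private to the early-boot
# environment. Confirm.
>> "/tmp/cryptroot-asked-$2"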