get rid of absolute PATHs
[platform/upstream/dracut.git] / modules.d / 90crypt / cryptroot-ask.sh
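#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# cryptroot-ask: open one LUKS device, from a key file or a passphrase prompt.
#
# Arguments:
#   $1 - block device to open (a /dev/dm-X name is mapped to /dev/mapper/NAME)
#   $2 - default mapping name ("luks-UUID"); also used for the "already
#        asked" marker file in /tmp
#
# Always exits 0, even when cryptsetup fails; see the note at the end.

PATH=/usr/sbin:/usr/bin:/sbin:/bin

# do not ask, if we already have root
# NOTE(review): -f is true only for a regular file. If /sysroot/proc is a
# directory once root is mounted, this test never fires - confirm intent.
[ -f /sysroot/proc ] && exit 0

# check if destination already exists
[ -b "/dev/mapper/$2" ] && exit 0

# we already asked for this device
[ -f "/tmp/cryptroot-asked-$2" ] && exit 0

# load dm_crypt if it is not already loaded
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt

. /lib/dracut-crypt-lib.sh

# default luksname - luks-UUID
luksname=$2

# if device name is /dev/dm-X, convert to /dev/mapper/name
if [ "${1##/dev/dm-}" != "$1" ]; then
    device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
else
    device="$1"
fi

# TODO: improve to support what cmdline does
if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
    # -r keeps backslashes in crypttab fields literal.
    while read -r name dev rest; do
        # ignore blank lines and comments
        if [ -z "$name" ] || [ "${name#\#}" != "$name" ]; then
            continue
        fi

        # UUID used in crypttab
        if [ "${dev%%=*}" = "UUID" ]; then
            if [ "luks-${dev##UUID=}" = "$2" ]; then
                luksname="$name"
                break
            fi

        # path used in crypttab
        else
            # Compare canonical paths so symlinked names match the same
            # device. Quoted so a path is never word-split or globbed.
            cdev=$(readlink -f "$dev")
            mdev=$(readlink -f "$device")
            if [ "$cdev" = "$mdev" ]; then
                luksname="$name"
                break
            fi
        fi
    done < /etc/crypttab
    unset name dev rest
fi

#
# Open LUKS device
#

info "luksOpen $device $luksname"

if [ -n "$(getarg rd.luks.key)" ]; then
    # getkey output is split at the first ':' into key device and key path.
    if tmp=$(getkey /tmp/luks.keys "$device"); then
        keydev="${tmp%%:*}"
        keypath="${tmp#*:}"
    else
        info "No key found for $device.  Will try later."
        initqueue --unique --onetime --settled \
            --name "cryptroot-ask-$luksname" \
            "$(command -v cryptroot-ask)" "$@"
        exit 0
    fi
    unset tmp

    # Mount the key device read-only, use the key file, then unmount.
    mntp=$(mkuniqdir /mnt keydev)
    mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
    # The exit status of cryptsetup is not checked here.
    cryptsetup -d "$mntp/$keypath" luksOpen "$device" "$luksname"
    umount "$mntp"
    rmdir "$mntp"
    unset mntp keypath keydev
else
    # Prompt for password with plymouth, if installed and running.
    if [ -x /bin/plymouth ] && /bin/plymouth --has-active-vt; then
        prompt="Password [$device ($luksname)]:"
        if [ "${#luksname}" -gt 8 ]; then
            # Abbreviate long names for the prompt: drop the "luks-" prefix,
            # then keep at most the first eight characters. The inner
            # expansion is quoted so it is matched literally, not as a glob.
            sluksname=${luksname##luks-}
            if [ "${#sluksname}" -gt 8 ]; then
                sluksname=${sluksname%%"${sluksname##????????}"}
            fi
            prompt="Password for $device ($sluksname...)"
        fi

        # flock against other interactive activities
        # NOTE(review): $device and $luksname are pasted into one command
        # string. If plymouth re-splits it or hands it to a shell, names
        # with whitespace or shell metacharacters are reinterpreted.
        # luksname can come from /etc/crypttab - confirm that file and the
        # device name are trusted in this initramfs.
        { flock -s 9;
            /bin/plymouth ask-for-password \
                --prompt "$prompt" --number-of-tries=5 \
                --command="$(command -v cryptsetup) luksOpen -T1 $device $luksname"
        } 9>/.console.lock

        unset sluksname prompt

    else
        # flock against other interactive activities
        { flock -s 9;
            echo "$device ($luksname) is password protected"
            cryptsetup luksOpen -T5 "$device" "$luksname"
        } 9>/.console.lock
    fi
fi

unset device luksname

# mark device as asked
# The marker is written whether or not the device was actually opened, so
# a failed attempt is not retried by a later run of this script.
>> "/tmp/cryptroot-asked-$2"

udevsettle

exit 0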