#!/bin/sh
#
-# $1=$device [$2=keyfile|none [$3=size]]
+# $1=$device [$2=keyfile|none [$3=keyslot|any [$4=size]]]
#
[ -d /sys/module/dm_crypt ] || modprobe dm_crypt
+[ -d /sys/module/loop ] || modprobe loop
+
[ -f /tmp/reencrypted ] && exit 0
. /lib/dracut-lib.sh
device="$1"
fi
-PARAMS="$device -T 1 --use-fsync -B 32"
-if [ -n "$3" ]; then
- PARAMS="$PARAMS --device-size $3"
+PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
+if [ "$3" != "any" ]; then
+ PARAMS="$PARAMS -S $3"
+fi
+
+if [ -n "$4" ]; then
+ PARAMS="$PARAMS --device-size $4"
fi
reenc_readkey() {
- local keypath="${1#*:}"
- local keydev="${1%%:*}"
+ keypath="${1#*:}"
+ keydev="${1%%:*}"
- local mntp="/tmp/reencrypted-mount-tmp"
+ mntp="/tmp/reencrypted-mount-tmp"
mkdir "$mntp"
- mount -r "$keydev" "$mntp" || return
- cat "$mntp/$keypath"
+ mount -r "$keydev" "$mntp" && cat "$mntp/$keypath"
umount "$mntp"
- rmdir "$mntp"
+ rm -r "$mntp"
}
+# shellcheck disable=SC2086
+# shellcheck disable=SC2164
reenc_run() {
- local cwd=$(pwd)
+ cwd=$(pwd)
+ _prompt="LUKS password for REENCRYPTING $device"
cd /tmp
+ udevadm settle
if [ "$1" = "none" ] ; then
+ if [ "$2" != "any" ]; then
+ _prompt="$_prompt, using keyslot $2"
+ fi
/bin/plymouth ask-for-password \
- --prompt "LUKS password for REENCRYPTING $device" \
- --command="/sbin/cryptsetup-reencrypt $PARAMS"
+ --prompt "$_prompt" \
+ --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
else
info "REENCRYPT using key $1"
- reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
+ reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
fi
+ _ret=$?
cd $cwd
}
info "REENCRYPT $device requested"
# flock against other interactive activities
+# shellcheck disable=SC2086
{ flock -s 9;
- reenc_run $2
-} 9>/.console.lock
+ reenc_run $2 $3
+} 9>/.console_lock
-# do not ask again
->> /tmp/reencrypted
+if [ $_ret -eq 0 ]; then
+ # do not ask again
+ # shellcheck disable=SC2188
+ >> /tmp/reencrypted
+ warn "Reencryption of device $device has finished successfully. Use previous"
+ warn "initramfs image (without reencrypt module) to boot the system. When"
+ warn "you leave the emergency shell, the system will reboot."
+
+ emergency_shell -n "(reboot)"
+ [ -x /usr/bin/systemctl ] && /usr/bin/systemctl reboot
+ [ -x /sbin/shutdown ] && /sbin/shutdown -r now
+fi
-exit 0
+# panic the kernel otherwise
+exit 1
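Review bot: Replacing `rmdir` with `rm -r "$mntp"` at the end of reenc_readkey makes the cleanup recursive on a directory that may still be a mount point, because the result of `umount "$mntp"` on the line before is never checked; if the unmount fails (device busy) the recursion walks into the key device, and only the read-only mount from `mount -r` keeps it from deleting the keyfile. `rmdir` failed closed here (it refuses a non-empty directory), so I would keep that property and gate it on the unmount: `umount "$mntp" && rmdir "$mntp"`, warning on failure instead of recursing. Separately, `_ret=$?` after the `if` records plymouth's status in the interactive branch and the last pipeline stage's status in the keyfile branch, so a failed `reenc_readkey` (mount error, missing key path) is only caught indirectly through cryptsetup rejecting an empty key — worth a comment at `_ret=$?` saying that is the intent. `[ $_ret -eq 0 ]` is also unquoted, so an unset `_ret` becomes a test syntax error that falls through to the kernel-panic `exit 1`; presumably that fail-closed default is intended, but `[ "${_ret:-1}" -eq 0 ]` makes it explicit. The context between `device="$1"` and the stray `fi` appears to be elided from this hunk, so I cannot see what that `fi` closes.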