cryptroot-ask.sh: use key file, if specified in crypttab and present
authorHarald Hoyer <harald@redhat.com>
Wed, 16 Nov 2011 10:36:46 +0000 (11:36 +0100)
committerHarald Hoyer <harald@redhat.com>
Wed, 16 Nov 2011 10:42:09 +0000 (11:42 +0100)
If a key file is specified in crypttab and present in the initramfs, use
it to open the device.

https://bugzilla.redhat.com/show_bug.cgi?id=751640

modules.d/90crypt/cryptroot-ask.sh

index 9b8f8c2..6a95dc2 100755 (executable)
@@ -34,7 +34,7 @@ fi
 
 # TODO: improve to support what cmdline does
 if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -n rd_NO_CRYPTTAB; then
-    while read name dev rest; do
+    while read name dev luksfile rest; do
         # ignore blank lines and comments
         if [ -z "$name" -o "${name#\#}" != "$name" ]; then
             continue
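Review bot: The new `read name dev luksfile rest` still runs without `-r`, so a backslash in the crypttab key-file path is consumed as an escape before the path is later tested with `-e` and handed to `cryptsetup --key-file`; `while read -r name dev luksfile rest; do` keeps the field byte-exact. Since `luksfile` is now a variable that outlives this loop, it should also be reset (`luksfile=`) before the read, or on every non-matching line, so that a value parsed from an earlier entry cannot survive to the luksOpen step when the matching entry has no third field; the loop body that decides the match continues outside this hunk, so I cannot confirm whether it already does this.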
@@ -64,37 +64,44 @@ fi
 # Open LUKS device
 #
 
-info "luksOpen $device $luksname"
+info "luksOpen $device $luksname $luksfile"
 
-while [ -n "$(getarg rd.luks.key)" ]; do
-    if tmp=$(getkey /tmp/luks.keys $device); then
-        keydev="${tmp%%:*}"
-        keypath="${tmp#*:}"
-    else
-        if [ $# -eq 3 ]; then
-            if [ $3 -eq 0 ]; then
-                info "No key found for $device.  Fallback to passphrase mode."
-                break
-            fi
-            info "No key found for $device.  Will try $3 time(s) more later."
-            set -- "$1" "$2" "$(($3 - 1))"
+if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
+    if cryptsetup --key-file "$luksfile" luksOpen "$device" "$luksname"; then
+        ask_passphrase=0
+    fi
+else
+    while [ -n "$(getarg rd.luks.key)" ]; do
+        if tmp=$(getkey /tmp/luks.keys $device); then
+            keydev="${tmp%%:*}"
+            keypath="${tmp#*:}"
         else
-            info "No key found for $device.  Will try later."
+            if [ $# -eq 3 ]; then
+                if [ $3 -eq 0 ]; then
+                    info "No key found for $device.  Fallback to passphrase mode."
+                    break
+                fi
+                info "No key found for $device.  Will try $3 time(s) more later."
+                set -- "$1" "$2" "$(($3 - 1))"
+            else
+                info "No key found for $device.  Will try later."
+            fi
+            initqueue --unique --onetime --settled \
+                --name cryptroot-ask-$luksname \
+                $(command -v cryptroot-ask) "$@"
+            exit 0
         fi
-        initqueue --unique --onetime --settled \
-            --name cryptroot-ask-$luksname \
-            $(command -v cryptroot-ask) "$@"
-        exit 0
-    fi
-    unset tmp
-
-    info "Using '$keypath' on '$keydev'"
-    readkey "$keypath" "$keydev" "$device" \
-        | cryptsetup -d - luksOpen "$device" "$luksname"
-    unset keypath keydev
-    ask_passphrase=0
-    break
-done    
+        unset tmp
+
+        info "Using '$keypath' on '$keydev'"
+        readkey "$keypath" "$keydev" "$device" \
+            | cryptsetup -d - luksOpen "$device" "$luksname"
+        unset keypath keydev
+        ask_passphrase=0
+        break
+    done
+fi
+
 if [ $ask_passphrase -ne 0 ]; then
     luks_open="$(command -v cryptsetup) luksOpen"
     ask_for_password --ply-tries 5 \
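Review bot: The key-file test on the first added line combines three tests with `-a` and accepts any existing path via `-e`, so a directory or other non-regular path from crypttab passes the check and only fails inside cryptsetup, and a crypttab value such as `!` or `(` makes the `[` expression ambiguous; `if [ -n "$luksfile" ] && [ "$luksfile" != "none" ] && [ -f "$luksfile" ]; then` is unambiguous and restricts the branch to regular files. When `cryptsetup --key-file` fails (unreadable or wrong key), the code falls through to the passphrase prompt with no diagnostic, so the user sees a prompt without knowing the configured key was rejected; adding `else` and `info "luksOpen $device with key file $luksfile failed, falling back to passphrase"` after the `ask_passphrase=0` line would record that in the boot log. Note also that a rejected key file skips the rd.luks.key lookup entirely, because that path is only in the `else` branch; if that is intended it deserves a one-line comment above the `if`. As the key file must be present inside the initramfs image, its confidentiality is bounded by that of the image, which is worth stating in the script's header comment outside this hunk.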
@@ -105,7 +112,7 @@ if [ $ask_passphrase -ne 0 ]; then
     unset luks_open
 fi
 
-unset device luksname
+unset device luksname luksfile
 
 # mark device as asked
 >> /tmp/cryptroot-asked-$2