# vim: set ft=sh:
# TODO this one needs some work to work with lots of different
#       encryption schemes
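# Unlock an encrypted root device before it is mounted.
#
# Globals read:    root, crypto, CMDLINE
# Globals written: root and CMDLINE (both exported), dev_t, OLDIFS, newcmdline
# External names:  err and msg are not defined in this file; they are assumed
#                  to be provided by the environment that sources this hook.
#
# If ${root} is a LUKS container it is opened as /dev/mapper/root, prompting
# until cryptsetup succeeds. Otherwise, if ${crypto} is non-empty, it is read
# as hash:cipher:keysize:offset:skip and a plain mapping is created. On
# success root (and the root= entry of CMDLINE) point at /dev/mapper/root.
run_hook ()
{
    # Rebuild $CMDLINE with its root= entry replaced by root=$1.
    # $CMDLINE is expanded unquoted on purpose: one word per boot parameter.
    replace_root ()
    {
       newcmdline=""
       for cmd in $CMDLINE; do
          case "$cmd" in
             root=*) newcmdline="${newcmdline} root=${1}" ;;
             *) newcmdline="${newcmdline} ${cmd}" ;;
          esac
       done
       export CMDLINE="${newcmdline}"
    }

    # Create the device-mapper control node from a major ($1) / minor ($2) pair.
    mkdevice () { /bin/mknod "/dev/mapper/control" c "${1}" "${2}"; }

    /bin/modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        read -r dev_t < /sys/class/misc/device-mapper/dev
        OLDIFS=$IFS; IFS=:
        # Unquoted on purpose: with IFS=':' this splits "major:minor" in two.
        mkdevice ${dev_t}
        IFS=$OLDIFS

        if /bin/cryptsetup isLuks "${root}" >/dev/null 2>&1; then
            echo ""
            echo "A password is required to access the root filesystem:"

            # Loop until cryptsetup accepts the passphrase.
            while ! /bin/cryptsetup luksOpen "${root}" root; do
                sleep 2;
            done
            if [ -e "/dev/mapper/root" ]; then
                export root="/dev/mapper/root"
                replace_root "${root}"
            else
                err "Password succeeded, but root creation failed, aborting..."
                exit 1
            fi
        elif [ "x${crypto}" != "x" ]; then
            # Create a plain (non-LUKS) mapping named "root" on ${root}.
            # Arguments: $1 hash, $2 cipher, $3 key size, $4 offset, $5 skip;
            #            an empty field leaves that option off.
            # Returns:   1 when the field count is wrong, otherwise the exit
            #            status of cryptsetup.
            do_oldcrypto ()
            {
                if [ $# -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi

                oc_hash=$1
                oc_cipher=$2
                oc_keysize=$3
                oc_offset=$4
                oc_skip=$5

                # The fields come from ${crypto} (presumably the crypto= boot
                # parameter -- confirm against the caller). They are passed to
                # cryptsetup as separate, quoted arguments instead of being
                # pasted into a string and run through eval, so shell
                # metacharacters in a field are never interpreted as commands.
                set -- create root "${root}"
                if [ -n "${oc_hash}" ]; then set -- "$@" --hash "${oc_hash}"; fi
                if [ -n "${oc_cipher}" ]; then set -- "$@" --cipher "${oc_cipher}"; fi
                if [ -n "${oc_keysize}" ]; then set -- "$@" --key-size "${oc_keysize}"; fi
                if [ -n "${oc_offset}" ]; then set -- "$@" --offset "${oc_offset}"; fi
                if [ -n "${oc_skip}" ]; then set -- "$@" --skip "${oc_skip}"; fi

                echo ""
                echo "A password is required to access the root filesystem:"
                /bin/cryptsetup "$@"
            }

            msg "Non-LUKS encrypted device found..."
            OLDIFS=$IFS; IFS=:
            # Unquoted on purpose: with IFS=':' this splits ${crypto} into
            # its colon-separated fields.
            do_oldcrypto ${crypto}
            # Capture the status before restoring IFS; the assignment below
            # would otherwise overwrite $? with 0 and hide a failure.
            crypt_status=$?
            IFS=$OLDIFS

            if [ "${crypt_status}" -ne 0 ]; then
                err "Non-LUKS device decryption failed. verify format: "
                err "      crypto=hash:cipher:keysize:offset:skip"
                exit 1
            else
                if [ -e "/dev/mapper/root" ]; then
                    export root="/dev/mapper/root"
                    replace_root "${root}"
                else
                    err "Password succeeded, but root creation failed, aborting..."
                    exit 1
                fi
            fi
        fi
    fi
}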