* open root device with a key inside encrypted loop container
@ 2012-07-24 12:08 Leho Kraav
From: Leho Kraav @ 2012-07-24 12:08 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA


So I gave this a shot last year in August [http://www.mail-archive.com/initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org/msg01988.html].
That was back in dracut-013 time. Since everything still rebases beautifully against dracut-022, I thought I'd
share this again.


* [PATCH 1/5] 90crypt: recognize .img as loop key container
From: Leho Kraav @ 2012-07-24 12:08 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

---
 modules.d/90crypt/crypt-lib.sh |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 5d0b272..3aed84d 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -177,6 +177,14 @@ readkey() {
                 die "No GPG support to decrypt '$keypath' on '$keydev'."
             fi
             ;;
+        img)
+            if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
+                . /lib/dracut-crypt-loop-lib.sh
+                loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+            else
+                die "No loop file support to decrypt '$keypath' on '$keydev'."
+            fi
+            ;;
         *) cat "$mntp/$keypath" ;;
     esac
 
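Review bot: the new img) branch leaves the tear-down at the end of readkey() untouched, but loop_decrypt sets up a loop device backed by a file on "$mntp", so the unconditional umount "$mntp" that follows the esac will fail with a busy mountpoint for as long as that loop device (and the dm mapping on top of it) exists. Either have loop_decrypt detach what it created before returning, or let this branch return early and register deferred cleanup; the later patches in this series take the second route, and that logic belongs in the same change that introduces the branch rather than being split across patches 3 and 4. Adding a [ -f "$mntp/$keypath" ] check before sourcing the library would also give a clearer error than letting losetup fail on a missing image.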
-- 
1.7.8.6


* [PATCH 2/5] 90crypt: enhance crypt-lib keydev mounting
From: Leho Kraav @ 2012-07-24 12:08 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

Combining $keydev and $keypath should result in a unique, re-usable keydev
mountpoint. mkuniqdir doesn't seem to have any advantage here and lacks
reusability. Is there ever a use case where these are true:

 * there is more than one rd.luks.key=$keypath:$keydev
 * one is actually different from the other
---
 modules.d/90crypt/crypt-lib.sh |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 3aed84d..5f7567e 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -165,8 +165,15 @@ readkey() {
     local keydev="$2"
     local device="$3"
 
-    local mntp=$(mkuniqdir /mnt keydev)
-    mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+    # This creates a unique single mountpoint for *, or several for explicitly
+    # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
+    # a single password entry.
+    local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
+
+    if [ ! -d "$mntp" ]; then
+        mkdir "$mntp"
+        mount -r "$keydev" "$mntp" || die 'Mounting rem. dev. failed!'
+    fi
 
     case "${keypath##*.}" in
         gpg)
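Review bot: [ ! -d "$mntp" ] tests for a directory, not for a mount, so a leftover directory (mkdir succeeded but mount died on an earlier call; die never reaches the rmdir at the end of the function) makes the next call skip the mount and cat a key out of an empty directory, and the mkdir return value is not checked either. Check the mount table instead (an entry for "$mntp" in /proc/mounts), use mkdir -p, and clean up on the failure path:
    mkdir -p "$mntp" || die "Cannot create $mntp"
    mount -r "$keydev" "$mntp" || { rmdir "$mntp"; die 'Mounting rem. dev. failed!'; }
Note also that replacing only '/' means a keydev/keypath pair that differs from another only by '/' versus '-' collides on the same mountpoint; unlikely, but worth a comment next to the str_replace.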
@@ -188,6 +195,8 @@ readkey() {
         *) cat "$mntp/$keypath" ;;
     esac
 
+    # General unmounting mechanism, modules doing custom cleanup should return earlier
+    # and install a pre-pivot cleanup hook
     umount "$mntp"
     rmdir "$mntp"
 }
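Review bot: the umount/rmdir at the end of the function undo the reuse that the first hunk's comment promises: every call that reaches these lines tears the shared mountpoint down again, so the [ ! -d "$mntp" ] branch above only skips the mount when a caller returns before this point. Either state in the commit message and in the comment that reuse applies only to key types that return early and register their own cleanup, or make the unmount here conditional on nobody else still needing the mountpoint.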
-- 
1.7.8.6
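An added example, not code from Leho's series, that spells out the mountpoint derivation the patch 2 commit message describes (every '/' in "keydev-$keydev-$keypath" becomes '-') and replaces the directory test with a check of the mount table; ensure_keydev_mounted and the optional MOUNTS_FILE argument are this example's own names, and mount needs root:

```shell
#!/bin/sh
# Added example (not part of the dracut patch series): derive the shared
# keydev mountpoint the way readkey() in patch 2 does, then decide whether
# to mount by consulting the mount table rather than "directory exists".

# keydev_mountpoint KEYDEV KEYPATH -> prints the mountpoint path
keydev_mountpoint() {
    printf '/mnt/%s\n' "$(printf '%s' "keydev-$1-$2" | tr '/' '-')"
}

# is_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds if MOUNTPOINT is the second field of a line in MOUNTS_FILE
# (default /proc/mounts). The kernel octal-escapes spaces there (\040),
# so the candidate path is escaped the same way before comparing.
# ENVIRON is used instead of awk -v because -v would decode the escape.
is_mounted() {
    _mp=$(printf '%s' "$1" | sed 's/ /\\040/g')
    MP="$_mp" awk '$2 == ENVIRON["MP"] { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# ensure_keydev_mounted KEYDEV KEYPATH [MOUNTS_FILE]
# Hypothetical replacement for the mkdir/mount pair in readkey(): mounts
# KEYDEV read-only on its derived mountpoint unless the mount table already
# shows it there, and removes the directory again if the mount fails.
# Prints the mountpoint on success.
ensure_keydev_mounted() {
    _mntp=$(keydev_mountpoint "$1" "$2")
    if ! is_mounted "$_mntp" "${3:-/proc/mounts}"; then
        mkdir -p "$_mntp" || return 1
        mount -r "$1" "$_mntp" || { rmdir "$_mntp"; return 1; }
    fi
    printf '%s\n' "$_mntp"
}
```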


* [PATCH 3/5] 91crypt-loop: open root device with a key inside encrypted loop container
From: Leho Kraav @ 2012-07-24 12:08 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

---
 modules.d/91crypt-loop/crypt-loop-lib.sh |   40 ++++++++++++++++++++++++++++++
 modules.d/91crypt-loop/module-setup.sh   |   14 ++++++++++
 2 files changed, 54 insertions(+), 0 deletions(-)
 create mode 100644 modules.d/91crypt-loop/crypt-loop-lib.sh
 create mode 100644 modules.d/91crypt-loop/module-setup.sh

diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
new file mode 100644
index 0000000..63a553c
--- /dev/null
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=4 sw=4 sts=0 et filetype=sh
+
+command -v ask_for_password >/dev/null || . /lib/dracut-crypt-lib.sh
+
+# loop_decrypt mnt_point keypath keydev device
+#
+# Decrypts symmetrically encrypted key to standard output.
+#
+# mnt_point - mount point where <keydev> is already mounted
+# keypath - LUKS encrypted loop file path relative to <mnt_point>
+# keydev - device on which key resides; only to display in prompt
+# device - device to be opened by cryptsetup; only to display in prompt
+loop_decrypt() {
+    local mntp="$1"
+    local keypath="$2"
+    local keydev="$3"
+    local device="$4"
+
+    local key="/dev/mapper/$(basename $mntp)"
+
+    if [ ! -b $key ]; then
+        info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
+
+        local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
+        local opts="-d - luksOpen $loopdev $(basename $key)"
+
+        ask_for_password \
+            --cmd "cryptsetup $opts" \
+            --prompt "Password ($keypath on $keydev for $device)" \
+            --tty-echo-off
+
+        [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" 
+    else
+        info "Existing keyfile found, re-using it for $device"
+    fi
+
+    cat $key
+}
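Review bot: the result of losetup -f ... --show is never checked; when the image is missing or losetup fails, $loopdev is empty and cryptsetup is run as "cryptsetup -d - luksOpen  <name>", i.e. with the mapping name in the device position and a confusing error. Add a guard straight after the losetup line:
    [ -b "$loopdev" ] || die "Cannot attach $keypath on $keydev as a loop device"
While at it, quote $key, $mntp and $loopdev everywhere ([ ! -b "$key" ], cat "$key", basename "$mntp"): the mountpoint name is built from rd.luks.key values supplied on the kernel command line. The header comment should also say that what goes to stdout is the entire plaintext of the container, not a file inside it, so users know how the image is expected to be laid out.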
diff --git a/modules.d/91crypt-loop/module-setup.sh b/modules.d/91crypt-loop/module-setup.sh
new file mode 100644
index 0000000..8170694
--- /dev/null
+++ b/modules.d/91crypt-loop/module-setup.sh
@@ -0,0 +1,14 @@
+check() {
+	type -P losetup >/dev/null || return 1
+	
+	return 255
+}
+
+depends() {
+	echo crypt
+}
+
+install() {
+	dracut_install losetup
+	inst "$moddir/crypt-loop-lib.sh" "/lib/dracut-crypt-loop-lib.sh"
+}
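Review bot: module-setup.sh is indented with tabs while crypt-loop-lib.sh in the same patch carries a modeline asking for four-space indentation; use one style. check() returning 255 means the module is only included when something depends on it, and nothing in this series does (90crypt probes for /lib/dracut-crypt-loop-lib.sh at run time instead of listing it in depends()), so the patch needs a commit message telling users to add it explicitly, e.g. add_dracutmodules+=" crypt-loop " in dracut.conf or -a crypt-loop on the command line.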
-- 
1.7.8.6


* [PATCH 4/5] 91crypt-loop: use initqueue for cleanup strategy
From: Leho Kraav @ 2012-07-24 12:08 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

---
 modules.d/90crypt/crypt-lib.sh           |    3 +++
 modules.d/91crypt-loop/crypt-loop-lib.sh |    5 +++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 5f7567e..d5caa85 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -188,6 +188,9 @@ readkey() {
             if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
                 . /lib/dracut-crypt-loop-lib.sh
                 loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
+                initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
+                    $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
+                return 0
             else
                 die "No loop file support to decrypt '$keypath' on '$keydev'."
             fi
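Review bot: the queued cleanup depends on two fragile details that deserve a comment: a literal "; " inside one argument so that the job line is evaluated as two commands, and the lexical order of the job names (10- and 20- in crypt-loop-lib.sh, 99- here) so that luksClose and losetup -d run before this umount. The first would be more robust as one cleanup function registered once, e.g. initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-..." crypt_loop_cleanup "$mntp", with the function doing umount and rmdir in order and checking each. $(basename $mntp) is also unquoted.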
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
index 63a553c..6774e7d 100644
--- a/modules.d/91crypt-loop/crypt-loop-lib.sh
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -32,6 +32,11 @@ loop_decrypt() {
             --tty-echo-off
 
         [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" 
+
+        initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
+            $(command -v cryptsetup) "luksClose $key"
+        initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
+            $(command -v losetup) "-d $loopdev"
     else
         info "Existing keyfile found, re-using it for $device"
     fi
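Review bot: the losetup -d cleanup is registered only after the password prompt succeeded, so when the die above fires (the mapping never appeared, for instance after the password attempts were exhausted) the loop device stays attached to the keyfile image and the keydev stays busy. Register the losetup cleanup right after the losetup call, before ask_for_password, and the luksClose cleanup right after the mapping exists. Separately, the comment added to readkey() in patch 2 says custom cleanup should be a pre-pivot hook, but this registers --finished jobs, which the initqueue main loop evaluates as its termination conditions rather than at pivot time; the commit message (this patch has none) should say which behaviour is intended, because closing the key mapping early means a later rd.luks.key consumer never hits the "Existing keyfile found" branch and prompts again.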
-- 
1.7.8.6


* [PATCH 5/5] 91crypt-loop: replace basename calls with string matching
From: Leho Kraav @ 2012-07-24 12:08 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA

---
 modules.d/90crypt/crypt-lib.sh           |    2 +-
 modules.d/91crypt-loop/crypt-loop-lib.sh |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index d5caa85..d66ba88 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -188,7 +188,7 @@ readkey() {
             if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
                 . /lib/dracut-crypt-loop-lib.sh
                 loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
-                initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-$(basename $mntp)" \
+                initqueue --onetime --finished --unique --name "crypt-loop-cleanup-99-${mntp##*/}" \
                     $(command -v umount) "$mntp; " $(command -v rmdir) "$mntp"
                 return 0
             else
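Review bot: ${mntp##*/} only equals basename "$mntp" while $mntp has no trailing slash; that holds today because readkey() builds it from /mnt/ plus a string in which every '/' has been replaced, but a one-line comment stating the assumption would stop a later refactor of the mountpoint naming from silently breaking the cleanup job name. The "$mntp; " semicolon trick on the next line is unchanged here and still carries the concern raised on patch 4.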
diff --git a/modules.d/91crypt-loop/crypt-loop-lib.sh b/modules.d/91crypt-loop/crypt-loop-lib.sh
index 6774e7d..244b6ce 100644
--- a/modules.d/91crypt-loop/crypt-loop-lib.sh
+++ b/modules.d/91crypt-loop/crypt-loop-lib.sh
@@ -18,13 +18,13 @@ loop_decrypt() {
     local keydev="$3"
     local device="$4"
 
-    local key="/dev/mapper/$(basename $mntp)"
+    local key="/dev/mapper/${mntp##*/}"
 
     if [ ! -b $key ]; then
         info "Keyfile has .img suffix, treating it as LUKS-encrypted loop keyfile container to unlock $device"
 
         local loopdev=$(losetup -f "${mntp}/${keypath}" --show)
-        local opts="-d - luksOpen $loopdev $(basename $key)"
+        local opts="-d - luksOpen $loopdev ${key##*/}"
 
         ask_for_password \
             --cmd "cryptsetup $opts" \
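Review bot: while the basename calls on $key are being replaced, the unquoted uses of the same variable on the neighbouring lines ([ ! -b $key ] here, cat $key at the end of the function) should be quoted in the same change; the value derives from ${mntp##*/}, which in turn comes from rd.luks.key arguments on the kernel command line.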
@@ -33,9 +33,9 @@ loop_decrypt() {
 
         [ -b $key ] || die "Tried setting it up, but keyfile block device was still not found!" 
 
-        initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-$(basename $key)" \
+        initqueue --onetime --finished --unique --name "crypt-loop-cleanup-10-${key##*/}" \
             $(command -v cryptsetup) "luksClose $key"
-        initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-$(basename $loopdev)" \
+        initqueue --onetime --finished --unique --name "crypt-loop-cleanup-20-${loopdev##*/}" \
             $(command -v losetup) "-d $loopdev"
     else
         info "Existing keyfile found, re-using it for $device"
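Review bot: with an empty $loopdev (losetup failed, see the note on patch 3), ${loopdev##*/} is empty and the job name collapses to "crypt-loop-cleanup-20-", so two failed attempts would collide under --unique and "losetup -d" would be queued with no argument; another reason to validate $loopdev immediately after the losetup call rather than relying on the later [ -b $key ] check.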
-- 
1.7.8.6

